Dedicated to providing the latest
HIPAA compliance news

68% of Healthcare Employees Would Share Regulated Data
Apr 21

The Dell End User Security Survey has revealed that sensitive information, including data covered by HIPAA Rules, would be shared by employees without authorization under certain circumstances. The Dell End User Security Survey sought to uncover how widespread the unauthorized sharing of confidential information has become. The results show that even in heavily regulated industries such as healthcare, unauthorized data sharing is occurring. The survey was conducted on 2,608 individuals whose job duties involve handling confidential information. Across all industries, an alarming 72% of employees said they would willingly share sensitive information. 68% of healthcare employees who took part in the survey also confirmed that they would share PHI without authorization under certain circumstances. Dell explains that in most cases, unauthorized sharing of confidential data is not malicious. It occurs when employees are trying to be more efficient and work as effectively as possible. Unfortunately, however, in an effort to get more work completed in less time, those employees are taking...

OIG Issues Warning About HHS Agency Phone Scams
Apr 19

This year has seen numerous email scams conducted to gain access to the tax information of employees; however, recently, criminals have started picking up the phone to conduct their scams. Phone scams have spiked in recent weeks, with criminals impersonating Department of Health and Human Services’ employees, including the Office of Inspector General (OIG). The rise in phone scams has prompted OIG to issue a warning. Scammers have been pretending to be from the OIG claiming individuals are eligible to receive a government grant. While this would likely arouse suspicion, in this case the caller ID displays the number 1-800-447-8477 (1-800-HHS-TIPS). The number is the OIG hotline number for reporting potential incidents of fraud. The scammers tell individuals they are eligible to receive government grant money as a result of paying their taxes on time. However, in order to qualify for the grant, it is first necessary to confirm an individual’s identity. The attackers ask the individual to confirm their name and Social Security number or bank account number and other personal...

21 Employees Found to Have Accessed PHI Without Authorization
Apr 17

A routine audit conducted by Virginia Mason Memorial has revealed employees have been accessing the protected health information of patients without authorization. Audits of PHI access logs occasionally reveal rogue employees have been improperly accessing the medical records of patients, but what makes this incident stand out is the number of employees that were discovered to have improperly viewed PHI. The audit revealed 21 employees had deliberately accessed PHI without authorization. Virginia Mason Memorial conducted the audit in January and immediately terminated access to PHI to prevent further privacy breaches. The investigation revealed those 21 employees had accessed the PHI of 419 patients. All of the patients had visited the hospital’s emergency room. The investigation was conducted internally, although the hospital also brought in a third-party cybersecurity firm to conduct a forensic analysis of its systems. That firm has also been searching the darknet to find out if any of the accessed records have made it onto darknet marketplaces. To date, no patient information...

Protenus Publishes Healthcare Data Breach Report for March 2017
Apr 14

Protenus has released its Breach Barometer report for March 2017, which shows a significant increase in healthcare data breaches and a major jump in the number of individuals who have had their sensitive data exposed or stolen. In both January and February there were 31 reported healthcare data breaches, although March saw the figure jump to 39 incidents. February saw relatively few individuals affected by healthcare data breaches. 206,151 patients and health plan members had some of their protected health information exposed last month. However, in March the figure jumped to 1,519,521 – more than 2.5 times the number of individuals impacted by healthcare data breaches in January and February combined. Almost half of those individuals had their ePHI exposed in the same incident – a 697,800-record theft incident reported by Commonwealth Health Corporation. The Protenus report shows insiders were the biggest cause of the healthcare data breaches reported in March, accounting for 44% of the total. There were 10 insider incidents reported in March that involved insider error and seven...

$400,000 HIPAA Penalty Agreed with Denver FQHC for Security Management Process Failures
Apr 13

The Department of Health and Human Services’ Office for Civil Rights (OCR) has taken action against a Denver, CO-based federally-qualified health center (FQHC) for security management process failures that contributed to the organization experiencing a data breach in 2011. Metro Community Provider Network (MCPN) has agreed to pay OCR $400,000 and adopt a robust corrective action plan to resolve all HIPAA compliance issues identified during the OCR investigation. The incident that triggered the OCR investigation was a phishing attack that occurred on December 5, 2011. A hacker sent phishing emails to MCPN personnel, the responses to which enabled that individual to gain access to employees’ email accounts. Those accounts contained the electronic protected health information of 3,200 patients. OCR investigates all breaches of more than 500 patient records to determine whether healthcare organizations have experienced a breach as a direct result of violations of HIPAA Rules. OCR notes that MCPN took the necessary action following the breach to prevent further phishing attacks from...

AMIA Suggests it’s Time for a HIPAA Update
Apr 11

The American Medical Informatics Association has suggested now is the time to update the Health Insurance Portability and Accountability Act (HIPAA) to make sure the legislation fits today’s connected world. The legislation was first introduced more than 20 years ago at a time when the Internet was just in its infancy. Over the past two decades, technology has advanced in ways that could not have been predicted when the legislation was written. Updates are now required to ensure HIPAA maintains pace with technology. HIPAA is perhaps best known for its privacy provisions, although these are commonly misunderstood by patients and healthcare providers alike. The HIPAA Privacy Rule allows patients to access their health data, although many patients are confused about what data they are able to access and what their rights actually are. The Department of Health and Human Services produced video guides last year to help patients understand their right to access their healthcare data under HIPAA; however, AMIA suggests more should be done to clarify the HIPAA right to access. Healthcare...

918,000 Patients’ Sensitive Information Exposed Online
Apr 10

The data of 918,000 patients who provided their sensitive information to HealthNow Networks, a Boca Raton, FL-based telemarketing organization that used to provide medical supplies to seniors, has been exposed online for many months. The data were discovered by an individual with the Twitter handle Flash Gordon after he conducted a search for unprotected data on the search engine Shodan. The data had been stored in an unprotected root folder on an Amazon Web Service installation owned by a software developer who had previously worked on a database for HealthNow Networks. The project was abandoned long ago although the data provided to the developer were not secured and could be accessed online. The database contained a range of highly sensitive data including individuals’ names, addresses, email addresses, telephone numbers, dates of birth, Social Security numbers, health insurance information and medical conditions. The data had been collected by the telemarketing firm and individuals had been offered discounted medical equipment in exchange for providing the firm with their data....

Large Hospitals and Teaching-Focused Hospitals Face Greater Risk of Data Breaches
Apr 06

A study recently published in JAMA Internal Medicine examined recent healthcare data breach trends to determine which types of hospitals are the most susceptible to data breaches. The researchers analyzed breach reports submitted to the Department of Health and Human Services’ Office for Civil Rights between October 21, 2009 and December 31, 2016. During that time, 216 hospitals reported 257 breaches of more than 500 patient records. 33 hospitals experienced more than one data breach during that time frame. Four hospitals – Brigham and Women’s Hospital, Cook County Health & Hospitals System, Mount Sinai Medical Center and St. Vincent Hospital and Healthcare Inc – experienced three data breaches. Two hospitals – Montefiore Medical Center and University of Rochester Medical Center & Affiliates – experienced four data breaches. The researchers determined the size of the acute care hospitals by linking the facilities to their Medicare cost reports submitted to the Centers for Medicare and Medicaid Services in the 2014 fiscal year. 141 acute care hospitals were linked to CMS...

Quarter of Healthcare Organizations Do Not Encrypt Data Stored in the Cloud
Apr 04

A recent survey by HyTrust has revealed that a quarter of healthcare organizations do not use encryption to protect data at rest in the cloud, even though the lack of encryption potentially places sensitive data – including the protected health information of patients – at risk of being exposed. Amazon Web Service (AWS) is one of the most popular choices with the healthcare industry, although many healthcare organizations are using multiple cloud service providers. 38% of respondents said they had a multi-cloud environment and 63% of respondents said they were planning to use multiple cloud service providers in the future. 63% of healthcare organizations said they were using the public cloud to store data. When asked about their main concerns, data security came top of the list – with 82% of surveyed healthcare organizations rating security as their number one concern. Despite the concerns about data security, encryption is not always employed. As Eric Chiu, co-founder and president of HyTrust explained, “For these care delivery organizations, choosing a flexible cloud security...

Dr. Donald Rucker Named New National Coordinator for Health IT
Apr 03

Dr. Donald Rucker has been named as the new National Coordinator of the Department of Health and Human Services’ Office of the National Coordinator for Healthcare Information Technology. Neither the Department of Health and Human Services nor the Office of the National Coordinator for Healthcare Information Technology has officially announced the new appointment, although Dr. Donald Rucker’s name now appears in the HHS directory as National Coordinator. Donald Rucker will replace acting National Coordinator, Jon White, M.D., who took over the position following the resignation of Dr. Vindell Washington in January 2016. White is expected to return to his former position as deputy national coordinator. Prior to joining the ONC, Donald Rucker was an adjunct professor at the Department of Biomedical Informatics at Ohio State University’s College of Medicine. Prior to that appointment, Rucker was Chief Medical Officer at Premise Health for a year and CMO at Siemens Healthcare USA for 13 years. While at Siemens Healthcare USA, Rucker led the team that designed the computerized physician...

FBI Warns Healthcare Industry About Anonymous FTP Server Cyberattacks
Mar 29

The Federal Bureau of Investigation has issued a warning to healthcare organizations using File Transfer Protocol (FTP) servers. Medical and dental organizations have been advised to ensure FTP servers are configured to require users to be properly authenticated before access to stored data can be gained. Many FTP servers are configured to allow anonymous access using a common username such as ‘FTP’ or ‘anonymous’. In some cases, a generic password is required, although security researchers have discovered that in many cases, FTP servers can be accessed without a password. The FBI warning cites research conducted by the University of Michigan in 2015 that revealed more than 1 million FTP servers allowed anonymous access to stored data. The FBI warns that hackers are targeting these anonymous FTP servers to gain access to the protected health information of patients. PHI carries a high value on the black market as it can be used for identity theft and fraud. Healthcare organizations could also be blackmailed if PHI is stolen. Last year, the hacker operating under the name...

Patients’ PHI Accidentally Sent to Media Outlets by Mecklenburg County
Mar 29

A spreadsheet containing the protected health information of more than 1,200 patients has been accidentally sent to two media outlets by a worker at Mecklenburg County, NC. The spreadsheet was emailed to the media outlets in response to a freedom of information request. That request was made following the discovery that 185 female patients had not been notified of abnormal Pap smear results. The spreadsheet had been created for state officials who were conducting an audit. County officials discovered the HIPAA breach on Monday and immediately launched an investigation to determine how such an error could have been made. County officials are furious about the privacy breach. Commissioner Vilma Leake said she wanted “to fire everybody on the health department.” County Manager Dena Diorio said “I am absolutely speechless with anger about how something like this could happen.” This is the second HIPAA breach in a month to be discovered by Mecklenburg County. WSOCTV said it had previously been sent information that contained the name of an individual that should not have been released. A...

Former Employee Accused of Stealing PHI of up to 160,000 Med Center Health Patients
Mar 28

The Kentucky-based 6-hospital health system Med Center Health has reported a data breach affecting approximately 160,000 patients. Med Center Health believes a former employee may have stolen patients’ protected health information (PHI) prior to leaving employment. The former employee has been accused of stealing PHI including names, addresses, health insurance information, Social Security numbers, procedure codes and billing information. Medical records were not compromised at any point. The FBI has been notified and is also investigating along with other federal agencies. Med Center Health is in the process of notifying patients of the breach, although the process is expected to take a couple of weeks due to the number of individuals that have been impacted. While the breach has only recently been announced, the data theft incidents date back to 2014 and 2015. The former employee is understood to have taken an encrypted CD and encrypted portable storage device in August 2014 and February 2015. There was no legitimate work reason for ePHI to have been taken, although on both...

UNC Health Care Reports Exposure of 1300 Prenatal Patients’ PHI
Mar 21

Prenatal patients who visited certain obstetric clinics operated by UNC Health Care are being notified that some of their protected health information has been disclosed to local health departments by mistake. Pregnancy Home Risk Screening Forms of Medicaid-eligible patients are sent to local health departments to ensure those individuals are connected with appropriate support services. However, UNC Health Care has discovered that in addition to Medicaid-eligible patients, forms relating to patients who were not eligible for Medicaid were also sent to local health departments. In total, around 1,300 patients have been affected. The privacy breach affects women who had prenatal appointments at the UNC Maternal-Fetal Medicine at Rex Hospital or the Women’s Clinic at the North Carolina Women’s Hospital between April 2014 and February 2017. Pregnancy Home Risk Screening Forms contain patients’ names and addresses, race and ethnicity, Social Security numbers, health and mental health histories, details of patients’ HIV status, any sexually transmitted diseases contracted, medical...

Snapshot of Healthcare Data Breaches in February 2017
Mar 21

The Protenus Breach Barometer healthcare data breach report for February includes some good news. Healthcare data breaches have not risen month on month, with both January and February seeing 31 data breaches reported. The report offers some further good news. Healthcare hacking incidents fell in February, accounting for just 12% of the total number of breaches reported during the month. There was also a major fall in the number of healthcare records exposed or stolen. In January, 388,207 healthcare records were reported as being exposed or stolen. In February, the number fell to 206,151 – a 47% drop in exposed and stolen records. However, February was far from a good month for the healthcare industry. IT security professionals have long been concerned about the threat from within, and last month clearly showed those fears are grounded in reality. February saw a major increase in the number of incidents caused by insiders. Insider breaches in February accounted for 58% of the total number of incidents reported for which the cause was known; double the number reported the previous...

Alleged Social Media Retaliation by Doctor Breached HIPAA Privacy Rule
Mar 20

A physician at the Dr. O Medical and Wellness Center in San Antonio, Texas allegedly retaliated against a patient by posting a video of the individual clad only in underwear on Facebook and YouTube. The doctor’s actions, which appear to be a clear violation of the HIPAA Privacy Rule, have resulted in her being sanctioned by the Texas Medical Board following a complaint by the patient. The patient, Clara Aragon-Delk, underwent a series of cosmetic surgery procedures starting in 2015. Non-invasive laser treatments were performed by Dr. Tinuade Olusegun-Gbadehan, and while consent was provided by the patient to have photographs and videos taken, authorization was only given for ‘anonymous use for the purposes of medical audit, education, and promotion.’ The images and video contained full face shots of the patient. Rather than protecting the patient’s privacy by pixelating the patient’s face, a video was posted to Olusegun-Gbadehan’s Facebook page without any attempt to protect the patient’s privacy. From the video, it would appear that the patient was happy with the treatment,...

New Mexico Data Breach Notification Bill Moves to Senate Judiciary Committee
Mar 15

A new data breach notification bill has been unanimously passed by the New Mexico House of Representatives, bringing New Mexico one step closer to becoming the 48th state to introduce data breach notification laws. The bill (House Bill 15) – also known as the Data Breach Notification Act – was sponsored by Republican Rep. William R. Rehm of Bernalillo. The bill will now move on to the Senate Judiciary Committee. This is not the first time that a New Mexico data breach notification law has been sent to the Senate Judiciary Committee. Rehm previously sponsored a similar bill in 2015, yet on two occasions the Senate Judiciary Committee failed to pass the bill on to the senate. The new data breach notification bill covers a range of sensitive data, although medical and insurance information are not included in the definition of personal information. Entities covered by the Health Insurance Portability and Accountability Act or the Gramm-Leach-Bliley Act will not be required to comply if the bill is written into state law. Should the legislation be passed by the senate, all other...

68% of Healthcare Organizations Have Compromised Email Accounts
Mar 10

Evolve IP has published the results of a new study that has revealed the extent to which healthcare email credentials are being compromised and sold on the dark web. The FBI has also recently warned about Business Email Compromise (BEC). Email credentials are highly valuable to cybercriminals. A compromised email account can be plundered to obtain highly sensitive data and an email account can be used to gain access to healthcare networks. 63% of data breaches in the United States occur as a result of compromised email credentials and healthcare email credentials are being sold freely on the dark web. Evolve used its Dark Web ID analysis technology for the study and reviewed 1,000 HIPAA covered entities and business associates. Evolve discovered 68% of those organizations have employees with visibly compromised email accounts. 76% of those compromised accounts included actionable password information and that information was freely available on the dark web. Depending on the industry segment, between 55.6% and 80.4% of organizations had compromised email accounts. Medical billing...

Improper Disposal of PHI Discovered by Minneapolis Heart Institute
Mar 06

A member of a cleaning crew at the Minneapolis Heart Institute at Abbott Northwestern Hospital accidentally disposed of documents containing PHI with regular trash. Minneapolis Heart Institute has policies and procedures in place that require all documents containing sensitive patient health information to be securely destroyed in accordance with HIPAA Rules. However, a member of the cleaning team was discovered to have emptied a trash container from a physician’s private office before documents could be securely shredded. The incident was discovered on January 20, 2017, although not in time for the documents to be recovered and securely destroyed. The documents had been emptied into a bin bag which was placed in a regular recycling dumpster at the hospital. It is unclear at this stage how many individuals have been impacted, although as a precaution, the Minneapolis Heart Institute is notifying all patients who were part of the physician’s service group between April 17, 2016 and January 17, 2017. Those individuals have been offered credit monitoring and identity theft protection...

Healthcare Employee Accessed ePHI Without Authorization for 5 Years
Mar 06

Healthcare professionals must have access to the protected health information of patients in order to provide medical care and perform healthcare operations. Since access to data can be abused by rogue employees, it is essential that controls are put in place to alert healthcare organizations rapidly when improper access occurs. Rapid identification of improper access can greatly reduce the harm caused. In many cases, improper access is discovered during routine audits of access and application logs. When those audits are conducted on an annual basis, employees may be found to have been improperly accessing patient data for many months. Last month, Chadron Community Hospital and Health Services in Nevada discovered that a rogue employee had been accessing ePHI without any legitimate work reason for doing so. What makes this incident stand out is how long access had been allowed to continue before it was discovered. An investigation conducted by the healthcare provider revealed that the improper access had gone unnoticed for more than 5 years. During that time, the records of more...

Data Breach Lawsuit Against Excellus BCBS Survives Motion to Dismiss, in Part
Mar 03

A lawsuit filed by plaintiffs whose ePHI was exposed as a result of a cyberattack on Excellus BlueCross BlueShield has survived a motion to dismiss. The United States District Court of the Western District of New York has both granted, in part, and denied, in part, the motions to dismiss. The hacking of Excellus BlueCross BlueShield in 2013 resulted in the exposure of the protected health information of more than 10 million health insurance subscribers. The data breach was discovered in 2015, some 20 months after access to members’ data was first gained. Following the discovery of the cyberattack, Excellus hired cybersecurity firm Mandiant to conduct a forensic analysis which revealed malware had been installed on the network. While the malware could potentially have resulted in the theft of PHI, no evidence of data exfiltration was discovered, although the possibility that data was stolen could not be ruled out. Multiple lawsuits were filed against Excellus BCBS, which were consolidated into one case – Matthew Fero, et al., vs Excellus Health Plan Inc. The plaintiffs allege...

AHIMA Publishes New Resource Confirming Patients’ PHI Access Rights under HIPAA
Mar 02

The Health Insurance Portability and Accountability Act (HIPAA) permits patients to obtain a copy of their medical records in electronic or paper form. Last year, the Department of Health and Human Services released a series of videos and documentation to explain patients’ right to access their health data. Yesterday, the American Health Information Management Association (AHIMA) also published guidance – in the form of a slideshow – further explaining patients’ access rights, what to expect when requests are made to healthcare providers, possible fees, and the timescale for obtaining copies of PHI. AHIMA explains that copies will not be provided immediately. Under HIPAA Rules, healthcare providers have up to 30 days to provide copies of medical records, although many will issue designated record sets well within that timeframe. However, in some cases, provided there is a justifiable reason for doing so, a healthcare provider may request a 30-day extension. In such cases, it may take up to 60 days for patients to obtain copies of their health data. AHIMA has explained to whom...

Simplified HITRUST CSF Program Helps Small Healthcare Organizations with Compliance and Risk Management
Mar 02

HITRUST has announced that it has updated the HITRUST CSF and has also launched a new CSF initiative specifically for small healthcare organizations to help them improve their resilience against cyberattacks. While the HITRUST CSF – the most widely adopted privacy and security framework – can be followed by healthcare organizations to improve their risk management and compliance efforts, for many smaller healthcare organizations following the framework is simply not viable. Smaller healthcare organizations simply don’t have the staff and expertise to follow the full HITRUST CSF framework. While the HITRUST CSF program is beneficial for smaller healthcare organizations, they do not face the same levels of risk as larger organizations. Given that the risks are lower and the requirements to comply with HIPAA already take up a lot of resources, HITRUST has developed a simplified, streamlined framework which is much better suited to small healthcare organizations. The new framework – called CSF Basic Assurance and Simple Institution Cybersecurity or CSFBASICs for short – has a more...

Theft, Hacking, Ransomware and Improper Accessing of ePHI – Attacks Coming from All Angles
Feb 23

Theft, hacking, ransomware, and improper ePHI access by employees – the past few days have seen a diverse range of healthcare data breaches reported. St. Joseph’s Hospital and Medical Center in Arizona, Family Service Rochester of Minnesota, and the University of North Carolina have all reported potential breaches of patients’ ePHI, while Lexington Medical Center in South Carolina has announced that the sensitive data of its employees have been viewed.

University of North Carolina Reports Theft of Dental Patients’ ePHI

A laptop computer and an SD memory card from a digital camera have been stolen from the car of a postgrad dental resident of the University of North Carolina School of Dentistry. While the devices should have had a number of security measures installed to prevent improper data access, UNC has been unable to confirm whether that was the case. The breach may have resulted in the exposure of around 200 patients’ personal information including full face photographs (without any other PHI), names, dates of birth, dental record numbers, treatment plans, dental and health...

Quarter of Americans Have Been Impacted by a Healthcare Data Breach
Feb 22

Given the volume of healthcare records that have been exposed or stolen over the past two years, it comes as little surprise that 26% of Americans believe their health data have been stolen. The figures come from a recent survey conducted by Accenture. The survey was conducted on 2,000 U.S. adults and more than a quarter said that their medical information has been stolen as a result of a healthcare data breach. Healthcare information is attractive for cybercriminals as the information in health records does not expire. Credit card numbers can only be used for an extremely limited time before cards are blocked. However, Social Security numbers can be used for a lifetime and health insurance information can similarly be used for extended periods. The information can also be used for a multitude of nefarious activities such as tax fraud, identity and medical identity theft and insurance fraud. It is also unsurprising that many victims of healthcare data breaches have reported suffering losses as a result of the theft of their data. According to Accenture, half of the individuals who...

American Senior Communities Says 17,000 Employees Impacted by W-2 Scam
Feb 21

American Senior Communities, a nursing home chain based in central Indiana, has announced that one of its employees responded to a W-2 phishing email and sent the tax information of more than 17,000 employees to tax fraudsters. There have now been more than 70 organizations that have responded to W-2 Form phishing emails so far this year according to Databreaches.net, although the latest addition to the list is the largest confirmed breach of employee information to have occurred this year. The massive haul of W-2 Form data included employees’ names, Social Security numbers, birth dates, and addresses. An investigation suggests that the individual behind the campaign was based offshore. In many cases, organizations discover they have been scammed soon after the email has been sent, allowing rapid action to be taken to limit the harm caused. However, that was not the case here. The phishing email was sent to a payment processor for American Senior Communities in mid-January; however, the incident was not discovered for a month. The employee’s error was only identified on February 17...

Read More
Citizens Memorial Hospital Latest Victim of W-2 Phishing Scam
Feb17

Citizens Memorial Hospital Latest Victim of W-2 Phishing Scam

Another healthcare provider has announced that one of its employees has been fooled by a W-2 phishing scam. Citizens Memorial Hospital in Bolivar, MO, says a request for W-2 Form data was sent to one of its employees by email. The employee responded to the request believing the message was legitimate and had been sent internally. W-2 Forms for all employees at the 86-bed hospital who had taxable earnings for the 2016 fiscal year were sent via email to the scammers as requested. No announcement has been made about the number of employees impacted by the incident. The hospital discovered it was the victim of a scam the following day. The incident has been reported to both the FBI and the IRS and affected employees have been notified and offered 2 years of identity theft protection services without charge through Experian. The incident is not a HIPAA breach as HIPAA Rules do not apply to employee data. To prevent repeat attacks, Citizens Memorial Hospital will be enhancing its data security education programs. Staff will receive further training to help them identify any further...

Read More
2016 Healthcare Data Breach Report Ranks Breaches By State
Feb15

2016 Healthcare Data Breach Report Ranks Breaches By State

A new 2016 healthcare data breach report has been released detailing incidents reported to the Department of Health and Human Services’ Office for Civil Rights. While other reports have already been compiled, this latest report – compiled by data loss prevention firm Safetica USA – shows where those data breaches occurred and the states most affected by healthcare data breaches in 2016. Data for the 2016 healthcare data breach report was taken from the Office for Civil Rights breach portal, which includes all reported breaches of more than 500 records. The data show that the states most affected by healthcare data breaches are those with the highest number of residents and highest number of healthcare providers. The top ten states for healthcare data breaches were found to be:

California – 39 breaches
Florida – 28 breaches
Texas – 23 breaches
New York – 15 breaches
Illinois, Indiana, & Washington – 12 breaches
Ohio & Pennsylvania – 11 breaches
Michigan – 10 breaches
Arizona & Arkansas – 9 breaches
Georgia & Minnesota – 8 breaches
Colorado & Missouri – 7...

Read More
Xerox: Nearly Half of Americans Concerned About Theft of Their Health Information
Feb13

Xerox: Nearly Half of Americans Concerned About Theft of Their Health Information

Healthcare data breaches in 2016 reached record levels, while 2015 saw more healthcare records stolen than the combined total stolen over the previous six years. Those data breaches have naturally had an effect on how healthcare patients view the security of their medical data. OCR figures show that since 2009, 166 million healthcare records have been stolen or exposed – that’s 52% of the population of the United States. It is therefore understandable that patients are worried about data security. A recent Xerox eHealth survey has revealed the extent to which patients are worried about the data held by their healthcare providers. In January 2017, 3,000 U.S. adults over the age of 18 were surveyed by Harris Poll for the Xerox survey. The survey revealed that 44% of healthcare patients are worried about their healthcare data being stolen. However, even with the high number of data breaches, patients are overwhelmingly in support of the transmission of electronic health data over more outdated communication methods such as faxing. 76% of survey respondents said secure electronic...

Read More
New York Giants Star and ESPN Agree to Settle Privacy Breach Lawsuit
Feb08

New York Giants Star and ESPN Agree to Settle Privacy Breach Lawsuit

A privacy breach lawsuit filed against ESPN by New York Giants defensive end Jason Pierre-Paul has been amicably resolved. ESPN has agreed to settle the lawsuit, although the terms of the settlement have not been announced. On July 4, 2015, Pierre-Paul was involved in a fireworks accident and sustained serious burns to his hand. He was rushed to Jackson Memorial Hospital in Miami to receive treatment for his injuries. News soon broke that the NFL star had been taken to hospital, although it was initially unclear what injuries had been sustained. That was until details of the injuries were leaked to ESPN’s Adam Schefter. Schefter sent a tweet containing a photograph of Pierre-Paul’s medical chart which showed Pierre-Paul had sustained serious damage to his hand that required the amputation of his index finger. The disclosure and dissemination of Pierre-Paul’s medical charts involved a violation of the Health Insurance Portability and Accountability Act (HIPAA), although not by Adam Schefter. While the HIPAA Privacy Rule prohibits the unauthorized disclosure of patients’ electronic...

Read More
High Costs are Preventing Many Patients from Accessing their Medical Records
Feb02

High Costs are Preventing Many Patients from Accessing their Medical Records

The HIPAA Privacy Rule permits patients to obtain a copy of their medical records from their healthcare providers on request. By obtaining copies of medical records, patients are able to take a more active role in their healthcare and treatment. Obtaining copies of medical records also makes it much easier for patients to share their medical records with other healthcare providers and make smarter choices about their healthcare. The Department of Health and Human Services’ Office for Civil Rights (OCR) recently explained patients’ right to obtain copies of their medical records and created a series of videos explaining how the HIPAA Privacy Rule applies to patients. OCR also issued guidance for HIPAA-covered entities on allowable charges for labor, printing, and postage last year. A flat fee of $6.50 has been recommended for providing electronic copies of medical records – should HIPAA-covered entities opt for a single charge for providing designated record sets to patients. While not all covered entities choose this model, the costs associated with obtaining copies of electronic...

Read More
eHealth Email Spoofing Attack Sees Employee W-2 Information Disclosed
Jan31

eHealth Email Spoofing Attack Sees Employee W-2 Information Disclosed

In the past few days, two email spoofing attacks have been reported by healthcare organizations that have resulted in the W-2 information of employees being sent to cybercriminals. Tax season phishing scams are to be expected at this time of year. Cybercriminals target HR and payroll employees and try to fool them into sending the W-2 information of employees via email. The scams are convincing. A casual glance at the address of the sender of the email will reveal nothing untoward. The emails appear to have been sent from other employees who have a legitimate need for the information. The latest healthcare organization to report being duped by one of these scams is eHealthinsurance. An eHealth employee responded to a phishing email on January 20, 2017 after believing it had been sent from another eHealth employee. While many of these scams involve emails being sent from compromised company email accounts, in this case the request came from a spoofed email account. The employee sent a file by return that contained employees’ W-2 tax forms. Data passed on to the scammer included...

Read More
OIG: 16% Increase in Security Gaps in Medicare Contractors’ Information Security Programs
Jan30

OIG: 16% Increase in Security Gaps in Medicare Contractors’ Information Security Programs

An annual review of Medicare administrative contractors’ (MACs) information security programs has shown them to be ‘adequate in scope and sufficiency’, although a number of security gaps were found to exist. The Social Security Act requires each MAC to have its information security program evaluated on an annual basis by an independent assessor. Each MAC must have the eight major requirements of the Federal Information Security Management Act of 2002 (FISMA) evaluated, in addition to the information security controls of a subset of systems. The Department of Health and Human Services’ Office of Inspector General (OIG) is required to submit a report of the annual MAC evaluations to Congress. The Centers for Medicare & Medicaid Services (CMS) contracted with PricewaterhouseCoopers (PwC) for this year’s evaluations. The OIG report to Congress shows a total of 149 security gaps were discovered to exist in the financial year 2015; a marked increase from the previous year. In 2014, the same 9 MACs were evaluated and 16% fewer security gaps were discovered. A security gap is defined...

Read More
Hospital Employee Discovered to Have Improperly Accessed 6,200 Patient Records
Jan26

Hospital Employee Discovered to Have Improperly Accessed 6,200 Patient Records

Covenant HealthCare has notified more than 6,000 patients that their electronic medical records were inappropriately accessed by one of its employees. The improper access was discovered during a November 2016 audit of EMR access logs. The audit revealed an unusual pattern of medical record access by a single employee. Covenant HealthCare immediately ordered a full review of ePHI access by the employee to determine which medical records had been accessed and whether there was any legitimate reason for those records to have been viewed. The review revealed that the Covenant HealthCare employee first started improperly accessing its electronic medical record system on February 1, 2016. The improper access continued for nine months until November 21, 2016 and involved 6,197 patients. A range of data were potentially viewed including patient’s names, dates of birth, home addresses, health insurance information, diagnostic and treatment information, medical record numbers, Social Security numbers and driver’s license numbers. Covenant HealthCare spokesperson Kristin Knoll said in a...

Read More
Mailing Error Sees 1,126 Letters Sent to Patients’ Previous Addresses
Jan26

Mailing Error Sees 1,126 Letters Sent to Patients’ Previous Addresses

A ‘software glitch’ has resulted in billing statements and other communications sent by TriHealth of Cincinnati being mailed to patients’ former addresses. The privacy breach was discovered in November 2016, and impacts 1,126 TriHealth patients. The glitch caused current addresses to be substituted with former addresses. In some cases, mail may have been forwarded on to the correct address, although TriHealth was unable to determine whether this was the case. Letters have now been mailed to the correct addresses and affected patients have been notified of the error by mail. The error affected mailings of billing statements, appointment reminder letters, and other correspondence between November 15, 2015 and January 12, 2017 when the error was discovered. Individuals affected by the error had all mailings directed to wrong addresses between those dates. The types of protected health information contained in the mailings varied from patient to patient. PHI that was potentially exposed was limited to patients’ names, visit dates, descriptions of medical service provided, places of...

Read More
New Report Reveals 2016 Data Breach Trends
Jan26

New Report Reveals 2016 Data Breach Trends

2016 was a particularly bad year for healthcare data breaches. The healthcare industry was targeted by ransomware gangs, careless employees left healthcare records exposed, and hackers broke through defenses on numerous occasions. 2016 was nowhere near as bad as 2015 in terms of the number of healthcare records stolen or exposed, but more healthcare data breaches were reported in 2016 than in previous years. But how did 2016 compare to other industries? A new data breach report from Risk Based Security highlights recent data breach trends and confirms just how bad 2016 was for cybersecurity incidents. The total number of data breaches reported in 2016 – 4,149 data breaches – was on a par with 2015. However, the severity of data breaches in 2016 was far worse. Until 2016, the worst year in terms of the number of records exposed or stolen was 2013, when the milestone of 1 billion exposed or stolen records was exceeded for the first time. However, in 2016 there were 3.2 billion more records exposed or stolen than that landmark year. More than 4.2 billion records were exposed or...

Read More
Court of Appeals Rules Horizon BCBS Class Action Has Standing Without Evidence of ID Theft
Jan24

Court of Appeals Rules Horizon BCBS Class Action Has Standing Without Evidence of ID Theft

The United States Court of Appeals for the Third Circuit has ruled that a class action lawsuit filed by customers of Horizon Blue Cross Blue Shield whose protected health information was exposed when two laptop computers were stolen from its New Jersey offices does have standing, even without proof of harm. The case had previously been dismissed by U.S. District Judge Claire Cecchi. The incident which led to the lawsuit occurred between November 1 and 3, 2013. Two unencrypted laptop computers containing the personal information of 839,000 plan members were stolen from Horizon BCBS’s headquarters in Newark, NJ. Stored on the laptops were names, addresses, birth dates, Social Security numbers, medical histories, demographic data, lab test results, insurance information, and other care-related data. Four plaintiffs – Courtney Diana, Karen Pekelney, Mark Meisel, and Mitchell Rindner – are named on the lawsuit, which was filed on behalf of themselves and other customers whose personal information was exposed. The complainants maintain that the laptop computers were targeted...

Read More
Hacking Group Attempts to Extort Funds from Cancer Services Provider
Jan20

Hacking Group Attempts to Extort Funds from Cancer Services Provider

TheDarkOverlord has struck again, this time the victim was a small Indiana cancer charity. The attack occurred on January 11 and was accompanied with a 50 Bitcoin ($43,000) ransom demand. Little Red Door Cancer Services of East Central Indiana was threatened with the publication of confidential data if the ransom was not paid. The charitable organization provides a range of services to help victims of cancer live normal lives during treatment, recovery, and at end of life. Little Red Door provides an invaluable service to cancer patients in East Central Indiana, with its limited funds carefully spent to provide the maximum benefit to cancer patients and their families. The payment of a $43,000 ransom would have had a significant impact on the good work the organization does, and would have taken funding away from the people who need it most. Little Red Door followed the advice of the FBI and refused to pay. Little Red Door spokesperson, Aimee Fant, issued a statement saying the organization “will not pay a ransom when all funds raised must instead go to serving families, all stage...

Read More
Protenus Releases 2016 Healthcare Data Breach Report
Jan20

Protenus Releases 2016 Healthcare Data Breach Report

Protenus, in conjunction with Databreaches.net, has published its 2016 healthcare data breach report, summarizing the hacks and mishaps that have resulted in patient and health plan members’ protected health information being exposed or stolen. Fortunately, 2016 has not seen the mega data breaches of 2015, although it has been far from a good year. More than 27 million healthcare records were stolen in 2016 across 450 reported data breaches. The total number of breached records may be down year on year, but the total number of incidents has increased. 2016 has been the worst year for healthcare industry breaches since records first started being kept. The Protenus 2016 healthcare data breach report includes data breaches that have already been reported to the Department of Health and Human Services’ Office for Civil Rights, in addition to those that have been disclosed to the media but not yet uploaded to the OCR breach portal. In total, there were 27,314,647 individuals affected by healthcare data breaches in 2016, with detailed information available for 380 of the 450 incidents....

Read More
Final Rule Updating Common Rule Regulations Issued by HHS
Jan20

Final Rule Updating Common Rule Regulations Issued by HHS

The Department of Health and Human Services has published its Final Rule for the Common Rule (45 CFR part 46). The Final Rule makes considerable changes to the Common Rule, although some of the most controversial elements which were included in the September 2015 proposed rule have been dropped. One of the proposed changes would have made it much harder for research organizations to use biomedical samples for research. Rather than allowing a general consent form to be used, HHS proposed that written consent be obtained from patients prior to their samples being used for further studies, requiring additional consent to be obtained from the patient in writing for every step of research. If a tissue or blood sample was left over from a previous research study, additional written consent would have been required before that sample could be used, even when consent to use the sample for research had already been obtained from the patient in the first place. The proposed change was included following a high-profile case of a woman – Henrietta Lacks – whose cancer cells were...

Read More
No HIPAA Violation Fine for Virginia State Senator
Jan19

No HIPAA Violation Fine for Virginia State Senator

While campaigning to become Republican state senator for Virginia in 2015, Henrico County physician Siobhan Dunnavant, M.D., used patients’ contact information – classed as protected health information under HIPAA Rules – to solicit donations from patients to help fund her campaign. Contact information – names and addresses – was shared with her campaign team and was used to communicate with patients. The same information was also disclosed to a direct mail company: a violation of the HIPAA Privacy Rule. At least two complaints were received by the Department of Health and Human Services’ Office for Civil Rights about the privacy violation last year. An OCR regional office contacted Dunnavant after being alerted to the privacy violation and informed her that her actions constituted an impermissible use and disclosure of PHI – violations of the HIPAA Privacy Rule. Such violations can result in financial penalties being issued. Dunnavant, who was later elected to the state senate, could have been fined up to $250,000 for the HIPAA violation and could potentially have been...

Read More
HHS Issues Final Rule on Confidentiality of Alcohol and Drug Abuse Patient Records Regulations
Jan19

HHS Issues Final Rule on Confidentiality of Alcohol and Drug Abuse Patient Records Regulations

In February 2016, the Department of Health and Human Services published a proposed change to the Confidentiality of Alcohol and Drug Abuse Patient Records regulations, (42 CFR Part 2) to facilitate health integration and information exchange. HHS has now finalized the Part 2 changes following an extensive evaluation of public comments, according to a recent press release from the Substance Abuse and Mental Health Services Administration (SAMHSA). The Confidentiality of Alcohol and Drug Abuse Patient Records regulations were introduced in 1975 to protect the privacy of patients receiving treatment for substance abuse and mental health disorders. At the time there was concern that the revelation of patients’ identities would have serious social consequences and a lack of privacy may deter individuals from seeking treatment. The healthcare delivery system has changed considerably during the past 40 years and Part 2 regulations were in need of modernization. While the privacy of patients must and will still be protected, the Part 2 changes will help to promote health integration and...

Read More
OCR HIPAA Enforcement: Summary of 2016 HIPAA Settlements
Jan12

OCR HIPAA Enforcement: Summary of 2016 HIPAA Settlements

The Department of Health and Human Services’ Office for Civil Rights has stepped up its enforcement activities in recent years, and 2016 HIPAA settlements were at record levels. In total, payments of $22,855,300 were made to OCR in 2016 to resolve alleged HIPAA violations. Seven settlements were in excess of $1,500,000. In 2016, OCR settled alleged HIPAA violations with 12 healthcare organizations. Last year also saw an Administrative Law Judge rule that civil monetary penalties previously imposed on a covered entity – Lincare Inc. – by OCR were lawful, bringing the total to thirteen for 2016. Lincare was only the second healthcare organization required to pay a civil monetary penalty for violations of the Health Insurance Portability and Accountability Act. All other organizations opted to settle with OCR voluntarily. Financial penalties are not always appropriate. OCR prefers to settle potential HIPAA violations using non-punitive measures. Financial penalties are reserved for the most severe violations of HIPAA Rules, when widespread non-compliance is discovered, or in cases...

Read More
Warning for Healthcare Organizations that use MongoDB Databases
Jan11

Warning for Healthcare Organizations that use MongoDB Databases

Over the course of the past two weeks, the number of organizations that have had their MongoDB databases accessed, copied, and deleted has been steadily growing. Ethical hacker Victor Gevers discovered in late December that many MongoDB databases had been left unprotected and were freely accessible over the Internet by unauthorized individuals. By January 6, he reported that 13 organizations had had their databases copied and deleted. In their place was a new database containing nothing but a ransom demand. The hacker responsible offered to return the data once a ransom payment had been made – in this case 0.2 Bitcoin ($175). The number of affected organizations has rapidly increased over the past few days. Today, more than 32,000 organizations have been issued with ransom demands and have had their databases deleted, including Emory Healthcare. Emory Healthcare is not the only U.S. healthcare organization to have left databases exposed. MacKeeper security researcher Chris Vickery has identified another potential healthcare victim. A database used by WAMC Sleep Clinic – which...

Read More
FDA Confirms Muddy Waters’ Claims that St. Jude Medical Devices Can be Hacked
Jan10

FDA Confirms Muddy Waters’ Claims that St. Jude Medical Devices Can be Hacked

The U.S. Food and Drug Administration (FDA) issued a safety communication Tuesday about cybersecurity flaws in certain St. Jude Medical cardiac devices and the Merlin@home transmitter after it was confirmed the devices could potentially be remotely accessed by unauthorized individuals. The FDA confirmed that unauthorized users could “remotely access a patient’s RF-enabled implanted cardiac device by altering the Merlin@home Transmitter,” potentially causing patients to be harmed. The flaws would allow an attacker to deplete the battery on implanted devices, alter pacing, or trigger shocks. The FDA confirmed that there have been no reported instances of the cybersecurity flaws being exploited to cause harm to patients to date and patients have been advised to continue using the devices as instructed by their healthcare providers. A patch to address the flaws has been developed and will be automatically applied this week. However, in order for the Merlin@home device to receive the update it must be left plugged in and connected to the Merlin Network. The...

Read More
Foreign Government-Backed Hacker Was Behind 2015 Anthem Breach
Jan08

Foreign Government-Backed Hacker Was Behind 2015 Anthem Breach

The massive 2015 data breach at Anthem Inc., which resulted in the theft of more than 78.8 million health plan members’ records, was likely the work of a foreign government-backed hacker, according to a recent report issued by the California Department of Insurance. Anthem Inc., the second largest health insurer in the United States, announced the massive cyberattack in February 2015, almost a month after the breach was discovered. However, the cyberattack occurred almost a year earlier, with Anthem’s database discovered to have been infiltrated on February 18, 2014. Data stolen in the attack included members’ Social Security numbers, birth dates, employment details, addresses, email addresses, and medical identification numbers. The attackers were able to bypass multiple layers of cybersecurity defenses with a single phishing email sent to an employee of one of Anthem’s subsidiaries. The response to the email allowed the attacker to download malware onto Anthem’s network, which in turn allowed access to Anthem’s database of members. The attackers also managed to infiltrate 90 other...

Read More
Fetal Tissue Firms Guilty of Systemic HIPAA Violations
Jan06

Fetal Tissue Firms Guilty of Systemic HIPAA Violations

The U.S. House of Representatives Select Investigative Panel has published the findings from its investigation into the sale of fetal tissue by abortion clinics, revealing systemic HIPAA violations by both abortion clinics and tissue procurement businesses. An investigation was requested by the Energy and Commerce Subcommittee on Oversight and Investigations following revelations made by undercover journalist David Daleiden. In 2015, Daleiden arranged a series of meetings with businesses involved in the fetal tissue procurement industry via the not-for-profit group Center for Medical Progress (CMP). Daleiden secretly recorded abortion providers – and companies involved in the fetal tissue business – detailing the nature of the business of buying and selling tissues from aborted fetuses. Daleiden’s meetings uncovered some dark truths about the practices employed by abortion clinics to obtain fetal tissue, including how termination procedures were often changed in order to obtain more intact specimens, including the use of illegal abortion procedures. The investigation...

Read More
Patients Holding Back Health Information Over Data Privacy Fears
Jan05

Patients Holding Back Health Information Over Data Privacy Fears

A fully interoperable health system is becoming closer to reality. Barriers to health data sharing are being removed and the ONC and HHS’ Office for Civil Rights are stepping up their efforts to prevent information blocking by healthcare providers. However, in order for information to be able to flow, it is essential that information is collected. If healthcare providers and other healthcare organizations only have access to partial medical histories, the usefulness of health data will be limited. Unfortunately, many patients are reluctant to provide their full medical histories to their healthcare providers, and even when information is provided, many patients do not want that information shared with anyone other than their primary healthcare provider. Privacy and security issues are a major concern, and the problem is growing. As healthcare data breaches continue to increase year on year, consumer confidence is decreasing. This has a direct impact on the willingness of patients to share their health data.

Important Medical Information is Being Withheld by Patients

The extent to...

Read More
11GB of Sensitive Data Left Unprotected by Department of Defense Subcontractor
Jan05

11GB of Sensitive Data Left Unprotected by Department of Defense Subcontractor

A security researcher has discovered that the sensitive data of psychologists, doctors and other health workers employed by the United States Special Operations Command (SOCOM) have been exposed on the Internet by Woodbridge, VA-based Potomac Healthcare, a subcontractor for the Department of Defense. Potomac Healthcare supplies health workers to government organizations through Booz Allen Hamilton. Chris Vickery of MacKeeper discovered 11GB of internal Potomac data were left unprotected and could be accessed over the Internet without a username or a password. The data included names, Social Security numbers, locations, assigned units, and salaries of psychologists, doctors, and other healthcare professionals. The files also included lists of websites and programs with their associated usernames and passwords. Vickery said that the details of at least two Special Forces data analysts who had “Top Secret government clearance” were also present in the data. It is unclear for how long the data had been exposed and whether any other individuals had gained access to the information....

Read More
Massachusetts Data Breach Notification Archive Now Available Online
Jan05

Massachusetts Data Breach Notification Archive Now Available Online

The Office of Consumer Affairs and Business Regulation of the state of Massachusetts has taken a major step toward improving transparency by making its data breach notification archive available to the public. Previously, members of the public were permitted to view the breach reports, but only by submitting a public records request. Now all breach notifications made to the state’s Office of Consumer Affairs and Business Regulation can be viewed online. The Massachusetts Data Breach Notification Archive can be viewed and downloaded in PDF form, with the identity theft report detailing the date the incident was reported, the organization affected, breach type, number of residents impacted, types of sensitive data exposed (SSNs, Driver’s license numbers, financial information, credit/debit card numbers), and whether credit monitoring services have been offered to breach victims. The reports include breaches of both physical records and electronic personal information from 2007. The report for 2016 currently includes 1,865 breach summaries. State law (Chapter 93H) requires all...

Read More
Largest Healthcare Data Breaches of 2016
Jan04

Largest Healthcare Data Breaches of 2016

2016 was a particularly bad year for healthcare data breaches. The largest healthcare data breaches of 2016 were nowhere near the scale of those seen in 2015 – 16,471,765 records were exposed compared to 113,267,174 records in 2015 – but more covered entities reported breaches than in any other year since OCR started publishing breach summaries on its ‘Wall of Shame’ in 2009. 2016 ranks as the second worst year in terms of the number of patient and health plan members’ records that have been exposed in a single year. As of February 6, 2017 there have been 329 reported breaches of more than 500 records that have been uploaded to the OCR breach portal. 2017 looks set to be another particularly bad year for data breaches.

2016 Healthcare Data Breaches of 500 or More Records

Year  | Number of Breaches (500+) | Number of Records Exposed
2016  | 329                       | 16,471,765
2015  | 270                       | 113,267,174
2014  | 307                       | 12,737,973
2013  | 274                       | 6,950,118
2012  | 209                       | 2,808,042
2011  | 196                       | 13,150,298
2010  | 198                       | 5,534,276
2009  | 18                        | 134,773
Total | 1801                      | 171,054,419

Largest Healthcare Data Breaches of 2016

While the above...

Read More
108 L.A. County Employees Fall for Phishing Attack: 756,000 Impacted
Jan03

108 L.A. County Employees Fall for Phishing Attack: 756,000 Impacted

It has taken some time for the County of Los Angeles to announce it was the victim of a major phishing attack, especially considering the attack was discovered within 24 hours of the May 2016 breach. However, notification had to be delayed so as not to interfere with an “extensive” criminal investigation. The investigation into the phishing attack was conducted by county district attorney Jackie Lacey’s cyber investigation response team. In many cases, cybercriminals are able to effectively mask their identities and it is relatively rare for the individuals responsible for phishing attacks to be identified. Bringing individuals to justice is harder still. All too often the perpetrators are based overseas. In this case, the investigation has resulted in the identification of a suspect: Austin Kelvin Onaghinor, 37, of Nigeria. On December 15, 2016, a criminal arrest warrant for Onaghinor was issued. Onaghinor faces nine charges related to the phishing attack, including theft and misuse of L.A. County confidential information, unauthorized computer access, and identity theft....

Regular PHI Access Log Audits Can Prevent Major PHI Breaches
Dec30

Infirmary Health has announced that an employee has been fired after being discovered to have accessed the health records of approximately 1,000 patients without authorization. The individual was required to access patients’ protected health information (PHI) for legitimate work reasons, yet those data access rights were abused. The employee worked at Atmore Community Hospital, a 49-bed facility serving patients in Escambia and Monroe counties in Alabama. A routine audit of PHI access logs on November 18, 2016 revealed that the individual first started inappropriately accessing patient records on October 3, 2015. Records continued to be inappropriately accessed until November 11, 2016. According to a press release issued by Infirmary Health, the information accessed was limited to patient names, admission dates and flowsheets. It is unclear why the information was accessed, although it is not believed that any data have been disclosed to any other individual or copied and removed from the hospital. PHI appears to have been accessed purely out of curiosity. In accordance with...

New Report Published on Privacy Risks of Personal Health Wearable Devices
Dec29

Wearable technology is now ubiquitous. Consumers have embraced the wide range of trackers and health apps that have come to market in recent years and manufacturers have responded to demand and have created an even broader range of wearable devices that track and monitor health metrics. Wearable devices have expanded from trackers that monitor heart rates, exercise levels, and sleep quality, to devices that collect a far greater range of health data. The data collected from those devices now includes information classed as protected health information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA). While the data collected by HIPAA-covered entities must be protected from unauthorized access under the HIPAA Privacy and Security Rules, those Rules only apply to healthcare providers, health plans, healthcare clearinghouses and business associates of covered entities. Non-covered entities are not required to implement the safeguards demanded by HIPAA Rules to keep ‘PHI’ secure. If a wearable device is provided to a patient by a HIPAA-covered entity, the...

Patient Posts PHI of New Hampshire State Psychiatric Hospital Patients Online
Dec28

New Hampshire Department of Health and Human Services has alerted approximately 15,000 patients to a breach of some of their personal and highly sensitive information. Patient data were accessed by a former patient in October 2015 and were posted on a social media website. The data accessed and posted online by the former patient included names and addresses along with Medicaid ID numbers and Social Security numbers. The patient gained access to the data on a laptop computer located in the hospital library. Patients are permitted to use the library and the computers, although access to patients’ protected health information should not have been possible. At the time of the breach the patient was observed accessing ‘non-confidential’ hospital data by a staff member. The incident was reported to a supervisor and steps were taken to restrict access to the library computers. At the time, it was not known that sensitive data were accessed. While a supervisor was alerted to the incident, the matter was not escalated and neither the New Hampshire Hospital nor the New Hampshire Department...

Increase in Ransomware and Cyberattacks Linked to Fall in Price of Health Data
Dec23

The value of health records on the black market dropped substantially in 2016. A set of health records is now reportedly attracting a price of between $1.50 and $10, according to a recent report from TrapX. Back in 2012, the value of a complete set of health records was around $50 to $60. The fall in price is easy to explain. Last year saw more than 113 million healthcare records breached, according to figures from the Department of Health and Human Services’ Office for Civil Rights. The vast majority of those records are in the hands of cybercriminals. Supply is now outstripping demand and just like any commodity, that results in a dramatic fall in prices. Stealing medical records is now much less profitable which means cybercriminals have to recoup their losses from somewhere. That does not mean the healthcare industry is likely to be attacked less. Instead the fall in price is likely to lead to even more attacks. In order to make the same level of profit, more records need to be stolen and sold on. The fall in the price of healthcare records has also prompted cybercriminals to...

Fairbanks Hospital Alerts Patients to Potential 3-Year Internal HIPAA Breach
Dec22

Fairbanks Hospital in Indianapolis, IN, has discovered that the electronic health information of its patients could have been accessed by all of its employees for a period of at least three years. Protections had been put in place to prevent unauthorized access to electronic health records by staff members, but on October 18, 2016, the hospital became aware that some files had been stored on an internal network that lacked those protections and could be accessed by all employees, even those who were not authorized to view patients’ electronic information. Following the discovery, an independent forensics expert was called in to determine the nature and scope of the problem. That individual was able to determine that the files had been accessible since November 2013, and potentially longer. It was not possible to say whether the files were accessible before that date. Attempts were made to determine whether the files had been accessed by employees during the time that they were unprotected, but access logs were not kept, so it was not possible to determine whether any unauthorized...

Joint Commission Ban on Secure Messaging for Orders Remains in Place
Dec22

The Joint Commission on Accreditation of Healthcare’s (Joint Commission) ban on the use of secure text messaging platforms for patient care orders will remain in place, according to its December newsletter. In April 2016, the Joint Commission took the decision to allow the use of a secure texting platform for sending orders. The ban was not totally lifted, as the Joint Commission required certain components to be in place and certain standards to be followed to ensure patient safety was not placed at risk. The ban was originally put in place because SMS messages were not secure. It was also not possible to verify the sender of a message, nor for the original message to be retained for auditing purposes. Since the original ban was introduced, a number of companies have developed secure text messaging platforms that incorporate all of the necessary security features to ensure messages cannot be intercepted. Those messaging platforms also allow the identity of the sender to be verified, ensure that messages are retained for auditing purposes, and provide a slew of other privacy and security controls...

Nurse Fired for HIPAA Violation
Dec20

Can a nurse be fired for a HIPAA violation? Certainly. Violate HIPAA Rules and having your employment contract terminated may not be the worst thing that will happen. There may also be criminal charges for HIPAA violations. Jail time is likely if protected health information (PHI) is stolen and passed on to an identity thief, although HIPAA Privacy Rule violations alone can result in a jail term. If there is aggravated identity theft, there will be a mandatory two-year sentence tacked on to the sentence. When a nurse is fired for a HIPAA violation, finding alternative employment can be problematic. Few healthcare organizations would be willing to hire an employee who has previously been fired for violating HIPAA Rules. In January this year, a nurse aide was fired from Wayne Memorial Hospital for a HIPAA violation after the inappropriate accessing of 390 patients’ records was discovered. One notable incident in 2011 saw nurses and other healthcare staff snoop on patient records. In that case, there had been a party in a neighboring town where there were multiple drug overdoses....

Security Risks of Unencrypted Pages Evaluated
Dec20

Pagers are still extensively used in the healthcare industry even though the devices have been shown to pose a considerable security risk. Trend Micro has recently demonstrated – in the company’s ‘Leaking Beeps’ series of reports – the extent to which pagers leak data and how easy it is for sensitive information to be intercepted by cybercriminals. The equipment needed to intercept unencrypted pages can even be purchased for as little as $20. The third installment in the Leaking Beeps series of reports has just been released, further highlighting the risk of exposure of healthcare data and showing how cybercriminals could attack the systems to which pagers connect. Trend Micro draws attention to two tools in particular that could be used by hackers to gain access to systems and data: SMS-to-pager gateways and email-to-pager gateways. SMS-to-pager gateways use specific numbers to receive SMS messages and forward them to pre-configured pagers. SMS-to-pager gateways are commonly used by healthcare organizations and the data transmitted is often unencrypted. Not only can messages...

TigerText Announces Record-Breaking Year for Growth
Dec16

TigerText, the nation’s leading secure healthcare messaging platform provider, has announced it has recorded another record-breaking year for growth, signing up over 300 healthcare organizations in 2016. The company now boasts more than 3,000 healthcare customers in the United States, including five of the top ten largest health systems in the country. More than 10 million secure messages are now being sent via the TigerText platform every day and the platform is used in over 5,000 healthcare facilities in the United States. TigerText was originally developed as a standalone messaging platform, yet over the course of the past 6 years it has evolved into a comprehensive clinical communications platform. The platform has been tailored to meet the exacting needs of healthcare organizations, including the strict privacy and security controls required by the Health Insurance Portability and Accountability Act (HIPAA). This year has seen two major new developments. Earlier this year, the TigerText platform achieved the prestigious HITRUST certification and in October the company launched...

ONC Issues Challenge to Develop a New Online Model Privacy Notice Generator
Dec15

The Department of Health and Human Services’ Office of the National Coordinator for Health Information Technology (ONC) has challenged designers, developers, and health data privacy experts to create a new online Model Privacy Notice (MPN) generator. At present, the MPN is a voluntary resource that helps health technology developers who collect electronic health data provide information to consumers about how health data is collected, used, and protected. The purpose of the MPN is to improve transparency and clearly display information about an organization’s privacy practices to enable consumers to make an informed decision about whether to use a particular product. While the ONC, in conjunction with the Federal Trade Commission (FTC), developed a Model Privacy Notice in 2011, technology has moved on considerably in the past five years. The MPN was intended to be used for personal health records, but the range of products that collect health data is now considerable, and includes wearable devices and mobile applications. The current MPN is therefore somewhat dated. ONC notes that...

Hospital Employee Jailed for Credit Card Theft
Dec12

An employee of Banner Boswell Hospital in Sun City, AZ has been arrested and jailed for stealing credit card details from hospital patients. Filip Chudziak, 40, of Surprise, AZ was charged with identity theft, fraudulent schemes, and fraudulent use of credit cards by the Maricopa County Sheriff’s Office this weekend following an investigation into credit card fraud by Maricopa County detectives. The offenses were committed over a period of three months. Potentially fraudulent transactions were reported to law enforcement by Joe Bob’s Outfitters in Kansas and also reported to the Hays City Police Department by multiple patients who had noticed fraudulent charges on their credit card statements. Chudziak’s role at Banner Boswell Hospital involved moving patients and their possessions while they were receiving treatment at the hospital. Chudziak allegedly used access to patients’ possessions to obtain their credit cards. He then used those details to make online purchases at Joe Bob’s Outfitters. Using his mother-in-law’s name and a number of different billing addresses, Chudziak...

Healthcare Data Breaches Fell in October
Nov17

There was a fall in the number of data breaches reported by healthcare organizations in the United States in October, according to the latest Breach Barometer report from Protenus. This is the second month in a row in which the number of data breaches has fallen. The number of reported breaches dropped from an annual high of 42 incidents in August to 35 breaches in October, two fewer breaches than were reported last month. However, the number of exposed records increased from 246,876 in September to 776,533 records in October. The final victim count for the month could be considerably higher, as while 35 breaches were reported, the number of individuals impacted by four of those incidents is not yet known. There were some notable IT security incidents reported last month: Four healthcare organizations reported being attacked with ransomware in October. Three of those incidents resulted in a permanent loss of healthcare data. Two organizations attempted to recover data from backups, only for the backup recovery process to fail, while one healthcare organization reported data loss as a...

U.S. Court of Appeals Grants Stay in FTC v. LabMD Case
Nov11

There has been a long-running battle between the Federal Trade Commission (FTC) and LabMD over the accidental exposure and disclosure of sensitive personal information of patients and the actions LabMD must take to mitigate risk. The accidental disclosure occurred after LabMD’s billing manager installed the file sharing program LimeWire on a work computer in 2005. The program was used for downloading and sharing music and video files for her personal use. However, the file sharing folder she used – her “My Documents” folder – also contained a work file which contained 1,718 pages of sensitive information of 9,300 patients. That file could have been downloaded by other LimeWire users. The file was discovered by the security firm Tiversa in 2008 and was downloaded. Tiversa attempted to get LabMD to purchase its services to mitigate risk. After LabMD refused, Tiversa notified the FTC, which launched an investigation. The FTC determined that a lack of appropriate security for its customers’ personal information constituted a violation of the Federal Trade Commission Act, 15 U.S.C. § 45....

Data Theft and Social Engineering Biggest Concerns for Healthcare CIOs
Oct28

The College of Healthcare Information Management (CHIME) has explored the deepest, darkest fears of healthcare chief information officers (CIOs) and chief information security officers (CISOs) in a recent survey, the findings of which were presented to the Department of Health and Human Services Cybersecurity Task Force this week. The survey, which was conducted on 190 CHIME and Association for Executives in Healthcare Information Security (AEHIS) members, explored the biggest perceived threats to healthcare data and some of the challenges faced by the industry. Opinions were also sought on some of the most important ways the federal government could help CISOs/CIOs share cybersecurity information. Respondents were asked to rate threats from 1 to 5 based on their level of concern, with 1 being their biggest concern. Data theft came top with an average rating of 1.75. Social engineering was second with an average rating of 1.88. The risk from insiders was third with an average rating of 2.36. Perhaps unsurprisingly given the number of reported ransomware and malware infections in...

Study Highlights Risk of PHI Exposure from Unencrypted Healthcare Pagers
Oct27

Many healthcare providers have now transitioned from pagers to more secure forms of communication. Secure text messaging platforms allow protected health information to be shared quickly and efficiently between physicians and care team members. Those platforms incorporate the necessary security features to ensure messages cannot be intercepted and viewed by unauthorized individuals. However, pagers typically lack security controls such as encryption. Many even lack the functionality to be able to authenticate users. As such, many pager systems used by healthcare providers are violating HIPAA Rules. A recent study conducted by Trend Micro has clearly shown just how easy it is for healthcare pager messages to be intercepted. Researchers found they could intercept and decode pager messages using only a software-defined radio (SDR) and a USB dongle – equipment that can be purchased for as little as $20. Further, it is not even necessary to be in close proximity to the source of the pages to intercept messages. The $20 equipment is capable of picking up messages many miles from the...

Majority of Healthcare Vendors Not Ready to Comply with the HITRUST Data Security Standard
Oct12

The Department of Health and Human Services’ Office for Civil Rights has stepped up HIPAA enforcement activities in recent years and oversight of covered entities is improving. One area of HIPAA compliance that has come under increased scrutiny is the effort made by healthcare business associates to ensure protected health information is protected in accordance with HIPAA Rules. Approximately 30% of healthcare data breaches reported to OCR involved a business associate, according to a recent analysis conducted by Protenus. Given the number of breaches involving vendors, it is unsurprising that OCR is looking more closely at business associates. The increased scrutiny has prompted many healthcare organizations to conduct a review of the measures employed by their vendors to ensure protected health information is appropriately secured and sufficient controls have been put in place to ensure ePHI remains private. Business associates now need to demonstrate they have implemented appropriate controls and are effectively managing cybersecurity risk. Business associates can demonstrate...

Boxes of Abandoned Veterans Services’ Files Discovered
Oct11

The Virginia Department of Veterans Services (DVS) has launched an investigation following the discovery of 20-30 boxes of files in an abandoned storage unit. The files contain a range of documents including unfiled claims and veterans’ medical records. The storage unit had previously been leased by a former DVS employee who was employed by the agency from January 2012 until August 25, 2015, when she was fired. The employee worked at the veterans’ benefits office at the McGuire Veterans Affairs Medical Center office in Richmond. She had rented the storage unit while employed by DVS; however, rental payments for the unit ceased. The unit was then repossessed and the contents were sold at auction. The new owner of the contents of the unit alerted the Dinwiddie County Sheriff’s Office after checking the contents of the boxes, and DVS was notified on September 29. DVS officials visited the storage facility and have now removed and secured the files. According to the agency’s director of benefits, Thomas Herthel, the boxes contain “everything from claims to medical records to...

Surgeon General Warns Employees of Personal Information Breach
Oct04

Another federal agency has experienced a breach of personal information. This time, the data of current, former, and retired members of the United States Public Health Service Commissioned Corps has been compromised. The Commissioned Corps is tasked with providing medical services to underserved populations as well as promoting, protecting, and advancing the health and safety of the nation, including disease control, and ensuring drugs and medical devices are safe and effective. The Commissioned Corps includes around 6,600 medical professionals including physicians, surgeons, therapists, pharmacists, dentists, and nurses. At this stage it is unclear exactly how many of those individuals – and former and retired members – have been affected by the breach. The security incident is currently under investigation, although employees have been notified by email of the breach by Surgeon General Vice Adm. Vivek H. Murthy. “Based on our investigation, affected individuals are those served by this website-based system: current, retired, and former Commissioned Corps officers...

Action Taken Against Healthcare Employees for Fraud and Privacy Breaches
Sep30

Earlier this month, New York Attorney General Eric T. Schneiderman announced that four former nursing home aides had been arrested and charged with felonies and misdemeanors relating to the taking of photographs and videos of nursing home residents. Mathew Reynolds and Angel Rood, former employees of Pontiac Nursing Home in Oswego, were charged with Endangering the Welfare of an Incompetent or Physically Disabled Person in the First Degree and Willful Violation of the Public Health Law after taking demeaning pictures of residents. According to the announcement, “Several of the pictures allegedly depict the defendants lying in bed with a resident and touching the resident in a taunting and abusive manner.” In a separate case, Austin Powell and Brittany Bolster were charged with Endangering the Welfare of an Incompetent or Physically Disabled Person in the First Degree, in addition to Willful Violation of the Public Health Law for offenses committed while employed at St. Lukes Health Services in Oswego. In this case, videos were taken of the pair verbally and physically tormenting a...

Healthcare Cybersecurity Knowledge Gaps Placing ePHI at Risk of Exposure
Sep20

A recent report issued by Wombat Security, a provider of security awareness and training software, suggests healthcare employees have gaps in their cybersecurity knowledge which could pose a serious risk to ePHI. Knowledge of the dangers of oversharing on social media, the unsafe use of Wi-Fi, secure data disposal, secure passwords, and phishing was found to be lacking. This undoubtedly would lead to individuals engaging in risky behaviors. For the study, Wombat analyzed the responses to over 20 million questions and answers that were designed to evaluate how proficient end users were at identifying and managing security threats. Respondents came from a wide range of industries, including healthcare. The study revealed that the main problem area was the safe use of social media. In the question-based assessments of cybersecurity knowledge, 31% of questions on safe social media use were missed. The report pointed out that only 55% of companies conduct assessments on safe social media use. The second biggest cause for concern was safe data disposal, with 30% of questions missed....

Improving Healthcare Cybersecurity: HIMSS Suggests Information Sharing is Key
Sep16

Healthcare organizations are committing more funding to cybersecurity and are improving their defenses against cyberattacks, although there is still a long way to go before cybersecurity defenses reach the standards in other industry sectors. Many healthcare organizations are still struggling to plug security gaps and effectively manage risk, and while large healthcare organizations are now being more proactive when it comes to cybersecurity, small to medium sized healthcare organizations are having difficulty overcoming some of the many challenges faced by the industry. As the National Institute of Standards and Technology (NIST) recently pointed out, “Many [healthcare] organizations still have a reactive stance towards cybersecurity.” NIST is attempting to address this issue and has recently submitted a request for information on current and future states of cybersecurity in the digital economy. Its aim is to make detailed recommendations on how cybersecurity can be enhanced to improve public safety and patient privacy. NIST is also looking for ways to foster the discovery and...

California Anesthetist Alerts Patients to Improper Disposal of PHI
Sep14

An anesthetist based in Los Banos, California has notified a number of his patients that some of their protected health information was accidentally disposed of in regular trash containers. Billing tickets used by the practice of Pratap Kurra, M.D., were discovered in trash containers on August 9, 2016. The matter was brought to the attention of Dr. Kurra, who established that the documents had been disposed of the previous day. Dr. Kurra says the discarded documents were collected from the trash containers and PHI was only exposed for a maximum of 24 hours. Dr. Kurra does not believe any billing tickets were removed from the trash container by unauthorized individuals, and all discarded documents are understood to have been retrieved. An investigation was conducted to determine which patients were affected and how the billing tickets came to be discarded. Dr. Kurra ascertained that this was a one-off incident and occurred by accident during his move. The billing tickets did not contain Social Security numbers, dates of birth, insurance details, or financial information, so the risk of...

8.8 Million Healthcare Records Breached in August
Sep09

August was a bad month for healthcare data breaches. More than 8.8 million patient and health plan member records were exposed or stolen. 8,804,608 to be precise. According to the latest installment of the Protenus Breach Barometer, the total number of healthcare records stolen or exposed this summer now exceeds 20 million. In August, 44 breach reports were submitted to the Department of Health and Human Services’ Office for Civil Rights which relate to 42 separate incidents. That makes August the worst month so far this year for healthcare data breaches, and second worst in terms of the number of healthcare records exposed. Only June saw more records breached (11,061,649). The total number of breaches reported so far in 2016 is now up to 233. The Breach Barometer shows that one of the biggest threats to healthcare data security is insiders. Insiders were responsible for causing 42.86% of the data breaches reported in August. Hacking – including ransomware attacks – was the second biggest cause of breaches accounting for 28.57% of incidents. Loss and theft of devices...

Rotech Healthcare Reports 967-Record PHI Breach
Aug19

The protected health information of 967 patients of Orlando, FL-based Rotech Healthcare Inc. has been discovered in the residence of a third party who was not authorized to have the information. Rotech Healthcare, a provider of respiratory and sleep apnea equipment, was notified of the PHI breach by law enforcement officers on June 13, 2016. The data listed on the recovered documents include names, addresses, patient ID numbers, Social Security numbers, phone numbers, dates of birth, and the name of the facility where patients received healthcare services. The data appears to have been taken from Rotech Systems, a subsidiary of Rotech Healthcare Inc. It is not clear at this stage how the data came to be in the possession of an unauthorized individual, but a full investigation is underway. Rotech Healthcare has enlisted the services of a third party cybersecurity firm to perform a forensic analysis of its systems to determine the source of the breach. While the breach was discovered in June and Rotech was informed of the incident promptly, it has taken some time to recover the...

HITRUST CyberAid Cybersecurity Initiative Trialed in North Texas on Small Healthcare Organizations
Aug17

Large healthcare organizations have the budgets and resources for complex cybersecurity solutions to prevent intrusions and keep the protected health information of patients secure. However, smaller healthcare organizations, in particular physician groups with fewer than 75 employees, face considerable challenges. Many cybersecurity solutions are not ideal for the small business environment and the cost of implementing appropriate defenses against cyberattacks can be prohibitively expensive. However, effective cybersecurity solutions must be deployed. Healthcare organizations are now being targeted by cybercriminals and smaller organizations face a high risk of attack. Hackers are well aware that the defenses of small healthcare organizations can lack sophistication. This can make small practices a target for hackers. If a successful cyberattack occurs it can be catastrophic for small practices. The cost of mitigating risk after a cyberattack is considerable. Many healthcare organizations lack the funds to deal with cyberattacks. This was clearly demonstrated by the cyberattack on...

CMS Cracks Down on Social Media Abuse of Nursing Home Residents
Aug15

A significant number of cases of abuse of nursing home and assisted living center residents have come to light in recent months. The cases involved the taking of degrading and demeaning photographs and videos of residents by employees of nursing facilities, and sharing the images and videos on social media websites. Photographs of residents in various states of undress, covered in feces, or made to pose in degrading positions have been published on social media websites such as Snapchat, Instagram, and Facebook. The cases were recently highlighted in a ProPublica report, which uncovered 47 reports of such abuse since 2012. That report, along with other media coverage of abuse in nursing facilities, has spurred the Centers for Medicare and Medicaid Services (CMS) to take action. The CMS recently sent a memo to state health departments reminding them of facility and state agency responsibilities and the rights of residents to be free from all types of abuse, including mental abuse. The taking of demeaning videos and/or photographs and publishing the imagery on social media websites...

Walgreens Improper PHI Dumping Case Closed by OCR After 9 Years
Aug15

Ten years ago, WTHR 13 conducted an investigation into the improper disposal of sensitive information by pharmacies. The investigation followed a robbery at the home of an Indiana resident: a drug addict targeted the individual knowing that she had pain medication, information that had been obtained from a pharmacy dumpster. Reporters checked the dumpsters behind a number of pharmacies in Indiana and discovered bags of trash, many of which contained sensitive information such as prescription details, names, addresses, and phone numbers. In some cases, credit card details were also printed on documents discarded with the regular trash. The investigation initially focused on Walgreens, although it was later expanded to a number of other pharmacy chains, including CVS and Rite Aid, and to 12 states. Initially, reporters were told by Walgreens representatives that the improper dumping of sensitive information was not company policy and had occurred only in isolated incidents....

Karen DeSalvo Leaves ONC: Vindell Washington Takes Over
Aug12

For the past two years, Karen DeSalvo has served as the National Coordinator for Health Information Technology, the head of the Office of the National Coordinator for Health Information Technology (ONC). That role has now come to an end, as DeSalvo steps down today. The new ONC head will be the former deputy national coordinator, Dr. Vindell Washington. DeSalvo will not be leaving the Department of Health and Human Services (HHS): she will continue in her role as acting assistant secretary for health, a position she has held since October 2014, when she took on the post to oversee the nation’s response to the Ebola crisis. Leaving the position of national coordinator will allow DeSalvo to concentrate on that role. Before DeSalvo joined the ONC, one of its main functions was to oversee the adoption of electronic health records by the healthcare industry. When DeSalvo took over as head, the ONC was becoming increasingly involved in promoting interoperability. DeSalvo played an important part in driving the meaningful use EHR incentive program forward and advancing...

BA Error Exposes PHI of Patients for Four Months
Aug11

An error by a business associate of Carle Health System has resulted in the protected health information of 1,185 patients being made accessible to unauthorized individuals. The error occurred on February 17, 2016 and was not discovered until June 14. Files containing PHI had been supplied to the business associate in order for specific contracted duties to be performed. However, the files were copied onto a Carle server that could be accessed by other vendors who were not authorized to view PHI. According to a press release issued by Carle, the server was used for sharing large documents, but the business associate was unaware that it was not supposed to be used for sharing protected health information. No evidence has been uncovered to suggest that the files were accessed by other vendors, and at no point were the data accessible via search engines. The server could only be accessed if a username and password were entered, although login credentials had been supplied to a number of Carle vendors, so authentication alone did not restrict who could reach the files. Patients have been notified of the potential privacy breach as a...

Hacker Steals PHI of 23,000 Patients of Prosthetic and Orthotic Care
Aug11

Prosthetic and Orthotic Care (POC), an independent prosthetics and orthotics company serving disabled individuals in Southern Illinois and Eastern Missouri, has discovered that an unauthorized individual has stolen the protected health information of 23,015 patients. The cyberattack occurred in June 2016, although POC only became aware of the hacking incident on July 10. The hacker gained access to patient data by exploiting a security flaw in a third-party software system that had been purchased by POC. The attack was conducted by a hacker operating under the name TheDarkOverlord, who was also responsible for the cyberattacks on Athens Orthopedic Clinic and Midwest Orthopedics Group, in addition to a hack of an as-yet-unnamed health insurer. In total, the records of over 9.5 million patients are understood to have been obtained by the hacker. According to a breach notice issued by POC, the stolen data include names, addresses and other contact information, internal ID numbers, billing amounts, appointment dates, and diagnostic codes. Some patients also had their Social Security...

Potential 2,000 Record PHI Breach Reported by California Physician
Aug11

Brian D. Halevie-Goldman M.D. has notified 2,000 patients that some of their protected health information has been exposed – and potentially accessed – by unauthorized individuals. The data – which include patient names, chart notes, and birthdates – were stored on two laptop computers which had been left in a locked vehicle. The laptops were protected with passwords but were not encrypted. A login password alone does not prevent data being read from a drive removed from a stolen laptop, and unlike encryption that meets HHS guidance, it does not qualify the device for the HIPAA breach notification safe harbor. No highly sensitive information such as insurance information, Social Security numbers, or financial data was stored on the laptops. The theft occurred on July 19, 2016 and the incident was immediately reported to the Vacaville California Police Department, although the devices have not been recovered. It is probable that the laptops were stolen for their resale value rather than for the data stored on them, although that possibility cannot be ruled out. Dr. Halevie-Goldman believes that the risk of patient information being used inappropriately is limited. Staff at Dr. Halevie-Goldman’s medical office are in the process of conducting...

OCR Warns of Threat of Insider Data Breaches
Aug03

Cyberattacks on healthcare organizations have increased significantly in recent months. According to research conducted by the Ponemon Institute, criminal activity is now the leading cause of healthcare data breaches. So far in 2016, 51 hacking incidents have been reported to the Department of Health and Human Services’ Office for Civil Rights (OCR). Those hacks have resulted in the exposure and/or theft of the protected health information of 2,801,082 individuals. The OCR breach portal shows that 114,604,625 patients have had their PHI exposed as a result of hacking incidents since January 1, 2015, not including the 9.3 million records that were stolen from a U.S. health insurer last month by the hacker TheDarkOverlord. While attacks by external malicious actors have resulted in the exposure and theft of a huge amount of patient data, healthcare organizations should not ignore the threat from within. Insider data breaches are fast becoming one of the biggest threats to healthcare organizations. Cyberattacks conducted by...

FTC Reverses ALJ Decision on LabMD Data Security Case
Aug02

Last year, an Administrative Law Judge (ALJ) dismissed a data security case filed against the medical testing laboratory LabMD Inc., by the Federal Trade Commission (FTC). On Friday last week, the FTC announced that the decision has been overturned and LabMD is liable for unfair data security practices. The FTC had accused LabMD of violating Section 5 of the Federal Trade Commission Act by failing to protect sensitive information of consumers. The FTC maintained that data security practices at LabMD were “unreasonable and constituted an unfair act or practice”. In a 3-0 vote, the ALJ’s decision was overturned. The ALJ had previously dismissed the case as the FTC had failed to establish that consumers had come to harm as a result of the security failures. The FTC concluded that the ALJ had applied the wrong legal standard for unfairness. LabMD had been supplied with a substantial amount of consumer data which was stored for a number of years. The types of data supplied to the company included sensitive medical and personal information of healthcare patients. In total, the data of...

Med Students Violating HIPAA by Tracking Patients on EHRs
Aug02

Medical students are using hospital electronic health records to track former patients, even though by doing so they are potentially violating the Health Insurance Portability and Accountability Act (HIPAA). While it is known that the practice occurs, little research has been performed to determine the extent to which EHRs are accessed and the exact reasons why patients are tracked. In August 2013, Gregory E. Brisson, MD of Northwestern University Feinberg School of Medicine in Chicago, IL and Patrick D. Tyler, MD of Beth Israel Deaconess Medical Center in Boston, MA conducted a survey of 169 students at one academic healthcare center to investigate medical students’ use of EHRs to track patients. The findings of the study have recently been published in JAMA Internal Medicine. The study revealed that the vast majority of medical students were using EHRs to track former patients: 96.1% of medical students admitted that they had previously used EHRs to track former patients, and 92.9% of students said there were educational benefits to be gained from following up on patients’ progress...

Two Cases of Unauthorized PHI Access by Employees Reported
Jul29

Two healthcare providers have announced they have discovered employees improperly accessing the protected health information of patients. In one case, the medical records of approximately 5,400 patients were improperly accessed over a period of almost four years. Providence Health & Services in Oregon recently conducted an internal audit which included checking ePHI access logs. Auditors discovered that a Portland-based employee had been accessing patient files without any legitimate work reason for doing so. The improper access first started in July 2012 and continued until April 2016. During that time, the records of approximately 5,400 patients were accessed. The files included patient names, demographic information, details of medical treatments, and potentially also medical insurance details and Social Security numbers. Providence Health & Services does not believe that the employee disclosed any patient information to other individuals, nor that any information has been used inappropriately. The discovery has prompted Providence Health & Services to introduce new controls to prevent...
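
The Providence case was found by auditing ePHI access logs. As an added example (not code from Providence or from this site), the script below runs two checks that such an audit typically combines: flagging accesses by a user with no assigned treatment relationship to the patient, and flagging a user who opens many distinct charts in a short window, a pattern that relationship checks alone miss when assignments are incomplete. The log format, the user IDs and MRNs, the care-team roster, and the thresholds are all constructed assumptions for illustration.

```python
"""Audit constructed EHR access-log lines for insider snooping patterns.

Added example; the log layout (timestamp|user|patient_mrn|action), the
users, MRNs, care-team roster and thresholds are assumptions, not data
from any real system or from the case described on the page.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log. u101 is assigned to MRN 5001 only; u202 to 5002 and 5003.
SAMPLE_LOG = """\
2016-03-01T08:02:11|u101|5001|VIEW_CHART
2016-03-01T08:05:43|u101|5002|VIEW_CHART
2016-03-01T08:06:02|u101|5003|VIEW_CHART
2016-03-01T08:06:20|u101|5004|VIEW_DEMOGRAPHICS
2016-03-01T09:15:00|u202|5002|VIEW_CHART
2016-03-02T22:40:09|u101|5005|VIEW_CHART
"""

# Assumed treatment-relationship roster: user -> MRNs the user is assigned to.
CARE_TEAM = {
    "u101": {"5001"},
    "u202": {"5002", "5003"},
}


def parse_log(text):
    """Parse pipe-delimited lines into event dicts, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, mrn, action = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "mrn": mrn, "action": action})
    return events


def find_unassigned_access(events, care_team):
    """Events where the user has no assigned relationship with the patient."""
    return [e for e in events if e["mrn"] not in care_team.get(e["user"], set())]


def find_burst_access(events, max_patients=3, window_seconds=600):
    """Users who opened more than max_patients distinct charts within any
    window of window_seconds. Returns {user: distinct chart count}."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)
    flagged = {}
    for user, evs in by_user.items():
        for i, start in enumerate(evs):
            window = [x for x in evs[i:]
                      if (x["ts"] - start["ts"]).total_seconds() <= window_seconds]
            distinct = {x["mrn"] for x in window}
            if len(distinct) > max_patients:
                flagged[user] = len(distinct)
                break
    return flagged


def audit(text=SAMPLE_LOG, care_team=CARE_TEAM):
    """Run both checks and return the findings for review."""
    events = parse_log(text)
    return {
        "unassigned": [(e["user"], e["mrn"]) for e in find_unassigned_access(events, care_team)],
        "bursts": find_burst_access(events),
    }


if __name__ == "__main__":
    for check, result in audit().items():
        print(check, result)
```

On the constructed log, u101 is flagged for four accesses outside the assigned roster and for opening four distinct charts within ten minutes, while u202's single in-roster access is not. In practice the roster check needs a source of truth for treatment relationships (admissions, orders, scheduling), and the burst threshold has to be tuned per role, since emergency and registration staff legitimately open many charts quickly.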

StarCare Specialty Health System Reports Potential PHI Breach
Jul28

The protected health information of 2,844 StarCare Specialty Health System patients has potentially been compromised following the burglary of StarCare/StarQuest offices in Lubbock, Texas on May 30, 2016. Thieves broke into the offices at 3315 East Broadway and stole five laptop computers. One of those devices contained the ePHI of patients, including names, telephone numbers, Social Security numbers, medical record numbers, Medicaid/Medicare numbers, diagnoses, and admission and discharge dates. It is unclear whether the laptop was password protected; the data were not encrypted. A box of patient files was also in the office, and it is possible that the information in some of the files was viewed by the burglars, although the paperwork was not removed from the office. All affected individuals had previously received Behavioral Health program services, Intellectual Developmental Disabilities program services, and/or Therapeutic Treatment Community services from StarCare. While it is not possible to prevent break-ins and theft of equipment, it is...

Athens Orthopedic Clinic Confirms Cyberattack: TDO Dumps More Data
Jul26

Athens Orthopedic Clinic has confirmed that its patients have been impacted by a cyberattack which was conducted using the login credentials of one of its software vendors. Electronic medical records of current and former patients were breached, according to the notice on the healthcare provider’s website. While the substitute breach notice did not explain the exact nature of the attack nor the number of patients affected by the breach, the incident to which the breach notice refers is the cyberattack conducted by TheDarkOverlord. Athens Orthopedic Clinic is the Georgia healthcare provider from which 397,000 records were stolen. In addition to patient data being offered for sale on the darknet marketplace TheRealDeal, more data have recently been dumped on the data sharing website Pastebin. The records of 500 patients were initially disclosed by TDO for verification purposes. A further 509 records have recently been uploaded to Pastebin. The posting, which is still accessible, includes names, genders, ages, dates of birth, client type, Social Security numbers, addresses, and other raw...

Large Privacy and Security Gaps at Non-HIPAA Covered Entities Highlighted by ONC Report
Jul20

Consumers’ health data is potentially being placed at risk by entities that are not covered by HIPAA Rules, according to a recent report issued by the ONC. The report – Examining Oversight of the Privacy & Security of Health Data Collected by Entities Not Regulated by HIPAA – was produced following a study of the application of privacy and security requirements to non-HIPAA covered entities and business associates. The report also draws on work conducted by the FTC, National Committee on Vital and Health Statistics (NCVHS), and OCR. The ONC explains in the report that a large number of organizations are now collecting, storing, and transmitting health data, yet many of those organizations are not subject to the same rules concerning the protection of ePHI as traditional healthcare organizations. Data and privacy protections at non-HIPAA-covered entities are not always robust and numerous gaps exist that place the health data of individuals at risk.

The Scope of HIPAA is Limited

HIPAA covers traditional healthcare organizations that perform electronic transactions –...

OCR Publishes Report on Hospital Reviews to Assess Privacy Protections for HIV/AIDS Patients
Jul19

The Department of Health and Human Services’ Office for Civil Rights has published a new report on its National HIV/AIDS Compliance Review Initiative. The initiative commenced in 2014 and involved compliance reviews at 12 hospitals in regions of the country experiencing the greatest numbers of new HIV infections. The compliance reviews took place at hospitals in Atlanta, Baltimore, Chicago, Dallas, Houston, Los Angeles, Miami, New York City, Philadelphia, San Francisco, Washington DC, and San Juan in Puerto Rico. The aim of the compliance reviews was to ensure that individuals with HIV and AIDS were being provided with equal access to medical services and programs and that individuals with limited English proficiency (LEP) were provided with meaningful access. The reviews were also conducted to ensure hospitals were complying with the Health Insurance Portability and Accountability Act (HIPAA). Healthcare facilities must ensure that privacy protections are implemented so that individuals’ health information is appropriately secured and kept private and...

Lifting of Joint Commission Ban on Secure Text Orders Delayed until Fall
Jul18

The lifting of the Joint Commission ban on secure text orders was welcomed by healthcare organizations and secure messaging providers; however, the ban is now back in place. Text orders cannot currently be sent, even if a secure messaging platform is used.

Joint Commission Ban on Secure Text Orders Lifted Only for a Month

The lifting of the Joint Commission ban on secure text orders was announced in the May Perspectives newsletter, although the June newsletter explained that organizations wishing to use a secure messaging platform must first be provided with further guidance to help them incorporate the texting of orders into their policies and procedures. The May Perspectives newsletter explained that “effective immediately” the Joint Commission ban on secure text orders was lifted. The newsletter explained that in order for healthcare organizations to start using text messages to transmit orders a number of conditions needed to be satisfied. Standard text messaging platforms could not be used due to the risk of data being intercepted. The texting of orders would only be permitted...

Arkansas Spine & Pain Informs Patients About Bizmatics Security Breach
Jul15

Little Rock, AR-based Arkansas Pain and Spine is the latest healthcare provider to alert its patients that their protected health information was potentially viewed and copied during the Bizmatics data breach in 2015. In May, healthcare organizations that used the PrognoCIS EMR management tool were notified that patient data had potentially been accessed as a result of a malware infection on a Bizmatics server. The malware is understood to have been loaded onto the server in January 2015, but the infection was not discovered until late 2015. Healthcare organizations have up to 60 days from discovery of a breach to notify patients whose PHI has been exposed. Over the past couple of months, affected healthcare organizations have been sending out breach notifications. Arkansas Pain and Spine was informed on May 12, 2016 that some of its patients had been affected by the security breach. Patients potentially had their names, dates of birth, addresses, health insurance information, Social Security numbers, and other clinical information exposed. Bizmatics contracted an external cybersecurity firm to assist...

PHI Exposed Due to Retirement Systems of Alabama Website Error
Jul15

An error on the website of the Retirement Systems of Alabama (RSA) has resulted in the exposure of hundreds of retirees’ protected health information. The PHI of members of the Public Education Employees’ Health Insurance Plan (PEEHIP) was accessible via the member portal of the RSA website for a number of days. Social Security numbers, dates of birth, plan members’ names and those of their dependents, ID numbers, and retirement dates were temporarily accessible to other members who accessed the PEEHIP member portal. The privacy breach was discovered by a woman from Mobile who was accessing the portal on behalf of her parents. After logging in to the portal she was able to view the PHI of hundreds of other retirees. The incident occurred late on a Friday. Realizing the error, the woman contacted PEEHIP but was unable to speak to anyone. On Monday she alerted the FBI and was able to get a message to the RSA IT department, according to an Alabama Media Group report. RSA is aware of the issue; the portal was undergoing maintenance and the issue was resolved on or...

Pennsylvania Ambulatory Surgery Center Alerts 13K Patients to Ransomware Attack
Jul15

Langhorne, PA-based Ambulatory Surgery Center at St. Mary has announced that it was the victim of a ransomware attack on June 1, 2016, according to the Bucks County Courier Times. The IT department was alerted to the ransomware infection by staff members who were prevented from accessing files stored on its computer network. While other ransomware victims have been forced to give in to attackers’ demands in order to recover encrypted files, the Ambulatory Surgery Center was able to restore all affected files from a backup and did not have to pay the ransom. As the Department of Health and Human Services’ Office for Civil Rights confirmed this week, a ransomware attack that encrypts ePHI is presumed to be a reportable breach unless the healthcare organization can demonstrate a low probability that the PHI was compromised, so patients must be notified of the possible disclosure of their protected health information. The Ambulatory Surgery Center sent breach notification letters to almost 13,000 patients last week to advise them that their PHI may have been accessed. All individuals affected by the security breach have been offered credit monitoring...

Stolen Ultrasound Machines Contained PHI, says Kaiser Permanente
Jul14

Kaiser Permanente discovered that some of its ultrasound machines and other medical equipment had been stolen by two company employees. Kaiser Permanente was alerted to the theft of equipment on June 10 and immediately launched an investigation. Efforts were then made to recover the missing equipment. Kaiser Permanente has now recovered the stolen equipment and has performed an analysis to determine whether any patient data were stored on the devices. Kaiser Permanente determined that some of the machines contained a limited amount of patients’ protected health information, including medical record numbers (MRNs), patients’ first and last names, and ultrasound images. The equipment had been taken from a number of different Kaiser Permanente facilities and had been temporarily moved to a storage unit. The Kaiser Permanente investigation is ongoing, but it is believed that the ultrasound machines and medical equipment were taken by the employees only to sell on for profit, and not for any data stored on the devices. The theft of equipment has been reported to law enforcement and a criminal investigation has...

Major 2016 Healthcare Data Breaches: Mid Year Summary
Jul11

Cyberattacks on healthcare organizations are now a fact of life. As long as it remains profitable for hackers to conduct attacks on healthcare organizations, the cyberattacks will continue. Given the volume of healthcare data breaches now being reported, it is clear that the healthcare industry must do more to strengthen defenses against cyberattacks and insider threats. To do that, healthcare organizations need to look beyond HIPAA compliance. Healthcare organizations had a torrid time in 2015. In 2015, more healthcare records were stolen than in any other year since records of breaches started being published by the Office for Civil Rights. Some of the cyberattacks on healthcare providers and health insurers resulted in staggering amounts of data being stolen.

Major 2016 Healthcare Data Breaches

Until the last week in June it looked like the healthcare industry had avoided mega data breaches on the scale of the 2015 cyberattacks on Anthem, Premera BlueCross, and Excellus BlueCross BlueShield. However, as the first half of the year came to an end, a hacker offered a 9.3-million...

Another Hacked Healthcare Database Listed for Sale: Some Victims Confirmed
Jul11

The listing of three healthcare databases containing 655,000 healthcare records in late June was followed by a posting of a much larger health insurer database containing 9.3 million records. Now, a fifth database has been offered for sale. The latest batch of healthcare data contains 23,565 patient records. The latest database was obtained by the hacker TheDarkOverlord “through the token impersonation of an employee.” The organizations whose data have been listed for sale have not come forward and confirmed that they are the victims, although further information has emerged linking two organizations to the latest breaches. After performing some investigative work on the samples provided by the hacker to confirm authenticity of the stolen data, Databreaches.net was able to determine that the database containing 48,000 records most likely came from Midwest Orthopedic Pain & Spine. This batch of data was initially claimed to have come from a healthcare organization in Farmington, Missouri. The DarkOverlord has since confirmed that the data came from the Scott A. Vanness-owned...

North Ottawa Medical Group Notifies 22,000 of Bizmatics Breach
Jul08

North Ottawa Medical Group (NOMG) has notified 22,000 of its patients that they have been impacted by a malware infection that was discovered by its EMR management company, Bizmatics. NOMG joins a long list of organizations that have been impacted by the breach. The latest announcement takes the total number of patients affected by the security breach to over 265,000 individuals. The data potentially exposed as a result of the malware infection on Bizmatics’ server include patients’ names, addresses, health visit data, treatment information, health insurance information, and in some cases, Social Security numbers. The last four digits of payment cards could potentially also have been exposed. Patients affected by the breach had previously sought medical services at NOMG’s Internal Medicine, Family Practice, or Women’s Health physician practices. The investigation into the security incident conducted by Bizmatics did not uncover evidence to suggest that patient data had in fact been accessed by unauthorized individuals. The company also could not confirm whether the malware was...

Midland Memorial Hospital Announces Potential PHI Breach
Jul08

Midland Memorial Hospital has announced that some of its patients’ protected health information has potentially been viewed by unauthorized individuals. On April 8, 2016, the Midland, Texas-based hospital was alerted to a privacy breach that exposed patients’ names, addresses, dates of birth, medical diagnoses, medications, medical procedures, physician’s notes, medical record unit numbers, medical account numbers, and health information. In some cases, patients also had their Social Security numbers exposed. Patients’ PHI was left unprotected at a private residence by Mario M. Gross, M.D., a physician who had previously worked at the hospital. The paper files were left in an area where they could potentially have been accessed by members of the public. Once alerted to the security breach, staff from the hospital visited the residence and retrieved and secured the records. The hospital was unable to determine whether the records had actually been viewed by unauthorized individuals during the time that they were accessible; however, no evidence has been uncovered to suggest that any...

Potential Privacy Breach at Planned Parenthood Dubuque Health Center
Jul05

On July 1, 2016, Planned Parenthood of the Heartland announced that the protected health information (PHI) of certain patients of its Dubuque health center in Iowa may have been accessed by unauthorized individuals. The health center permanently closed its doors to patients this April, and the premises were listed for sale and sold. However, hard copies of patient files were left in the Dubuque health center. In April 2016, individuals entered the medical center and could potentially have viewed and/or copied patient files. The potential breach was discovered by Planned Parenthood on May 6, 2016. The files have now been removed from the premises and secured. Planned Parenthood said this was an isolated incident and is not representative of the stringent privacy standards usually maintained by the healthcare organization. Patients affected by the potential privacy breach had sought treatment at the Dubuque health center between August 1, 2008 and April 30, 2014. In total, the PHI of 2,506 patients may have been compromised. Patients have now been notified of the...

CMS Finalizes New Rules for QEs on Sale and Sharing of Medicare Claims Data
Jul05

The Centers for Medicare and Medicaid Services (CMS) has finalized a new set of Rules for qualified entities that will allow the sharing or sale of Medicare claims data to healthcare providers, employers, and other entities. The rule changes will help to ensure that healthcare organizations, employers, and other organizations have access to the data they need to make informed decisions about the provision of care to patients. With access to all Medicare and private sector claims data, it is hoped that the quality of care provided to patients will be improved. The rule changes, which were required under the Medicare Access and CHIP Reauthorization Act (MACRA), will permit organizations classed as qualified entities to confidentially share analyses of Medicare and private sector claims with healthcare providers, employers, and other groups that are able to use the data to improve patient care. The sale of data is also permitted. Qualified entities will be permitted to sell data to healthcare providers such as doctors, nurses, and skilled nursing facilities. While data can be sold or...

Pruitt Health Alerts Patients to Potential Privacy Breaches after Two Break-ins
Jun29

PruittHealth, a provider of home health and hospice services in the southeast United States, has started notifying 1,437 patients of a potential breach of protected health information following two break-ins at its offices in South Carolina. In both cases, it would appear that the thieves were not interested in patient health information, although patients’ files could potentially have been viewed. The first break-in occurred on March 2, 2016. Thieves smashed the glass in the front door and entered the PruittHealth Home Health – Low Country office. No electronic devices were stolen by the thieves and only petty cash was believed to have been taken. However, patient files were stored in the office and could potentially have been accessed. On discovery of the break-in on March 3, PruittHealth staff alerted law enforcement and checked to determine whether any patient files had been accessed or stolen. The files did not appear to have been disturbed and no paper files appeared to have been removed by the thieves. Patients have now been notified that if the files were accessed, their...

Case Manager Duped naviHealth; Dignity Health Alerts Patients to Privacy Breach
Jun27

Dignity Health is notifying 520 patients that their privacy was violated by a naviHealth employee who gained employment as a case worker using a false name and nursing license. Dignity Health is a not-for-profit public benefit corporation operating in 17 states. The San Francisco-based health system is the fifth largest hospital system in the United States and the largest non-profit hospital provider in the state of California. Dignity Health works with a large number of hospitals and provides in-home health services to patients after they have been discharged from hospital. Dignity Health outsources some of its services to the Nashville, Tennessee-based post-acute care management company naviHealth, which provides PAC management services to over 1.5 million beneficiaries throughout the United States. On June 6, 2016, Dignity Health was informed by naviHealth that an individual had gained employment under false pretenses. The individual was employed by naviHealth as a case worker between June 2015 and May 2016. The case worker was provided with access to the protected...

Bizmatics Data Breach Victim Count Rises to Almost 177,000
Jun24

Two further healthcare providers have reported security breaches that have potentially exposed patients’ protected health information, both of which have links to the Bizmatics data breach discovered in December 2015. The Vein Doctor, a Liberty, MO-based provider of treatment services for varicose and spider veins, recently submitted a breach report to the Department of Health and Human Services’ Office for Civil Rights indicating 3,000 patients had been affected by a network server and EMR hack. A breach notice had not appeared on the healthcare provider’s website at the time of posting, and it is unclear how much protected health information was exposed in the cyberattack. However, the breach does appear to be linked to Bizmatics. The Vein Doctor uses the PrognoCIS EMR tool developed and maintained by Bizmatics. Other healthcare providers impacted by the Bizmatics breach also used the PrognoCIS tool. Grace Primary Care P.C. also reported a data breach to the OCR which was similarly caused by the hacking of a network server. The breach report, submitted to the OCR on June 7,...

Bill Introduced to Better Protect Veterans from Identity Theft and Fraud
Jun24

Last week, a bipartisan Senate bill was introduced by Sen. Tammy Baldwin, D-Wis., and co-sponsor Sen. Jerry Moran, R-Kan., to reduce the risk of veterans becoming victims of identity theft and fraud. The new bill would require the Department of Veterans Affairs (VA) to discontinue the use of veterans’ Social Security numbers as identifiers in all VA information systems. The bill would require the VA to phase out the use of SSNs as identifiers for all veterans in its systems within five years, although a deadline of two years would be set to replace SSNs for new claims for benefits. The new Senate bill has now been referred to the Senate Veterans Affairs Committee. Should the new bill be passed, it would certainly be a major step in the right direction and could significantly reduce the risk of veterans becoming victims of identity theft and fraud in the event of a VA security breach. However, changing identifiers is not a straightforward process and it could prove costly. Any exchange of information with other agencies may still require the use of SSNs. The phasing out of the...

Call Issued for Further Guidance on HIPAA Minimum Necessary Standard
Jun23

Melissa Martin, Board President of the American Health Information Management Association (AHIMA), gave testimony at a National Committee on Vital and Health Statistics (NCVHS) hearing last week on the minimum necessary standard of the HIPAA Privacy Rule. The aim of the hearing was to determine whether the Department of Health and Human Services should issue an update to the standard to ensure it can continue to be met by healthcare organizations, and to assess whether there is a need for further guidance in light of the technology changes in the healthcare industry since its introduction. According to Martin’s testimony, there is still considerable confusion over the standard and what constitutes the “minimum necessary information”. Under the minimum necessary standard, HIPAA-covered entities are required to make reasonable efforts to ensure that access to PHI is limited to the minimum necessary information to accomplish the intended purpose of the use, disclosure or request. Organizations must identify individuals or groups of persons within the organization who are required...

ONC Reminds App Developers to Check Regulatory Requirements
Jun22

The Office of the National Coordinator for Health Information Technology (ONC) has reminded developers of health apps not only to put more thought into data security, but also to build security controls into the core of their apps. Data security features should not simply be bolted on as an afterthought. They are an essential part of the design of the apps and therefore must be incorporated during the initial design process. The ONC points out that health apps are no longer just being developed by computer science graduates. Health apps have been developed by clinicians who have identified a need for an app and a gap in the market. Even patients have been working on health apps to log and record a wide variety of health data or to issue appointment and medication reminders. No matter who conceives and develops a new health app, it is essential that the legal implications are considered and incorporated into the design. App developers must become familiar with the legislation covering health apps and the data they record. The Health Insurance Portability and Accountability Act (HIPAA)...

16K ENT and Allergy Center Patients Affected by Bizmatics Breach
Jun18

ENT and Allergy Care, P.A. has announced that its patients have been affected by the data breach at Bizmatics. In early 2015, the server used to host the Bizmatics PrognoCIS tool was hacked. Access to the server was gained and data stored on the server were potentially accessed. In December 2015, the intrusion was detected and access to the server was rapidly shut down. Bizmatics started investigating the cyberattack and enlisted the services of an external computer forensics company. Law enforcement was also notified of the security breach. Bizmatics notified ENT and Allergy Care of the security breach by mail in January 2016; however, at the time it was not possible to tell whether ENT and Allergy Care patients had been affected. The Bizmatics investigation continued, and in April 2016 ENT and Allergy Care was notified that “at least some” data stored in the PrognoCIS tool had been accessed and possibly copied. Bizmatics was unable to determine exactly which patients’ data were accessed. The data stored in the PrognoCIS tool included patients’ names, addresses, and information...

Aspen Hospital Sued for HIPAA Breach by Former Employee
Jun16

A healthcare IT worker formerly employed by Aspen Hospital is suing the hospital and five of its employees for an alleged HIPAA breach after it was disclosed he had contracted HIV. The former employee, only identified as John Doe in the suit, was also a patient at the hospital. His attorneys, Mari Newman, Darold Killmer and Eudoxie Dickey, filed the suit on his behalf and are seeking compensatory and punitive damages, legal fees, and an apology from the hospital for the violation of his privacy. Doe also wants the hospital to change its policies to prohibit the disclosure of sensitive medical information to members of the hospital staff. John Doe had worked in the IT department of Aspen Hospital for 11 years prior to losing his job. Doe was an excellent employee and was well respected in the department according to the suit. He was regularly told he had exceeded expected standards and had often been rated as ‘outstanding’ in his performance evaluations. After filing complaints against the hospital for the disclosure of his HIV status and subsequent retaliatory acts by hospital...

Ponemon Institute Publishes 2016 Cost of Data Breach Study
Jun16

For the past 11 years, the Ponemon Institute has conducted an annual benchmark study on the cost of data breaches. This week, the Ponemon Institute published the results of its 2016 Cost of Data Breach Study, which shows the cost of breach resolution continues to rise. The IBM-sponsored study indicates the average total cost of breach response and resolution has increased to $7.01 million from $6.53 million last year: a rise of 7% year on year. Ponemon puts the average cost per compromised record at $221: a rise of 2%, or $4 per record, from last year’s figures. The 2016 Cost of Data Breach Study was conducted on organizations around the world, including companies based in Australia, Brazil, Canada, France, Germany, India, Italy, Japan, Saudi Arabia, the United Arab Emirates, and the United Kingdom. The global average data breach cost increased from $154 per record to $158 per record, with the total cost increasing from $3.8 million to $4 million per data breach. 383 companies took part in the global study. 64 U.S. companies took part in this year’s benchmark study and 16...

Kern County Mental Health Department Announces Privacy Breach
Jun14

Kern County Mental Health Department (KCMH), CA, has reported a breach of protected health information which occurred during the relocation of its administrative department in April 2016. The breach involved the exposure of a limited amount of protected health information of patients who had previously received care from KCMH between September 1 and September 30, 2006. When the administrative department relocated, the former offices were renovated. A single document was left behind in the offices and could potentially have been viewed by construction workers. The document was discovered by a KCMH staff member upon return to the offices. During the time that the report was left unprotected, staff members did not have access to the area. The report contained patients’ full names, internal record numbers, service codes, and the unit where treatment was provided. While patients could have been identified as having previously received treatment from KCMH and/or its contractors, the mental health services received were only identifiable by their codes. KCMH confirmed that highly...

Two More Healthcare Organizations Inform Patients of Bizmatics Breach
Jun13

Two more healthcare organizations have started notifying patients that their protected health information was exposed when a hacker infiltrated the PrognoCIS application of third party vendor, Bizmatics Inc. Earlier this year, Bizmatics started notifying some of its clients that its systems had been infiltrated by a hacker, who may have accessed and copied clients’ data from its PrognoCIS electronic medical record (EMR) database. An attacker had succeeded in installing malware on its systems in January 2015, although the malicious software was discovered almost a year later toward the end of 2015. Many of the healthcare organizations affected by the breach were notified in March 2016. The latest two U.S. healthcare providers to announce that their patients had been affected by the Bizmatics breach are the California Health & Longevity Institute, based in Westlake Village near Los Angeles, and the Grand Junction, CO-based Vincent Vein Center. California Health & Longevity Institute submitted a breach report to the Department of Health and Human Services’ Office for Civil...

Cloud-Based EHR Company Settles with FTC over Alleged Privacy Violations
Jun10

Cloud-based EHR company Practice Fusion has agreed to settle a case with the Federal Trade Commission (FTC) after allegedly misleading consumers about the privacy of information collected by the company. In 2012, Practice Fusion sent emails to consumers asking them to write reviews of their healthcare providers in order to populate its healthcare provider directory with data ahead of a planned 2013 launch. Patients’ names and email addresses were taken from the company’s electronic health record service and emails were sent to patients asking them to review their physicians. Patients were told that the reviews would “help improve your service in the future.” The emails appeared to have been sent by the patients’ healthcare providers. By clicking the link in the email, patients were directed to an online form where they were asked questions relating to their most recent healthcare visit. Patients were provided with a text box on the form where they were able to enter information. Many patients used the text box to submit highly personal information – information that under HIPAA...

Two Healthcare Providers Announce Billing-Related PHI Breaches
Jun07

Loyola University Medical Center and University of New Mexico Hospital have discovered separate mailing-related privacy breaches and have started notifying patients of the exposure of a limited amount of their protected health information. Loyola University Medical Center Privacy Breach: On April 5, 2016, Loyola University Medical Center discovered billing statements had been sent to incorrect addresses in February 2016. The University had undertaken a project to acquire accurate addresses; however, some billing statements ended up being released to addresses that had not been verified. A limited amount of protected health information was inadvertently disclosed to unauthorized individuals, including patients’ names, along with their account numbers, dates of service, procedure codes, general descriptions of the medical services provided, and the balances due to be paid. No Social Security numbers, credit card details, or insurance information were disclosed. In an effort to minimize the probability of similar privacy breaches occurring, Loyola University Medical Center will also be...

Up to 400,000 Prisoners’ PHI and SSNs Exposed
Jun07

Up to 400,000 current and former prisoners incarcerated by the California Department of Corrections and Rehabilitation between 1996 and 2014 have potentially had their Social Security numbers, medical data, and personally identifiable information exposed. The data breach was reported last month by California Correctional Healthcare Services (CCHCS) and a substitute breach notice was posted on the CCHCS website on May 13; however, at the time it was unclear exactly how many prisoners had been affected. While this is still uncertain, the Office for Civil Rights breach report indicates as many as 400,000 individuals may have been affected. An exact figure is not known as the investigation conducted by CCHCS has not determined which individuals’ data were stored on the device. The figure of 400,000 is the total number of patients who had received healthcare services from CCHCS between 1996 and 2014. That makes this the third largest healthcare data breach so far reported in 2016, behind only the 483,000-record breach at Radiology Regional Center, and the 2.2 million-record data breach...

ONC Releases Videos Explaining Patients’ HIPAA Rights
Jun03

Earlier this year, the HHS’ Office for Civil Rights (OCR) released guidance for healthcare organizations on patients’ HIPAA rights in an attempt to clear up confusion over access and ensure that covered entities were aware of their obligations under the HIPAA Privacy Rule. The guidance covered many of the questions commonly asked by healthcare organizations, including the models that can be adopted by healthcare organizations for charging for PHI copies. Now that covered entities are prepared, efforts have shifted to advising patients of their access rights under HIPAA. This week, the Office of the National Coordinator for Health Information Technology (ONC) – in conjunction with the OCR – released a series of educational videos to improve understanding of patients’ HIPAA rights. The ONC wants to improve patient engagement and get patients to take greater interest in their health. Encouraging patients to obtain copies of their ePHI can help in this regard. Having access to medical records allows patients to check for errors, provide their data to other healthcare providers or...

ProMedica Uncovers Unauthorized Accessing of PHI by 7 Employees
Jun03

ProMedica has recently discovered that seven of its employees had been improperly accessing the protected health information of patients for almost two years. The employees in question had been granted access to patient files in order to perform their work duties, but had accessed the medical records of patients whom they were not required to treat, and there was no legitimate business reason for the patient data to be accessed. ProMedica was alerted to the privacy breaches on April 7, 2016, and a thorough internal investigation was launched. That investigation revealed that the records of 3,500 patients had been improperly accessed over a period of two years, from May 1, 2014, to April 26, 2016. Affected patients had received medical services at either ProMedica’s Bixby Hospital in Adrian, MI, or Herrick Hospital in Tecumseh, MI. The types of data viewed by the employees include patients’ names, addresses, dates of birth, contact telephone numbers, insurance information, medical diagnoses, details of medications that had been prescribed, and other clinical data. ProMedica’s...

Integrated Health Solutions Notifies 20K Patients of EHR Breach
Jun02

Easton, Pennsylvania-based healthcare provider Integrated Health Solutions P.C. has notified 19,776 of its patients that their protected health information may have been accessed by a hacker. The sleep medicine specialists were informed of a security breach by EHR vendor Bizmatics on March 30, 2016. Bizmatics was unable to confirm whether Integrated Health Solutions patient data had been viewed or copied by the unauthorized individual who gained access to its servers, but the company was unable to rule out the possibility. Patients’ names, addresses, health information, and Social Security numbers were stored on the compromised server. Bizmatics provides EHR/EMR software solutions to approximately 15,000 healthcare providers in the United States. The company has not disclosed exactly how many of its clients were affected by the breach, although a number of healthcare providers have now issued breach notifications to patients and have informed the Department of Health and Human Services’ Office for Civil Rights of the breach. Florida-based Eye Associates of Pinellas appears to be...

OCR Rules Townsend Violated the HIPAA Privacy Rule
Jun02

The Department of Health and Human Services’ Office for Civil Rights (OCR) has recently ruled that a former town administrator of Townsend, MA, violated the HIPAA Privacy Rule in June last year when he posted an “information packet” online containing the protected health information of individuals who had used the town’s ambulance service. The information was intended to be viewed by Selectmen in order that a vote could be taken about whether or not to write off the unpaid bills. Rather than sharing the document securely, former town administrator Andrew Sheehan posted the information on the town website. The packet was only accessible for 18 hours before it was removed, but during that time it had been downloaded and shared on social media. The privacy breach was also reported to the OCR. The information packet contained the names of patients who had not yet paid their ambulance bills along with some sensitive medical information, including medical conditions and whether patients were alive, dead, or were now living in a hospice. Prior to the uploading of the files, all...

40K Podiatry Patients Warned of PHI Exposure
Jun02

Stamford Podiatry Group P.C. has discovered that an unauthorized third party gained access to its computer systems for a period of almost two months earlier this year. The intruder was able to view company data and potentially also accessed the electronic medical record (EMR) database. 40,491 patients have now been notified of the privacy breach and potential accessing/theft of their protected health information. EMR data potentially accessed/copied include names, addresses, dates of birth, email addresses, telephone numbers, Social Security numbers, health insurance information, names of treating and referring physicians, and patients’ gender and marital status. Diagnoses, details of treatments, and medical histories were also stored in the EMR and may have been accessed. An investigation into the breach revealed that access was first gained to the company’s systems on February 22, 2016 and continued until the data breach was discovered on April 14, 2016. While the investigation determined that data access was possible, no evidence was uncovered to suggest that data were actually...

CHIME Launches New Cybersecurity Center and Program Office
May31

The College of Healthcare Information Executives (CHIME) has announced the opening of a new Cybersecurity Center and Program Office which will help healthcare organizations deal with cyber threats and better protect patient data and information systems. Announcing the opening of the new office, CHIME President and CEO Russell Branzell explained the need for better collaboration within the healthcare industry. “Cyber threats are becoming more sophisticated and more dangerous every day.” He went on to say, “Today the focus is ransomware, tomorrow it will be something else. As an industry, we need to pull together and share what’s working so that we can effectively safeguard our systems and protect patients.” The new office will be manned by CHIME staff, although assistance will be sought from Association for Executives in Healthcare Information Security (AEHIS) members, who will serve as security advisors to the center as well as to the healthcare industry. The Cybersecurity Center and Program Office will develop a range of resources to help healthcare organizations develop better...

Tucson Emergency Room Patients’ PHI Stolen from Physician’s Vehicle
May30

Approximately 1,000 patients in Southern Arizona have been notified of a breach of protected health information following the theft of a physician’s logbook. The logbook had been left in the vehicle of a physician who worked for Emergency Medicine Associates, which provided ER staff for Carondelet Health Network hospitals in Tucson, Arizona. A thief broke into the physician’s vehicle on or around March 25, 2016 and took the logbook. The physician had used the logbook to record brief notes relating to emergency room patients she had treated at Carondelet St. Joseph’s and Carondelet St. Mary’s hospitals in Tucson, AZ, between October 12, 2015 and March 25, 2016. The types of data recorded in the logbook include names, ages, genders, dates of birth, and medical record numbers along with the name of the hospital visited, hospital ID numbers, and dates of emergency room visits. Social Security numbers and health insurance information were not exposed, although some patients’ medical conditions had been noted in the logbook. Dr. Lori Levine, privacy officer for Emergency Medicine...

HHS Announces Release of the Final Data Security Policy Principles Framework
May27

HHS Secretary Sylvia Mathews Burwell has announced the release of the final Data Security Policy Principles Framework for the Precision Medicine Initiative (PMI), which was launched by President Obama in early 2015. The Security Principles Framework was developed to help healthcare organizations that participate in the PMI understand the security measures that must be adopted to protect sensitive health, genetic, and environmental information. According to the HHS, the PMI will help to “enable a new era of medicine – one where doctors and clinicians are empowered to tailor their treatments to their patients’ needs, and patients can get individualized care.” The PMI is intended to help “deliver the right treatment to the right patient at the right time, taking into account an individual’s health history, genetics, environment, and lifestyle.” In February, the Obama Administration announced that great progress has been made so far, and that more than 40 commitments have been made by the private sector to advance precision medicine. Those commitments include a promise by leading EHR...

Medical Colleagues of Texas Hacking Incident Impacts 68K Patients
May26

Medical Colleagues of Texas, a physicians’ group in Katy, TX, has discovered that an unauthorized individual gained access to its system containing the records of more than 68,000 patients. The exact nature of the incident has not been disclosed and an investigation into the security breach is ongoing. The physicians’ group was unaware how access was gained to its systems at the time of posting the breach notice; however, the investigation into the breach has determined that personnel files and patient medical records have potentially been accessed. Data stored on the compromised system include patients’ names, addresses, Social Security numbers, and health insurance information. The intrusion was first detected on March 8, 2016 when an office employee noticed unusual activity on the computer network of the obstetrics group. The activity was determined to be caused by an unauthorized individual who had gained remote access to the network. A computer forensics firm was called in to investigate the security breach. An attorney for Medical Colleagues of Texas, Lindsay Nickle, issued a...

95K More Patients Discovered to Have Been Impacted by Bizmatics Data Breach
May25

The Office for Civil Rights has received two further breach reports from healthcare providers impacted by the Bizmatics data breach. Almost 95,000 patients of the two healthcare facilities have potentially had their data accessed by hackers. Southeast Eye Institute P.A., doing business as Eye Associates of Pinellas, has notified 87,314 patients of the breach, while Lafayette Pain Care, PC, has potentially had the data of 7,500 individuals scanned by hackers. Eye Associates of Pinellas was notified by Bizmatics on March 30, 2016, that some of its patients’ data were accessed by unauthorized third parties. The data potentially viewed include patients’ names, telephone numbers, home addresses, dates of birth, health insurance information, and Social Security numbers. Patients affected by the breach had visited Eye Associates of Pinellas prior to November 15, 2015. According to the breach notice posted by Eye Associates of Pinellas, Bizmatics had segregated data to improve security, but the company was unable to determine if the separated data fields had been matched by the...

Apology Issued by Sharp Grossmont Hospital for Filming and Sharing Videos of Obstetrics Patients
May19

An apology has been issued by Sharp Grossmont Hospital for violating the privacy of patients by filming them undergoing surgical procedures and subsequently sharing those videos with a third party. Videos were recorded using hidden surveillance cameras as part of a sting operation to catch a thief who was believed to be stealing narcotic drugs from anesthesia carts in the operating theater of the Women’s Health Center. The hospital set up surveillance cameras hidden inside moveable monitors in three operating rooms at the Women’s Health Center at Sharp Grossmont Hospital to obtain evidence of drug thefts from anesthesia carts. Some of the recorded clips show an anesthesiologist taking bottles of the anesthetic propofol from the carts and placing them in his top pocket. Over the course of the surveillance operation – which took place between July 2012 and July 2013 – 12 bottles of propofol were allegedly stolen from the cart by the anesthesiologist. The video footage of the thefts was submitted to the California Medical Board as evidence. The accused anesthesiologist’s...

4000 Michigan Chiropractic Patients Notified of Potential Data Breach
May19

4,082 patients of Complete Chiropractic & Bodywork Therapies (CCBT) of Ann Arbor, MI, have been notified of a potential breach of protected health information after malware was discovered on one of the company’s servers. The malware was discovered on March 19, 2016, after the server malfunctioned. The malfunctioning of the server triggered CCBT’s security protocols, which included isolating the server, blocking Internet access, and changing all workstation and third party passwords. CCBT also installed an additional firewall as an extra precaution. External forensics experts were brought in to investigate the security incident. Their investigation revealed that malware had been installed which scanned the network for passwords and login information and transmitted sensitive data to the hacker(s)’ command and control server. The server stored patient data including treatment and billing information, in addition to encrypted medical record data. Encrypted information included patient names, addresses, dates of birth, health and diagnosis information, and Social Security numbers. The...

Zocdoc Notifies Patients of Breach Discovered in June 2015
May18

This week, Zocdoc – an online medical booking system – notified the California Attorney General’s office of a breach of personal information that was first identified almost a year ago. Programming errors were discovered in June 2015 that allowed past and present practice staff members to gain access to their Provider Dashboards after their usernames had been removed from the system or their access had otherwise been limited. The usernames had been provided to medical and dental practices that had signed up to use the Zocdoc appointment system. Patients affected by the data breach have now been sent notification letters advising them that their name, phone number, email address, appointment history, and in some cases Social Security number, could have been accessed by staff members at each practice who were not authorized to view the information. Health insurance information and medical histories could also have potentially been accessed if patients had provided that information via Zocdoc when making appointments. According to the breach notice, “Access may have...

2,100 Veterans Had Their PHI Exposed in April
May17

Each month the Department of Veterans Affairs issues a report to Congress on the information security incidents experienced by VA facilities over the course of the month. Protected health information (PHI) exposures increased considerably in April, with 2,105 veterans’ PHI being accidentally disclosed or exposed. In total, 2,556 veterans were affected by information security incidents in April, resulting in the VA sending 1,690 breach notification letters. Due to the relatively high risk of misuse of data, 866 veterans were offered credit protection services. While the number of veterans affected by these security incidents was considerably higher than in March – when 522 veterans were affected by information security incidents and 417 had their PHI exposed – fewer incidents were reported by VA facilities. In April there were 39 lost and stolen device incidents compared to 54 in March, lost PIV cards fell from 172 to 128, mishandling incidents dropped from 89 to 87, and 146 mis-mailed incidents were reported compared to 147 incidents last month. Major VA Data Breaches Reported in...

Laptop Thefts Expose the PHI of California Healthcare Patients
May16

Three potential healthcare data breaches have recently been reported, two of which occurred as a result of the theft of laptop computers and exposed the protected health information (PHI) of healthcare patients in California. California Correctional Health Care Services Reports Theft of Laptop Computer On February 25, 2016, an unencrypted, password-protected laptop computer was stolen from the vehicle of an employee of California Correctional Health Care Services (CCHCS). The laptop may have been used to store the PHI of patients of the California Department of Corrections and Rehabilitation. According to a May 14 substitute breach notice submitted to the California Office of the Attorney General, CCHCS identified the breach on April 25. CCHCS conducted an investigation into the incident but was not able to determine whether sensitive data were actually stored on the device. CCHCS believes that if sensitive data were exposed, affected individuals would be those who had been imprisoned between 1996 and 2014. Data potentially stored on the laptop include custodial information,...

Ponemon: 89 Percent of Healthcare Organizations Have Experienced a Data Breach
May13

This week saw the publication of the Ponemon Institute’s Sixth Annual Benchmark Study on Privacy and Security of Healthcare Data. This year’s study shows 89% of healthcare organizations have now experienced a data breach, while 60% of business associates of healthcare organizations have experienced a breach of healthcare data. All of these healthcare data breaches are taking their toll and are costing the industry dearly. An estimated $6.2 billion is being spent on resolving healthcare data breaches. This year’s report shows that cybercriminals caused 50% of the healthcare data breaches reported over the course of the last 12 months, an increase of 5% year on year. The remaining data breaches were caused by mistakes made by healthcare employees and their vendors. Frequency and Severity of Cyberattacks Continue to Rise The healthcare industry is uniquely vulnerable to cyberattacks. Healthcare organizations store vast quantities of valuable data, yet many organizations do not have sufficiently robust defenses to keep those data secured. Security infrastructure is often found to be...

Florida Medical Clinic Notifies 1,000 Patients of Privacy Breach
May13

Florida Medical Clinic, PA, has notified 1,000 patients that their due balance statements were exposed online as a result of a misconfiguration of its Patient Portal. Between November 18 and January 6, 2016, due balance statements of some patients were viewed by industrial account patients when they logged onto the Patient Portal. Only a limited amount of patient data was viewable, so there is not believed to be a high risk of patients coming to harm or suffering losses as a result of the breach. Patients’ names, mailing addresses, provider names, dates of service, descriptions of procedures, and charges due were viewable by individuals not authorized to view the information. At no point were Social Security numbers, dates of birth, credit card numbers, financial information, or other highly sensitive data accessed. Upon discovery of the privacy breach, Florida Medical Clinic launched an investigation which revealed that the vendor of its Patient Portal – Greenway Health – had turned on a setting on the Portal by accident, which resulted in due balance statements being viewable...

UnityPoint Health’s Allen Hospital Discovers 7-Year Privacy Breach
May12

An employee of UnityPoint Health’s Allen Hospital in Waterloo, Iowa, was recently discovered to have abused her access rights to patient health information over a period of seven years. During that time, the employee is understood to have improperly accessed the protected health information of 1,620 patients. The inappropriate access to PHI was discovered by Allen Hospital on March 14, 2016. The discovery triggered a full review, which revealed the employee had first started inappropriately accessing patient records in September 2009. The data potentially accessed by the employee include patients’ names, dates of birth, home addresses, health insurance information, medical record numbers, and treatment information. Some patients’ Social Security numbers may also have been viewed. Employees are frequently discovered to have accessed patient records without authorization; what makes this case stand out is how long it took Allen Hospital to discover the HIPAA breach. Jim Waterbury, Allen Hospital’s vice president for institutional advancement, said the reason it took so long for...

Brookings Offers Breach Prevention Advice to OCR and Healthcare Organizations
May11

A recent report issued by the Brookings Institution delves into the problems faced by the healthcare industry now that so much patient data is being collected, stored, and transmitted by healthcare institutions. In its report, Brookings offers advice to healthcare organizations and the Department of Health and Human Services’ Office for Civil Rights (OCR) about how patient privacy can be better protected, and strategies that can be adopted to prevent data breaches. 23% of All Data Breaches Affect the Healthcare Industry Over the past two years, the number of breaches suffered by healthcare organizations has increased significantly. 23% of all data breaches now affect the healthcare industry. Since OCR started publishing details of data breaches reported by healthcare organizations six years ago, almost 1,500 separate data breaches have occurred. Those breaches have exposed the healthcare data of over 155 million Americans. To investigate the problem, the Brookings Institution conducted a study to find out more about why healthcare data breaches are occurring with such regularity,...

Transcription Service Provider Exposes PHI of Children’s National Health System Patients
May11

Washington D.C.-based Children’s National Health System (CNHS) has alerted patients to a breach of their protected health information following an error by a transcription service provider which allowed patients’ data to be indexed by search engines. CNHS is one of a number of healthcare clients affected by the data breach. Ascend Healthcare Systems was contracted by CNHS to transcribe physicians’ notes and was supplied with transcription documents in 2014; however, those documents could potentially have been accessed via search engines due to a misconfiguration of a File Transfer Protocol (FTP) site. Transcription services were provided to CNHS by Ascend between May 1, 2014 and June 23, 2014; however, on February 25, 2016, CNHS discovered that some of its patients’ data had been exposed online. An investigation into the privacy breach was immediately launched and CNHS determined that for a period of one week in February, data were accessible via Google. The breach is understood to have lasted between February 19 and February 25, 2016. The data stored in the transcription...

Are You Prepared for A Business Associate Data Breach?
May09

HIPAA-covered entities may be prepared to execute their breach response procedures for a security breach that exposes patients’ Protected Health Information (PHI), but what about business associate data breaches? Have policies and procedures been developed to ensure a rapid breach response can be executed if a business associate suffers a data breach? The Department of Health and Human Services’ Office for Civil Rights has recently warned HIPAA-covered entities that they must take steps to ensure they can deal with a business associate data breach should one occur. OCR: HIPAA-Covered Entities Find Business Associate Data Breach Management Difficult The recent OCR cyber-awareness bulletin confirmed the need for action to be taken by HIPAA-covered entities to prepare for data breaches experienced by their vendors. The bulletin indicates a large percentage of covered entities are concerned that business associate data breaches may not be reported to them. OCR also suggests that when a business associate data breach does occur, covered entities are often unsure whether their vendors’...

Bay Area Children’s Association Notifies Patients of PHI Theft
May09

On April 1, 2016, Bay Area Children’s Association (BACA) was notified that the electronic health records of its patients may have been stolen by hackers. The notice was received from BACA’s electronic health record (EHR) provider, which had discovered that unauthorized individuals had gained access to its systems and installed malware. The EHR provider, which was not named in the breach notice, believes the malware was first installed on its systems in January 2015. Consequently, patients’ health data and personal information could conceivably have been in the hands of criminals for over 15 months. After being notified of the potential theft of protected health information, BACA contacted its EHR provider to find out more about the extent of the breach and the data that could have been accessed. BACA was informed on April 22, 2016 that there was no way of telling which patients had been affected, or whether data had actually been obtained by the attackers. Consequently, all patients whose data were stored in the EHR have had to be notified of the security breach. The data...

Ohio MHAS Exposes PHI of 59K Patients by Mailing Surveys on Postcards
May09

This week, patients of the Ohio Department of Mental Health and Addiction Services (OMHAS) were notified of a privacy incident that occurred on February 3, 2016. Patients were sent a satisfaction survey by mail; however, the survey request was sent on postcards rather than in sealed envelopes. Consequently, the fact that each patient had received services related to mental health and addiction was inadvertently exposed along with patients’ names and addresses. This was not the first time that these mailings were sent to patients. Each year, OMHAS sends customer satisfaction surveys to patients to obtain feedback about the services they received. The aim of the mailings is to obtain data from patients that can be used to improve the services OMHAS provides and to meet the reporting requirements of the federal Mental Health Block Grant. On February 25, 2016, OMHAS became aware that the mailing breached Health Insurance Portability and Accountability Act Rules. An investigation into the privacy breach revealed that similar mailings had been sent in the past. In total,...

Saint Agnes Medical Center Victim of BEC Attack
May06

Saint Agnes Medical Center of Fresno, CA, is in the process of notifying 2,812 employees of a cyberattack that occurred on May 2, 2016. On Monday this week, an employee of Saint Agnes responded to a phishing email and sent copies of employees’ W-2 data to an attacker. The disclosed data included the names of employees along with their home addresses, salary details, withholding information, and Social Security numbers. The email request appeared to have come from the Chief Executive Officer of Saint Agnes. The phishing attack was rapidly identified, although not before data were disclosed to the attacker. All employees affected by the data breach have been provided with a year of credit monitoring and identity restoration services through Experian without charge. Affected employees have also been advised to contact the IRS to find out if a fraudulent tax refund has been claimed in their name. The email scam is referred to as a Business Email Compromise (BEC) attack. This year has seen a number of BEC attacks on healthcare providers. The phishing scam is convincing as the emails...

Data Breach Class-Action Lawsuit Denied by Penn. Superior Court
May05

A proposed class-action lawsuit filed against two health plans for the exposure of members’ protected health information has been rejected by the Pennsylvania Superior Court. Avrum Baum filed a lawsuit against Keystone Mercy Health Plan and AmeriHealth Mercy Health Plan in 2010 following the loss of a flash drive containing the data of approximately 286,000 patients. One of the patients affected by the data breach was Baum’s special needs daughter. Baum claimed in the suit that the loss of the device violated the privacy rights of patients. He also claimed the health plans had been negligent by failing to protect the data of patients, and that the health plans had inaccurately told patients that their protected health information (PHI) was secured. Baum claimed that deceptive practices were used, which violated the Unfair Trade Practices and Consumer Protection Law (UTPCPL). In July 2013, the class-action lawsuit was denied by a trial judge because Baum could not show that his daughter’s PHI was stored on the device and because the case did not have standing, as Baum had not purchased his...

Buffalo Medical Group Says Alleged HIPAA Violations Are Unfounded
May04

Last month, a breach notification letter was received by media outlets and at least one patient of the Buffalo Medical Group (BMG) warning that the protected health information (PHI) of certain patients had been impermissibly disclosed to an unauthorized individual. The letters were sent on BMG headed paper, and the letter indicated that it had been authored by three members of the BMG staff who chose to remain anonymous. The letter claims that the PHI of certain patients had been impermissibly disclosed and that the privacy violations had been brought to the attention of a dermatologist at BMG, yet nothing had been done. The letter claimed that the privacy of patients was violated by a licensed practical nurse who had been disclosing patients’ PHI to a boyfriend. The offenses, which if true would have violated the Health Insurance Portability and Accountability Act (HIPAA), had allegedly taken place some years previously. According to the letter, when the nurse broke off the relationship in August 2015 the ex-boyfriend notified a dermatologist of the privacy violations. No action...

HIPAA Business Associate Notifies Patients of Data Breach
May03

EqualizeRCM Services, an Austin, TX-based vendor of billing services, is in the process of sending breach notification letters to patients to alert them to the potential exposure of their Protected Health Information after an employee’s laptop computer was stolen. At this stage it is unclear how many individuals have been impacted as the security breach has not yet been added to the Department of Health and Human Services’ Office for Civil Rights breach portal. Patients of the following healthcare facilities have been impacted by the data breach:

Central Dallas Surgery Center
Hermann Drive Surgical Hospital
Kirby Surgical Center
Microsurgery Institute (Houston, Dallas)
Northstar Healthcare Surgery Center (Scottsdale, Houston, Dallas)
Plano Surgical Hospital
Southwest Freeway Surgery Center
Victory Medical Center Houston

The laptop computer contained a number of unencrypted documents which could potentially be accessed by unauthorized individuals. The documents did not contain any Social Security numbers or financial account numbers, although personally identifiable information and...

Review of Medicare Administrative Contractors Shows 8pc Annual Rise in Data Security Gaps
May02

An annual review of Medicare administrative contractors (MACs) conducted by PricewaterhouseCoopers (PwC) on behalf of the Office of Inspector General revealed that 129 data security gaps existed in 2014, representing an increase of 8% from the previous year. The Social Security Act requires the information security programs of all MACs to be assessed by an independent entity on an annual basis. This year PwC was contracted to assess all nine MACs on the eight major requirements of the Federal Information Security Management Act of 2002 (FISMA) in addition to the Centers for Medicare and Medicaid Services (CMS) core security requirements. Data security gaps are defined as the incomplete implementation of FISMA or CMS core security requirements. Each data security gap is rated as high risk, medium risk, or low risk. For high and medium risk data security gaps, each MAC must develop an action plan to address the issues, and CMS is required to follow up and ensure that those data security gaps have been addressed. PwC discovered 18 high risk, 45 medium risk, and 66 low risk gaps. The...

Mailing Error Exposes PHI of American Fidelity Customers
Apr28

Oklahoma City-based American Fidelity Assurance Company has notified 2,664 customers that some of their data have been disclosed to other customers as a result of a mailing error. The incident, which has been attributed to human error, occurred on February 15, 2015. American Fidelity mailed debit card substantiation letters to some of its customers that contained a section of information intended for other customers. The information printed on the letters included names and addresses, employer names and ID numbers, dates of service, provider names, payment amounts, and the last four digits of another customer’s debit card number. The letters also included details of customers’ recent flexible spending account debit card usage. No Social Security numbers or dates of birth were included in the mailings. Affected customers had their data exposed to another individual, although due to the nature of the incident and the limited amount of data exposed, American Fidelity does not believe customers are at risk of their data being used inappropriately. Customers have been notified of the...

Edwin Shaw Rehabilitation Hospital Patients’ PHI Exposed
Apr28

Akron General Health System is notifying 975 patients of the Akron General Edwin Shaw Rehabilitation Hospital that some of their protected health information has been exposed after an employee lost an unencrypted flash drive. The flash drive contained “generic” data on patients who had visited the hospital for treatment between 2010 and 2011. No Social Security numbers, financial information, dates of birth, addresses, or phone numbers were exposed. Patients therefore face a low risk of the information being used inappropriately, should the device have been recovered by a third party. Data stored on the device include patient names, medical record numbers, treatment provided, name of the insurance carrier, and referring provider. The flash drive is believed to have been lost on February 19, 2015. An Edwin Shaw employee who worked at the Cuyahoga Falls rehab center had taken the portable storage device off-site while attending a business meeting. The employee discovered the drive to be missing five days later. The loss was reported to the hospital and an investigation was...

Vail Valley Medical Center Notifies 3,118 Patients of Unauthorized PHI Disclosure
Apr27

Vail Valley Medical Center (VVMC) is in the process of notifying 3,118 patients of the inappropriate disclosure of some of their protected health information (PHI). A physical therapist formerly employed at Howard Head Sports Medicine was discovered to have copied the PHI of patients and taken the data to his new employer. Prior to leaving employment, the physical therapist downloaded patient PHI onto a USB drive on two separate occasions. VVMC discovered the former employee’s HIPAA violations on February 16, 2016. An internal investigation revealed that the physical therapist had inappropriately accessed patient PHI and copied data on December 1 and December 30, 2015. No Social Security numbers, credit card numbers, bank account details, dates of birth, or addresses were taken, although the former employee did obtain patient names, patient ages, dates of service, amounts paid for medical services, and details of medical diagnoses, conditions, treatments, functional test outcomes, and progress information. Patients affected by the breach had previously attended the Vail Valley...

Mail Delivery Truck Stolen: 2400 Inland Empire Health Plan Members’ PHI Exposed
Apr25

Kaiser Permanente is in the process of notifying 2,400 members of the Inland Empire Health Plan of the theft of Evidence of Coverage handbooks from a mail delivery truck. The names and addresses of plan members were also exposed. The data, which are classed as Protected Health Information under the Health Insurance Portability and Accountability Act, were stolen from a mail delivery truck at some point between March 12 and March 14, 2016. In a breach of Kaiser Permanente’s vendor mail delivery policies, the truck containing the handbooks was left unattended in a non-secure area. It would appear that the delivery truck had been left in a parking lot in the city of Santa Clarita, CA, over the weekend. Thieves gained entry to the vehicle and drove it to an unspecified location, where they removed its contents. The theft was reported to law enforcement in Santa Clarita and the vehicle was subsequently recovered, but not the Evidence of Coverage handbooks. The handbooks were for California Medi-Cal members in Southern California. Kaiser Permanente does not believe the...

Flash Drive Theft Exposes PHI of 2700 Oneida Health Center Dental Clinic Patients
Apr22

An unencrypted flash drive containing the protected health information of 2,700 patients of the Oneida Health Center Dental Clinic has been discovered to be missing. The portable storage device is believed to have been stolen internally and an investigation into the theft is still being conducted by the dental clinic. Local law enforcement was also notified and an investigation was conducted, although the flash drive has not been recovered. The drive was stolen from the Oneida Health Center on the Oneida Reservation at 525 Airport Drive on February 17, 2016. The device contained a limited amount of patient data including patient names, patient identification numbers, and dental insurance identification numbers. Patients affected by the breach had visited the dental clinic between February 2, 2015 and February 17, 2016. No Social Security numbers, dates of birth, or financial information were stored on the device. Patients have now been notified of the breach by mail in accordance with Health Insurance Portability and Accountability Act Rules. Oneida Health Center has no reason to...

Wyoming Medical Center Phishing Attack Exposes PHI of 3,184 Patients
Apr22

A phishing attack on Wyoming Medical Center of Casper in February has resulted in the exposure of 3,184 patients’ protected health information. Two employees clicked on links contained in phishing emails and compromised their accounts. The first employee to fall for the phishing scam clicked on the link on February 22, 2016, with the second employee falling for the scam three days later. Wyoming Medical Center quickly became aware that email accounts had been compromised because the accounts were used by the attackers to send spam emails to other hospital employees. According to a statement released by hospital spokeswoman Kristy Bleizeffer, access to the email accounts was gained for 15 minutes only. As soon as the intrusion was discovered, IT staff started updating passwords to lock out the attackers. An investigation into the breach did not uncover any evidence to suggest emails were accessed by the attacker. Due to the limited time that the email accounts were compromised it is unlikely that the attackers succeeded in gaining access to the PHI of patients. An investigation into...
