Our HIPAA breach news section covers HIPAA breaches such as unauthorized disclosures of protected health information (PHI), improper disposal of PHI, unauthorized PHI access by cybercriminals and rogue healthcare employees, and other security and privacy breaches.

When known, we explain how the breach occurred, the consequences to patients that may have had their PHI compromised, and the actions being taken by the affected healthcare organization to improve safeguards to prevent further HIPAA breaches.

We also explain any actions being taken by the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) and state attorneys general in relation to those breaches.

OCR investigates all data breaches that impact more than 500 individuals to determine whether any HIPAA violations have occurred. When HIPAA Rules are discovered to have been violated, financial penalties may be deemed appropriate. It can take many months or years before any financial penalties for HIPAA breaches are decided. Financial penalties for HIPAA violations tend to be reserved for the most serious breaches of HIPAA Rules. OCR prefers to resolve cases with voluntary compliance and by issuing recommendations to bring policies in line with HIPAA Rules.

The HIPAA breach news section is particularly relevant to healthcare information security professionals, privacy officers, and other individuals who have some responsibility for HIPAA compliance.

The HIPAA breach news reports highlight common areas of non-compliance and new attack vectors used by cybercriminals to gain access to healthcare networks and PHI, the security failings that allowed them to happen, and the measures that have been implemented to prevent them from happening again.

No healthcare organization wants to experience a data breach, but when a breach does occur, lessons can be learned. HIPAA-covered entities can use these breach examples to help train their staff as well as to discover some of the methods other covered entities have adopted to improve data security.

As you will be able to see from the volume of posts in the HIPAA breach news category, healthcare data breaches occur frequently. In 2016 and 2017, healthcare data breaches have been reported on an almost daily basis.

Our HIPAA breach news section is an important source of information about potential security issues that covered entities should be identifying when conducting their own risk assessments. Many of the situations in our HIPAA breach news posts could have been avoided if a risk assessment had identified a vulnerability that was later exploited to gain access to PHI.

The main purpose for adding HIPAA breach news to this website is to highlight specific aspects of HIPAA compliance that are commonly overlooked, often with serious consequences for the covered entity and patients/health plan members.

By raising awareness of the volume of healthcare data breaches, the implications of those breaches, and the penalties that can result, it is hoped that healthcare providers will take decisive action to prevent their patients’ and members’ data from being exposed.

The most recent healthcare data breach reports are listed below. If you want to find out if a specific covered entity has experienced a data breach, please use the search function in the top right hand corner of this webpage.

6,450 Prairie Fields Family Medicine Patients Notified About Email-Related Privacy Breach
Dec10

6,450 Prairie Fields Family Medicine Patients Notified About Email-Related Privacy Breach

Prairie Fields Family Medicine in Fremont, NE, is alerting 6,450 patients that some of their protected health information was contained in an unencrypted spreadsheet that was inadvertently sent to the wrong email recipient. The email was sent on October 1, 2018, and the error was discovered the same day. Prairie Fields Family Medicine has made multiple attempts to contact the owner of the email account to ensure the spreadsheet is securely deleted but, so far, no response has been received. The lack of contact has led Prairie Fields Family Medicine to believe the email account is no longer in use and has been abandoned, although the possibility remains that the spreadsheet has been opened and patient information has been compromised. The spreadsheet did not contain any financial data or health information typically contained in medical records. The breach was limited to patients’ first and last names, birth date, telephone number, first language spoken, sex, race, and, for certain patients, primary and secondary health insurer information, including providers’ names and account...

Read More
16,000 Redwood Eye Center Patients Impacted by MSP Breach
Dec07

16,000 Redwood Eye Center Patients Impacted by MSP Breach

A managed service provider that hosts the electronic health records of Redwood Eye Center in Vallejo, CA, has experienced a security breach that has resulted in the exposure of 16,000 patients’ protected health information. IT Lighthouse provides computer support and application hosting services, including the hosting of electronic health records. During the evening of September 19, 2018, hackers succeeded in installing ransomware on a server that was hosting the electronic health records of patients of Redwood Eye Center. Redwood Eye Center was notified about the security breach on September 20, 2018. A third-party computer forensics firm was hired by IT Lighthouse to assist with the investigation and a specialized medical software vendor was consulted and helped Redwood Eye Center recover the affected data. The types of data that were potentially accessed by the attackers included patients’ names, addresses, birth dates, health insurance information, and medical treatment information. The investigation did not uncover any evidence to suggest the attackers accessed the PHI of...

Read More
PHI of 41,000 Patients of Cancer Centers of America Potentially Compromised in Phishing Attack
Dec05

PHI of 41,000 Patients of Cancer Centers of America Potentially Compromised in Phishing Attack

Cancer Centers of America’s Western Regional Medical Center in Bullhead City, AZ, has discovered the email account of one of its employees has been compromised as a result of a response to a phishing email. The phishing email appeared to have been sent from the email account of a Cancer Treatment Centers of America executive and used social engineering techniques to fool the employee into disclosing login credentials to the account. The attacker was able to access the account, but only for a limited time as the account compromise was detected by IT staff and the user ‘s account password was reset. However, during the time that the email account was accessible it is possible that some messages containing patients’ protected health information (PHI) was accessed. Cancer Treatment Centers of America called in a nationally recognized computer forensics firm to assist with the investigation. While it was not possible to tell which, if any, emails were accessed, it was discovered that the compromised email account contained the PHI of 41,948 patients. The information in the emails varied...

Read More
Ransomware Attacks Reported by Healthcare Providers in Illinois and Rhode Island
Dec05

Ransomware Attacks Reported by Healthcare Providers in Illinois and Rhode Island

A roundup of recent healthcare ransomware attacks, privacy breaches, and security incidents that have been announced in the past few days. Center for Vitreo-Retinal Diseases Ransomware Attack Impacts 20,371 Patients The Center for Vitreo-Retinal Diseases in Libertyville, IL, experienced a ransomware attack that resulted in the encryption of data on its servers. The attack was detected on September 18, 2018. The investigation into the breach suggests the attacker may have gained access to the protected health information of 20,371 patients that was stored on the affected servers. The attack appeared to have been conducted with the intention of extorting money from the practice. While it is possible that patient information was accessed by the attacker, no evidence of unauthorized data access, data theft, or misuse of patient information has been discovered. The information that was potentially compromised included names, addresses, telephone numbers, birth dates, health insurance information, health data, and the Social Security numbers of Medicare patients. The Center for...

Read More
12 State Attorneys General File HIPAA Breach Lawsuit Against Medical Informatics Engineering
Dec05

12 State Attorneys General File HIPAA Breach Lawsuit Against Medical Informatics Engineering

A multi-state federal lawsuit has been filed against Medical Informatics Engineering and NoMoreClipboard over the 2015 data breach that exposed the data of 3.9 million individuals. Indiana Attorney General Curtis Hill is leading the lawsuit and 11 other states are participating – Arizona, Arkansas, Florida, Iowa, Kansas, Kentucky, Louisiana, Minnesota, Nebraska, North Carolina and Wisconsin. This is the first time that state attorneys general have joined forces in a federal lawsuit over a data breach caused by violations of the Health Insurance Portability and Accountability Act. The lawsuit seeks a financial judgement, civil penalties, and the adoption of a corrective action plan to address all compliance failures. A Failure to Implement Adequate Security Controls The lawsuit alleges Medical Informatics Engineering failed to implement appropriate security to protect its computer systems and sensitive patient data and, as a result of those failures, a preventable data breach occurred. According to the lawsuit, “Defendants failed to implement basic industry-accepted data...

Read More
7,000 Patients Affected by Georgia Spine and Orthopaedics of Atlanta Phishing Attack
Nov29

7,000 Patients Affected by Georgia Spine and Orthopaedics of Atlanta Phishing Attack

Georgia Spine and Orthopaedics of Atlanta (GSOA) is notifying thousands of patients that some of their protected health information has been exposed, and potentially stolen, as a result of a phishing attack. An investigation into the data breach revealed an unauthorized individual gained access to an email account as a result of the employee responding to a phishing email. That response allowed the attacker to obtain the employee’s email account password. Third-party computer forensics experts were contracted to conduct a detailed investigation into the attack to determine the extent of the breach and find out which patients had been affected. The investigation confirmed that a single email account had been compromised on July 11, 2018. An evaluation of GSOA’s technology systems was also conducted to ensure that they were secure. In order to determine which patients had been affected, a painstaking manual analysis of all emails in the compromised account was performed to determine which messages had been accessed by the attacker. GSOA reports that the way the email account was...

Read More
DOJ Indicts Two Iranian Hackers for Role in SamSam Ransomware Attacks
Nov29

DOJ Indicts Two Iranian Hackers for Role in SamSam Ransomware Attacks

The U.S. Department of Justice has announced significant progress has been made in the investigation of the threat actors behind the SamSam ransomware attacks that have plagued the healthcare industry over the past couple of years. The DOJ, assisted the Royal Canadian Mounted Police, Calgary Police Service, and the UK’s National Crime Agency and West Yorkshire Police, have identified two Iranians who are believed to be behind the SamSam ransomware attacks. Both individuals – Faramarz Shahi Savandi and Mohammad Mehdi Shah Mansouri – have been operating out of Iran since 2016 and have been indicted on four charges: Conspiracy to commit fraud and related computer activity Conspiracy to commit wire fraud Intentional damage to a protected computer Transmitting a demand in relation to damaging a protected computer The DOJ reports that this is the first ever U.S. indictment against criminals over a for-profit ransomware, hacking, and extortion scheme. In contrast to many threat actors who use ransomware for extortion, the SamSam ransomware group conducts targeted, manual attacks on...

Read More
2.65 Million Atrium Health Patients Impacted by Business Associate Data Breach
Nov28

2.65 Million Atrium Health Patients Impacted by Business Associate Data Breach

AccuDoc Solutions Inc., a provider of healthcare billing services, has experienced a major data breach in which the protected health information of 2,650,000 patients of Atrium Health was exposed. Morrisville, NC-based AccuDoc Solutions prepares bills for patients and operates the online payment system used by Atrium Health, a network of 44 hospitals throughout North Carolina, South Carolina and Georgia. On October 1, 2018, AccuDoc Solutions notified Atrium Health that some of its databases had been compromised. The breach investigation revealed hackers had gained access to AccuDoc Solutions databases between September 22 and September 29, 2018. An extensive forensic investigation into the attack confirmed that patient information had been compromised, but the information stored in its databases could only be viewed. No PHI was downloaded by the attackers nor distributed via other channels. AccuDoc Solutions reports that the breach was due to a security vulnerability at a third-party vendor. The business relationship with that vendor has now been terminated. AccuDoc Systems has...

Read More
Tandigm Health Website Vulnerability Exposed 7,000 Patients’ PHI
Nov27

Tandigm Health Website Vulnerability Exposed 7,000 Patients’ PHI

A vulnerability on a website used by the value-based healthcare company Tandigm Health could potentially have been exploited to gain access to patients’ protected health information. The website vulnerability was discovered by Tandigm Health on September 25, 2018. A leading computer forensics firm assisted with the investigation to determine whether the flaw could be exploited remotely, whether patients’ protected health information had been accessed, and the types of information that may have been exposed. The investigation confirmed that the flaw could have been exploited to gain access to sensitive patient information between April 24, 2017 and December 31, 2017. The information accessible through the website was limited to names, birth dates, medical information, and health insurance information. Approximately 7,000 patients’ protected health information was accessible through the website. The investigation did not uncover any evidence to suggest the flaw had been exploited and no reports been received to suggest patient information has been stolen or misused. Out of an...

Read More
Mercy Medical Center North Iowa Notifies 1,900 Patients About Potential PHI Exposure
Nov27

Mercy Medical Center North Iowa Notifies 1,900 Patients About Potential PHI Exposure

Mercy Medical Center North Iowa has discovered a former employee potentially accessed the medical records of patients without authorization over a period of 12 months. An internal investigation suggested a former employee had inappropriately accessed patient information between July 2017 and July 2018. The employee had been given access to patient information to complete work duties, but Mercy Medical Center North Iowa was unable to confirm whether all records had been accessed for appropriate job-related purposes. The types of information the former employee accessed was limited to names, addresses, birth dates, medications, and insurance information. Breach notification letters were mailed to affected patients on November 26, 2018 and all individuals whose personal information was exposed have been offered 12 months of complimentary identity theft protection services. The discovery of the unauthorized access has prompted Mercy Medical Center North Iowa to review its privacy practices and further training will be provided to employees to reinforce past training on hospital and...

Read More
OCR Fines Allergy Practice $125,000 for Impermissible PHI Disclosure
Nov26

OCR Fines Allergy Practice $125,000 for Impermissible PHI Disclosure

The Department of Health and Human Services’ Office for Civil Rights (OCR) has fined a Hartford allergy practice $125,000 over alleged violations of the HIPAA Privacy Rule. On October 6, 2015, OCR received a copy of a civil rights complaint that had been filed with the Department of Justice (DOJ). The complainant alleged Allergy Associates of Hartford – A Connecticut healthcare provider that specializes in treating patients with allergies – had impermissibly disclosed her protected health information to a TV reporter. The complainant had previously contacted a local TV station after she had been turned away from the allergy practice because of her service animal. The TV reporter subsequently contacted the practice seeking comment. A physician at the practice spoke to the reporter and impermissibly disclosed some of the patient’s protected health information. OCR’s investigation confirmed there had been an impermissible disclosure of PHI, in violation of the HIPAA Privacy Rule – 45 C.F.R. § 164.502(a). The physician in question had already been advised by the practice’s...

Read More
53% Of Healthcare Data Breaches Due to Insiders and Negligence
Nov22

53% Of Healthcare Data Breaches Due to Insiders and Negligence

The healthcare industry has had more than its fair share of hacking incidents, but the biggest threat comes from within. The actions of healthcare providers, health insurers, and their employees cause more breaches than hacking, malware, and ransomware attacks. Researchers at Michigan State University and Johns Hopkins University analyzed data breaches reported to the Department of Health and Human Services’ Office for Civil Rights (OCR) over the past 7 years and found that more than half of breaches were the result on internal negligence. The research study, which was recently published in the journal JAMA Internal Medicine, is a follow-on from a 2017 study that explored the risk of hospital data breaches and the types of hospitals that were most prone to data breaches. While the previous research cast light on which hospitals were most vulnerable, little information was available on the main causes of the breaches. The latest study addresses that gap in knowledge. The researchers performed a retrospective analysis of the 1,183 healthcare data breaches reported to OCR between...

Read More
October 2018 Healthcare Data Breach Report
Nov21

October 2018 Healthcare Data Breach Report

Our October 2018 healthcare data breach report shows there has been a month-over-month increase in healthcare data breaches with October seeing more than one healthcare data breach reported per day. 31 healthcare data breaches were reported by HIPAA-covered entities and their business associates in October – 6 incidents more than the previous month. It should be noted that one breach at a business associate was reported to OCR as three separate breaches. The number of breached records in September (134,006) was the lowest total for 6 months, but the downward trend did not continue in October. There was a massive increase in exposed protected health information (PHI) in October. 2,109,730 records were exposed, stolen or impermissibly disclosed – 1,474% more than the previous month. In October, the average breach size was 68,055 records and the median was 4,058 records. Largest Healthcare Data Breaches in October 2018 There were 11 healthcare data breaches of more than 10,000 records reported in October – A 120% increases from the five 10,000+ record breaches in September. The...

Read More
Key Dental Group Alerts Patients About Potential HIPAA Violation
Nov21

Key Dental Group Alerts Patients About Potential HIPAA Violation

Key Dental Group, a dental practice in Pembroke Pines, FL, is informing patients of an alleged HIPAA violation that could potentially result in the unauthorized accessing of patients’ protected health information (PHI). After changing its electronic medical record (EMR) database provider, Key Dental Group requested its former vendor, MOGO, the return its EMR database. Even though the end user license agreement (EULA) stated that all patient data must be returned on termination of the agreement, MOGO has refused to return the database. MOGO communicated to Key Dental Group, via its attorney, that the database would not be returned. The Pembroke Pines dental practice alleges that in addition to violating the EULA, MOGO, as a HIPAA business associate, is in violation of the Health Insurance Portability and Accountability Act. Any security breach, such as the unauthorized accessing of patients’ protected health information, requires notifications to be sent to affected patients. Key Dental Group cannot say whether the database has been accessed after the termination of the EULA,...

Read More
Stolen FHN Healthcare Laptop Contained the PHI of 4,458 Patients
Nov21

Stolen FHN Healthcare Laptop Contained the PHI of 4,458 Patients

FHN Healthcare, which operates FHN Memorial Hospital in Freeport, IL, and a network of family healthcare centers throughout northwest Illinois, has learned that a laptop computer containing the protected health information of 4,458 patients has been stolen from the vehicle of an employee. The theft was immediately reported to law enforcement, but the device has not been recovered. FHN Healthcare reconstructed the data stored on the device and discovered it contained names, addresses, birth dates, medical record numbers, health insurance information, medical information, Social Security numbers, and driver’s license numbers. FHN healthcare already encrypts all its laptop computers, although the investigation into the incident revealed that the stolen device had not been encrypted and was only protected with a password. FHN reports that the lack of encryption was due to a technical issue with its encryption software and that the missed device was an isolated incident. The discovery of the encryption failure has prompted FHN Healthcare to re-encrypt all its laptop computers. The...

Read More
128,400 Employees and Patients Impacted by Phishing Attack on Albany Cancer Treatment Center
Nov20

128,400 Employees and Patients Impacted by Phishing Attack on Albany Cancer Treatment Center

New York Oncology Hematology in Albany, NY, has announced that hackers have gained access to 15 employee email accounts which contained the sensitive information of as many as 128,400 current and former patients and employees. As is common in phishing attacks, the emails contained a hyperlink to a seemingly legitimate email login page which requested usernames and passwords. When the information was entered it was harvested by the attackers. According to the substitute breach notice on the New York Oncology Hematology website, each compromised email account only remained accessible for a short period of time before access was terminated. The email breaches were identified by New York Oncology Hematology’s IT vendor, which shut down access to the compromised accounts by resetting the passwords. Access to 14 email accounts was gained on April 20, and a second attack took place between April 21 and April 27, which resulted in a further email account being compromised. New York Oncology Hematology hired a third-party computer forensics firm to investigate the breach and, on October 1,...

Read More
Email Hacking Incident Reported by Episcopal Health Services
Nov20

Email Hacking Incident Reported by Episcopal Health Services

Certain current and former patients of St. John’s Episcopal Hospital and Episcopal Health Services in New York are being notified that some of their protected health information has potentially been compromised. On September 18, 2018, Episcopal Health Services became aware of suspicious activity in several employee email accounts. An investigation was immediately launched, and a third-party digital forensics firm was called in to determine the nature and scope of the breach. The investigation revealed multiple employee email accounts had been compromised between August 28, 2018 and October 5, 2018. A thorough review of the compromised email accounts was completed on November 1. The types of information exposed differed from patient to patient but may have included name, date of birth, Social Security number, medical history, prescription information, diagnoses, treatment information, medical record number, financial information, and health insurance information. “Episcopal Health Services is committed to, and takes very seriously, its responsibility to protect all data entrusted to...

Read More
HealthEquity Notifies 165,800 Individuals of Email Security Breach
Nov19

HealthEquity Notifies 165,800 Individuals of Email Security Breach

HealthEquity is notifying 165,800 individuals that some of their protected health information has been exposed as a result of a email security attack. HealthEquity is a Utah-based company that provides services to help individuals gain tax advantages to offset the cost of healthcare, either through employers or health plans. These services include health savings accounts (HSAs), health flexible spending arrangements (FSAs), limited purpose FSAs, and dependent care reimbursement accounts (DCRAs). In order to provide those services, HealthEquity has access to protected health information, some of which is communicated via email for business purposes. On October 5, 2018, HealthEquity’s security team discovered two Office 365 email accounts had been accessed by an unauthorized individual. On October 20, 2018, following an analysis into the cyberattack, HealthEquity confirmed that two employee email accounts had been breached and that those accounts contained the sensitive personal information of employees and individuals who benefited from its services through their health plan or...

Read More
2,393 Patients of Southwest Washington Regional Surgery Center Impacted by Phishing Attack
Nov16

2,393 Patients of Southwest Washington Regional Surgery Center Impacted by Phishing Attack

Southwest Washington Regional Surgery Center in Vancouver, WA, has suffered a phishing attack that has resulted in the exposure of 2,393 patients’ protected health information. The breach was confined to a single email account and no evidence was uncovered to suggest any emails have been accessed or downloaded by the attacker. An extensive investigation was conducted with assistance provided by a third-party cybersecurity firm. The investigation concluded on September 25. The investigation included a manual review of all emails in the compromised account to identify patients affected and the types of information that may have been compromised. Southwest Washington Regional Surgery Center explained in its breach notice that the beach was limited to the following PHI elements: Names, driver’s license numbers, Social Security numbers, medical information, and for a limited number of patients, credit card numbers. The investigation revealed the email account was compromised on May 27, 2018 and access remained possible until August 13, 2018. Patients impacted by the breach were sent...

Read More
HealthCare.gov Data Breach Exposed Personal Information of 94,000 Individuals
Nov15

HealthCare.gov Data Breach Exposed Personal Information of 94,000 Individuals

Last month, the Centers for Medicare & Medicaid Services (CMS) announced that the HealthCare.gov website had been hacked and the sensitive data of approximately 75,000 individuals had potentially been compromised. This week, the CMS issued an update on the breach confirming more people had been affected than was initially thought. The revised estimate has seen the number of breach victims increased to 93,689. The initial breach announcement was light on details about the exact nature of the breach and the types of information that had potentially been compromised. In the initial announcement the CMS explained that suspicious activity was detected on the site on October 13 and on October 16 a breach was confirmed. Steps were immediately taken to secure the site and prevent any further data access or data theft. The CMS started sending out breach notification letters on November 7 which explain the breach in more detail, including the types of information that were potentially accessed. CMS explained that the ‘suspicious activity’ it detected was certain agent and broker...

Read More
30,000 Patients Impacted by May Eye Care Center Ransomware Attack
Nov14

30,000 Patients Impacted by May Eye Care Center Ransomware Attack

A July 2018 ransomware attack on May Eye Care Center in Hanover, PA saw a range of sensitive patient information encrypted, including data in its electronic medical record system. The ransomware attack was discovered by May Eye Care on July 29, 2018. The ransomware was downloaded on a server that contained patients’ names, addresses, dates of birth, insurance information, diagnoses, treatment information, clinical information, and a limited number of Social Security numbers. May Eye Care Center called in a leading computer forensics company to investigate the breach and an IT firms that specializes in data security was engaged to conduct a full review of security systems and protocols. Security has now been improved to prevent further attacks. A ransom demand was received, but no payment was made. May Eye Care Center was able to recover all of the files encrypted by the ransomware from backups without any loss of data. Al patients impacted by the incident have been notified and the breach was reported to the Department of Health and Human Services’ Office for Civil Rights on...

Read More
1,800 Patients’ PHI Compromised in Metrocare Services Phishing Attack
Nov14

1,800 Patients’ PHI Compromised in Metrocare Services Phishing Attack

Metrocare Services, the largest provider of mental health services in North Texas, has suffered a phishing attack that has resulted in the exposure of 1,804 patients’ protected health information. Several employee email accounts were compromised in the attack, with the first account breach occurring on August 2, 2018. Metrocare did not discover the phishing attacks until September 4. As soon as the breach was discovered, steps were taken to secure the accounts. Metrocare has also given its employees additional training on information security, additional measures are being introduced to improve the security of its information technology infrastructure, and email security has been strengthened. The investigation into the breach could not determine whether any emails containing patients’ protected health information were accessed by the attackers, but data access could not be ruled out. No reports have been received that suggest any PHI has been misused. The types of information that were exposed differed from patient to patient and included data such as names, dates of birth,...

Read More
Former Chilton Medical Center IT Worker Gets 5 Years’ Probation for Theft of Equipment Containing ePHI
Nov13

Former Chilton Medical Center IT Worker Gets 5 Years’ Probation for Theft of Equipment Containing ePHI

A former IT worker at Chilton Medical Center in New Jersey has been sentenced to 5 years’ probation for the theft of IT equipment that contained the protected health information of some of its patients. Sergiu Jitcu, of Saddle Brook, NJ, had previously been employed by Chilton Medical Center. On October 31, 2017, Chilton Medical Center learned that one of its hard drives had been sold on eBay. The purchaser discovered databases on the hard drive that appeared to include the protected health information (PHI) of some of its patients. The subsequent investigation revealed the hard drive contained the PHI of 4,600 patients who had received medical services at Chilton Medical Center between May 1, 2008 and October 15, 2017. The types of information on the hard drive included names, addresses, dates of birth, allergy information, medical record numbers, and medications. The theft was reported to the Morris County Prosecutor’s Office and was linked to Jitcu. The Morris County Prosecutor’s Office Specialized Crime Division obtained a search warrant for Jitcu’s home and vehicle and...

Read More
1,216 Patient Records Impermissibly Accessed by Former Upstate University Hospital Employee
Nov12

1,216 Patient Records Impermissibly Accessed by Former Upstate University Hospital Employee

Upstate University Hospital in Syracuse, NY, is notifying 1,216 patients that some of their protected health information (PHI) has been impermissibly accessed by a former employee. Upstate University Hospital discovered the breach on September 12, 2018, which prompted a full investigation to determine which patients had had their privacy violated. The investigation revealed that the former employee first accessed patient health records without any legitimate work reason for doing so on November 3, 2016. Patient records continued to be accessed until October 23, 2017. The investigation did not uncover any evidence to suggest any information had been printed, copied, or forwarded outside the organization. It is unclear why the former employee accessed the records. No information on the motives behind the privacy violations has been made public. Highly sensitive information such as Social Security numbers, financial information, health insurance information and other information typically sought by identity thieves were not compromised and remained secure at all times. The breach was...

Read More
Billing Records of 12,331 Patients of Inova Health System Have Been Compromised
Nov09

Billing Records of 12,331 Patients of Inova Health System Have Been Compromised

Falls Church, VA-based Inova Health System has started notifying 12,331 patients that some of their protected health information has been accessed by an unauthorized individual. Inova Health System was contacted by law enforcement on September 5, 2018 over a suspected breach of patients’ billing information. A leading computer forensics firm was engaged to conduct an investigation into the breach to determine the nature of the attack and the extent of the breach. The investigation revealed its billing system was first accessed by an unauthorized individual in January 2017, and again between July and October 2017. Access was gained using the login credentials of an Inova employee. Peculiarly, Inova also reported that the same individual also gained access to paper billing records of a small number of patients in December 2016, which suggests that this may have been an insider breach involving a former employee, business associate or another individual with access to Inova facilities. However, no information about the individual responsible for the breach has been made public by...

Read More
Altus Hospital Baytown Suffers Dharma Ransomware Attack
Nov09

Altus Hospital Baytown Suffers Dharma Ransomware Attack

Altus Hospital in Baytown, TX, has experienced a ransomware attack that resulted in the encryption of many hospital records. The electronic medical record system was not affected, although some of the encrypted files contained patients’ protected health information including names, home addresses, contact telephone numbers, birth dates, Social Security numbers, credit card information, driver’s license numbers, and medical information. The attack was discovered on September 3, 2018. Altus Hospital received a ransom demand; however, assisted by a third-party security consultant, Altus Hospital was able to restore all affected files from backups. The investigator determined that the attacker gained access to the hospital’s servers before deploying a Dharma ransomware variant. Altus Hospital believes the aim of the attack was solely to extort money from the hospital. Data access and theft of patient information is not believed to have occurred. While the attack was limited to Baytown hospital servers, some of the information stored on those servers came from the following affiliated...

Read More
566,217 Customers of Chicago-Based Health Insurer Impacted by Data Breach
Nov07

566,217 Customers of Chicago-Based Health Insurer Impacted by Data Breach

The Chicago-based health insurer Bankers Life, a division of CNO Financial Group Inc., has discovered hackers gained access to its systems and potentially stole the personal information of more than half a million individuals. Bankers Life provides a range of insurance services to customers, including life insurance, long term care insurance, health insurance, and Medicare supplemental insurance and is the largest division of CNO Financial Group. Hackers first gained access to its systems between May 30 and September 13, 2018. Bankers Life said it discovered the breach on August 7, 2018. The hackers gained access to a range of sensitive personal information of a ‘limited number’ of its employees. A ‘limited group’ of customers had names, Social Security numbers, driver’s license numbers, bank account numbers, state identification numbers, medication information, diagnoses, and treatment information exposed. The protected health information of a much larger group of customers was also potentially accessed by the hackers. For that group, names, addresses, dates of birth, insurance...

Read More
Q3 Healthcare Data Breach Report: 4.39 Million Records Exposed in 117 Breaches
Nov07

Q3 Healthcare Data Breach Report: 4.39 Million Records Exposed in 117 Breaches

The latest installment of the Breach Barometer Report from Protenus shows there was a quarterly fall in the number of healthcare data breaches compared to Q2, 2018; however, the number of healthcare records exposed, stolen, or impermissibly disclosed increased in Q3. In each quarter of 2018, the number of healthcare records exposed in data breaches has risen. Between January and March 1,129,744 healthcare records were exposed in 110 breaches. Between April and June, 3,143,642 records were exposed in 142 breaches, and 4,390,512 healthcare records were exposed, stolen, or impermissibly disclosed between July and September in 117 breaches. The largest healthcare data breach in Q3 was reported by the Iowa Health System UnityPoint Health. The breach was due to a phishing attack that saw multiple email accounts compromised. Those accounts contained the protected health information of more than 1.4 million patients. That breach was the second phishing attack experienced by UnityPoint Health. An earlier phishing attack resulted in the exposure of 16,400 healthcare records. In Q3, hacking...

Read More
Ransomware Attacks Increase: Healthcare Industry Most Heavily Targeted
Nov02

Ransomware Attacks Increase: Healthcare Industry Most Heavily Targeted

Ransomware attacks are on the rise once again and healthcare is the most targeted industry, according to the recently published Beazley’s Q3 Breach Insights Report. 37% of ransomware attacks managed by Beazley Breach Response (BBR) Services affected healthcare organizations – more than three times the number of attacks as the second most targeted industry: Professional services (11%). Kaspersky Lab, McAfee, and Malwarebytes have all released reports in 2018 that suggest ransomware attacks are in decline; however, Beazley’s figures show monthly increases in attacks in August and September, with twice the number of attacks in September compared to the previous month. It is too early to tell if this is just a blip or if attacks will continue to rise. The report highlights a growing trend in cyberattacks involving multiple malware variants. One example of which was a campaign over the summer that saw the Emotet banking Trojan downloaded as the primary payload with a secondary payload of ransomware. Emotet is used to steal bank credentials and has the capability to download further...

Read More
Stolen Raley’s Pharmacy Laptop May Have Contained PHI of 10,000 Patients
Oct30

Stolen Raley’s Pharmacy Laptop May Have Contained PHI of 10,000 Patients

Approximately 10,000 patients of Raley’s Pharmacy are being notified that some of their protected health information (PHI) has potentially been compromised. On September 24, 2018, a laptop computer was stolen from a Raley’s pharmacy that may have contained some patients’ PHI. Raley’s pharmacy immediately launched an investigation to determine what information was stored on the device. Interviews were conducted with staff members who had used the device in an attempt to understand the types of content that may have been exposed. The email accounts of employees were also checked for attachments and links to documents that contained ePHI, to determine which files had been downloaded or were stored in cache files in a temporary directory on the laptop. After careful analysis, Raley’s Pharmacy was able to determine that the only patients affected by the security incident were those that had visited a Raley’s, Bel Air, and Nob Hill Foods pharmacy between January 1, 2017 and September 24, 2018 to have prescriptions filled. An analysis of the files which had potentially been downloaded to...

Read More
PHI of 40,000 Patients of Sioux City Eye Clinic Potentially Compromised
Oct26

PHI of 40,000 Patients of Sioux City Eye Clinic Potentially Compromised

The protected health information of up to 40,000 patients of the Jones Eye Clinic and its affiliated surgery center, CJ Elmwood Partners, L.P, in Sioux City, IA has potentially been compromised. The breach is the result of a ransomware attack which affected data stored in an information system used for scheduling appointments and billing patients. Electronic medical records were unaffected as they were housed in a separate system which was not accessed by the attacker. Jones Eye Clinic discovered the ransomware attack on August 23, 2018, although an investigation by a third-party forensic investigator revealed that the attacker gained access to its system and installed the ransomware on the evening of August 22. A ransom was demanded for the keys to decrypt the files; however, no payment was made as it was possible to recover the files from backups. A full data restoration was completed on August 23. The investigation into the ransomware attack did not uncover any evidence to suggest that the attacker viewed or obtained patient data, although since data theft could not be ruled...

Read More
Catawba Valley Medical Center Phishing Attack Impacts 20,000 Patients
Oct25

Catawba Valley Medical Center Phishing Attack Impacts 20,000 Patients

On August 13, 2018, Catawba Valley Medical Center (CVMC) in Hickory, NC discovered an unauthorised individual accessed the email account of a CVMC employee. Upon discovery of the email breach, steps were taken to secure the account and prevent further access and a third-party computer forensics firm was called in to assist with the investigation and determine the extent of the breach. That investigation revealed that between July 4 and August 17, 2018, three employees’ email accounts had been compromised after the employees responded to phishing emails. Some of the emails in those accounts contained patients’ protected health information including names, dates of birth, details of medical services received at CVMC, health insurance details, and for certain patients, Social Security numbers. No evidence was found to suggest that any emails had been accessed or copied and no information has been received to suggest patient health information has been misused in any way. The phishing incidents have prompted CVMC to hire security experts to enhance employee education, more robust email...

Read More
Email Error Exposed the PHI of 8,000 Members of FirstCare Health Plans
Oct24

Email Error Exposed the PHI of 8,000 Members of FirstCare Health Plans

Texas-based First Care Health Plans is notifying more than 8,000 plan members that some of their personal information may have been impermissibly disclosed as a result of automated reports being accidentally emailed to an incorrect recipient. The daily reports were automatically generated and sent to an email distribution list. The reports contained medical requests which included members’ names, member ID numbers, procedure codes, descriptions of treatments, authorization numbers, and names of treating providers. On August 15, 2018, the FirstCare IT security team became aware that the reports had been sent to an external email address in error and the emails had not been encrypted. An investigation into the incident revealed the reports had been sent over a period of 17 months, starting on March 22, 2017. The reports contained the protected health information of 8,056 plan members. FirstCare explained in its breach notice that various security solutions had been deployed to monitor for unauthorized access, acquisition, and unauthorized use of ePHI, but they had failed to identify...

Read More
Phishing Attack on Children’s Hospital of Philadelphia Results in Double Account Breach
Oct24

Phishing Attack on Children’s Hospital of Philadelphia Results in Double Account Breach

Children’s Hospital of Philadelphia (CHOP) has discovered the email accounts of two employees have been compromised following successful phishing attacks on August 23 and August 29, 2018. On August 24, CHOP discovered an unauthorized individual had gained access to the email account of a one of its physicians. The investigation revealed the account was first accessed the previous day. Two weeks later, on September 6, CHOP discovered a second email account had also been compromised. In that case, access to the account was first gained on August 29. In both cases, prompt action was taken to secure the accounts and prevent further access. A leading computer forensics firm was also retained to assist with the investigation and assess the scope of the breach. An analysis of the email accounts revealed the individual(s) behind the phishing attacks may have been able to gain access to the protected health information (PHI) of a limited number of patients of CHOP’s neonatal and fetal programs. The information that was exposed differs from patient to patient and may have included a full...

Read More
September 2018 Healthcare Data Breach Report
Oct23

September 2018 Healthcare Data Breach Report

For the second consecutive month there has been a reduction in both the number of reported healthcare data breaches and the number of exposed healthcare records. In September, there were 25 breaches of 500 or more records reported to the Department of Health and Human Services’ Office for Civil Rights – the lowest breach tally since February. There was also a substantial reduction in the number of exposed/stolen healthcare records in September. Only 134,000 healthcare records were exposed/stolen in September – A 78.5% reduction in compared to August. Fewer records were exposed in September than in any other month in 2018. Causes of September 2018 Healthcare Data Breaches In August, hacking/IT incidents dominated the healthcare breach reports, but there was a major increase (55.55%) in unauthorized access/disclosure breaches in September, most of which involved paper records. There were no reported cases of lost paperwork or electronic devices containing ePHI, nor any improper disposal incidents. While there were fewer hacking/IT incidents than unauthorized access/disclosure...

Read More
OIG Publishes 2016 Medicaid Data Breach Report
Oct23

OIG Publishes 2016 Medicaid Data Breach Report

A new report released by the Department of Health and Human Services’ Office of Inspector General (OIG) has revealed the vast majority of Medicaid data breaches are relatively minor and only affect an extremely limited number of individuals. For the study, OIG assessed all breaches reported by Medicaid agencies and their contractors in 2016. According to the report, the records of 515,000 Medicaid beneficiaries were exposed in 2016, spread across 1,260 data breaches. Almost two thirds of Medicaid data breaches reported in 2016 affected a single person with a further 29% of breaches affecting between 1 and 9 individuals. Large-scale breaches, which resulted in the data of 500 or more beneficiaries being exposed, accounted for 1% of the annual total. While the breach causes were highly varied, the majority of incidents were the result of simple errors such as misaddressing a letter, fax, or email. Those breaches only resulted in a very limited amount of PHI being exposed, such as a beneficiary name and Medicaid or other ID number. Out of the 1,260 breaches only 303 resulted in the...

Read More
1.25 Million Records Exposed in Employees Retirement System of Texas Data Breach
Oct23

1.25 Million Records Exposed in Employees Retirement System of Texas Data Breach

The Employees Retirement System of Texas (ERS) has discovered a flaw in its ERS OnLine portal allowed certain individuals to view information of other members after logging into the portal. ERS explained that a coding error, introduced on January 1, 2018, affected the “Annual Out-of-Pocket Premium” function of its ERS OnLine system. The function is used by some retirees, direct-pay members, employees on leave without pay and COBRA participants. The function “allows participants who pay their Texas Employees Group Benefits Program (GBP) premiums with after-tax dollars to see their own premium payment information.” However, the flaw meant that certain ERS members were displayed information about other members and in some cases, certain beneficiaries – if those beneficiaries had received some form of payment from ERS and had information in the ERS OnLine system. ERS notes that the coding error only returned other members’ information when individuals performed a modified search via the affected function and therefore it is “very unlikely” than most members information was...

Read More
Ransomware Attack Impacts 16,000 National Ambulatory Hernia Institute Patients
Oct22

Ransomware Attack Impacts 16,000 National Ambulatory Hernia Institute Patients

On September 13, 2018, the National Ambulatory Hernia Institute in California experienced a ransomware attack that resulted in certain files on its network being encrypted. According to the breach notice uploaded to the healthcare provider’s website, the attackers were potentially able to gain access to demographic data of patients recorded prior to July 19, 2018. In total, 15,974 patients have had some of their protected health information exposed as a result of the attack. The information potentially accessed by the attackers was limited to names, addresses, birth dates, diagnoses, appointment dates and times, and Social Security numbers. Patients who visited National Ambulatory Hernia Institute facilities for the first time after July 19, 2018 were unaffected by the breach. Due to the sensitive nature of the exposed information, the National Ambulatory Hernia Institute has advised affected patients to obtain identity monitoring services for a period of at least one year. The breach notice does not state whether those services are being provided to patients free of charge. The...

Read More
$16 Million Anthem HIPAA Breach Settlement Takes OCR HIPAA Penalties Past $100 Million Mark
Oct16

$16 Million Anthem HIPAA Breach Settlement Takes OCR HIPAA Penalties Past $100 Million Mark

OCR has announced that an Anthem HIPAA breach settlement has been reached to resolve potential HIPAA violations discovered during the investigation of its colossal 2015 data breach that saw the records of 78.8 million of its members stolen by cybercriminals. Anthem has agreed to pay OCR $16 million and will undertake a robust corrective action plan to address the compliance issues discovered by OCR during the investigation. The previous largest ever HIPAA breach settlement was $5.55 million, which was agreed with Advocate Health Care in 2016. “The largest health data breach in U.S. history fully merits the largest HIPAA settlement in history,” said OCR Director Roger Severino. Anthem Inc., an independent licensee of the Blue Cross and Blue Shield Association, is America’s second largest health insurer. In January 2015, Anthem discovered cybercriminals had breached its defenses and had gained access to its systems and members’ sensitive data. With assistance from cybersecurity firm Mandiant, Anthem determined this was an advanced persistent threat attack – a continuous and targeted...

Read More
Email Accounts Compromised at Biomarin Pharmaceutical and Envision Healthcare Corporation
Oct12

Email Accounts Compromised at Biomarin Pharmaceutical and Envision Healthcare Corporation

Novato, CA-based Biomarin Pharmaceutical has discovered two employee email accounts have been compromised as a result of a phishing attack in which a temporary employee’s login credentials were obtained by the attacker. The attack was discovered on June 21, 2018 and immediate action was taken to prevent further unauthorized account access. The investigation into the breach determined that the email accounts had been accessed by an unauthorized individual, but it was not possible to tell whether any emails were opened or copied by the attacker. An analysis of the compromised accounts suggests a document containing names, health insurance information and Social Security numbers may have been in one or both email accounts at the time the breach. Due to the nature of exposed data, affected individuals have been advised to place a fraud alert on their credit files as a precaution against identity theft and fraud and urged to monitor explanation of benefits statements from insurers for medical services which have not been received. Biomarin Pharmaceutical has now secured its network and...

Read More
Minnesota DHS Notifies 21,000 Patients That Their PHI Has Potentially Been Compromised
Oct12

Minnesota DHS Notifies 21,000 Patients That Their PHI Has Potentially Been Compromised

The Minnesota Department of Human Services has mailed letters to approximately 21,000 individuals on medical assistance to alert them to a possible breach of their protected health information (PHI) due to two recent phishing attacks. Two DHS employees’ email accounts have been confirmed as having been compromised as a result of the employees clicking on links in phishing emails. The investigation into the breach determined that the attackers accessed both email accounts although it was not possible to determine which, if any, emails in the account had been accessed or copied by the attackers. Minnesota DHS has reason to believe that other employees may also have been targeted and could also have clicked on links in phishing emails, but it has not yet been confirmed whether their accounts have been breached. The investigation into the phishing attacks is ongoing. The two email account breaches occurred on June 28 and July 9, 2018, although the IT department only determined that the accounts had been breached in August. Upon discovery of the phishing attack, both accounts were...

Read More
Michigan Medicine Notifies 3,600 Patients of PHI Disclosure Due to Mailing Error
Oct09

Michigan Medicine Notifies 3,600 Patients of PHI Disclosure Due to Mailing Error

Michigan Medicine is notifying more than 3,600 patients of an impermissible disclosure of a limited amount of their protected health information. In early September 2018, the Michigan Medicine Development Office launched a fundraising campaign that involved sending letters to a large number of its patients. A third-party vendor was contracted to print the letters for the mailing and while many of the letters were printed correctly, an error was made by the printing company that resulted in an impermissible disclosure of certain patients’ personal information. According to Michigan Medicine, the error was introduced when the printing company installed new software. As a result of the error, a proportion of the letters contained information that was intended for other Michigan Medicine patients and did not match the name and address on the outside of the envelope. Since this was a fundraising mailing, the letters did not contain any medical information, Social Security numbers, financial data, or other highly sensitive information. Patients affected by the error has their name,...

Read More
California HIV Patient PHI Breach Lawsuit Allowed to Move Forward
Oct08

California HIV Patient PHI Breach Lawsuit Allowed to Move Forward

A lawsuit filed by Lambda Legal on behalf of a victim of a data breach that saw the highly sensitive protected health information of 93 lower-income HIV positive individuals stolen by unauthorized individuals has survived a motion to dismiss. The former administrator of the California AIDS Drug Assistance Program (ADAP), A.J. Boggs & Company, submitted a motion to dismiss but it was recently rejected by the Superior Court of California in San Francisco. In the lawsuit, Lambda Legal alleges A.J. Boggs & Company violated the California AIDS Public Health Records Confidentiality Act, the California Confidentiality of Medical Information Act, and other state medical privacy laws by failing to ensure an online system was secure prior to implementing that system and allowing patients to enter sensitive information. A.J. Boggs & Company made its new online enrollment system live on July 1, 2016, even though it had previously received several warnings from nonprofits and the LA County Department of Health that the system had not been tested for vulnerabilities. It was...

Read More
PHI of 37,000 Gold Coast Health Plan Members Potentially Compromised
Oct08

PHI of 37,000 Gold Coast Health Plan Members Potentially Compromised

Camarillo, CA-based Gold Coast Health Plan is informing approximately 37,000 plan members that some of their protected health information has potentially been obtained by hackers who succeeded in compromising the email account of one of its employees. The employee was fooled by a phishing email and the attackers gained access to the email account on June 18, 2018. Access remained possible until August 1, 2018. Gold Coast Health Plan discovered the security breach on August 8 and took steps to secure the account and prevent any further remote access. A leading third-party cybersecurity firm was engaged to conduct an investigation into the breach and assess the scope of the incident and determine whether any patients’ health information was accessed. It was not possible to rule out PHI access and data theft with 100% certainty, although no reports have been received to date that suggest any PHI in the account has been misused. Gold Coast Health Plan believes the attack was financially motivated and the purpose of the attackers was to gain access to banking information in order to...

Read More
Summary of Recent Healthcare Data Breaches
Oct05

Summary of Recent Healthcare Data Breaches

A round up of healthcare data breaches recently announced by healthcare providers and business associates of HIPAA covered entities. Tillamook Chiropractic Clinic Discovers 26-Month Malware Infection The medical records of 4,058 patients of the Tillamook Chiropractic Clinic in Tillamook, OR have been stolen as a result of a malware infection. On August 3, 2018, the clinic conducted an internal security audit which showed that malware had been installed on its network, even though a firewall was in place, antivirus and antimalware software were installed and up to date, and its software was fully patched. An investigation into the security breach revealed the malware had been installed on May 24, 2016 and had remained undetected for 26 months. The malware had been installed on the primary insurance billing system, which the clinic reports was used as a staging area by the attackers to collect patient records before exfiltrating the data. The information believed to have been stolen includes full names, home addresses, work addresses, dates of birth, phone numbers, diagnoses, lab...

Read More
PHI of 1,800 Patients Found Abandoned in Houston Street
Oct03

PHI of 1,800 Patients Found Abandoned in Houston Street

Paperwork containing the protected health information of approximately 1,800 patients has been discovered abandoned in a Midtown, Houston street by an employee of the CBS-affiliated television station KBOU 11. The paperwork contained information such as patients’ names, birth dates, diagnoses, treatment information, medications, vital signs, and admission dates. KBOU launched an investigation into the breach and determined the paperwork related to patients from five Houston hospitals – MD Anderson Cancer Center, LBJ Hospital, Children’s Memorial Hermann, Memorial Hermann Hospital, and TIRR Memorial Hermann. The investigation led to UT Health. According to the report, the records were stolen from the locked trunk of a vehicle belonging of a medical resident who, while studying at UT Health’s McGovern Medical School, had worked at the above hospitals. The records were stolen from his vehicle in July. Officials at UT Health confirmed to KBOU that they are aware of the breach. Reporters spoke to the medical graduate and confirmed that the incident had not been reported to the...

Read More
Study Reveals 70% Increase in Healthcare Data Breaches Between 2010 and 2017
Sep28

Study Reveals 70% Increase in Healthcare Data Breaches Between 2010 and 2017

There has been a 70% increase in healthcare data breaches between 2010 and 2017, according to a study conducted by two physicians at the Massachusetts General Hospital Center for Quantitative Health. The study, published in the Journal of the American Medical Association on September 25, involved a review of 2,149 healthcare data breaches reported to the Department of Health and Human Services’ Office for Civil Rights between 2010 and 2017. “While we conduct scientific programs designed to recognize the enormous research potential of large, centralized electronic health record databases, we designed this study to better understand the potential downsides for our patients – in this case the risk of data disclosure,” said Dr. Thomas McCoy Jr, director of research at Massachusetts General Hospital’s Center for Quantitative Health in Boston and lead author of the study. Every year, with the exception of 2015, the number of healthcare data breaches has increased, rising from 199 breaches in 2010 to 344 breaches in 2017. Those breaches have resulted in the loss, theft, exposure, or...

Read More
Claxton-Hepburn Medical Center Fires Several Employees for Inappropriate PHI Access
Sep27

Claxton-Hepburn Medical Center Fires Several Employees for Inappropriate PHI Access

Claxton-Hepburn Medical Center, a not-for-profit 115-bed community hospital in Ogdensburg, NY, has fired several employees for accessing patient health records without authorization. The PHI breaches were discovered during an internal investigation. It is unclear whether that investigation was launched following a complaint that had been received or if the patient privacy violations were uncovered during a routine audit of PHI access logs – A requirement of HIPAA. Claxton-Hepburn Medical Center has not publicly disclosed how many employees were terminated over the violations, only reporting that all employees who purposely committed the acts were terminated. It is also currently unclear exactly how many patients’ PHI was breached. Claxton-Hepburn Medical Center has confirmed that training is given to all employees on the first day of employment detailing the requirements of HIPAA and the importance of protecting the privacy of patients. All employees are made aware that accessing patient health information is only permitted when PHI needs to be viewed to complete work duties or...

Read More
Protected Health Information Stolen in Aspire Health Phishing Attack
Sep27

Protected Health Information Stolen in Aspire Health Phishing Attack

Aspire Health, a Nashville, TN-based provider of in-home services for patients diagnosed with serious illnesses, has experienced a phishing attack that resulted in the email account of an employee being accessed by an unauthorized individual. Once access to the email account was gained, the attacker forwarded 124 emails to an external email account. Several of the forwarded email messages contained the protected health information of patients and “confidential and proprietary information and files”. According to a statement issued by a spokesperson for Aspire Health, breach notification letters have already been sent to a “small handful” of its patients, although the exact number affected by the breach has not been disclosed. The data breach has yet to appear on the Department of Health and Human Services’ Office for Civil Rights’ breach portal. As is the case with many phishing scams, an email was sent to the employee which contained a hyperlink to a website which requested login credentials. The website, created on August 28, 2018, is hosted in the Russian Federation and was...

Read More
UMass Memorial Health Care Pays $230,000 to Resolve Alleged HIPAA Violations
Sep24

UMass Memorial Health Care Pays $230,000 to Resolve Alleged HIPAA Violations

Mass Memorial Health Care has been fined $230,000 by the Massachusetts attorney general for HIPAA failures related to two data breaches that exposed the protected health information (PHI) of more than 15,000 state residents. A lawsuit was filed against UMass Memorial Health Care in which attorney general Maura Healey claimed UMass Memorial Medical Group Inc., and UMass Memorial Medical Center Inc., failed to implement sufficient measures to protect patients’ sensitive health information. In two separate incidents, employees accessed and copied patient health information without authorization and used that information to open cell phone and credit card accounts in the victims’ names. It was also alleged that UMass Memorial Medical Group Inc., and UMass Memorial Medical Center Inc., were both aware of employee misconduct, yet failed to properly investigate complaints related to data breaches and discipline the employees concerned in a timely manner. Both entities also failed to ensure that patients’ PHI was properly safeguarded. These failures violated Massachusetts data security...

Read More
August 2018 Healthcare Data Breach Report
Sep21

August 2018 Healthcare Data Breach Report

August was a much better month for the healthcare industry with fewer data breaches reported than in July. In August, 28 healthcare data breaches were reported to the HHS’ Office for Civil Rights, a 17.86% month-over-month reduction in data breaches. There was also a major reduction in the number of healthcare records that were exposed or stolen. In August, 623,688 healthcare records were exposed or stolen – A 267.56% reduction from August, when 2,292,522 healthcare records were breached. Causes of Healthcare Data Breaches in August 2018 Hacking incidents dominated the breach reports in August, accounting for 53.57% of all reported data breaches and 95.73% of all records exposed or disclosed in August. Eight of the top ten breaches were the result of hacks, malware, or ransomware attacks. Insider breaches are a major problem in the healthcare industry, more so than other verticals. In August there were nine insider breaches – 32.14% of the healthcare data breaches in August. Those breaches involved the unauthorized access or impermissible disclosure of 18,488 healthcare...

Read More
$999,000 in HIPAA Penalties for Three Hospitals for Boston Med HIPAA Violations
Sep20

$999,000 in HIPAA Penalties for Three Hospitals for Boston Med HIPAA Violations

Three hospitals that allowed an ABC film crew to record footage of patients as part of the Boston Med TV series have been fined $999,000 by the Department of Health and Human Services’ Office for Civil Rights (OCR) for violating Health Insurance Portability and Accountability Act (HIPAA) Rules. This is the second HIPAA violation case investigated by OCR related to the Boston Med TV series. On April 16, 2016, New York Presbyterian Hospital settled its HIPAA violation case with OCR for $2.2 million to resolve the impermissible disclosure of PHI to the ABC film crew during the recording of the series and for failing to obtain consent from patients. Fines for Boston Medical Center, Brigham and Women’s Hospital, & Massachusetts General Hospital Boston Medical Center (BMC) settled its HIPAA violations with OCR for $100,000. OCR investigators determined that BMC had impermissibly disclosed the PHI of patients to ABC employees during production and filming of the TV series, violating 45 C.F.R. § 164.502(a). Brigham and Women’s Hospital (BWH) settled its HIPAA violations...

Read More
Phishing Attack on Ohio Living Exposed PHI of 6,500 Individuals
Sep20

Phishing Attack on Ohio Living Exposed PHI of 6,500 Individuals

Ohio Living, a provider of life plan communities and home health services in Ohio, has discovered an unauthorized individual has gained access to the email accounts of some of its employees. Ohio Living detected suspicious activity related to an employee’s email account on July 10, 2018. An investigation was immediately launched, and a third-party computer forensics expert was hired to investigate the breach and determine how access to the account was gained. On July 19, 2018, Ohio Living was informed that several email accounts had been compromised on July 10 and that those accounts had been accessed by an unauthorized individual. It was not possible to determine whether any emails were opened or if any emails were downloaded by the attacker. A review of the compromised accounts revealed they contained the protected health information of 6,510 individuals. Upon discovery of the breach, passwords were reset on all accounts known to have been compromised and a full password reset was performed on all other employees’ email accounts. Ohio Living has also provided further training to...

Read More
Brooklyn Emergency Room Worker Accused of Stealing and Selling Patients’ PHI
Sep20

Brooklyn Emergency Room Worker Accused of Stealing and Selling Patients’ PHI

A former employee of the emergency department of Brooklyn’s Kings County Hospital is alleged to have stolen the protected health information of at least 100 individuals while working at the hospital and disclosed that information to another individual using an encrypted smartphone app. Orlando Jemmott, 52, was employed at the hospital for 12 years between March 2006 and April 2018 and was given access to patient health records in order to complete his work duties. Jemmott was required to enter patient information into the hospital’s system such as demographic data and information on patients’ symptoms and health complaints. In June 2017, the FBI received a tip that Jemmott was stealing patient information and selling the data to another individual. The woman claimed the information was being sent via the WhatsApp encrypted messaging app. The woman took Jemmott’s mobile phone from his house and handed it over to the FBI along with a photo from his WhatsApp profile. A warrant was then obtained by the FBI to search the phone. The search revealed hundreds of communications between...

Read More
Mailing Vendor Blamed for Blue Cross and Blue Shield of Rhode Island Privacy Breach
Sep19

Mailing Vendor Blamed for Blue Cross and Blue Shield of Rhode Island Privacy Breach

Blue Cross and Blue Shield of Rhode Island (BCBSRI) is alerting 1,567 plan members that some of their protected health information has been impermissibly disclosed by one of its business associates. A BCBSRI vendor was contracted to send explanation of benefits statements to plan members which contain summaries of the healthcare services members have received under their health plan. However, an error was made which resulted in statements being sent to incorrect individuals. The explanation of benefits statements included members’ BCBSRI ID number, their service provider(s), the service(s) provided, and the cost of the claims. The impermissible disclosure of PHI was attributed to an error made by the vendor when combining the explanation of benefits statements for certain individuals who are covered under the same policy. Combining the statements was intended to reduce the number of summaries received by some members. The error resulted in some explanation of benefits statements being incorrectly combined in the mid-July mailings, which resulted in the summaries being sent to...

Read More
Independence Blue Cross Notifies 17,000 Members of Online Exposure of Their PHI
Sep18

Independence Blue Cross Notifies 17,000 Members of Online Exposure of Their PHI

Independence Blue Cross is notifying thousands of plan members that some of their protected health information has been exposed online and has potentially been accessed by unauthorized individuals. The Independence Blue Cross privacy office was informed about the exposed information on July 19 and immediately launched an investigation. A leading forensics investigation firm was hired to investigate the incident and establish whether any plan members’ information was accessed during the time it was exposed. Independence Blue Cross said an employee had uploaded a file containing plan members’ protected health information to a public facing website on April 23, 2018. The file remained accessible until July 20 when it was removed from the website. The information contained in the file was limited. No financial information or Social Security numbers were exposed. Affected plan members only had their name, diagnosis codes, provider information, date of birth, and information used for processing claims exposed. Despite a thorough investigation, it was not possible to determine whether any...

Read More
CMS: Fairview Southdale Hospital Videotaped Patients Without Knowledge or Consent
Sep17

CMS: Fairview Southdale Hospital Videotaped Patients Without Knowledge or Consent

The HHS’ Centers for Medicare and Medicaid Services (CMS) has investigated Fairview Southdale Hospital in Edina, MN over an alleged violation of patient privacy. The CMS confirmed that patients were videotaped during psychiatric evaluations in the emergency department without their knowledge or consent.  The hospital was cited for violating patient privacy. According to the Star Tribune, the CMS launched an investigation following a complaint from a patient who had been taken to the hospital for a psychiatric evaluation against her will in May 2017. The patient was escorted to the hospital as police officers were concerned about her state of mental health and feared she may cause harm to herself or others. After being released, the patient took legal action over her admission to the hospital and how she was treated by the police. As part of that lawsuit, the patient requested a copy of the security camera footage from the hospital. While the patient expected to receive a copy of the videotape from the front of the hospital showing her entering the facility, the videotape showed her...

Read More
Fetal Diagnostic Institute of the Pacific Experiences Ransomware Attack
Sep17

Fetal Diagnostic Institute of the Pacific Experiences Ransomware Attack

The Fetal Diagnostic Institute of the Pacific (FDIP) in Honolulu, HI, experienced a ransomware attack on June 30, 2018. File-encrypting software was installed on an FDIP server and encrypted a wide range of file types, including patient medical records. FDIP engaged the services of a leading cybersecurity company to conduct a full investigation into the breach to determine whether patient data was accessed by the attackers and also to assist with breach remediation. The investigation did not uncover any evidence to suggest that patients’ protected health information was accessed, viewed, or stolen by the individuals behind the attack, although it was not possible to rule out data access and data theft with a high level of confidence. Consequently, the incident is being treated as a HIPAA breach, patients are being notified, and the Department of Health and Human Services’ Office for Civil Rights (OCR) has been informed. An analysis of the files encrypted by the ransomware revealed they contained a range of protected health information. Patients affected by the security breach may...

Read More
Email Security Breaches Reported by Hopebridge (IN) and United Methodist Homes (NY)
Sep14

Email Security Breaches Reported by Hopebridge (IN) and United Methodist Homes (NY)

Hopebridge, an Indiana-based network of 28 autism treatment centers throughout the Midwest, has discovered it has been the victim of a phishing attack that has potentially resulted in an unauthorized individual gaining access to the protected health information (PHI) of its patients. A security breach was detected on July 19, 2018 prompting a thorough investigation. A leading third-party computer forensics firm was engaged to assess the nature and scope of the breach and all accounts and systems were immediately secured to lock out the attacker. The investigation revealed several employees had been fooled by phishing emails that had been sent between March and July 2018. Several email accounts were compromised as a result of employees’ responses to those emails. An analysis of the compromised email accounts revealed they contained a limited amount of patients’ PHI – Their names, the services they received from Hopebridge, and an inferred autism diagnosis. The results of the forensic investigation suggest that it was not the intention of the attacker to gain access to PHI, instead...

Read More
Texas Nurse Fired for Social Media HIPAA Violation
Sep13

Texas Nurse Fired for Social Media HIPAA Violation

A nurse at a Texas children’s hospital has been fired for violating Health Insurance Portability and Accountability Act (HIPAA) Rules by posting protected health information on a social media website. The pediatric ICU/ER nurse worked at Texas Children’s Hospital and posted a series of comments on Facebook about a rare case of measles at the hospital. The nurse was an anti-vaxxer and posted about the experience of seeing a boy at the hospital suffering from the disease – a disease that could have been prevented through vaccination. Her comments explained how the disease was much worse that she expected it to be, having not encountered anyone with the measles in the past.  She explained that it was a “rough” experience seeing the boy suffering from the disease. She also explained in one of her posts, “I think it’s easy for us non-vaxxers to make assumptions, but most of us have never and will never see one of these diseases,” according to the Houston Chronicle, which obtained screenshots of her Facebook posts. “By no means have I changed my vax stance, and I never will. But this...

Read More
Phishing Attack on Acadiana Computer Systems Exposed the PHI of 31,000 Individuals
Sep12

Phishing Attack on Acadiana Computer Systems Exposed the PHI of 31,000 Individuals

Acadiana Computer Services Inc., a Lafayette, LA-based provider of software and business solutions for the healthcare industry, has discovered an unauthorized individual has gained access to the email account of one of its employees. The security breach was detected on July 6, 2018 and external access to the account was immediately disabled. An independent cybersecurity expert was retained to conduct a forensic analysis of the breach and determine the nature and scope of the attack. An analysis of the emails in the compromised account revealed they contained the personal information of several of its clients’ patients. The information potentially accessed was limited to names, addresses, treatment information, billing information, and for a limited number of individuals, Social Security numbers. The breach report submitted to the Department of Health and Human Services’ Office for Civil Rights indicates 31,151 individuals have had their protected health information exposed as a result of the email account breach. Those individuals had previously received medical services from the...

Read More
Reliable Respiratory Phishing Attack Impacts 21,000 Patients
Sep10

Reliable Respiratory Phishing Attack Impacts 21,000 Patients

The Norwood, MA-based respiratory care provider Reliable Respiratory has experienced a phishing attack that has affected several thousand of its patients. A cyberattack was suspected on July 3, 2018, following the detection of unusual activity in an employee’s email account. An investigation was launched to determine the cause of that activity, which revealed the employee had been targeted with a phishing campaign. The response to a phishing email resulted in the disclosure of that individual’s login credentials. The unusual account activity was detected on July 3 and the account was immediately secured. Computer forensic specialists were retained to determine the nature and extent of the breach. The breach investigation confirmed that the account had been accessed by an unauthorized individual between June 28 and July 2. An analysis of the emails contained in the account showed a wide range of protected health information could potentially have been accessed by the attacker. Patients are now being notified of the breach by mail and have been advised to monitor their account...

Read More
Medical Records from New Mexico Hospital Found Scattered in Street
Sep07

Medical Records from New Mexico Hospital Found Scattered in Street

The New Mexico Department of Health is currently investigating how the private medical records of some of its patients came to fall from a truck during transportation from the hospital to a secure storage facility. The records came from Turquoise Lodge Hospital, a rehabilitation center run by the New Mexico Department of Health that specializes in the treatment of parents and pregnant women who are recovering from substance abuse. The hospital had arranged for patients’ medical records to be collected and transported to a new location for storage. The paperwork was collected from the hospital on Thursday August 30; however, during transit some of those records fell out of the delivery truck onto a busy Albuquerque street. KRQE News 13 sent reporters to the scene who discovered medical records strewn along Avenida Cesar Chavez at I-25. Some of the paperwork had been collected by members of the public. The paperwork contained highly sensitive personally identifiable information (PII) and protected health information (PHI), including patients’ names, their medical histories, billing...

Read More
NY Attorney General Fines Arc of Erie County $200,000 for Security Breach
Sep04

NY Attorney General Fines Arc of Erie County $200,000 for Security Breach

The Arc of Erie County has been fined $200,000 by the New York Attorney General for violating HIPAA Rules by failing to secure the electronic protected health information (ePHI) of its clients. In February 2018, The Arc of Erie County, a nonprofit social services agency and chapter of the The Arc Of New York, was notified by a member of the public that some of its clients’ sensitive personal information was accessible through its website. The information could also be found through search engines. The investigation into the security breach revealed sensitive information had been accessible online for two and a half years, from July 2015 to February 2018 when the error was corrected. The forensic investigation into the security incident revealed multiple individuals from outside the United States had accessed the information on several occasions. The webpage should only have been accessible internally by staff authorized to view ePHI and should have required a username and password to be entered before access to the data could be gained. In total, 3,751 clients in New York had...

Read More
Mailing Error Resulted in Impermissible Disclosure of 19,570 Missouri Care Members’ PHI
Aug30

Mailing Error Resulted in Impermissible Disclosure of 19,570 Missouri Care Members’ PHI

An error in a mailing to Missouri Care members reminding them to book well-child visits has resulted in the accidental disclosure of the personal information of almost 20,000 children to other Missouri Care members. The personal information detailed in the letters was limited to children’s names, ages, and the names of their provider’s. Health information and other sensitive data was not exposed, so the potential for the information to be misused is low. However, out of an abundance of caution, parents and legal guardians of affected children have been advised to monitor their credit card bills and account statements for any suspicious activity and told not to respond to any email requests asking for further personal information. Free credit monitoring services have been offered to all individuals affected by the breach. WellCare Health Plans Inc., discovered the error on July 25, 2018 and launched an investigation to determine how the error occurred and the individuals that were impacted. The mailing had been sent to 19,570 individuals, although it is unclear how many of those...

Read More
1,790 Patients Impacted by Phishing Attack on Los Angeles Drug and Alcohol Treatment Center
Aug29

1,790 Patients Impacted by Phishing Attack on Los Angeles Drug and Alcohol Treatment Center

The West Los Angeles-based drug and alcohol treatment center, Authentic Recovery Center, is alerting 1,790 individuals that some of their personally identifiable information (PII) and protected health information (PHI) has potentially been obtained by an unauthorized individual as a result of a phishing attack. The phishing attack was discovered on June 21, 2018 prompting a full investigation. The investigation confirmed that the breach was limited to a single email account. All other email accounts and systems remained secure at all times. Access was first gained the email account on June 7, 2018 and continued until the breach was detected on June 21 and the account was secured. An email-by-email analysis of the compromised account revealed it contained the PII and PHI of clients and employees. Employee information accessible through the account was limited to name and driver’s license number, with the exception of two individuals who also had their address, contact telephone number, date of birth, and Social Security number exposed. Clients impacted by the incident had their name...

Read More
July 2018 Healthcare Data Breach Report
Aug24

July 2018 Healthcare Data Breach Report

July 2018 was the worst month of 2018 for healthcare data breaches by a considerable distance. There were 33 breaches reported in July – the same number of breaches as in June – although 543.6% more records were exposed in July than the previous month. The breaches reported in July 2018 impacted 2,292,552 patients and health plan members, which is 202,859 more records than were exposed in April, May, and June combined. A Bad Year for Patient Privacy So far in 2018 there have been 221 data breaches of more than 500 records reported to the Department of Health and Human Services’ Office for Civil Rights. Those breaches have resulted in the protected health information of 6,112,867 individuals being exposed, stolen, or impermissibly disclosed. To put that figure into perspective, it is 974,688 more records than were exposed in healthcare data breaches in all of 2017 and there are still five months left of 2018. Largest Healthcare Data Breaches of 2018 (Jan-July) Entity Name Entity Type Records Exposed Breach Type UnityPoint Health Business Associate 1,421,107 Hacking/IT Incident CA...

Read More
Central Colorado Dermatology Ransomware Attack Potentially Resulted in PHI Access
Aug21

Central Colorado Dermatology Ransomware Attack Potentially Resulted in PHI Access

Central Colorado Dermatology (CCD) has notified more than 4,000 patients that some of their protected health information (PHI) has potentially been accessed by hackers during a ransomware attack on its computer network. An unauthorized individual gained access to CCD’s computer network and deployed ransomware on a server. Medical records and patients’ medical charts were not accessed, although certain files and scanned fax communications were encrypted. Some of those files contained PHI. An investigation was launched to determine whether protected health information was accessed or stolen although it was not possible to determine with a high degree of certainty whether any PHI was viewed or copied. CCD did not uncover any evidence to suggest that PHI had been accessed or stolen, although some of the software that had been installed on its network could have allowed files to be downloaded. The files that could have been accessed including the following information: Names, addresses, contact telephone numbers, dates of birth, email addresses, Insurance information, Social Security...

Read More
Phishing Attack on Legacy Health Results In Exposure of 38,000 Patients’ PHI
Aug21

Phishing Attack on Legacy Health Results In Exposure of 38,000 Patients’ PHI

Legacy Health has discovered an unauthorized individual has gained access to its email system and the protected health information (PHI) of approximately 38,000 patients. The Portland, OR-based health system operates two regional hospitals, four community hospitals, and 70 clinics in Oregon, Southwest Washington, and the and the Mid-Willamette Valley and is the second largest health system in the Portland Metro Area. The data breach was discovered on June 21, 2018, although the email accounts were first accessed by an unauthorized individual in May. Legacy Health determined that access was gained to the email accounts as a result of employees being duped by phishing emails. Email breaches can take a considerable amount of time to investigate. While tools are available to scan email accounts for protected health information, many of the emails in compromised accounts need to be individually checked, which can involve manual checks of hundreds of thousands of messages.  According to Legacy Health Spokesperson Kelly Love, “We’ve been moving at as fast a pace as we can to...

Read More
9,350 Patients of Gordon Schanzlin New Vision Institute Notified of Data Breach
Aug20

9,350 Patients of Gordon Schanzlin New Vision Institute Notified of Data Breach

The Gordon Schanzlin New Vision Institute in La Jolla, CA, is alerting thousands of patients that their medical records may have been stolen after files containing protected health information were discovered in the possession of an individual unauthorized to hold the information. The data breach came to light following an investigation conducted by the U.S. Postal Inspection Service. A raid was conducted on a property in Southern California and a box of medical records was discovered in the property. The files contained information such as names, dates of service, addresses, health insurance information, Social Security numbers, and health and clinical information. Gordon Schanzlin was notified of the discovery on June 15, 2018, and an internal investigation was immediately launched to determine the nature and scope of the breach and how the medical records had been stolen. While it could not be confirmed with 100% certainty, Gordon Schanzlin believes the medical records were part of a batch of files that were stolen from a storage unit that was broken into in October 2017. The...

Read More
Court Approves Anthem $115 Million Data Breach Settlement
Aug20

Court Approves Anthem $115 Million Data Breach Settlement

The $115 million settlement proposed by Anthem Inc., in 2017 to resolve the class action lawsuits filed by victims of its 78.8 million-record data breach in 2015 received final approval on Thursday, August 16. The Anthem cyberattack resulted in plan members’ names, dates of birth, health insurance information, Social Security numbers and other data elements stolen by cybercriminals. Several class-action lawsuits were filed in the wake of the breach, which were consolidated into a single lawsuit by the Judicial Panel for Multidistrict Litigation in June 2015. The case was assigned to the U.S District Court for the Northern District of California, where a large proportion of the class members reside. While 78.8 million individuals had protected health information (PHI) exposed when Anthem’s network was hacked, there are only 19.1 million members of the class action lawsuit, all of whom were able to demonstrate that their personal information was stored in the data center that was attacked by hackers. Following the data breach, Anthem offered breach victims 24 months of credit...

Read More
InterAct of Michigan Discovers Email Account Compromise
Aug17

InterAct of Michigan Discovers Email Account Compromise

InterAct of Michigan, a provider of mental health and substance abuse treatments through clinics in Kalamazoo and Grand Rapids, has discovered an unauthorized individual has gained access to the email account of an employee and potentially viewed and copied the protected health information of 1,290 patients. The attack was discovered on June 8, 2018 prompting a thorough investigation to determine the nature and scope of the breach. Immediate action was taken to terminate access to the compromised account and an internal investigation was launched. A leading computer forensics company was retained to provide assistance with the investigation. On July 30, 2018, InterAct of Michigan determined that the protected health information of certain patients had potentially been accessed. The information was present in emails and email attachments in the compromised account. The exposed PHI included clients’ names and Social Security numbers. For some patients, date of birth, prescription details, and treatment history may also have been accessed. Due to the sensitive nature of the...

Read More
258,000 Wisconsin Residents Notified of Adams County Government Data Breach
Aug17

258,000 Wisconsin Residents Notified of Adams County Government Data Breach

More than 258,000 people have had their personal health information, personal identification information and/or tax information exposed as a result of a data security incident in Adams County, Wisconsin. A potential security breach was detected on March 28, 2018 after questionable activity was identified on the Adams County computer system and network. An investigation was launched to determine whether any sensitive data had been accessed and on June 29, a data breach was confirmed to have occurred. Some evidence has been found that suggests PHI and PII has been accessed and potentially obtained by an unauthorized individual. 258,102 individuals have potentially been affected. The exposed data was collected between January 1, 2013 and March 28, 2018 and were stored on the systems used by the departments of Health and Human Services, Child Support, Veteran Service Office, Extension Office, Adams County Employees, Solid Waste, and the Sheriff’s Office. A criminal investigation has been launched into the breach and the suspect(s) have been prevented from accessing the entire...

Read More
417,000 Individuals Affected by Augusta University Health Phishing Attack
Aug17

417,000 Individuals Affected by Augusta University Health Phishing Attack

A serious data breach has been reported by Augusta University Health that has impacted an estimated 417,000 individuals including patients, faculty members and a limited number of students. Most of the patients affected by the breach had previously received medical services at Augusta University Medical Center or Children’s Hospital of Georgia, although patients from over 80 outpatient clinics in Georgia have also been affected and had their personally identifiable information (PII) and protected health information (PHI) exposed. A wide range of PII and PHI was exposed, including names, addresses, dates of birth, lab test results, diagnoses, medications, treatment information, dates of service, medical record numbers, surgical information, and health insurance details. Augusta University Health said only a small percentage of individuals had a driver’s license number or Social Security number exposed. The PII and PHI were saved in emails and email attachments. Augusta University Health said a data security incident was discovered on September 11, 2017 following a phishing attack on...

Read More
Lawmakers Accuse Oklahoma Department of Veteran Affairs of Violating HIPAA Rules
Aug13

Lawmakers Accuse Oklahoma Department of Veteran Affairs of Violating HIPAA Rules

The Oklahoma Department of Veteran Affairs has been accused of violating Health Insurance Portability and Accountability Act (HIPAA) Rules by three Democrat lawmakers, who have also called for two top Oklahoma VA officials to be fired over the incident. The alleged HIPAA violation occurred during a scheduled internet outage, during which VA medical aides were prevented from gaining access to veterans’ medical records. The outage had potential to cause major disruption and prevent “hundreds” of veterans from being issued with their medications. To avoid this, the Oklahoma Department of Veteran Affairs allowed medical aides to access electronic medical records using their personal smartphones. In a letter to Oklahoma Governor Mary Fallin, Reps. Brian Renegar, Chuck Hoskin, and David Perryman called for the VA Executive Director Doug Elliot and the clinical compliance director Tina Williams to be fired over the alleged HIPAA violation. They claimed Elliot and Williams “have little regard for, and knowledge of, health care,” and allowing medical aides to access electronic medical...

Read More
MedSpring Urgent Care Breach Impacts 13,034 Patients
Aug10

MedSpring Urgent Care Breach Impacts 13,034 Patients

MedSpring Urgent Care, a network of urgent care clinics in Atlanta, Chicago, Austin, Dallas, Fort Worth, and Houston, has discovered an unauthorized individual has gained access to an email account as a result of an employee being duped by a phishing email. The email account was compromised on May 8, 2018 but the security breach was not detected until May 17. Upon discovery of the breach, the email account was secured to prevent further unauthorized access and a leading cybersecurity forensics firm was contracted to conduct an investigation into the breach and assist with the breach response. MedSpring discovered on May 22, 2018 that the attacker potentially gained access to the protected health information of patients through the emails and email attachments. The breach was limited to a single email account and no other systems were compromised. A full review of all messages in the account was conducted to determine which patients had been affected and the types of information that had been exposed. MedSpring says the breach was limited to patients who had previously visited its...

Read More
At Least 3.14 Million Healthcare Records Were Exposed in Q2, 2018
Aug09

At Least 3.14 Million Healthcare Records Were Exposed in Q2, 2018

In total, there were 143 data breaches reported to the media or the Department of Health and Human Services’ Office for Civil Rights (OCR) in Q2, 2018 and the healthcare records of at least 3,143,642 patients were exposed, impermissibly disclosed, or stolen. Almost three times as many healthcare records were exposed or stolen in Q2, 2018 as Q1, 2018. The figures come from the Q2 2018 Breach Barometer Report from Protenus. The data for the report came from OCR data breach reports, data collected and collated by Databreaches.net, and proprietary data collected through the Protenus compliance and analytics platform, which monitors the tens of trillions of EHR access attempts by its healthcare clients. Q2 2018 Healthcare Data Breaches Month Data Breaches Records Exposed April 45 919,395 May 50 1,870,699 June 47 353,548   Q2, 2018 saw five of the top six breaches of 2018 reported. The largest breach reported – and largest breach of 2018 to date – was the 582,174-record breach at the California Department of Developmental Services – a burglary. It is unclear if any healthcare...

Read More
The Cost of SamSam Ransomware Attacks: $17 Million for the City of Atlanta
Aug09

The Cost of SamSam Ransomware Attacks: $17 Million for the City of Atlanta

The SamSam ransomware attack on the City of Atlanta was initially expected to cost around $6 million to resolve: Substantially more than the $51,000 ransom demand that was issued. However, city officials now believe the final cost could be around $11 million higher, according to a “confidential and privileged” document obtained by The Atlanta Journal-Constitution. The attack has prompted a complete overhaul of the city’s software and systems, including system upgrades, new software, and the purchasing of new security services, computers, tablets, laptops, and mobile phones. The Colorado Department of Transportation was also attacked with SamSam ransomware this year and was issued with a similar ransom demand. As with the City of Atlanta, the ransom was not paid. In its case, the cleanup is expected to cost around $2 million. When faced with extensive disruption and a massive clean up bill it is no surprise that many victims choose to pay the ransom. Now new figures have been released that confirm just how many victims have paid to recover their files and regain control of their...

Read More
Protected Health Information of Three Hundred Thousand SSM Health Patients Exposed
Aug08

Protected Health Information of Three Hundred Thousand SSM Health Patients Exposed

SSM Health St. Mary’s Hospital in Jefferson City, Missouri is informing hundreds of thousands of patients that some of their protected health information has been left unprotected and could potentially have been viewed by unauthorized individuals. On November 16, 2014, St. Mary’s Hospital moved to new premises and all patients’ medical records were transferred to the new facility and were secured at all times. However, on June 1, 2018, the hospital discovered many documents containing protected health information had been left behind. The documents were mostly administrative and operational supporting documents and contained only a limited amount of protected health information. For the majority of patients, the only information that was exposed was their name and medical record number. Some patients also had some clinical data, demographic information, and financial information exposed. Due to the number of documents involved, the hospital has retained a document services firm to catalogue all the documents and determine which patients have had some of their PHI exposed. It has...

Read More
Hacktivist Convicted for DDoS Attack on Children’s Mercy Hospital
Aug07

Hacktivist Convicted for DDoS Attack on Children’s Mercy Hospital

A hacktivist who conducted a Distributed Denial of Service (DDoS) attack on Boston’s Children’s Mercy Hospital in 2014 has been convicted on two counts – conspiracy to intentionally damage protected computers and damaging protected computers – by a jury in the U.S. District Court in Boston. Martin Gottesfeld, 32, of Somerville, MA, conducted the DDoS attacks in March and April of 2014. He first conducted a DDoS attack on Wayside Youth and Family Support Network in Framingham, MA. The attack crippled its systems and took them out of action for more than a week. The attack cost the healthcare facility $18,000 to resolve. Following that attack, Gottesfeld conducted a much larger attack on Boston Children’s Hospital using 40,000 malware-infected network routers that he controlled from his home computer. The attack was planned for a week and occurred on April 19, 2014. Such was the scale of the attack that the hospital and several others in the Longwood medical area were knocked off the internet. 65,000 IP addresses used by the hospital and other healthcare facilities in the area were...

Read More
Phishing Attack, Lost Devices, and System Error Exposed PHI of 9,400 Patients
Aug03

Phishing Attack, Lost Devices, and System Error Exposed PHI of 9,400 Patients

A round up of data breaches recently disclosed to the media and the Department of Health and Human Services’ Office for Civil Rights System Error Exposed Data at Pennsylvania Department of Human Services Pennsylvania Department of Human Services has discovered a system error in its Compass system allowed certain individuals to view the protected health information of others who, at some point, were part of the same benefit household but are now part of a different active case record. The types of information that could have been viewed included names, citizenship, date of birth, and all information reported about employment, although not Social Security numbers. No reports have been received to date to suggest any of the information was accessed and misused. The system glitch was detected on May 23, 2018 and has now been corrected. All 2,130 individuals potentially impacted have been notified of the breach by mail. Lost Laptop Exposes PHI of Ambercare Patients The Ambercare Corporation, a provider of hospice and home care services in New Mexico, has announced that an unencrypted...

Read More
Email Account Compromises Continue Relentless Rise
Aug02

Email Account Compromises Continue Relentless Rise

There has been a steady rise in the number of reported email data breaches over the past year. According to the July edition of the Beazley Breach Insights Report, email compromises accounted for 23% of all breaches reported to Beazley Breach Response (BBR) Services in Q2, 2018. In Q2, 2018 there were 184 reported cases of email compromises, an increase from the 173 in Q1, 2018 and 120 in Q4, 2017. There were 45 such breaches in Q1, 2017, and each quarter has seen the number of email compromise breaches increase. In Q2, 2018, the email account compromises were broadly distributed across a range of industry sectors, although the healthcare industry experienced more than its fair share. Healthcare email accounts often contain a treasure trove of sensitive data that can be used for identity theft, medical identity theft, and other types of fraud. The accounts can contain the protected health information of thousands of patients. The recently discovered phishing attack on Boys Town National Research Hospital resulted in the attackers gaining access to the PHI of more than 105,000...

Read More
Orlando Orthopaedic Center Suffers 19,000-Record Breach Due to Business Associate Error
Aug01

Orlando Orthopaedic Center Suffers 19,000-Record Breach Due to Business Associate Error

An error made by a transcription service provider during a software upgrade on a server has resulted in the exposure of more than 19,000 patients’ protected health information (PHI). Patients affected by the breach had received medical services at Orlando Orthopaedic Center clinics in Orlando, Florida prior to January 2018. The software upgrade took place in December 2017 and throughout the month, PHI stored on the server became accessible over the Internet without any need for authentication. Orlando Orthopaedic Center only became aware of the exposure of patients’ PHI in February 2018. The discovery of the breach prompted a full investigation, which revealed names, dates of birth, insurance information, employer details, and treatment types were accessible. A limited number of patients also had their Social Security numbers exposed. It is unclear whether any PHI was accessed by unauthorized individuals during the time that the protections were removed. Orlando Orthopaedic Center said it has not received any reports from patients that indicate PHI has been misused and no evidence...

Read More
1.4 Million Patients Warned About UnityPoint Health Phishing Attack
Jul31

1.4 Million Patients Warned About UnityPoint Health Phishing Attack

A massive UnityPoint Health phishing attack has been reported, one in which the protected health information of 1.4 million patients has potentially been obtained by hackers. This phishing incident is the largest healthcare data breach of 2018 by some distance, involving more than twice the number of healthcare records as the California Department of Developmental Services data breach reported in April and the LifeBridge Health breach reported in May. This is also the largest phishing incident to be reported by a healthcare provider since the HHS’ Office for Civil Rights (OCR) started publishing data breaches in 2009 and the largest healthcare breach since the 3,466,120-record breach reported by Newkirk Products, Inc., in August 2016. Email Impersonation Attack Fools Several Employees into Disclosing Login Credentials The UnityPoint Health phishing attack was detected on May 31, 2018. The forensic investigation revealed multiple email accounts had been compromised between March 14 and April 3, 2018 as a result of employees being fooled by email impersonation scams. Business email...

Read More
Confluence Health Informs Patients of Phishing Incident
Jul30

Confluence Health Informs Patients of Phishing Incident

Confluence Health, a not-for-profit health system that operates Central Washington Hospital, Wenatchee Valley Hospital and a dozen satellite clinics in Central and North Central Washington, has experienced a data security incident involving an employee’s email account that may have resulted in unauthorized accessing of patients’ protected health information. The security breach was discovered on May 29, 2018. A digital forensics firm was called in to conduct an investigation, which revealed the email account had been accessed by an unauthorized individual on May 28 and May 30, 2018. The email account only contained a limited amount of protected health information and no highly sensitive data such as Social Security numbers or financial information was exposed. Patients impacted by the incident have had information such as their names and treatment information exposed. Confluence Health had multiple security solutions in place to prevent unauthorized account access and staff had received security awareness training, yet those measures were bypassed by the attacker. While PHI access...

Read More
Lane County Health and Human Services and New England Dermatology Alert Patients to PHI Exposure
Jul27

Lane County Health and Human Services and New England Dermatology Alert Patients to PHI Exposure

The medical records of more than 17,000 patients have been exposed in two recent incidents in Oregon and Massachusetts. Lane County Health and Human Services Alerts Patients to Loss of PHI Lane County Health and Human Services in Oregon is notifying more than 700 patients that some of their protected health information has been lost and has potentially been destroyed. 49 boxes containing patient files were moved to a temporary storage facility while the Charnelton Clinic in Eugene was being renovated. During a routine search, the boxes of files were discovered to be missing from the storage facility on June 19. Multiple teams conducted further searches for the missing boxes but they could not be located. Lane County Health and Human Services suspects the boxes of files have been destroyed along with other paperwork as part of its normal document management practice for non-medical records. However, it has not been possible to confirm whether that was definitely the case. The files contained information such as patients’ full names, addresses, telephone numbers, medical histories...

Read More
Flowers Hospital Proposes $150,000 Settlement for 2014 Data Breach
Jul26

Flowers Hospital Proposes $150,000 Settlement for 2014 Data Breach

A class action lawsuit filed in the wake of an employee-related data breach at Flowers Hospital in Dothan, Alabama in 2014 is heading towards being settled. The settlement has yet to receive final court approval, although approval seems likely and a resolution to this four-year legal battle is now in sight. In contrast to most class action lawsuits filed over the exposure/theft of PHI, this case involved the theft of data by an insider rather than a hacker. Further, the former employee used PHI for identity theft and fraud and was convicted of those crimes. The breach in question involved a former lab technician, Kamarian D. Millender, who was found in possession of paper records containing patients protected health information. Millender admitted to using the information for identity theft and for filing false tax returns in victims’ names. In December 2014, Millender was sentenced to serve two years in jail. In the class action lawsuit, filed the same year, it was claimed that between June 2013 and December 2014, paper records were left unprotected and unguarded at the hospital...

Read More
Blue Springs Family Care Ransomware Attack Impacts 45,000 Patients
Jul25

Blue Springs Family Care Ransomware Attack Impacts 45,000 Patients

Blue Springs Family Care in Missouri has experienced a ransomware attack that has resulted in the encryption of sensitive data. The attack was detected by the healthcare provider’s computer vendor on May 12, 2018.  An investigation was launched the same day by the computer vendor with assistance provided by a contracted third-party computer forensics firm. In contrast to many ransomware attacks which involve a single ransomware variant being downloaded and blind file encryption, the attacker managed to gain access to Blue Springs Family Care systems and installed a variety of malicious software programs in addition to the ransomware. Those malware programs would have given the attacker full access to all Blue Springs Family Care computer systems, including access to all patients protected health information. At the time of issuing notifications to patients, Blue Springs Family Care had not received any reports to suggest that any PHI was stolen and misused by the attacker. However, data access and data theft could not be ruled out. The types of information potentially accessed...

Read More
Boys Town National Research Hospital and NorthStar Anesthesia Discover PHI Compromised in Phishing Attacks
Jul24

Boys Town National Research Hospital and NorthStar Anesthesia Discover PHI Compromised in Phishing Attacks

The phishing attacks on healthcare organizations continue… The past few days have seen two further healthcare organizations announce that email accounts were breached when employees responded to phishing emails. Email Account Compromised at Boys Town National Research Hospital Boys Town National Research Hospital (Boys Town), an Omaha, NE hospital specializing in pediatric deafness, visual and communication disorders, has announced that a recent phishing campaign has resulted in the email account of an employee being accessed by an unauthorized individual. The email account contained the protected health information of 105,309 patients Boys Town first became aware of a security breach on May 23, 2018 when unusual email account activity was detected. Computer forensics experts were called in to investigate and a breach was confirmed to have occurred on May 23. Boys Town painstakingly examined the account email-by-email to determine which patients potentially had their PHI exposed and the amount of PHI that was potentially compromised. The breach was confirmed as being confined to a...

Read More
Golden Heart Administrative Professionals Ransomware Attack Impacts 44,600 Patients
Jul20

Golden Heart Administrative Professionals Ransomware Attack Impacts 44,600 Patients

Golden Heart Administrative Professionals, a Fairbanks, AK-based billing company and business associate of several healthcare providers in Alaska, is notifying 44,600 individuals that some of their protected health information has potentially been accessed by unauthorized individuals as a result of a recent ransomware attack. The ransomware was downloaded to a server containing the PHI of patients. According to a press release issued by the company, “All client patient information must assume to be compromised.” Local and federal law enforcement agencies have been notified about the cyberattack and efforts are continuing to recover files. The Golden Heart Administrative Professionals ransomware attack is the largest data breach reported by a healthcare organization in July, and the second major data breach to be reported by an Alaska-based healthcare organization in July. In early July, the Alaska Department of Health and Social Services announced that it had suffered a data breach as a result of a malware infection. The Zeus/Zbot Trojan – an information stealer – had...

Read More
New York Physician Notifies Patients of Exposure of their PHI
Jul19

New York Physician Notifies Patients of Exposure of their PHI

A New York physician has started notifying patients that their protected health information has been exposed and has been potentially accessed unauthorized individuals. Ruben U. Carvajal, MD was alerted to a possible privacy breach on January 3, 2018 and was informed that some of his patients’ health information was accessible over the Internet. An investigation into the possible privacy breach was launched and the matter was reported to the New York Police Department and the Federal Bureau of Investigation (FBI). FBI investigators visited his office and examined his computer. On February 18, 2018, the FBI confirmed that the EMR program on his computer had been accessed by an unauthorized individual. A forensic investigator was called in to conduct a thorough investigation to determine the nature and scope of the breach. On May 22, 2018 the forensic investigator determined that the physician’s computer had been accessed by an unauthorized individual between December 16, 2017 and January 3, 2018. Any individual that gained access to the physicians’ computer could have gained access...

Read More
Investigation Launched Over Snapchat Photo Sharing at M.M. Ewing Continuing Care Center
Jul19

Investigation Launched Over Snapchat Photo Sharing at M.M. Ewing Continuing Care Center

Certain employees of a Canandaigua, NY nursing home have been using their smartphones to take photographs and videos of at least one resident and have shared those images and videos with others on Snapchat – a violation of HIPAA and serious violation of patient privacy. The privacy breaches occurred at Thompson Health’s M.M. Ewing Continuing Care Center and involved multiple employees. Thompson Health has already taken action and has fired several workers over the violations. Now the New York Department of Health and the state attorney general’s office have got involved and are conducting investigations. The state attorney general’s Deputy Press Secretary, Rachel Shippee confirmed to the Daily Messenger that an investigation has been launched, confirming “The Medicaid Fraud Control Unit’s mission includes the protection of nursing home residents from abuse, neglect and mistreatment, including acts that violate a resident’s rights to dignity and privacy.” Thompson Health does not believe the images/videos were shared publicly and sharing was restricted to a group of employees at the...

Read More
June 2018 Healthcare Breach Report
Jul18

June 2018 Healthcare Breach Report

There was a 13.8% month-over-month increase in healthcare data breaches in June 2018. Data breaches were up, but the breaches were far less severe in June, with 42.48% fewer healthcare records exposed or stolen than in May. In June there were 33 healthcare data breaches reported to the Department of Health and Human Services’ Office for Civil Rights and those breaches saw 356,232 healthcare records exposed or stolen – the lowest number of records exposed in healthcare data breaches since March 2018. Healthcare Data Breaches (January-June 2018) Healthcare Records Exposed (January-June 2018) Causes of Healthcare Data Breaches (June 2018) Unauthorized access/disclosure incidents were the biggest problem area in June, followed by hacking IT incidents. As was the case in May, there were 15 unauthorized access/disclosure breaches and 12 hacking/IT incidents. The remaining six breaches involved the theft of electronic devices (4 incidents) and paper records (2 incidents). There were no reported losses of devices or paperwork and no improper disposal incidents. Healthcare Records Exposed...

Read More
Several Email Accounts Compromised in Sunspire Health and UPMC Cole Phishing Attacks
Jul18

Several Email Accounts Compromised in Sunspire Health and UPMC Cole Phishing Attacks

Two more healthcare organizations have reported phishing attacks that have resulted in cybercriminals gaining access to the protected health information of patients, both of which saw the attackers gain access to multiple email accounts. Sunspire Health, which runs a national network of addition treatment facilities, saw several email accounts compromised as a result of a phishing campaign targeting its employees. The attacks were discovered between April 10, 2018 and May 17, 2018. Forensic investigators were called in to determine the nature and scope of the incidents. The investigation revealed the first email account was compromised on March 1, 2018, with further accounts compromised and accessed by unauthorized individuals up until May 4. No patients have reported misuse of protected health information to Sunspire Health to date, and no evidence was found to suggest the email accounts had been misused, although it is possible that protected health information in the compromised email accounts was accessed and may have been downloaded by the attacker(s). The types of information...

Read More
LabCorp Cyberattack Forces Shutdown of Systems: Investigators Currently Determining Scale of Breach
Jul17

LabCorp Cyberattack Forces Shutdown of Systems: Investigators Currently Determining Scale of Breach

LabCorp, one of the largest clinical laboratories in the United States, has experienced a cyberattack that has potentially resulted in hackers gaining access to patients’ sensitive information; however, data theft appears unlikely as the cyberattack has now been confirmed as being a ransomware attack. It has been suggested that variant of SamSam ransomware was used in the brute force RDP attack, although this has not been confirmed by LabCorp. The Burlington, NC-based company runs 36 primary testing laboratories throughout the United States and the Los Angeles National Genetics Institute. The company performs standard blood and urine tests, HIV tests and specialty diagnostic testing services and holds vast quantities of highly sensitive data. The cyberattack occurred over the weekend of July 14, 2018 when suspicious system activity was identified by LabCorp’s intrusion detection system within 50 minutes of the attack commencing. Prompt action was taken to terminate access to its servers and systems were taken offline to contain the attack. With its systems offline, this naturally...

Read More
Two Employees of the Alive Hospice in Tennessee Fooled by Phishing Scam
Jul16

Two Employees of the Alive Hospice in Tennessee Fooled by Phishing Scam

The email accounts of two employees of the Alive Hospice in Tennessee have been compromised as a result of the employees falling for phishing scams. The email account breaches were identified during a review of the email system on May 15, 2018. During the review, ongoing unauthorized access to the email accounts was detected. Alive Hospice immediately took steps to block third-party access by performing a password reset, and third-party forensics investigators were called in to determine the nature and scope of the breach. The investigation revealed the first email account was compromised on or around December 20, 2017, with the second account compromised on or around April 5, 2018. An analysis of both email accounts revealed they contained the protected health information of patients, which may have been accessed by the person(s) responsible for the attacks. The types of information that may have been accessed varied for each patient and included names, dates of birth, Social Security numbers, driver’s license numbers, passport numbers, financial account numbers, copies of...

Read More
Email Account of Billings Clinic Worker Hacked During Overseas Trip
Jul16

Email Account of Billings Clinic Worker Hacked During Overseas Trip

The email account of an employee of Billings Clinic in Billings, MT, that contained the protected health information of 8,435 patients, has been compromised. The breach was detected by the clinic’s cybersecurity systems on May 14, 2018, with unusual activity triggering an alert. Rapid action was taken to secure the account, although it is possible that the PHI of patients could have been viewed or copied. The information in the account was limited. No financial information was exposed, access to medical records was not gained, and no Social Security numbers were stored in the account. Data in the account had been used for scheduling purposes and related to patients who received medical services between 2008 and 2011. The breach was limited to names, dates of birth, contact information, diagnoses, descriptions of medical services provided, medical record numbers, and internal financial control numbers. The investigation confirmed that the breach was limited to a single email account. While data breaches such as this can easily be caused as a result of employees responding to...

Read More
Children’s Mercy Hospital Sued for 63,000-Record Data Breach
Jul13

Children’s Mercy Hospital Sued for 63,000-Record Data Breach

Legal action has been taken over a phishing attack on Children’s Mercy that resulted in the theft of 63,049 patients’ protected health information. In total, five email accounts were compromised between December 2017 and January 2018. On December, 2, 2017  two email accounts were discovered to have been accessed by an unauthorized individual as a result of employees responding to phishing emails. Links in the emails directed the employees to a website where they were fooled into disclosing their email account credentials. Two weeks later, two more email accounts were compromised in a similar attack, with a fifth and final account compromised in early January. The mailbox accounts of four of those compromised email accounts were downloaded by the attacker, resulting in the unauthorized disclosure of patients’ protected health information. Patients were notified of the breach via a substitute breach notice on the Children’s Mercy website and notification letters were sent by mail. Due to the number of people impacted, the letters were sent out in batches. According to a recent...

Read More
UMC Physicians Discovers Hacker Accessed PHI of Up to 18,000 Patients
Jul13

UMC Physicians Discovers Hacker Accessed PHI of Up to 18,000 Patients

A summary of hacking incidents and employee data breaches recently discovered by healthcare organizations. Hacked Email Account Contained PHI of 18,000 UMC Physicians’ Patients UMC Physicians in Texas is notifying approximately 18,000 patients that some of their protected health information has been exposed as a result of the hacking of a physicians’ email account. The breach occurred on March 15, 2018, although it was not discovered by the UMC Physicians’ IT team until May 18, giving the hacker two months to access the data stored in the account. While the investigation did not uncover any evidence of actual or attempted misuse of PHI, it was not possible to determine with a high degree of certainty that PHI had not been compromised. Consequently, all patients whose PHI was potentially accessed have been offered complimentary credit monitoring and identity theft protection services for 12 months. An analysis of the email account revealed the following information was potentially viewed/obtained by the hacker: Patients’ full names, addresses, phone numbers, medical record numbers,...

Read More
Health Information of Thousands of HIV Patients Exposed by Employee Error
Jul12

Health Information of Thousands of HIV Patients Exposed by Employee Error

An error by an employee of Metro Health has resulted in the exposure of highly sensitive information of patients diagnosed with HIV or AIDS, according to a recent report in the Tennessean. The information was stored in a database which had been copied by the employee onto a server that was accessible by all employees in the Nashville Metro Public Health Department, even though the vast majority of those individuals were not authorized to access the information. The database was only supposed to be accessed by three government scientists. The database was present on the server for nine months before the file was found by an employee and Metro Health officials were notified. During the time that the file was on the server, more than 500 employees could potentially have accessed the database. The database contained information such as names, addresses, lab test results, HIV diagnoses, drug usage, sexual orientation, birth dates, and Social Security numbers. The data came from the Enhanced HIV/AIDS Reporting System – a national database that includes details of patients with HIV and...

Read More
Healthcare Data Breach Costs Highest of Any Industry at $408 Per Record
Jul12

Healthcare Data Breach Costs Highest of Any Industry at $408 Per Record

A recent study conducted by the Ponemon Institute on behalf of IBM Security has revealed the hidden cost of data breaches, and for the first time, the cost of mitigating 1 million-record+ data breaches. The study provides insights into the costs of resolving data breaches and the full financial impact on organizations’ bottom lines. For the global study, 477 organizations were recruited and more than 2,200 individuals were interviewed and asked about the data breaches experienced at their organizations and the associated costs. The breach costs were calculated using the activity-based costing (ABC) methodology. The average number of records exposed or stolen in the breaches assessed in the study was 24,615 and 31,465 in the United States. Last year, the Annual Cost of a Data Breach Study by the Ponemon Institute/IBM Security revealed the cost of breaches had fallen year over year to $3.62 million. The 2018 study, conducted between February 2017 and April 2018, showed data breach costs have risen once again. The average cost of a data breach is now $3.86 million – An annual increase...

Read More
MedEvolve Notifies Patients of PHI Exposure Through Unsecured FTP Server
Jul11

MedEvolve Notifies Patients of PHI Exposure Through Unsecured FTP Server

MedEvolve, a provider of electronic billing and record services to healthcare providers, has announced that an FTP server used by the firm had been left unsecured between March 29, 2018 and May 4, 2018. The FTP server contained a file that included the protected health information of patients. On March 29, the day that the protection was removed, the file was accessed by an unauthorized individual. MedEvolve discovered the breach on May 11, 2018. According to the breach notice submitted to the California Attorney General, the file contained the data of patients of Premier Immediate Medical Care. MedEvolve did not mention in the breach notice how many patients had been affected and the incident has yet to appear of the Department of Health and Human Services’ Breach Portal. However, in May, databreaches.net was alerted to the exposure of data by a security researcher who discovered the unprotected FTP server. According to the report, the file contained approximately 205,000 lines of patient data, each corresponding to a different patient. More than 11,000 Social Security number were...

Read More
Cass Regional Medical Center EHR Out of Action Due to Ransomware Attack
Jul11

Cass Regional Medical Center EHR Out of Action Due to Ransomware Attack

Around 11am on Monday July 9, Cass Regional Medical Center in Harrisonville, MO, experienced a ransomware attack that affected its communication system and prevented staff from accessing its electronic medical record (EHR) system. The medical center had policies in place for such an emergency situation. Its incident response protocol was initiated within 30 minutes of the discovery of the attack and staff met to develop detailed plans to minimize the impact to patients. Ransomware attacks typically do not involve the attackers gaining access to data, although as a precaution, it’s EHR vendor – Meditech – shut down the EHR system while the attack was investigated and remediated. At this stage, no evidence has been uncovered to suggest patient data have been accessed. As an additional precautionary measure, ambulances for trauma and stroke have been redirected to other medical facilities. Without access to the EHR system, staff resorted to pen and paper while its IT staff worked to decrypt data and bring its systems back online. A leading international forensics firm was called in to...

Read More
Former Arkansas Children’s Hospital Employee Investigated Over Potential Theft of 4,500 Patients’ PHI
Jul11

Former Arkansas Children’s Hospital Employee Investigated Over Potential Theft of 4,500 Patients’ PHI

A former employee of Arkansas Children’s Hospital is being investigated by law enforcement over the theft and misuse of patients’ protected health information. According to the breach notice submitted to the Department of Health and Human Services’ Office for Civil Rights, the former employee potentially viewed and copied the PHI of up to 4,521 patients. That individual was employed at Arkansas Children’s Hospital for 15 months between November 7, 2016 and February 6, 2018. During that time the employee was provided with access to patient health information to perform essential functions of the job. On May 9, 2018, law enforcement notified Arkansas Children’s Hospital that an investigation had been launched over the possible theft of patients’ Social Security numbers and personal information and the misuse of that information for personal gain. Arkansas Children’s Hospital immediately launched an investigation to determine the types of information that were potentially accessed and whether patients’ PHI had been accessed without authorization. While that internal investigation...

Read More
PHI Stolen As a Result of Manitowoc County Phishing Attack
Jul06

PHI Stolen As a Result of Manitowoc County Phishing Attack

Manitowoc County in Wisconsin has announced protected health information has been stolen as a result of a successful phishing attack. The incident occurred on or around January 14, 2018, although the attack and data breach was not discovered until April 24. While the account was immediately secured to prevent any further access, the attacker had well over two months to view and obtain sensitive data stored in the email account. During the time that the attacker had email account access, emails sent to that account were diverted to a different email account to which Manitowoc County staff had no access. While County officials have not uncovered any evidence to suggest any of the information in the emails has been misused, they have similarly not been able to establish that sensitive data have not been misused or sold on. The types of information that were stolen include names, telephone numbers, email addresses, addresses, and dates of birth. Individuals who received services through the County have also had their health information, insurance information, details of prescriptions,...

Read More
Sophisticated Cyber Spoofing Attack Reported by Humana
Jul03

Sophisticated Cyber Spoofing Attack Reported by Humana

Humana is notifying members in several states that their PHI has potentially been accessed during a ‘sophisticated’ spoofing attack. A spoofing attack is an attempt by a threat actor or bot to gain access to a system or data using stolen or spoofed login credentials. Humana became aware of the attack on June 3, when large numbers of failed login attempts were detected from foreign IP addresses. Prompt action was taken to block the attack, with the foreign IP addresses blocked from accessing its Humana.com and Go365.com websites on June 4. Humana suggests “the nature of the attack and observed behaviors indicated the attacker had a large database of user identifiers (IDs).” It is possible the login credentials are old and that they were obtained in a separate third-party breach, although Humana notes that “the excessive number of log in failures strongly suggests the ID and password combinations did not originate from Humana.” The website accounts did not contain Social Security numbers or financial information; however, the following types of information could potentially have been...

Read More
Zeus Trojan Infection Potentially Resulted in Theft of PHI from Alaska DHSS
Jul03

Zeus Trojan Infection Potentially Resulted in Theft of PHI from Alaska DHSS

The Alaska Department of Health and Social Services (ADHSS) is notifying ‘more than 500’ individuals that some of their protected health information (PHI) has potentially been accessed and stolen by hackers. On April 26, the ADHSS discovered malware had been installed on an employee’s computer after suspicious behavior was detected. The investigation revealed malware had been installed – a variant of the Zeus/Zbot Trojan – which is known to be used to steal sensitive information. The malware was discovered to have communicated with IP addresses in Russia, although it is not known whether the attackers are based in Russia or just using Russian IP addresses. ADHSS has not confirmed whether protected health information was exfiltrated to those IP addresses, although data access and theft of PHI is a possibility. Under the Health Insurance Portability and Accountability Act, HIPAA-covered entities must report data breaches as soon as possible, but no later than 60 days following the discovery of a breach. AHDSS chose to delay the issuing of notifications until just before...

Read More
Healthcare Worker Charged with Criminally Violating HIPAA Rules
Jul03

Healthcare Worker Charged with Criminally Violating HIPAA Rules

A former University of Pittsburgh Medical Center patient information coordinator has been indicted by a federal grand jury over criminal violations of HIPAA Rules, according to an announcement by the Department of Justice on June 29, 2018. Linda Sue Kalina, 61, of Butler, Pennsylvania, has been charged in a six-count indictment that includes wrongfully obtaining and disclosing the protected health information of 111 patients. Kalina worked at the University of Pittsburgh Medical Center and the Allegheny Health Network between March 30, 2016 and August 14, 2017. While employed at the healthcare organizations, Kalina is alleged to have accessed the protected health information (PHI) of those patients without authorization or any legitimate work reason for doing so. Additionally, Kalina is alleged to have stolen PHI and, on four separate occasions between December 30, 2016, and August 11, 2017, disclosed that information to three individuals with intent to cause malicious harm. Kalina was arrested following an investigation by the Federal Bureau of Investigation. The case was taken up...

Read More
Associated Dermatology & Skin Cancer Clinic of Helena Discloses PHI Breach Impacting 1,254 Patients
Jul02

Associated Dermatology & Skin Cancer Clinic of Helena Discloses PHI Breach Impacting 1,254 Patients

This week, Associated Dermatology & Skin Cancer Clinic of Helena, MT, has disclosed a breach of physical protected health information (PHI) affecting 1,254 patients. A journal maintained by an employee of Associate Dermatology was stolen from her vehicle on May 26, 2018. A thief forcibly gained access to the vehicle and stole the personal journal, which contained information to help the employee with the provision of care to patients. The types of information recorded in the journal included names and ages of patients, their referring physicians, brief notes on patients’ medical histories, reasons for visits, and visit notes. Patients whose PHI has been obtained by the thief had received medical services through Associated Dermatology between September 1, 2017 and May 24, 2018. While highly sensitive information – the types that can be used to steal identities – were not stored in the journal, there is potential the information could be misused, although no reports have been received to date to suggest that is the case. The biggest risk is the use of the information in social...

Read More
Business Email Compromise Attacks Dominate 2017 FBI Internet Crime Report
Jun29

Business Email Compromise Attacks Dominate 2017 FBI Internet Crime Report

The FBI has released its 2017 Internet Crime Report. Data for the report came from complaints made through its Internet Crime Complaints Center (IC3). The report highlights the most common online scams, the scale of Internet crime, and the substantial losses suffered as a result of Internet-related crimes. In 2017, there were 301,580 complaints made to IC3 about Internet crime, with total losses for the year exceeding $1.4 billion. Since 2013, when the first Internet Crime Report was first published, more than $5.52 billion has been lost in online scams and more than 1.4 million complaints have been received. The leading types of online crime in 2017 were non-payment/non-delivery, personal data breaches, and phishing; however, the biggest losses came from business email compromise (BEC) attacks, confidence scams/romance fraud, and non-payment/non-delivery. The losses from business email compromise scams (and email account compromise scams on consumers) exceeded $675 million. BEC/EAC scams resulted in more than three times the losses as confidence fraud/romance scams – the second...

Read More
Michigan Medicine Informs Hundreds of Patients of PHI Exposure
Jun28

Michigan Medicine Informs Hundreds of Patients of PHI Exposure

An unencrypted laptop computer containing the protected health information (PHI) of 870 patients of Michigan Medicine has been stolen. The PHI was saved on a personal laptop computer which had been left unattended in an employee’s vehicle. A thief broke into the car and stole the employee’s bag, which contacted the device. The theft occurred on June 3, 2018 and it was immediately reported to law enforcement. Michigan Medicine was informed of the theft the following day on June 4. The laptop contained a range of protected health information of patients who had participated in research studies. The types of information exposed varied depending on the type of research the patients had participated in. Highly sensitive information such as Social Security numbers, health plan ID numbers, and financial information were not stored on the device and addresses and contact telephone numbers were not exposed. The information exposed was limited to names, medical record numbers, gender, race, diagnoses, and treatment information. All of the research studies had been approved by the...

Read More
Protected Health Information Sent to Incorrect Fax Recipient Over Several Months
Jun27

Protected Health Information Sent to Incorrect Fax Recipient Over Several Months

Faxes containing the protected health information (PHI) of a patient have been sent to an incorrect recipient by OhioHealth’s Grant Medical Center over a period of several months – A violation of patient privacy and the Health Insurance Portability and Accountability Act (HIPAA). The recipient of the faxes, Elizabeth Spilker, tried on numerous occasions to notify Grant Medical Center about the problem and stop the faxes being sent, but her efforts were unsuccessful. She tried faxing back a message on the same number requesting a change to the programmed fax number and tried contacting the medical center by telephone. Spilker later notified ABC6 about the issue and the story was covered in a June 18 report. In the report, Spilker explained that faxes had been received from Grant Medical Center for more than a year. The messages contained a range of protected health information including name, age, weight, medical history, medications prescribed, and other sensitive health information. Typically, the faxes were received at the end of the day. Repeated attempts were made to send the...

Read More
Unencrypted Hospital Pager Messages Intercepted and Viewed by Radio Hobbyist
Jun26

Unencrypted Hospital Pager Messages Intercepted and Viewed by Radio Hobbyist

Many healthcare organizations have now transitioned to secure messaging systems and have retired their outdated pager systems. Healthcare organizations that have not yet made the switch to secure text messaging platforms should take note of a recent security breach that saw pages from multiple hospitals intercepted by a ‘radio hobbyist’ in Missouri. Intercepting pages using software defined radio (SDR) is nothing new. There are various websites that explain how the SDR can be used and its capabilities, including the interception of private communications. The risk of PHI being obtained by hackers using this tactic has been well documented.  All that is required is some easily obtained hardware that can be bought for around $30, a computer, and some free software. In this case, an IT worker from Johnson County, MO purchased an antenna and connected it to his laptop in order to pick up TV channels. However, he discovered he could pick up much more. By accident, he intercepted pages sent by physicians at several hospitals. The man told the Kansas City Star he intercepted pages...

Read More
Washington Health System Suspends Several Employees for Inappropriate PHI Access
Jun21

Washington Health System Suspends Several Employees for Inappropriate PHI Access

Following the alleged inappropriate accessing of patient health records by employees, Washington Health System has taken the decision to suspend several employees while the privacy breach is investigated. While it has not been confirmed how many employees have been suspended, Washington Health System VP of strategy and clinical services, Larry Pantuso, issued a statement to the Observer Reporter indicating around a dozen employees have been suspended, although at this stage, no employees have been fired for inappropriate medical record access. The privacy breaches are believed to relate to the death of an employee of the WHS Neighbor Health Center. Kimberly Dollard, 57, was killed when an out of control car driven by Chad Spence, 43, rammed into the building where she worked. Spence and one other individual were admitted to the hospital after sustaining injuries in the accident. Pantuso did not confirm that this was the incident that prompted the employees to access patients’ medical records, although he did confirm that the alleged inappropriate access related to a “high profile...

Read More
Florida Agency for Persons with Disabilities and Black River Medical Center Report Phishing Incidents
Jun20

Florida Agency for Persons with Disabilities and Black River Medical Center Report Phishing Incidents

Two HIPAA-covered entities have recently disclosed they have been victims of phishing attacks that have potentially resulted in the exposure of patients’ protected health information (PHI).   Further Phishing Attack Reported by Florida Agency for Persons with Disabilities The Florida Agency for Persons with Disabilities (FAPD), which provides support services for people with disabilities such as autism, cerebral palsy, spina bifida, and Downs syndrome, has experienced another phishing attack The phishing attack occurred on April 10, 2018 and was limited to a single email account; however, that account contained the PHI of 1,951 customers or guardians. While no evidence was uncovered to suggest any PHI was viewed or copied by the attacker, PHI access could not be ruled out with 100% certainty. The compromised email account contained information such as names, birth dates, addresses, telephone numbers, health information, and Social Security numbers. All patients have now been notified of the breach and have been offered credit monitoring services for a year without charge. Three...

Read More
May 2018 Healthcare Data Breach Report
Jun19

May 2018 Healthcare Data Breach Report

April was a particularly bad month for healthcare data breaches with 41 reported incidents. While it is certainly good news that there has been a month-over-month reduction in healthcare data breaches, the severity of some of the breaches reported last month puts May on a par with April. There were 29 healthcare data breaches reported by healthcare providers, health plans, and business associates of covered entities in May – a 29.27% month-over month reduction in reported breaches. However, 838,587 healthcare records were exposed or stolen in those incidents – only 56,287 records fewer than the 41 incidents in April. In May, the mean breach size was 28,917 records and the median was 2,793 records. In April the mean breach size was 21,826 records and the median was 2,553 records. Causes of May 2018 Healthcare Data Breaches Unauthorized access/disclosure incidents were the most numerous type of breach in May 2018 with 15 reported incidents (51.72%). There were 12 hacking/IT incidents reported (41.38%) and two theft incidents (6.9%). There were no lost unencrypted electronic devices...

Read More
3-Year Jail Term for VA Employee Who Stole Patient Data
Jun18

3-Year Jail Term for VA Employee Who Stole Patient Data

A former employee of the Veteran Affairs Medical Center in Long Beach, CA who stole the protected health information (PHI) of more than 1,000 patients has been sentenced to three years in jail. Albert Torres, 51, was employed as a clerk in the Long Beach Health System-run medical center – a position he held for less than a year. Torres was pulled over by police officers on April 12 after a check of his license plates revealed an anomaly – plates had been used on a private vehicle, which were typically reserved for commercial vehicles. The police officers found prescription medications which Torres’ did not have a prescription for and the Social Security numbers and other PHI of 14 patients in his vehicle. A subsequent search of Torres’ apartment revealed he had hard drives and zip drives containing the PHI of 1,030 patients and more than $1,000 in cleaning supplies that had been stolen from the hospital. After pleading guilty to several crimes, including identity theft and grand theft, Torres was sentenced to three years in state penitentiary on June 4. Sutter Health Fires...

Read More
PHI Stolen in San Francisco and Corpus Christi Burglaries
Jun15

PHI Stolen in San Francisco and Corpus Christi Burglaries

Two HIPAA-covered entities are alerting patients that some of their protected health information (PHI) has been obtained by thieves in recent burglaries. PHI Taken from Employee of Christus Spohn Hospitals The protected health information of patients of two Christus Spohn Hospitals in Corpus Christi has been stolen in a burglary. A Christus Spohn employee was burgled on April 16, 2018 and PHI was taken including information such as names, birth dates, dates of service, medical record numbers, account numbers, ages, and other medical data. No financial information, driver’s license numbers, or Social Security numbers were compromised. Patients affected by the breach had previously received treatment at Christus Spohn Health System’s Memorial or Shoreline hospitals. While PHI was obtained, the information does not appear to have been misused. Christus Spohn has confirmed that approximately 1,800 patients have been affected by the incident. Steps have already been taken to prevent further incidents of this nature from occurring, and the employee in question has received further...

Read More
PHI Compromised in HealthEquity Phishing Attack
Jun13

PHI Compromised in HealthEquity Phishing Attack

A phishing attack on Draper, UT-based HealthEquity Inc., has resulted in the exposure of members’ protected health information. The data breach was limited to one email account, although an analysis of the messages in the account revealed a range of PHI was potentially obtained by the attacker. Information possibly compromised in the attack was limited to names, email addresses, HealthEquity member ID numbers, employer ID numbers, employer names, health account type, deduction amounts, and for some Michigan-based employees, Social Security numbers. The breach was identified on April 13, 2018 and was discovered to have occurred two days previously, giving the attacker 48 hours to access messages in the account. Access to the compromised account was immediately terminated to prevent any further unauthorized access. A third-party computer forensics firm was engaged to conduct a full investigation into the attack. The investigation confirmed that the breach was limited to a single email account and access was gained due to human error – the employee responding to a phishing message. No...

Read More
1,600 Patients Potentially Impacted by Terros Health Phishing Attack
Jun12

1,600 Patients Potentially Impacted by Terros Health Phishing Attack

An employee of Phoenix-based Terros Health was fooled by a phishing scam and inadvertently handed over login credentials to the attacker. That individual accessed the employee’s email account and potentially viewed or obtained a range of protected health information detailed in individual emails in the account. The breach was limited to one email account and access to other systems was not gained. Terros Health learned of the phishing attack on April 12, 2018 and notified the media on June 8. All patients impacted by the breach have now been notified by mail. An investigation into the attack revealed the employee responded to the phishing email on or around November 16, 2017, which was when the email account was first accessed by the attacker. While almost 1,600 patients potentially had some of their PHI compromised as a result of the attack, for the majority of patients (1,241) the exposed information was limited to names and dates of birth. The remaining patients also had their addresses, email addresses, diagnoses, medical record numbers, and other protected health information...

Read More
3,700 Rise Wisconsin Plan Participants Potentially Impacted by Ransomware Attack
Jun11

3,700 Rise Wisconsin Plan Participants Potentially Impacted by Ransomware Attack

Rise Wisconsin is alerting more than 3,700 plan members that some of their protected health information was potentially accessed by unauthorized individuals during a recent ransomware attack. The ransomware was installed on its network on or around April 8, 2018. The ransomware attack was detected rapidly, although not in time to prevent the encryption of data. Rise Wisconsin (formerly Community Partnerships Inc., and Center for Families) called in third party computer forensics experts to assist with the breach investigation and recovery process. While the investigation did not uncover any evidence to suggest protected health information was accessed or stolen in the attack, it was not possible to rule out data access and data theft with a high degree of certainty. Potentially, the types of data that could have been accessed by the attackers includes names, addresses, dates of birth, Social Security numbers and, for certain patients, a limited amount of health information.  No financial information was compromised. Rise Wisconsin has not disclosed how much the attackers demanded...

Read More
Impostor, Burglar, and Hackers Obtain PHI of Patients
Jun08

Impostor, Burglar, and Hackers Obtain PHI of Patients

A round up of healthcare data security incidents reported in the past few days that have resulted in the protected health information of patients being obtained by unauthorized individuals. Blue Cross Blue Shield of Illinois Discovers PHI was Provided to an Imposter Blue Cross Blue Shield of Illinois has discovered the protected health information of some plan members has been disclosed to a doctor who was impersonating another physician. The doctor was employed by its business associate Dane Street and conducted peer to peer reviews for the firm – Further reviews when requests for services have been denied by an insurance company. Dane Street was notified by law enforcement on April 9, 2018 that the doctor had been fraudulently impersonating another physician in order to perform peer to peer reviews. Those reviews required the doctor to view information such as names, addresses, dates of birth, phone numbers, medical service information, and Social Security numbers. Since Social Security numbers were disclosed, affected patients have been offered complimentary credit...

Read More
Healthcare Employees Accused of Taking PHI to New Employers
Jun07

Healthcare Employees Accused of Taking PHI to New Employers

Two HIPAA-covered entities are notifying patients that former employees have accessed databases and stolen protected health information to take to new employers. Former Hair Free Forever Employee Contacts Patients to Solicit Customers Hair Free Forever, a Ventura, CA-based provider of permanent hair removal treatments, has announced that a former employee has stolen patient information and has been contacting its patients in an attempt to solicit customers. The company uses Thermolysis to permanently remove hair. Since the technique is classed as a medical procedure, Hair Free Forever and its employees are required to comply with HIPAA Rules. In a data breach notice provided to the California attorney general, Hair Free Forever’s Cheryl Conway informs patients that the former employee accessed patient files and the company’s database and stole patients’ protected health information, in clear violation of HIPAA Rules. The data theft came to light when complaints were received from customers who had been contacted and told about the former employee’s new practice. An investigation...

Read More
Multiple Data Breaches Reported by Dignity Health
Jun04

Multiple Data Breaches Reported by Dignity Health

Dignity Health has discovered multiple data breaches and violations of HIPAA Rules in the past few weeks. One incident involved an employee accessing the PHI of patients without authorization, an error occurred that allowed a business associate to receive PHI without a valid BAA being in place, and most recently, a 55,947-record unauthorized access/disclosure incident has been reported to the Department of Health and Human Services’ Office for Civil Rights (OCR). Business Associate Agreement Error Discovered On May 10, 2018, Dignity Health notified OCR of a data breach affecting patients of its St. Rose Dominican Hospitals at the San Martin, Siena, and Rose de Lima campuses in Nevada. Dignity Health reports that on April 6, 2018, St Rose Dominican Hospitals shared the protected health information of 6,036 patients with a third-party contractor to process health-related court documents for hearings. The contractor had been used for ten years and a valid business associate agreement was previously in place; however, that document had expired and data continued to be shared with the...

Read More
Purdue University Uncovers Data Security Incidents that Potentially Compromised PHI
May31

Purdue University Uncovers Data Security Incidents that Potentially Compromised PHI

Two security breaches have been discovered by Purdue University’s security team that have potentially resulted in unauthorized individuals gaining access to the protected health information of patients. In April, Purdue University’s security team discovered a file on computers used by Purdue University Pharmacy indicating the devices had been remotely accessed by an unauthorized individual. The file was placed on the devices around September 1, 2017. The computers contained a limited amount of protected health information including patients’ names, dates of birth, dates of service, identification numbers, internal identification numbers, diagnoses, treatment information, and amounts billed. No personal financial information or Social Security numbers were stored on the computer. An investigation into the breach did not uncover any evidence to suggest any patient information was stolen and no reports have been received to suggest any patient data have been misused. However, since it was not possible to rule out unauthorized PHI access with a high degree of certainty, patients have...

Read More
42,600 Patients Potentially Impacted by Aultman Health Foundation Phishing Attack
May28

42,600 Patients Potentially Impacted by Aultman Health Foundation Phishing Attack

Aultman Health Foundation, which runs Aultman Hospital in Canton, OH, is notifying approximately 42,600 patients that some of their protected health information may have been compromised as a result of a phishing attack. Unauthorized and unknown individuals succeeded in gaining access to several email accounts used by employees of Aultman Hospital, its AultWorks Occupational Medicine division, and certain Aultman physician offices. The unauthorized access was first detected on March 28, 2018 prompting a full investigation to determine the scope of the breach and whether any sensitive information was potentially accessed. Third-party information security experts were engaged to assist with the investigation and determined access to the email accounts occurred on several occasions starting in mid-February and continued until the breach was detected and remediated in late March. The breach was limited to email accounts. The system that stores electronic medical records was not compromised. Email accounts used by Aultman hospital and certain physician practices contained names,...

Read More
More than 6,500 Patients Potentially Impacted by Minnesota Ransomware Attack
May25

More than 6,500 Patients Potentially Impacted by Minnesota Ransomware Attack

Rochester, MN-based Associates in Psychiatry and Psychology (APP) has experienced a ransomware attack that affected several computers containing patients’ protected health information. The ransomware attack was discovered on March 31, 2018. Patient information stored on the affected computers was not in a “human-readable” format, and no evidence was uncovered to suggest any protected health information was accessed or copied by the attackers. Since it was not possible to rule out data access with 100% certainty, all patients whose data were stored on the affected devices have been notified of the security breach. The types of information potentially accessed includes names, birth dates, addresses, Social Security numbers, insurance information, and treatment records. APP acted promptly when the attack was discovered and took its systems offline to prevent the spread of the ransomware and limit the potential for further encryption of data and data theft. APP’s systems remained offline for four days while the attack was assessed. APP notes in its Q&A about the incident that the...

Read More
OCR Plans to Share HIPAA Violation Settlements with Breach Victims
May23

OCR Plans to Share HIPAA Violation Settlements with Breach Victims

The Health Information Technology for Economic and Clinical Health (HITECH) Act was enacted in 2009 and includes a provision that calls for the Department of Health and Human Services to share a percentage of HIPAA settlements with victims of HIPAA violations and data breaches. This month has seen some progress in that area. The Department of Health and Human Services’ Office for Civil Rights has announced it is planning on issuing an advance notice of proposed rulemaking in November about sharing a percentage of the fines it collects through its HIPAA enforcement activities with the victims of data breaches. OCR officials have previously made it clear that steps will be taken to meet the requirements of this HITECH provision, but little progress has been made. This is not the first time that OCR has announced it plans to issue an advance notice of proposed rulemaking on the matter only for the advance notice of proposed rulemaking to be delayed. If OCR follows through on its plans this fall, feedback will be sought from the public and industry stakeholders on how it can achieve...

Read More
538,000 Patients Notified of LifeBridge Health Data Breach
May23

538,000 Patients Notified of LifeBridge Health Data Breach

Earlier this month, the Baltimore-based healthcare provider LifeBridge Health announced it had experienced a data breach. A press release about the breach was issued on May 16, although there was no mention of the number of patients impacted. Further information has now been released on the extent of the breach. On March 18, 2018, LifeBridge Health discovered malware had been installed on a server that hosted the electronic medical record system used by LifeBridge Potomac Professionals and LifeBridge Health’s patient registration and billing systems. The discovery of malware prompted a through investigation to determine when access to the server was first gained. LifeBridge Health contracted a national computer forensics firm to assist with the investigation with the firm establishing that access to the server was first gained 18 months previously on September 27, 2016. The types of information stored on the server included patients’ names, dates of birth, addresses, diagnoses, medications prescribed, clinical and treatment information, insurance details, and a limited number of...

Read More
Indiana Physicians Group Suffers SamSam Ransomware Attack
May22

Indiana Physicians Group Suffers SamSam Ransomware Attack

Allied Physicians Group of Michiana has experienced a ransomware attack that took part of its network out of action. The attack occurred on Thursday May 17, 2018 and resulted in the encryption of several files on its network. It is currently unclear whether any protected health information encrypted. An investigation into the security incident is continuing to determine whether any protected health information was compromised in the attack. The attack was detected promptly and action was immediately taken to shut down its network to protect the PHI of patients. Allied Physicians Group of Michiana has been working with its incident responder, outside counsel, and other professionals to determine the scope of the breach and recover encrypted data. The Indiana Physicians Group reports that all data have now been recovered in a secure format and the attack did not cause significant disruption to patients. Steps have already been taken to improve security and prevent future attacks of this nature from occurring. CEO Shery Roussarie explained in a May 21 press release that the attack...

Read More
Healthcare Data Breach Report: April 2018
May18

Healthcare Data Breach Report: April 2018

April was a particularly bad month for healthcare data breaches with both the number of breaches and the number of individuals impacted by breaches both substantially higher than in March. There were 41 healthcare data breaches reported to the Department of Health and Human Services’ Office for Civil Rights in April. Those breaches resulted in the theft/exposure of 894,874 healthcare records. Healthcare Data Breach Trends For the past four months, the number of healthcare data breaches reported to OCR has increased month over month. For the third consecutive month, the number of records exposed in healthcare data breaches has increased. Causes of Healthcare Data Breaches in April 2018 The healthcare industry may be a big target for hackers, but the biggest cause of healthcare data breaches in April was unauthorized access/disclosure incidents. While cybersecurity defences have been improved to make it harder for hackers to gain access to healthcare data, there is still a major problem preventing accidental data breaches by insiders and malicious acts by healthcare employees....

Read More
Former Employee of Nuance Communications Stole PHI of 45,000 Patients
May16

Former Employee of Nuance Communications Stole PHI of 45,000 Patients

In a recent filing with the U.S. Securities and Exchange Commission, Burlington, MA-based Nuance Communications disclosed it experienced a data breach involving the protected health information of 45,000 individuals in December 2017. Nuance Communications stated in its May 10, 2018 SEC filing that a third party accessed certain reports hosted on a single Nuance transcription platform, which was promptly shut down when unauthorized access was discovered. The filing states law enforcement was notified about the breach and assisted with the investigation and apprehended the individual responsible. There is no mention of when the breach was discovered, although the company has notified all customers who used the platform to allow them to issue notifications to affected individuals. One of those customers, The San Francisco Health Network, published a substitute breach notice on its website on May 11 providing further information on the breach. The breach notice explains that the protected health information of 895 patients who received medical services at Zuckerberg San Francisco...

Read More
Eye Care Surgery Center Data Breach Impacts 2,553 Patients
May15

Eye Care Surgery Center Data Breach Impacts 2,553 Patients

A laptop computer containing the protected health information of 2,553 patients of Eye Care Surgery Center, Inc., of Baton Rouge, LA has been stolen. The theft was discovered by Eye Care Surgery Center on February 26, 2018 although it is unclear where the device was stolen from. The theft prompted Eye Care Surgery Center to install a new multi-camera system at its facilities, both inside and outside buildings. The decision has also been taken to use encryption on most of the portable electronic devices used by Eye Care Surgery Center to prevent protected health information from being exposed in the event that any further portable electronic devices are stolen. An investigation was conducted to determine the types of information stored on the stolen device and the patients affected by the incident. Highly sensitive information such as health insurance information, Social Security numbers, and financial information were not stored on the device and remained secure at all times. The breach was limited to names, birth dates, and diagnosis information. No reports have been received to...

Read More
8,300 Cerebral Palsy Research Foundation of Kansas Patients Informed of 10-Month Exposure of PHI
May14

8,300 Cerebral Palsy Research Foundation of Kansas Patients Informed of 10-Month Exposure of PHI

An oversight has caused a database used by Cerebral Palsy Research Foundation of Kansas (CPRF) to have its security protections removed for a period of 10 months, exposing the protected health information (PHI) of 8,300 patients. The vulnerable demographic database was discovered on March 10, 2018 and was immediately secured. The investigation into the breach determined that while the database had been created on a secure subdomain in early 2000, when CPRF switched its servers in 2017 the database was not identified resulting in the accidental removal of security protections. During the time that the database was vulnerable it is possible that personal and health information was accessed by unauthorized individuals. The breach was limited to personal information and personal health information relating to the type of disability suffered by patients. No financial information or donor information was exposed. Individuals affected by the breach had received services from CPRF between 2001 and 2010. It is unclear whether any of the exposed information was accessed by unauthorized...

Read More
Spate of Phishing Attacks on Healthcare Organizations Sees 90,000 Records Exposed
May10

Spate of Phishing Attacks on Healthcare Organizations Sees 90,000 Records Exposed

The past few weeks have seen a significant rise in successful phishing attacks on healthcare organizations. In a little over four weeks there have been 10 major email hacking incidents reported to the Department of Health and Human Services’ Office for Civil Rights, each of which has resulted in the exposure and potential theft of more than 500 healthcare records. Those ten incidents alone have seen almost 90,000 healthcare records compromised. Recent Email Hacking and Phishing Attacks on Healthcare Organizations HIPAA-Covered Entity Records Exposed Inogen Inc. 29,529 Knoxville Heart Group 15,995 USACS Management Group Ltd 15,552 UnityPoint Health 16,429 Texas Health Physicians Group 3,808 Scenic Bluffs Health Center 2,889 ATI Holdings LLC 1,776 Worldwide Insurance Services 1,692 Billings Clinic 949 Diagnostic Radiology & Imaging, LLC 800 The Oregon Clinic Undisclosed   So far this year there have been three data breaches involving the hacking of email accounts that have exposed more than 30,000 records. Agency for Health Care Administration suffered a 30,000-record breach in...

Read More
Class Action Lawsuit Claims UnityPoint Health Mislead Patients over Severity of Phishing Attack
May08

Class Action Lawsuit Claims UnityPoint Health Mislead Patients over Severity of Phishing Attack

A class action lawsuit has been filed in response to a data breach at UnityPoint Health that saw the protected health information (PHI) of 16,429 patients exposed and potentially obtained by unauthorized individuals. As with many other healthcare data breaches, PHI was exposed as a result of employees falling for phishing emails. UnityPoint Health discovered the security breach on February 15, 2018 and sent breach notification letters to affected patients two months later, on or around April 16, 2018. HIPAA-covered entities have up to 60 days following the discovery of a data breach to issue notifications to patients. Many healthcare organizations wait before issuing breach notifications and submitting reports of the incident to the Department of Health and Human Services’ Office for Civil Rights. Waiting for two months to issue notifications to breach victims could be viewed as a violation of HIPAA Rules. While the maximum time limit for reporting was not exceeded, the HIPAA Breach Notification Rule requires notifications to be sent ‘without unnecessary delay.’ The HHS’ Office for...

Read More
Capital Digestive Care Notifies 17,639 Individuals of PHI Exposure
May08

Capital Digestive Care Notifies 17,639 Individuals of PHI Exposure

The Silver Spring, MD-based gastroenterology group Capital Digestive Care has discovered one of its business associates uploaded files to a commercial cloud server that lacked appropriate security controls, exposing the protected health information of up to 17,639 patients. The availability of sensitive patient data over the Internet was brought to the attention of Capital Digestive Care on February 23, 2018 and action was promptly taken to secure the files and prevent further unauthorized access. An investigation into the privacy breach was launched to determine the types of information that had been exposed and the number of patients impacted. The investigation confirmed some sensitive data had been exposed, although the breach was limited to individuals that had visited its website and submitted information via the Schedule a Visit and Contact pages on the site. The types of information exposed was limited to names, addresses, email addresses, telephone numbers, and birth dates. Patients may also have had a limited amount of health information exposed. The login page to the...

Read More
3 University of Arkansas Medical Sciences Employees Fired for Violation of Patient Privacy
May07

3 University of Arkansas Medical Sciences Employees Fired for Violation of Patient Privacy

University of Arkansas Medical Sciences (UAMS) has fired three employees over alleged HIPAA violations that saw a patient’s protected health information impermissibly disclosed and published on Facebook. UAMS provides training to all employees to make them aware of their responsibilities with respect to patient privacy and the requirements of HIPAA, yet despite that training, one employee violated the privacy of a patient by disclosing that individual’s name, age, HIV status, employment information, and surgical history to a colleague. That employee shared the information with a friend who uploaded the PHI to Facebook. A third employee allegedly played no part in the violation but was aware of the disclosures yet failed to report the incident to the hospital. The hospital took prompt action when the HIPAA violations were discovered and terminated all three employees for violating HIPAA Rules and the hospital’s code of conduct. The hospital is taking steps to ensure similar incidents are prevented and is working with the patient to resolve the privacy violation. The motives of the...

Read More
Protenus Report Highlights Extent of Insider Breaches in Healthcare
May04

Protenus Report Highlights Extent of Insider Breaches in Healthcare

The quarterly breach barometer report from Protenus provides insights into the extent to which insiders are violating HIPAA Rules and snooping on patient health information. The Breach Barometer report is compiled using breach data supplied by Databreaches.net and proprietary data collected through the artificial intelligence platform developed by Protenus that allows healthcare organizations to track and analyze employee EHR activity. Insider breaches are a major problem in healthcare, yet many insider breaches go undetected. When insider breaches are identified, it is often months after the breach has occurred. One healthcare employee was recently discovered to have been accessing medical records without authorization for 14 years. 1.13 Million Patient Records Exposed in Q1, 2018 The latest Breach Barometer report shows the records of 1,129,744 patients and health plan members has been viewed by unauthorized individuals, exposed, or stolen in the first quarter of 2018. Data breaches occurred at a rate of more than one per day, with 110 healthcare data breaches reported in Q1....

Read More
2,889 Patients of Scenic Bluffs Community Health Centers Notified of PHI Breach
May04

2,889 Patients of Scenic Bluffs Community Health Centers Notified of PHI Breach

An unauthorized individual has gained access to the email account of an employee of Scenic Bluffs Community Health Centers and potentially viewed the protected health information of up to 2,889 patients. The email account breach was discovered by the health centers on March 1, 2018, the day after access to the account was gained. The attacker had set up a mail forwarder on the account, which had forwarded 44 messages to an email address controlled by the attacker. None of the forwarded emails contained any protected health information and following the discovery of the mail forwarding rule it was deleted, the account was closed, and all PHI was secured. While no PHI appeared to have been obtained by the attacker, it is possible that during the time that access to the email account was possible, PHI detailed in the emails could potentially have been viewed. It is unclear how access to the email account was gained. Typically email accounts are compromised after employees respond to phishing emails and inadvertently disclose their login credentials, or via brute force attacks that...

Read More
PHI of 3,000 Patients Exposed Due to Mailing Printing Error
May03

PHI of 3,000 Patients Exposed Due to Mailing Printing Error

Maximus Inc, a provider of business process management and technology solutions to government health and human services agencies, is alerting more than 3,000 individuals that some of their protected health information has been accidentally disclosed to other individuals as a result of a printing error on a recent mailing. The mailing was prepared and sent by its business associate, Business Ink, between February 10 and February 13, 2018. The mailing was sent to approximately 1,100 families in Texas who participated in Medicaid and the Children’s Health Insurance Program (CHIP). The error was discovered by Maximus on February 16. The 6-page letter included one mismatched page that included information relating to another individual. The types of information detailed on the page were limited to names, addresses, group numbers, case numbers, and program type. No highly sensitive information such as Social Security numbers, birth dates, insurance information, or financial information was exposed, and none of the information detailed on the mismatched pages would allow another...

Read More
Malware Installed on Florida Hospital Websites May Have Provided Access to PHI
May03

Malware Installed on Florida Hospital Websites May Have Provided Access to PHI

Three websites used by Florida Hospital have been infected with malware that has potentially allowed the threat actors behind the attack to obtain patients’ protected health information. PHI access has not been confirmed and no reports have been received to suggest any protected health information has been misused. Patients are being informed of the breach and, out of an abundance of caution, have been offered complimentary credit monitoring services. The websites impacted are FloridaBariatric.com, FHOrthoInstitute.com and FHExecutiveHealth.com. The data potentially compromised was limited and did not involve any financial information. Potentially, patients’ names, birth dates, email addresses, phone numbers, insurance carriers, the last four digits of their social security numbers, any comments uploaded via the sites, and their height and weight have potentially been obtained by the attackers. The malware attack was limited to the above websites and no other systems were affected. It is unclear what type of malware was uploaded to the websites and how long the malware was present...

Read More
Employee Sent PHI After Being Fired
Apr27

Employee Sent PHI After Being Fired

A bizarre mistake by the Texas Health and Human Services Commission has seen a former employee sent the protected health information of approximately 100 patients after she had been fired. She was sent boxes containing items that had been collected from her old desk, but was also sent a box of benefits application forms. After Tracy Ryans, 51, of Houston, was terminated, HHSC mailed her two boxes containing her personal items, which were left on her porch by the delivery driver. One of the boxes contained personal belongings that included pens, a coffee cup, and old shoes. The other box contained paperwork. Ryans told the Texas Tribune that one of the boxes contained personal items that did not belong to her. They had been taken from a desk she shared with coworkers. The other box was full of paperwork containing highly sensitive personal information of clients. The paperwork included benefits applications that included the Social Security numbers, billing statements, copies of driver’s licenses, and check stubs relating to approximately 100 individuals. The documents were dated...

Read More
85,000 Patients Impacted by California Ransomware Attack
Apr26

85,000 Patients Impacted by California Ransomware Attack

Center for Orthopaedic Specialists is notifying its patients that some of their protected health information was potentially accessed by unauthorized individuals who installed ransomware on its network. The attack impacts all current and former patients of three of its facilities in West Hills, Simi Valley and Westlake Village in California. According to Databreaches.net, 85,000 patients have potentially been impacted. Center for Orthopaedic Specialists was notified by its IT vendor that an unauthorized individual began attempting to access its network on February 18, 2018. Access to the network was gained and ransomware was installed, which was used to encrypt a wide range of files, many of which contained the protected health information of patients. The types of information encrypted by the ransomware included names, details about medical records, dates of birth, and Social Security numbers. Prompt action was taken by the IT vendor to limit the harm caused and the affected system was taken offline rapidly to prevent any exfiltration of data. An investigation into the breach has...

Read More
Web Portal of Transcription Service Provider Discovered to be Leaking PHI
Apr25

Web Portal of Transcription Service Provider Discovered to be Leaking PHI

A transcription service provider has inadvertently left medical records and patient notes unsecured and freely accessible via a physician portal, which should have been password protected. The error has resulted in the exposure of thousands of patients’ PHI. MEDantex provides medical transcription services to many hospitals and physicians, many of whom choose to upload audio files to the MEDantex website. The audio files are accessed by the firm’s employees and transcribed, and documents containing the transcribed notes are uploaded to the portal where they can be downloaded by providers. In order to gain access the portal, a user must be authenticated by means of a password. According to a report on KrebsOnSecurity, certain portions of the website were recently discovered to lack any authentication controls. Anyone visiting the website could, through their browser, gain access to patient data stored on the site. Brian Krebs reports that several of the tools used by MEDantex staff and could also be accessed and used by unauthorized individuals. Those tools allowed unauthorized...

Read More
Report: Healthcare Data Breaches in Q1, 2018
Apr24

Report: Healthcare Data Breaches in Q1, 2018

The first three months of 2018 have seen 77 healthcare data breaches reported to the Department of Health and Human Services’ Office for Civil Rights (OCR). Those breaches have impacted more than one million patients and health plan members – Almost twice the number of individuals that were impacted by healthcare data breaches in Q4, 2017. There was a 10.5% fall in the number of data breaches reported quarter over quarter, but the severity of breaches increased. The mean breach size increased by 130.57% and there was a 15.37% increase in the median breach size. In Q4, 2017, the mean breach size was 6,048 healthcare records and the median breach size was 1,666 records. In Q1, 2018, the mean breach size was 13,945 records and the median breach size was 1,922 records. Between January 1 and March 31, 2018, 1,073,766 individuals had their PHI exposed, viewed, or stolen compared to 520,141 individuals in Q4, 2017. Individuals Impacted by Healthcare Data Breaches in Q1, 2018 Throughout 2017, healthcare data breaches were occurring at a rate of more than one per day. Compared to 2017,...

Read More
1,000 Mental Health Patients’ PHI Accidentally Disclosed for 3 and a Half Years
Apr20

1,000 Mental Health Patients’ PHI Accidentally Disclosed for 3 and a Half Years

1,071 patients who received medical services at the Des Moines Crisis Observation Center operated by Polk County Health Services Inc., have been informed that some of their protected health information has been “accidentally and unknowingly disseminated” over a period of three and a half years. The breach was discovered on February 14, 2018, although the investigation revealed that information first started being disclosed on June 1, 2014 and continued until January 11, 2018. The types of information disclosed includes patients’ names along with Social Security numbers, home addresses, Medicaid ID numbers, admission dates, and discharge locations. Through the Crisis Observation Center, Polk County Health Services provides mental health services for residents of Polk County, IA and is the regional administrator and governing board for mental health and disability services for the county. Polk County Health Services is aware of the individual(s) to whom the information has been disclosed and was able to determine exactly the types of information that has been received by those...

Read More
California Dept. of Developmental Services Notifies 582,000 Patients of Potential PHI Compromise
Apr19

California Dept. of Developmental Services Notifies 582,000 Patients of Potential PHI Compromise

The California Department of Developmental Services (DDS) is notifying 582,174 patients that their protected health information has potentially been compromised. On February 11, 2018, thieves broke into the DDS legal and audits offices in Sacramento, CA. During the time the thieves were in the offices they potentially had access to the sensitive information of approximately 15,000 employees, contractors, job applicants, and parents of minors who receive DDS services, in addition to the PHI of more than half a million patients. The thieves also stole 12 government computers. It does not appear that the perpetrators were interested in paper records and all computers taken by the thieves were encrypted so data access was not possible. DDS has confirmed that none of the office computers were used to gain access to the department’s network and electronic protected health information remained secure at all times. In its substitute breach notice, DDS explained that its offices were vandalized and a fire was started, which triggered the sprinkler system causing damage to documents and CDs....

Read More
Texas Health Resources Notifies 4,000 Patients of Email Account Breach
Apr17

Texas Health Resources Notifies 4,000 Patients of Email Account Breach

Arlington-based Texas Health Resources, a provider group serving more than 1.7 million patients in North Texas, is notifying ‘fewer than 4,000 patients’ that some of their sensitive information may have been accessed by an unauthorized individual. The data breach occurred as early as October 2017, although it was not discovered until January 17, 2018, when the health system was notified of a breach by law enforcement. The potentially compromised data was saved in email accounts that the attacker had access to for up to three months. The delay in issuing breach notification letters, which would normally have to be issued within 60 days of the discovery of the breach under HIPAA Rules, was at the request of law enforcement. HIPAA covered entities are permitted to delay the issuing of notifications if law enforcement believes such an act would impede an investigation. Law enforcement has only recently given the OK to start sending notifications. It is unclear whether the law enforcement investigation resulted in the apprehension of a suspect. Texas Health Resources explained in its...

Read More
Analysis of March 2018 Healthcare Data Breaches
Apr16

Analysis of March 2018 Healthcare Data Breaches

There has been a month-over-month increase in healthcare data breaches. In March 2018, 29 security incidents were reported by HIPAA covered entities compared to 25 incidents in February. Even though more data breaches were reported in March, there was a fall in the number of individuals impacted by breaches. March 2018 healthcare data breaches saw 268,210 healthcare records exposed – a 13.13% decrease from the 308,780 records exposed in incidents in February. Causes of March 2018 Healthcare Data Breaches March saw the publication of the Verizon Data Breach Investigations Report which confirmed the healthcare industry is the only vertical where more data breaches are caused by insiders than hackers. That trend continued in March. Unauthorized access/disclosures, loss of devices/records, and improper disposal incidents were behind 19 of the 29 incidents reported – 65.5% of all incidents reported in March. The main cause of healthcare data breaches in March 2018 was unauthorized access/disclosure incidents. 14 incidents were reported, with theft/loss incidents the second main cause...

Read More