Our HIPAA breach news section covers HIPAA breaches such as unauthorized disclosures of protected health information (PHI), improper disposal of PHI, unauthorized PHI access by cybercriminals and rogue healthcare employees, and other security and privacy breaches.

When known, we explain how the breach occurred, the consequences to patients that may have had their PHI compromised, and the actions being taken by the affected healthcare organization to improve safeguards to prevent further HIPAA breaches.

We also explain any actions being taken by the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) and state attorneys general in relation to those breaches.

OCR investigates all data breaches that impact more than 500 individuals to determine whether any HIPAA violations have occurred. When HIPAA Rules are discovered to have been violated, financial penalties may be deemed appropriate. It can take many months or years before any financial penalties for HIPAA breaches are decided. Financial penalties for HIPAA violations tend to be reserved for the most serious breaches of HIPAA Rules. OCR prefers to resolve cases with voluntary compliance and by issuing recommendations to bring policies in line with HIPAA Rules.

The HIPAA breach news section is particularly relevant to healthcare information security professionals, privacy officers, and other individuals who have some responsibility for HIPAA compliance.

The HIPAA breach news reports highlight common areas of non-compliance and new attack vectors used by cybercriminals to gain access to healthcare networks and PHI, the security failings that allowed them to happen, and the measures that have been implemented to prevent them from happening again.

No healthcare organization wants to experience a data breach, but when a breach does occur, lessons can be learned. HIPAA-covered entities can use these breach examples to help train their staff as well as to discover some of the methods other covered entities have adopted to improve data security.

As you will be able to see from the volume of posts in the HIPAA breach news category, healthcare data breaches occur frequently. In 2016 and 2017, healthcare data breaches have been reported on an almost daily basis.

Our HIPAA breach news section is an important source of information about potential security issues that covered entities should be identifying when conducting their own risk assessments. Many of the situations in our HIPAA breach news posts could have been avoided if a risk assessment had identified a vulnerability that was later exploited to gain access to PHI.

The main purpose for adding HIPAA breach news to this website is to highlight specific aspects of HIPAA compliance that are commonly overlooked, often with serious consequences for the covered entity and patients/health plan members.

By raising awareness of the volume of healthcare data breaches, the implications of those breaches, and the penalties that can result, it is hoped that healthcare providers will take decisive action to prevent their patients’ and members’ data from being exposed.

The most recent healthcare data breach reports are listed below. If you want to find out if a specific covered entity has experienced a data breach, please use the search function in the top right hand corner of this webpage.

Lawmakers Accuse Oklahoma Department of Veteran Affairs of Violating HIPAA Rules
Aug13

Lawmakers Accuse Oklahoma Department of Veteran Affairs of Violating HIPAA Rules

The Oklahoma Department of Veteran Affairs has been accused of violating Health Insurance Portability and Accountability Act (HIPAA) Rules by three Democrat lawmakers, who have also called for two top Oklahoma VA officials to be fired over the incident. The alleged HIPAA violation occurred during a scheduled internet outage, during which VA medical aides were prevented from gaining access to veterans’ medical records. The outage had potential to cause major disruption and prevent “hundreds” of veterans from being issued with their medications. To avoid this, the Oklahoma Department of Veteran Affairs allowed medical aides to access electronic medical records using their personal smartphones. In a letter to Oklahoma Governor Mary Fallin, Reps. Brian Renegar, Chuck Hoskin, and David Perryman called for the VA Executive Director Doug Elliot and the clinical compliance director Tina Williams to be fired over the alleged HIPAA violation. They claimed Elliot and Williams “have little regard for, and knowledge of, health care,” and allowing medical aides to access electronic medical...

Read More
MedSpring Urgent Care Breach Impacts 13,034 Patients
Aug10

MedSpring Urgent Care Breach Impacts 13,034 Patients

MedSpring Urgent Care, a network of urgent care clinics in Atlanta, Chicago, Austin, Dallas, Fort Worth, and Houston, has discovered an unauthorized individual has gained access to an email account as a result of an employee being duped by a phishing email. The email account was compromised on May 8, 2018 but the security breach was not detected until May 17. Upon discovery of the breach, the email account was secured to prevent further unauthorized access and a leading cybersecurity forensics firm was contracted to conduct an investigation into the breach and assist with the breach response. MedSpring discovered on May 22, 2018 that the attacker potentially gained access to the protected health information of patients through the emails and email attachments. The breach was limited to a single email account and no other systems were compromised. A full review of all messages in the account was conducted to determine which patients had been affected and the types of information that had been exposed. MedSpring says the breach was limited to patients who had previously visited its...

Read More
At Least 3.14 Million Healthcare Records Were Exposed in Q2, 2018
Aug09

At Least 3.14 Million Healthcare Records Were Exposed in Q2, 2018

In total, there were 143 data breaches reported to the media or the Department of Health and Human Services’ Office for Civil Rights (OCR) in Q2, 2018 and the healthcare records of at least 3,143,642 patients were exposed, impermissibly disclosed, or stolen. Almost three times as many healthcare records were exposed or stolen in Q2, 2018 as Q1, 2018. The figures come from the Q2 2018 Breach Barometer Report from Protenus. The data for the report came from OCR data breach reports, data collected and collated by Databreaches.net, and proprietary data collected through the Protenus compliance and analytics platform, which monitors the tens of trillions of EHR access attempts by its healthcare clients. Q2 2018 Healthcare Data Breaches Month Data Breaches Records Exposed April 45 919,395 May 50 1,870,699 June 47 353,548   Q2, 2018 saw five of the top six breaches of 2018 reported. The largest breach reported – and largest breach of 2018 to date – was the 582,174-record breach at the California Department of Developmental Services – a burglary. It is unclear if any healthcare...

Read More
The Cost of SamSam Ransomware Attacks: $17 Million for the City of Atlanta
Aug09

The Cost of SamSam Ransomware Attacks: $17 Million for the City of Atlanta

The SamSam ransomware attack on the City of Atlanta was initially expected to cost around $6 million to resolve: Substantially more than the $51,000 ransom demand that was issued. However, city officials now believe the final cost could be around $11 million higher, according to a “confidential and privileged” document obtained by The Atlanta Journal-Constitution. The attack has prompted a complete overhaul of the city’s software and systems, including system upgrades, new software, and the purchasing of new security services, computers, tablets, laptops, and mobile phones. The Colorado Department of Transportation was also attacked with SamSam ransomware this year and was issued with a similar ransom demand. As with the City of Atlanta, the ransom was not paid. In its case, the cleanup is expected to cost around $2 million. When faced with extensive disruption and a massive clean up bill it is no surprise that many victims choose to pay the ransom. Now new figures have been released that confirm just how many victims have paid to recover their files and regain control of their...

Read More
Protected Health Information of Three Hundred Thousand SSM Health Patients Exposed
Aug08

Protected Health Information of Three Hundred Thousand SSM Health Patients Exposed

SSM Health St. Mary’s Hospital in Jefferson City, Missouri is informing hundreds of thousands of patients that some of their protected health information has been left unprotected and could potentially have been viewed by unauthorized individuals. On November 16, 2014, St. Mary’s Hospital moved to new premises and all patients’ medical records were transferred to the new facility and were secured at all times. However, on June 1, 2018, the hospital discovered many documents containing protected health information had been left behind. The documents were mostly administrative and operational supporting documents and contained only a limited amount of protected health information. For the majority of patients, the only information that was exposed was their name and medical record number. Some patients also had some clinical data, demographic information, and financial information exposed. Due to the number of documents involved, the hospital has retained a document services firm to catalogue all the documents and determine which patients have had some of their PHI exposed. It has...

Read More
Hacktivist Convicted for DDoS Attack on Children’s Mercy Hospital
Aug07

Hacktivist Convicted for DDoS Attack on Children’s Mercy Hospital

A hacktivist who conducted a Distributed Denial of Service (DDoS) attack on Boston’s Children’s Mercy Hospital in 2014 has been convicted on two counts – conspiracy to intentionally damage protected computers and damaging protected computers – by a jury in the U.S. District Court in Boston. Martin Gottesfeld, 32, of Somerville, MA, conducted the DDoS attacks in March and April of 2014. He first conducted a DDoS attack on Wayside Youth and Family Support Network in Framingham, MA. The attack crippled its systems and took them out of action for more than a week. The attack cost the healthcare facility $18,000 to resolve. Following that attack, Gottesfeld conducted a much larger attack on Boston Children’s Hospital using 40,000 malware-infected network routers that he controlled from his home computer. The attack was planned for a week and occurred on April 19, 2014. Such was the scale of the attack that the hospital and several others in the Longwood medical area were knocked off the internet. 65,000 IP addresses used by the hospital and other healthcare facilities in the area were...

Read More
Phishing Attack, Lost Devices, and System Error Exposed PHI of 9,400 Patients
Aug03

Phishing Attack, Lost Devices, and System Error Exposed PHI of 9,400 Patients

A round up of data breaches recently disclosed to the media and the Department of Health and Human Services’ Office for Civil Rights System Error Exposed Data at Pennsylvania Department of Human Services Pennsylvania Department of Human Services has discovered a system error in its Compass system allowed certain individuals to view the protected health information of others who, at some point, were part of the same benefit household but are now part of a different active case record. The types of information that could have been viewed included names, citizenship, date of birth, and all information reported about employment, although not Social Security numbers. No reports have been received to date to suggest any of the information was accessed and misused. The system glitch was detected on May 23, 2018 and has now been corrected. All 2,130 individuals potentially impacted have been notified of the breach by mail. Lost Laptop Exposes PHI of Ambercare Patients The Ambercare Corporation, a provider of hospice and home care services in New Mexico, has announced that an unencrypted...

Read More
Email Account Compromises Continue Relentless Rise
Aug02

Email Account Compromises Continue Relentless Rise

There has been a steady rise in the number of reported email data breaches over the past year. According to the July edition of the Beazley Breach Insights Report, email compromises accounted for 23% of all breaches reported to Beazley Breach Response (BBR) Services in Q2, 2018. In Q2, 2018 there were 184 reported cases of email compromises, an increase from the 173 in Q1, 2018 and 120 in Q4, 2017. There were 45 such breaches in Q1, 2017, and each quarter has seen the number of email compromise breaches increase. In Q2, 2018, the email account compromises were broadly distributed across a range of industry sectors, although the healthcare industry experienced more than its fair share. Healthcare email accounts often contain a treasure trove of sensitive data that can be used for identity theft, medical identity theft, and other types of fraud. The accounts can contain the protected health information of thousands of patients. The recently discovered phishing attack on Boys Town National Research Hospital resulted in the attackers gaining access to the PHI of more than 105,000...

Read More
Orlando Orthopaedic Center Suffers 19,000-Record Breach Due to Business Associate Error
Aug01

Orlando Orthopaedic Center Suffers 19,000-Record Breach Due to Business Associate Error

An error made by a transcription service provider during a software upgrade on a server has resulted in the exposure of more than 19,000 patients’ protected health information (PHI). Patients affected by the breach had received medical services at Orlando Orthopaedic Center clinics in Orlando, Florida prior to January 2018. The software upgrade took place in December 2017 and throughout the month, PHI stored on the server became accessible over the Internet without any need for authentication. Orlando Orthopaedic Center only became aware of the exposure of patients’ PHI in February 2018. The discovery of the breach prompted a full investigation, which revealed names, dates of birth, insurance information, employer details, and treatment types were accessible. A limited number of patients also had their Social Security numbers exposed. It is unclear whether any PHI was accessed by unauthorized individuals during the time that the protections were removed. Orlando Orthopaedic Center said it has not received any reports from patients that indicate PHI has been misused and no evidence...

Read More
1.4 Million Patients Warned About UnityPoint Health Phishing Attack
Jul31

1.4 Million Patients Warned About UnityPoint Health Phishing Attack

A massive UnityPoint Health phishing attack has been reported, one in which the protected health information of 1.4 million patients has potentially been obtained by hackers. This phishing incident is the largest healthcare data breach of 2018 by some distance, involving more than twice the number of healthcare records as the California Department of Developmental Services data breach reported in April and the LifeBridge Health breach reported in May. This is also the largest phishing incident to be reported by a healthcare provider since the HHS’ Office for Civil Rights (OCR) started publishing data breaches in 2009 and the largest healthcare breach since the 3,466,120-record breach reported by Newkirk Products, Inc., in August 2016. Email Impersonation Attack Fools Several Employees into Disclosing Login Credentials The UnityPoint Health phishing attack was detected on May 31, 2018. The forensic investigation revealed multiple email accounts had been compromised between March 14 and April 3, 2018 as a result of employees being fooled by email impersonation scams. Business email...

Read More
Confluence Health Informs Patients of Phishing Incident
Jul30

Confluence Health Informs Patients of Phishing Incident

Confluence Health, a not-for-profit health system that operates Central Washington Hospital, Wenatchee Valley Hospital and a dozen satellite clinics in Central and North Central Washington, has experienced a data security incident involving an employee’s email account that may have resulted in unauthorized accessing of patients’ protected health information. The security breach was discovered on May 29, 2018. A digital forensics firm was called in to conduct an investigation, which revealed the email account had been accessed by an unauthorized individual on May 28 and May 30, 2018. The email account only contained a limited amount of protected health information and no highly sensitive data such as Social Security numbers or financial information was exposed. Patients impacted by the incident have had information such as their names and treatment information exposed. Confluence Health had multiple security solutions in place to prevent unauthorized account access and staff had received security awareness training, yet those measures were bypassed by the attacker. While PHI access...

Read More
Lane County Health and Human Services and New England Dermatology Alert Patients to PHI Exposure
Jul27

Lane County Health and Human Services and New England Dermatology Alert Patients to PHI Exposure

The medical records of more than 17,000 patients have been exposed in two recent incidents in Oregon and Massachusetts. Lane County Health and Human Services Alerts Patients to Loss of PHI Lane County Health and Human Services in Oregon is notifying more than 700 patients that some of their protected health information has been lost and has potentially been destroyed. 49 boxes containing patient files were moved to a temporary storage facility while the Charnelton Clinic in Eugene was being renovated. During a routine search, the boxes of files were discovered to be missing from the storage facility on June 19. Multiple teams conducted further searches for the missing boxes but they could not be located. Lane County Health and Human Services suspects the boxes of files have been destroyed along with other paperwork as part of its normal document management practice for non-medical records. However, it has not been possible to confirm whether that was definitely the case. The files contained information such as patients’ full names, addresses, telephone numbers, medical histories...

Read More
Flowers Hospital Proposes $150,000 Settlement for 2014 Data Breach
Jul26

Flowers Hospital Proposes $150,000 Settlement for 2014 Data Breach

A class action lawsuit filed in the wake of an employee-related data breach at Flowers Hospital in Dothan, Alabama in 2014 is heading towards being settled. The settlement has yet to receive final court approval, although approval seems likely and a resolution to this four-year legal battle is now in sight. In contrast to most class action lawsuits filed over the exposure/theft of PHI, this case involved the theft of data by an insider rather than a hacker. Further, the former employee used PHI for identity theft and fraud and was convicted of those crimes. The breach in question involved a former lab technician, Kamarian D. Millender, who was found in possession of paper records containing patients protected health information. Millender admitted to using the information for identity theft and for filing false tax returns in victims’ names. In December 2014, Millender was sentenced to serve two years in jail. In the class action lawsuit, filed the same year, it was claimed that between June 2013 and December 2014, paper records were left unprotected and unguarded at the hospital...

Read More
Blue Springs Family Care Ransomware Attack Impacts 45,000 Patients
Jul25

Blue Springs Family Care Ransomware Attack Impacts 45,000 Patients

Blue Springs Family Care in Missouri has experienced a ransomware attack that has resulted in the encryption of sensitive data. The attack was detected by the healthcare provider’s computer vendor on May 12, 2018.  An investigation was launched the same day by the computer vendor with assistance provided by a contracted third-party computer forensics firm. In contrast to many ransomware attacks which involve a single ransomware variant being downloaded and blind file encryption, the attacker managed to gain access to Blue Springs Family Care systems and installed a variety of malicious software programs in addition to the ransomware. Those malware programs would have given the attacker full access to all Blue Springs Family Care computer systems, including access to all patients protected health information. At the time of issuing notifications to patients, Blue Springs Family Care had not received any reports to suggest that any PHI was stolen and misused by the attacker. However, data access and data theft could not be ruled out. The types of information potentially accessed...

Read More
Boys Town National Research Hospital and NorthStar Anesthesia Discover PHI Compromised in Phishing Attacks
Jul24

Boys Town National Research Hospital and NorthStar Anesthesia Discover PHI Compromised in Phishing Attacks

The phishing attacks on healthcare organizations continue… The past few days have seen two further healthcare organizations announce that email accounts were breached when employees responded to phishing emails. Email Account Compromised at Boys Town National Research Hospital Boys Town National Research Hospital (Boys Town), an Omaha, NE hospital specializing in pediatric deafness, visual and communication disorders, has announced that a recent phishing campaign has resulted in the email account of an employee being accessed by an unauthorized individual. The email account contained the protected health information of 105,309 patients Boys Town first became aware of a security breach on May 23, 2018 when unusual email account activity was detected. Computer forensics experts were called in to investigate and a breach was confirmed to have occurred on May 23. Boys Town painstakingly examined the account email-by-email to determine which patients potentially had their PHI exposed and the amount of PHI that was potentially compromised. The breach was confirmed as being confined to a...

Read More
Golden Heart Administrative Professionals Ransomware Attack Impacts 44,600 Patients
Jul20

Golden Heart Administrative Professionals Ransomware Attack Impacts 44,600 Patients

Golden Heart Administrative Professionals, a Fairbanks, AK-based billing company and business associate of several healthcare providers in Alaska, is notifying 44,600 individuals that some of their protected health information has potentially been accessed by unauthorized individuals as a result of a recent ransomware attack. The ransomware was downloaded to a server containing the PHI of patients. According to a press release issued by the company, “All client patient information must assume to be compromised.” Local and federal law enforcement agencies have been notified about the cyberattack and efforts are continuing to recover files. The Golden Heart Administrative Professionals ransomware attack is the largest data breach reported by a healthcare organization in July, and the second major data breach to be reported by an Alaska-based healthcare organization in July. In early July, the Alaska Department of Health and Social Services announced that it had suffered a data breach as a result of a malware infection. The Zeus/Zbot Trojan – an information stealer – had...

Read More
New York Physician Notifies Patients of Exposure of their PHI
Jul19

New York Physician Notifies Patients of Exposure of their PHI

A New York physician has started notifying patients that their protected health information has been exposed and has been potentially accessed unauthorized individuals. Ruben U. Carvajal, MD was alerted to a possible privacy breach on January 3, 2018 and was informed that some of his patients’ health information was accessible over the Internet. An investigation into the possible privacy breach was launched and the matter was reported to the New York Police Department and the Federal Bureau of Investigation (FBI). FBI investigators visited his office and examined his computer. On February 18, 2018, the FBI confirmed that the EMR program on his computer had been accessed by an unauthorized individual. A forensic investigator was called in to conduct a thorough investigation to determine the nature and scope of the breach. On May 22, 2018 the forensic investigator determined that the physician’s computer had been accessed by an unauthorized individual between December 16, 2017 and January 3, 2018. Any individual that gained access to the physicians’ computer could have gained access...

Read More
Investigation Launched Over Snapchat Photo Sharing at M.M. Ewing Continuing Care Center
Jul19

Investigation Launched Over Snapchat Photo Sharing at M.M. Ewing Continuing Care Center

Certain employees of a Canandaigua, NY nursing home have been using their smartphones to take photographs and videos of at least one resident and have shared those images and videos with others on Snapchat – a violation of HIPAA and serious violation of patient privacy. The privacy breaches occurred at Thompson Health’s M.M. Ewing Continuing Care Center and involved multiple employees. Thompson Health has already taken action and has fired several workers over the violations. Now the New York Department of Health and the state attorney general’s office have got involved and are conducting investigations. The state attorney general’s Deputy Press Secretary, Rachel Shippee confirmed to the Daily Messenger that an investigation has been launched, confirming “The Medicaid Fraud Control Unit’s mission includes the protection of nursing home residents from abuse, neglect and mistreatment, including acts that violate a resident’s rights to dignity and privacy.” Thompson Health does not believe the images/videos were shared publicly and sharing was restricted to a group of employees at the...

Read More
June 2018 Healthcare Breach Report
Jul18

June 2018 Healthcare Breach Report

There was a 13.8% month-over-month increase in healthcare data breaches in June 2018. Data breaches were up, but the breaches were far less severe in June, with 42.48% fewer healthcare records exposed or stolen than in May. In June there were 33 healthcare data breaches reported to the Department of Health and Human Services’ Office for Civil Rights and those breaches saw 356,232 healthcare records exposed or stolen – the lowest number of records exposed in healthcare data breaches since March 2018. Healthcare Data Breaches (January-June 2018) Healthcare Records Exposed (January-June 2018) Causes of Healthcare Data Breaches (June 2018) Unauthorized access/disclosure incidents were the biggest problem area in June, followed by hacking IT incidents. As was the case in May, there were 15 unauthorized access/disclosure breaches and 12 hacking/IT incidents. The remaining six breaches involved the theft of electronic devices (4 incidents) and paper records (2 incidents). There were no reported losses of devices or paperwork and no improper disposal incidents. Healthcare Records Exposed...

Read More
Several Email Accounts Compromised in Sunspire Health and UPMC Cole Phishing Attacks
Jul18

Several Email Accounts Compromised in Sunspire Health and UPMC Cole Phishing Attacks

Two more healthcare organizations have reported phishing attacks that have resulted in cybercriminals gaining access to the protected health information of patients, both of which saw the attackers gain access to multiple email accounts. Sunspire Health, which runs a national network of addition treatment facilities, saw several email accounts compromised as a result of a phishing campaign targeting its employees. The attacks were discovered between April 10, 2018 and May 17, 2018. Forensic investigators were called in to determine the nature and scope of the incidents. The investigation revealed the first email account was compromised on March 1, 2018, with further accounts compromised and accessed by unauthorized individuals up until May 4. No patients have reported misuse of protected health information to Sunspire Health to date, and no evidence was found to suggest the email accounts had been misused, although it is possible that protected health information in the compromised email accounts was accessed and may have been downloaded by the attacker(s). The types of information...

Read More
LabCorp Cyberattack Forces Shutdown of Systems: Investigators Currently Determining Scale of Breach
Jul17

LabCorp Cyberattack Forces Shutdown of Systems: Investigators Currently Determining Scale of Breach

LabCorp, one of the largest clinical laboratories in the United States, has experienced a cyberattack that has potentially resulted in hackers gaining access to patients’ sensitive information; however, data theft appears unlikely as the cyberattack has now been confirmed as being a ransomware attack. It has been suggested that variant of SamSam ransomware was used in the brute force RDP attack, although this has not been confirmed by LabCorp. The Burlington, NC-based company runs 36 primary testing laboratories throughout the United States and the Los Angeles National Genetics Institute. The company performs standard blood and urine tests, HIV tests and specialty diagnostic testing services and holds vast quantities of highly sensitive data. The cyberattack occurred over the weekend of July 14, 2018 when suspicious system activity was identified by LabCorp’s intrusion detection system within 50 minutes of the attack commencing. Prompt action was taken to terminate access to its servers and systems were taken offline to contain the attack. With its systems offline, this naturally...

Read More
Two Employees of the Alive Hospice in Tennessee Fooled by Phishing Scam
Jul16

Two Employees of the Alive Hospice in Tennessee Fooled by Phishing Scam

The email accounts of two employees of the Alive Hospice in Tennessee have been compromised as a result of the employees falling for phishing scams. The email account breaches were identified during a review of the email system on May 15, 2018. During the review, ongoing unauthorized access to the email accounts was detected. Alive Hospice immediately took steps to block third-party access by performing a password reset, and third-party forensics investigators were called in to determine the nature and scope of the breach. The investigation revealed the first email account was compromised on or around December 20, 2017, with the second account compromised on or around April 5, 2018. An analysis of both email accounts revealed they contained the protected health information of patients, which may have been accessed by the person(s) responsible for the attacks. The types of information that may have been accessed varied for each patient and included names, dates of birth, Social Security numbers, driver’s license numbers, passport numbers, financial account numbers, copies of...

Read More
Email Account of Billings Clinic Worker Hacked During Overseas Trip
Jul16

Email Account of Billings Clinic Worker Hacked During Overseas Trip

The email account of an employee of Billings Clinic in Billings, MT, that contained the protected health information of 8,435 patients, has been compromised. The breach was detected by the clinic’s cybersecurity systems on May 14, 2018, with unusual activity triggering an alert. Rapid action was taken to secure the account, although it is possible that the PHI of patients could have been viewed or copied. The information in the account was limited. No financial information was exposed, access to medical records was not gained, and no Social Security numbers were stored in the account. Data in the account had been used for scheduling purposes and related to patients who received medical services between 2008 and 2011. The breach was limited to names, dates of birth, contact information, diagnoses, descriptions of medical services provided, medical record numbers, and internal financial control numbers. The investigation confirmed that the breach was limited to a single email account. While data breaches such as this can easily be caused as a result of employees responding to...

Read More
Children’s Mercy Hospital Sued for 63,000-Record Data Breach
Jul13

Children’s Mercy Hospital Sued for 63,000-Record Data Breach

Legal action has been taken over a phishing attack on Children’s Mercy that resulted in the theft of 63,049 patients’ protected health information. In total, five email accounts were compromised between December 2017 and January 2018. On December, 2, 2017  two email accounts were discovered to have been accessed by an unauthorized individual as a result of employees responding to phishing emails. Links in the emails directed the employees to a website where they were fooled into disclosing their email account credentials. Two weeks later, two more email accounts were compromised in a similar attack, with a fifth and final account compromised in early January. The mailbox accounts of four of those compromised email accounts were downloaded by the attacker, resulting in the unauthorized disclosure of patients’ protected health information. Patients were notified of the breach via a substitute breach notice on the Children’s Mercy website and notification letters were sent by mail. Due to the number of people impacted, the letters were sent out in batches. According to a recent...

Read More
UMC Physicians Discovers Hacker Accessed PHI of Up to 18,000 Patients
Jul13

UMC Physicians Discovers Hacker Accessed PHI of Up to 18,000 Patients

A summary of hacking incidents and employee data breaches recently discovered by healthcare organizations. Hacked Email Account Contained PHI of 18,000 UMC Physicians’ Patients UMC Physicians in Texas is notifying approximately 18,000 patients that some of their protected health information has been exposed as a result of the hacking of a physicians’ email account. The breach occurred on March 15, 2018, although it was not discovered by the UMC Physicians’ IT team until May 18, giving the hacker two months to access the data stored in the account. While the investigation did not uncover any evidence of actual or attempted misuse of PHI, it was not possible to determine with a high degree of certainty that PHI had not been compromised. Consequently, all patients whose PHI was potentially accessed have been offered complimentary credit monitoring and identity theft protection services for 12 months. An analysis of the email account revealed the following information was potentially viewed/obtained by the hacker: Patients’ full names, addresses, phone numbers, medical record numbers,...

Read More
Health Information of Thousands of HIV Patients Exposed by Employee Error
Jul12

Health Information of Thousands of HIV Patients Exposed by Employee Error

An error by an employee of Metro Health has resulted in the exposure of highly sensitive information of patients diagnosed with HIV or AIDS, according to a recent report in the Tennessean. The information was stored in a database which had been copied by the employee onto a server that was accessible by all employees in the Nashville Metro Public Health Department, even though the vast majority of those individuals were not authorized to access the information. The database was only supposed to be accessed by three government scientists. The database was present on the server for nine months before the file was found by an employee and Metro Health officials were notified. During the time that the file was on the server, more than 500 employees could potentially have accessed the database. The database contained information such as names, addresses, lab test results, HIV diagnoses, drug usage, sexual orientation, birth dates, and Social Security numbers. The data came from the Enhanced HIV/AIDS Reporting System – a national database that includes details of patients with HIV and...

Read More
Healthcare Data Breach Costs Highest of Any Industry at $408 Per Record
Jul12

Healthcare Data Breach Costs Highest of Any Industry at $408 Per Record

A recent study conducted by the Ponemon Institute on behalf of IBM Security has revealed the hidden cost of data breaches, and for the first time, the cost of mitigating 1 million-record+ data breaches. The study provides insights into the costs of resolving data breaches and the full financial impact on organizations’ bottom lines. For the global study, 477 organizations were recruited and more than 2,200 individuals were interviewed and asked about the data breaches experienced at their organizations and the associated costs. The breach costs were calculated using the activity-based costing (ABC) methodology. The average number of records exposed or stolen in the breaches assessed in the study was 24,615 and 31,465 in the United States. Last year, the Annual Cost of a Data Breach Study by the Ponemon Institute/IBM Security revealed the cost of breaches had fallen year over year to $3.62 million. The 2018 study, conducted between February 2017 and April 2018, showed data breach costs have risen once again. The average cost of a data breach is now $3.86 million – An annual increase...

Read More
MedEvolve Notifies Patients of PHI Exposure Through Unsecured FTP Server
Jul11

MedEvolve Notifies Patients of PHI Exposure Through Unsecured FTP Server

MedEvolve, a provider of electronic billing and record services to healthcare providers, has announced that an FTP server used by the firm had been left unsecured between March 29, 2018 and May 4, 2018. The FTP server contained a file that included the protected health information of patients. On March 29, the day that the protection was removed, the file was accessed by an unauthorized individual. MedEvolve discovered the breach on May 11, 2018. According to the breach notice submitted to the California Attorney General, the file contained the data of patients of Premier Immediate Medical Care. MedEvolve did not mention in the breach notice how many patients had been affected and the incident has yet to appear of the Department of Health and Human Services’ Breach Portal. However, in May, databreaches.net was alerted to the exposure of data by a security researcher who discovered the unprotected FTP server. According to the report, the file contained approximately 205,000 lines of patient data, each corresponding to a different patient. More than 11,000 Social Security number were...

Read More
Cass Regional Medical Center EHR Out of Action Due to Ransomware Attack
Jul11

Cass Regional Medical Center EHR Out of Action Due to Ransomware Attack

Around 11am on Monday July 9, Cass Regional Medical Center in Harrisonville, MO, experienced a ransomware attack that affected its communication system and prevented staff from accessing its electronic medical record (EHR) system. The medical center had policies in place for such an emergency situation. Its incident response protocol was initiated within 30 minutes of the discovery of the attack and staff met to develop detailed plans to minimize the impact to patients. Ransomware attacks typically do not involve the attackers gaining access to data, although as a precaution, it’s EHR vendor – Meditech – shut down the EHR system while the attack was investigated and remediated. At this stage, no evidence has been uncovered to suggest patient data have been accessed. As an additional precautionary measure, ambulances for trauma and stroke have been redirected to other medical facilities. Without access to the EHR system, staff resorted to pen and paper while its IT staff worked to decrypt data and bring its systems back online. A leading international forensics firm was called in to...

Read More
Former Arkansas Children’s Hospital Employee Investigated Over Potential Theft of 4,500 Patients’ PHI
Jul11

Former Arkansas Children’s Hospital Employee Investigated Over Potential Theft of 4,500 Patients’ PHI

A former employee of Arkansas Children’s Hospital is being investigated by law enforcement over the theft and misuse of patients’ protected health information. According to the breach notice submitted to the Department of Health and Human Services’ Office for Civil Rights, the former employee potentially viewed and copied the PHI of up to 4,521 patients. That individual was employed at Arkansas Children’s Hospital for 15 months between November 7, 2016 and February 6, 2018. During that time the employee was provided with access to patient health information to perform essential functions of the job. On May 9, 2018, law enforcement notified Arkansas Children’s Hospital that an investigation had been launched over the possible theft of patients’ Social Security numbers and personal information and the misuse of that information for personal gain. Arkansas Children’s Hospital immediately launched an investigation to determine the types of information that were potentially accessed and whether patients’ PHI had been accessed without authorization. While that internal investigation...

Read More
PHI Stolen As a Result of Manitowoc County Phishing Attack
Jul06

PHI Stolen As a Result of Manitowoc County Phishing Attack

Manitowoc County in Wisconsin has announced protected health information has been stolen as a result of a successful phishing attack. The incident occurred on or around January 14, 2018, although the attack and data breach was not discovered until April 24. While the account was immediately secured to prevent any further access, the attacker had well over two months to view and obtain sensitive data stored in the email account. During the time that the attacker had email account access, emails sent to that account were diverted to a different email account to which Manitowoc County staff had no access. While County officials have not uncovered any evidence to suggest any of the information in the emails has been misused, they have similarly not been able to establish that sensitive data have not been misused or sold on. The types of information that were stolen include names, telephone numbers, email addresses, addresses, and dates of birth. Individuals who received services through the County have also had their health information, insurance information, details of prescriptions,...

Read More
Sophisticated Cyber Spoofing Attack Reported by Humana
Jul03

Sophisticated Cyber Spoofing Attack Reported by Humana

Humana is notifying members in several states that their PHI has potentially been accessed during a ‘sophisticated’ spoofing attack. A spoofing attack is an attempt by a threat actor or bot to gain access to a system or data using stolen or spoofed login credentials. Humana became aware of the attack on June 3, when large numbers of failed login attempts were detected from foreign IP addresses. Prompt action was taken to block the attack, with the foreign IP addresses blocked from accessing its Humana.com and Go365.com websites on June 4. Humana suggests “the nature of the attack and observed behaviors indicated the attacker had a large database of user identifiers (IDs).” It is possible the login credentials are old and that they were obtained in a separate third-party breach, although Humana notes that “the excessive number of log in failures strongly suggests the ID and password combinations did not originate from Humana.” The website accounts did not contain Social Security numbers or financial information; however, the following types of information could potentially have been...

Read More
Zeus Trojan Infection Potentially Resulted in Theft of PHI from Alaska DHSS
Jul03

Zeus Trojan Infection Potentially Resulted in Theft of PHI from Alaska DHSS

The Alaska Department of Health and Social Services (ADHSS) is notifying ‘more than 500’ individuals that some of their protected health information (PHI) has potentially been accessed and stolen by hackers. On April 26, the ADHSS discovered malware had been installed on an employee’s computer after suspicious behavior was detected. The investigation revealed malware had been installed – a variant of the Zeus/Zbot Trojan – which is known to be used to steal sensitive information. The malware was discovered to have communicated with IP addresses in Russia, although it is not known whether the attackers are based in Russia or just using Russian IP addresses. ADHSS has not confirmed whether protected health information was exfiltrated to those IP addresses, although data access and theft of PHI is a possibility. Under the Health Insurance Portability and Accountability Act, HIPAA-covered entities must report data breaches as soon as possible, but no later than 60 days following the discovery of a breach. AHDSS chose to delay the issuing of notifications until just before...

Read More
Healthcare Worker Charged with Criminally Violating HIPAA Rules
Jul03

Healthcare Worker Charged with Criminally Violating HIPAA Rules

A former University of Pittsburgh Medical Center patient information coordinator has been indicted by a federal grand jury over criminal violations of HIPAA Rules, according to an announcement by the Department of Justice on June 29, 2018. Linda Sue Kalina, 61, of Butler, Pennsylvania, has been charged in a six-count indictment that includes wrongfully obtaining and disclosing the protected health information of 111 patients. Kalina worked at the University of Pittsburgh Medical Center and the Allegheny Health Network between March 30, 2016 and August 14, 2017. While employed at the healthcare organizations, Kalina is alleged to have accessed the protected health information (PHI) of those patients without authorization or any legitimate work reason for doing so. Additionally, Kalina is alleged to have stolen PHI and, on four separate occasions between December 30, 2016, and August 11, 2017, disclosed that information to three individuals with intent to cause malicious harm. Kalina was arrested following an investigation by the Federal Bureau of Investigation. The case was taken up...

Read More
Associated Dermatology & Skin Cancer Clinic of Helena Discloses PHI Breach Impacting 1,254 Patients
Jul02

Associated Dermatology & Skin Cancer Clinic of Helena Discloses PHI Breach Impacting 1,254 Patients

This week, Associated Dermatology & Skin Cancer Clinic of Helena, MT, has disclosed a breach of physical protected health information (PHI) affecting 1,254 patients. A journal maintained by an employee of Associate Dermatology was stolen from her vehicle on May 26, 2018. A thief forcibly gained access to the vehicle and stole the personal journal, which contained information to help the employee with the provision of care to patients. The types of information recorded in the journal included names and ages of patients, their referring physicians, brief notes on patients’ medical histories, reasons for visits, and visit notes. Patients whose PHI has been obtained by the thief had received medical services through Associated Dermatology between September 1, 2017 and May 24, 2018. While highly sensitive information – the types that can be used to steal identities – were not stored in the journal, there is potential the information could be misused, although no reports have been received to date to suggest that is the case. The biggest risk is the use of the information in social...

Read More
Business Email Compromise Attacks Dominate 2017 FBI Internet Crime Report
Jun29

Business Email Compromise Attacks Dominate 2017 FBI Internet Crime Report

The FBI has released its 2017 Internet Crime Report. Data for the report came from complaints made through its Internet Crime Complaints Center (IC3). The report highlights the most common online scams, the scale of Internet crime, and the substantial losses suffered as a result of Internet-related crimes. In 2017, there were 301,580 complaints made to IC3 about Internet crime, with total losses for the year exceeding $1.4 billion. Since 2013, when the first Internet Crime Report was first published, more than $5.52 billion has been lost in online scams and more than 1.4 million complaints have been received. The leading types of online crime in 2017 were non-payment/non-delivery, personal data breaches, and phishing; however, the biggest losses came from business email compromise (BEC) attacks, confidence scams/romance fraud, and non-payment/non-delivery. The losses from business email compromise scams (and email account compromise scams on consumers) exceeded $675 million. BEC/EAC scams resulted in more than three times the losses as confidence fraud/romance scams – the second...

Read More
Michigan Medicine Informs Hundreds of Patients of PHI Exposure
Jun28

Michigan Medicine Informs Hundreds of Patients of PHI Exposure

An unencrypted laptop computer containing the protected health information (PHI) of 870 patients of Michigan Medicine has been stolen. The PHI was saved on a personal laptop computer which had been left unattended in an employee’s vehicle. A thief broke into the car and stole the employee’s bag, which contacted the device. The theft occurred on June 3, 2018 and it was immediately reported to law enforcement. Michigan Medicine was informed of the theft the following day on June 4. The laptop contained a range of protected health information of patients who had participated in research studies. The types of information exposed varied depending on the type of research the patients had participated in. Highly sensitive information such as Social Security numbers, health plan ID numbers, and financial information were not stored on the device and addresses and contact telephone numbers were not exposed. The information exposed was limited to names, medical record numbers, gender, race, diagnoses, and treatment information. All of the research studies had been approved by the...

Read More
Protected Health Information Sent to Incorrect Fax Recipient Over Several Months
Jun27

Protected Health Information Sent to Incorrect Fax Recipient Over Several Months

Faxes containing the protected health information (PHI) of a patient have been sent to an incorrect recipient by OhioHealth’s Grant Medical Center over a period of several months – A violation of patient privacy and the Health Insurance Portability and Accountability Act (HIPAA). The recipient of the faxes, Elizabeth Spilker, tried on numerous occasions to notify Grant Medical Center about the problem and stop the faxes being sent, but her efforts were unsuccessful. She tried faxing back a message on the same number requesting a change to the programmed fax number and tried contacting the medical center by telephone. Spilker later notified ABC6 about the issue and the story was covered in a June 18 report. In the report, Spilker explained that faxes had been received from Grant Medical Center for more than a year. The messages contained a range of protected health information including name, age, weight, medical history, medications prescribed, and other sensitive health information. Typically, the faxes were received at the end of the day. Repeated attempts were made to send the...

Read More
Unencrypted Hospital Pager Messages Intercepted and Viewed by Radio Hobbyist
Jun26

Unencrypted Hospital Pager Messages Intercepted and Viewed by Radio Hobbyist

Many healthcare organizations have now transitioned to secure messaging systems and have retired their outdated pager systems. Healthcare organizations that have not yet made the switch to secure text messaging platforms should take note of a recent security breach that saw pages from multiple hospitals intercepted by a ‘radio hobbyist’ in Missouri. Intercepting pages using software defined radio (SDR) is nothing new. There are various websites that explain how the SDR can be used and its capabilities, including the interception of private communications. The risk of PHI being obtained by hackers using this tactic has been well documented.  All that is required is some easily obtained hardware that can be bought for around $30, a computer, and some free software. In this case, an IT worker from Johnson County, MO purchased an antenna and connected it to his laptop in order to pick up TV channels. However, he discovered he could pick up much more. By accident, he intercepted pages sent by physicians at several hospitals. The man told the Kansas City Star he intercepted pages...

Read More
Washington Health System Suspends Several Employees for Inappropriate PHI Access
Jun21

Washington Health System Suspends Several Employees for Inappropriate PHI Access

Following the alleged inappropriate accessing of patient health records by employees, Washington Health System has taken the decision to suspend several employees while the privacy breach is investigated. While it has not been confirmed how many employees have been suspended, Washington Health System VP of strategy and clinical services, Larry Pantuso, issued a statement to the Observer Reporter indicating around a dozen employees have been suspended, although at this stage, no employees have been fired for inappropriate medical record access. The privacy breaches are believed to relate to the death of an employee of the WHS Neighbor Health Center. Kimberly Dollard, 57, was killed when an out of control car driven by Chad Spence, 43, rammed into the building where she worked. Spence and one other individual were admitted to the hospital after sustaining injuries in the accident. Pantuso did not confirm that this was the incident that prompted the employees to access patients’ medical records, although he did confirm that the alleged inappropriate access related to a “high profile...

Read More
Florida Agency for Persons with Disabilities and Black River Medical Center Report Phishing Incidents
Jun20

Florida Agency for Persons with Disabilities and Black River Medical Center Report Phishing Incidents

Two HIPAA-covered entities have recently disclosed they have been victims of phishing attacks that have potentially resulted in the exposure of patients’ protected health information (PHI).   Further Phishing Attack Reported by Florida Agency for Persons with Disabilities The Florida Agency for Persons with Disabilities (FAPD), which provides support services for people with disabilities such as autism, cerebral palsy, spina bifida, and Downs syndrome, has experienced another phishing attack The phishing attack occurred on April 10, 2018 and was limited to a single email account; however, that account contained the PHI of 1,951 customers or guardians. While no evidence was uncovered to suggest any PHI was viewed or copied by the attacker, PHI access could not be ruled out with 100% certainty. The compromised email account contained information such as names, birth dates, addresses, telephone numbers, health information, and Social Security numbers. All patients have now been notified of the breach and have been offered credit monitoring services for a year without charge. Three...

Read More
May 2018 Healthcare Data Breach Report
Jun19

May 2018 Healthcare Data Breach Report

April was a particularly bad month for healthcare data breaches with 41 reported incidents. While it is certainly good news that there has been a month-over-month reduction in healthcare data breaches, the severity of some of the breaches reported last month puts May on a par with April. There were 29 healthcare data breaches reported by healthcare providers, health plans, and business associates of covered entities in May – a 29.27% month-over month reduction in reported breaches. However, 838,587 healthcare records were exposed or stolen in those incidents – only 56,287 records fewer than the 41 incidents in April. In May, the mean breach size was 28,917 records and the median was 2,793 records. In April the mean breach size was 21,826 records and the median was 2,553 records. Causes of May 2018 Healthcare Data Breaches Unauthorized access/disclosure incidents were the most numerous type of breach in May 2018 with 15 reported incidents (51.72%). There were 12 hacking/IT incidents reported (41.38%) and two theft incidents (6.9%). There were no lost unencrypted electronic devices...

Read More
3-Year Jail Term for VA Employee Who Stole Patient Data
Jun18

3-Year Jail Term for VA Employee Who Stole Patient Data

A former employee of the Veteran Affairs Medical Center in Long Beach, CA who stole the protected health information (PHI) of more than 1,000 patients has been sentenced to three years in jail. Albert Torres, 51, was employed as a clerk in the Long Beach Health System-run medical center – a position he held for less than a year. Torres was pulled over by police officers on April 12 after a check of his license plates revealed an anomaly – plates had been used on a private vehicle, which were typically reserved for commercial vehicles. The police officers found prescription medications which Torres’ did not have a prescription for and the Social Security numbers and other PHI of 14 patients in his vehicle. A subsequent search of Torres’ apartment revealed he had hard drives and zip drives containing the PHI of 1,030 patients and more than $1,000 in cleaning supplies that had been stolen from the hospital. After pleading guilty to several crimes, including identity theft and grand theft, Torres was sentenced to three years in state penitentiary on June 4. Sutter Health Fires...

Read More
PHI Stolen in San Francisco and Corpus Christi Burglaries
Jun15

PHI Stolen in San Francisco and Corpus Christi Burglaries

Two HIPAA-covered entities are alerting patients that some of their protected health information (PHI) has been obtained by thieves in recent burglaries. PHI Taken from Employee of Christus Spohn Hospitals The protected health information of patients of two Christus Spohn Hospitals in Corpus Christi has been stolen in a burglary. A Christus Spohn employee was burgled on April 16, 2018 and PHI was taken including information such as names, birth dates, dates of service, medical record numbers, account numbers, ages, and other medical data. No financial information, driver’s license numbers, or Social Security numbers were compromised. Patients affected by the breach had previously received treatment at Christus Spohn Health System’s Memorial or Shoreline hospitals. While PHI was obtained, the information does not appear to have been misused. Christus Spohn has confirmed that approximately 1,800 patients have been affected by the incident. Steps have already been taken to prevent further incidents of this nature from occurring, and the employee in question has received further...

Read More
PHI Compromised in HealthEquity Phishing Attack
Jun13

PHI Compromised in HealthEquity Phishing Attack

A phishing attack on Draper, UT-based HealthEquity Inc., has resulted in the exposure of members’ protected health information. The data breach was limited to one email account, although an analysis of the messages in the account revealed a range of PHI was potentially obtained by the attacker. Information possibly compromised in the attack was limited to names, email addresses, HealthEquity member ID numbers, employer ID numbers, employer names, health account type, deduction amounts, and for some Michigan-based employees, Social Security numbers. The breach was identified on April 13, 2018 and was discovered to have occurred two days previously, giving the attacker 48 hours to access messages in the account. Access to the compromised account was immediately terminated to prevent any further unauthorized access. A third-party computer forensics firm was engaged to conduct a full investigation into the attack. The investigation confirmed that the breach was limited to a single email account and access was gained due to human error – the employee responding to a phishing message. No...

Read More
1,600 Patients Potentially Impacted by Terros Health Phishing Attack
Jun12

1,600 Patients Potentially Impacted by Terros Health Phishing Attack

An employee of Phoenix-based Terros Health was fooled by a phishing scam and inadvertently handed over login credentials to the attacker. That individual accessed the employee’s email account and potentially viewed or obtained a range of protected health information detailed in individual emails in the account. The breach was limited to one email account and access to other systems was not gained. Terros Health learned of the phishing attack on April 12, 2018 and notified the media on June 8. All patients impacted by the breach have now been notified by mail. An investigation into the attack revealed the employee responded to the phishing email on or around November 16, 2017, which was when the email account was first accessed by the attacker. While almost 1,600 patients potentially had some of their PHI compromised as a result of the attack, for the majority of patients (1,241) the exposed information was limited to names and dates of birth. The remaining patients also had their addresses, email addresses, diagnoses, medical record numbers, and other protected health information...

Read More
3,700 Rise Wisconsin Plan Participants Potentially Impacted by Ransomware Attack
Jun11

3,700 Rise Wisconsin Plan Participants Potentially Impacted by Ransomware Attack

Rise Wisconsin is alerting more than 3,700 plan members that some of their protected health information was potentially accessed by unauthorized individuals during a recent ransomware attack. The ransomware was installed on its network on or around April 8, 2018. The ransomware attack was detected rapidly, although not in time to prevent the encryption of data. Rise Wisconsin (formerly Community Partnerships Inc., and Center for Families) called in third party computer forensics experts to assist with the breach investigation and recovery process. While the investigation did not uncover any evidence to suggest protected health information was accessed or stolen in the attack, it was not possible to rule out data access and data theft with a high degree of certainty. Potentially, the types of data that could have been accessed by the attackers includes names, addresses, dates of birth, Social Security numbers and, for certain patients, a limited amount of health information.  No financial information was compromised. Rise Wisconsin has not disclosed how much the attackers demanded...

Read More
Impostor, Burglar, and Hackers Obtain PHI of Patients
Jun08

Impostor, Burglar, and Hackers Obtain PHI of Patients

A round up of healthcare data security incidents reported in the past few days that have resulted in the protected health information of patients being obtained by unauthorized individuals. Blue Cross Blue Shield of Illinois Discovers PHI was Provided to an Imposter Blue Cross Blue Shield of Illinois has discovered the protected health information of some plan members has been disclosed to a doctor who was impersonating another physician. The doctor was employed by its business associate Dane Street and conducted peer to peer reviews for the firm – Further reviews when requests for services have been denied by an insurance company. Dane Street was notified by law enforcement on April 9, 2018 that the doctor had been fraudulently impersonating another physician in order to perform peer to peer reviews. Those reviews required the doctor to view information such as names, addresses, dates of birth, phone numbers, medical service information, and Social Security numbers. Since Social Security numbers were disclosed, affected patients have been offered complimentary credit...

Read More
Healthcare Employees Accused of Taking PHI to New Employers
Jun07

Healthcare Employees Accused of Taking PHI to New Employers

Two HIPAA-covered entities are notifying patients that former employees have accessed databases and stolen protected health information to take to new employers. Former Hair Free Forever Employee Contacts Patients to Solicit Customers Hair Free Forever, a Ventura, CA-based provider of permanent hair removal treatments, has announced that a former employee has stolen patient information and has been contacting its patients in an attempt to solicit customers. The company uses Thermolysis to permanently remove hair. Since the technique is classed as a medical procedure, Hair Free Forever and its employees are required to comply with HIPAA Rules. In a data breach notice provided to the California attorney general, Hair Free Forever’s Cheryl Conway informs patients that the former employee accessed patient files and the company’s database and stole patients’ protected health information, in clear violation of HIPAA Rules. The data theft came to light when complaints were received from customers who had been contacted and told about the former employee’s new practice. An investigation...

Read More
Multiple Data Breaches Reported by Dignity Health
Jun04

Multiple Data Breaches Reported by Dignity Health

Dignity Health has discovered multiple data breaches and violations of HIPAA Rules in the past few weeks. One incident involved an employee accessing the PHI of patients without authorization, an error occurred that allowed a business associate to receive PHI without a valid BAA being in place, and most recently, a 55,947-record unauthorized access/disclosure incident has been reported to the Department of Health and Human Services’ Office for Civil Rights (OCR). Business Associate Agreement Error Discovered On May 10, 2018, Dignity Health notified OCR of a data breach affecting patients of its St. Rose Dominican Hospitals at the San Martin, Siena, and Rose de Lima campuses in Nevada. Dignity Health reports that on April 6, 2018, St Rose Dominican Hospitals shared the protected health information of 6,036 patients with a third-party contractor to process health-related court documents for hearings. The contractor had been used for ten years and a valid business associate agreement was previously in place; however, that document had expired and data continued to be shared with the...

Read More
Purdue University Uncovers Data Security Incidents that Potentially Compromised PHI
May31

Purdue University Uncovers Data Security Incidents that Potentially Compromised PHI

Two security breaches have been discovered by Purdue University’s security team that have potentially resulted in unauthorized individuals gaining access to the protected health information of patients. In April, Purdue University’s security team discovered a file on computers used by Purdue University Pharmacy indicating the devices had been remotely accessed by an unauthorized individual. The file was placed on the devices around September 1, 2017. The computers contained a limited amount of protected health information including patients’ names, dates of birth, dates of service, identification numbers, internal identification numbers, diagnoses, treatment information, and amounts billed. No personal financial information or Social Security numbers were stored on the computer. An investigation into the breach did not uncover any evidence to suggest any patient information was stolen and no reports have been received to suggest any patient data have been misused. However, since it was not possible to rule out unauthorized PHI access with a high degree of certainty, patients have...

Read More
42,600 Patients Potentially Impacted by Aultman Health Foundation Phishing Attack
May28

42,600 Patients Potentially Impacted by Aultman Health Foundation Phishing Attack

Aultman Health Foundation, which runs Aultman Hospital in Canton, OH, is notifying approximately 42,600 patients that some of their protected health information may have been compromised as a result of a phishing attack. Unauthorized and unknown individuals succeeded in gaining access to several email accounts used by employees of Aultman Hospital, its AultWorks Occupational Medicine division, and certain Aultman physician offices. The unauthorized access was first detected on March 28, 2018 prompting a full investigation to determine the scope of the breach and whether any sensitive information was potentially accessed. Third-party information security experts were engaged to assist with the investigation and determined access to the email accounts occurred on several occasions starting in mid-February and continued until the breach was detected and remediated in late March. The breach was limited to email accounts. The system that stores electronic medical records was not compromised. Email accounts used by Aultman hospital and certain physician practices contained names,...

Read More
More than 6,500 Patients Potentially Impacted by Minnesota Ransomware Attack
May25

More than 6,500 Patients Potentially Impacted by Minnesota Ransomware Attack

Rochester, MN-based Associates in Psychiatry and Psychology (APP) has experienced a ransomware attack that affected several computers containing patients’ protected health information. The ransomware attack was discovered on March 31, 2018. Patient information stored on the affected computers was not in a “human-readable” format, and no evidence was uncovered to suggest any protected health information was accessed or copied by the attackers. Since it was not possible to rule out data access with 100% certainty, all patients whose data were stored on the affected devices have been notified of the security breach. The types of information potentially accessed includes names, birth dates, addresses, Social Security numbers, insurance information, and treatment records. APP acted promptly when the attack was discovered and took its systems offline to prevent the spread of the ransomware and limit the potential for further encryption of data and data theft. APP’s systems remained offline for four days while the attack was assessed. APP notes in its Q&A about the incident that the...

Read More
OCR Plans to Share HIPAA Violation Settlements with Breach Victims
May23

OCR Plans to Share HIPAA Violation Settlements with Breach Victims

The Health Information Technology for Economic and Clinical Health (HITECH) Act was enacted in 2009 and includes a provision that calls for the Department of Health and Human Services to share a percentage of HIPAA settlements with victims of HIPAA violations and data breaches. This month has seen some progress in that area. The Department of Health and Human Services’ Office for Civil Rights has announced it is planning on issuing an advance notice of proposed rulemaking in November about sharing a percentage of the fines it collects through its HIPAA enforcement activities with the victims of data breaches. OCR officials have previously made it clear that steps will be taken to meet the requirements of this HITECH provision, but little progress has been made. This is not the first time that OCR has announced it plans to issue an advance notice of proposed rulemaking on the matter only for the advance notice of proposed rulemaking to be delayed. If OCR follows through on its plans this fall, feedback will be sought from the public and industry stakeholders on how it can achieve...

Read More
538,000 Patients Notified of LifeBridge Health Data Breach
May23

538,000 Patients Notified of LifeBridge Health Data Breach

Earlier this month, the Baltimore-based healthcare provider LifeBridge Health announced it had experienced a data breach. A press release about the breach was issued on May 16, although there was no mention of the number of patients impacted. Further information has now been released on the extent of the breach. On March 18, 2018, LifeBridge Health discovered malware had been installed on a server that hosted the electronic medical record system used by LifeBridge Potomac Professionals and LifeBridge Health’s patient registration and billing systems. The discovery of malware prompted a through investigation to determine when access to the server was first gained. LifeBridge Health contracted a national computer forensics firm to assist with the investigation with the firm establishing that access to the server was first gained 18 months previously on September 27, 2016. The types of information stored on the server included patients’ names, dates of birth, addresses, diagnoses, medications prescribed, clinical and treatment information, insurance details, and a limited number of...

Read More
Indiana Physicians Group Suffers SamSam Ransomware Attack
May22

Indiana Physicians Group Suffers SamSam Ransomware Attack

Allied Physicians Group of Michiana has experienced a ransomware attack that took part of its network out of action. The attack occurred on Thursday May 17, 2018 and resulted in the encryption of several files on its network. It is currently unclear whether any protected health information encrypted. An investigation into the security incident is continuing to determine whether any protected health information was compromised in the attack. The attack was detected promptly and action was immediately taken to shut down its network to protect the PHI of patients. Allied Physicians Group of Michiana has been working with its incident responder, outside counsel, and other professionals to determine the scope of the breach and recover encrypted data. The Indiana Physicians Group reports that all data have now been recovered in a secure format and the attack did not cause significant disruption to patients. Steps have already been taken to improve security and prevent future attacks of this nature from occurring. CEO Shery Roussarie explained in a May 21 press release that the attack...

Read More
Healthcare Data Breach Report: April 2018
May18

Healthcare Data Breach Report: April 2018

April was a particularly bad month for healthcare data breaches with both the number of breaches and the number of individuals impacted by breaches both substantially higher than in March. There were 41 healthcare data breaches reported to the Department of Health and Human Services’ Office for Civil Rights in April. Those breaches resulted in the theft/exposure of 894,874 healthcare records. Healthcare Data Breach Trends For the past four months, the number of healthcare data breaches reported to OCR has increased month over month. For the third consecutive month, the number of records exposed in healthcare data breaches has increased. Causes of Healthcare Data Breaches in April 2018 The healthcare industry may be a big target for hackers, but the biggest cause of healthcare data breaches in April was unauthorized access/disclosure incidents. While cybersecurity defences have been improved to make it harder for hackers to gain access to healthcare data, there is still a major problem preventing accidental data breaches by insiders and malicious acts by healthcare employees....

Read More
Former Employee of Nuance Communications Stole PHI of 45,000 Patients
May16

Former Employee of Nuance Communications Stole PHI of 45,000 Patients

In a recent filing with the U.S. Securities and Exchange Commission, Burlington, MA-based Nuance Communications disclosed it experienced a data breach involving the protected health information of 45,000 individuals in December 2017. Nuance Communications stated in its May 10, 2018 SEC filing that a third party accessed certain reports hosted on a single Nuance transcription platform, which was promptly shut down when unauthorized access was discovered. The filing states law enforcement was notified about the breach and assisted with the investigation and apprehended the individual responsible. There is no mention of when the breach was discovered, although the company has notified all customers who used the platform to allow them to issue notifications to affected individuals. One of those customers, The San Francisco Health Network, published a substitute breach notice on its website on May 11 providing further information on the breach. The breach notice explains that the protected health information of 895 patients who received medical services at Zuckerberg San Francisco...

Read More
Eye Care Surgery Center Data Breach Impacts 2,553 Patients
May15

Eye Care Surgery Center Data Breach Impacts 2,553 Patients

A laptop computer containing the protected health information of 2,553 patients of Eye Care Surgery Center, Inc., of Baton Rouge, LA has been stolen. The theft was discovered by Eye Care Surgery Center on February 26, 2018 although it is unclear where the device was stolen from. The theft prompted Eye Care Surgery Center to install a new multi-camera system at its facilities, both inside and outside buildings. The decision has also been taken to use encryption on most of the portable electronic devices used by Eye Care Surgery Center to prevent protected health information from being exposed in the event that any further portable electronic devices are stolen. An investigation was conducted to determine the types of information stored on the stolen device and the patients affected by the incident. Highly sensitive information such as health insurance information, Social Security numbers, and financial information were not stored on the device and remained secure at all times. The breach was limited to names, birth dates, and diagnosis information. No reports have been received to...

Read More
8,300 Cerebral Palsy Research Foundation of Kansas Patients Informed of 10-Month Exposure of PHI
May14

8,300 Cerebral Palsy Research Foundation of Kansas Patients Informed of 10-Month Exposure of PHI

An oversight has caused a database used by Cerebral Palsy Research Foundation of Kansas (CPRF) to have its security protections removed for a period of 10 months, exposing the protected health information (PHI) of 8,300 patients. The vulnerable demographic database was discovered on March 10, 2018 and was immediately secured. The investigation into the breach determined that while the database had been created on a secure subdomain in early 2000, when CPRF switched its servers in 2017 the database was not identified resulting in the accidental removal of security protections. During the time that the database was vulnerable it is possible that personal and health information was accessed by unauthorized individuals. The breach was limited to personal information and personal health information relating to the type of disability suffered by patients. No financial information or donor information was exposed. Individuals affected by the breach had received services from CPRF between 2001 and 2010. It is unclear whether any of the exposed information was accessed by unauthorized...

Read More
Spate of Phishing Attacks on Healthcare Organizations Sees 90,000 Records Exposed
May10

Spate of Phishing Attacks on Healthcare Organizations Sees 90,000 Records Exposed

The past few weeks have seen a significant rise in successful phishing attacks on healthcare organizations. In a little over four weeks there have been 10 major email hacking incidents reported to the Department of Health and Human Services’ Office for Civil Rights, each of which has resulted in the exposure and potential theft of more than 500 healthcare records. Those ten incidents alone have seen almost 90,000 healthcare records compromised. Recent Email Hacking and Phishing Attacks on Healthcare Organizations HIPAA-Covered Entity Records Exposed Inogen Inc. 29,529 Knoxville Heart Group 15,995 USACS Management Group Ltd 15,552 UnityPoint Health 16,429 Texas Health Physicians Group 3,808 Scenic Bluffs Health Center 2,889 ATI Holdings LLC 1,776 Worldwide Insurance Services 1,692 Billings Clinic 949 Diagnostic Radiology & Imaging, LLC 800 The Oregon Clinic Undisclosed   So far this year there have been three data breaches involving the hacking of email accounts that have exposed more than 30,000 records. Agency for Health Care Administration suffered a 30,000-record breach in...

Read More
Class Action Lawsuit Claims UnityPoint Health Mislead Patients over Severity of Phishing Attack
May08

Class Action Lawsuit Claims UnityPoint Health Mislead Patients over Severity of Phishing Attack

A class action lawsuit has been filed in response to a data breach at UnityPoint Health that saw the protected health information (PHI) of 16,429 patients exposed and potentially obtained by unauthorized individuals. As with many other healthcare data breaches, PHI was exposed as a result of employees falling for phishing emails. UnityPoint Health discovered the security breach on February 15, 2018 and sent breach notification letters to affected patients two months later, on or around April 16, 2018. HIPAA-covered entities have up to 60 days following the discovery of a data breach to issue notifications to patients. Many healthcare organizations wait before issuing breach notifications and submitting reports of the incident to the Department of Health and Human Services’ Office for Civil Rights. Waiting for two months to issue notifications to breach victims could be viewed as a violation of HIPAA Rules. While the maximum time limit for reporting was not exceeded, the HIPAA Breach Notification Rule requires notifications to be sent ‘without unnecessary delay.’ The HHS’ Office for...

Read More
Capital Digestive Care Notifies 17,639 Individuals of PHI Exposure
May08

Capital Digestive Care Notifies 17,639 Individuals of PHI Exposure

The Silver Spring, MD-based gastroenterology group Capital Digestive Care has discovered one of its business associates uploaded files to a commercial cloud server that lacked appropriate security controls, exposing the protected health information of up to 17,639 patients. The availability of sensitive patient data over the Internet was brought to the attention of Capital Digestive Care on February 23, 2018 and action was promptly taken to secure the files and prevent further unauthorized access. An investigation into the privacy breach was launched to determine the types of information that had been exposed and the number of patients impacted. The investigation confirmed some sensitive data had been exposed, although the breach was limited to individuals that had visited its website and submitted information via the Schedule a Visit and Contact pages on the site. The types of information exposed was limited to names, addresses, email addresses, telephone numbers, and birth dates. Patients may also have had a limited amount of health information exposed. The login page to the...

Read More
3 University of Arkansas Medical Sciences Employees Fired for Violation of Patient Privacy
May07

3 University of Arkansas Medical Sciences Employees Fired for Violation of Patient Privacy

University of Arkansas Medical Sciences (UAMS) has fired three employees over alleged HIPAA violations that saw a patient’s protected health information impermissibly disclosed and published on Facebook. UAMS provides training to all employees to make them aware of their responsibilities with respect to patient privacy and the requirements of HIPAA, yet despite that training, one employee violated the privacy of a patient by disclosing that individual’s name, age, HIV status, employment information, and surgical history to a colleague. That employee shared the information with a friend who uploaded the PHI to Facebook. A third employee allegedly played no part in the violation but was aware of the disclosures yet failed to report the incident to the hospital. The hospital took prompt action when the HIPAA violations were discovered and terminated all three employees for violating HIPAA Rules and the hospital’s code of conduct. The hospital is taking steps to ensure similar incidents are prevented and is working with the patient to resolve the privacy violation. The motives of the...

Read More
Protenus Report Highlights Extent of Insider Breaches in Healthcare
May04

Protenus Report Highlights Extent of Insider Breaches in Healthcare

The quarterly breach barometer report from Protenus provides insights into the extent to which insiders are violating HIPAA Rules and snooping on patient health information. The Breach Barometer report is compiled using breach data supplied by Databreaches.net and proprietary data collected through the artificial intelligence platform developed by Protenus that allows healthcare organizations to track and analyze employee EHR activity. Insider breaches are a major problem in healthcare, yet many insider breaches go undetected. When insider breaches are identified, it is often months after the breach has occurred. One healthcare employee was recently discovered to have been accessing medical records without authorization for 14 years. 1.13 Million Patient Records Exposed in Q1, 2018 The latest Breach Barometer report shows the records of 1,129,744 patients and health plan members has been viewed by unauthorized individuals, exposed, or stolen in the first quarter of 2018. Data breaches occurred at a rate of more than one per day, with 110 healthcare data breaches reported in Q1....

Read More
2,889 Patients of Scenic Bluffs Community Health Centers Notified of PHI Breach
May04

2,889 Patients of Scenic Bluffs Community Health Centers Notified of PHI Breach

An unauthorized individual has gained access to the email account of an employee of Scenic Bluffs Community Health Centers and potentially viewed the protected health information of up to 2,889 patients. The email account breach was discovered by the health centers on March 1, 2018, the day after access to the account was gained. The attacker had set up a mail forwarder on the account, which had forwarded 44 messages to an email address controlled by the attacker. None of the forwarded emails contained any protected health information and following the discovery of the mail forwarding rule it was deleted, the account was closed, and all PHI was secured. While no PHI appeared to have been obtained by the attacker, it is possible that during the time that access to the email account was possible, PHI detailed in the emails could potentially have been viewed. It is unclear how access to the email account was gained. Typically email accounts are compromised after employees respond to phishing emails and inadvertently disclose their login credentials, or via brute force attacks that...

Read More
PHI of 3,000 Patients Exposed Due to Mailing Printing Error
May03

PHI of 3,000 Patients Exposed Due to Mailing Printing Error

Maximus Inc, a provider of business process management and technology solutions to government health and human services agencies, is alerting more than 3,000 individuals that some of their protected health information has been accidentally disclosed to other individuals as a result of a printing error on a recent mailing. The mailing was prepared and sent by its business associate, Business Ink, between February 10 and February 13, 2018. The mailing was sent to approximately 1,100 families in Texas who participated in Medicaid and the Children’s Health Insurance Program (CHIP). The error was discovered by Maximus on February 16. The 6-page letter included one mismatched page that included information relating to another individual. The types of information detailed on the page were limited to names, addresses, group numbers, case numbers, and program type. No highly sensitive information such as Social Security numbers, birth dates, insurance information, or financial information was exposed, and none of the information detailed on the mismatched pages would allow another...

Read More
Malware Installed on Florida Hospital Websites May Have Provided Access to PHI
May03

Malware Installed on Florida Hospital Websites May Have Provided Access to PHI

Three websites used by Florida Hospital have been infected with malware that has potentially allowed the threat actors behind the attack to obtain patients’ protected health information. PHI access has not been confirmed and no reports have been received to suggest any protected health information has been misused. Patients are being informed of the breach and, out of an abundance of caution, have been offered complimentary credit monitoring services. The websites impacted are FloridaBariatric.com, FHOrthoInstitute.com and FHExecutiveHealth.com. The data potentially compromised was limited and did not involve any financial information. Potentially, patients’ names, birth dates, email addresses, phone numbers, insurance carriers, the last four digits of their social security numbers, any comments uploaded via the sites, and their height and weight have potentially been obtained by the attackers. The malware attack was limited to the above websites and no other systems were affected. It is unclear what type of malware was uploaded to the websites and how long the malware was present...

Read More
Employee Sent PHI After Being Fired
Apr27

Employee Sent PHI After Being Fired

A bizarre mistake by the Texas Health and Human Services Commission has seen a former employee sent the protected health information of approximately 100 patients after she had been fired. She was sent boxes containing items that had been collected from her old desk, but was also sent a box of benefits application forms. After Tracy Ryans, 51, of Houston, was terminated, HHSC mailed her two boxes containing her personal items, which were left on her porch by the delivery driver. One of the boxes contained personal belongings that included pens, a coffee cup, and old shoes. The other box contained paperwork. Ryans told the Texas Tribune that one of the boxes contained personal items that did not belong to her. They had been taken from a desk she shared with coworkers. The other box was full of paperwork containing highly sensitive personal information of clients. The paperwork included benefits applications that included the Social Security numbers, billing statements, copies of driver’s licenses, and check stubs relating to approximately 100 individuals. The documents were dated...

Read More
85,000 Patients Impacted by California Ransomware Attack
Apr26

85,000 Patients Impacted by California Ransomware Attack

Center for Orthopaedic Specialists is notifying its patients that some of their protected health information was potentially accessed by unauthorized individuals who installed ransomware on its network. The attack impacts all current and former patients of three of its facilities in West Hills, Simi Valley and Westlake Village in California. According to Databreaches.net, 85,000 patients have potentially been impacted. Center for Orthopaedic Specialists was notified by its IT vendor that an unauthorized individual began attempting to access its network on February 18, 2018. Access to the network was gained and ransomware was installed, which was used to encrypt a wide range of files, many of which contained the protected health information of patients. The types of information encrypted by the ransomware included names, details about medical records, dates of birth, and Social Security numbers. Prompt action was taken by the IT vendor to limit the harm caused and the affected system was taken offline rapidly to prevent any exfiltration of data. An investigation into the breach has...

Read More
Web Portal of Transcription Service Provider Discovered to be Leaking PHI
Apr25

Web Portal of Transcription Service Provider Discovered to be Leaking PHI

A transcription service provider has inadvertently left medical records and patient notes unsecured and freely accessible via a physician portal, which should have been password protected. The error has resulted in the exposure of thousands of patients’ PHI. MEDantex provides medical transcription services to many hospitals and physicians, many of whom choose to upload audio files to the MEDantex website. The audio files are accessed by the firm’s employees and transcribed, and documents containing the transcribed notes are uploaded to the portal where they can be downloaded by providers. In order to gain access the portal, a user must be authenticated by means of a password. According to a report on KrebsOnSecurity, certain portions of the website were recently discovered to lack any authentication controls. Anyone visiting the website could, through their browser, gain access to patient data stored on the site. Brian Krebs reports that several of the tools used by MEDantex staff and could also be accessed and used by unauthorized individuals. Those tools allowed unauthorized...

Read More
Report: Healthcare Data Breaches in Q1, 2018
Apr24

Report: Healthcare Data Breaches in Q1, 2018

The first three months of 2018 have seen 77 healthcare data breaches reported to the Department of Health and Human Services’ Office for Civil Rights (OCR). Those breaches have impacted more than one million patients and health plan members – Almost twice the number of individuals that were impacted by healthcare data breaches in Q4, 2017. There was a 10.5% fall in the number of data breaches reported quarter over quarter, but the severity of breaches increased. The mean breach size increased by 130.57% and there was a 15.37% increase in the median breach size. In Q4, 2017, the mean breach size was 6,048 healthcare records and the median breach size was 1,666 records. In Q1, 2018, the mean breach size was 13,945 records and the median breach size was 1,922 records. Between January 1 and March 31, 2018, 1,073,766 individuals had their PHI exposed, viewed, or stolen compared to 520,141 individuals in Q4, 2017. Individuals Impacted by Healthcare Data Breaches in Q1, 2018 Throughout 2017, healthcare data breaches were occurring at a rate of more than one per day. Compared to 2017,...

Read More
1,000 Mental Health Patients’ PHI Accidentally Disclosed for 3 and a Half Years
Apr20

1,000 Mental Health Patients’ PHI Accidentally Disclosed for 3 and a Half Years

1,071 patients who received medical services at the Des Moines Crisis Observation Center operated by Polk County Health Services Inc., have been informed that some of their protected health information has been “accidentally and unknowingly disseminated” over a period of three and a half years. The breach was discovered on February 14, 2018, although the investigation revealed that information first started being disclosed on June 1, 2014 and continued until January 11, 2018. The types of information disclosed includes patients’ names along with Social Security numbers, home addresses, Medicaid ID numbers, admission dates, and discharge locations. Through the Crisis Observation Center, Polk County Health Services provides mental health services for residents of Polk County, IA and is the regional administrator and governing board for mental health and disability services for the county. Polk County Health Services is aware of the individual(s) to whom the information has been disclosed and was able to determine exactly the types of information that has been received by those...

Read More
California Dept. of Developmental Services Notifies 582,000 Patients of Potential PHI Compromise
Apr19

California Dept. of Developmental Services Notifies 582,000 Patients of Potential PHI Compromise

The California Department of Developmental Services (DDS) is notifying 582,174 patients that their protected health information has potentially been compromised. On February 11, 2018, thieves broke into the DDS legal and audits offices in Sacramento, CA. During the time the thieves were in the offices they potentially had access to the sensitive information of approximately 15,000 employees, contractors, job applicants, and parents of minors who receive DDS services, in addition to the PHI of more than half a million patients. The thieves also stole 12 government computers. It does not appear that the perpetrators were interested in paper records and all computers taken by the thieves were encrypted so data access was not possible. DDS has confirmed that none of the office computers were used to gain access to the department’s network and electronic protected health information remained secure at all times. In its substitute breach notice, DDS explained that its offices were vandalized and a fire was started, which triggered the sprinkler system causing damage to documents and CDs....

Read More
Texas Health Resources Notifies 4,000 Patients of Email Account Breach
Apr17

Texas Health Resources Notifies 4,000 Patients of Email Account Breach

Arlington-based Texas Health Resources, a provider group serving more than 1.7 million patients in North Texas, is notifying ‘fewer than 4,000 patients’ that some of their sensitive information may have been accessed by an unauthorized individual. The data breach occurred as early as October 2017, although it was not discovered until January 17, 2018, when the health system was notified of a breach by law enforcement. The potentially compromised data was saved in email accounts that the attacker had access to for up to three months. The delay in issuing breach notification letters, which would normally have to be issued within 60 days of the discovery of the breach under HIPAA Rules, was at the request of law enforcement. HIPAA covered entities are permitted to delay the issuing of notifications if law enforcement believes such an act would impede an investigation. Law enforcement has only recently given the OK to start sending notifications. It is unclear whether the law enforcement investigation resulted in the apprehension of a suspect. Texas Health Resources explained in its...

Read More
Analysis of March 2018 Healthcare Data Breaches
Apr16

Analysis of March 2018 Healthcare Data Breaches

There has been a month-over-month increase in healthcare data breaches. In March 2018, 29 security incidents were reported by HIPAA covered entities compared to 25 incidents in February. Even though more data breaches were reported in March, there was a fall in the number of individuals impacted by breaches. March 2018 healthcare data breaches saw 268,210 healthcare records exposed – a 13.13% decrease from the 308,780 records exposed in incidents in February. Causes of March 2018 Healthcare Data Breaches March saw the publication of the Verizon Data Breach Investigations Report which confirmed the healthcare industry is the only vertical where more data breaches are caused by insiders than hackers. That trend continued in March. Unauthorized access/disclosures, loss of devices/records, and improper disposal incidents were behind 19 of the 29 incidents reported – 65.5% of all incidents reported in March. The main cause of healthcare data breaches in March 2018 was unauthorized access/disclosure incidents. 14 incidents were reported, with theft/loss incidents the second main cause...

Read More
Several Employee Email Accounts Compromised in UnityPoint Health Phishing Attack
Apr16

Several Employee Email Accounts Compromised in UnityPoint Health Phishing Attack

UnityPoint Health has discovered the email accounts of several employees have been compromised and accessed by unauthorized individuals. Access to the employee email accounts was first gained on November 1, 2017 and continued for a period of three months until February 7, 2018, when the phishing attack was detected and access to the compromised email accounts was blocked. Upon discovery of the phishing attack, UnityPoint Health engaged the services of a computer forensics firm to investigate the scope of the breach and the number of patients impacted. The investigation revealed a wide range of protected health information had potentially been obtained by the attackers, which included names in combination with one or more of the following data elements: Medical record number, date of birth, service dates, treatment information, surgical information, lab test results, diagnoses, provider information, and insurance information. The security breach has yet to appear on the Department of Health and Human Services’ breach portal, so it is currently unclear exactly how many patients have...

Read More
Oxygen Equipment Manufacturer Discovers Credential Theft Incident Potentially Impacts 30,000
Apr16

Oxygen Equipment Manufacturer Discovers Credential Theft Incident Potentially Impacts 30,000

Inogen, a manufacturer of portable oxygen concentrators, has discovered an unauthorized individual has obtained the credentials of an employee and has used them to gain access to the employee’s email account. Phishing and other credentials theft incidents are common in the healthcare sector, although what makes this incident stand out is the number of individuals impacted by the attack. The compromised email account contained the personal information of approximately 30,000 individuals who had previously been provided with oxygen supply devices. The types of information potentially viewed and obtained by the attacker include name, telephone number, address, email address, date of birth, date of death, types of equipment provided, Medicare ID number and health insurance information. Medical records, Social Security numbers, and payment card information were not compromised. Also notable is the length of time it took to discover the breach. Inogen reports that access to the email account was first gained on January 2, 2018 and continued until March 14. Forensic investigators were...

Read More
Integrated Rehab Consultants Takes 16 Months to Notify Patients of PHI Breach
Apr12

Integrated Rehab Consultants Takes 16 Months to Notify Patients of PHI Breach

The Chicago, IL-based physiatry group Integrated Rehab Consultants is sending notification letters to certain patients alerting them to the exposure of some of their protected health information, as is required by HIPAA. However, the breach was not discovered in the past 60 days. Integrated Rehab Consultants (IRC) first became aware of the exposure of PHI on December 2, 2016 – 16 months ago. The data – which included patients’ full names, address, date of birth, gender, medical provider information, visit date, visit status, admission date, appointment visit ID, treatment location, procedure code, and diagnosis codes – had been uploaded to a publicly accessible repository. The PHI was discovered by a healthcare security researcher who notified IRC about the breach. Prompt action was taken to remove and secure the data and an investigation was launched to determine how and why the data had been uploaded to an insecure location. That investigation determined that a business associate who had been provided with the PHI had disclosed the information to a third party. It was that...

Read More
Baptist Health Alerts Almost 1,500 Patients to Possible Abuse of Credit Card Details
Apr11

Baptist Health Alerts Almost 1,500 Patients to Possible Abuse of Credit Card Details

A former employee of Baptist Health’s West Kendall Baptist Hospital in Miami, FL has been discovered to have stolen the credit card details of patients and used the information to make fraudulent purchases. The misuse of credit cards was discovered by Baptist Health on March 9, 2018 and the matter was referred to Miami-Dade law enforcement and the employee was terminated. Baptist Health has not specified exactly how many patients have been confirmed to have been defrauded by the employee, although 1,480 patients have been sent breach notification letters to alert them to the possibility that their credit card details may have been misused. Any patient who paid for medical services using a credit card with the registration employee between August 2014 and March 2018 have potentially had their name, date of birth, and credit card details stolen and misused. As a precaution, all 1,480 patients have been offered identity theft protection and credit monitoring services for 12 months without charge and have been advised to check their credit card statements carefully for any unauthorized...

Read More
63,500 Patients Impacted by Middletown Medical Data Breach
Apr11

63,500 Patients Impacted by Middletown Medical Data Breach

A misconfigured security setting on a radiology interface has resulted in the exposure of tens of thousands of patients’ protected health information. Middletown Medical, a multi-specialty physicians’ group based in Middleton, NY, discovered the misconfigured security setting on January 29, 2018. The following day the interface was secured to ensure unauthorized individuals were prevented from accessing patient information. It is unclear for how long patient data was accessible. Middletown Medical says only a limited number of patients’ PHI could have been accessed by unauthorized individuals. Highly sensitive information such as financial data, Social Security numbers, and insurance information were not exposed. The breach was limited to names, client identification numbers, birth dates, confirmation that radiology services had been received by patients, and the dates those services were provided. A limited number of patients also had diagnosis codes, radiology images, and radiology reports exposed. The discovery of the error prompted Middletown Medical to review its polices and...

Read More
2 to 6 Year Jail Term for Receptionist Who Stole PHI from Dentist Office
Apr11

2 to 6 Year Jail Term for Receptionist Who Stole PHI from Dentist Office

A former receptionist at a New York dental practice has been sentenced to serve 2 to 6 years in state penitentiary for stealing the protected health information of hundreds of patients. Annie Vuong, 31, was given access to the computer system and dental records of patients in order to complete her work duties. Vuong abused the access rights and stole the PHI of more than 650 patients. That information was passed to her co-defendants who used the data to steal identities and make fraudulent purchases of high value items. Vuong was arrested on February 2, 2015, following a two-and-a-half-year investigation into identity theft by the New York District Attorney’s Office. The theft of data occurred between May and November 2012, when the PHI of 653 patients was taken from the dental office. The types of information stolen included names, birth dates, and Social Security numbers. That information was shared with co-defendant Devin Bazile in an email. Bazile used the information to obtain credit lines from Barclaycard in the victims’ names. Credit ranged from $2,000 to $7,000 per...

Read More
Chesapeake Regional Healthcare Reports PHI of 2,100 Patients Was Stored on Lost Hard Drives
Apr09

Chesapeake Regional Healthcare Reports PHI of 2,100 Patients Was Stored on Lost Hard Drives

Body: Chesapeake Regional Healthcare has discovered two hard drives containing the protected health information (PHI) of approximately 2,100 patients are missing from the Chesapeake Regional Medical Center campus in Chesapeake, Virginia. The data stored on the devices relates to individuals who took part in studies at its Sleep Center between April 2015 and February 2018. It is currently unclear exactly when the hard drives went missing. Chesapeake Regional Healthcare discovered the devices were missing on February 6, 2018. An internal investigation was launched, and a full search of the facility was conducted, but the devices could not be located. The missing hard drives have been reported as lost/stolen to law enforcement, but Chesapeake Regional Healthcare said the probability of the devices being recovered is low and it does not expect the devices to be found. The hard drives were not encrypted. If obtained by a third party, the protected health information of patients could potentially be accessed. The types of information stored on the devices includes names, demographic...

Read More
Oregon Data Breach Notification and Information Security Laws Updated
Apr06

Oregon Data Breach Notification and Information Security Laws Updated

Oregon has updated its data breach notification law to improve protections for state residents whose personal information is exposed in a data breach. State governor Kate Brown added her signature to Senate Bill (SB 1551) last month, which updates several regulations, notably Oregon’s Breach Notification Law, O.R.S. 646A.604 and Information Security Law, O.R.S. 646A.622. The updates will become effective in June 2018. Prior to the update, Oregon data breach notification law only applied to persons who own or license personal information. Now, the definition of a person is “an individual, private or public corporation, partnership, cooperative, association, estate, limited liability company, organization or other entity, whether or not organized to operate at a profit, or a public body as defined in ORS 174.109.” A data breach is defined as “an unauthorized acquisition of computerized data that materially compromises the security, confidentiality or integrity of personal information that a person maintains.” The definition of personal information has been expanded to include a first...

Read More
Verizon PHI Breach Report Confirms Healthcare Has Major Problem with Insider Breaches
Apr03

Verizon PHI Breach Report Confirms Healthcare Has Major Problem with Insider Breaches

Verizon has released its annual Protected Health Information Breach Report which delves deep into the main causes of breaches, why they occur, the motivations of internal and external threat actors, and the main threats to the confidentiality, integrity, and availability of PHI. For the report, Verizon analyzed 1,368 healthcare data breaches and incidents where protected health information (PHI) was exposed but not necessarily compromised. The data came from 27 countries, although three quarters of the breached entities were based in the United States where there are stricter requirements for reporting PHI incidents. In contrast to all other industry sectors, the healthcare industry is unique as the biggest security threat comes from within. Insiders were responsible for almost 58% of all breaches with external actors confirmed as responsible for just 42% of incidents. The main reason for insider breaches is financial gain. PHI is stolen to commit identity theft, credit card fraud, insurance fraud, and tax fraud. Verizon determined that 48% of all internal incidents were conducted...

Read More
Law Enforcement Notifies Cambridge Health Alliance About PHI Breach
Apr03

Law Enforcement Notifies Cambridge Health Alliance About PHI Breach

Cambridge Health Alliance (CHA) in Massachusetts has been notified by law enforcement that the protected health information of some of its patients has been discovered in the possession of an unauthorized individual. On January 31, 2018, Everett Massachusetts Police Department notified CHA that files containing the PHI of some of its patients had been discovered in the possession of an individual unauthorized to have the information. After being notified of the breach, CHA conducted an internal investigation into the breach and examined the files. At least one of the files contained PHI related to billing which included patients’ names, addresses, dates of birth, Social Security numbers, employer information, charges for healthcare services, and discharge dates. The data related to billing from 2013. According to a breach notice sent to affected individuals by the law firm BakerHostetler on behalf of CHA, the breach impacted four individuals in New Hampshire, all of whom have been offered complimentary credit monitoring and identity theft protection services through Experian. While...

Read More
6,800 CareFirst BCBS Members Impacted by Phishing Attack
Apr02

6,800 CareFirst BCBS Members Impacted by Phishing Attack

A phishing attack on CareFirst Blue Cross Blue Shield has resulted in the exposure of 6,800 plan members’ protected health information. The attack was detected by CareFirst on March 12, 2018, prompting a thorough investigation, which included a forensic analysis of the email system and CareFirst’s systems in general. In addition to the internal investigation by the CareFirst IT security team, a third-party information security firm also investigated the attack. The analyses did not uncover any evidence to suggest emails in the compromised account had been opened by the attacker; however, the emails in the account did contain some protected health information and data access could not be ruled out with a high degree of certainty. Once access to the account was gained, the attacker sent phishing emails to individuals in a contact list. Those individuals were not employed by or affiliated with CareFirst BCBS. The emails were sent with the intention of gaining further login credentials. No malware was involved. While 6,800 individuals have potentially been impacted by the incident,...

Read More
Security Breaches in Healthcare in the Last Three Years
Mar30

Security Breaches in Healthcare in the Last Three Years

There have been 955 major security breaches in healthcare in the last three years that have resulted in the exposure/theft of 135,060,443 healthcare records. More than 41% of the population of the United States have had some of their protected health information exposed as a result of those breaches, which have been occurring at a rate of almost one a day over the past three years. There has been a steady rise in reported security beaches in healthcare in the last three years. In 2015 there were 270 data breaches involving more than 500 records reported to the Department of Health and Human Services’ Office for Civil Rights. The figure rose to 327 security breaches in 2016, and 342 security breaches in 2017. More healthcare security breaches are being reported than at any other time since HIPAA required covered entities to disclose data breaches, although the number of individuals affected by healthcare data breaches has been declining year-over year for the past three years. In 2015, a particularly bad year for healthcare industry data breaches, 112,107,579 healthcare records were...

Read More
3,751 Patients’ PHI Exposed on Internet for More Than 30 Months
Mar30

3,751 Patients’ PHI Exposed on Internet for More Than 30 Months

The Arc of Erie County New York (The Arc), a provider of person-centered services to individuals with developmental disabilities, has discovered two spreadsheets containing the protected health information of 3,751 patients were accessible on the Internet without the need for authentication for more than 30 months. Between July 2015 and February 2018, the two spreadsheets could be accessed over the Internet by unauthorized individuals as a result of a coding error on the website. The coding error saw a link included on the website that allowed the spreadsheets to be accessed. Individuals affected by the breach, many of whom are developmentally disabled, had been enrolled in certain programs offered by The Arc. The Arc spreadsheets contained sensitive information such as names, Social Security numbers and diagnosis codes. When the error was discovered in February, The Arc deactivated the link to prevent any further disclosures of PHI and contacted a computer forensics and data security firm to investigate the breach and help take corrective action to limit the harm caused to...

Read More
Data Breach Impacts Almost 14,000 Family Members of Subscribers
Mar30

Data Breach Impacts Almost 14,000 Family Members of Subscribers

The Special Agents Mutual Benefit Association (SAMBA) health plan is alerting almost 14,000 individuals about a February 2018 breach of protected health information. The breach affects eligible family members of subscribers who were covered by the Federal Employees Health Benefits Plan in 2017. It is an Internal Revenue Service (IRS) requirement for SAMBA to mail a copy of Form 1095-B to all plan subscribers each tax year. The form supports plan members’ and covered family members’ compliance with the Affordable Care Act’s individual mandate. The forms for the 2017 tax year were mailed on or soon after February 19, 2018; however, a programming error resulted in the forms being populated with information relating to other subscribers’ family members. Instead of detailing the subscribers’ family members covered by their health plan, the forms included the names and Social Security numbers of other subscribers’ family members and the dates of health insurance coverage in 2017.  The forms were also incorrectly dated 2016. SAMBA notes that no subscribers’ Social Security numbers were...

Read More
Server Misconfiguration Results in the Exposure of 42,000 Patients’ PHI
Mar28

Server Misconfiguration Results in the Exposure of 42,000 Patients’ PHI

Tens of thousands of patients of a New York medical practice have had their protected health information exposed online due to a misconfigured server. It is currently unclear if anyone other than the security researcher who discovered the problem has accessed the data. The server misconfiguration was identified on January 25, 2018 by Chris Vickery, director of cyber risk research at Upguard. In a March 26 blog post Vickery explained that he identified an exposed port typically used for remote synchronization (rsync). While access should have been limited to specific whitelisted IP addresses, the port was misconfigured and allowed anyone to access the data. All that was required to access the server was its IP address. Vickery identified two sections in the repository, one of which – named backupwscohen – was publicly accessible and contained several files that included highly sensitive information. A virtual hard drive was also accessible that was discovered to contain staff details, including spouse information, children’s names, and in some cases, Social Security numbers. An...

Read More
Research Suggests Healthcare Data Breaches Cause 2,100 Deaths a Year
Mar27

Research Suggests Healthcare Data Breaches Cause 2,100 Deaths a Year

A researcher at Vanderbilt University has conducted a study that suggests mortality rates at hospitals increase following a data breach as a result of a drop in the standard of care. The researcher estimates healthcare data breaches may cause as many as 2,100 deaths a year in the United States. The study was conducted by Owen Graduate School of Management researcher, Dr. Sung Choi. The findings of the study were presented at a recent cyberrisk quantification conference at Philadelphia’s Drexel University LeBow College of Business. Cyberattacks can have a direct impact on patient care, which has been clearly highlighted on numerous occasions over the past 12 months. Ransomware and wiper malware attacks have crippled information systems and have forced healthcare providers to cancel appointments, while the lack of access to patient health records can cause treatment delays. Notable attacks that caused major disruption were the NotPetya wiper and WannaCry ransomware attacks last year, with the latter causing major problems for the National Health Service in the UK. Choi explained that...

Read More
Class Action Lawsuit Seeks Damages for Victims of CVS Caremark Data Breach
Mar26

Class Action Lawsuit Seeks Damages for Victims of CVS Caremark Data Breach

An alleged healthcare data breach that saw the protected health information of patients of CVS Caremark exposed has resulted in legal action against CVS, Caremark, and its mailing vendor, Fiserv. The lawsuit, which was filed in Ohio federal court on March 21, 2018, relates to an alleged privacy breach that occurred as a result of an error that affected a July/August 2017 mailing sent to approximately 6,000 patients. In July 2017, CVS Caremark was contracted to operate as the pharmacy benefits manager for the Ohio HIV Drug Assistance Program (PhDAP), and under that program, CVS Caremark provides eligible patients with HIV medications and communicates with them about prescriptions. In July/August 2017, CSV Caremark’s mailing vendor Fiserve sent letters to patients containing their membership cards and information about how they could obtain their HIV medications. In the lawsuit the complaint alleges HIV-related information was clearly visible through the plastic windows of the envelopes, allowing the information to be viewed by postal service workers, family members, and roommates....

Read More
Theft of Unencrypted Laptop Sees Pathology Lab Patients’ PHI Exposed
Mar26

Theft of Unencrypted Laptop Sees Pathology Lab Patients’ PHI Exposed

An unencrypted laptop computer issued to an employee of Clinical Pathology Laboratories Southeast, Inc., (CPLSE) has been stolen, exposing the protected health information of certain patients and their payment guarantors. Prompt action was taken by CPLSE to prevent the laptop from being used to connect to its network and the theft was reported to law enforcement; however, it is possible that the protected health information stored on the laptop could have been viewed by unauthorized individuals. An internal investigation was conducted to determine the types of information stored on the device which indicated the following PHI elements were potentially exposed: Names, addresses, driver’s license numbers, Social Security numbers, government ID numbers, medical record numbers, and medical treatment information. Patients have now been notified of the breach and advised of the steps they can take to protect themselves against misuse of their data. Complimentary credit monitoring and identity theft protection services have been offered to affected individuals. Steps have also been taken...

Read More
ATI Physical Therapy Data Breach Impacts 35,000 Patients
Mar22

ATI Physical Therapy Data Breach Impacts 35,000 Patients

ATI Physical Therapy has discovered the protected health information of more than 35,000 patients has potentially been compromised when threat actors gained access to the email accounts of some of its employees. A security breach was identified on January 18, 2018 when ATI Physical Therapy discovered the direct deposit information of some of its employees had been changed in its payroll platform. Prompt action was taken to protect its employees and external forensic investigators were called in to determine the full extent and scope of the breach. The investigation revealed the email accounts of certain employees had been compromised and were accessed by unauthorized individuals between January 9 and January 12, 2018. An analysis of the emails in the accounts revealed they contained the protected health information of tens of thousands of patients. The types of information potentially compromised varied per impacted individual, but may have included names, dates of birth, credit/debit card numbers, driver’s license numbers, state ID numbers, Social Security numbers,...

Read More
Insider Data Breaches Continue to Plague the Healthcare Industry
Mar21

Insider Data Breaches Continue to Plague the Healthcare Industry

Protenus has published its February Healthcare Breach Barometer Report. The report includes healthcare data breaches reported to the Department of Health and Human Services’ Office for Civil Rights or disclosed to the media in February 2018. The report, compiled from data collected from databreaches.net, indicates at least 348,889 healthcare records were confirmed as breached in February, although that figure will be considerably higher as the number of people affected by 11 breaches is not yet known. There were 39 security breaches involving protected health information in February – a slight rise from the 37 breaches reported in January, although the number of records exposed was down from January’s total of 473,807 records. Insider breaches continue to pose problems for healthcare providers with 16/39 incidents (41%) involving insiders. Those incidents resulted in the exposure/theft of 51% of all records confirmed as having been exposed or stolen in February. Protenus notes that 94% of insider breaches were the result of errors by healthcare employees, with only one confirmed...

Read More
Ransomware Attack on Finger Lakes Health Cripples Computers
Mar21

Ransomware Attack on Finger Lakes Health Cripples Computers

Geneva, NY-based Finger Lakes Health has experienced a ransomware attack that has crippled its computer system. Staff have been forced to work on pen and paper while the health system attempts to remove the malware and restore access to electronic data. The ransomware attack on the health system started at around midnight on Sunday March 18, 2018, with staff becoming aware of the attack when a ransom demand was issued by the attackers. Finger Lakes Health operates Geneva General Hospital and Soldiers & Sailors Memorial Hospital in Pen Yan and several specialty care practices, primary care physician practices, long-term health facilities, and day care centers in upstate New York. It is unclear exactly how many facilities have been impacted by the ransomware attack. Finger Lakes Health has developed emergency procedures for attack scenarios such as this, which were immediately implemented when the attack was discovered. On March 20, the health system issued a statement to local media channels about the attack explaining that while some of its information systems were...

Read More
RoxSan Pharmacy Notifies 1,049 Patients About 2015 Email Breach
Mar20

RoxSan Pharmacy Notifies 1,049 Patients About 2015 Email Breach

Beverly Hills, CA-based RoxSan Pharmacy has notified 1,049 patients that some of their protected health information has been disclosed to a business associate via unencrypted email. The notification letters were mailed to affected individuals last month, although the incident occurred on January 20, 2015. In a recent press release, RoxSan explained that affected individuals are being notified in “as timely a manner as possible”. The delay in issuing notifications was due to “the protected nature of the forensic investigation”. It is unclear when RoxSan Pharmacy became aware of the error. The protected health information was included in a data file that was sent to a single individual – A business associate of the pharmacy – who worked in the legal field. That individual had signed a business associate agreement with the pharmacy and was aware of the responsibilities of HIPAA with respect to patients’ PHI. However, the PHI was exposed as the data file was sent via unencrypted email. The data file only contained a limited amount of protected health information and did not...

Read More
Healthcare Data Breach Statistics
Mar20

Healthcare Data Breach Statistics

We have compiled healthcare data breach statistics from October 2009 when the Department of Health and Human Services’ Office for Civil Rights first started publishing summaries of healthcare data breaches on its website. The healthcare data breach statistics below only include data breaches of 500 or more records as smaller breaches are not published by OCR. The breaches include closed cases and breaches still being investigated by OCR. Our healthcare data breach statistics clearly show there has been an upward trend in data breaches over the past 9 years, with 2017 seeing more data breaches reported than any other year since records first started being published. There have also been notable changes over the years in the main causes of breaches. The loss/theft of healthcare records and electronic protected health information dominated the breach reports between 2009 and 2015, although better policies and procedures and the use of encryption has helped reduce these easily preventable breaches. Our healthcare data breach statistics show the main causes of healthcare data breaches...

Read More
Analysis of February 2018 Healthcare Data Breaches
Mar19

Analysis of February 2018 Healthcare Data Breaches

Our February 2018 healthcare data breach report details the major data breaches reported by healthcare providers, health plans, and business associates in February 2018. Summary of February 2018 Healthcare Data Breaches February may have been a shorter month, but there was an increase in the number of healthcare data breaches reported to the Department of Health and Human Services’ Office for Civil Rights. In February, HIPAA covered entities and business associates reported 25 breaches – a 19% month on month increase in breaches. While there was a higher breach tally this month, the number of healthcare records exposed as a result of healthcare data breaches fell by more than 100,000. In January 428,643 healthcare records were exposed. February 2018 healthcare data breaches saw 308,780 healthcare records exposed. Largest Healthcare Data Breaches of February 2018 The largest healthcare data breaches reported to the Office for Civil Rights in February are listed below. Covered Entity Covered Entity Type Individuals Affected Type of Breach Location of PHI St. Peter’s Surgery...

Read More
Multiple Email Accounts Compromised at Primary Health Care
Mar18

Multiple Email Accounts Compromised at Primary Health Care

Primary Health Care Inc., a non-profit network of community health centers in Des Moines, Marshalltown and Ames, IA, has discovered malicious actors have gained access to the email accounts of four employees and have potentially viewed or obtained patients’ protected health information. Primary Health Care issued a press release and uploaded a substitute breach notice to its website on March 16, 2018 explaining the breach occurred on February 28, 2017. The breach was detected the following day on March 1, 2017. Primary Health Care is in the process of notifying affected patients and will be reporting the incident to the Department of Health and Human Services’ Office for Civil Rights. No explanation is provided as to why the breach took a year to report. Primary Health Care responded quickly to the breach and terminated access to the compromised email accounts and hired a third-party computer forensics expert to conduct an investigation into the attack. The investigation revealed access to four email accounts and their associated Google Drives was gained by the attacker(s),...

Read More
Almost 10,000 Individuals Notified of Improper PHI Disposal Incident by ShopRite
Mar15

Almost 10,000 Individuals Notified of Improper PHI Disposal Incident by ShopRite

A ShopRite pharmacy in Millville, New Jersey has discovered an electronic device used to capture the signatures of customers has been disposed of without first wiping the device of all stored protected health information. A limited amount of protected health information was stored on the device, which included patients’ names, dates of birth, phone numbers, zip codes, prescription numbers, medication names, signatures, date and time of collection/delivery, and in some cases, details of over-the-counter medications containing pseudoephedrine (PSE). The device was used by customers to acknowledge the store’s privacy policy and payment for prescriptions by insurance carriers. Information was also collected on sales of products containing PSE to meet legal requirements. Individuals affected by the incident had collected prescriptions or purchased PSE products between 2007 and 2013. The device was disposed of in June 2016. The improper disposal of the device is not understood to have resulted in PHI being compromised and no reports of PHI access or misuse have been received by ShopRite,...

Read More
QuadMed Discovers PHI of More than 9,850 Patients Was Impermissibly Disclosed to Employees
Mar14

QuadMed Discovers PHI of More than 9,850 Patients Was Impermissibly Disclosed to Employees

QuadMed, a Wisconsin-based provider of medical, laboratory, pharmacy, fitness, and physical therapy services, has discovered the protected health information of 9,854 patients has potentially been impermissibly disclosed to certain employees. In November 2013, QuadMed took over an onsite clinic at Hillenbrand Inc. Occupational health information of employees of the Batesville, IN-based manufacturer was maintained in an electronic medical record system and access to the system was shared with QuadMed. Certain QuadMed employees required access to the data for the administration of occupational health matters. Take overs of clinics at WI-based Stoughton Trailers and Whirlpool Corporation’s Clyde, OH plant also saw occupational health-related information in EMRs shared with the firm and made accessible to some of its employees. On December 26, 2017, QuadMed discovered a technical issue affected the PHI stored in the EMRs used at the Hillenbrand and Stoughton Trailers clinics which allowed its employees to access more than the minimum necessary amount of PHI than was permissible....

Read More
PHI of 33,420 BJC Healthcare Patients Exposed on Internet for 8 Months
Mar13

PHI of 33,420 BJC Healthcare Patients Exposed on Internet for 8 Months

The protected health information of 33,420 patients of BJC Healthcare has been accessible on the Internet for eight months without any need for authentication to view the information. BJC Healthcare is one of the largest not-for profit healthcare systems in the United States. The St. Louis-based healthcare organization runs two nationally recognized hospitals in Missouri – Barnes-Jewish Hospital and St. Louis Children’s Hospital along with 13 others. The health system employs more than 31,000 individuals, has over 154,000 hospital admissions and performs more than 175,000 home health visits a year. On January 23, 2018, BJC Healthcare performed a security scan which revealed one of its servers had been misconfigured which allowed sensitive information to be accessed without authentication. Action was immediately taken to reconfigure and secure the server to prevent data from being accessed. The investigation revealed an error had been made configuring the server on May 9, 2017, leaving documents and copies of identification documents accessible. Highly sensitive...

Read More
HIMSS Survey Reveals Top Healthcare Security Threats
Mar09

HIMSS Survey Reveals Top Healthcare Security Threats

HIMSS has published the results of its annual healthcare cybersecurity survey, which provides insights into the state of cybersecurity in healthcare and identifies the top healthcare security threats. The HIMSS 2018 cybersecurity survey was conducted on 239 respondents from the healthcare industry between December 2017 and January 2018. The results of the survey were announced at the HIMSS 2018 Conference & Exhibition in Las Vegas. 36.8% of respondents had positions in executive management and 37.2% were employed in non-executive management positions. The remaining 25.9% were in non-management positions such as cybersecurity specialists and analysts. 41.2% of respondents were primarily responsible for cybersecurity, 32.6% had some responsibility, and 11.8% sometimes had responsibility for cybersecurity. Most Healthcare Organizations Have Experienced a Significant Security Incident in the Past 12 Months The threat of healthcare cyberattacks is greater than ever and the past 12 months has been a torrid year. In the past 12 months, 75.7% of respondents said they had experienced a...

Read More
Alabama Data Breach Notification Act Passed by State Senate
Mar08

Alabama Data Breach Notification Act Passed by State Senate

The Alabama Data Breach Notification Act (Senate Bill 318) has advanced for consideration by the House of Representatives after being unanimously passed by the Alabama Senate last week. Alabama is one of two states that has yet to introduce legislation that requires companies to issue notifications to individuals whose personal information is exposed in data breaches. The other state – South Dakota – is also considering introducing similar legislation to protect state residents. The Alabama Data Breach Notification Act, proposed by Sen. Arthur Orr (R-Decatur), requires companies doing business in the state of Alabama to issue notifications to state residents when their sensitive personal information has been exposed and it is reasonably likely to result in breach victims coming to substantial harm. Entities that would be required to comply with the Alabama Data Breach Notification Act are persons, sole proprietorships, partnerships, government entities, corporations, non-profits, trusts, estates, cooperative associations, and other business entities that acquire or use sensitive...

Read More
EmblemHealth Fined $575,000 by NY Attorney General for HIPAA Breach
Mar07

EmblemHealth Fined $575,000 by NY Attorney General for HIPAA Breach

A 2016 mailing error by EmblemHealth that saw the Health Insurance Claim Numbers of 81,122 plan members printed on the outside of envelopes has resulted in a $575,000 settlement with the New York Attorney General. While all mailings include a unique patient identifier on the envelope, in this case the potential for harm was considerable as Health Insurance Claim numbers are formed using the Social Security numbers of plan members. Announcing the settlement, New York Attorney General Eric T. Schneiderman explained that Health Insurance Portability and Accountability Act (HIPAA) Rules require HIPAA covered entities to implement administrative, physical, and technical safeguards to ensure the confidentiality of patients’ and plan members’ protected health information. The error that saw Social Security numbers exposed violated HIPAA Rules. EmblemHealth failed to comply with “many standards and procedural specifications” required by HIPAA. Attorney General Schneiderman also said that printing Social Security numbers on the outside of envelopes violated New York General Business Law §...

Read More
16,000 Individuals Impacted by Two Email-Related Breaches
Mar06

16,000 Individuals Impacted by Two Email-Related Breaches

Two email-related data breaches have been reported that have resulted in the disclosure of the protected health information of more than 16,000 individuals. Flexible Benefit Service Corporation Breach Impacts 5,123 Individuals Flexible Benefit Service Corporation (Flex), a Chicago-Il-based general agency and benefit administrator serving health insurance carriers, has announced the discovery of a phishing attack that resulted in an unauthorized individual gaining access to a corporate email account. The security breach was detected on December 6, 2017 when an email account of a company employee was discovered to be sending phishing emails. The email account was compromised after a single employee responded to a phishing email and disclosed login credentials to the email account. A third-party forensics firm was contracted to conduct an investigation into the breach and ascertain the extent of the attacker’s activities. The investigation highlighted the likely intentions of the attacker. Once access to the email account was gained, the attacker performed searches looking for details...

Read More
How to Report a HIPAA Violation Anonymously
Mar06

How to Report a HIPAA Violation Anonymously

In this post we explain how to report a HIPAA violation anonymously if you feel your (or someone else’s) privacy has been violated of if HIPAA Rules are not being followed in your organization. When Can an Alleged HIPAA Violation be Reported? Most healthcare organizations go to great lengths to ensure they are in compliance with HIPAA Rules, but occasionally HIPAA regulations are violated by management or employees. In such cases, a complaint can be lodged with the Department of Health and Human Services’ Office for Civil Rights (OCR) – the main enforcer of HIPAA Rules. However, complaints will only result in action being taken if the complaint is submitted within 180 days of the date of discovery that HIPAA Rules were violated. In limited cases, when there is ‘good cause’ that it was not possible to file a complaint within 180 days, an extension may be granted. Note that OCR cannot investigate any alleged violation of the HIPAA Privacy Rule that occurred before April 14, 2003 or Security Rule violations that occurred before April 20, 2005 because compliance with those...

Read More
New York Surgery & Endoscopy Center Discovers 135,000-Record Data Breach
Mar05

New York Surgery & Endoscopy Center Discovers 135,000-Record Data Breach

A malware infection at St. Peter’s Surgery & Endoscopy Center in New York has potentially allowed hackers to gain access to the medical records of almost 135,000 patients. This is the second largest healthcare data breach of 2018, the largest to hit New York state since the 3,466,120-record data breach at Newkirk Products, Inc. in August 2016, and the fifth largest healthcare data breach in New York since the Department of Health and Human Services’ Office for Civil Rights started publishing data breach summaries in October 2009. The data breach at St. Peter’s Surgery & Endoscopy Center was discovered on January 8, 2018: The same day as hackers gained access to its server. The rapid detection of the malware limited the time the hackers had access to the server and potentially prevented patients’ data from being viewed or copied. However, while no evidence of data access or data theft was discovered, it was not possible to rule either out with a high degree of certainty. In its substitute branch notice, St. Peter’s Surgery & Endoscopy Center says the servers it uses...

Read More
Window Envelope Privacy Breach Exposes ID Numbers of 70,320 Tufts Health Plan Members
Mar02

Window Envelope Privacy Breach Exposes ID Numbers of 70,320 Tufts Health Plan Members

Tufts Health Plan is alerting 70,320 of its members that their health plan member ID numbers have been exposed. A mailing vendor used by Tufts Health Plan sent Tufts Medicare Preferred ID cards to Medicare Advantage members between December 11, 2017 and January 2, 2018. Window envelopes were used which naturally allowed plan members’ names and addresses to be seen, but Tufts Health Plan member IDs were also visible through the plastic windows of the envelopes. The mailing error was discovered by Tufts Health Plan on January 18. Tufts Health Plan notes that its member IDs are not comprised of Social Security numbers or Medicare numbers, but potentially the member ID numbers could be misused by individuals to receive services covered by the health plan. Legal experts were consulted about the breach to assess the potential risk to plan members. The risk of misuse of the numbers is believed to be very low as the only individuals likely to see the member IDs would be employees of the postal service. Plan members have been told that in the unlikely event that their member IDs are misused...

Read More
Hacking Responsible for 83% of Breached Healthcare Records in January
Mar01

Hacking Responsible for 83% of Breached Healthcare Records in January

The latest installment of the Protenus Healthcare Breach Barometer report has been released. Protenus reports that overall, at least 473,807 patient records were exposed or stolen in January, although the number of individuals affected by 11 of the 37 breaches is not yet known. The actual total is likely to be considerably higher, possibly taking the final total to more than half a million records. The report shows insiders are continuing to cause problems for healthcare organizations. Insiders were the single biggest cause of healthcare data breaches in January. Out of the 37 healthcare data breaches reported in January 12 were attributed to insiders – 32% of all data breaches. While insiders were the main cause of breaches, the incidents affected a relatively low number of individuals – just 1% of all records breached. Insiders exposed 6,805 patient records, although figures could only be obtained for 8 of the 12 breaches. 7 incidents were attributed to insider error and five were due to insider wrongdoing. Protenus has drawn attention to one particular insider breach. A nurse...

Read More
Ransomware Attack Impacts 6,550 Jemison Internal Medicine Patients
Feb28

Ransomware Attack Impacts 6,550 Jemison Internal Medicine Patients

On December 20, 2017, a ransomware attack on Jemison Internal Medicine of Alabama resulted in electronic health records being encrypted, preventing the healthcare provider from gaining access to patient data. A ransom demand was issued for the keys to unlock the encryption although no payment was made to the attacker. Jemison Internal Medicine had viable backups of electronic protected health information and restored data after reinstalling the operating system on affected computers. An analysis of its system post-data restoration revealed no traces of the malicious software remained. While ransomware attacks are often indiscriminate and occur as a result of employees responding to phishing emails, this attack was more targeted. The investigation into the security breach revealed an unauthorized individual had gained access to Jemison Internal Medicine’s computer system and had access for a period of approximately 3 months. The investigation did not uncover any evidence to suggest the EMR system was accessed by the attacker, although it was not possible to rule out data access with...

Read More
Medical University of South Carolina’s Hard Line on HIPAA Violations Sees 13 Fired in a Year
Feb27

Medical University of South Carolina’s Hard Line on HIPAA Violations Sees 13 Fired in a Year

According to a recent report in the Post and Courier, the Medical University of South Carolina (MUSC) terminated 13 employees last year for violating HIPAA Rules by snooping on patient records. In total, there were 58 privacy violations in 2017 at MUSC, all of which have been reported to the Department of Health and Human Services’ Office for Civil Rights. All of the breaches affected only small numbers of patients. Out of the 58 breaches, 11 incidents were categorized as snooping on medical records. Other breaches were unauthorized disclosures such as when the health information of a patient is accidentally sent or faxed to the wrong person. Over the past five years, there have been 307 breaches detected at MUSC, resulting in 30 members of non-physician staff being fired. None of the breaches have been listed on the OCR breach portal, which only shows breaches impacting 500 or more individuals. Under HIPAA Rules, all PHI breaches must be reported, although it is only large breaches of more than 500 records that are made public and are detailed on the breach portal. The revelations...

Read More
Patients Notified of White and Bright Family Dental Server Hack
Feb22

Patients Notified of White and Bright Family Dental Server Hack

Fresno, CA-based White and Bright Family Dental has discovered one of its servers containing patients’ protected health information has been accessed by hackers. Access to the server was gained by the attackers on January 30, 2018. The Fresno Police Department was immediately notified of the incident “so that identification and prosecution of those involved could begin.” That investigation, along with the internal White and Bright Family Dental investigations, are continuing. The dental practice is also in the process of augmenting its security protections to prevent further incidents of this nature from occurring. While HIPAA covered entities have up to 60 days following the discovery of a breach to issue notifications to patients and the Department of Health and Human Services, White and Bright Family Dental acted quickly and sent notifications in the shortest possible time frame to allow victims to take steps to protect their identities. Letters were sent to patients on February 16 and the state attorney general’s office was notified of the breach on February 19. White and...

Read More
1,900 UVA Patients’ PHI Accessed by Hacker Behind FruitFly Malware
Feb22

1,900 UVA Patients’ PHI Accessed by Hacker Behind FruitFly Malware

Almost 1,900 patients of University of Virginia Health System are being notified that an unauthorized individual has gained access to their medical records as a result of a malware infection. The malware had been loaded onto the devices used by a physician at UVa Medical Center. When medical records were accessed by the physician, the malware allowed the hacker to view the data in real time. The malware was first loaded onto the physician’s electronic devices on May 3, 2015, with access possible until December 27, 2016. Over those 19 months, the hacker was able to view the medical records of 1,882 patients. The types of information seen by the hacker included names, addresses, dates of birth, diagnoses, and treatment information, according to a UVa spokesperson. Financial information and Social Security numbers were not exposed as they were not accessible by the physician. Access to the protected health information of its patients stopped in late 2016, although UVa did not discover the breach for almost a year. UVa was notified of the security breach by the FBI on December 23,...

Read More
Sutter Health Notifies Patients of Business Associate Phishing Incident
Feb20

Sutter Health Notifies Patients of Business Associate Phishing Incident

Sutter Health is notifying certain patients that some of their protected health information has been exposed following a phishing attack on one of its business associates – the legal firm Salem and Green. On or around October 11, 2017, a phishing email was received by a staff member at Salem and Green, the response to which gave the attackers access to that individual’s email account. Upon discovery of the attack, a forensics firm was contracted to perform an analysis of the affected computer and network to determine the extent of the attack and whether any sensitive information had been obtained. The investigation revealed the security breach was limited to a single email account and that access to the account was only possible for two days. During the time that the email account was accessible, the attacker had access to all emails in the account, some of which contained the protected health information of certain Sutter Health patients. The types of information potentially accessed by the attacker was limited to names, dates of birth, driver’s license numbers, Social Security...

Read More
AJMC Study Reveals Common Characteristics of Hospital Data Breaches
Feb20

AJMC Study Reveals Common Characteristics of Hospital Data Breaches

The American Journal of Managed Care has published a study of hospital data breaches in the United States. The aim of the study was to identify common characteristics of hospital data breaches, what the biggest problem areas are, the main causes of security incidents and the types of information most at risk. The study revealed hospitals are the most commonly breached type of healthcare provider, accounting for approximately 30% of all large healthcare security incidents reported to the Department of Health and Human Services’ Office for Civil Rights by providers between 2009 and 2016. Over that 7-year time period there were 215 breaches reported by 185 nonfederal acute care hospitals and 30 hospitals experienced multiple breaches of 500 or more healthcare records. One hospital experienced 4 separate breaches in the past 7 years, five hospitals had 3 breaches, and 24 hospitals experienced 2 breaches. In addition to hospitals experiencing the highest percentage of security breaches, those breaches also resulted in the theft/exposure of the highest number of health records. While...

Read More
Another Major Triple-S Advantage Data Breach Has Occurred: 36,000 Affected
Feb15

Another Major Triple-S Advantage Data Breach Has Occurred: 36,000 Affected

The Puerto Rico Health Plan Triple-S Advantage has experienced a privacy breach that has impacted 36,000 plan members. The breach was the result of a mailing error which saw sensitive information of plan members disclosed to incorrect individuals. The protected health information exposed as a result of the mailing was limited and did not include Social Security numbers or financial information; however, plan members’ ID numbers were impermissibly disclosed along with names, dates of service, and treatment codes. The mailing error occurred in November but was not discovered by Triple-S until December 5, 2017. An extensive investigation was launched to determine how the error occurred and action has now been taken to ensure that similar errors do not occur in future mailings to plan members and healthcare providers. Triple-S said in its substitute breach notice that its mailing processes have been changed and that those processes have now been tested. Another mailing run has been conducted and copies of the original letters have now been sent to the correct addresses. Affected plan...

Read More
January 2018 Healthcare Data Breach Report
Feb14

January 2018 Healthcare Data Breach Report

Our January 2018 Healthcare Data Breach Report details the healthcare security incidents reported to the Department of Health and Human Services’ Office for Civil Rights in January 2018. There were 21 security breaches reported to OCR in January which is a considerable improvement on the 39 incidents reported in December 2017. Last month saw 428,643 healthcare records exposed. While there was a 46.15% drop in the number of healthcare data breaches reported in January month over month, 87,022 more records were exposed or stolen than in December. January was the third consecutive month where the number of breached records increased month over month. The mean breach size in January was 20,412 records – very similar to the mean breach size in December 2017 (20,487 records). However, the high mean value was due to a particularly large breach of 279,865 records reported by Oklahoma State University Center for Health Sciences. In January, the healthcare data breaches reported were far less severe than in December. In January the median breach size was 1,500 records. In December it was...

Read More
Coastal Cape Fear Eye Associates Ransomware Attack Impacts 925 Patients
Feb14

Coastal Cape Fear Eye Associates Ransomware Attack Impacts 925 Patients

A Coastal Cape Fear Eye Associates ransomware attack has seen the protected health information of 925 patients compromised. North Carolina’s Coastal Cape Fear Eye Associates, P.A., discovered its systems had been breached on December 5. 2017. Upon discovery of the ransomware attack, Coastal Cape Fear Eye Associates brought in external IT professionals to contain the attack and remove the ransomware. The IT consultants were able to limit the harm caused and the malware was removed, although some files remained locked and inaccessible for some time. According to a substitute breach notice uploaded to the healthcare provider’s website on February 1, 2018, the delay in issuing notifications to affected patients was because it was not possible to access certain files to determine what information was involved and which patients were affected. Coastal Cape Fear Eye Associates has only recently been able to access all encrypted files. Under HIPAA Rules, healthcare organizations are required to report ransomware attacks unless the attacked entity establishes there was a low probability of...

Read More
$100,000 Settlement Shows HIPAA Obligations Don’t End When a Business Closes
Feb14

$100,000 Settlement Shows HIPAA Obligations Don’t End When a Business Closes

HIPAA covered entities and their business associates must abide by HIPAA Rules, yet when businesses close the HIPAA obligations do not end. The HHS’ Office for Civil Rights (OCR) has made this clear with a $100,000 penalty for FileFax Inc., for violations that occurred after the business had ceased trading. FileFax is a Northbrook, IL-based firm that offers medical record storage, maintenance, and delivery services for HIPAA covered entities. The firm ceased trading during the course of OCRs investigation into potential HIPAA violations. An investigation was launched following an anonymous tip – received on February 10, 2015 – about an individual that had taken documents containing protected health information to a recycling facility and sold the paperwork. That individual was a “dumpster diver”, not an employee of FileFax. OCR determined that the woman had taken files to the recycling facility on February 6 and 9 and sold the paperwork to the recycling firm for cash. The paperwork, which included patients’ medical records, was left unsecured at the recycling facility. In...

Read More
How Many HIPAA Violations in 2017 Resulted in Financial Penalties?
Feb11

How Many HIPAA Violations in 2017 Resulted in Financial Penalties?

We are often asked about healthcare data breaches and HIPAA violations and two of the most recent questions are how many HIPAA violations in 2017 resulted in data breaches and how many HIPAA violations occurred in 2017. How Many HIPAA Violations Occurred in 2017? The problem with determining how many HIPAA violations occurred in 2017 is many violations are not reported, and out of those that are, it is only the HIPAA breaches that impact more than 500 individuals that are published by the Department of Health and Human Services’ Office for Civil Rights on its breach portal – often incorrectly referred to as the “Wall of Shame”. To call it a ‘Wall of Shame’ is not fair on healthcare organizations because the breach reports show organizations that have experienced data breaches, NOT organizations that have violated HIPAA Rules. Even organizations with multi-million-dollar cybersecurity budgets, mature security defenses, and advanced employee security awareness training programs can experience data breaches. All it takes if for a patch not to be applied immediately or an employee to...

Read More
Ron’s Pharmacy Services Notifies Patients of Email Account Breach
Feb09

Ron’s Pharmacy Services Notifies Patients of Email Account Breach

San Diego, CA-based Ron’s Pharmacy Services has discovered an email account containing limited protected health information has been compromised by an unknown individual. Suspicious activity was identified on an employee’s email account on October 3, 2017 prompting an investigation; however, it was not until December 21, 2017 that it was determined that an unauthorized individual had accessed messages in the email account containing patient information. An analysis of the emails in the account showed only a limited amount of PHI was compromised: Names, internal account numbers, and payment adjustment information, while a small number of patients also had details of their prescription medications compromised. While PHI access was confirmed, Ron’s Pharmacy is unaware of any misuse of patient information. Ron’s Pharmacy has now notified patients about the breach and reported the incident to the appropriate authorities. In its Feb 2 substitute breach notice, Ron’s Pharmacy explained that rapid action was taken to secure the account and prevent further access. Login credentials were...

Read More
Aetna Seeks At Least $20 Million in Damages from Firm Responsible for HIV Status Data Breach
Feb08

Aetna Seeks At Least $20 Million in Damages from Firm Responsible for HIV Status Data Breach

Aetna has taken legal action against an administrative support company over a July 2017 data breach that saw details of HIV medications visible through the clear plastic windows of envelopes in a mailing. Letters inside some of the envelopes had slipped, making the words ““when filling prescriptions for HIV medications” clearly visible to anyone who saw the envelopes. The privacy breach was condemned by the Legal Action Center and AIDS Law Project of Pennsylvania, who along with Berger & Montague, P.C., filed a class action lawsuit against Aetna seeking damages for breach victims. In January, Aetna settled the lawsuit for $17.16 million. Last month, Aetna also settled violations of HIPAA and state laws for $1.15 million with the New York attorney general over the same breach. The class action was only one of seven filed against the health insurer, and further fines from state attorneys general are to be expected. Several other attorneys general have opened investigations into the breach and may also determine that state laws have been violated. The costs associated with the...

Read More
24,000 Decatur County General Hospital Patients Notified About Malware-Related Data Breach
Feb08

24,000 Decatur County General Hospital Patients Notified About Malware-Related Data Breach

Decatur County General Hospital in Tennessee has discovered malware has been installed on a server housing its electronic medical record system. The attacker potentially gained access to the medical records of up to 24,000 patients. An unauthorized software installation was discovered on November 27, 2017 by the hospital’s medical record system vendor, which is also responsible for maintaining the server on which the system is installed. An investigation revealed the software was a form of malware known as a cryptocurrency miner. Crytptocurrency mining is the use of computer processors to verify cryptocurrency transactions and add them to the public ledger containing details of all transactions since the currency was created. The process of verifying transactions requires computers to solve complex computational problems. Cryptocurrency mining can be performed by anyone with a computer, and in return for solving those computational problems, the miner is rewarded with a small payment for verifying the transaction. A single computer can be used to earn a few dollars a day performing...

Read More
PHI of 842 Western Washington Medical Group Patients Exposed
Feb07

PHI of 842 Western Washington Medical Group Patients Exposed

The protected health information of 842 patients of Western Washington Medical Group was exposed in November 2017. Documents containing sensitive health information were accidentally disposed of with regular trash. On November 13, 2017, the janitorial service used by the medical group emptied shredding bins with regular trash. Instead of sensitive documents being permanently destroyed in accordance with HIPAA Rules, they were emptied into regular trash bins. Western Washington Medical Group discovered the error the following day, but too late to recover the documents as the trash had already been collected and taken to landfill sites for disposal. The breach was limited, but individuals impacted have had a range of sensitive information exposed including names, addresses, medical history forms, diagnoses, medical histories, appointment dates, and health insurance billing information. Patients impacted by the breach had previously visited WWMG Orthopedic, Sports and Spine centers for medical services. Notification letters were sent to all affected individuals by first class mail on...

Read More
Partners HealthCare Notifies 2,600 Patients About May 2017 Breach of PHI
Feb06

Partners HealthCare Notifies 2,600 Patients About May 2017 Breach of PHI

Partners HealthCare System is alerting approximately 2,600 patients that some of their protected health information has been compromised. While HIPAA covered entities have up to 60 days following the discovery of a breach to report the incident to OCR (if the breach impacts 500 or more individuals) and notify breach victims, this incident occurred and was discovered in May 2017. The delay in reporting the incident was due to difficulty identifying patient data which was mixed together with computer code. The breach was a malware incident that was discovered on May 8, 2017 when the healthcare system’s intrusion monitoring system detected suspicious activity. Prompt action was taken to block the malware and third-party forensics consultants were called in to assist with the investigation. The investigators concluded that this was not a targeted attack on Partners HealthCare, and the malware did not provide the attackers with access to its electronic medical record system. However, the investigation did reveal access to certain data was possible as a result of user activity on...

Read More
11,200 CarePlus Health Plan Members Notified of PHI Breach
Feb05

11,200 CarePlus Health Plan Members Notified of PHI Breach

A privacy incident has been experienced by Miami, FL-based CarePlus Health Plans which has seen certain plan members’ protected health information accidentally disclosed to other plan members. Explanation of benefits statements were mailed to its plan members on January 9 and January 16, 2018, although on January 17, CarePlus became aware that some of the statements had been sent to incorrect individuals. The EoB statements included names, addresses, dates of service, providers of services, the services that had been provided, CarePlus identification numbers and CarePlus health plan names. Highly sensitive information such as Social Security numbers and financial information were not detailed on the EoB statements. CarePlus has not received any reports to suggest any of the disclosed information has been misused. The mismailing incident has been investigated by CarePlus and action has been taken to prevent any similar privacy incidents from occurring in the future. CarePlus says the mismailing incident was due to a series of programming and printing errors. Breach...

Read More
Lawsuit Over HIPAA Breach by Mail Service Survives Motion to Dismiss
Feb02

Lawsuit Over HIPAA Breach by Mail Service Survives Motion to Dismiss

A mail service – Press America, Inc – used by a pharmacy benefit manager – CVS Pharmacy – is being sued over an accidental disclosure of 41 individuals’ protected health information. CVS Pharmacy is a business associate of a health plan and is contracted to provide a mail-order pharmacy service for the health plan. The mail service is a subcontractor of CVS Pharmacy, and both entities are bound by HIPAA Rules. CVS Pharmacy signed a business associate agreement with the health plan, and Press America did likewise with CVS Pharmacy as PHI was required in order to perform the mailings. CVS Pharmacy alleges the HIPAA Privacy Rule was violated by Press America when it inadvertently disclosed PHI to unauthorized individuals due to a mismailing incident. The disclosure of some plan members’ PHI was accidental, but the privacy breach violated a performance standard in the CVS Pharmacy’s contract with the health plan. By violating the performance standard, the CVS Pharmacy was required to pay the health plan $1.8 million. A lawsuit was filed by the CVS Pharmacy seeking...

Read More
Phishing Attack on Business Associate Exposes Forrest General Hospital Patients’ PHI
Feb02

Phishing Attack on Business Associate Exposes Forrest General Hospital Patients’ PHI

The management consulting company HORNE LLP, a business associate of Forrest Health’s Forrest General Hospital, is notifying certain hospital patients that some of their protected health information (PHI) has potentially been obtained by a third party after access was gained to the email account of one of its employees. HORNE provides certain Medicare reimbursement services to Forrest General Hospital and as such, requires access to patients’ PHI. HORNE became aware of an email account breach on November 1, 2017 when it discovered the email account of an employee was being used to send phishing emails. The discovery prompted the shut down of the email account and an investigation into a potential breach was launched. That investigation revealed an unauthorized individual had gained access to the employee’s email account the previous day as a result of the employee responding to a phishing email. The phishing attack was investigated by a third-party investigator to determine the nature and extent of the breach and whether the PHI of any patients had been exposed. The investigation...

Read More
PHI of 660 Eastern Maine Medical Center Patients Exposed
Feb02

PHI of 660 Eastern Maine Medical Center Patients Exposed

Eastern Maine Medical Center is notifying 660 patients that some of their protected health information has been exposed. The sensitive information was stored on a portable hard drive that has gone missing from its State Street facility, in Bangor, ME. The device lacked encryption and data on the device could be accessed without the need for a password. Theft has not been confirmed, but the device could not be located during a search of its facility. The drive was last seen in its usual place on December 19, 2017 and was noticed to be missing on December 22. The device belonged to a business associate of Eastern Maine Medical Center and contained limited patient information. No Social Security numbers, financial information, or health insurance details were present on the device, only full names, birth dates, dates of service, medical record numbers, one-word condition descriptors, and procedural images. The patients impacted by the breach had visited the medical center for cardiac ablation procedures between January 3, 2011 and December 11, 2017. Not all patients who visited the...

Read More
Massachusetts Online Breach Reporting Tool Launched: Data Breaches Soon to Be Publicly Listed
Feb02

Massachusetts Online Breach Reporting Tool Launched: Data Breaches Soon to Be Publicly Listed

Massachusetts Attorney General Maura Healey has announced the launch of a new online data breach reporting tool. The aim is to make it as easy as possible for breached entities to submit breach notifications to the Attorney General’s office. Under Massachusetts data breach notification law (M.G.L. c. 93H), organizations experiencing a breach of personal information must submit a notification to the Massachusetts attorney general’s office as soon as it is practicable to do so and without unnecessary delay. Breaches must also be reported to the Director of the Office of Consumer Affairs and Business Regulation (OCABR) and notifications must be issued to affected individuals. “Data breaches are damaging, costly and put Massachusetts residents at risk of identity theft and financial fraud – so it’s vital that businesses come forward quickly after a breach to inform consumers and law enforcement,” said Healey. “This new feature allows businesses to more efficiently report data breaches so we can take action and share information with the public.” Regarding the latter, the Mass. Attorney...

Read More
Class Action Lawsuit against Allscripts Filed following Ransomware Attack
Jan31

Class Action Lawsuit against Allscripts Filed following Ransomware Attack

Last week, a ransomware attack against the EHR vendor Allscripts resulted in thousands of healthcare providers being unable to access patient data or use the e-prescription service. Already, a class action lawsuit against Allscripts has been filed by Florida-based Surfside Non-Surgical Orthopedics. Allscripts provides EHR and e-prescription services to 2,500 hospitals and 19,000 post-acute care organizations. Last week, a new variant of SamSam ransomware infected the company´s data centers in Raleigh and Charlotte, NC, leaving several application offline for up to 1,500 clients. Microsoft and Cisco incident response teams helped the company restore its e-prescribing service by Saturday; but, for many clients, the Allscripts PRO EHR system is still unavailable or experiencing outages. An Allscripts spokesperson has been unable to confirm when a full restore will be completed. The Class Action Lawsuit against AllScripts The class action lawsuit against Allscripts was filed in the United States District Court for the Northern District of Illinois where the company is based. It alleges...

Read More
Malware Causes 5,200-Record Data Breach at DC Assisted Living Facility
Jan26

Malware Causes 5,200-Record Data Breach at DC Assisted Living Facility

A malware infection at Westminster Ingleside King Farm Presbyterian Retirement Communities has potentially enabled the attackers to gain access to the protected health information of thousands of its residents. The Washington D.C., based assisted living facility had implemented a wide range of security solutions to prevent unauthorized access to its systems, although in this instance they were unable to block the attack. The malware was discovered on November 21, 2017, with rapid action taken to identify all instances of the malware on its network and remove the malicious code to prevent further access. While the malware was successfully removed, assistance was sought from third party experts to determine how the attackers had managed to bypass its security defenses, and whether access to the protected health information of its residents had been gained. The investigation into the breach highlighted a number of areas where security could be improved to further protect its systems from attack. Ingleside has now implemented a new firewall, upgraded its antimalware and antivirus...

Read More
Aetna Agrees to Pay $1.15 Million Settlement to Resolve NY Attorney General Data Breach Case
Jan25

Aetna Agrees to Pay $1.15 Million Settlement to Resolve NY Attorney General Data Breach Case

Last July, Aetna sent a mailing to members in which details of HIV medications were clearly visible through the plastic windows of envelopes, inadvertently disclosing highly sensitive HIV information to individuals’ house mates, friends, families, and loved ones. Two months later, a similar privacy breach occurred. This time the mailing related to a research study regarding atrial fibrillation (AFib) in which the term IMACT-AFIB was visible through the window of the envelope. Anyone who saw the envelope could have deduced the intended recipient had an AFib diagnosis. The July breach triggered a class action lawsuit which was recently settled by Aetna for $17.2 million. Aetna must now also cover a $1.15 million settlement with the New York Attorney General to resolve violations of federal and state laws. Attorney General Schneiderman launched an investigation following the breach of HIV information in July, which violated the privacy of 2,460 Aetna members in New York. The September privacy breach was discovered during the course of that investigation. 163 New York Aetna members had...

Read More
Senate Attorney Judiciary Committee Advances South Dakota Data Breach Notification Bill
Jan24

Senate Attorney Judiciary Committee Advances South Dakota Data Breach Notification Bill

The Senate Attorney Judiciary Committee in South Dakota has overwhelmingly voted in favor of introducing data breach notification legislation. The bill, introduced by the Committee on Judiciary at the request of the Attorney General Marty Jackley, advanced after a 7-0 vote. Currently there are only two states in the US that have yet to introduce data breach legislation to protect state residents. With South Dakota now looking likely to introduce new protections for state residents, Alabama looks like it will be the only state lacking a data breach notification law. The Bill – South Dakota Senate Bill No. 62 – requires notifications to be issued to state residents and the Attorney General following a breach that impacts 250 or more state residents. The breach notifications would need to be issued without unnecessary delay and no later than 45 days following the discovery of a breach, unless a delay is requested by law enforcement. Breach notifications would not be required if the breached entity, along with the attorney general, determines that consumers would be unlikely to be...

Read More
Analysis of Healthcare Data Breaches in 2017
Jan24

Analysis of Healthcare Data Breaches in 2017

A summary and analysis of healthcare data breaches in 2017 has been published by Protenus. Data for the report is obtained from Databreaches.net, which tracks healthcare data breaches reported to OCR, the media, and other sources. The 2017 breach report gives an indication of the state of healthcare cybersecurity.  So how has 2017 been? There Were at Least 477 Healthcare Data Breaches in 2017 In some respects, 2017 was a good year. The super-massive data breaches of 2015 were not repeated, and even the large-scale breaches of 2016 were avoided. However, healthcare data breaches in 2017 occurred at rate of more than one per day. There were at least 477 healthcare data breaches in 2017 according to the report. While all those breaches have been reported via one source or another, details of the nature of all the breaches is not known. It is also unclear at this stage exactly how many healthcare records were exposed. Numbers have only been obtained for 407 of the breaches. There was a slight increase (6%) in reported breaches in 2017, up from 450 incidents in 2016. However, there was...

Read More
Pedes Orange County Discovers Physician Accessed and Disclosed PHI Without Authorization
Jan23

Pedes Orange County Discovers Physician Accessed and Disclosed PHI Without Authorization

Pedes Orange County Inc., a California healthcare provider specializing in treatments for vascular disease, is alerting some of its patients that a physician accessed their medical records, without authorization, and provided some of that information to an attorney. Pedes shares its facilities with another medical group, which conducts surgical procedures at the facility during the week. A scheduling tool is also shared with other physicians that use the same facility. On November 14, 2017, Pedes became aware that a physician employed by a different medical group had accessed its electronic medical records database and viewed the records of some of its patients. Pedes did not provide authorization for the EMR to be accessed. Pedes reports that the physician subsequently shared some of the information in the database with an attorney. After discovering the breach, the physician was contacted and Pedes has been working to ensure all copies of patients’ PHI that were obtained from its EMR system are securely destroyed and that no copies remain. The types of information potentially...

Read More
Analysis of Q4 2017 Healthcare Security Breaches
Jan22

Analysis of Q4 2017 Healthcare Security Breaches

Q4, 2017 saw a 13% reduction in healthcare security breaches reported to the Department of Health and Human Services’ Office for Civil Rights. There were 99 data breaches reported in Q3, 2017. In Q4, there were 86 security breaches reported. There were 27 healthcare security breaches reported in September, following by a major decline in breaches in November, when 21 incidents were reported. However, December saw a significant uptick in incidents with 38 reported breaches. Accompanied by the quarterly decline in security incidents was a marked decrease in the severity of breaches. In Q3, there were 8 data breaches reported that impacted more than 50,000 individuals. In Q4, no breaches on that scale were reported. The largest incident in Q4 impacted 47,000 individuals.  Largest Q4, 2017 Healthcare Security Breaches   Covered Entity Entity Type Number of Records Breached Cause of Breach Oklahoma Department of Human Services Health Plan 47000 Hacking/IT Incident Henry Ford Health System Healthcare Provider 43563 Theft Coplin Health Systems Healthcare Provider 43000 Theft Pulmonary...

Read More
Allscripts Ransomware Attack Impacts Cloud EHR and EPCS Services
Jan22

Allscripts Ransomware Attack Impacts Cloud EHR and EPCS Services

An Allscripts ransomware attack occurred on Thursday January 18, resulting in several of the firm’s applications being taken offline, including its cloud EHR and electronic prescriptions platform. The attack came just a few days after two Indiana hospitals experienced SamSam ransomware attacks. The Allscripts ransomware attack is also believed to have involved a variant of SamSam ransmware – a ransomware family extensively used in attacks on healthcare providers. Allscripts is a popular electronic health record (EHR) system and Electronic Prescriptions for Controlled Substances (EPCS) provider, with its platform used by many U.S healthcare organizations, including 2,500 hospitals and 19,000 post-acute care organizations. More than 180,000 physicians, 100,000 electronic prescribing physicians, and 40,000 in-home clinicians use Allscripts. The Allscripts ransomware attack commenced in the early hours of Thursday morning. Rapid action was taken to remove the ransomware and restore data, with the incident response teams at Microsoft and Cisco called in to assist. An investigation...

Read More
Email Hack Sees PHI of 53,000 Pharmacy Patients Exposed
Jan19

Email Hack Sees PHI of 53,000 Pharmacy Patients Exposed

53,173 patients who received services from Onco360 and CareMed Specialty Pharmacy have been notified that some of their protected health information has been compromised. A security breach was suspected on November 14, 2017, when suspicious activity involving an employee’s email account was detected. Third party computer forensics experts were called in to conduct an investigation to determine the nature and scope of the breach. On November 30, it was determined that the breach involved three email accounts. An analysis of the emails in those accounts revealed some messages contained the PHI of patients, which could potentially have been accessed and stolen by the hacker. The information potentially compromised included names, demographic information, clinical information, details of medications provided by the pharmacy, Social Security numbers, and health insurance information. A limited number of patients may also have had some financial information exposed. No reports have been received to suggest any protected health information has been misused, although patients have been...

Read More
Summary of Healthcare Data Breaches in December 2017
Jan18

Summary of Healthcare Data Breaches in December 2017

There was a sharp rise in healthcare data breaches in December, reversing a two-month downward trend. There were 38 healthcare data breaches in December 2017 that impacted more than 500 individuals: An increase of 81% from last month.     Unsurprisingly given the sharp increase in reported breaches, the number of records exposed in December also increased month over month. The records of 341,621 individuals were exposed or stolen in December: An increase of 219% from last month.     December saw a similar pattern of breaches to past months, with healthcare providers experiencing the most data breaches; however, there was a notable increase in breaches reported by health plans in December – rising from 2 in November to six in December.   Causes of Healthcare Data Breaches in December 2017 As was the case last month, hacking/IT incidents and unauthorized access/disclosures were the most common causes of healthcare data breaches in December, although there was a notable increase in theft/loss incidents involving portable electronic devices and paper records.     While hacking...

Read More
Aetna Settles Class Action Lawsuit Filed by Victims of HIV Status Data Breach
Jan18

Aetna Settles Class Action Lawsuit Filed by Victims of HIV Status Data Breach

Aetna has agreed to settle a class action lawsuit filed by victims of a mailing error that resulted in details of HIV medications prescribed to patients being visible through the clear plastic windows of the envelopes. Aetna was not directly responsible for the mailing, instead an error was made by a third-party vendor. For some of the patients, the letters had slipped inside the envelope revealing the patient had been prescribed HIV drugs. In many cases, those envelopes were viewed by flat mates, family members, neighbors, friends, and other individuals, thus disclosing each patient’s HIV information. Is not known how many patients had their HIV information disclosed, although the mailing was sent to 13,487 individuals. Some of the patients were being prescribed medications to treat HIV, others were taking the medication as Pre-exposure Prophylaxis (PrEP) to prevent contracting the disease. Many of the patients who were outed as a result of the breach have faced considerable hardship and discrimination. Several patients have had to seek alternative accommodation after been forced...

Read More
Deadline for Reporting 2017 HIPAA Data Breaches Approaches
Jan17

Deadline for Reporting 2017 HIPAA Data Breaches Approaches

The deadline for reporting 2017 HIPAA data breaches to the Department of Health and Human Services’ Office for Civil Rights is fast approaching. HIPAA-covered entities have a maximum of 60 days from the discovery of a data breach to report security incidents to OCR and notify affected patients. Smaller breaches of PHI do not need to be reported to OCR within this time frame, instead covered entities can delay reporting those breaches to OCR until the end of the calendar year. The maximum allowable time for reporting breaches impacting fewer than 500 individuals is 60 days from the end of the year in which the breach was experienced. The final day for reporting 2017 HIPAA data breaches to OCR is therefore March 1, 2018. A HIPAA data breach is defined as an “acquisition, access, use, or disclosure” of unsecured protected health information (PHI) that is not permitted by the HIPAA Privacy Rule. Unsecured PHI is defined as PHI that is “not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology,”...

Read More
1,300 Patients’ Medical Records Viewed Without Authorization by Palomar Health Nurse
Jan16

1,300 Patients’ Medical Records Viewed Without Authorization by Palomar Health Nurse

More than 1,300 patients of Palomar Medical Center Escondido are being notified that a former nurse viewed their medical records without authorization while they were receiving treatment at the hospital. The privacy violations occurred over a 15-month period between February 10, 2016 and May 7, 2017. The unauthorized access was discovered when access logs were reviewed. The audit revealed a pattern of access that was not consistent with the nurse’s work duties. The audit showed the nurse had viewed the records of patients that had been assigned to her, in addition to patients assigned to another nurse in the same unit. The incident appears to be a case of snooping, rather than data access with malicious intent. Palomar Health has uncovered no evidence to suggest any information was recorded and removed from the hospital, and no reports have been received to suggest any patient information has been misused. Following an internal investigation into the privacy violations, the nurse resigned. The information viewed was limited to names, dates of birth, genders, medical record numbers,...

Read More
Indiana Health System Pays $55K Ransom to Recover Files
Jan16

Indiana Health System Pays $55K Ransom to Recover Files

A ransomware attack on Greenfield, Indiana-based Hancock Health on Thursday forced staff at the hospital to switch to pen and paper to record patient health information, while IT staff attempted to block the attack and regain access to encrypted files. The attack started around 9.30pm on Thursday night when files on its network started to be encrypted. The attack initially caused the network to run slowly, with ransom notes appearing on screens indicating files had been encrypted. The IT team responded rapidly and started shutting down the network to limit the extent of the attack and a third-party incident response firm was called upon to help mitigate the attack. An attack such as this has potential to cause major disruption to patient services, although Hancock Health said patient services were unaffected and appointments and operations continued as normal. An analysis of the attack uncovered no evidence to suggest any patient health information was stolen by the attacker(s). The purpose of the attack was solely to cause disruption and lock files to force the hospital to pay a...

Read More
20% of RNs Had Breaches of Patient Data at Their Organization
Jan15

20% of RNs Had Breaches of Patient Data at Their Organization

A recent survey conducted by the University of Phoenix College of Health Professions indicates registered nurses (RNs) are confident in their organization’s ability to prevent data breaches. The survey was conducted on 504 full time RNs and administrative staff across the United States. Respondents had held their position for at least two years. Almost half of RNs (48%) and 57% of administrative staff said they were very confident that their organization could prevent data breaches and protect against the theft of patient data, even though 19% of administrative staff and 20% of RNs said their organization had had a data breach in the past. 21% did not know if a breach had occurred. The survey confirmed that healthcare organizations have made many changes over the years to better protect data and patient privacy, with most of the changes occurring in the past year, according to a quarter of RNs and 40% of administrative staff. Those changes have occurred across the organization. The biggest areas for change were safety, quality of care, population health, data security and the...

Read More
43,000 Patients of Coplin Health Systems Potentially Impacted by Laptop Theft
Jan11

43,000 Patients of Coplin Health Systems Potentially Impacted by Laptop Theft

West Virginia-based Coplin Health Systems has informed 43,000 patients that their PHI has potentially been exposed as a result of the theft of an unencrypted laptop computer from the vehicle of an employee. Coplin Health was alerted to the theft on November 2, 2017. The theft was immediately reported to law enforcement and an investigation was launched, although at the time of issuing notifications, the laptop computer has not been recovered. While it is possible that protected health information of patients was stored on the laptop, Coplin Health does not believe that was the case, although the possibility of data exposure cannot be ruled out with 100% certainty. Coplin Health notes that the laptop had various security protections in place to ensure the privacy of patients in the event of the laptop being stolen. While the laptop could potentially be used to gain access to patient data, a password would have been required and it is not suspected that the thief had “the sophisticated knowledge and resources necessary to bypass the laptop’s security mechanisms.” Further, Coplin...

Read More
St. Rose Dominican Hospital Patients Impacted by DJO Global PHI Breach
Jan10

St. Rose Dominican Hospital Patients Impacted by DJO Global PHI Breach

DJO Global, a provider of medical technologies to help patients maintain and regain natural motion, has discovered that some patients’ information has been exposed, and potentially disclosed, to unauthorized individuals. Individuals who had received a DJO Global device in the emergency room, Urgent Care Site, or the Same Day Surgery Center of the Siena, San Martin or De Lima campuses of St. Rose Dominican Hospital in Las Vegas, NV between July 17 and October 16, 2017 have potentially been affected. Those individuals are likely to have signed a DJO Global Patient Product Agreement confirming they had received one of the company’s devices. Those consent forms should have been sent to DJO Global; hhowever, a batch of consent forms was not received. A DJO employee collected the forms from St. Rose Dominican Hospital and should have taken them to DHL to be delivered to DJO Global; however, the forms were lost in transit. They are believed to have been lost between collection from the hospital and delivery to DHL. The forms contained the following information: Name, phone number,...

Read More