Our HIPAA breach news section covers HIPAA breaches such as unauthorized disclosures of protected health information (PHI), improper disposal of PHI, unauthorized PHI access by cybercriminals and rogue healthcare employees, and other security and privacy breaches.

When known, we explain how the breach occurred, the consequences to patients that may have had their PHI compromised, and the actions being taken by the affected healthcare organization to improve safeguards to prevent further HIPAA breaches.

We also explain any actions being taken by the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) and state attorneys general in relation to those breaches.

OCR investigates all data breaches that impact more than 500 individuals to determine whether any HIPAA violations have occurred. When HIPAA Rules are discovered to have been violated, financial penalties may be deemed appropriate. It can take many months or years before any financial penalties for HIPAA breaches are decided. Financial penalties for HIPAA violations tend to be reserved for the most serious breaches of HIPAA Rules. OCR prefers to resolve cases with voluntary compliance and by issuing recommendations to bring policies in line with HIPAA Rules.

The HIPAA breach news section is particularly relevant to healthcare information security professionals, privacy officers, and other individuals who have some responsibility for HIPAA compliance.

The HIPAA breach news reports highlight common areas of non-compliance and new attack vectors used by cybercriminals to gain access to healthcare networks and PHI, the security failings that allowed them to happen, and the measures that have been implemented to prevent them from happening again.

No healthcare organization wants to experience a data breach, but when a breach does occur, lessons can be learned. HIPAA-covered entities can use these breach examples to help train their staff as well as to discover some of the methods other covered entities have adopted to improve data security.

As you will be able to see from the volume of posts in the HIPAA breach news category, healthcare data breaches occur frequently. In 2016 and 2017, healthcare data breaches have been reported on an almost daily basis.

Our HIPAA breach news section is an important source of information about potential security issues that covered entities should be identifying when conducting their own risk assessments. Many of the situations in our HIPAA breach news posts could have been avoided if a risk assessment had identified a vulnerability that was later exploited to gain access to PHI.

The main purpose for adding HIPAA breach news to this website is to highlight specific aspects of HIPAA compliance that are commonly overlooked, often with serious consequences for the covered entity and patients/health plan members.

By raising awareness of the volume of healthcare data breaches, the implications of those breaches, and the penalties that can result, it is hoped that healthcare providers will take decisive action to prevent their patients’ and members’ data from being exposed.

The most recent healthcare data breach reports are listed below. If you want to find out if a specific covered entity has experienced a data breach, please use the search function in the top right hand corner of this webpage.

Alabama Jury Awards Woman $300,000 Damages over HIPAA Breach
Jun14

Alabama Jury Awards Woman $300,000 Damages over HIPAA Breach

A woman in Alabama has been awarded $300,000 in damages after a doctor illegally accessed and disclosed her protected health information to a third party. Plaintiff Amy Pertuit filed a lawsuit against Medical Center Enterprise (MCE) in Alabama, a former MCE physician, and an attorney over the violation of her privacy in January 2015. According to lawyers for the plaintiff, Amy Pertuit’s husband was experiencing visitation issues and was involved in a custody battle with his former wife, Deanna Mortenson. Mortenson contacted Dr. Lyn Diefendfer, a physician at MCE, and convinced her to obtain health information about Amy Pertuit for use against her husband in the custody battle. The information was disclosed to Mortenson’s attorney, Gary Bradshaw. Dr. Diefendfer accessed Pertuit’s records through the Alabama Prescription Drug Monitoring Program website. Since Dr. Diefendfer had no treatment relationship with Pertuit, she was not authorized to access her medical information. The access and disclosure were violations of hospital policies and HIPAA Rules. After discovering that her...

Read More
PHI Exposed in Union Labor Life Insurance Phishing Attack
Jun14

PHI Exposed in Union Labor Life Insurance Phishing Attack

The Ullico Inc. subsidiary, Union Labor Life Insurance (ULLI), is notifying more than 87,000 plan members that some of their protected health information (PHI) has been exposed as a result of an employee responding to a phishing email. As is often the case in healthcare phishing attacks, the phishing email was realistic and appeared to be a genuine request from a business partner. The email contained a hyperlink which asked for login credentials to be entered when clicked. The employee entered the credentials, which were harvested by the attacker and used to remotely access the account. ULLI had systems in place which alerted the information technology department to the unauthorized access. The IT department blocked third-party access to the account within 90 minutes of the account being compromised on April 1, 2019 and disconnected the device from the network. The prompt action greatly limited the potential for the accessing or theft of protected health information contained in emails and email attachments. ULLI conducted a forensic analysis and determined that access was limited...

Read More
Nurse Fired over Alleged Theft and Impermissible Disclosure of PHI
Jun13

Nurse Fired over Alleged Theft and Impermissible Disclosure of PHI

A former employee of a Germantown, MD-based healthcare provider is suspected of accessing the protected health information of up to 16,542 patients and providing that information to a third party for use in fraudulent activities. On April 10, 2019, Takai, Hoover & Hsu, P.A., which runs THH Paediatrics in Germantown, was notified by county and state police that an individual had been arrested as part of an investigation in a matter unrelated to THH. That individual was associated with an employee of THH who is suspected of accessing and impermissibly disclosing patient information including names, dates of birth, Social Security numbers, and addresses of the parents of patients. Immediate action was taken by THH to investigate the allegations. Access to patient data was restricted for the employee, who was placed on leave on April 16 pending the outcome of the internal and law enforcement investigations. The former employee has not been charged at this stage and no direct evidence has been found to suggest that any patient information was taken and misused; however, THH took the...

Read More
PHI Potentially Compromised at Rosenbaum Dental Group and Kingman Regional Medical Center
Jun11

PHI Potentially Compromised at Rosenbaum Dental Group and Kingman Regional Medical Center

Kingman Regional Medical Center (KRMC) has discovered a flaw on its website resulted in the exposure of the protected health information (PHI) of certain patients. KRMC became aware of the security issue on April 8, 2019 and the website was shut down while the security problem was investigated. Assisted by a third-party computer forensics company, KRMC determined that the configuration of the website was such that unauthorized individuals may have been able to gain access to patient information. The website was housed on an isolated server, so any access to data was limited to the information stored on the server. For a small subset of patients who used the website to enter information related to their care, such as making an appointment, could have had the following information exposed: Name, date of birth, and information supplied related to a medical condition for which medical services were being requested. Affected patients were notified of the breach by mail on June 7, 2019. The KRMC website has been offline now for more than 2 months. KRMC is in the process of rebuilding the...

Read More
Mercy Health Discovers PHI of 978 Patients Was Exposed
Jun11

Mercy Health Discovers PHI of 978 Patients Was Exposed

Mercy Health, MI, has discovered a limited amount of patient data had been saved on a private server which was used for other activities such as online scheduling and electronic physician office check-ins. As a result, patient information could potentially have been accessed by unauthorized individuals. The issue has been corrected and all patient information has now been secured. The investigation did not uncover any evidence of unauthorized access or data theft, but it was not possible to rule out either with a very high degree of certainty. Patient information was accessible on the server from an unspecified date in 2014 to March 25, 2019, when the problem was detected and rectified. The security issue only affected certain individuals who had received medical services at Mercy Health facilities in Grand Rapids or Muskegon in Michigan. The types of information potentially accessed were limited to names, addresses, email addresses, and health insurance information for the vast majority of affected individuals. A limited number of patients may also have had their Social Security...

Read More
Delta Health Systems Alerts Plan Members to Exposure of SSNs Over Internet
Jun10

Delta Health Systems Alerts Plan Members to Exposure of SSNs Over Internet

Employees of Turlock Irrigation District in California who are members of their employer-sponsored health plan are being notified that some of their protected health information has been exposed online as a result of an error at a business associate. Delta Health Systems (DHS) provides administrative services related to the health plan and requires access to certain protected health information. Some of that information was made accessible over the internet through a link to a DHS webpage. The error was made by third-party website developer. While the website had been configured to restrict access, there was a conflicting setting which provided general access to the document which took precedence. Affected plan members have been told that their billing statement for their employee-sponsored health plan could have been accessed by unauthorized individuals during the time it was accessible over the internet. The billing statement contained the plan member’s first and last name, employer’s name and address, DHS ID number, and Social Security number. All affected members have been...

Read More
AMCA Data Breach Tally Passes 20 Million as BioReference Laboratories Added to List of Impacted Entities
Jun07

AMCA Data Breach Tally Passes 20 Million as BioReference Laboratories Added to List of Impacted Entities

The total number of victims of the American Medical Collections Agency (AMCA) data breach has now passed 20 million, as yet another healthcare organizations has been confirmed as being affected by the breach. New Jersey-based laboratory and clinical testing company BioReference Laboratories is the latest confirmed victim, with approximately 422,600 of its customers having had their personal information exposed in the AMCA data breach. BioReference Laboratories joins Quest Diagnostics/Optum360 (11.9 million records) and LabCorp (7.7 million records), with the total number of compromised records now standing at 20,022,600 records. That number may well continue to grow as the investigation progresses and more healthcare entities are notified that their data has also been compromised. BioReference Laboratories confirmed the breach in an 8-K Security and Exchange Commission (SEC) filing on Monday. The OPKO Health subsidiary was notified it has been impacted by the breach on June 3, 2019. The breach at AMCA occurred between August 1, 2018 and March 30, 2019, during which time hackers had...

Read More
Misconfigured University of Chicago Medicine ElasticSearch Instance Exposed More Than 1.68 Million Records
Jun05

Misconfigured University of Chicago Medicine ElasticSearch Instance Exposed More Than 1.68 Million Records

It is certainly a week of massive data breaches. 11.9 million Quest Diagnostics records were exposed, 7.7 million records at LabCorp have potentially been compromised, and now University of Chicago Medicine has discovered more than 1.68 million of its records have been exposed. The records were stored on a misconfigured ElasticSearch server which had accidentally had protections removed allowing it to be accessed over the internet without the need for any authentication. The misconfiguration allowed a database to be accessed which contained 1,679,993 records of donors and prospective donors. The exposed database was discovered by Security Discovery researcher Bob Diachenko on May 28. Diachenko had performed a search using the search engine Shodan to identify unsecured databases. Even though awareness has been raised following the discovery of a large number of exposed ElasticSearch instances and other NoSQL databases in recent months, Security Discovery researchers are still identifying between 5 and 10 ‘big cases’ of unsecured databases every month. The latest find was a sizable...

Read More
Up to 7.7 Million Patients of LabCorp Impacted by AMCA Breach
Jun05

Up to 7.7 Million Patients of LabCorp Impacted by AMCA Breach

Following the news that the data breach at American Medical Collection Agency (AMCA) exposed the records of 11.9 million Quest Diagnostics patients, comes news of another healthcare company that has been affected by the breach. On June 4, 2019, LabCorp, another national network of blood testing centers, announced that 7.7 million individuals whose blood samples were processed by the company may have had their sensitive information exposed. As was the case with Quest Diagnostics, LabCorp disclosed the breach through a U.S. Securities and Exchange Commission (SEC) filing. LabCorp said it had been notified by AMCA that its data had also been exposed as a result of the cyberattack on AMCA’s web payment portal, which saw hackers gain access to the system between August 1, 2018 and March 30, 2019. LabCorp said AMCA held data on 7.7 million of its customers. According to the AMCA website, the company manages more than $1 billion in annual receivables for a diverse client base, which includes “laboratories, hospitals, physician groups, billing services, and medical providers all...

Read More
AMCA Data Breach Impacts 12 Million Quest Diagnostics Patients
Jun04

AMCA Data Breach Impacts 12 Million Quest Diagnostics Patients

A hacker has gained access to the systems of Elmsford, NY-based billing collections company American Medical Collection Agency (AMCA) and potentially viewed and copied the protected health information of 11.9 million patients of Quest Diagnostics. Quest Diagnostics is one of the largest blood testing laboratories in the United States but is just one entity that uses AMCA services. It is possible that the breach could be much larger and impact patients of other healthcare organizations. At almost 12 million records, it is already the second largest healthcare data breach ever to be reported, behind Anthem’s 78.8 million record data breach of 2015. The data breach first came to light in May 2019 when researchers at Gemini Advisory notified databreaches.net that they had discovered the payment card details of around 200,000 patients listed for sale on a darknet marketplace. Gemini Advisory determined that the credit card details came from AMCA and appeared to have been obtained between September 2018 and March 2019. Gemini Advisory notified AMCA about the potential breach, although no...

Read More
7 Month Data Breach Discovered by Communities Connected for Kids
Jun03

7 Month Data Breach Discovered by Communities Connected for Kids

Port St. Lucie, FL-based Communities Connected for Kids (CCK) has discovered an unauthorized individual gained access to databases containing the protected health information of child clients, their parents and staff members. The breach was identified when suspicious activity was detected in the databases by one of its third-party vendors. An external computer forensics expert was hired to conduct an investigation which revealed access to the databases was first gained in August 2018. The breach was detected in March 2019 and access to the databases was promptly blocked. During the 7 months that the individual had access to the databases, range of sensitive information was potentially viewed and downloaded. The information exposed varied from individual to individual, but may have included name, contact information, date of birth, Social Security number, financial information, family information, Medicaid number, medical record number, prescription information, health insurance information, and medical and clinical information such as diagnoses and treatment information. According...

Read More
Health Quest Patients Notified of Historic Phishing Breach
Jun03

Health Quest Patients Notified of Historic Phishing Breach

Health Quest has announced it has suffered a phishing attack that has resulted in the exposure of certain patients’ protected health information. The breach affected its affiliates Health Quest Medical Practice, Health Quest Urgent Care and Hudson Valley Newborn Physician Services, and the exposed information related to medical services provided to patients of those affiliates. According to the breach notice on the Health Quest website, on April 2, 2019, Quest Health learned that patient information was contained in emails and email attachments in several employee email accounts that had been compromised as a result of a phishing attack. Compromised protected health information included names, diagnoses, treatment information, dates of service, provider names, health insurance claims information and other information related to services received between January 2018 and June 2018. When the breach was detected, the accounts were secured, and a leading cybersecurity firm was engaged to assist with the investigation. Quest Health has since implemented multi factor authentication and...

Read More
Data Breaches Reported by TriHealth, Centura Health, and Columbus Community Hospital
May29

Data Breaches Reported by TriHealth, Centura Health, and Columbus Community Hospital

The Cincinnati-based health system TriHealth is alerting 2,433 patients about an impermissible disclosure of their protected health information (PHI) to a student mentee. The student was acting under the direct supervision of a former TriHealth physician and accessed patient information for a potential research project. On June 8 and June 9, 2018, the student was provided with patient information including first and last names, dates of birth, ethnicity, life status, cancer diagnosis information, and zip codes. TriHealth does not believe that there were any further uses or disclosures of patient information nor that any patient information has been misused. PHI was accessed solely in relation to the potential research project. Since the student was not an approved TriHealth workforce member, access to patient information was prohibited. As such, this was an impermissible disclosure of patient information which warranted breach notifications to be issued to affected patients. Those notification letters have now been sent. In its website breach notice, TriHealth said all employees...

Read More
Multi-State Action Results in $900,000 Financial Penalty for Medical Informatics Engineering
May28

Multi-State Action Results in $900,000 Financial Penalty for Medical Informatics Engineering

Medical Informatics Engineering (MIE) is required to pay a financial penalty of $900,000 to resolve a multi-state action over HIPAA violations related to a breach of 3.9 million records in 2015. The announcement comes just a few days after the HHS’ Office for Civil Rights settled its HIPAA violation case with MIE for $100,000. MIE licenses a web-based electronic health record application called WebChart and its subsidiary, NoMoreClipboard (NMC), provides patient portal and personal health record services to healthcare providers that allow patients to access and manage their health information. By providing those services, MIE and NMC are business associates and are required to comply with HIPAA Rules. Between May 7 and May 26 2015, hackers gained access to a server containing data related to its NMC service.  Names, addresses, usernames, passwords, and sensitive health information were potentially accessed and stolen. A lawsuit was filed in December 2018 alleging MIE and NMC had violated state laws and several HIPAA provisions. 16 state attorneys general were named as plaintiffs in...

Read More
Medical Informatics Engineering Settles HIPAA Breach Case for $100,000
May24

Medical Informatics Engineering Settles HIPAA Breach Case for $100,000

Medical Informatics Engineering, Inc (MIE) has settled its HIPAA violation case with the HHS’ Office for Civil Rights for $100,000. MIE, an Indiana-based provider of electronic medical record software and services, experienced a major data breach in 2015 at its NoMoreClipboard subsidiary. Hackers used a compromised username and password to gain access to a server that contained the protected health information (PHI) of 3.5 million individuals. The hackers had access to the server for 19 days between May 7 and May 26, 2015. 239 of its healthcare clients were impacted by the breach. OCR was notified about the breach on July 23, 2015 and launched an investigation to determine whether it was the result of non-compliance with HIPAA Rules. OCR discovered MIE had failed to conduct an accurate and through risk analysis to identify all potential risks to the confidentiality, integrity, and availability of PHI prior to the breach – A violation of the HIPAA Security Rule 45 C.F.R. § 164.308(a)(l)(ii)(A). As a result of that failure, there was an impermissible disclosure of 3.5 million...

Read More
Boxes of Records of Today’s Vision Patients and Employees Discovered in Texas Dumpster
May23

Boxes of Records of Today’s Vision Patients and Employees Discovered in Texas Dumpster

Thousands of medical records have been found abandoned in a publicly accessible dumpster in Texas. The boxes contained records of Today’s Vision patients and employees and included highly sensitive information. Today’s Vision has more than 50 independently owned and operated optometry clinics throughout Texas. Most of the records appear to have come from Today’s Vision in Willowbrook in northwest Houston. The Willowbrook location is no longer operational and was sold to MyEyeDr three months ago. Dr. Donald Glenz owned and ran both the Willowbrook and Tomball Today’s Vision offices, prior to the sale to MyEyeDr in February. Dr. Glenz is unaware how the files came to be dumped and who is responsible. Dr. Glenz told KPRC that the incident is being investigated to determine who was responsible. Prior to any records being deleted they are usually shredded in accordance with HIPAA requirements but that did not occur in this instance. Today’s Vision executive director Greg Watson described the discovery as ‘disturbing.’ The incident is also being investigated by MyEyeDr and the Department...

Read More
PHI of 1.5 Million Individuals Exposed Online by Inmediata
May22

PHI of 1.5 Million Individuals Exposed Online by Inmediata

In April, Inmediata, a provider of clearinghouse services to healthcare organizations, announced that the protected health information of certain patients had been exposed online as a result of a misconfigured setting on an internal web page. The incident has now been reported to the Department of Health and Human Services’ Office for Civil Rights. The breach report indicates 1,565,338 individuals had their PHI exposed. That makes the data breach the largest to be reported in 2019. The information had been made available to employees through an internal web page, but the failure to configure that page correctly allowed the data to be made accessible over the internet without the need for authentication. The page was indexed by Google and patient information could be found through online searches. The information had been provided by hospitals, health plans, and independent physicians and included names, addresses, dates of birth, gender, claims data and, for a small number of patients, Social Security numbers. Inmediata immediately deactivated the web page when it was discovered...

Read More
Phishing Attack on Hematology Oncology Associates Sees Multiple Email Accounts Breached
May22

Phishing Attack on Hematology Oncology Associates Sees Multiple Email Accounts Breached

The email accounts of several employees of Medford, OR-based Hematology Oncology Associates. P.C. have been compromised as a result of responses to phishing emails. The phishing attack was detected on March 19, 2018, although the investigation revealed the first account was breached on December 18, 2018. Further accounts were compromised up until February 22, 2019. Third-party computer forensics experts were retained to investigate the breach, but it was not possible to determine which, if any, emails and attachments had been opened by the attackers. The breach investigation was concluded on April 20 and confirmed that some of the emails and attachments in the compromised accounts contained patients’ protected health information. A password reset has been performed to prevent further unauthorized access and additional security awareness training will be provided to employees. The breach has been reported to the HHS’ Office for Civil Rights and state attorneys general and affected individuals have been offered free membership to Experian’s IdentityWorks credit monitoring and...

Read More
Another Phishing Attack Reported by Cancer Treatment Centers of America
May21

Another Phishing Attack Reported by Cancer Treatment Centers of America

Cancer Treatment Centers of America (CTCA) has discovered the email account of an employee of its Southeastern Regional Medical Center has been compromised as a result of a response to a phishing email. The email account breach occurred on March 10, 2019 after the employee disclosed network login credentials when responding to a seemingly legitimate internal email. CTCA discovered the breach the following day and secured the account by changing the password. The account was accessible for less than two days, but during that time it is possible that information in emails and email attachments may have been viewed. The third-party computer forensics firm that was retained to conduct an investigation and found no evidence to suggest any patient health information was viewed, but it was not possible to rule out PHI access or data theft. The compromised email account contained names, addresses, medical record numbers, government ID numbers, health insurance information, and some medical information. No Social Security numbers or financial information were exposed. Individuals affected...

Read More
April 2019 Healthcare Data Breach Report
May20

April 2019 Healthcare Data Breach Report

April was the worst ever month for healthcare data breaches. More data breaches were reported than any other month since the Department of Health and Human Services’ Office for Civil Rights started publishing healthcare data breach reports in October 2009. In April, 46 healthcare data breaches were reported, which is a 48% increase from March and 67% higher than the average number of monthly breaches over the past 6 years. While breach numbers are up, the number of compromised healthcare records is down. In April 2019, 694,710 healthcare records were breached – A 23.9% reduction from March.  While the breaches were smaller in March, the increase in breaches is of great concern, especially the rise in the number of healthcare phishing attacks. Largest Healthcare Data Breaches in April 2019 Two 100,000+ record data breaches were reported in April. The largest breach of the month was reported by the business associate Doctors Management Services – A ransomware attack that exposed the records of 206,695 patients. The ransomware was deployed 7 months after the attacker had first gained...

Read More
Medical Oncology Hematology Consultants Notifies Patients about June 2018 Data Breach
May17

Medical Oncology Hematology Consultants Notifies Patients about June 2018 Data Breach

Medical Oncology Hematology Consultants (MOHC), a Newark, DE-based cancer treatment center, is alerting certain patients that some of their protected health information (PHI) has been exposed as a result of an email security breach. According to the substitute breach notice on the MOHC website, an email account was compromised between June 7 and June 8, 2018. It is unclear when MOHC learned of the breach, but its ‘extensive investigation’ concluded on March 14, 2019 that the breach had resulted in the exposure of patient information. Third party computer forensics experts were engaged to conduct the investigation, which involved extensive coordination with the company that hosts its email environment. Data access and theft could not be ruled out, although no reports have been received to suggest any patient information has been misused. Names, dates of birth, Social Security numbers, government ID numbers, financial account information, and health and medical information were exposed. All patients affected by the breach have been notified and offered 12 months of membership to...

Read More
UMC Physicians Discovers Patient Information Was Uploaded to Unapproved and Unsecured Cloud Service
May15

UMC Physicians Discovers Patient Information Was Uploaded to Unapproved and Unsecured Cloud Service

The Lubbock, TX-based medical group UMC Physicians is alerting patients of UMC Southwest Gastroenterology that some of their protected health information has been exposed as a result of errors of judgement by two of its employed providers. Those providers had each set up a Google shared drive which was used to track follow up tasks related to the provision of care to patients. While the shared drives were set up with good intentions and were intended to help improve the care provided to patients, the providers used an unapproved cloud storage solution and patient data was inadvertently stored on an unsecured network. UMC Physicians discovered the policy violation on March 12, 2019 and launched an investigation to determine which patients’ protected health information had been exposed. During the course of that investigation, UMC Physicians determined that one of the providers had also been forwarding emails containing patient information to an unsecured Gmail account. The types of information that had been stored on the unsecured network and emailed to the Gmail account included...

Read More
Oregon State Hospital and New York Episcopal Health Services Report Phishing Attacks
May14

Oregon State Hospital and New York Episcopal Health Services Report Phishing Attacks

Oregon State Hospital has announced that the protected health information (PHI) of some of its patients was potentially compromised as a result of an employee being duped by a spear phishing email. The email was received on May 3 and the employee responded on May 6. The response resulted in the disclosure of email login credentials. The unauthorized access was detected quickly, and steps were rapidly taken to secure the account. The employee responded to the message at 9:50 AM and Oregon State Hospital’s IT team detected the breach at 10:30 AM and secured the account. The limited time the attacker had access to the account reduced the potential for any information in emails and email attachments to be viewed or copied. Currently, Oregon State Hospital is unaware whether the attacker gained access to patients protected health information during the 40 minutes that the account was accessible, and the hospital has yet to determine which patients have been affected. A third-party cybersecurity company has been hired to conduct an analysis of the compromised account to determine which...

Read More
Ransomware Attack on the Southeastern Council on Alcoholism and Drug Dependence Impacts 25,148 Patients
May13

Ransomware Attack on the Southeastern Council on Alcoholism and Drug Dependence Impacts 25,148 Patients

The Southeastern Council on Alcoholism and Drug Dependence (SCADD) in Lebanon, CT, has experienced a ransomware attack that has resulted in widespread file encryption. The attack was detected on February 18, 2019 when problems started to be experienced with its network. The investigation confirmed ransomware had been installed on its systems, some of which contained the protected health information (PHI) of patients. While no evidence was uncovered that suggested the attackers accessed files containing PHI, third-party forensic investigators were unable to rule out patient data access. Consequently, the incident was reported to the HHS’ Office for Civil Rights as a potential data breach and notification letters have been sent to affected patients. To date, no reports have been received which suggest any patient information has been misused. Patients have been informed that their name, address, medical history, treatment information, and Social Security number has potentially been compromised. All affected individuals have been offered complimentary credit monitoring and identity...

Read More
Lawsuit Alleges Hospital Worker Disclosed Information about Woman’s Sexual Assault to her Attacker
May13

Lawsuit Alleges Hospital Worker Disclosed Information about Woman’s Sexual Assault to her Attacker

A lawsuit has been filed against Atchison Hospital in Kansas by a rape victim who alleges an x-ray technician at the hospital contacted her attacker and disclosed sensitive information about the treatment she received at the hospital. According to the Kansas City Star, after being raped, the woman sought treatment at the hospital. She underwent a rape kit examination, and allegedly made it clear to the hospital that she did not want her health information to be disclosed to third parties. Despite being against the patient’s wishes and a violation of the HIPAA Privacy Rule, information about the examination was disclosed to her attacker by a female X-ray technician at the hospital. The x-ray technician also told the man that he had been accused of sexually assaulting the patient. Following the disclosure, the man repeatedly harassed and threatened the patient by phone and text message over the following weeks. In addition to receiving a barrage of abuse from her attacker, the lawsuit claims the woman was also harassed by hospital staff. A complaint was filed with the hospital over...

Read More
Phishing Attack Reported by Verity Health’s St. Vincent Medical Center
May09

Phishing Attack Reported by Verity Health’s St. Vincent Medical Center

St. Vincent Medical Center, a part of Verity Health System, has discovered a web email account has been compromised as a result of a response to a phishing email. The breach occurred on March 15, 2016 and involved the email account of a hospital pathologist. The account compromise was detected on March 26 and the account was secured within hours. During the time that the unauthorized individual had access to the account, it was used to send phishing emails to internal and external email addresses. Those messages contained malicious attachments and hyperlinks. According to a substitute breach notice provided to the California Attorney General, no other employee accounts were breached as a result of misuse of the email account. While the intention of the attacker appears to have been to obtain login credentials to other email accounts, during the time that the account was accessible, full access to emails, folders, and email attachments was possible. The investigation into the breach could not confirm whether any patient information in emails and email attachments had been accessed...

Read More
Phishing Attack Impacts 1,100 Spectrum Health Lakeland Patients
May09

Phishing Attack Impacts 1,100 Spectrum Health Lakeland Patients

For the second time in the space of two months, Spectrum Health Lakeland has announced that a breach has exposed the protected health information (PHI) of some of its patients. The previous breach occurred at Wolverine Services Group and impacted around 60,000 of its patients. The latest incident involved an unauthorized individual gaining access to an email account as the result of a response to a phishing email. As with the last breach, the incident occurred at a business associate. OC, Inc., a provider of billing services, discovered an unauthorized individual had gained access to an email account of one of its employees. The email account was discovered to contain the PHI of approximately 1,100 Spectrum Health Lakeland patients. OS Inc. discovered a potential breach on December 21, 2018 after suspicious activity was detected within an employee email account. A third-party computer forensics expert was hired to assist with the investigation and found no evidence to suggest that any PHI in emails and attachments had been accessed or stolen. However, it was not possible to rule...

Read More
Key Findings of the 2019 Verizon Data Breach Investigations Report
May08

Key Findings of the 2019 Verizon Data Breach Investigations Report

Today sees the release of the 2019 Verizon Data Breach Investigations Report. This is the 12th edition of report, which contains a comprehensive summary of data breaches reported by public and private entities around the globe. The extensive report provides in-depth insights and perspectives on the tactics and techniques used in cyberattacks and detailed information on the current threat landscape.  The 2019 Verizon Data Breach Investigations Report is the most comprehensive report released by Verizon to date and includes information from 41,686 reported security incidents and 2,013 data breaches from 86 countries. The report was compiled using data from 73 sources. The report highlights several data breach and cyberattack trends. Some of the key findings of the report are detailed below: C-Suite executives are 12 time more likely to be targeted in social engineering attacks than other employees Cyber-espionage related data breaches increased from 13% of breaches in 2017 to 25% in 2018 Nation-state attacks increased from 12% of attacks in 2017 to 23% in 2018 Financially motivated...

Read More
American Indian Health & Services and Madison Parish Hospital Discover Impermissible PHI Disclosures by Employees
May08

American Indian Health & Services and Madison Parish Hospital Discover Impermissible PHI Disclosures by Employees

American Indian Health & Services, the operator of a community health clinic in Santa Barbara, CA, has discovered a former employee forwarded emails containing the sensitive data of certain employees, patients, and vendors to a personal email account, in violation of HIPAA Rules. The incident was detected on March 7, 2019. An analysis to the email account revealed the former employee, who was employed at the clinic at the time, had forwarded emails to her personal email account between March 26 and February 6, 2019. The emails contained names, billing information, provider names and locations, dates of service, amounts paid/owed for services provided, health insurance and payor information, and Medicare/Medicaid and/or Medical numbers. The incident has been reported to law enforcement, state, and federal regulators and affected individuals have been notified by mail. No reports of misuse of patient information have been received to date, but as a precaution against identity theft and fraud, affected individuals have been offered 12 months of credit monitoring and identity theft...

Read More
Ransomware Attack Reported by American Baptist Homes of the Midwest
May08

Ransomware Attack Reported by American Baptist Homes of the Midwest

American Baptist Homes of the Midwest (ABHM), a provider of assisted living and assisted care facilities throughout the U.S Midwest, has reported a security breach involving the use of ransomware on its network. The attack commenced on or around March 10, 2019. The attack was detected promptly, but only after the encryption routine had commenced. The attack was stopped and affected accounts were secured, but not in time to prevent widespread file encryption. The files encrypted by the ransomware contained the records of many ABHM clients. ABHM’s clinical and billing systems were not affected, only general file systems and email accounts. The attack is believed to have been conducted with the sole purpose of extorting money from ABHM, although due to the nature of access gained to install the ransomware, unauthorized accessing of protected health information could not be ruled. No evidence of data theft or misuse of PHI has been found to date. The types of information stored on the compromised servers and systems included individuals’ names and addresses in combination with the...

Read More
3,193 Employees and Dependents Affected by Bodybuilding.com Data Breach
May07

3,193 Employees and Dependents Affected by Bodybuilding.com Data Breach

The bodybuilding and personal fitness website Bodybuilding.com has announced it has experienced a security incident that may have resulted in the information of customers and employees being accessed by unauthorized individuals. While the breach affecting customers was not a reportable incident under HIPAA, HIPAA does cover group health plans. As such, bodybuilding.com was required to report the breach of group members’ PHI to the Office for Civil Rights. The breach was discovered in February 2019 when suspicious activity was detected on its network. A formal breach investigation was launched which revealed access to the network was gained as a result of an employee falling for a phishing scam. While the data of customers and employees is not believed to have been obtained by unauthorized individuals as a result of the phishing attack, the possibility could not be ruled out. The breach has now been resolved and its systems have been secured. A forced password reset was performed for all users of the website as a precaution. For customers, the information potentially obtained was...

Read More
Touchstone Medical Imaging Fined $3 Million by OCR for Extensive HIPAA Failures
May06

Touchstone Medical Imaging Fined $3 Million by OCR for Extensive HIPAA Failures

The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced a settlement has been reached with the Franklin, TN-based diagnostic medical imaging services company, Touchstone Medical Imaging. The settlement resolves multiple violations of HIPAA Rules discovered by OCR during the investigation of a 2014 data breach. Touchstone Medical Imaging has agreed to a settlement of $3,000,000 to resolve the violations and will adopt a corrective action plan (CAP) to address its HIPAA compliance issues. The high settlement amount reflects widespread and prolonged noncompliance with HIPAA Rules. OCR alleged 8 separate violations across 10 HIPAA provisions. The settlement resolves the HIPAA case with no admission of liability. On May 9, 2014, Touchstone Medical Imaging was informed by the FBI that one of its FTP servers was accessible over the Internet and allowed anonymous connections to a shared directory. The directory contained files that included the protected health information (PHI) of 307,839 individuals. As a result of the lack of access controls, files had...

Read More
Mailing Error Sees Inmediata Breach Notification Letters Sent to Incorrect Addresses
May03

Mailing Error Sees Inmediata Breach Notification Letters Sent to Incorrect Addresses

Following a security incident that resulted in the exposure of PHI, Inmediata sent notification letters to affected individuals. However, several individuals have reported receiving notification letters in the mail addressed to other people. The incident that prompted the notifications was a webpage used internally by Inmediata employees that had been accidentally set to allow it to be indexed by search engines. Consequently, the webpage could be found using Internet searches and the PHI of its customers’ patients could be accessed. The forensic investigation did not find evidence to suggest the webpage was subjected to unauthorized access during the time it was accessible online; however, the possibility could not be ruled out. Through the webpage, unauthorized individuals could have accessed the following information: Patients’ names, addresses, dates of birth, gender, doctor’s names, and medical claim information. A small number of individuals also had their Social Security number exposed. Inmediata started sending notification letters to affected individuals on April 22, 2019...

Read More
Class Action Lawsuit Filed Over Baystate Health Phishing Attack
May01

Class Action Lawsuit Filed Over Baystate Health Phishing Attack

In February 2019, Baystate Health experienced a phishing attack that resulted in the exposure of the protected health information (PHI) of 12,000 patients. On April 11, a class action lawsuit was filed on behalf of individuals affected by the breach. The lawsuit was filed by attorney Kevin Chrisanthopoulos in the U.S. District Court in Springfield, MA, three days after Baystate Health announced the breach. The lawsuit alleges plaintiffs now face an elevated risk of identity theft and fraud as a result of the phishing attack and seeks monetary damages for all patients whose PHI was exposed. Upon discovery of the breach, Baystate Health secured its email system and launched an investigation. The investigation revealed the email accounts of nine employees had been compromised as a result of employees responding to phishing emails. The email accounts were subjected to unauthorized access and, as a result, the attacker(s) potentially gained access to patients’ PHI. For most patients, the information exposed was limited to names, birth dates, diagnoses, treatment information, and...

Read More
24,000 Patients Impacted by New Jersey Ransomware Attack
Apr30

24,000 Patients Impacted by New Jersey Ransomware Attack

Paramus, NJ-based orthopedic surgeon, Ronald Snyder, M.D., has learned that an office server containing patient billing information has been compromised and encrypted by ransomware. The attack took place on January 9, 2019 and prevented office staff from accessing patient files. The server was backed up regularly so it was possible to quickly restore almost all files that had been rendered inaccessible without having to pay any ransom demand. Third-party computer forensics consultants were brought in to assist with the investigation, but it was not possible to determine whether patient information had been accessed due to damage caused by the attack. No evidence was uncovered to suggest the attack was conducted as part of an attempt to gain access to patient information, although it was not possible to rule out data access. Consequently, all patients affected by the breach have been notified by mail. The following types of information were stored in files on the server: Names, addresses, dates of birth, genders, co-pay amounts, patient statuses, employment statuses, telephone...

Read More
Three Healthcare Phishing Incidents Result in Exposure of 10,000 Patient Records
Apr30

Three Healthcare Phishing Incidents Result in Exposure of 10,000 Patient Records

National Seating and Mobility, Partners for Quality, and Alana Healthcare have all recently started notifying patients that their protected health information has been exposed as a result of phishing incidents. 3,673 Clients Impacted by Partners For Quality Phishing Attack Partners For Quality, Inc., (PFQ), a provider of services and support for individuals with intellectual and developmental disabilities, discovered unusual activity within certain employee email accounts on February 19, 2019. Assisted by a third-party computer forensics company, PFQ determined that three email accounts had been accessed by an unauthorized individual between January 19 and February 27, 2019. Further analysis of the compromised email accounts revealed they contained the sensitive information of clients and employees. Clients affected by the breach had previously received services from PFQ, Allegheny Children’s Initiative Inc., Citizen Care Inc., Exceptional Adventures, or Milestone Centers Inc. A wide range of highly sensitive protected health information was stored in the compromised email accounts...

Read More
HHS Changes HITECH Act Penalties for HIPAA Violations
Apr29

HHS Changes HITECH Act Penalties for HIPAA Violations

The Department of Health and Human Services has issued a notification of enforcement discretion regarding the civil monetary penalties that are applied when violations of HIPAA Rules are discovered. The HHS has reduced the maximum financial penalty for HIPAA violations in three of the four penalty tiers. The Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 increased the penalties for HIPAA violations. The new penalties were based on the level of knowledge a HIPAA covered entity or business associate had about the violation and whether action was voluntarily taken to correct any violations. The 1st penalty tier applies when a covered entity or business associate is unaware that HIPAA Rules were violated and, by exercising a reasonable level of due diligence, would not have known that HIPAA was being violated. The 2nd tier applies when a covered entity knew about the violation or would have known had a reasonable level of due diligence been exercised, but when the violation falls short of willful neglect of HIPAA Rules. The 3rd penalty tier applies...

Read More
The Most Common HIPAA Violations You Should Be Aware Of
Apr26

The Most Common HIPAA Violations You Should Be Aware Of

The most common HIPAA violations that have resulted in financial penalties are the failure to perform an organization-wide risk analysis to identify risks to the confidentiality, integrity, and availability of protected health information (PHI); the failure to enter into a HIPAA-compliant business associate agreement; impermissible disclosures of PHI; delayed breach notifications; and the failure to safeguard PHI. The settlements pursued by the Department of Health and Human Services’ Office for Civil Rights (OCR) are for egregious violations of HIPAA Rules. Settlements are also pursued to highlight common HIPAA violations to raise awareness of the need to comply with specific aspects of HIPAA Rules. This article covers five of the most common HIPAA violations that have resulted in settlements with covered entities and their business associates over the past few years. Are Data Breaches HIPAA Violations? Data breaches are now a fact of life. Even with multi-layered cybersecurity defenses, data breaches are still likely to occur from time to time. OCR understands that healthcare...

Read More
Medical Billing Service Provider Suffers Ransomware Attack 7 Months After Computer Breach
Apr26

Medical Billing Service Provider Suffers Ransomware Attack 7 Months After Computer Breach

Doctors’ Management Service Inc., a Massachusetts-based provider of medical billing services, discovered on December 24, 2018 that malicious software had been downloaded to its network which prevented files from being accessed. An investigation into the security incident was initiated which determined GandCrab ransomware had been deployed. Files were recovered from backups and no ransom was paid. The investigation also revealed that the individual responsible for installing the ransomware had first gained access to its systems on April 1, 2017, 7 months before the ransomware was deployed. Access to the network was gained via Remote Desktop Protocol (RDP) on one of its workstations. Parts of the network that were subjected to unauthorized access contained the protected health information of patients of its clients, which included names, addresses, dates of birth, Social Security numbers, insurance information, Medicare/Medicaid ID numbers, driver’s license numbers, and some diagnostic information. The attack appeared to have been timed to ensure the attack would not be immediately...

Read More
Email Hacking Incidents Result in Exposure of 8,600 Patients’ PHI
Apr25

Email Hacking Incidents Result in Exposure of 8,600 Patients’ PHI

Three more healthcare organizations have discovered unauthorized individuals have gained access to the email accounts of employees and potentially accessed patients’ protected health information. In total, across the three incidents, the PHI of 8,635 patients has been exposed. PHI of 5,319 Patients of Center for Sight and Hearing Exposed Rockford, IL-based Center for Sight and Hearing discovered on January 23, 2019 that an unauthorized individual had gained access to the email account of an employee. The investigation revealed the account was compromised on January 18 and the account contained the PHI of 5,319 patients. A third-party computer forensics company confirmed on February 21, 2019 that names, addresses, and scheduling information was contained in the compromised account. To improve security, Center for Sight and Hearing has implemented a new password management system and multi-factor authentication. 2,290 Patients Notified About Harbor Behavioral Health Phishing Attack Harbor Behavioral Health, a network of counselling and mental health treatment centers in Northwest...

Read More
Washington State University Settles Class Action Data Breach Lawsuit for $4.7 Million
Apr23

Washington State University Settles Class Action Data Breach Lawsuit for $4.7 Million

A $4.7 million settlement has recently been approved by the King County Superior Court to reimburse individuals whose personal information was stolen from Washington State University in April 2017. Washington State University had backed up personal information on portable hard drives which were stored in a safe in a self-storage locker. On April 21, 2017, the university discovered a break-in had occurred at the storage facility and the safe had been stolen. The hard drives contained the sensitive personal information of 1,193,190 individuals. Most of the files on the hard drives were not encrypted. The drives contained the types of information sought by identity thieves: Names, contact information, and Social Security numbers, in addition to health data of patients, college admissions test scores, and other information. The information dated back around 15 years and had been collected by the WSU Social and Economic Sciences Research Center for a research project. While the hard drive was stolen, Washington State University maintains there are no indications any data stored on the...

Read More
Unsecured Database of Addiction Service Provider Potentially Contained Records of 145,000 Patients
Apr23

Unsecured Database of Addiction Service Provider Potentially Contained Records of 145,000 Patients

A database containing highly sensitive information of patients who had previously sought treatment for addiction at rehabilitation centers has been discovered to be freely accessible over the internet. The database contained approximately 4.91 million records which related to an estimated 145,000 patients of the Levittown, PA-based addiction rehabilitation service provider Steps to Recovery. The unsecured database was discovered on March 24, 2019 by Justin Paine, Director of Trust and Safety at Cloudflare. Following the discovery, Paine notified Steps to Recovery and its hosting provider on March 24. No reply was received from Steps to Recovery, but its hosting company made contact and the database has now been secured and is no longer accessible online. Paine had performed a search on the Shodan search engine to identify unsecured databases and devices. According to Paine, the ElasticSearch database contained two indexes which included more than 1.45 GB of data. The information could be accessed by anyone over the internet without the need for any authentication. The database was...

Read More
60,000 Records Exposed in EmCare Phishing Attack
Apr23

60,000 Records Exposed in EmCare Phishing Attack

The Dallas, TX-based physician staffing company EmCare has announced that it has suffered a data breach that has impacted approximately 60,000 individuals, 31,000 of whom were patients. The exposed information was detailed in emails and email attachments in employee email accounts that were accessed by an unauthorized individual after several employees responded to phishing emails and disclosed their email credentials. It is unclear from Emcare’s breach notice when the breach occurred and how long the attackers had access to email accounts. The breach was discovered on February 19, 2019. An investigation was launched and, assisted by a third-party computer forensics company, it was discovered that the compromised email accounts contained information about patients, employees, and contractors. The following information was saved in email accounts and was potentially accessed or copied by the attackers: Names, dates of birth, driver’s license numbers, Social Security numbers, demographic information, and clinical information. The investigation did not uncover evidence to suggest...

Read More
Klaussner Furniture Industries Discovers Health Plan Data of 9,352 Employees Has Potentially Been Compromised
Apr19

Klaussner Furniture Industries Discovers Health Plan Data of 9,352 Employees Has Potentially Been Compromised

The protected health information of 9,352 current and former employees of Klaussner Furniture Industries, Inc., and some dependents of those employees, has been exposed as a result of a security breach. In February 2019, Klaussner Furniture learned that computers had been accessed by unauthorized individuals. A leading cybersecurity firm was retained to conduct a forensic investigation, which confirmed that two computers had been accessed by an unauthorized third party. An analysis of the computers revealed they contained files that included first and last names, dates of birth, addresses, Social Security numbers, health benefit election(s), and some health information. No evidence was found that suggests employee information was accessed, copied, or misused, although it was not possible to rule out data access and exfiltration. Individuals whose information was exposed had either worked at the company in 1998 or were employed at some point between 2004 and February 25, 2019. The sensitive information of dependents of those employees was only exposed if they had been listed on...

Read More
Centrelake Medical Group Discovers Servers Compromised and Virus Deployed
Apr18

Centrelake Medical Group Discovers Servers Compromised and Virus Deployed

Centrelake Medical Group, a network of 8 medical imaging and oncology centers in California, is notifying certain patients that some of their protected health information has been exposed as a result of a computer virus. The computer virus was discovered in February 2019 when it prevented the medical group from accessing its files. The virus appears to be a form of ransomware, although no mention of ransomware or a ransom demand was made in the media notice issued by Centrelake. Centrelake retained a computer forensics company to assist with the investigation to determine the scope of the attack and whether any files containing protected health information had been accessed or copied. The investigation revealed an unauthorized individual had gained access to its servers on January 9, 2019. Prior to deploying the virus on February 19, 2019, the unauthorized individual was able to access the servers undetected. It is not unusual for ransomware to be installed on systems after hackers have breached security defenses. In some cases, ransomware is deployed after the system has been...

Read More
11,639 Individuals Impacted by Riverplace Counseling Center Malware Attack
Apr18

11,639 Individuals Impacted by Riverplace Counseling Center Malware Attack

Riverplace Counseling Center in Anoka, MN, has discovered malware has been installed on its systems which may have allowed unauthorized individuals to gain access to patients’ protected health information. The malware infection was discovered on January 20, 2019. The counseling center engaged an IT firm to conduct a forensic analysis, remove the malware, and restore its systems from backups. The analysis was completed on February 18, 2019. The IT firm did not find evidence that suggested patient information had been subjected to unauthorized access or had been copied, but data access and PHI theft could not be totally ruled out. The types on information stored on the affected systems included names, addresses, dates of birth, health insurance information, Social Security numbers, and treatment information. Affected individuals were notified about the data breach on April 11, 2019 and have been offered identity theft monitoring services via Kroll for 12 months at no cost. No reports have been received to date to suggest any patients’ PHI has been misused. Riverplace Counseling...

Read More
Clearway Pain Solutions Institute Discovers Unauthorized EMR System Access
Apr18

Clearway Pain Solutions Institute Discovers Unauthorized EMR System Access

Gulf Coast Pain Consultants, dba Clearway Pain Solutions Institute, has discovered its EMR system has been accessed by an unauthorized individual. An investigation was launched following the discovery of the breach on February 20, 2019. The investigation revealed the individual accessed a range of patient information. The types of information that were accessed included patients’ names, telephone numbers, home addresses, email addresses, dates of birth, Social Security numbers, health insurance information, name of referring provider, and demographic information. Clinical information contained in medical records could not be accessed and no financial information was exposed. Unauthorized access to the system has now been blocked, a full review of all EMR accounts has been conducted, and access levels and EMR system activity has been validated for all user accounts. A review of policies and procedures is being conducted with regards to the accessing of patient information and updates will be made as appropriate. All patients affected by the breach are now being notified and are...

Read More
Blue Cross of Idaho Website Hacked and Attempts Made to Reroute Payments
Apr17

Blue Cross of Idaho Website Hacked and Attempts Made to Reroute Payments

Blue Cross of Idaho has discovered its website has been hacked and an unauthorized individual gained access to its member portal and viewed the protected health information of some of its members. Blue Cross of Idaho is one of the largest health insurers in the state and serves approximately 560,000 Idahoans. Blue Cross of Idaho’s executive vice president Paul Zurlo said the breach affected around 1% of its members – around 5,600 individuals. (Update 05/03/2019: The HHS breach portal indicates 6,045 individuals have been affected) The website security breach occurred on March 21, 2019 and was discovered the following day. During the time that portal access was possible, the hacker accessed provider remittance documents and attempted to reroute provider financial transactions. Upon discovery of the breach, Blue Cross of Idaho terminated the unauthorized access and secured its portal to prevent financial fraud and further accessing of documents. The incident was reported to the FBI and the investigation remains open. The health insurer is working with internal and external...

Read More
Metrocare Services Suffers Second Phishing Attack in Two Months
Apr17

Metrocare Services Suffers Second Phishing Attack in Two Months

Metrocare Services, a provider of mental health services in North Texas, has experienced a phishing attack which saw the email accounts of several employees accessed by an unauthorized individual. The breach was detected on February 6, 2019 and the affected email accounts were rapidly blocked to prevent further access. The investigation revealed the accounts were first compromised in January 2019. An analysis of the affected accounts revealed they contained the protected health information of 5,290 patients. Patients were notified on April 5, 2019 that the following information could potentially have been accessed as a result of the attack: Name, date of birth, driver’s license information, health insurance information, health information related to the services provided by Metrocare, and for certain patients, Social Security numbers. The breach investigation did not uncover any evidence to suggest emails containing ePHI had been accessed or copied, but ePHI access and theft could not be ruled out. Individuals whose Social Security number was exposed have been offered free access...

Read More
Health Recovery Services Notifies 20,485 Patients About Potential PHI Breach
Apr16

Health Recovery Services Notifies 20,485 Patients About Potential PHI Breach

Health Recovery Services, an Athens, OH-based provider of alcohol and drug addiction services, is notifying 20,485 patients that some of their protected health information may have been accessed by an unauthorized individual. On February 5, 2019, Health Recovery Services discovered an unauthorized IP address had remotely accessed its computer network. Network and information systems were taken offline to prevent further access and a forensic expert was retained to conduct an investigation to determine the nature and scope of the breach. On March 15, 2019, the forensic investigator determined that the IP address first accessed the network on November 14, 2018 and access remained possible until February 5. No evidence was uncovered to suggest any patient information was accessed or copied, although the possibility of data access and theft could not be totally ruled out. Patients whose protected health information was exposed have been notified by mail ‘out of an abundance of caution’. The types of patient information contained in files on the compromised server included names,...

Read More
March 2019 Healthcare Data Breach Report
Apr15

March 2019 Healthcare Data Breach Report

In March 2019, healthcare data breaches continued to be reported at a rate of one a day. 31 healthcare data breaches were reported to the HHS’ Office for Civil Rights by HIPAA-covered entities and their business associates. The March total is almost 14% higher than the average of the past 60 months.   The number of reported breaches fell by 3.12% month over month and there was a 56.79% decrease in the number of breached healthcare records. March saw the healthcare records of 912,992 individuals exposed, impermissibly disclosed, or stolen as a result of healthcare data breaches. Causes of March 2019 Healthcare Data Breaches The HHS’ Office for Civil Rights groups together hacking and other IT incidents such as malware and ransomware attacks. This category dominated the breach reports in March with 19 incidents reported. Hacking/IT incidents accounted for 88.40% of all compromised records (807,128 records). There were 8 unauthorized access/disclosure incidents reported in March. 81,904 healthcare records were impermissibly accessed or disclosed. There were also four theft...

Read More
Minnesota DHS Suffers Another Phishing Attack: State IT Services Struggling to Cope with Barrage of Attacks
Apr12

Minnesota DHS Suffers Another Phishing Attack: State IT Services Struggling to Cope with Barrage of Attacks

The Minnesota Department of Human Services (DHS) has discovered another employee email account has been compromised as a result of a phishing attack. The latest incident has only just been reported, although the breach occurred on or before March 26, 2018. Three Phishing Attacks: 31,800 Records Exposed The breach is in addition to two other phishing attacks that saw email accounts compromised in June and July of 2018. Those attacks were announced in October 2018 and resulted in the exposure of 20,800 Minnesotans’ PHI. The March 26 email account compromise saw the PHI of 10,263 Minnesotans exposed. The March phishing attack allowed the attacker to gain access to the email account of an employee of the Direct care and Treatment Administration. Emails were then sent from that account to co-workers requesting wire transfers be made. The email requests were flagged as suspicious and were reported to MNIT, which secured the account. No wire transfers were made. During the time that the account was accessible, the attacker potentially accessed emails in the account which included...

Read More
PHI of 17,531 Patients Potentially Compromised in Business Associate Phishing Attack
Apr10

PHI of 17,531 Patients Potentially Compromised in Business Associate Phishing Attack

Women’s Health USA Inc., an Avon, CT-based business associate that provides a range of practice management services to healthcare organizations, has experienced a phishing attack that has resulted in the exposure of patients’ protected health information. An investigation was launched following the discovery of suspicious activity within certain employee email accounts. The affected email accounts were secured, and a leading cybersecurity firm was engaged to assist with the investigation and determine the nature and extent of the breach. The investigation confirmed that the email accounts of two employees had been accessed by unauthorized individuals as a result of the employees responding to phishing emails and disclosing their email credentials. The first email account breach occurred on April 5, 2018 and the second account was breached on August 13, 2018. A review of the emails and email attachments in the account revealed they contained a limited amount of protected health information. The exposed information varied from patient to patient but may have included name, date of...

Read More
PHI of 23,811 Palmetto Health Patients Exposed in Phishing Attack
Apr10

PHI of 23,811 Palmetto Health Patients Exposed in Phishing Attack

Palmetto Health – Now Prisma Health – has experienced a phishing attack that has resulted in several email accounts being accessed by unauthorized individuals. Emails were sent to Palmetto Health employees which contained a malicious hyperlink. When the link in the emails was clicked, employees were directed to a realistic-looking web page where they were required to enter their email credentials. Doing so disclosed those credentials to the attackers, who used them to gain access to the email accounts. A third-party computer forensics firm was retained to conduct an investigation into the breach to determine the nature and extent of access and whether any patients’ protected health information had been accessed or obtained. The forensics firm determined that the first of the email accounts were compromised in November 2018. The review process took some time to complete as emails had to be manually checked to determine whether they contained any protected health information. The review process was completed on February 19, 2019 and revealed the protected health information of...

Read More
12,000 Patients of Baystate Health Notified of PHI Exposure Due to Phishing Attack
Apr09

12,000 Patients of Baystate Health Notified of PHI Exposure Due to Phishing Attack

Massachusetts-based Baystate Health has experienced a phishing attack that has resulted in the exposure of the protected health information of approximately 12,000 patients. Several employee email accounts were compromised between February 7 and March 7, 2019. The phishing attacks were identified during the same time frame and in each case, the compromised email accounts were immediately secured. A third-party computer forensics firm was engaged to assist with the investigation. An analysis of the compromised email accounts revealed they contained patients’ names, dates of birth, diagnoses, treatment information, medications and, in some cases, Social Security numbers, health insurance information, and Medicare numbers. All patients whose protected health information was potentially accessed as a result of the attack were notified by mail on April 5. Patients whose Social Security number was exposed have been offered one year of credit monitoring and identity theft protection services without charge. Those services have been offered as a precaution. No evidence has been uncovered...

Read More
Hardin Memorial Health Cyberattack Results in EHR Downtime
Apr09

Hardin Memorial Health Cyberattack Results in EHR Downtime

Hardin Memorial Health in Kentucky has experienced a cyberattack which caused disruption to its IT systems and EHR downtime. The cyberattack started on the evening of Friday April 5. A statement issued by a spokesperson for the health system confirmed that IT systems were disrupted as a result of a security breach. Details of the cyberattack have not yet been released so it is unclear whether this was a hacking incident, malware or ransomware attack. The health system has been working round the clock to restore affected systems and servers. Hardin Memorial Health’s IT team has already brought most IT systems back online and has restored access to its EHR system in some units. Despite the lack of access to its EHR system, business continued as usual and the hospital did not have to cancel appointments. All 50 of its locations remained open. “At no time during this event has the quality and safety of patient care been affected,” said HMH Vice President and Chief Marketing and Development Officer, Tracee Troutt. Upon discovery of the security breach, emergency procedures were...

Read More
Emotet Malware Potentially Exfiltrated PHI of Oregon Endodontic Group Patients
Apr08

Emotet Malware Potentially Exfiltrated PHI of Oregon Endodontic Group Patients

Oregon Endodontic Group has discovered malware has been installed on an office computer which potentially exported data contained in the office’s email account. On November 13, 2018, Oregon Endodontic Group detected suspicious activity within an email account used at its offices. A third -party forensic firm was engaged to assist with the investigation and identify the nature and scope of the security breach. The firm confirmed that a malware variant called Emotet had been downloaded onto an office computer. Emotet is a banking Trojan that is capable of exfiltrating data contained in email accounts. The computer forensics firm could not confirm whether any email data had been exfiltrated, but the possibility could not be ruled out. The email account concerned was analyzed to determine whether it contained any protected health information. The analysis was completed on February 11, 2019. The types of information contained in the account were limited to names along with one of more of the following data elements: Date of birth, diagnosis information, treatment information, and health...

Read More
1,600 Ohio Patients Notified of Impermissible PHI Disclosure
Apr08

1,600 Ohio Patients Notified of Impermissible PHI Disclosure

993 Ohioans who receive benefits from Medicaid or the Ohio Department of Job and Family Services (ODJFS) are being notified that some of their protected health information has been disclosed to unauthorized individuals as a result of a computer error. Three separate incidents were identified. On February 16, 2019, a computer error resulted in a limited amount of protected health information (PHI) of 250 users of the Ohio Benefits Self-Service Portal to appear in another user’s account. The error was identified and corrected the same day. Two further incidents occurred on March 20, 2019. A computer error caused information entered into the Ohio Benefits portal to be saved to incorrect accounts. The computer error has been temporarily fixed and a permanent solution is being developed to prevent any recurrences. As many as 100 individuals were affected. 608 members of ODJFS, 34 recipients of Medicaid benefits, and one individual who received both types of benefits, had some of their PHI mailed to 5 different people as a result of a computer error. The computer error was corrected on...

Read More
Phishing Attack Impacts 14,305 Patients of Main Line Endoscopy Centers
Apr04

Phishing Attack Impacts 14,305 Patients of Main Line Endoscopy Centers

Main Line Endoscopy Centers, a network of outpatient endoscopy facilities in the Malvern, Bala Cynwyd, and Media regions of Pennsylvania, has discovered an unauthorized individual has gained access to the email account of one of its employees following a response to a phishing email. It is not clear exactly when the account was breached, but it was discovered by Main Line on January 30, 2019. A leading computer forensics firm was retained to assist with the investigation and determine which, if any, emails in the account had been opened and whether any patient information had been compromised. The investigation confirmed that the attackers potentially gained access to the protected health information of certain patients, which included names, dates of birth, and limited clinical information. Some patients also had their Social Security number, driver’s license number, and/or health insurance information exposed. All patients affected by the breach were sent breach notification letters on March 29, 2019 and individuals whose Social Security number or driver’s license number were...

Read More
Michigan Practice Forced to Close Following Ransomware Attack
Apr02

Michigan Practice Forced to Close Following Ransomware Attack

A ransomware attack can prove costly to resolve. That cost was not deemed worth it by one Michigan practice, which has now permanently closed its doors. The ransomware encrypted the system at Brookside ENT and Hearing Center in Battle Creek which housed patient records, appointment schedules, and payment information rendering the data inaccessible. The attackers claimed to be able to provide a key to unlock the encryption, but in order to obtain the key to decrypt files, a payment of $6,500 was required. The two owners of the practice, William Scalf, MD and John Bizon, MD, decided not to pay the ransom as there was no guarantee that a valid key would be supplied and, after paying, the attackers could simply demand another payment. Since no payment was made, the attackers deleted all files on the system ensuring no information could be recovered. The partners decided to take early retirement rather than having to rebuild their practice from scratch. The FBI was alerted to the security incident and explained that this appeared to be an isolated attack. No patient data appeared to...

Read More
Lawsuit Alleges Sharp Grossmont Hospital Secretly Recorded Patients Having Gynecology Operations
Apr01

Lawsuit Alleges Sharp Grossmont Hospital Secretly Recorded Patients Having Gynecology Operations

A lawsuit has been filed against Sharp HealthCare and Sharp Grossmont Hospital which alleges the hospital secretly recorded video footage of female patients undressing and having gynaecological examinations performed. According to the lawsuit, the hospital installed video cameras in three operating rooms as part of an internal investigation into the theft of the anaesthesia drug, propofol, from drug carts. The cameras were actively recording between July 17, 2012 and June 30, 2013 at its facility on Grossmont Center Drive in El Cajon, San Diego. During the time that the cameras were recording 1,800 patients were filmed undergoing procedures such as hysterectomies, Caesarean births, dilation and curettage for miscarriages, and other surgical procedures. The motion-activated cameras had been installed on drug carts and continued to record even after motion had stopped. A spokesperson for Sharp Grossmont Hospital confirmed that three cameras had been installed to ensure patient safety by determining the cause of missing drugs from the carts. The lawsuit states that, “At times,...

Read More
Security Breaches Reported by DePaul and Southern Hills Eye Care
Apr01

Security Breaches Reported by DePaul and Southern Hills Eye Care

DePaul, a provider of assisted living facilities and healthcare services in New York, North Carolina, and South Carolina, is alerting certain members of its behavioral health program that some of their protected health information has been exposed as a result of a phishing attack. The breach was discovered on February 1, 2019 and the account was immediately secured. The investigation into the breach confirmed that a single email account had been compromised as a result of an employee being fooled by a phishing scam. The email account contained approximately 41,000 emails, which needed to be checked to determine whether they contained any sensitive information. The vast majority of the emails in the account did not contain any significant medical or psychiatric information; however, a small number of emails contained information such as first and last names, dates of birth, and/or Social Security numbers. The aim of the attack appeared to be to use the compromised email account to send further phishing emails. No evidence was found to suggest the attacker viewed or copied emails...

Read More
67,493 Patients of Burrell Behavioral Health Impacted by Business Associate Breach
Apr01

67,493 Patients of Burrell Behavioral Health Impacted by Business Associate Breach

Burrell Behavioral Health is notifying 67,493 patients that their medical records have been accidentally exposed as a result of an error made by an unnamed business associate in August 2018. The error was introduced into the business associate’s internet-facing portal, which resulted in images of Burrell Behavioral Health patients’ protected health information being exposed. The images contained information such as: Name, address, telephone number, birth date, gender, dates of service, types of service provided, health insurance information, driver’s license number, and Social Security number. The exposure of patient data was brought to the attention of Burrell Behavioral Health on January 30, 2019. Burrell Behavioral Health notified its business associate about the data exposure and the server was immediately secured. A forensic investigation was conducted to determine which information had been exposed and whether it was subjected to unauthorized access. The investigation revealed patient information was uploaded to the server in August 2018. No evidence was uncovered to suggest...

Read More
Texas Department of Aging and Disability Services Agrees to $1.6 Million Settlement Over 2015 Data Breach
Mar27

Texas Department of Aging and Disability Services Agrees to $1.6 Million Settlement Over 2015 Data Breach

The Department of Health and Human Services’ Office for Civil Rights has agreed to settle a HIPAA violation case with the Texas Department of Aging and Disability Services (DADS) to resolve HIPAA violations discovered during the investigation of a 2015 data breach that exposed the protected health information of 6,617 Medicaid recipients. The breach was caused by an error in a web application which made ePHI accessible over the internet for around 8 years. DADS submitted a breach report to OCR on June 11, 2015. OCR launched an investigation into the breach to determine whether there had been any violation of HIPAA Rules. On July 2015, OCR notified DADS that the investigation had revealed there had been multiple violations of HIPAA Rules. DADS was deemed to have violated the risk analysis provision of the HIPAA Security Rule – 45 C.F.R. § 164.308(a)(1)(ii)(A) – by failing to conduct a comprehensive, organization-wide risk analysis to identify potential risks to the confidentiality, integrity, and availability of ePHI. There had also been a failure to implement appropriate...

Read More
Superior Dental Care Patients Informed of PHI Exposure Due to Email Account Breach
Mar26

Superior Dental Care Patients Informed of PHI Exposure Due to Email Account Breach

The Centerville, Ohio dental insurance carrier, Superior Dental Care, has discovered an unauthorized individual has gained access to an employee’s email account and potentially viewed the protected health information of certain members. The email account breach was detected on January 23, 2019 following the identification of suspicious activity within the employee’s email account. The password for the account was immediately changed and further unauthorized access was prevented. A third-party computer forensics firm was called in to assist with the investigation and determine the nature and scope of the breach. On February 11, 2019, Superior Dental Care learned that the account had been accessed by an unidentified third party and unauthorized access to the email account was first gained on December 21, 2018. The email account contained information such as names, addresses, Social Security numbers, medical information, and payment information related to dental services received. All individuals affected by the breach have now been notified by mail and the breach has been reported to...

Read More
D.C. Attorney General Proposes Tougher Breach Notification Laws
Mar25

D.C. Attorney General Proposes Tougher Breach Notification Laws

Washington D.C. Attorney General Karl. A. Racine is looking to strengthen data breach notification laws to provide greater protection for D.C. residents when their personal information is exposed in a data breach. On March 21, 2019, Attorney General Racine introduced the Security Breach Protection Amendment Act, which expands the definition of personal information that warrants notifications to be sent to consumers in the event of a data breach. Currently laws in the District of Columbia require breach notifications to be sent if there has been a breach of Social Security numbers, driver’s license numbers, or financial information such as credit and debit card numbers. If passed, the Security Breach Protection Amendment Act will expand the definition of personal information to include taxpayer ID numbers, genetic information including DNA profiles, biometric information, passport numbers, military Identification data, and health insurance information. Attorney General Racine said one of the main reasons why the update was required was to better protect state residents from breaches...

Read More
PHI Exposed in Three Recent Email Security Incidents
Mar25

PHI Exposed in Three Recent Email Security Incidents

Three email system breaches have been reported in the past few days that have resulted in unauthorized individuals gaining access to email accounts containing protected health information. Navicent Health Notifies Patients About July 2018 Phishing Attack Macon, GA-based Navicent Health is notifying certain patients that some of their protected health information has potentially been compromised as a result of an cyberattack on its email system. Upon discovery of the breach in July 2018, law enforcement was notified and a leading computer forensics firm was hired to investigate the breach. Navicent Health explained in a substitute breach notice on its website that it only became clear on January 24 that email accounts containing patient information had been breached. No reason was given as to why it took 6 months from the discovery of the breach to determine that patients’ PHI had been compromised. The types of information potentially accessed by the attackers included names, addresses, dates of birth, and some medical information such as appointment dates and billing information....

Read More
350,000 Affected by Oregon Department of Human Services Phishing Attack
Mar22

350,000 Affected by Oregon Department of Human Services Phishing Attack

Oregon Department of Human Services (ODHS) has experienced a phishing attack that has potentially allowed unauthorized individuals to view or obtain the protected health information of more than 350,000 individuals. ODHS learned on January 28, 2019 that unauthorized individuals had gained access to email accounts containing clients’ personal information. Third-party forensics experts from IDExperts were called in to determine the number of individuals affected, the types of data that could have been accessed, and whether clients’ personal information had been extracted. The investigation conformed that nine employees had clicked links in phishing emails and divulged their login credentials, which allowed the attackers to gain access to their email accounts. The first account was compromised on January 8, 2019. The compromised email accounts contained almost 2 million emails. Checks are still being performed to find out which individuals have been affected. ODHS has confirmed that emails in the account contained information such as clients’ first and last names, addresses, birth...

Read More
UCLA Health Settles Class Action Data Breach Lawsuit for $7.5 Million
Mar22

UCLA Health Settles Class Action Data Breach Lawsuit for $7.5 Million

UCLA Health has settled a class action lawsuit filed on behalf of victims of data breach that was discovered in October 2014. UCLA Health has agreed to pay $7.5 million to settle the lawsuit. UCLA Health detected suspicious activity on its network in October 2014 and contacted the FBI to assist with the investigation. The forensic investigation confirmed that hackers had succeeded in gaining access to its network, although at the time it was thought that they did not access the parts of the network where patients’ medical information was stored. However, on May 5, 2015, UCLA confirmed that the hackers had gained access to parts of the network containing patients’ protected health information and may have viewed/copied names, addresses, dates of birth, Medicare IDs, health insurance information, and Social Security numbers. In total, 4.5 million patients were affected by the breach. The Department of Health and Human Services’ Office for Civil Rights investigated the breach and was satisfied with UCLA Health’s breach response and the technical and administrative safeguards that had...

Read More
Verity Health System Suffers Third Phishing Breach in 3 Months
Mar21

Verity Health System Suffers Third Phishing Breach in 3 Months

Verity Health System patients’ PHI was exposed in a phishing attack in 2016, in two further phishing attacks in November 2018, and the 6-hospital health system has now announced yet another attack occurred in January 2019. The latest phishing incident has impacted 14,894 patients. Three employees’ email accounts were compromised in the last three phishing attacks. Verity Health System explained in its breach notification letters that no evidence was uncovered to suggest any patients’ protected health information had been accessed by unauthorized individuals. The attacks are believed to have been conducted for use in further phishing attacks on other individuals in the organization, although PHI access could not be ruled out. The types of information exposed in the latest attack includes names, addresses, contact telephone numbers, dates of birth, diagnoses, treatment information, health insurance policy numbers, subscriber numbers, patient ID numbers, and billing codes. Some of the files attached to emails also included Social Security numbers and driver’s license numbers. Some...

Read More
Medical Device Manufacturer Notifies 277,319 Patients About PHI Exposure
Mar21

Medical Device Manufacturer Notifies 277,319 Patients About PHI Exposure

The Pennsylvania medical device manufacturer and software developer, ZOLL Medical Corporation, has started notifying 277,319 patients about the accidental exposure of some of their personal and medical information. The information was contained in emails that had been archived using a third-party email archiving solution. During a server migration, archived emails were exposed and could potentially have been accessed by unauthorized individuals. Upon discovery of the breach, ZOLL initiated an investigation and hired a third-party computer forensics company to determine whether any unauthorized individuals had accessed emails and viewed or downloaded patient information. The investigation revealed protections had been removed on November 8, 2018 and emails remained accessible until December 28, 2018. No evidence was uncovered to suggest any sensitive information was accessed by unauthorized individuals, but it was not possible to rule out the possibility that personal and medical information had been compromised. An analysis of the archived emails revealed they contained patient...

Read More
Northwestern Medicine Sued Over Medical Information Disclosure on Twitter
Mar20

Northwestern Medicine Sued Over Medical Information Disclosure on Twitter

Northwestern Medicine Regional Medical Group is being sued by a patient whose sensitive medial information was disclosed on Twitter and Facebook. Gina Graziano discovered some of her sensitive medical information had been disclosed on social media websites and contacted Northwestern Medicine to complain about the privacy investigation. Northwestern Medicine investigated the complaint and determined that Graziano’s medical records had been accessed on two separate occasions by a hospital employee who had no treatment relationship with Graziano. The records were accessed on March 5 and 6, 2019, using an employee’s login credentials. Graziano’s medical file contained a range of sensitive information, including her personal details, the reason for a recent visit to the emergency department, lab test results, medications, medical history, imaging results, and other information. Sensitive information which Graziano did not want to be placed in the public domain was disseminated on social media sites causing her to be publicly humiliated. While Northwestern Medicine did not disclose the...

Read More
Database of New Jersey Healthcare Provider Found to be Leaking Patient Data
Mar20

Database of New Jersey Healthcare Provider Found to be Leaking Patient Data

Another unsecured healthcare database has been discovered which contains an estimated 37,000 records. The discovery was made on March 1, 2019 by security researcher Jeremiah Fowler. A brief analysis of the database appeared to show the records belonged to the New Jersey healthcare provider, Home Health Radiology Services LLC. The database contained highly sensitive patient information such as names, addresses, phone numbers, and dates of birth along with medical notes, diagnoses, treatment information, insurance information, and in some cases, Social Security numbers. In a recent blog post on securitydiscovery.com, Fowler explained that 37,000 case files were found along with 1,540 doctor’s information records, chat logs, emails, support tickets, and many other sensitive files. The records were mostly contained in an Elastic database which could be accessed over the internet by anyone without the need for any authentication. The unsecured database was reported to Home Health Radiology Services, which promptly secured the database to prevent any further unauthorized access. It is...

Read More
Potentially Massive Breach of Protected Health Information Discovered
Mar19

Potentially Massive Breach of Protected Health Information Discovered

Sacramento, CA-based medical software provider Meditab Software Inc., and it’s San Juan, PR-based affiliate, MedPharm Services have suffered a massive breach of protected health information. Meditab provides electronic medical record (EMR) and practice management software to hospitals, physician’s offices, and pharmacies. According to the company website, its software is used by more than 2,200 healthcare clients. Meditab also provides a fax processing service and one of the servers used for processing faxes has been discovered to be leaking data and could be accessed over the internet without the need for any authentication. The unprotected fax server was discovered by the Dubai-based cybersecurity firm SpiderSilk. The fax server was hosted on a subdomain of MedPharm Services and housed an Elastisearch database containing fax communications. Those faxes could be accessed in real time. The database was created in March 2018 and housed more than 6 million records. It is currently unclear how many of those records contained protected health information. According to a recent report...

Read More
February 2019 Healthcare Data Breach Report
Mar18

February 2019 Healthcare Data Breach Report

Healthcare data breaches continued to be reported at a rate of more than one a day in February. February saw 32 healthcare data breaches reported, one fewer than January. The number of reported breaches may have fell by 3%, but February’s breaches were far more severe. More than 2.11 million healthcare records were compromised in February breaches – A 330% increase from the previous month. Causes of Healthcare Data Breaches in February 2019 Commonly there is a fairly even split between hacking/IT incidents and unauthorized access/disclosure incidents; however, in February, hacking and IT incidents such as malware infections and ransomware attacks dominated the healthcare data breach reports. 75% of all reported breaches in February (24 incidents) were hacking/IT incidents and those incidents resulted in the theft/exposure of 96.25% of all records that were breached. All but one of the top ten healthcare data breaches in February were due to hacks and IT incidents. There were four unauthorized access/disclosure incidents and 4 cases of theft of physical or electronic PHI. The...

Read More
Three Healthcare Ransomware Attacks Reported: 70,000 Individuals Affected
Mar13

Three Healthcare Ransomware Attacks Reported: 70,000 Individuals Affected

Three ransomware attacks have been reported by healthcare organizations and vendors in the past few days. The PHI of almost 70,000 patients has potentially been compromised in the attacks. 50,000 Individuals Affected by Ransomware Attack on Delaware Guidance Services for Children and Youth Delaware Guidance Services for Children and Youth (DGS) was forced to pay a ransom to recover files that had been encrypted in a Christmas Day ransomware attack. DGS has not publicly disclosed how much was paid for the decryption keys to unlock the files on its data servers. After recovering files, DGS engaged an IT firm to conduct a forensic analysis to determine whether the attackers had gained access to sensitive information prior to encrypting files. The firm found no evidence to suggest that any protected health information had been compromised or stolen. The attack appeared to have been conducted solely for the purpose of extorting money from DGS. DGS started sending notification letters to the parents and guardians on February 26, 2019 alerting them that sensitive information had been...

Read More
More Than 600,000 Michigan Residents Affected by Wolverine Solutions Breach, Warns AG Nessel
Mar13

More Than 600,000 Michigan Residents Affected by Wolverine Solutions Breach, Warns AG Nessel

Michigan Attorney General Dana Nessel has issued a warning to Michigan residents about the ransomware attack on Detroit-based Wolverine Solutions Group, which she says may have affected more than 600,000 Michigan residents. Nessel has advised all individuals who receive a breach notification letter to sign up for credit monitoring services, to monitor their accounts and EoB statements for signs of fraudulent use of their data, to place a fraud alert on their credit file and to consider freezing their credit file as a protection against fraud and identity theft. The cyberattack on Wolverine Solutions Group occurred on or around September 23, 2018. Critical systems were mostly restored within a month, but it has taken considerably longer to determine which clients had been affected. Some clients were only notified about the extent of the attack in March. While the types of information differ from company to company and individual to individual, the exposed information may include data elements such as names, addresses, dates of birth, social security numbers, insurance contract...

Read More
Business Associate Starts Issuing Notifications About August 2018 Laptop Theft
Mar12

Business Associate Starts Issuing Notifications About August 2018 Laptop Theft

A Massachusetts business associate has discovered the electronic protected health information (ePHI) of 2,088 individuals has potentially been viewed by unauthorized individuals. The ePHI was stored on an employee’s laptop computer that was stolen on August 23, 2018. RSC Insurance Brokerage, dba Re-Solutions, started notifying affected healthcare providers about the breach of their patients’ PHI on January 22, 2019, 5 months after the discovery of the theft of the laptop. According to the breach notice submitted to the California Attorney General, a third-party cyber security firm was called in to help determine what files had been stored on the laptop, the types of information that was accessible, and how many individuals had potentially been impacted. The theft was reported to law enforcement at the time and the employee’s credentials were changed to ensure that the laptop could not be used to access RSC systems. However, files were stored on the laptop and could potentially be accessed as while the device was protected with a password, it was not encrypted. No evidence of...

Read More
20K Patients of Pasquotank-Camden Emergency Medical Services Impacted by Server Hack
Mar11

20K Patients of Pasquotank-Camden Emergency Medical Services Impacted by Server Hack

Pasquotank-Camden Emergency Medical Services (PCEMS) has discovered hackers have infiltrated a server that housed its billing system, which contained the protected health information of 20,420 patients. As a result of the intrusion, the hackers potentially gained access to the highly sensitive information of individuals who had previously received medical services from PCEMS. The types of information stored on the server included names, birth dates, Social Security numbers, and some medical information that had been collected by PCEMS. The breach was reported immediately to the Sheriff of Pasquotank County and federal law enforcement agencies, who determined that the hackers were based outside the United States. No evidence was found to indicate patients’ protected health information was stolen and at the time of issuing notification letters to patients, no reports had been received to suggest patient information had been misused. Since data theft could not be ruled out, PCEMS has offered all affected patients 12 months of free credit monitoring and identity theft protection...

Read More
Emerson Hospital Alerts Patients to May 2018 Breach at Claims Processing Vendor
Mar11

Emerson Hospital Alerts Patients to May 2018 Breach at Claims Processing Vendor

Emerson Hospital in Concord, MA, is alerting 6,314 patients that some of their protected health information has been exposed due to a security breach at a third-party vendor in May 2018. The hospital explained that the breach occurred between May 9 and May 17, 2018 and was an unauthorized disclosure incident. A former employee of MiraMed Global Services, a company that helps the hospital collect payments, was discovered to have sent files containing protected health information to a third-party who was not authorized to receive the information. The files contained the types of information usually sought by identity thieves, including names, addresses, Social Security numbers, and insurance policy information. Financial information and health information were not compromised. The employee responsible was fired over the breach and the matter was reported to law enforcement. It is unclear whether the employee responsible has been charged over the theft. A forensic investigation confirmed that ePHI had been stolen, but a spokesperson for the hospital issued a statement saying, “A...

Read More
‘Dozens’ of Northwestern Memorial Hospital Employees Fired for Accessing Jussie Smollett’s Medical Records
Mar08

‘Dozens’ of Northwestern Memorial Hospital Employees Fired for Accessing Jussie Smollett’s Medical Records

A major case of snooping on celebrity medical records has been reported that has resulted in dozens of healthcare workers being fired from Chicago’s Northwestern Memorial Hospital for allegedly accessing the medical records of Jussie Smollett without authorization. Jussie Smollett reportedly attended the hospital’s emergency room for treatment for injuries sustained in an alleged racially motivated attack by two men on January 29, 2019. Following a police investigation into the alleged attack, Chicago Police Superintendent Eddie Johnson announced that the Empire actor had been arrested on February 21 and charged with disorderly conduct and filing a false police report. The police allege that the attack was a hoax and that it had been staged by Smollett as a publicity stunt. The charges against Smollett were dropped on Tuesday 26, March. After Smollett was treated at Northwestern Memorial Hospital, curiosity got the better of some employees who searched for Smollett on the hospital’s system, some of whom accessed his chart and viewed his medical records. Accessing the medical...

Read More
Covenant Care Email Account Breach Impacts 7,858 Patients
Mar08

Covenant Care Email Account Breach Impacts 7,858 Patients

The Aliso Viejo, CA-based provider of residential care and skilled nursing facilities, Covenant Care, has discovered an unauthorized individual gained access to an employee’s email account and may have viewed or obtained the protected health information of 7,858 patients. On January 29, 2019, suspicious activity was detected in relation to the employee’s email account. Third-party forensics investigators were called in to help determine the nature and scale of the breach. The investigation revealed the email account was compromised on January 22, 2019. Access remained possible until the account was secured on January 29. A review of the compromised email account was completed on February 13, 2019 and confirmed that during the time that the account was accessible, emails and email attachments could have been opened. An analysis of the messages revealed they contained patient information. The information on each patient varied from individual to individual and may have included full name, date of birth, Social Security number, health insurance claim number, medical record number,...

Read More
Beazley Report Reveals Major Increase in Healthcare Hacking and Malware Incidents
Mar07

Beazley Report Reveals Major Increase in Healthcare Hacking and Malware Incidents

The latest Beazley Breach Insights Report confirms healthcare is the most targeted industry sector, accounting for 41% of all breaches reported to Beazley Breach Response (BBR) Services. Across all industry sectors, hacking and malware attacks were the most common cause of breaches and accounted for 47% of all incidents, followed by accidental disclosures of sensitive data (20%), insider breaches (8%), portable device loss/theft (6%), and the loss of physical records (5%). Hacking/malware incidents have increased significantly since 2017, which BBR notes is largely due to a 133% increase in business email compromise (BEC) attacks. Accidental disclosure incidents fell across all industries and insider breaches remained at a similar level to 2017. While hacking/malware incidents were the main cause of breaches in all other industry sectors, in healthcare they were on a par with accidental disclosures of protected health information, each accounting for 31% of reported breaches. Insider data breaches were significantly higher than other industry sectors and accounted for 17% of all...

Read More
Ransomware Attack Impacts up to 400,000 Patients of Columbia Surgical Specialists of Spokane
Mar06

Ransomware Attack Impacts up to 400,000 Patients of Columbia Surgical Specialists of Spokane

A ransomware attack on Columbia Surgical Specialists of Spokane in Washington has potentially allowed unauthorized individuals to access the protected health information of up to 400,000 patients. Columbia Surgical Specialists learned of the ransomware attack on January 9, 2019. The security breach was immediately investigated and assistance was provided by IT security provider Intrinium. Files encrypted by the ransomware were found to contain patient information, which included names, driver’s license numbers, Social security numbers and other types of protected health information. Columbia Surgical Specialists told HIPAA Journal that the data security firm “went through our systems with a fine-tooth comb,” and concluded that patient data had not been stolen by the attackers. “but due to the nature of the ransomware and how the infection first began, there cannot be a guarantee.” Columbia Surgical Specialists believes the risk to patients is very low, and notifications were sent to patients out of an abundance of caution. The vulnerability that was exploited to gain access to the...

Read More
Rush University Medical Center Notifies 45,000 Patients of PHI Incident
Mar05

Rush University Medical Center Notifies 45,000 Patients of PHI Incident

Rush University Medical Center is notifying approximately 45,000 patients that their PHI has been exposed as a result of a data incident at a financial services vendor. Rush learned of the incident on January 22, 2019. An employee of the financial services vendor was discovered to have disclosed a file containing patients’ PHI to an unauthorized third party in May 2018. The types of information in the file varied from patient to patient and may have included names, home addresses, dates of birth, health insurance information, and Social Security numbers. No health information was contained in the file and financial data was not exposed. Rush conducted an investigation into the breach and while no evidence was found to suggest patient information had been misused, affected patients have been offered membership to the Experian IdentityWorks Credit 3B service to protect against identity theft and fraud as a precaution. Affected patients have been advised to monitor their financial accounts and explanation of benefits statements from their insurers for any sign of fraudulent activity....

Read More
St. Francis Physicians Services Notifies Patients of Milestone Family Medicine Data Breach
Mar04

St. Francis Physicians Services Notifies Patients of Milestone Family Medicine Data Breach

Bon Secours St. Francis Health System is notifying patients about a security breach that may have resulted in some of their protected health information (PHI) being viewed/obtained by unauthorized individuals who gained access to the systems of Milestone Family Medicine in Greenville, SC. Milestone Family Medicine was affiliated with St. Francis Physicians Services (SFPS) until February 24, 2019, and had previously employed physicians at the practice. SFPS learned of a security breach at the practice on January 4, 2019 and took steps to secure systems and prevent further unauthorized access. An investigation was launched and, assisted by a third-party computer forensics firm, SFPS determined that one of the servers that was accessed included the PHI of certain patients. The attack appears to have targeted EHR systems that were accessible over the Internet. Internet connections providing access to Milestone Family Medicine systems that are not actively being used have been shut down. The types of information that have been compromised include names, addresses, dates of birth, health...

Read More
January 2019 Healthcare Data Breach Report
Feb25

January 2019 Healthcare Data Breach Report

After a relatively quiet month for healthcare data breaches, breach numbers rose to more typical levels and were reported at a rate of more than one per day in January. There were 33 healthcare data breaches reported in January 2019. January was the second successive month where there was a fall in the number of individuals impacted by healthcare data breaches. January’s healthcare data breaches saw 490,937 healthcare records exposed, stolen or impermissibly disclosed. Largest Healthcare Data Breaches in January 2019   Rank Name of Covered Entity Covered Entity Type Individuals Affected Type of Breach 1 Centerstone Insurance and Financial Services (BenefitMall) Business Associate 111589 Hacking/IT Incident 2 Las Colinas Orthopedic Surgery & Sports Medicine, PA Healthcare Provider 76000 Theft 3 Valley Hope Association Healthcare Provider 70799 Hacking/IT Incident 4 Roper St. Francis Healthcare Healthcare Provider 35253 Hacking/IT Incident 5 Managed Health Services Health Plan 31300 Hacking/IT Incident 6 EyeSouth Partners Business Associate 24113 Hacking/IT Incident 7 Dr....

Read More
UConn Health Phishing Attack Sees PHI of 326,000 Patients Exposed
Feb25

UConn Health Phishing Attack Sees PHI of 326,000 Patients Exposed

UConn Health is notifying approximately 326,000 patients that some of their personal information has been exposed as a result of a phishing attack on some of its employees. UConn Health learned about the phishing attack on December 24, 2018. All email accounts were secured, and an internal investigation was launched. The investigation confirmed that multiple email accounts had been accessed by unauthorized individuals. A third-party computer forensics company was retained to investigate the attack and search for protected health information in emails and email attachments in the compromised accounts. While it was not possible to determine who was responsible for the attack nor whether emails and email attachments in the compromised accounts had been viewed by the attacker(s), PHI access could not be ruled out. UConn Health explained in its substitute breach notice that no reports have been received to indicate any patient information has been misused. The majority of individuals affected by the attack were patients. Some employees have also had personal information exposed....

Read More
Multiple Rutland Regional Medical Center Email Accounts Hacked
Feb25

Multiple Rutland Regional Medical Center Email Accounts Hacked

Rutland Regional Medical Center in Rutland City, the largest community hospital in the state of Vermont, has discovered hackers have gained access to the email accounts of nine employees and potentially viewed/obtained patients’ protected health information. On December 21, 2018, an employee of the medical center noticed that their email account had been used to send large quantities of spam emails and on December 28, 2018, a potential security breach was reported to the medical center’s IT department. The IT department determined, on December 31, that the employee’s email account had been remotely accessed by an unauthorized individual. The account was immediately secured and a third-party forensic expert was called in to conduct an investigation into the breach. While the investigation into the breach is ongoing, the forensics expert concluded on February 6, 2019, that nine email accounts had been compromised between November 2, 2018 and February 6, 2019. The types of sensitive information in the compromised email accounts included patients’ full names, dates of birth, contact...

Read More
Insider Wrongdoing Breach at Kentucky Counseling Center Impacts 16,440 Patients
Feb22

Insider Wrongdoing Breach at Kentucky Counseling Center Impacts 16,440 Patients

Kentucky Counseling Center (KCC) has discovered a list of 16,440 patients has been stolen and disclosed to another individual. A current employee is suspected of accessing and copying patient information without authorization, uploading the data to an anonymous file sharing service, and subsequently sending a hyperlink to the list to a former employee of KCC. The former employee received the link to the patient list on January 6, 2019 and reported the privacy breach to KCC. KCC launched an investigation into the insider breach to determine when the list was obtained and who was responsible. KCC believes the list was downloaded and stolen on December 6, 2018 by a then current employee of KCC. That person is no longer employed at the Counseling Center. The motivations behind the HIPAA violations are unclear – Both the unauthorized access/theft and the subsequent impermissible disclosure to a former employee. KCC explained in its breach notification letter that there is no reason to believe that the list was taken with the intent of causing harm to patients. However, due to the nature...

Read More
PHI of Almost 1 Million UW Medicine Patients Exposed Online
Feb21

PHI of Almost 1 Million UW Medicine Patients Exposed Online

Approximately 974,000 patients of UW Medicine have had their protected health information exposed online due to the accidental removal of protections on a website server. The error resulted in sensitive internal files being indexed by search engines. Internet searches allowed sensitive patient information to be accessed by unauthorized individuals without any need for authentication. Seattle-based UW Medicine discovered a vulnerability on a website server on December 26, 2018, following a tip-off from a patient who was performing a Google search of their own name. An investigation was launched to determine how information was exposed, for how long, and how many patients had potentially been affected. UW Medicine determined that an error had been made in the configuration of a database which resulted in internal files being temporarily available over the Internet. The server misconfiguration occurred on December 4, 2019. The incident was attributed to human error. Ironically, the exposed database was used by UW Medicine to keep track of patient health information disclosures. The...

Read More
Patients Receive Notifications of PHI Theft 8 Months After Business Associate Data Breach was Detected
Feb19

Patients Receive Notifications of PHI Theft 8 Months After Business Associate Data Breach was Detected

Sharecare Health Data Services (SHDS), a San Diego company that provides secure electronic exchange and medical records management services for healthcare organizations, has alerted some of its clients that hackers gained access to parts of its systems that contained sensitive patient information. SHDS detected abnormal network activity on June 26, 2018, prompting an in-depth investigation. The investigation revealed hackers gained access to systems containing protected health information as early as May 21, 2018. Access remained possible until June 26, 2018, during which time PHI was accessed and exfiltrated by the hackers to locations outside the U.S. SHDS engaged the services of cybersecurity firm Mandiant to assist with the forensic investigation of the breach. The breach was also reported to the FBI and SHDS has been assisting with its investigation. SHDS has since taken steps to enhance security and prevent further breaches. Data retention policies have been revised, maintenance communications and protocols have been improved to ensure continuity across its network, and SHDS...

Read More
30,000 Patients Notified of Phishing Incident at Memorial Hospital at Gulfport
Feb18

30,000 Patients Notified of Phishing Incident at Memorial Hospital at Gulfport

Memorial Hospital at Gulfport, MS, is notifying approximately 30,000 patients that some of their protected health information has potentially been accessed by an unauthorized individual as a result of a phishing incident. Memorial Hospital discovered a breach of an employee’s email account on December 17, 2018. The compromised account was immediately secured and an investigation was launched to determine the extent of the breach. The investigation revealed the employee responded to a phishing email on December 6, 2018, which gave the attacker access to patients’ protected health information stored in emails and email attachments. Memorial Hospital reports that the breach was limited to names, dates of birth, health insurance information, and information about medical services received at the hospital. A small number of Social Security numbers were also contained in the compromised email account. Patients affected by the incident were notified by mail on February 15, 2019. Complimentary credit monitoring services have been offered to all patients whose Social Security numbers were...

Read More
16-Month Malware Infection at Florida Pulmonary & Sleep Medicine Center Impacts 42,000 Patients
Feb15

16-Month Malware Infection at Florida Pulmonary & Sleep Medicine Center Impacts 42,000 Patients

AdventHealth Medical Group’s Pulmonary & Sleep Medicine in Tavares, FL, formerly known as Lake Pulmonary Critical Care, has discovered hackers gained access to its systems and may have viewed or obtained the protected health information of up to 42,161 patients. Hackers first gained access to the Pulmonary & Sleep Medicine center’s systems in August 2017 as a result of the installation of malware. The malware infection was not discovered until December 27, 2018. The malware was removed and its systems were secured and an investigation was launched to determine the extent of the breach and which patients had been affected. The investigation revealed the hackers gained access to parts of its system where patients’ protected health information was stored. The information that was potentially accessed included names, addresses, email addresses, telephone numbers, dates of birth, health insurance information, Social Security numbers, medical histories, and the race, gender, weight, and height of patients. It is unclear how the malware was installed and why it took 16 months to...

Read More
Anesthesia Associates of Kansas City Discovers Theft of Patient Schedules
Feb13

Anesthesia Associates of Kansas City Discovers Theft of Patient Schedules

Paperwork containing patient information has been stolen from an employee of Anesthesia Associates of Kansas City. The incident occurred on December 14, 2018. The employee had left a bag containing patient schedules in his vehicle. Thieves broke into the vehicle and stole the bag and paperwork. Anesthesia Associates of Kansas City learned of the incident on December 16, 2018 and launched an investigation to determine what paperwork had been stolen. It was not possible to determine with a high degree of certainty exactly which schedules were in the stolen bag. Consequently, the decision was taken to issue notification letters to all patients who had undergone surgical treatment between April 4, 2018 and December 14, 2018. The types of information listed in patient schedules includes names, birth dates, types of surgical procedures, dates of surgery, and the name of the surgeon. Schedules do not contain sensitive information such as addresses, Social Security numbers, insurance information, and financial information. The theft was reported to law enforcement but neither the bag nor...

Read More
United Hospital District Phishing Attack Impacts 2,143 Patients
Feb13

United Hospital District Phishing Attack Impacts 2,143 Patients

Blue Earth, MN-based United Hospital District has discovered patient information was exposed and potentially accessed by an unauthorized individual as a result of a June 2018 phishing attack. The phishing incident resulted in the compromise of a single email account, the credentials to which were obtained as a result of an employee responding to a phishing email. The substitute breach notice on the healthcare provider’s website indicates the account was compromised between June 10, 2018 and June 27, 2018. An in-depth analysis of the compromised account was conducted by third-party cybersecurity professionals who determined on December 12, 2018, that patient information had potentially been accessed. Emails and file attachments in the account were found to contain the protected health information of 2,143 patients. The types of information contained in the email account varied from patient to patient and may have included names, addresses, internal patient identification numbers, health insurance information and, for a limited number of affected patients, diagnoses, treatment...

Read More
2019 Data Breach Barometer Report Shows Massive Increase in Exposed Healthcare Records
Feb13

2019 Data Breach Barometer Report Shows Massive Increase in Exposed Healthcare Records

Protenus has released its 2019 Breach Barometer report: An analysis of healthcare data breaches reported in 2018. The data for the report came from Databreaches.net, which tracks data breaches reported in the media as well as breach notifications sent to the Department of Health and Human Services’ Office for Civil Rights and state attorneys general. The report shows there was a small annual increase in the number of healthcare data breaches but a tripling of the number of healthcare records exposed in data breaches. According to the report, there were 503 healthcare data breaches reported in 2018, up from 477 in 2017. 2017 was a relatively good year in terms of the number of healthcare records exposed – 5,579,438 – but the number rose to 15,085,302 exposed healthcare records in 2018. In 2017, March was the worst month of the year in terms of the number of records exposed and there was a general downward trend in exposed records throughout the rest of the year. In 2018, there was a general increase in exposed records as the year progressed. The number of exposed records increased...

Read More
7,000 Patients Notified About Pawnee County Memorial Hospital Malware Attack
Feb11

7,000 Patients Notified About Pawnee County Memorial Hospital Malware Attack

Pawnee County Memorial Hospital in Pawnee City, Nebraska, is alerting 7,038 patients that some of their protected health information has potentially been accessed by a hacker. On November 29, 2018, the hospital learned that malware had been installed which allowed an unauthorized individual to gain access to its email system. Malware was injected into the hospital’s email system when an employee opened a malicious email attachment. According to Pawnee County Memorial Hospital’s substitute breach notice, the email appeared to have been sent from a trusted source and the email attachment seemed genuine. Assisted by a third-party computer forensics expert, the hospital determined that the email attachment had been opened on November 16, 2018. The hacker was able to access employees’ email accounts from November 16 to November 24. The compromised email accounts contained a range of business reports, clinical reports, clinical summaries, and other internal documents. Those documents contained patients’ full names along with one or more of the following data elements: Date of birth,...

Read More
EyeSouth Partners Email Account Breach Impacts 24,000 Patients of Georgia Eye Associates
Feb08

EyeSouth Partners Email Account Breach Impacts 24,000 Patients of Georgia Eye Associates

EyeSouth Partners has announced that a hacker has gained access to an employee’s email account and has potentially viewed/obtained the electronic protected health information (ePHI) of as many as 24,000 patients. EyeSouth Partners is a business associate of Georgia Eye Associates, South Georgia Eye Partners, Cobb Eye Center, and Georgia Ophthalmology Associates. On October 25, 2018, EyeSouth Partners became aware that an unauthorized individual had gained access to the email account of one of its employees. Prompt action was taken to secure the email account and assess the security of its systems. Procedures were also implemented to enhance information security safeguards to prevent any further email account breaches. The breach investigation revealed the hacker first gained access to the email account on September 11, 2018. Access remained possible until October 25. Third-party computer forensics experts were hired to assist with the investigation and determine which patients had had their ePHI exposed. On December 19, 2018, EyeSouth Partners was informed that the hacker had...

Read More
OCR Settles Cottage Health HIPAA Violation Case for $3 Million
Feb08

OCR Settles Cottage Health HIPAA Violation Case for $3 Million

The Department of Health and Human Services’ Office for Civil Rights (OCR) has agreed to settle a HIPAA violation case with the Santa Barbara, CA-based healthcare provider Cottage Health for $3,000,000. Cottage Health operates four hospitals in California – Santa Barbara Cottage Hospital, Santa Ynez Cottage Hospital, Goleta Valley Cottage Hospital and Cottage Rehabilitation Hospital. In 2013 and 2015, Cottage Health experienced two security incidents that resulted in the exposure of the electronic protected health information (ePHI) of 62,500 patients. In 2013, Cottage Health discovered a server containing patients’ ePHI had not been properly secured. Files containing patients’ ePHI could be accessed over the internet without the need for a username or password. Files on the server contained patient names, addresses, dates of birth, diagnoses, conditions, lab test results and other treatment information. Another server misconfiguration was discovered in 2015. After responding to a troubleshooting ticket, the IT team removed protection on a server which similarly exposed...

Read More
Settlement Reached in Community Health Systems 4.5 Million-Record Data Breach Case
Feb05

Settlement Reached in Community Health Systems 4.5 Million-Record Data Breach Case

Community Health Systems’ (CHS) patients whose protected health information (PHI) was stolen in a cyberattack in 2014 have been offered compensation for the theft of their PHI. Tennessee-based Community Health Systems operates over 200 hospitals, making it one of the largest healthcare systems in the U.S. In 2014, CHS discovered malware had been installed on its network. The malware allowed unauthorized individuals to gain access to patient information between April and June 2014. The cyberattack is believed to have been conducted by threat actors based in China. An advanced malware variant was used in the attack, which had the sole purpose of obtaining sensitive information. An investigation into the breach confirmed that patient data including names, addresses, phone numbers, dates of birth, and Social Security numbers had been exfiltrated. The PHI of 4.5 million patients was stolen by the attackers. At the time it was the largest healthcare data breach to be reported to the Department of Health and Human Services’ Office for Civil Rights and still ranks as one of the top six...

Read More
Malware Attack Reported by Minnesota Infertility Clinic
Feb05

Malware Attack Reported by Minnesota Infertility Clinic

Malware has been installed on the network of Reproductive Medicine and Infertility Associates: A Woodbury, MN, infertility clinic. While no evidence was uncovered to suggest any patient information was accessed or exfiltrated by the malware, the possibility of a data breach could not be ruled out. The malware attack was detected by the clinic on December 5, 2018 and a third-party computer forensics firm was hired to investigate and clean the malware from its systems. While the malware was successfully removed, it was not possible to determine exactly how it was installed on the network. Information stored on systems potentially accessible by the malware included names, dates of birth, addresses, treatment information, health insurance information, and donors’ Social Security numbers. All individuals whose PHI was exposed were notified about the incident on February 1, 2019. As a precaution against fraud, all individuals affected by the breach have been offered complimentary identity theft monitoring services. Anti-malware defenses have now been improved, which include an additional...

Read More
23,500 Patients Impacted by Connecticut Eye Clinic Ransomware Attack
Feb05

23,500 Patients Impacted by Connecticut Eye Clinic Ransomware Attack

Dr. DeLuca Dr. Marciano & Associates, P.C., a primary eye care clinic in Prospect, CT, has experienced a ransomware attack that has resulted in the encryption of files containing patients’ protected health information. The attack occurred on November 29, 2018. Prompt action was taken to shut down the network to prevent the spread of the infection, but it was not possible to stop the encryption of files on two servers used to store patient-related files. A ransom demand was received but no payment was made. The encrypted files were successfully restored from backups. An investigation of the breach revealed that the two servers affected by the attack contained patient files that included information such as patient names, Social Security numbers, and some treatment information. Dr. DeLuca Dr. Marciano & Associates has taken steps to prevent further cyberattacks, which include closing remote access to the network, implementing technical solutions to protect against ransomware, and enhancing its anti-virus software. While there is no indication that patient information was...

Read More
12,000 Patients Impacted by Valley Professionals Community Health Center Phishing Attack
Feb04

12,000 Patients Impacted by Valley Professionals Community Health Center Phishing Attack

Valley Professionals Community Health Center in Indiana has experienced a phishing attack that has resulted an employee’s email account being accessed by an unauthorized individual. Phishing attacks often involve the impersonation of companies. In this case, the attacker impersonated a healthcare organization that had previously worked with Valley Professionals Community Health Center. The supposed sender of the email was known to staff at the health center and the email appeared genuine. On November 27, 2018, Valley Professionals Community Health Center detected suspicious activity relating to the employee’s email account. Prompt action was taken to secure the account and an investigation was launched to determine the cause of the activity. Assistance was provided by a third-party computer forensics company, which determined that the account had been accessed by an unauthorized individual between October 26 and November 27, 2018. The emails in the account contained information such as patient names, addresses, dates of birth, Social Security numbers, medical record numbers,...

Read More
13 Accounts Compromised in Roper St. Francis Healthcare Phishing Attack
Feb04

13 Accounts Compromised in Roper St. Francis Healthcare Phishing Attack

A large-scale phishing attack on Charleston, SC-based Roper St. Francis Healthcare has seen attackers gain access to the email accounts of 13 employees. The phishing attack was detected on November 30, 2018 and action was taken to block access to a corporate email account. The investigation into the breach revealed further email accounts had been compromised. The affected accounts were accessed by the attacker between November 15 and December 1, 2018. A third-party computer forensics firm was hired to investigate the breach, which revealed some of the compromised accounts contained patient information including names, medical record numbers, health insurance information, details about services received from Roper St. Francis Healthcare, and for a limited number of patients, Social Security numbers and financial information. All affected patients were notified by mail on January 25, 2019 and have been offered complimentary credit monitoring services. While PHI was potentially accessed, no reports have been received to suggest any PHI has been misused. The HHS’ Office for Civil...

Read More
Aetna Settles HIV Status Breach Case with California AG for $935,000
Feb01

Aetna Settles HIV Status Breach Case with California AG for $935,000

Hartford, CT-based health insurer Aetna has agreed to pay the California Attorney General $935,000 to resolve alleged violations of state laws related to a 2017 privacy breach that exposed state residents’ HIV status. On July 28, 2017, Aetna’s mailing vendor sent letters to plan members who were receiving HIV medications or pre-exposure prophylaxis to prevent them from contracting HIV. The letters contained instructions for their HIV medications; however, information about the HIV medications was clearly visible through the window of the envelopes, resulting in the impermissible disclosure of highly sensitive information to postal workers, friends, family members, and roommates.  Approximately 12,000 individuals were sent letter, 1,991 of whom lived in California. The privacy breach was a violation of HIPAA Rules, and according to California Attorney General Xavier Becerra, also a violation of several California laws including the Unfair Competition Law, the Confidentiality of Medical Information Act, the Health and Safety Code (section 120980), and the State Constitution. In...

Read More
FABEN Obstetrics and Gynecology Informs 6,092 Patients of Ransomware-Related Data Loss
Jan31

FABEN Obstetrics and Gynecology Informs 6,092 Patients of Ransomware-Related Data Loss

Jacksonville, FL-based FABEN Obstetrics and Gynecology has experienced a ransomware attack on a server that housed patients’ protected health information (PHI). The ransomware was detected on November 21, 2018 and resulted in widespread file encryption. An investigation was launched to determine the extent of the attack and whether any patients’ PHI was accessed or stolen by the attackers. An analysis of the files on the server confirmed that files containing patients’ PHI had been encrypted. FABEN determined that the attackers had not accessed the files and that no data had been exfiltrated from the server. The ransomware variant used in the attack was GandCrab. While free decryptors have been made available for some GandCrab ransomware variants, they do not work on the latest versions of the ransomware. A ransom demand was received by FABEN although the decision was taken not to pay the attackers for the key to decrypt the files. The files that had been encrypted were created between January 2007 and April 10, 2017, and included clinical electronic medical records containing...

Read More
Thieves Stole Devices Containing PHI of 7,200 Patients of Integrity House
Jan30

Thieves Stole Devices Containing PHI of 7,200 Patients of Integrity House

A burglary at the offices of the addiction treatment services provider Integrity House has resulted in the exposure of patients’ protected health information. Several electronic devices were stolen in the burglary, including desktop computers, laptop computers and tablets. An investigation by the Integrity House IT team confirmed that some patients’ protected health information was stored on the devices. The burglary was discovered by staff on November 25, 2018. Law enforcement was notified but the stolen devices have not been recovered. The IT department determined that one of the stolen devices contained information such as names, birth dates, Social Security numbers, health insurance information, and a limited amount of treatment information. While it is probable that the devices were stolen for their resale value rather than any sensitive information they contained, it is possible that patient information could be accessed and may be misused. Consequently, as a precaution, Integrity House has offered all affected individuals free identity theft protection and credit monitoring...

Read More
PHI Exposed in Verity Health System Phishing Attack
Jan29

PHI Exposed in Verity Health System Phishing Attack

Verity Health System, a Redwood City-based network of 6 hospitals in California, has announced that the protected health information of certain patients has potentially been compromised as a result of a November 27, 2018 phishing attack. The Office 365 credentials of a Verity Health employee were obtained by a hacker as a result of a response to a phishing email. For a period of approximately one and a half hours, an unauthorized individual gained access to the employee’s email account and sent further phishing emails to Verity Health employees and other individuals in the employee’s contact list. The emails contained a hyperlink that directed the recipients to a malicious website. An investigation into the breach confirmed that none of the recipients of the phishing emails had disclosed their login credentials. The aim of the attacker appeared to be to gain access to further account credentials rather than to obtain sensitive data contained in the compromised account; however, it is possible that some patients’ personal information was viewed or possibly obtained while account...

Read More
Analysis of 2018 Healthcare Data Breaches
Jan28

Analysis of 2018 Healthcare Data Breaches

Our 2018 healthcare data breach report reveals healthcare data breach trends, details the main causes of 2018 healthcare data breaches, the largest healthcare data breaches of the year, and 2018 healthcare data breach fines. The report was compiled using data from the Department of Health and Human Services’ Office for Civil Rights (OCR). 2018 Was a Record-Breaking Year for Healthcare Data Breaches Since October 2009, the Department of Health and Human Services’ Office for Civil Rights has been publishing summaries of U.S. healthcare data breaches. In that time frame, 2,545 healthcare data breaches have been reported. Those breaches have resulted in the theft, exposure, or impermissible disclosure of 194,853,404 healthcare records. That equates to the records of 59.8% of the population of the United States. The number of reported healthcare data breaches has been steadily increasing each year. Except for 2015, the number of reported healthcare data breaches has increased every year. In 2018, 365 healthcare data breaches of 500 or more records were reported, up almost 2% from the...

Read More
23,300 Patients Affected by Critical Care, Pulmonary & Sleep Associates Email Hack
Jan28

23,300 Patients Affected by Critical Care, Pulmonary & Sleep Associates Email Hack

Critical Care, Pulmonary & Sleep Associates (CCPSA) in Colorado has experienced a data breach that has impacted more than 23,300 patients. An email account breach was detected by CCPSA on November 23, 2018 when suspicious activity was detected related to an employee’s email account. The account appeared to have been used to send phishing emails to individuals in the employee’s contact list. Those emails attempted to convince the recipients to make fraudulent payments. Action was promptly taken to lock the hacker out of the account and the entire email environment was secured. All users were required to set new, complex passwords. A third-party computer forensics firm was hired to investigate the attack and determine the scale of the breach. That investigation was concluded on December 14, 2018. The investigation revealed the attacker had gained access to multiple email accounts between August 14 and November 23, 2018. The breach was determined to be limited to the email system. Its medical record system was unaffected. An analysis of the compromised email accounts revealed they...

Read More
Stolen Hard Drive Contained PHI of 76,000 Texas Patients
Jan25

Stolen Hard Drive Contained PHI of 76,000 Texas Patients

All-Star Orthopaedics is alerting patients of Irving, TX-based Las Colinas Orthopedic Surgery & Sports Medicine, PA, that some of their protected health information (PHI) was stored on a hard drive that has been stolen. The hard drive contained X-ray and other diagnostic images of 76,000 patients, along with patients’ names and dates of birth. The hard drive was not encrypted, but special software is required to access the images. The image files would need to be opened in order to see patients’ names and dates of birth. The hard drive was stolen on November 20, 2018 and the theft was reported to the Department of Health and Human Services’ Office for Civil Rights on January 18, 2019. Breach notification letters have now been sent to all affected patients. The theft has prompted All-Star Orthopaedics to implement new security protocols and all portable hard drives will now be encrypted prior to transport. Dermacare Brickell Data Breach Impacts 1,800 Patients On November 20, 2018, the Miami medical practice Dermacare Brickell discovered paperwork containing the PHI of around...

Read More
Alaska Department of Health and Social Services Revises 2018 Breach Victim Total from 501 to 500K-700K
Jan24

Alaska Department of Health and Social Services Revises 2018 Breach Victim Total from 501 to 500K-700K

A laptop computer malware infection discovered by the Alaska Department of Health and Social Services (ADHSS) in April 2018 was initially thought to have potentially allowed hackers to gain access to the electronic protected health information (ePHI) of 501 individuals; however, the breach has been determined to be far more extensive than was initially thought. On January 22, 2019, state officials said the malware potentially allowed the attackers to access and obtain the ePHI of between 500,000 and 700,000 individuals and that notification letters to the additional breach victims people had started to be sent. Two days later, the number of breach victims was revised to 87,000 individuals. The malware variant used in the attack was a variant of the Zeus/Zbot Trojan – An information stealer. The individuals whose ePHI was potentially obtained by the hackers had interacted at some point with the Department of Public Assistance (DPA) through the DPA Northern regional offices. Last year, ADHSS said the laptop had accessed sites in Russia, had unauthorized software installed, and other...

Read More
Valley Hope Association Notifies Patients of Email Account Breach
Jan22

Valley Hope Association Notifies Patients of Email Account Breach

Valley Hope Association has announced that an unauthorized individual has gained access to the email account of an employee. Valley Hope Association became aware of a potential account breach on October 10, 2018, when unusual account activity was detected. Prompt action was taken to prevent further account access and a third-party computer forensics firm was hired to determine the nature and scope of the breach. The investigation confirmed on November 23, 2018, that an unauthorized individual had accessed a single email account between October 9-10, 2018, and potentially viewed emails and attachments containing patients’ protected health information. After a thorough review of all emails and email attachments, the forensics firm confirmed that certain patients’ PHI may have been accessed. The types of information contained in the emails varied from patient to patient and may have included one or more of the following data elements: Name, address, date of birth, Social Security number, medication and prescription information, claims and billing information, medical record number,...

Read More
December 2018 Healthcare Data Breach Report
Jan22

December 2018 Healthcare Data Breach Report

November was a particularly bad month for healthcare data breaches, so it is no surprise that there was an improvement in December. November was the worst month of the year in terms of the number of healthcare records exposed (3,230,063) and the second worst for breaches (34). December was the second-best month for healthcare data breaches with 23 incidents reported, only one more than January. In total, 516,370 records were exposed, impermissibly disclosed, or stolen in breaches reported in December: A considerable improvement on November. Were it not for the late reporting of the Adams County breach, December would have been the best month of the year to date in terms of the records exposed. The Adams County breach was experienced in March 2018, confirmed on June 29, yet reporting to OCR was delayed until December 11. Largest Healthcare Data Breaches in December 2018 Rank Name of Covered Entity Covered Entity Type Individuals Affected Type of Breach 1 Adams County Healthcare Provider 258,120 Unauthorized Access/Disclosure 2 JAND Inc. d/b/a Warby Parker Healthcare Provider 177,890...

Read More
Physician Receives Probation for Criminal HIPAA Violation
Jan18

Physician Receives Probation for Criminal HIPAA Violation

A physician who pleaded guilty to a criminal violation of HIPAA Rules has received 6 months’ probation and has escaped a jail term and fine. The case concerned the wrongful disclosure of patients’ PHI to a pharmaceutical firm. The case was prosecuted by the Department of Justice in Massachusetts in conjunction with a case against Massachusetts-based pharma firm Aegerion. In September 2017, the Novelion Therapeutics subsidiary Aegerion agreed to plead guilty to mis-branding the prescription drug Juxtapid. The case also included deferred prosecution related to criminal liability under HIPAA for causing false claims to be submitted to federal healthcare programs for the drug. Aegerion admitted to conspiring to obtain the individually identifiable health information of patients without authorization for financial gain, in violation of 42 U.S.C. §§ 1320d-6(a) and 1320-6(b)(3) and HIPAA Rules. Aegerion agreed to pay more than $35 million in fines to resolve criminal and civil liability. The DOJ also charged a Georgia-based pediatric cardiologist with criminal violations of HIPAA Rules...

Read More
PHI of Almost 1,000 Lebanon VA Medical Center Patients Impermissibly Disclosed
Jan17

PHI of Almost 1,000 Lebanon VA Medical Center Patients Impermissibly Disclosed

Lebanon VA Medical Center in Pennsylvania has discovered the protected health information of hundreds of elderly patients has been impermissibly disclosed to a family member of a veteran. In November 2018, a member of staff at Lebanon VA Medical Center emailed a document to a family member of a veteran who was searching for nursing home facilities. The list should have contained nursing home facilities that work with the Department of Veteran Affairs; however, a historical list of residents of nursing homes was sent in error. The list contained veterans’ names, abbreviated Social Security numbers, the nursing home where the veteran had been admitted, diagnoses, and service-connection disability rating percentages. “Lebanon VA Medical Center and our employees take our responsibility to protect patient information very seriously,” explained Lebanon VA privacy officer Tonya Hromco. “Along with assistance from national offices, we immediately investigated this inadvertent, unauthorized release of information which occurred in late November.” The incident was an isolated error and steps...

Read More
New Massachusetts Data Breach Notification Law Enacted
Jan16

New Massachusetts Data Breach Notification Law Enacted

A new Massachusetts data breach notification law has been enacted. The new legislation was signed into law by Massachusetts governor Charlie Baker on January 10, 2019 and will come into effect on April 11, 2019. The new legislation updates existing Massachusetts data breach notification law and introduces new requirements for notifications. Under Massachusetts law, a breach is defined as the unauthorized acquisition or use of sensitive personal information that carries a substantial risk of identity theft or fraud. Notifications must be issued if one or more of the following data elements are obtained by an unauthorized individual along with an individual’s first name and last name or first initial and last name. Social Security number Driver’s license number State issued ID card number Financial account number, or credit/ debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account. As with the previous law, there is no set timescale for issuing breach...

Read More
111K Individuals Notified of 4-Month Email Account Compromise
Jan15

111K Individuals Notified of 4-Month Email Account Compromise

Centerstone Insurance and Financial Services, operating as BenefitMall, has started notifying more than 111,000 individuals that some of their protected health information has been exposed, and potentially stolen, in a recent email security incident. Dallas, TX-based BenefitMall is a provider of employee benefits, payroll, HR, and employer services and employs more than 20,000 advisors, brokers, and CPAs across the country. The company is a business associate of several HIPAA-covered entities. On October 11, 2018, the company became aware that email accounts used by its employees had been accessed by an unauthorized individual. A third-party computer forensics firm was retained and an internal investigation was conducted to assess the nature and scope of the breach. The investigation revealed the first email accounts had been compromised in June 2018 and further email accounts were breached and accessed up to October 11 when the attack was detected. Prompt action was taken to secure the compromised email accounts and prevent further remote email account access. The email accounts...

Read More
Sacred Heart Rehabilitation Center Notifies Patients of Phishing Incident
Jan11

Sacred Heart Rehabilitation Center Notifies Patients of Phishing Incident

Memphis, MI-based Sacred Heart Rehabilitation Center, a provider of substance abuse treatment and care services for patients diagnosed with HIV/AIDS, has discovered an unauthorized individual has gained access to the email account of an employee following a response to a phishing email. The email account was breached between April 5 and April 7, 2018. It is unclear when the phishing attack was detected by the rehabilitation center, but the investigation into the breach concluded in November and revealed the account contained some patients’ protected health information. Individuals whose PHI was exposed were sent notification letters on January 9, 2018. The types of information contained in the compromised account included patients’ names, home addresses, diagnoses, treatment information, health insurance information, and Social Security numbers. The number of patients affected by the breach has not been publicly disclosed at this point and the breach has not yet been listed on the Department of Health and Human Services’ Office for Civil Rights breach portal. Sacred Heart...

Read More
Solis Mammography Notifies 500 Patients of PHI Exposure
Jan09

Solis Mammography Notifies 500 Patients of PHI Exposure

An unencrypted laptop computer has been stolen from Ben-Ora, Hansen, Vanesian Imaging Ltd., dba Solis Mammography. Solis Mammography learned on October 17, 2018 that the laptop had been stolen from its Phoenix, AZ clinic and reported the theft to law enforcement. To date the device has not been recovered. Attempts were made to reconstruct the data stored assisted by a leading computer forensics firm. While the investigation confirmed that some patients’ protected health information had been downloaded to the device, it was not possible to ascertain the exact information that had been exposed. Solis Mammography believes information such as patients names, birth dates, health insurance information, lab test results, medical images, and other information could have been stored on the device and have potentially been accessed by the individual in possession of the computer. Solis Mammography does not believe any financial information was downloaded onto the laptop. Solis Mammography has taken steps to further secure patient information including strengthening access controls and...

Read More
Phishing Attack Impacts 2,200 Kent County Community Mental Health Authority Patients
Jan09

Phishing Attack Impacts 2,200 Kent County Community Mental Health Authority Patients

Starting on October 28, 2018, Kent County Community Mental Health Authority, dba Network180, experienced a targeted phishing attack. As is common in advanced phishing attacks, the emails appeared to have been sent from a trusted source. Between November 2 and November 13, three employees responded to the emails and disclosed their credentials, which allowed their encrypted email accounts to be accessed by an unauthorized individual. At least one of the compromised email accounts contained the protected health information (PHI) of patients. A wide range of PHI was included in the emails stored in the compromised account. The types of information that could potentially have been accessed by the attacker varied from patient to patient, but may have included names, addresses, dates of birth, Medicaid/Medicare ID numbers, Internal ID numbers, Waiver Support Application (WSA) numbers, names of healthcare providers, schools that were attended, names of relatives, ethnicity/race, and the Social Security numbers of 20 patients. No financial information is believed to have been exposed. The...

Read More
31,876 Managed Health Services of Indiana Health Plan Members Notified of Impermissible Disclosure of PHI
Jan08

31,876 Managed Health Services of Indiana Health Plan Members Notified of Impermissible Disclosure of PHI

Managed Health Services, the Indianapolis, IN-based managed care entity that runs the Hoosier Healthwise and Hoosier Care Connect Medicaid programs, has discovered the protected health information (PHI) of 31,876 plan members has potentially been disclosed in two separate breaches that were announced in December 2018. 31,300 Plan Members Notified of Phishing-Related PHI Breach A phishing attack on a business associate of Managed Health Services has potentially resulted in the disclosure of some plan members PHI. On or around July 30, 2018, employees of LCP Transportation responded to phishing emails and provided the attacker with credentials that allowed their email accounts to be remotely accessed. LCP Transportation disabled the affected email accounts on September 7, 2018. A third-party computer forensics firm was hired to assist with the investigation. While no evidence of PHI misuse has been detected, it is possible that emails in the accounts were accessed by the attacker. Some of the emails in the compromised accounts contained plan members’ PHI including names, addresses,...

Read More
1,080 Chaplaincy Health Care Patients Potentially Impacted by Phishing Attack
Jan07

1,080 Chaplaincy Health Care Patients Potentially Impacted by Phishing Attack

Chaplaincy Health Care, a not-for-profit healthcare provider based in Richland, WA, has experienced a phishing attack that has resulted in the exposure of 1,080 patients’ protected health information. The phishing attack occurred on November 20, 2018 and was discovered within 4 hours. Prompt action was taken to block unauthorized access and a third-party computer forensics firm was hired to assist with the breach investigation. The investigation confirmed that a single email account was accessed by the attacker. After gaining access to the email account, the attacker attempted to access further accounts. The breach was discovered when the employee was alerted that her account had been used to send a phishing email to an email contact. No evidence was uncovered to suggest any patient health information was viewed or copied but, out of an abundance of caution, all patients affected by the breach have been offered complimentary credit monitoring and identity theft protection services through LifeLock for 12 months. Patients were notified about the breach on January 3, 2019. The firm...

Read More
Ransomware Attack on Podiatric Offices of Bobby Yee Impacts 24,000 Patients
Jan07

Ransomware Attack on Podiatric Offices of Bobby Yee Impacts 24,000 Patients

A ransomware attack on the Podiatric Offices of Bobby Yee has resulted in the encryption of files containing the protected health information (PHI) of up to 24,000 patients and other individuals. The attack took place on October 29, 2018. Medical records were encrypted by the ransomware along with files containing information such as full name, address, contact telephone number(s), gender, birth date, Social Security number, and health insurance information. Prompt action was taken to protect patient data and an investigation into the breach did not uncover any evidence to suggest the attacker viewed or copied any patients’ PHI. The Podiatric Offices of Bobby Yee explained in a December 20, 2018, press release “We may need to reconfirm or reconstruct the information, including your medical information.” It is unclear whether the ransom was paid to obtain the key to decrypt patient data or whether files were recovered from backups. Humana Insurance Applicants Affected by Bankers Life Data Breach Humana has announced that certain insurance applicants have had some of their personal...

Read More
Advertising Expenditures Increase 64% Following a Healthcare Data Breach
Jan07

Advertising Expenditures Increase 64% Following a Healthcare Data Breach

A recent study has explored the relationship between advertising expenditures and healthcare data breaches. The study shows hospitals significantly increase advertising spending following a data breach. Healthcare Data Breaches Are the Costliest to Mitigate Healthcare data breaches are the most expensive to mitigate, far higher than breaches in other industry sectors. According to the Ponemon Institute/IBM Security’s 2018 cost of a data breach study, healthcare data breaches cost, on average, $408 per lost or stolen record. The costs are double, or in some cases almost triple, those in other industry sectors. Healthcare data breaches are the most expensive to mitigate, far higher than breaches in other industry sectors. Click To Tweet In addition to the high costs of mitigating the breaches, the same study confirmed that loss of patients to competitors is a very real threat. Data breaches cause damage to a brand and trust in an organization can be easily lost when confidential personal information is exposed or stolen. The Ponemon Institute study revealed healthcare organizations...

Read More
Blue Cross Blue Shield of Michigan Members Notified of Business Associate Ransomware Attack
Jan04

Blue Cross Blue Shield of Michigan Members Notified of Business Associate Ransomware Attack

A business associate of Blue Cross Blue Shield of Michigan has experienced a ransomware attack that has potentially resulted in the theft of plan members’ protected health information. This is the second data breach affecting Blue Cross Blue Shield of Michigan plan members to be reported in December. Some plan members’ PHI was stored on a laptop computer that was stolen from a different business associate. The latest breach was experienced by Austin, TX-based Wolverine Solutions Group, a vendor that provides business services to Blue Cross Blue Shield of Michigan and several other healthcare clients. On September 23, 2018, ransomware was installed on its network that resulted in the encryption of files on servers and workstations, including files containing protected health information. A third-party computer forensics firm conducted an investigation into the breach but found no evidence of data exfiltration; however, data theft could not be entirely ruled out. The types of information that was potentially accessed and copied included demographic data, health plan contract numbers,...

Read More
Email Account Breach Impacts Thousands of Choice Rehabilitation Residents
Jan03

Email Account Breach Impacts Thousands of Choice Rehabilitation Residents

Choice Rehabilitation of Creve Coeur, MO, has discovered an unauthorized individual hacked into a corporate email account of one of its employees and set up a mail forwarder to send emails to a personal email account. The breach occurred on July 1, 2018 and the mail forwarder remained active until September 30, 2018. A detailed analysis of the email account revealed the protected health information of certain residents was included in billing documents attached to emails that had been sent to its associated skilled nursing facilities. Highly sensitive information such as financial data, Social Security numbers, Medicare and Medicaid numbers, dates of birth and contact information remained secure at all times. The breach was limited to billing information related to physical, speech, and occupational therapy provided to patients such as names, payor information, medical record numbers, start and end dates of therapy, diagnoses, treatment information, billing codes, and the name of the facility where care was provided. Upon discovery of the breach, access to the compromised email...

Read More
Vendor of Dental Center of Northwest Ohio Suffers Ransomware Attack
Jan02

Vendor of Dental Center of Northwest Ohio Suffers Ransomware Attack

Current and former patients of the Dental Center of Northwest Ohio in Toledo, OH, are being notified that some of their protected health information has potentially been compromised as a result of a ransomware attack on one of its vendors. Arakyta, a managed IT service provider, notified the dental center on September 1, 2018, of a security breach on a server hosting certain dental center systems. Assisted by third-party computer experts, the dental center determined on November 7, 2018, that an unknown, unauthorized individual had gained access to the server and had potentially viewed or copied patient data. No evidence of data theft was detected and no reports have been received from patients to suggest any protected health information was stolen and misused. However, since it was not possible to rule out data theft with a high degree of certainty, the decision was taken to issue notifications to patients and to provide them with complimentary credit monitoring and identity theft restoration services. The types of data potentially viewed/copied by the attacker included full...

Read More
Orlando Family Physicians Group Phishing Attack Impacts 8,400 Patients
Jan02

Orlando Family Physicians Group Phishing Attack Impacts 8,400 Patients

8,400 patients of the Humana-owned Family Physicians Group in Orlando are being notified that some of their protected health information has potentially been compromised as a result of a phishing attack. Family Physicians Group is one of the largest providers of healthcare for Medicare and Medicaid beneficiaries in Central Florida and operates 22 clinics in the region. An investigation into the breach confirmed that an employee’s email account was accessed by an unauthorized individual on August 7, 2018. Unauthorized account access remained possible until August 21, 2018, when the breach was discovered and login credentials were changed. The login credentials were obtained by the attacker when the employee responded to a phishing email. Affected patients were notified about the incident on December 28, 2018. It is unclear why it took more than 4 months to issue notifications to patients. An analysis of the emails in the compromised account confirmed certain messages contained the protected health information of patients. No financial data or Social Security numbers were recorded in...

Read More
15,000 Customers Notified About Blue Cross Blue Shield of Michigan Data Breach
Dec31

15,000 Customers Notified About Blue Cross Blue Shield of Michigan Data Breach

Approximately 15,000 customers of Blue Cross Blue Shield of Michigan have been notified that some of their private information was stored on a laptop computer that was stolen from an employee of a business associate of one of its subsidiaries. The laptop computer was stolen on October 26, 2018, and Blue Cross Blue Shield of Michigan was alerted to the exposure of plan members’ protected health information (PHI) on November 12, 2018. The breach affects members of Blue Cross’ Medicare Advantage health insurance plans. Notifications are now being mailed to all plan members affected by the breach. The laptop computer was protected with a password and plan members’ data stored on the device had been encrypted; however, the employee’s credentials may also have been stolen. Consequently, there is a risk that PHI could have been accessed. The data stored on the stolen laptop was limited to names, addresses, members’ identification numbers, dates of birth, genders, provider information, diagnoses, and medications. The laptop did not contain Social Security numbers or financial data....

Read More
Largest Healthcare Data Breaches of 2018
Dec27

Largest Healthcare Data Breaches of 2018

This post summarizes the largest healthcare data breaches of 2018: Healthcare data breaches that have resulted in the loss, theft, unauthorized accessing, impermissible disclosure, or improper disposal of 100,000 or more healthcare records. 2018 has seen 18 data breaches that have exposed 100,000 or more healthcare records. 8 of those breaches saw more than half a million healthcare records exposed, and three of those breaches exposed more than 1 million healthcare records. A Bad Year for Healthcare Data Breaches As of December 27, 2018, the Department of Health and Human Services’ Office for Civil Rights (OCR) has received notifications of 351 data breaches of 500 or more healthcare records. Those breaches have resulted in the exposure of 13,020,821 healthcare records. It is likely that the year will finish on a par with 2017 in terms of the number of reported healthcare data breaches; however, more than twice as many healthcare records have been exposed in 2018 than in 2017. In 2017, there were 359 data breaches of 500 or more records reported to OCR. Those breaches resulted in...

Read More
Data of More Than 500,000 Staff and Students Compromised in San Diego School District Phishing Attack
Dec27

Data of More Than 500,000 Staff and Students Compromised in San Diego School District Phishing Attack

The San Diego School District has announced it has suffered a major phishing attack that has resulted in the exposure of the personal data, including health information, of more than 500,000 staff and students. The phishing attack was detected in October 2018; however, an investigation into the breach revealed the hacker had network access for almost a year. Access to the network was first gained in January 2018 and the attacker continued to access the network until November 2018. The decision was taken not to alert the hacker to the discovery of the breach immediately. Instead, the school district first investigated the breach to determine the nature of the attack and the extent to which its network had been compromised. Access was only terminated when the initial phase of the investigation was completed. San Diego School District conducted the investigation in conjunction with the San Diego Unified Police and has identified the hacker responsible for the attack. All compromised accounts have now been reset and unauthorized access to staff and student data is no longer possible....

Read More
Massachusetts Attorney General Issues $75,000 HIPAA Violation Fine to McLean Hospital
Dec21

Massachusetts Attorney General Issues $75,000 HIPAA Violation Fine to McLean Hospital

Massachusetts Attorney General Maura Healey has issued a $75,000 HIPAA violation fine to McLean Hospital over a 2015 data breach that exposed the protected health information (PHI) of approximately 1,500 patients. McLean Hospital, a psychiatric hospital in Belmont, MA, allowed an employee to regularly take 8 backup tapes home. When the employee was terminated in May 2015, McLean Hospital was only able to recover four of the backup tapes. The backup tapes were unencrypted and contained the PHI of approximately 1,500 patients, employees, and deceased donors of the Harvard Brain Tissue Resource Center. The lost backup tapes included clinical and demographic information such as names, Social Security numbers, medical diagnoses, and family histories. In addition to the exposure of PHI, the state AG’s investigation revealed there had been employee training failures and McLean Hospital had not identified, assessed, and planned for security risks. The loss of the tapes was also not reported in a timely manner and the hospital had failed to encrypt PHI stored on portable devices or use an...

Read More
November 2018 Healthcare Data Breach Report
Dec20

November 2018 Healthcare Data Breach Report

For the second consecutive month there has been an increase in both the number of reported healthcare data breaches and the number of records exposed, stolen, or impermissibly disclosed. November was the worst month of the year to date for healthcare data breaches in terms of the number of exposed healthcare records. 3,230,063 records were exposed, stolen, or impermissibly disclosed in the breaches reported in November. To put that figure into perspective, that’s more records than were exposed in all 180 data breaches reported to the HHS’ Office for Civil Rights (OCR) in the first half of 2018. There were 34 healthcare data breaches reported to OCR in November, making it the second worst month of the year to date for breaches, behind June when 41 breaches were reported. Largest Healthcare Data Breaches in November 2018 The largest healthcare data breach of 2018 was reported in November by Accudoc Solutions, a business associate of Atrium Health that provides healthcare billing services. That single breach resulted in the exposure of more than 2.65 million healthcare records....

Read More
Credit Card Numbers Exposed in BJC Healthcare Breach
Dec19

Credit Card Numbers Exposed in BJC Healthcare Breach

BJC HealthCare, one of the largest not-for-profit healthcare networks in the United States, has discovered hackers have gained access to the website hosting its patient portal and have uploaded malware that potentially intercepted credit/debit card numbers as they were entered in the payment portal. The breach was discovered on November 19, 2018. The internal investigation revealed malware had been uploaded to the payment portal on October 25, 2018 and payment information may have been intercepted until November 8, 2018. During that time, 5,850 credit/debit card payments had been processed. BJC HealthCare reports that no Social Security numbers or medical information was compromised. The breach was limited to patients’ names, addresses, and dates of birth, along with the name, billing address, and credit card information or bank information of the person making the payment. While the above information was potentially intercepted, BJC HealthCare has not received any reports to suggest the attackers obtained and misused patients’ or payors’ data. However, all affected individuals...

Read More
Up to 32,000 Patients Impacted by Elizabethtown Community Hospital Email Account Breach
Dec18

Up to 32,000 Patients Impacted by Elizabethtown Community Hospital Email Account Breach

Approximately 32,000 patients of the University of Vermont Health Network’s Elizabethtown Community Hospital are being notified that some of their protected health information (PHI) has been exposed as a result of email account breach. On October 18, 2018, Elizabethtown Community Hospital discovered an unauthorized individual had gained access to an employee’s email account. The password for the compromised email account was immediately changed and a leading forensic security firm was retained to conduct an investigation into the breach. The investigation, which lasted 60 days, confirmed that a single email account was compromised on October 9, 2018. The hospital’s information technology systems were not accessed and medical records remained secure at all times. An analysis of the breached email account revealed it contained the PHI of around 32,000 patients. The types of information that were exposed differed from patient to patient and may have included names, addresses, dates of birth, primary information such as medical record numbers, dates of service, summaries of services...

Read More
PHI Accessed by Contra Costa Health Plan Contractor Who Falsified Identity to Win Contracts
Dec17

PHI Accessed by Contra Costa Health Plan Contractor Who Falsified Identity to Win Contracts

Contra Costa Health Plan (CCHP) has started notifying certain patients that some of their protected health information may have been viewed by an unauthorized individual. That individual was a contractor who won a series of contracts related to utilization management. The contractor first started working with CCHP on December 1, 2014, and was given access to systems containing health plan records to complete her contracted duties. On May 22, 2018, CCHP learned that the contractor had falsified her identity in order to win the contracts. Upon discovery of the fraud, CCHP terminated the contract and blocked access to its systems. A full audit of the activities of the contractor was conducted to determine what systems had been accessed and whether plan members’ data had been viewed. The audit revealed that the contractor had accessed plan members’ health plan records while performing her utilization management duties, although no evidence was uncovered to suggest any of the information contained in those records has been further disclosed by the contractor or used inappropriately. The...

Read More
16,000 Mind & Motion Patients Impacted by Ransomware Attack
Dec14

16,000 Mind & Motion Patients Impacted by Ransomware Attack

Mind & Motion Developmental Centers of Georgia has announced that hackers have succeeded in installing ransomware and malware on a server, which has potentially allowed them to gain access to patients’ protected health information. The ransomware was downloaded and executed on a server housing Mind & Motion medical records. The types of data that were potentially compromised includes names, addresses, birth dates, patients’ gender, medical histories, medical diagnoses, health insurance information, and Social Security numbers. It is also possible that medical records were compromised as a result of the attack. Mind & Motion discovered the ransomware attack on September 30, 2018. An IT vendor, TeamLogic IT, was retained to investigate the breach, determine how the attack occurred, and help recover data that had been rendered inaccessible by the ransomware. In addition to the ransomware infection, TeamLogic IT discovered an inactive keylogger and a spam emailer on the server. All malware was successfully removed and associated accounts were deleted. TeamLogic IT did not...

Read More
EmblemHealth Pays $100,000 HIPAA Violation Penalty to New Jersey for 2016 Data Breach
Dec11

EmblemHealth Pays $100,000 HIPAA Violation Penalty to New Jersey for 2016 Data Breach

The health insurance provider EmblemHealth has been fined $100,000 by New Jersey for a 2016 data breach that exposed the protected health information (PHI) of more than 6,000 New Jersey plan members. On October 3, 2016, EmblemHealth sent Medicare Part D Prescription Drug Plan Evidence of Coverage documents to its members. The mailing labels included beneficiary identification codes and Medicare Health Insurance Claim Numbers (HCIN), which mirror Social Security numbers. The documents were sent to more than 81,000 policy members, 6,443 of whom were New Jersey residents. The New Jersey Division of Consumer Affairs investigated the breach and identified policy, procedural, and training failures. Previous mailings of Evidence of Coverage documents were handled by a trained employee, but when that individual left EmblemHealth, mailing duties were handed to a team manager who had only been given minimal task-specific training and worked unsupervised. That individual sent a data file to EmblemHealth’s mailing vendor without first removing HCINs, which resulted in the HCINs being printed...

Read More
48,000 Patients of Frisco Medical Center Notified of Breach of Payment Information
Dec11

48,000 Patients of Frisco Medical Center Notified of Breach of Payment Information

Baylor Scott & White Medical Center in Frisco, TX, has discovered the payment information of almost 48,000 patients and guarantors may have been compromised. The medical center, which is jointly managed by United Surgical Partners International (USPI) and Baylor Scott & White Health, discovered an issue with the credit card processing system of one of its vendors. The investigation revealed there had been a week-long computer intrusion between September 22 and September 29. Upon discovery of the issue, the medical center informed the vendor and stopped all credit card processing through the vendor’s system. Baylor Scott & White Health did not uncover evidence to suggest any patient/guarantor information had been further disclosed or misused; however, as a precaution, all individuals affected by the incident have been offered one year of complimentary credit monitoring services through TransUnion Interactive. The security breach was limited to the third-party vendor’s system. Hospital information and clinical systems remained secure at all times. No health information or...

Read More
6,450 Prairie Fields Family Medicine Patients Notified About Email-Related Privacy Breach
Dec10

6,450 Prairie Fields Family Medicine Patients Notified About Email-Related Privacy Breach

Prairie Fields Family Medicine in Fremont, NE, is alerting 6,450 patients that some of their protected health information was contained in an unencrypted spreadsheet that was inadvertently sent to the wrong email recipient. The email was sent on October 1, 2018, and the error was discovered the same day. Prairie Fields Family Medicine has made multiple attempts to contact the owner of the email account to ensure the spreadsheet is securely deleted but, so far, no response has been received. The lack of contact has led Prairie Fields Family Medicine to believe the email account is no longer in use and has been abandoned, although the possibility remains that the spreadsheet has been opened and patient information has been compromised. The spreadsheet did not contain any financial data or health information typically contained in medical records. The breach was limited to patients’ first and last names, birth date, telephone number, first language spoken, sex, race, and, for certain patients, primary and secondary health insurer information, including providers’ names and account...

Read More
16,000 Redwood Eye Center Patients Impacted by MSP Breach
Dec07

16,000 Redwood Eye Center Patients Impacted by MSP Breach

A managed service provider that hosts the electronic health records of Redwood Eye Center in Vallejo, CA, has experienced a security breach that has resulted in the exposure of 16,000 patients’ protected health information. IT Lighthouse provides computer support and application hosting services, including the hosting of electronic health records. During the evening of September 19, 2018, hackers succeeded in installing ransomware on a server that was hosting the electronic health records of patients of Redwood Eye Center. Redwood Eye Center was notified about the security breach on September 20, 2018. A third-party computer forensics firm was hired by IT Lighthouse to assist with the investigation and a specialized medical software vendor was consulted and helped Redwood Eye Center recover the affected data. The types of data that were potentially accessed by the attackers included patients’ names, addresses, birth dates, health insurance information, and medical treatment information. The investigation did not uncover any evidence to suggest the attackers accessed the PHI of...

Read More
PHI of 41,000 Patients of Cancer Centers of America Potentially Compromised in Phishing Attack
Dec05

PHI of 41,000 Patients of Cancer Centers of America Potentially Compromised in Phishing Attack

Cancer Centers of America’s Western Regional Medical Center in Bullhead City, AZ, has discovered the email account of one of its employees has been compromised as a result of a response to a phishing email. The phishing email appeared to have been sent from the email account of a Cancer Treatment Centers of America executive and used social engineering techniques to fool the employee into disclosing login credentials to the account. The attacker was able to access the account, but only for a limited time as the account compromise was detected by IT staff and the user ‘s account password was reset. However, during the time that the email account was accessible it is possible that some messages containing patients’ protected health information (PHI) was accessed. Cancer Treatment Centers of America called in a nationally recognized computer forensics firm to assist with the investigation. While it was not possible to tell which, if any, emails were accessed, it was discovered that the compromised email account contained the PHI of 41,948 patients. The information in the emails varied...

Read More
Ransomware Attacks Reported by Healthcare Providers in Illinois and Rhode Island
Dec05

Ransomware Attacks Reported by Healthcare Providers in Illinois and Rhode Island

A roundup of recent healthcare ransomware attacks, privacy breaches, and security incidents that have been announced in the past few days. Center for Vitreo-Retinal Diseases Ransomware Attack Impacts 20,371 Patients The Center for Vitreo-Retinal Diseases in Libertyville, IL, experienced a ransomware attack that resulted in the encryption of data on its servers. The attack was detected on September 18, 2018. The investigation into the breach suggests the attacker may have gained access to the protected health information of 20,371 patients that was stored on the affected servers. The attack appeared to have been conducted with the intention of extorting money from the practice. While it is possible that patient information was accessed by the attacker, no evidence of unauthorized data access, data theft, or misuse of patient information has been discovered. The information that was potentially compromised included names, addresses, telephone numbers, birth dates, health insurance information, health data, and the Social Security numbers of Medicare patients. The Center for...

Read More
12 State Attorneys General File HIPAA Breach Lawsuit Against Medical Informatics Engineering
Dec05

12 State Attorneys General File HIPAA Breach Lawsuit Against Medical Informatics Engineering

A multi-state federal lawsuit has been filed against Medical Informatics Engineering and NoMoreClipboard over the 2015 data breach that exposed the data of 3.9 million individuals. Indiana Attorney General Curtis Hill is leading the lawsuit and 11 other states are participating – Arizona, Arkansas, Florida, Iowa, Kansas, Kentucky, Louisiana, Minnesota, Nebraska, North Carolina and Wisconsin. This is the first time that state attorneys general have joined forces in a federal lawsuit over a data breach caused by violations of the Health Insurance Portability and Accountability Act. The lawsuit seeks a financial judgement, civil penalties, and the adoption of a corrective action plan to address all compliance failures. A Failure to Implement Adequate Security Controls The lawsuit alleges Medical Informatics Engineering failed to implement appropriate security to protect its computer systems and sensitive patient data and, as a result of those failures, a preventable data breach occurred. According to the lawsuit, “Defendants failed to implement basic industry-accepted data...

Read More
7,000 Patients Affected by Georgia Spine and Orthopaedics of Atlanta Phishing Attack
Nov29

7,000 Patients Affected by Georgia Spine and Orthopaedics of Atlanta Phishing Attack

Georgia Spine and Orthopaedics of Atlanta (GSOA) is notifying thousands of patients that some of their protected health information has been exposed, and potentially stolen, as a result of a phishing attack. An investigation into the data breach revealed an unauthorized individual gained access to an email account as a result of the employee responding to a phishing email. That response allowed the attacker to obtain the employee’s email account password. Third-party computer forensics experts were contracted to conduct a detailed investigation into the attack to determine the extent of the breach and find out which patients had been affected. The investigation confirmed that a single email account had been compromised on July 11, 2018. An evaluation of GSOA’s technology systems was also conducted to ensure that they were secure. In order to determine which patients had been affected, a painstaking manual analysis of all emails in the compromised account was performed to determine which messages had been accessed by the attacker. GSOA reports that the way the email account was...

Read More
DOJ Indicts Two Iranian Hackers for Role in SamSam Ransomware Attacks
Nov29

DOJ Indicts Two Iranian Hackers for Role in SamSam Ransomware Attacks

The U.S. Department of Justice has announced significant progress has been made in the investigation of the threat actors behind the SamSam ransomware attacks that have plagued the healthcare industry over the past couple of years. The DOJ, assisted the Royal Canadian Mounted Police, Calgary Police Service, and the UK’s National Crime Agency and West Yorkshire Police, have identified two Iranians who are believed to be behind the SamSam ransomware attacks. Both individuals – Faramarz Shahi Savandi and Mohammad Mehdi Shah Mansouri – have been operating out of Iran since 2016 and have been indicted on four charges: Conspiracy to commit fraud and related computer activity Conspiracy to commit wire fraud Intentional damage to a protected computer Transmitting a demand in relation to damaging a protected computer The DOJ reports that this is the first ever U.S. indictment against criminals over a for-profit ransomware, hacking, and extortion scheme. In contrast to many threat actors who use ransomware for extortion, the SamSam ransomware group conducts targeted, manual attacks on...

Read More
2.65 Million Atrium Health Patients Impacted by Business Associate Data Breach
Nov28

2.65 Million Atrium Health Patients Impacted by Business Associate Data Breach

AccuDoc Solutions Inc., a provider of healthcare billing services, has experienced a major data breach in which the protected health information of 2,650,000 patients of Atrium Health was exposed. Morrisville, NC-based AccuDoc Solutions prepares bills for patients and operates the online payment system used by Atrium Health, a network of 44 hospitals throughout North Carolina, South Carolina and Georgia. On October 1, 2018, AccuDoc Solutions notified Atrium Health that some of its databases had been compromised. The breach investigation revealed hackers had gained access to AccuDoc Solutions databases between September 22 and September 29, 2018. An extensive forensic investigation into the attack confirmed that patient information had been compromised, but the information stored in its databases could only be viewed. No PHI was downloaded by the attackers nor distributed via other channels. AccuDoc Solutions reports that the breach was due to a security vulnerability at a third-party vendor. The business relationship with that vendor has now been terminated. AccuDoc Systems has...

Read More
Tandigm Health Website Vulnerability Exposed 7,000 Patients’ PHI
Nov27

Tandigm Health Website Vulnerability Exposed 7,000 Patients’ PHI

A vulnerability on a website used by the value-based healthcare company Tandigm Health could potentially have been exploited to gain access to patients’ protected health information. The website vulnerability was discovered by Tandigm Health on September 25, 2018. A leading computer forensics firm assisted with the investigation to determine whether the flaw could be exploited remotely, whether patients’ protected health information had been accessed, and the types of information that may have been exposed. The investigation confirmed that the flaw could have been exploited to gain access to sensitive patient information between April 24, 2017 and December 31, 2017. The information accessible through the website was limited to names, birth dates, medical information, and health insurance information. Approximately 7,000 patients’ protected health information was accessible through the website. The investigation did not uncover any evidence to suggest the flaw had been exploited and no reports been received to suggest patient information has been stolen or misused. Out of an...

Read More