Dedicated to providing the latest HIPAA compliance news

Our HIPAA breach news section covers HIPAA breaches such as unauthorized disclosures of protected health information (PHI), improper disposal of PHI, unauthorized PHI access by cybercriminals and rogue healthcare employees, and other security and privacy breaches.

When known, we explain how the breach occurred, the consequences to patients that may have had their PHI compromised, and the actions being taken by the affected healthcare organization to improve safeguards to prevent further HIPAA breaches.

We also explain any actions being taken by the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) and state attorneys general in relation to those breaches.

OCR investigates all data breaches that impact more than 500 individuals to determine whether any HIPAA violations have occurred. When HIPAA Rules are discovered to have been violated, financial penalties may be deemed appropriate. It can take many months or years before any financial penalties for HIPAA breaches are decided. Financial penalties for HIPAA violations tend to be reserved for the most serious breaches of HIPAA Rules. OCR prefers to resolve cases with voluntary compliance and by issuing recommendations to bring policies in line with HIPAA Rules.

The HIPAA breach news section is particularly relevant to healthcare information security professionals, privacy officers, and other individuals who have some responsibility for HIPAA compliance.

The HIPAA breach news reports highlight common areas of non-compliance and new attack vectors used by cybercriminals to gain access to healthcare networks and PHI, the security failings that allowed them to happen, and the measures that have been implemented to prevent them from happening again.

No healthcare organization wants to experience a data breach, but when a breach does occur, lessons can be learned. HIPAA-covered entities can use these breach examples to help train their staff as well as to discover some of the methods other covered entities have adopted to improve data security.

As you will be able to see from the volume of posts in the HIPAA breach news category, healthcare data breaches occur frequently. In 2016 and 2017, healthcare data breaches were reported on an almost daily basis.

Our HIPAA breach news section is an important source of information about potential security issues that covered entities should be identifying when conducting their own risk assessments. Many of the situations in our HIPAA breach news posts could have been avoided if a risk assessment had identified a vulnerability that was later exploited to gain access to PHI.

The main purpose for adding HIPAA breach news to this website is to highlight specific aspects of HIPAA compliance that are commonly overlooked, often with serious consequences for the covered entity and patients/health plan members.

By raising awareness of the volume of healthcare data breaches, the implications of those breaches, and the penalties that can result, it is hoped that healthcare providers will take decisive action to prevent their patients’ and members’ data from being exposed.

The most recent healthcare data breach reports are listed below. If you want to find out whether a specific covered entity has experienced a data breach, please use the search function in the top right-hand corner of this webpage.

Web Portal of Transcription Service Provider Discovered to be Leaking PHI
Apr 25

A transcription service provider has inadvertently left medical records and patient notes unsecured and freely accessible via a physician portal, which should have been password protected. The error has resulted in the exposure of thousands of patients’ PHI. MEDantex provides medical transcription services to many hospitals and physicians, many of whom choose to upload audio files to the MEDantex website. The audio files are accessed by the firm’s employees and transcribed, and documents containing the transcribed notes are uploaded to the portal where they can be downloaded by providers. In order to gain access to the portal, a user must be authenticated by means of a password. According to a report on KrebsOnSecurity, certain portions of the website were recently discovered to lack any authentication controls. Anyone visiting the website could, through their browser, gain access to patient data stored on the site. Brian Krebs reports that several of the tools used by MEDantex staff could also be accessed and used by unauthorized individuals. Those tools allowed unauthorized...

Report: Healthcare Data Breaches in Q1, 2018
Apr 24

The first three months of 2018 have seen 77 healthcare data breaches reported to the Department of Health and Human Services’ Office for Civil Rights (OCR). Those breaches have impacted more than one million patients and health plan members – almost twice the number of individuals that were impacted by healthcare data breaches in Q4, 2017. There was a 10.5% fall in the number of data breaches reported quarter over quarter, but the severity of breaches increased. The mean breach size increased by 130.57% and there was a 15.37% increase in the median breach size. In Q4, 2017, the mean breach size was 6,048 healthcare records and the median breach size was 1,666 records. In Q1, 2018, the mean breach size was 13,945 records and the median breach size was 1,922 records. Between January 1 and March 31, 2018, 1,073,766 individuals had their PHI exposed, viewed, or stolen compared to 520,141 individuals in Q4, 2017. Individuals Impacted by Healthcare Data Breaches in Q1, 2018: Throughout 2017, healthcare data breaches were occurring at a rate of more than one per day. Compared to 2017,...

1,000 Mental Health Patients’ PHI Accidentally Disclosed for 3 and a Half Years
Apr 20

1,071 patients who received medical services at the Des Moines Crisis Observation Center operated by Polk County Health Services Inc., have been informed that some of their protected health information has been “accidentally and unknowingly disseminated” over a period of three and a half years. The breach was discovered on February 14, 2018, although the investigation revealed that information first started being disclosed on June 1, 2014 and continued until January 11, 2018. The types of information disclosed include patients’ names along with Social Security numbers, home addresses, Medicaid ID numbers, admission dates, and discharge locations. Through the Crisis Observation Center, Polk County Health Services provides mental health services for residents of Polk County, IA and is the regional administrator and governing board for mental health and disability services for the county. Polk County Health Services is aware of the individual(s) to whom the information has been disclosed and was able to determine exactly the types of information that has been received by those...

California Dept. of Developmental Services Notifies 582,000 Patients of Potential PHI Compromise
Apr 19

The California Department of Developmental Services (DDS) is notifying 582,174 patients that their protected health information has potentially been compromised. On February 11, 2018, thieves broke into the DDS legal and audits offices in Sacramento, CA. During the time the thieves were in the offices they potentially had access to the sensitive information of approximately 15,000 employees, contractors, job applicants, and parents of minors who receive DDS services, in addition to the PHI of more than half a million patients. The thieves also stole 12 government computers. It does not appear that the perpetrators were interested in paper records and all computers taken by the thieves were encrypted so data access was not possible. DDS has confirmed that none of the office computers were used to gain access to the department’s network and electronic protected health information remained secure at all times. In its substitute breach notice, DDS explained that its offices were vandalized and a fire was started, which triggered the sprinkler system causing damage to documents and CDs....

Texas Health Resources Notifies 4,000 Patients of Email Account Breach
Apr 17

Arlington-based Texas Health Resources, a provider group serving more than 1.7 million patients in North Texas, is notifying ‘fewer than 4,000 patients’ that some of their sensitive information may have been accessed by an unauthorized individual. The data breach occurred as early as October 2017, although it was not discovered until January 17, 2018, when the health system was notified of a breach by law enforcement. The potentially compromised data was saved in email accounts that the attacker had access to for up to three months. The delay in issuing breach notification letters, which would normally have to be issued within 60 days of the discovery of the breach under HIPAA Rules, was at the request of law enforcement. HIPAA covered entities are permitted to delay the issuing of notifications if law enforcement believes such an act would impede an investigation. Law enforcement has only recently given the OK to start sending notifications. It is unclear whether the law enforcement investigation resulted in the apprehension of a suspect. Texas Health Resources explained in its...

Analysis of March 2018 Healthcare Data Breaches
Apr 16

There has been a month-over-month increase in healthcare data breaches. In March 2018, 29 security incidents were reported by HIPAA covered entities compared to 25 incidents in February. Even though more data breaches were reported in March, there was a fall in the number of individuals impacted by breaches. March 2018 healthcare data breaches saw 268,210 healthcare records exposed – a 13.13% decrease from the 308,780 records exposed in incidents in February. Causes of March 2018 Healthcare Data Breaches: March saw the publication of the Verizon Data Breach Investigations Report, which confirmed the healthcare industry is the only vertical where more data breaches are caused by insiders than hackers. That trend continued in March. Unauthorized access/disclosures, loss of devices/records, and improper disposal incidents were behind 19 of the 29 incidents reported – 65.5% of all incidents reported in March. The main cause of healthcare data breaches in March 2018 was unauthorized access/disclosure incidents. 14 incidents were reported, with theft/loss incidents the second main cause...

Several Employee Email Accounts Compromised in UnityPoint Health Phishing Attack
Apr 16

UnityPoint Health has discovered the email accounts of several employees have been compromised and accessed by unauthorized individuals. Access to the employee email accounts was first gained on November 1, 2017 and continued for a period of three months until February 7, 2018, when the phishing attack was detected and access to the compromised email accounts was blocked. Upon discovery of the phishing attack, UnityPoint Health engaged the services of a computer forensics firm to investigate the scope of the breach and the number of patients impacted. The investigation revealed a wide range of protected health information had potentially been obtained by the attackers, which included names in combination with one or more of the following data elements: Medical record number, date of birth, service dates, treatment information, surgical information, lab test results, diagnoses, provider information, and insurance information. The security breach has yet to appear on the Department of Health and Human Services’ breach portal, so it is currently unclear exactly how many patients have...

Oxygen Equipment Manufacturer Discovers Credential Theft Incident Potentially Impacts 30,000
Apr 16

Inogen, a manufacturer of portable oxygen concentrators, has discovered an unauthorized individual has obtained the credentials of an employee and has used them to gain access to the employee’s email account. Phishing and other credential theft incidents are common in the healthcare sector, although what makes this incident stand out is the number of individuals impacted by the attack. The compromised email account contained the personal information of approximately 30,000 individuals who had previously been provided with oxygen supply devices. The types of information potentially viewed and obtained by the attacker include name, telephone number, address, email address, date of birth, date of death, types of equipment provided, Medicare ID number and health insurance information. Medical records, Social Security numbers, and payment card information were not compromised. Also notable is the length of time it took to discover the breach. Inogen reports that access to the email account was first gained on January 2, 2018 and continued until March 14. Forensic investigators were...

Integrated Rehab Consultants Takes 16 Months to Notify Patients of PHI Breach
Apr 12

The Chicago, IL-based physiatry group Integrated Rehab Consultants is sending notification letters to certain patients alerting them to the exposure of some of their protected health information, as is required by HIPAA. However, the breach was not discovered in the past 60 days. Integrated Rehab Consultants (IRC) first became aware of the exposure of PHI on December 2, 2016 – 16 months ago. The data – which included patients’ full names, address, date of birth, gender, medical provider information, visit date, visit status, admission date, appointment visit ID, treatment location, procedure code, and diagnosis codes – had been uploaded to a publicly accessible repository. The PHI was discovered by a healthcare security researcher who notified IRC about the breach. Prompt action was taken to remove and secure the data and an investigation was launched to determine how and why the data had been uploaded to an insecure location. That investigation determined that a business associate who had been provided with the PHI had disclosed the information to a third party. It was that...

Baptist Health Alerts Almost 1,500 Patients to Possible Abuse of Credit Card Details
Apr 11

A former employee of Baptist Health’s West Kendall Baptist Hospital in Miami, FL has been discovered to have stolen the credit card details of patients and used the information to make fraudulent purchases. The misuse of credit cards was discovered by Baptist Health on March 9, 2018; the matter was referred to Miami-Dade law enforcement, and the employee was terminated. Baptist Health has not specified exactly how many patients have been confirmed to have been defrauded by the employee, although 1,480 patients have been sent breach notification letters to alert them to the possibility that their credit card details may have been misused. Any patient who paid for medical services using a credit card with the registration employee between August 2014 and March 2018 has potentially had their name, date of birth, and credit card details stolen and misused. As a precaution, all 1,480 patients have been offered identity theft protection and credit monitoring services for 12 months without charge and have been advised to check their credit card statements carefully for any unauthorized...

63,500 Patients Impacted by Middletown Medical Data Breach
Apr 11

A misconfigured security setting on a radiology interface has resulted in the exposure of tens of thousands of patients’ protected health information. Middletown Medical, a multi-specialty physicians’ group based in Middleton, NY, discovered the misconfigured security setting on January 29, 2018. The following day the interface was secured to ensure unauthorized individuals were prevented from accessing patient information. It is unclear for how long patient data was accessible. Middletown Medical says only a limited number of patients’ PHI could have been accessed by unauthorized individuals. Highly sensitive information such as financial data, Social Security numbers, and insurance information were not exposed. The breach was limited to names, client identification numbers, birth dates, confirmation that radiology services had been received by patients, and the dates those services were provided. A limited number of patients also had diagnosis codes, radiology images, and radiology reports exposed. The discovery of the error prompted Middletown Medical to review its policies and...

2 to 6 Year Jail Term for Receptionist Who Stole PHI from Dentist Office
Apr 11

A former receptionist at a New York dental practice has been sentenced to serve 2 to 6 years in state penitentiary for stealing the protected health information of hundreds of patients. Annie Vuong, 31, was given access to the computer system and dental records of patients in order to complete her work duties. Vuong abused the access rights and stole the PHI of more than 650 patients. That information was passed to her co-defendants who used the data to steal identities and make fraudulent purchases of high value items. Vuong was arrested on February 2, 2015, following a two-and-a-half-year investigation into identity theft by the New York District Attorney’s Office. The theft of data occurred between May and November 2012, when the PHI of 653 patients was taken from the dental office. The types of information stolen included names, birth dates, and Social Security numbers. That information was shared with co-defendant Devin Bazile in an email. Bazile used the information to obtain credit lines from Barclaycard in the victims’ names. Credit ranged from $2,000 to $7,000 per...

Chesapeake Regional Healthcare Reports PHI of 2,100 Patients Was Stored on Lost Hard Drives
Apr 9

Chesapeake Regional Healthcare has discovered two hard drives containing the protected health information (PHI) of approximately 2,100 patients are missing from the Chesapeake Regional Medical Center campus in Chesapeake, Virginia. The data stored on the devices relates to individuals who took part in studies at its Sleep Center between April 2015 and February 2018. It is currently unclear exactly when the hard drives went missing. Chesapeake Regional Healthcare discovered the devices were missing on February 6, 2018. An internal investigation was launched, and a full search of the facility was conducted, but the devices could not be located. The missing hard drives have been reported as lost/stolen to law enforcement, but Chesapeake Regional Healthcare said the probability of the devices being recovered is low and it does not expect the devices to be found. The hard drives were not encrypted. If obtained by a third party, the protected health information of patients could potentially be accessed. The types of information stored on the devices include names, demographic...

Oregon Data Breach Notification and Information Security Laws Updated
Apr 6

Oregon has updated its data breach notification law to improve protections for state residents whose personal information is exposed in a data breach. State governor Kate Brown added her signature to Senate Bill 1551 (SB 1551) last month, which updates several regulations, notably Oregon’s Breach Notification Law, O.R.S. 646A.604, and Information Security Law, O.R.S. 646A.622. The updates will become effective in June 2018. Prior to the update, Oregon data breach notification law only applied to persons who own or license personal information. Now, the definition of a person is “an individual, private or public corporation, partnership, cooperative, association, estate, limited liability company, organization or other entity, whether or not organized to operate at a profit, or a public body as defined in ORS 174.109.” A data breach is defined as “an unauthorized acquisition of computerized data that materially compromises the security, confidentiality or integrity of personal information that a person maintains.” The definition of personal information has been expanded to include a first...

Verizon PHI Breach Report Confirms Healthcare Has Major Problem with Insider Breaches
Apr 3

Verizon has released its annual Protected Health Information Breach Report which delves deep into the main causes of breaches, why they occur, the motivations of internal and external threat actors, and the main threats to the confidentiality, integrity, and availability of PHI. For the report, Verizon analyzed 1,368 healthcare data breaches and incidents where protected health information (PHI) was exposed but not necessarily compromised. The data came from 27 countries, although three quarters of the breached entities were based in the United States where there are stricter requirements for reporting PHI incidents. In contrast to all other industry sectors, the healthcare industry is unique as the biggest security threat comes from within. Insiders were responsible for almost 58% of all breaches with external actors confirmed as responsible for just 42% of incidents. The main reason for insider breaches is financial gain. PHI is stolen to commit identity theft, credit card fraud, insurance fraud, and tax fraud. Verizon determined that 48% of all internal incidents were conducted...

Law Enforcement Notifies Cambridge Health Alliance About PHI Breach
Apr 3

Cambridge Health Alliance (CHA) in Massachusetts has been notified by law enforcement that the protected health information of some of its patients has been discovered in the possession of an unauthorized individual. On January 31, 2018, the Everett, Massachusetts, Police Department notified CHA that files containing the PHI of some of its patients had been discovered in the possession of an individual unauthorized to have the information. After being notified of the breach, CHA conducted an internal investigation into the breach and examined the files. At least one of the files contained PHI related to billing which included patients’ names, addresses, dates of birth, Social Security numbers, employer information, charges for healthcare services, and discharge dates. The data related to billing from 2013. According to a breach notice sent to affected individuals by the law firm BakerHostetler on behalf of CHA, the breach impacted four individuals in New Hampshire, all of whom have been offered complimentary credit monitoring and identity theft protection services through Experian. While...

6,800 CareFirst BCBS Members Impacted by Phishing Attack
Apr 2

A phishing attack on CareFirst Blue Cross Blue Shield has resulted in the exposure of 6,800 plan members’ protected health information. The attack was detected by CareFirst on March 12, 2018, prompting a thorough investigation, which included a forensic analysis of the email system and CareFirst’s systems in general. In addition to the internal investigation by the CareFirst IT security team, a third-party information security firm also investigated the attack. The analyses did not uncover any evidence to suggest emails in the compromised account had been opened by the attacker; however, the emails in the account did contain some protected health information and data access could not be ruled out with a high degree of certainty. Once access to the account was gained, the attacker sent phishing emails to individuals in a contact list. Those individuals were not employed by or affiliated with CareFirst BCBS. The emails were sent with the intention of gaining further login credentials. No malware was involved. While 6,800 individuals have potentially been impacted by the incident,...

Security Breaches in Healthcare in the Last Three Years
Mar 30

There have been 955 major security breaches in healthcare in the last three years that have resulted in the exposure/theft of 135,060,443 healthcare records. More than 41% of the population of the United States have had some of their protected health information exposed as a result of those breaches, which have been occurring at a rate of almost one a day over the past three years. There has been a steady rise in reported security breaches in healthcare in the last three years. In 2015 there were 270 data breaches involving more than 500 records reported to the Department of Health and Human Services’ Office for Civil Rights. The figure rose to 327 security breaches in 2016, and 342 security breaches in 2017. More healthcare security breaches are being reported than at any other time since HIPAA required covered entities to disclose data breaches, although the number of individuals affected by healthcare data breaches has been declining year-over-year for the past three years. In 2015, a particularly bad year for healthcare industry data breaches, 112,107,579 healthcare records were...

3,751 Patients’ PHI Exposed on Internet for More Than 30 Months
Mar 30

The Arc of Erie County New York (The Arc), a provider of person-centered services to individuals with developmental disabilities, has discovered two spreadsheets containing the protected health information of 3,751 patients were accessible on the Internet without the need for authentication for more than 30 months. Between July 2015 and February 2018, the two spreadsheets could be accessed over the Internet by unauthorized individuals as a result of a coding error on the website. The coding error saw a link included on the website that allowed the spreadsheets to be accessed. Individuals affected by the breach, many of whom are developmentally disabled, had been enrolled in certain programs offered by The Arc. The Arc spreadsheets contained sensitive information such as names, Social Security numbers and diagnosis codes. When the error was discovered in February, The Arc deactivated the link to prevent any further disclosures of PHI and contacted a computer forensics and data security firm to investigate the breach and help take corrective action to limit the harm caused to...

Data Breach Impacts Almost 14,000 Family Members of Subscribers
Mar 30

The Special Agents Mutual Benefit Association (SAMBA) health plan is alerting almost 14,000 individuals about a February 2018 breach of protected health information. The breach affects eligible family members of subscribers who were covered by the Federal Employees Health Benefits Plan in 2017. It is an Internal Revenue Service (IRS) requirement for SAMBA to mail a copy of Form 1095-B to all plan subscribers each tax year. The form supports plan members’ and covered family members’ compliance with the Affordable Care Act’s individual mandate. The forms for the 2017 tax year were mailed on or soon after February 19, 2018; however, a programming error resulted in the forms being populated with information relating to other subscribers’ family members. Instead of detailing the subscribers’ family members covered by their health plan, the forms included the names and Social Security numbers of other subscribers’ family members and the dates of health insurance coverage in 2017. The forms were also incorrectly dated 2016. SAMBA notes that no subscribers’ Social Security numbers were...

Server Misconfiguration Results in the Exposure of 42,000 Patients’ PHI
Mar 28

Tens of thousands of patients of a New York medical practice have had their protected health information exposed online due to a misconfigured server. It is currently unclear if anyone other than the security researcher who discovered the problem has accessed the data. The server misconfiguration was identified on January 25, 2018 by Chris Vickery, director of cyber risk research at Upguard. In a March 26 blog post Vickery explained that he identified an exposed port typically used for remote synchronization (rsync). While access should have been limited to specific whitelisted IP addresses, the port was misconfigured and allowed anyone to access the data. All that was required to access the server was its IP address. Vickery identified two sections in the repository, one of which – named backupwscohen – was publicly accessible and contained several files that included highly sensitive information. A virtual hard drive was also accessible that was discovered to contain staff details, including spouse information, children’s names, and in some cases, Social Security numbers. An...

Research Suggests Healthcare Data Breaches Cause 2,100 Deaths a Year
Mar 27

A researcher at Vanderbilt University has conducted a study that suggests mortality rates at hospitals increase following a data breach as a result of a drop in the standard of care. The researcher estimates healthcare data breaches may cause as many as 2,100 deaths a year in the United States. The study was conducted by Owen Graduate School of Management researcher, Dr. Sung Choi. The findings of the study were presented at a recent cyberrisk quantification conference at Philadelphia’s Drexel University LeBow College of Business. Cyberattacks can have a direct impact on patient care, which has been clearly highlighted on numerous occasions over the past 12 months. Ransomware and wiper malware attacks have crippled information systems and have forced healthcare providers to cancel appointments, while the lack of access to patient health records can cause treatment delays. Notable attacks that caused major disruption were the NotPetya wiper and WannaCry ransomware attacks last year, with the latter causing major problems for the National Health Service in the UK. Choi explained that...

Class Action Lawsuit Seeks Damages for Victims of CVS Caremark Data Breach
Mar 26

An alleged healthcare data breach that saw the protected health information of patients of CVS Caremark exposed has resulted in legal action against CVS, Caremark, and its mailing vendor, Fiserv. The lawsuit, which was filed in Ohio federal court on March 21, 2018, relates to an alleged privacy breach that occurred as a result of an error that affected a July/August 2017 mailing sent to approximately 6,000 patients. In July 2017, CVS Caremark was contracted to operate as the pharmacy benefits manager for the Ohio HIV Drug Assistance Program (PhDAP), and under that program, CVS Caremark provides eligible patients with HIV medications and communicates with them about prescriptions. In July/August 2017, CVS Caremark’s mailing vendor Fiserv sent letters to patients containing their membership cards and information about how they could obtain their HIV medications. In the lawsuit the complaint alleges HIV-related information was clearly visible through the plastic windows of the envelopes, allowing the information to be viewed by postal service workers, family members, and roommates....

Theft of Unencrypted Laptop Sees Pathology Lab Patients’ PHI Exposed
Mar26

An unencrypted laptop computer issued to an employee of Clinical Pathology Laboratories Southeast, Inc., (CPLSE) has been stolen, exposing the protected health information of certain patients and their payment guarantors. Prompt action was taken by CPLSE to prevent the laptop from being used to connect to its network and the theft was reported to law enforcement; however, it is possible that the protected health information stored on the laptop could have been viewed by unauthorized individuals. An internal investigation was conducted to determine the types of information stored on the device which indicated the following PHI elements were potentially exposed: Names, addresses, driver’s license numbers, Social Security numbers, government ID numbers, medical record numbers, and medical treatment information. Patients have now been notified of the breach and advised of the steps they can take to protect themselves against misuse of their data. Complimentary credit monitoring and identity theft protection services have been offered to affected individuals. Steps have also been taken...

ATI Physical Therapy Data Breach Impacts 35,000 Patients
Mar22

ATI Physical Therapy has discovered the protected health information of more than 35,000 patients has potentially been compromised when threat actors gained access to the email accounts of some of its employees. A security breach was identified on January 18, 2018 when ATI Physical Therapy discovered the direct deposit information of some of its employees had been changed in its payroll platform. Prompt action was taken to protect its employees and external forensic investigators were called in to determine the full extent and scope of the breach. The investigation revealed the email accounts of certain employees had been compromised and were accessed by unauthorized individuals between January 9 and January 12, 2018. An analysis of the emails in the accounts revealed they contained the protected health information of tens of thousands of patients. The types of information potentially compromised varied per impacted individual, but may have included names, dates of birth, credit/debit card numbers, driver’s license numbers, state ID numbers, Social Security numbers,...

Insider Data Breaches Continue to Plague the Healthcare Industry
Mar21

Protenus has published its February Healthcare Breach Barometer Report. The report includes healthcare data breaches reported to the Department of Health and Human Services’ Office for Civil Rights or disclosed to the media in February 2018. The report, compiled from data collected from databreaches.net, indicates at least 348,889 healthcare records were confirmed as breached in February, although that figure will be considerably higher as the number of people affected by 11 breaches is not yet known. There were 39 security breaches involving protected health information in February – a slight rise from the 37 breaches reported in January, although the number of records exposed was down from January’s total of 473,807 records. Insider breaches continue to pose problems for healthcare providers with 16/39 incidents (41%) involving insiders. Those incidents resulted in the exposure/theft of 51% of all records confirmed as having been exposed or stolen in February. Protenus notes that 94% of insider breaches were the result of errors by healthcare employees, with only one confirmed...

Ransomware Attack on Finger Lakes Health Cripples Computers
Mar21

Geneva, NY-based Finger Lakes Health has experienced a ransomware attack that has crippled its computer system. Staff have been forced to work on pen and paper while the health system attempts to remove the malware and restore access to electronic data. The ransomware attack on the health system started at around midnight on Sunday March 18, 2018, with staff becoming aware of the attack when a ransom demand was issued by the attackers. Finger Lakes Health operates Geneva General Hospital and Soldiers & Sailors Memorial Hospital in Penn Yan and several specialty care practices, primary care physician practices, long-term health facilities, and day care centers in upstate New York. It is unclear exactly how many facilities have been impacted by the ransomware attack. Finger Lakes Health has developed emergency procedures for attack scenarios such as this, which were immediately implemented when the attack was discovered. On March 20, the health system issued a statement to local media channels about the attack explaining that while some of its information systems were...

RoxSan Pharmacy Notifies 1,049 Patients About 2015 Email Breach
Mar20

Beverly Hills, CA-based RoxSan Pharmacy has notified 1,049 patients that some of their protected health information has been disclosed to a business associate via unencrypted email. The notification letters were mailed to affected individuals last month, although the incident occurred on January 20, 2015. In a recent press release, RoxSan explained that affected individuals are being notified in “as timely a manner as possible”. The delay in issuing notifications was due to “the protected nature of the forensic investigation”. It is unclear when RoxSan Pharmacy became aware of the error. The protected health information was included in a data file that was sent to a single individual – a business associate of the pharmacy – who worked in the legal field. That individual had signed a business associate agreement with the pharmacy and was aware of the responsibilities of HIPAA with respect to patients’ PHI. However, the PHI was exposed as the data file was sent via unencrypted email. The data file only contained a limited amount of protected health information and did not...

Healthcare Data Breach Statistics
Mar20

We have compiled healthcare data breach statistics from October 2009 when the Department of Health and Human Services’ Office for Civil Rights first started publishing summaries of healthcare data breaches on its website. The healthcare data breach statistics below only include data breaches of 500 or more records as smaller breaches are not published by OCR. The breaches include closed cases and breaches still being investigated by OCR. Our healthcare data breach statistics clearly show there has been an upward trend in data breaches over the past 9 years, with 2017 seeing more data breaches reported than any other year since records first started being published. There have also been notable changes over the years in the main causes of breaches. The loss/theft of healthcare records and electronic protected health information dominated the breach reports between 2009 and 2015, although better policies and procedures and the use of encryption have helped reduce these easily preventable breaches. Our healthcare data breach statistics show the main causes of healthcare data breaches...

Analysis of February 2018 Healthcare Data Breaches
Mar19

Our February 2018 healthcare data breach report details the major data breaches reported by healthcare providers, health plans, and business associates in February 2018.

Summary of February 2018 Healthcare Data Breaches

February may have been a shorter month, but there was an increase in the number of healthcare data breaches reported to the Department of Health and Human Services’ Office for Civil Rights. In February, HIPAA covered entities and business associates reported 25 breaches – a 19% month on month increase in breaches. While there was a higher breach tally this month, the number of healthcare records exposed as a result of healthcare data breaches fell by more than 100,000. In January 428,643 healthcare records were exposed. February 2018 healthcare data breaches saw 308,780 healthcare records exposed.

Largest Healthcare Data Breaches of February 2018

The largest healthcare data breaches reported to the Office for Civil Rights in February are listed below.

Covered Entity / Covered Entity Type / Individuals Affected / Type of Breach / Location of PHI
St. Peter’s Surgery...

Multiple Email Accounts Compromised at Primary Health Care
Mar18

Primary Health Care Inc., a non-profit network of community health centers in Des Moines, Marshalltown and Ames, IA, has discovered malicious actors have gained access to the email accounts of four employees and have potentially viewed or obtained patients’ protected health information. Primary Health Care issued a press release and uploaded a substitute breach notice to its website on March 16, 2018 explaining the breach occurred on February 28, 2017. The breach was detected the following day on March 1, 2017. Primary Health Care is in the process of notifying affected patients and will be reporting the incident to the Department of Health and Human Services’ Office for Civil Rights. No explanation is provided as to why the breach took a year to report. Primary Health Care responded quickly to the breach and terminated access to the compromised email accounts and hired a third-party computer forensics expert to conduct an investigation into the attack. The investigation revealed access to four email accounts and their associated Google Drives was gained by the attacker(s),...

Almost 10,000 Individuals Notified of Improper PHI Disposal Incident by ShopRite
Mar15

A ShopRite pharmacy in Millville, New Jersey has discovered an electronic device used to capture the signatures of customers has been disposed of without first wiping the device of all stored protected health information. A limited amount of protected health information was stored on the device, which included patients’ names, dates of birth, phone numbers, zip codes, prescription numbers, medication names, signatures, date and time of collection/delivery, and in some cases, details of over-the-counter medications containing pseudoephedrine (PSE). The device was used by customers to acknowledge the store’s privacy policy and payment for prescriptions by insurance carriers. Information was also collected on sales of products containing PSE to meet legal requirements. Individuals affected by the incident had collected prescriptions or purchased PSE products between 2007 and 2013. The device was disposed of in June 2016. The improper disposal of the device is not understood to have resulted in PHI being compromised and no reports of PHI access or misuse have been received by ShopRite,...

QuadMed Discovers PHI of More than 9,850 Patients Was Impermissibly Disclosed to Employees
Mar14

QuadMed, a Wisconsin-based provider of medical, laboratory, pharmacy, fitness, and physical therapy services, has discovered the protected health information of 9,854 patients has potentially been impermissibly disclosed to certain employees. In November 2013, QuadMed took over an onsite clinic at Hillenbrand Inc. Occupational health information of employees of the Batesville, IN-based manufacturer was maintained in an electronic medical record system and access to the system was shared with QuadMed. Certain QuadMed employees required access to the data for the administration of occupational health matters. Takeovers of clinics at WI-based Stoughton Trailers and Whirlpool Corporation’s Clyde, OH plant also saw occupational health-related information in EMRs shared with the firm and made accessible to some of its employees. On December 26, 2017, QuadMed discovered a technical issue affecting the PHI stored in the EMRs used at the Hillenbrand and Stoughton Trailers clinics, which allowed its employees to access more PHI than the minimum necessary for their roles....

PHI of 33,420 BJC Healthcare Patients Exposed on Internet for 8 Months
Mar13

The protected health information of 33,420 patients of BJC Healthcare has been accessible on the Internet for eight months without any need for authentication to view the information. BJC Healthcare is one of the largest not-for-profit healthcare systems in the United States. The St. Louis-based healthcare organization runs two nationally recognized hospitals in Missouri – Barnes-Jewish Hospital and St. Louis Children’s Hospital – along with 13 others. The health system employs more than 31,000 individuals, has over 154,000 hospital admissions and performs more than 175,000 home health visits a year. On January 23, 2018, BJC Healthcare performed a security scan which revealed one of its servers had been misconfigured, allowing sensitive information to be accessed without authentication. Action was immediately taken to reconfigure and secure the server to prevent data from being accessed. The investigation revealed an error had been made configuring the server on May 9, 2017, leaving documents and copies of identification documents accessible. Highly sensitive...

HIMSS Survey Reveals Top Healthcare Security Threats
Mar09

HIMSS has published the results of its annual healthcare cybersecurity survey, which provides insights into the state of cybersecurity in healthcare and identifies the top healthcare security threats. The HIMSS 2018 cybersecurity survey was conducted on 239 respondents from the healthcare industry between December 2017 and January 2018. The results of the survey were announced at the HIMSS 2018 Conference & Exhibition in Las Vegas. 36.8% of respondents had positions in executive management and 37.2% were employed in non-executive management positions. The remaining 25.9% were in non-management positions such as cybersecurity specialists and analysts. 41.2% of respondents were primarily responsible for cybersecurity, 32.6% had some responsibility, and 11.8% sometimes had responsibility for cybersecurity.

Most Healthcare Organizations Have Experienced a Significant Security Incident in the Past 12 Months

The threat of healthcare cyberattacks is greater than ever and the past 12 months have been a torrid year. In the past 12 months, 75.7% of respondents said they had experienced a...

Alabama Data Breach Notification Act Passed by State Senate
Mar08

The Alabama Data Breach Notification Act (Senate Bill 318) has advanced for consideration by the House of Representatives after being unanimously passed by the Alabama Senate last week. Alabama is one of two states that has yet to introduce legislation that requires companies to issue notifications to individuals whose personal information is exposed in data breaches. The other state – South Dakota – is also considering introducing similar legislation to protect state residents. The Alabama Data Breach Notification Act, proposed by Sen. Arthur Orr (R-Decatur), requires companies doing business in the state of Alabama to issue notifications to state residents when their sensitive personal information has been exposed and it is reasonably likely to result in breach victims coming to substantial harm. Entities that would be required to comply with the Alabama Data Breach Notification Act are persons, sole proprietorships, partnerships, government entities, corporations, non-profits, trusts, estates, cooperative associations, and other business entities that acquire or use sensitive...

EmblemHealth Fined $575,000 by NY Attorney General for HIPAA Breach
Mar07

A 2016 mailing error by EmblemHealth that saw the Health Insurance Claim Numbers of 81,122 plan members printed on the outside of envelopes has resulted in a $575,000 settlement with the New York Attorney General. While all mailings include a unique patient identifier on the envelope, in this case the potential for harm was considerable as Health Insurance Claim numbers are formed using the Social Security numbers of plan members. Announcing the settlement, New York Attorney General Eric T. Schneiderman explained that Health Insurance Portability and Accountability Act (HIPAA) Rules require HIPAA covered entities to implement administrative, physical, and technical safeguards to ensure the confidentiality of patients’ and plan members’ protected health information. The error that saw Social Security numbers exposed violated HIPAA Rules. EmblemHealth failed to comply with “many standards and procedural specifications” required by HIPAA. Attorney General Schneiderman also said that printing Social Security numbers on the outside of envelopes violated New York General Business Law §...

16,000 Individuals Impacted by Two Email-Related Breaches
Mar06

Two email-related data breaches have been reported that have resulted in the disclosure of the protected health information of more than 16,000 individuals.

Flexible Benefit Service Corporation Breach Impacts 5,123 Individuals

Flexible Benefit Service Corporation (Flex), a Chicago, IL-based general agency and benefit administrator serving health insurance carriers, has announced the discovery of a phishing attack that resulted in an unauthorized individual gaining access to a corporate email account. The security breach was detected on December 6, 2017 when an email account of a company employee was discovered to be sending phishing emails. The email account was compromised after a single employee responded to a phishing email and disclosed login credentials to the email account. A third-party forensics firm was contracted to conduct an investigation into the breach and ascertain the extent of the attacker’s activities. The investigation highlighted the likely intentions of the attacker. Once access to the email account was gained, the attacker performed searches looking for details...

How to Report a HIPAA Violation Anonymously
Mar06

In this post we explain how to report a HIPAA violation anonymously if you feel your (or someone else’s) privacy has been violated or if HIPAA Rules are not being followed in your organization.

When Can an Alleged HIPAA Violation be Reported?

Most healthcare organizations go to great lengths to ensure they are in compliance with HIPAA Rules, but occasionally HIPAA regulations are violated by management or employees. In such cases, a complaint can be lodged with the Department of Health and Human Services’ Office for Civil Rights (OCR) – the main enforcer of HIPAA Rules. However, complaints will only result in action being taken if the complaint is submitted within 180 days of the date of discovery that HIPAA Rules were violated. In limited cases, when there is ‘good cause’ that it was not possible to file a complaint within 180 days, an extension may be granted. Note that OCR cannot investigate any alleged violation of the HIPAA Privacy Rule that occurred before April 14, 2003 or Security Rule violations that occurred before April 20, 2005 because compliance with those...

New York Surgery & Endoscopy Center Discovers 135,000-Record Data Breach
Mar05

A malware infection at St. Peter’s Surgery & Endoscopy Center in New York has potentially allowed hackers to gain access to the medical records of almost 135,000 patients. This is the second largest healthcare data breach of 2018, the largest to hit New York state since the 3,466,120-record data breach at Newkirk Products, Inc. in August 2016, and the fifth largest healthcare data breach in New York since the Department of Health and Human Services’ Office for Civil Rights started publishing data breach summaries in October 2009. The data breach at St. Peter’s Surgery & Endoscopy Center was discovered on January 8, 2018, the same day as hackers gained access to its server. The rapid detection of the malware limited the time the hackers had access to the server and potentially prevented patients’ data from being viewed or copied. However, while no evidence of data access or data theft was discovered, it was not possible to rule either out with a high degree of certainty. In its substitute breach notice, St. Peter’s Surgery & Endoscopy Center says the servers it uses...

Window Envelope Privacy Breach Exposes ID Numbers of 70,320 Tufts Health Plan Members
Mar02

Tufts Health Plan is alerting 70,320 of its members that their health plan member ID numbers have been exposed. A mailing vendor used by Tufts Health Plan sent Tufts Medicare Preferred ID cards to Medicare Advantage members between December 11, 2017 and January 2, 2018. Window envelopes were used which naturally allowed plan members’ names and addresses to be seen, but Tufts Health Plan member IDs were also visible through the plastic windows of the envelopes. The mailing error was discovered by Tufts Health Plan on January 18. Tufts Health Plan notes that its member IDs are not comprised of Social Security numbers or Medicare numbers, but potentially the member ID numbers could be misused by individuals to receive services covered by the health plan. Legal experts were consulted about the breach to assess the potential risk to plan members. The risk of misuse of the numbers is believed to be very low as the only individuals likely to see the member IDs would be employees of the postal service. Plan members have been told that in the unlikely event that their member IDs are misused...

Hacking Responsible for 83% of Breached Healthcare Records in January
Mar01

The latest installment of the Protenus Healthcare Breach Barometer report has been released. Protenus reports that overall, at least 473,807 patient records were exposed or stolen in January, although the number of individuals affected by 11 of the 37 breaches is not yet known. The actual total is likely to be considerably higher, possibly taking the final total to more than half a million records. The report shows insiders are continuing to cause problems for healthcare organizations. Insiders were the single biggest cause of healthcare data breaches in January. Out of the 37 healthcare data breaches reported in January, 12 were attributed to insiders – 32% of all data breaches. While insiders were the main cause of breaches, the incidents affected a relatively low number of individuals – just 1% of all records breached. Insiders exposed 6,805 patient records, although figures could only be obtained for 8 of the 12 breaches. Seven incidents were attributed to insider error and five were due to insider wrongdoing. Protenus has drawn attention to one particular insider breach. A nurse...

Ransomware Attack Impacts 6,550 Jemison Internal Medicine Patients
Feb28

On December 20, 2017, a ransomware attack on Jemison Internal Medicine of Alabama resulted in electronic health records being encrypted, preventing the healthcare provider from gaining access to patient data. A ransom demand was issued for the keys to unlock the encryption although no payment was made to the attacker. Jemison Internal Medicine had viable backups of electronic protected health information and restored data after reinstalling the operating system on affected computers. An analysis of its system post-data restoration revealed no traces of the malicious software remained. While ransomware attacks are often indiscriminate and occur as a result of employees responding to phishing emails, this attack was more targeted. The investigation into the security breach revealed an unauthorized individual had gained access to Jemison Internal Medicine’s computer system and had access for a period of approximately 3 months. The investigation did not uncover any evidence to suggest the EMR system was accessed by the attacker, although it was not possible to rule out data access with...

Medical University of South Carolina’s Hard Line on HIPAA Violations Sees 13 Fired in a Year
Feb27

According to a recent report in the Post and Courier, the Medical University of South Carolina (MUSC) terminated 13 employees last year for violating HIPAA Rules by snooping on patient records. In total, there were 58 privacy violations in 2017 at MUSC, all of which have been reported to the Department of Health and Human Services’ Office for Civil Rights. All of the breaches affected only small numbers of patients. Out of the 58 breaches, 11 incidents were categorized as snooping on medical records. Other breaches were unauthorized disclosures such as when the health information of a patient is accidentally sent or faxed to the wrong person. Over the past five years, there have been 307 breaches detected at MUSC, resulting in 30 members of non-physician staff being fired. None of the breaches have been listed on the OCR breach portal, which only shows breaches impacting 500 or more individuals. Under HIPAA Rules, all PHI breaches must be reported, although it is only large breaches of more than 500 records that are made public and are detailed on the breach portal. The revelations...

Patients Notified of White and Bright Family Dental Server Hack
Feb22

Fresno, CA-based White and Bright Family Dental has discovered one of its servers containing patients’ protected health information has been accessed by hackers. Access to the server was gained by the attackers on January 30, 2018. The Fresno Police Department was immediately notified of the incident “so that identification and prosecution of those involved could begin.” That investigation, along with the internal White and Bright Family Dental investigation, is continuing. The dental practice is also in the process of augmenting its security protections to prevent further incidents of this nature from occurring. While HIPAA covered entities have up to 60 days following the discovery of a breach to issue notifications to patients and the Department of Health and Human Services, White and Bright Family Dental acted quickly and sent notifications in the shortest possible time frame to allow victims to take steps to protect their identities. Letters were sent to patients on February 16 and the state attorney general’s office was notified of the breach on February 19. White and...

1,900 UVA Patients’ PHI Accessed by Hacker Behind FruitFly Malware
Feb22

Almost 1,900 patients of University of Virginia Health System are being notified that an unauthorized individual has gained access to their medical records as a result of a malware infection. The malware had been loaded onto the devices used by a physician at UVa Medical Center. When medical records were accessed by the physician, the malware allowed the hacker to view the data in real time. The malware was first loaded onto the physician’s electronic devices on May 3, 2015, with access possible until December 27, 2016. Over those 19 months, the hacker was able to view the medical records of 1,882 patients. The types of information seen by the hacker included names, addresses, dates of birth, diagnoses, and treatment information, according to a UVa spokesperson. Financial information and Social Security numbers were not exposed as they were not accessible by the physician. Access to the protected health information of its patients stopped in late 2016, although UVa did not discover the breach for almost a year. UVa was notified of the security breach by the FBI on December 23,...

Sutter Health Notifies Patients of Business Associate Phishing Incident
Feb20

Sutter Health is notifying certain patients that some of their protected health information has been exposed following a phishing attack on one of its business associates – the legal firm Salem and Green. On or around October 11, 2017, a phishing email was received by a staff member at Salem and Green, the response to which gave the attackers access to that individual’s email account. Upon discovery of the attack, a forensics firm was contracted to perform an analysis of the affected computer and network to determine the extent of the attack and whether any sensitive information had been obtained. The investigation revealed the security breach was limited to a single email account and that access to the account was only possible for two days. During the time that the email account was accessible, the attacker had access to all emails in the account, some of which contained the protected health information of certain Sutter Health patients. The types of information potentially accessed by the attacker were limited to names, dates of birth, driver’s license numbers, Social Security...

AJMC Study Reveals Common Characteristics of Hospital Data Breaches
Feb20

The American Journal of Managed Care has published a study of hospital data breaches in the United States. The aim of the study was to identify common characteristics of hospital data breaches, what the biggest problem areas are, the main causes of security incidents and the types of information most at risk. The study revealed hospitals are the most commonly breached type of healthcare provider, accounting for approximately 30% of all large healthcare security incidents reported to the Department of Health and Human Services’ Office for Civil Rights by providers between 2009 and 2016. Over that 7-year time period there were 215 breaches reported by 185 nonfederal acute care hospitals and 30 hospitals experienced multiple breaches of 500 or more healthcare records. One hospital experienced 4 separate breaches in the past 7 years, five hospitals had 3 breaches, and 24 hospitals experienced 2 breaches. In addition to hospitals experiencing the highest percentage of security breaches, those breaches also resulted in the theft/exposure of the highest number of health records. While...

Another Major Triple-S Advantage Data Breach Has Occurred: 36,000 Affected
Feb15

The Puerto Rico Health Plan Triple-S Advantage has experienced a privacy breach that has impacted 36,000 plan members. The breach was the result of a mailing error which saw sensitive information of plan members disclosed to incorrect individuals. The protected health information exposed as a result of the mailing was limited and did not include Social Security numbers or financial information; however, plan members’ ID numbers were impermissibly disclosed along with names, dates of service, and treatment codes. The mailing error occurred in November but was not discovered by Triple-S until December 5, 2017. An extensive investigation was launched to determine how the error occurred and action has now been taken to ensure that similar errors do not occur in future mailings to plan members and healthcare providers. Triple-S said in its substitute breach notice that its mailing processes have been changed and that those processes have now been tested. Another mailing run has been conducted and copies of the original letters have now been sent to the correct addresses. Affected plan...

January 2018 Healthcare Data Breach Report
Feb 14

Our January 2018 Healthcare Data Breach Report details the healthcare security incidents reported to the Department of Health and Human Services’ Office for Civil Rights in January 2018. There were 21 security breaches reported to OCR in January, which is a considerable improvement on the 39 incidents reported in December 2017. Last month saw 428,643 healthcare records exposed. While there was a 46.15% drop in the number of healthcare data breaches reported in January month over month, 87,022 more records were exposed or stolen than in December. January was the third consecutive month in which the number of breached records increased month over month. The mean breach size in January was 20,412 records – very similar to the mean breach size in December 2017 (20,487 records). However, the high mean value was due to a particularly large breach of 279,865 records reported by Oklahoma State University Center for Health Sciences. Overall, the healthcare data breaches reported in January were far less severe than in December. In January the median breach size was 1,500 records. In December it was...

Coastal Cape Fear Eye Associates Ransomware Attack Impacts 925 Patients
Feb 14

A Coastal Cape Fear Eye Associates ransomware attack has seen the protected health information of 925 patients compromised. North Carolina’s Coastal Cape Fear Eye Associates, P.A., discovered its systems had been breached on December 5, 2017. Upon discovery of the ransomware attack, Coastal Cape Fear Eye Associates brought in external IT professionals to contain the attack and remove the ransomware. The IT consultants were able to limit the harm caused and the malware was removed, although some files remained locked and inaccessible for some time. According to a substitute breach notice uploaded to the healthcare provider’s website on February 1, 2018, the delay in issuing notifications to affected patients was because it was not possible to access certain files to determine what information was involved and which patients were affected. Coastal Cape Fear Eye Associates has only recently been able to access all encrypted files. Under HIPAA Rules, healthcare organizations are required to report ransomware attacks unless the attacked entity establishes there was a low probability of...

$100,000 Settlement Shows HIPAA Obligations Don’t End When a Business Closes
Feb 14

HIPAA covered entities and their business associates must abide by HIPAA Rules, and when a business closes those HIPAA obligations do not end. The HHS’ Office for Civil Rights (OCR) has made this clear with a $100,000 penalty for FileFax Inc., for violations that occurred after the business had ceased trading. FileFax is a Northbrook, IL-based firm that offers medical record storage, maintenance, and delivery services for HIPAA covered entities. The firm ceased trading during the course of OCR’s investigation into potential HIPAA violations. An investigation was launched following an anonymous tip – received on February 10, 2015 – about an individual who had taken documents containing protected health information to a recycling facility and sold the paperwork. That individual was a “dumpster diver”, not an employee of FileFax. OCR determined that the woman had taken files to the recycling facility on February 6 and 9 and sold the paperwork to the recycling firm for cash. The paperwork, which included patients’ medical records, was left unsecured at the recycling facility. In...

How Many HIPAA Violations in 2017 Resulted in Financial Penalties?
Feb 11

We are often asked about healthcare data breaches and HIPAA violations, and two of the most recent questions are how many HIPAA violations in 2017 resulted in data breaches and how many HIPAA violations occurred in 2017.

How Many HIPAA Violations Occurred in 2017?

The problem with determining how many HIPAA violations occurred in 2017 is that many violations are not reported, and out of those that are, only the HIPAA breaches that impact more than 500 individuals are published by the Department of Health and Human Services’ Office for Civil Rights on its breach portal – often incorrectly referred to as the “Wall of Shame”. To call it a ‘Wall of Shame’ is not fair on healthcare organizations because the breach reports show organizations that have experienced data breaches, NOT organizations that have violated HIPAA Rules. Even organizations with multi-million-dollar cybersecurity budgets, mature security defenses, and advanced employee security awareness training programs can experience data breaches. All it takes is for a patch not to be applied immediately or an employee to...

Ron’s Pharmacy Services Notifies Patients of Email Account Breach
Feb 09

San Diego, CA-based Ron’s Pharmacy Services has discovered that an email account containing limited protected health information was compromised by an unknown individual. Suspicious activity was identified on an employee’s email account on October 3, 2017, prompting an investigation; however, it was not until December 21, 2017 that it was determined that an unauthorized individual had accessed messages in the email account containing patient information. An analysis of the emails in the account showed only a limited amount of PHI was compromised: names, internal account numbers, and payment adjustment information, while a small number of patients also had details of their prescription medications compromised. While PHI access was confirmed, Ron’s Pharmacy is unaware of any misuse of patient information. Ron’s Pharmacy has now notified patients about the breach and reported the incident to the appropriate authorities. In its Feb 2 substitute breach notice, Ron’s Pharmacy explained that rapid action was taken to secure the account and prevent further access. Login credentials were...

Aetna Seeks At Least $20 Million in Damages from Firm Responsible for HIV Status Data Breach
Feb 08

Aetna has taken legal action against an administrative support company over a July 2017 data breach that saw details of HIV medications visible through the clear plastic windows of envelopes in a mailing. Letters inside some of the envelopes had slipped, making the words “when filling prescriptions for HIV medications” clearly visible to anyone who saw the envelopes. The privacy breach was condemned by the Legal Action Center and AIDS Law Project of Pennsylvania, who along with Berger & Montague, P.C., filed a class action lawsuit against Aetna seeking damages for breach victims. In January, Aetna settled the lawsuit for $17.16 million. Last month, Aetna also settled violations of HIPAA and state laws for $1.15 million with the New York attorney general over the same breach. The class action was only one of seven filed against the health insurer, and further fines from state attorneys general are to be expected. Several other attorneys general have opened investigations into the breach and may also determine that state laws have been violated. The costs associated with the...

24,000 Decatur County General Hospital Patients Notified About Malware-Related Data Breach
Feb 08

Decatur County General Hospital in Tennessee has discovered that malware was installed on a server housing its electronic medical record system. The attacker potentially gained access to the medical records of up to 24,000 patients. An unauthorized software installation was discovered on November 27, 2017 by the hospital’s medical record system vendor, which is also responsible for maintaining the server on which the system is installed. An investigation revealed the software was a form of malware known as a cryptocurrency miner. Cryptocurrency mining is the use of computer processors to verify cryptocurrency transactions and add them to the public ledger containing details of all transactions since the currency was created. The process of verifying transactions requires computers to solve complex computational problems. Cryptocurrency mining can be performed by anyone with a computer, and in return for solving those computational problems, the miner is rewarded with a small payment for verifying the transaction. A single computer can be used to earn a few dollars a day performing...

PHI of 842 Western Washington Medical Group Patients Exposed
Feb 07

The protected health information of 842 patients of Western Washington Medical Group was exposed in November 2017. Documents containing sensitive health information were accidentally disposed of with regular trash. On November 13, 2017, the janitorial service used by the medical group emptied shredding bins with regular trash. Instead of sensitive documents being permanently destroyed in accordance with HIPAA Rules, they were emptied into regular trash bins. Western Washington Medical Group discovered the error the following day, but too late to recover the documents as the trash had already been collected and taken to landfill sites for disposal. The breach was limited, but individuals impacted have had a range of sensitive information exposed including names, addresses, medical history forms, diagnoses, medical histories, appointment dates, and health insurance billing information. Patients impacted by the breach had previously visited WWMG Orthopedic, Sports and Spine centers for medical services. Notification letters were sent to all affected individuals by first class mail on...

Partners HealthCare Notifies 2,600 Patients About May 2017 Breach of PHI
Feb 06

Partners HealthCare System is alerting approximately 2,600 patients that some of their protected health information has been compromised. While HIPAA covered entities have up to 60 days following the discovery of a breach to report the incident to OCR (if the breach impacts 500 or more individuals) and notify breach victims, this incident occurred and was discovered in May 2017. The delay in reporting the incident was due to difficulty identifying patient data which was mixed together with computer code. The breach was a malware incident that was discovered on May 8, 2017 when the healthcare system’s intrusion monitoring system detected suspicious activity. Prompt action was taken to block the malware and third-party forensics consultants were called in to assist with the investigation. The investigators concluded that this was not a targeted attack on Partners HealthCare, and the malware did not provide the attackers with access to its electronic medical record system. However, the investigation did reveal access to certain data was possible as a result of user activity on...

11,200 CarePlus Health Plan Members Notified of PHI Breach
Feb 05

A privacy incident has been experienced by Miami, FL-based CarePlus Health Plans which has seen certain plan members’ protected health information accidentally disclosed to other plan members. Explanation of benefits statements were mailed to its plan members on January 9 and January 16, 2018, although on January 17, CarePlus became aware that some of the statements had been sent to incorrect individuals. The EoB statements included names, addresses, dates of service, providers of services, the services that had been provided, CarePlus identification numbers and CarePlus health plan names. Highly sensitive information such as Social Security numbers and financial information were not detailed on the EoB statements. CarePlus has not received any reports to suggest any of the disclosed information has been misused. The mismailing incident has been investigated by CarePlus and action has been taken to prevent any similar privacy incidents from occurring in the future. CarePlus says the mismailing incident was due to a series of programming and printing errors. Breach...

Lawsuit Over HIPAA Breach by Mail Service Survives Motion to Dismiss
Feb 02

A mail service – Press America, Inc – used by a pharmacy benefit manager – CVS Pharmacy – is being sued over an accidental disclosure of 41 individuals’ protected health information. CVS Pharmacy is a business associate of a health plan and is contracted to provide a mail-order pharmacy service for the health plan. The mail service is a subcontractor of CVS Pharmacy, and both entities are bound by HIPAA Rules. CVS Pharmacy signed a business associate agreement with the health plan, and Press America did likewise with CVS Pharmacy, as PHI was required in order to perform the mailings. CVS Pharmacy alleges the HIPAA Privacy Rule was violated by Press America when it inadvertently disclosed PHI to unauthorized individuals in a mismailing incident. The disclosure of some plan members’ PHI was accidental, but the privacy breach violated a performance standard in CVS Pharmacy’s contract with the health plan. By violating the performance standard, CVS Pharmacy was required to pay the health plan $1.8 million. A lawsuit was filed by CVS Pharmacy seeking...

Phishing Attack on Business Associate Exposes Forrest General Hospital Patients’ PHI
Feb 02

The management consulting company HORNE LLP, a business associate of Forrest Health’s Forrest General Hospital, is notifying certain hospital patients that some of their protected health information (PHI) has potentially been obtained by a third party after access was gained to the email account of one of its employees. HORNE provides certain Medicare reimbursement services to Forrest General Hospital and as such requires access to patients’ PHI. HORNE became aware of an email account breach on November 1, 2017, when it discovered the email account of an employee was being used to send phishing emails. The discovery prompted the shutdown of the email account, and an investigation into a potential breach was launched. That investigation revealed an unauthorized individual had gained access to the employee’s email account the previous day as a result of the employee responding to a phishing email. The phishing attack was investigated by a third-party investigator to determine the nature and extent of the breach and whether the PHI of any patients had been exposed. The investigation...

PHI of 660 Eastern Maine Medical Center Patients Exposed
Feb 02

Eastern Maine Medical Center is notifying 660 patients that some of their protected health information has been exposed. The sensitive information was stored on a portable hard drive that has gone missing from its State Street facility, in Bangor, ME. The device lacked encryption and data on the device could be accessed without the need for a password. Theft has not been confirmed, but the device could not be located during a search of its facility. The drive was last seen in its usual place on December 19, 2017 and was noticed to be missing on December 22. The device belonged to a business associate of Eastern Maine Medical Center and contained limited patient information. No Social Security numbers, financial information, or health insurance details were present on the device, only full names, birth dates, dates of service, medical record numbers, one-word condition descriptors, and procedural images. The patients impacted by the breach had visited the medical center for cardiac ablation procedures between January 3, 2011 and December 11, 2017. Not all patients who visited the...

Massachusetts Online Breach Reporting Tool Launched: Data Breaches Soon to Be Publicly Listed
Feb 02

Massachusetts Attorney General Maura Healey has announced the launch of a new online data breach reporting tool. The aim is to make it as easy as possible for breached entities to submit breach notifications to the Attorney General’s office. Under Massachusetts data breach notification law (M.G.L. c. 93H), organizations experiencing a breach of personal information must submit a notification to the Massachusetts attorney general’s office as soon as it is practicable to do so and without unnecessary delay. Breaches must also be reported to the Director of the Office of Consumer Affairs and Business Regulation (OCABR) and notifications must be issued to affected individuals. “Data breaches are damaging, costly and put Massachusetts residents at risk of identity theft and financial fraud – so it’s vital that businesses come forward quickly after a breach to inform consumers and law enforcement,” said Healey. “This new feature allows businesses to more efficiently report data breaches so we can take action and share information with the public.” Regarding the latter, the Mass. Attorney...

Class Action Lawsuit against Allscripts Filed following Ransomware Attack
Jan 31

Last week, a ransomware attack against the EHR vendor Allscripts resulted in thousands of healthcare providers being unable to access patient data or use the e-prescription service. Already, a class action lawsuit against Allscripts has been filed by Florida-based Surfside Non-Surgical Orthopedics. Allscripts provides EHR and e-prescription services to 2,500 hospitals and 19,000 post-acute care organizations. Last week, a new variant of SamSam ransomware infected the company’s data centers in Raleigh and Charlotte, NC, leaving several applications offline for up to 1,500 clients. Microsoft and Cisco incident response teams helped the company restore its e-prescribing service by Saturday, but for many clients the Allscripts PRO EHR system is still unavailable or experiencing outages. An Allscripts spokesperson has been unable to confirm when a full restore will be completed.

The Class Action Lawsuit against Allscripts

The class action lawsuit against Allscripts was filed in the United States District Court for the Northern District of Illinois, where the company is based. It alleges...

Malware Causes 5,200-Record Data Breach at DC Assisted Living Facility
Jan 26

A malware infection at Westminster Ingleside King Farm Presbyterian Retirement Communities has potentially enabled the attackers to gain access to the protected health information of thousands of its residents. The Washington, D.C.-based assisted living facility had implemented a wide range of security solutions to prevent unauthorized access to its systems, although in this instance they were unable to block the attack. The malware was discovered on November 21, 2017, with rapid action taken to identify all instances of the malware on its network and remove the malicious code to prevent further access. While the malware was successfully removed, assistance was sought from third-party experts to determine how the attackers had managed to bypass its security defenses, and whether access to the protected health information of its residents had been gained. The investigation into the breach highlighted a number of areas where security could be improved to further protect its systems from attack. Ingleside has now implemented a new firewall, upgraded its antimalware and antivirus...

Aetna Agrees to Pay $1.15 Million Settlement to Resolve NY Attorney General Data Breach Case
Jan 25

Last July, Aetna sent a mailing to members in which details of HIV medications were clearly visible through the plastic windows of envelopes, inadvertently disclosing highly sensitive HIV information to individuals’ housemates, friends, families, and loved ones. Two months later, a similar privacy breach occurred. This time the mailing related to a research study regarding atrial fibrillation (AFib), in which the term IMACT-AFIB was visible through the window of the envelope. Anyone who saw the envelope could have deduced the intended recipient had an AFib diagnosis. The July breach triggered a class action lawsuit which was recently settled by Aetna for $17.2 million. Aetna must now also cover a $1.15 million settlement with the New York Attorney General to resolve violations of federal and state laws. Attorney General Schneiderman launched an investigation following the breach of HIV information in July, which violated the privacy of 2,460 Aetna members in New York. The September privacy breach was discovered during the course of that investigation. 163 New York Aetna members had...

Senate Attorney Judiciary Committee Advances South Dakota Data Breach Notification Bill
Jan 24

The Senate Attorney Judiciary Committee in South Dakota has overwhelmingly voted in favor of introducing data breach notification legislation. The bill, introduced by the Committee on Judiciary at the request of the Attorney General Marty Jackley, advanced after a 7-0 vote. Currently there are only two states in the US that have yet to introduce data breach legislation to protect state residents. With South Dakota now looking likely to introduce new protections for state residents, Alabama looks like it will be the only state lacking a data breach notification law. The Bill – South Dakota Senate Bill No. 62 – requires notifications to be issued to state residents and the Attorney General following a breach that impacts 250 or more state residents. The breach notifications would need to be issued without unnecessary delay and no later than 45 days following the discovery of a breach, unless a delay is requested by law enforcement. Breach notifications would not be required if the breached entity, along with the attorney general, determines that consumers would be unlikely to be...

Analysis of Healthcare Data Breaches in 2017
Jan 24

A summary and analysis of healthcare data breaches in 2017 has been published by Protenus. Data for the report is obtained from Databreaches.net, which tracks healthcare data breaches reported to OCR, the media, and other sources. The 2017 breach report gives an indication of the state of healthcare cybersecurity. So how has 2017 been?

There Were at Least 477 Healthcare Data Breaches in 2017

In some respects, 2017 was a good year. The super-massive data breaches of 2015 were not repeated, and even the large-scale breaches of 2016 were avoided. However, healthcare data breaches in 2017 occurred at a rate of more than one per day. There were at least 477 healthcare data breaches in 2017 according to the report. While all those breaches have been reported via one source or another, details of the nature of all the breaches are not known. It is also unclear at this stage exactly how many healthcare records were exposed. Numbers have only been obtained for 407 of the breaches. There was a slight increase (6%) in reported breaches in 2017, up from 450 incidents in 2016. However, there was...

Pedes Orange County Discovers Physician Accessed and Disclosed PHI Without Authorization
Jan 23

Pedes Orange County Inc., a California healthcare provider specializing in treatments for vascular disease, is alerting some of its patients that a physician accessed their medical records without authorization and provided some of that information to an attorney. Pedes shares its facilities with another medical group, which conducts surgical procedures at the facility during the week. A scheduling tool is also shared with other physicians that use the same facility. On November 14, 2017, Pedes became aware that a physician employed by a different medical group had accessed its electronic medical records database and viewed the records of some of its patients. Pedes did not provide authorization for the EMR to be accessed. Pedes reports that the physician subsequently shared some of the information in the database with an attorney. After discovering the breach, Pedes contacted the physician and has been working to ensure all copies of patients’ PHI that were obtained from its EMR system are securely destroyed and that no copies remain. The types of information potentially...

Analysis of Q4 2017 Healthcare Security Breaches
Jan 22

Q4, 2017 saw a 13% reduction in healthcare security breaches reported to the Department of Health and Human Services’ Office for Civil Rights. There were 99 data breaches reported in Q3, 2017. In Q4, there were 86 security breaches reported. There were 27 healthcare security breaches reported in September, followed by a major decline in breaches in November, when 21 incidents were reported. However, December saw a significant uptick in incidents with 38 reported breaches. Accompanying the quarterly decline in security incidents was a marked decrease in the severity of breaches. In Q3, there were 8 data breaches reported that impacted more than 50,000 individuals. In Q4, no breaches on that scale were reported. The largest incident in Q4 impacted 47,000 individuals.

Largest Q4, 2017 Healthcare Security Breaches

Covered Entity | Entity Type | Number of Records Breached | Cause of Breach
Oklahoma Department of Human Services | Health Plan | 47,000 | Hacking/IT Incident
Henry Ford Health System | Healthcare Provider | 43,563 | Theft
Coplin Health Systems | Healthcare Provider | 43,000 | Theft
Pulmonary...

Allscripts Ransomware Attack Impacts Cloud EHR and EPCS Services
Jan 22

An Allscripts ransomware attack occurred on Thursday January 18, resulting in several of the firm’s applications being taken offline, including its cloud EHR and electronic prescriptions platform. The attack came just a few days after two Indiana hospitals experienced SamSam ransomware attacks. The Allscripts ransomware attack is also believed to have involved a variant of SamSam ransomware – a ransomware family extensively used in attacks on healthcare providers. Allscripts is a popular electronic health record (EHR) system and Electronic Prescriptions for Controlled Substances (EPCS) provider, with its platform used by many U.S. healthcare organizations, including 2,500 hospitals and 19,000 post-acute care organizations. More than 180,000 physicians, 100,000 electronic prescribing physicians, and 40,000 in-home clinicians use Allscripts. The Allscripts ransomware attack commenced in the early hours of Thursday morning. Rapid action was taken to remove the ransomware and restore data, with the incident response teams at Microsoft and Cisco called in to assist. An investigation...

Email Hack Sees PHI of 53,000 Pharmacy Patients Exposed
Jan 19

53,173 patients who received services from Onco360 and CareMed Specialty Pharmacy have been notified that some of their protected health information has been compromised. A security breach was suspected on November 14, 2017, when suspicious activity involving an employee’s email account was detected. Third party computer forensics experts were called in to conduct an investigation to determine the nature and scope of the breach. On November 30, it was determined that the breach involved three email accounts. An analysis of the emails in those accounts revealed some messages contained the PHI of patients, which could potentially have been accessed and stolen by the hacker. The information potentially compromised included names, demographic information, clinical information, details of medications provided by the pharmacy, Social Security numbers, and health insurance information. A limited number of patients may also have had some financial information exposed. No reports have been received to suggest any protected health information has been misused, although patients have been...

Summary of Healthcare Data Breaches in December 2017
Jan 18

There was a sharp rise in healthcare data breaches in December, reversing a two-month downward trend. There were 38 healthcare data breaches in December 2017 that impacted more than 500 individuals: an increase of 81% from last month. Unsurprisingly, given the sharp increase in reported breaches, the number of records exposed in December also increased month over month. The records of 341,621 individuals were exposed or stolen in December: an increase of 219% from last month. December saw a similar pattern of breaches to past months, with healthcare providers experiencing the most data breaches; however, there was a notable increase in breaches reported by health plans in December – rising from 2 in November to 6 in December.

Causes of Healthcare Data Breaches in December 2017

As was the case last month, hacking/IT incidents and unauthorized access/disclosures were the most common causes of healthcare data breaches in December, although there was a notable increase in theft/loss incidents involving portable electronic devices and paper records. While hacking...

Aetna Settles Class Action Lawsuit Filed by Victims of HIV Status Data Breach
Jan 18

Aetna has agreed to settle a class action lawsuit filed by victims of a mailing error that resulted in details of HIV medications prescribed to patients being visible through the clear plastic windows of the envelopes. Aetna was not directly responsible for the mailing; instead, an error was made by a third-party vendor. For some of the patients, the letters had slipped inside the envelope, revealing that the patient had been prescribed HIV drugs. In many cases, those envelopes were viewed by flatmates, family members, neighbors, friends, and other individuals, thus disclosing each patient’s HIV information. It is not known how many patients had their HIV information disclosed, although the mailing was sent to 13,487 individuals. Some of the patients were being prescribed medications to treat HIV; others were taking the medication as Pre-exposure Prophylaxis (PrEP) to prevent contracting the disease. Many of the patients who were outed as a result of the breach have faced considerable hardship and discrimination. Several patients have had to seek alternative accommodation after being forced...

Deadline for Reporting 2017 HIPAA Data Breaches Approaches
Jan 17

The deadline for reporting 2017 HIPAA data breaches to the Department of Health and Human Services’ Office for Civil Rights is fast approaching. HIPAA-covered entities have a maximum of 60 days from the discovery of a data breach to report security incidents to OCR and notify affected patients. Smaller breaches of PHI do not need to be reported to OCR within this time frame, instead covered entities can delay reporting those breaches to OCR until the end of the calendar year. The maximum allowable time for reporting breaches impacting fewer than 500 individuals is 60 days from the end of the year in which the breach was experienced. The final day for reporting 2017 HIPAA data breaches to OCR is therefore March 1, 2018. A HIPAA data breach is defined as an “acquisition, access, use, or disclosure” of unsecured protected health information (PHI) that is not permitted by the HIPAA Privacy Rule. Unsecured PHI is defined as PHI that is “not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology,”...

1,300 Patients’ Medical Records Viewed Without Authorization by Palomar Health Nurse
Jan 16

More than 1,300 patients of Palomar Medical Center Escondido are being notified that a former nurse viewed their medical records without authorization while they were receiving treatment at the hospital. The privacy violations occurred over a 15-month period between February 10, 2016 and May 7, 2017. The unauthorized access was discovered when access logs were reviewed. The audit revealed a pattern of access that was not consistent with the nurse’s work duties. The audit showed the nurse had viewed the records of patients that had been assigned to her, in addition to patients assigned to another nurse in the same unit. The incident appears to be a case of snooping, rather than data access with malicious intent. Palomar Health has uncovered no evidence to suggest any information was recorded and removed from the hospital, and no reports have been received to suggest any patient information has been misused. Following an internal investigation into the privacy violations, the nurse resigned. The information viewed was limited to names, dates of birth, genders, medical record numbers,...

Indiana Health System Pays $55K Ransom to Recover Files
Jan 16

A ransomware attack on Greenfield, Indiana-based Hancock Health on Thursday forced staff at the hospital to switch to pen and paper to record patient health information, while IT staff attempted to block the attack and regain access to encrypted files. The attack started around 9.30pm on Thursday night when files on its network started to be encrypted. The attack initially caused the network to run slowly, with ransom notes appearing on screens indicating files had been encrypted. The IT team responded rapidly and started shutting down the network to limit the extent of the attack and a third-party incident response firm was called upon to help mitigate the attack. An attack such as this has potential to cause major disruption to patient services, although Hancock Health said patient services were unaffected and appointments and operations continued as normal. An analysis of the attack uncovered no evidence to suggest any patient health information was stolen by the attacker(s). The purpose of the attack was solely to cause disruption and lock files to force the hospital to pay a...

20% of RNs Had Breaches of Patient Data at Their Organization
Jan 15

A recent survey conducted by the University of Phoenix College of Health Professions indicates registered nurses (RNs) are confident in their organization’s ability to prevent data breaches. The survey was conducted on 504 full-time RNs and administrative staff across the United States. Respondents had held their position for at least two years. Almost half of RNs (48%) and 57% of administrative staff said they were very confident that their organization could prevent data breaches and protect against the theft of patient data, even though 19% of administrative staff and 20% of RNs said their organization had had a data breach in the past. 21% did not know if a breach had occurred. The survey confirmed that healthcare organizations have made many changes over the years to better protect data and patient privacy, with most of the changes occurring in the past year, according to a quarter of RNs and 40% of administrative staff. Those changes have occurred across the organization. The biggest areas for change were safety, quality of care, population health, data security and the...

43,000 Patients of Coplin Health Systems Potentially Impacted by Laptop Theft
Jan 11

West Virginia-based Coplin Health Systems has informed 43,000 patients that their PHI has potentially been exposed as a result of the theft of an unencrypted laptop computer from the vehicle of an employee. Coplin Health was alerted to the theft on November 2, 2017. The theft was immediately reported to law enforcement and an investigation was launched, although at the time of issuing notifications, the laptop computer had not been recovered. While it is possible that protected health information of patients was stored on the laptop, Coplin Health does not believe that was the case, although the possibility of data exposure cannot be ruled out with 100% certainty. Coplin Health notes that the laptop had various security protections in place to ensure the privacy of patients in the event of the laptop being stolen. While the laptop could potentially be used to gain access to patient data, a password would have been required and it is not suspected that the thief had “the sophisticated knowledge and resources necessary to bypass the laptop’s security mechanisms.” Further, Coplin...

St. Rose Dominican Hospital Patients Impacted by DJO Global PHI Breach
Jan 10

DJO Global, a provider of medical technologies to help patients maintain and regain natural motion, has discovered that some patients’ information has been exposed, and potentially disclosed, to unauthorized individuals. Individuals who had received a DJO Global device in the emergency room, Urgent Care Site, or the Same Day Surgery Center of the Siena, San Martin or De Lima campuses of St. Rose Dominican Hospital in Las Vegas, NV between July 17 and October 16, 2017 have potentially been affected. Those individuals are likely to have signed a DJO Global Patient Product Agreement confirming they had received one of the company’s devices. Those consent forms should have been sent to DJO Global; however, a batch of consent forms was not received. A DJO employee collected the forms from St. Rose Dominican Hospital and should have taken them to DHL to be delivered to DJO Global; however, the forms were lost in transit. They are believed to have been lost between collection from the hospital and delivery to DHL. The forms contained the following information: Name, phone number,...

Lack of Encryption on Hard Drive Results in the Exposure of 9387 Patients’ PHI
Jan 10

Framingham, MA-based Charles River Medical Associates has discovered the danger of failing to use encryption to protect data stored on portable hard drives. In late November, the practice discovered one of its portable hard drives was missing. The device contained x-ray images, names, patient ID numbers, and birth dates. Every patient who had visited the Framingham radiology lab for a bone density scan since 2010 had their x-ray images exposed – almost 9,400 individuals. The hard drive was used by the practice as a backup device, and the stored data were updated each month with bone density scans from the past four weeks. The last time the device was used was for the October data backup. In late November, when the monthly backup was scheduled to be made, the portable drive could not be found. A full search of the premises was conducted, which took several weeks, but the device could not be located. All staff members were questioned about the whereabouts of the drive, but no one had seen the device in the past four weeks. Charles River Medical Associates has now declared the device lost...

Oklahoma State University Center for Health Sciences Informs Patients of PHI Breach
Jan 9

Oklahoma State University Center for Health Sciences (OSUCHS) has discovered an unauthorized individual has gained access to parts of its computer network and potentially accessed files containing billing information of Medicaid patients. The security breach was discovered on November 7, 2017 with access to the network terminated the following day. Third party computer forensics experts were called upon to conduct a comprehensive investigation to determine which parts of the network had been accessed, and whether patient health information had been accessed or stolen. The investigation confirmed that patient health information could potentially have been viewed, although it was not possible to determine whether patient information had been accessed or stolen. OSUCHS reports that it has not received conclusive information to suggest any patient information has been misused. Out of an abundance of caution, all individuals potentially impacted by the incident have been notified of the breach by mail and advised that they should be alert to the possibility that their personal...

Phishing Attack on Florida Agency for Health Care Administration Impacts 30,000 Medicaid Recipients
Jan 9

The Agency for Health Care Administration in Florida has discovered an unauthorized individual has gained access to a single email account as a result of an employee falling for a phishing scam. The employee received and responded to the malicious phishing email on November 15, 2017 and disclosed login credentials that allowed the attacker to remotely access his/her email account and, potentially, the protected health information of as many as 30,000 Medicaid enrollees. The agency discovered the security breach on November 20 and performed a password reset to prevent further access. The incident was also reported to the agency’s inspector general, who launched an investigation into the attack. Preliminary findings of that investigation were released late last week. According to an agency press release issued on Friday, the unauthorized individual may have partially or fully accessed information such as names, Medicaid ID numbers, addresses, dates of birth, diagnoses, medical conditions, and Social Security numbers. Approximately 6% of individuals impacted by the incident had either...

Compassion Care Hospice Hack Impacts 1,128 Patients
Jan 5

Compassionate Care Hospice Las Vegas (CCHLV) has discovered an unauthorized individual gained access to its network and server and potentially viewed 1,128 patients’ protected health information. On October 28, 2017, CCHLV discovered its network had been accessed by an unauthorized individual. Upon discovery of the breach, CCHLV hired third-party forensics experts to conduct a thorough investigation to determine the nature of the breach and to identify all patients who were potentially affected. While the investigation confirmed access to data was possible, no evidence was uncovered to suggest any sensitive information was viewed or stolen by the attacker. However, it was not possible to rule out data access and theft with 100% certainty. The types of information stored on the parts of the network that could have been accessed included names, dates of birth, addresses, Medicare numbers, medical treatment information, health insurance information, and archived electronic health records. Financial information was not stored on the part of the network compromised in the attack and...

Kaiser Permanente Reports Two Security Incidents Impacting 5,000 Members
Jan 4

Kaiser Permanente has experienced two security incidents which have recently been reported to the Department of Health and Human Services’ Office for Civil Rights. In total, more than 5,000 individuals have been impacted by the breaches. Both breaches affect members of the Kaiser Foundation Group Health Plan. The most serious incident, in terms of the number of individuals impacted, was an email-related breach affecting 4,389 health plan members in the San Bernardino County area of Southern California. An unauthorized individual was discovered to have gained access to the email account of a Southern California Permanente physician, which contained a limited amount of protected health information. Kaiser Permanente conducted an extensive investigation to determine the nature and full extent of the breach. While the email account was accessed, Kaiser Permanente believes the risk to plan members is low due to the nature of data contained in the email account. The email account did not contain highly sensitive information such as bank account details, credit card numbers, insurance...

Largest Healthcare Data Breaches of 2017
Jan 4

This article details the largest healthcare data breaches of 2017 and compares this year’s breach tally to the past two years, which were both record-breaking years for healthcare data breaches. 2015 was a particularly bad year for the healthcare industry, with some of the largest healthcare data breaches ever discovered. There was the massive data breach at Anthem Inc., the likes of which had never been seen before. 78.8 million healthcare records were compromised in that single cyberattack, and there were also two other healthcare data breaches involving 10 million or more records. 2015 was the worst ever year in terms of the number of healthcare records exposed or stolen. 2016 was a better year for the healthcare industry in terms of the number of healthcare records exposed in data breaches. There was no repeat of the mega data breaches of the previous year. Yet, the number of incidents increased significantly. 2016 was the worst ever year in terms of the number of breaches reported by HIPAA-covered entities and their business associates. So how have healthcare organizations...

29,000 Patients Notified of Employee-Related Data Breach at SSM Health
Jan 2

The St. Louis, MO-based not-for-profit health system SSM Health has discovered a former employee had been accessing the health records of patients for 8 months without any legitimate work reason for doing so. The former employee worked in SSM Health’s customer service call center, and as such, did not have access to financial information, only demographic, health, and clinical information. The improper access was detected by SSM Health on October 30, prompting a thorough investigation to determine the records that had been accessed and which patients were potentially at risk. The investigation revealed the records of patients in multiple states were accessed by the employee between February 13 and October 20, 2017. The employee was primarily interested in the records of patients of a primary care physician in the St. Louis area, specifically patients who had been prescribed a controlled substance. While that subset of patients was relatively small, it was not possible to determine the full scope of the privacy breach, so SSM Health took the decision to notify all patients whose...

Colorado Practice Hacked Twice in a Week
Jan 2

A family and sports medicine practice in Colorado has discovered a hacker gained access to its systems and encrypted files with ransomware. Longs Peak Family Practice (LPFP) in Longmont, CO, identified suspicious activity on its network on November 5, 2017 and took rapid action to secure its systems. However, before that was possible, the attacker ran ransomware code which encrypted files on certain parts of its network. LPFP was prepared for such attacks, and was able to recover the encrypted files and rebuild its systems from backups. However, five days after the initial intrusion was detected, LPFP discovered that its systems had been accessed in a second attack. Ransomware was not involved in the second incident. While the first incident was dealt with internally, when the second attack was discovered, LPFP called in a leading computer forensics firm to assist with the investigation, conduct scans for malware and backdoors, and ensure that unauthorized access to its systems was blocked. That investigation revealed that an unauthorized individual had...

24,000 Patients Impacted by Emory Healthcare Data Breach
Dec 29

Emory Healthcare (EHC) has discovered a former employee obtained the protected health information of several thousand EHC patients and uploaded the data to a Microsoft Office 365 OneDrive account, where it could potentially be accessed by other individuals. The former employee was a physician at Emory Healthcare, who now works for the University of Arizona (UA) College of Medicine. EHC says patient information was taken without authorization and without its knowledge. EHC was alerted to the incident by the University of Arizona, and received a list of affected individuals on October 18, 2017. The OneDrive account could only be accessed by the physician, other former EHC physicians now at UA, UA staff who investigated the incident, and potentially a limited number of other UA staff members who had a specific type of UA email account. PHI was not exposed on the Internet and no other individuals are believed to have been able to view the information. UA hired a third-party forensic team to conduct an investigation, although no evidence was uncovered to suggest patient information was...

Jones Memorial Hospital Alerts Patients to Ongoing Cyberattack
Dec 29

University of Rochester Medicine’s Jones Memorial Hospital in Wellsville, NY is currently experiencing a cyberattack that has caused unexpected downtime. The attack is understood to have started on Wednesday December 27 and has caused disruption to some of its information services. At the time of writing, the nature of the cyberattack is unclear and it has yet to be resolved. The cyberattack is limited to Jones Memorial Hospital. No other locations have been impacted. While some systems are unavailable, Jones Memorial Hospital has announced on its website that the financial and medical information of its patients does not appear to have been compromised. If the investigation concludes that there has been a breach of health information, patients will be notified accordingly. Further information on the attack will also be posted on the hospital’s website as and when new information becomes available. The hospital notified law enforcement and the New York State Department of the attack when its systems went down. Hospital IT staff are being assisted by the IT departments at the...

Scrub Nurse Fired for Photographing Employee-Patient’s Genitals
Dec 28

A scrub nurse who took photographs of a patient’s genitals and shared the images with colleagues has been fired, while the patient, who is also an employee at the same hospital, has filed a lawsuit seeking damages for the harm caused by the incident. The employee-patient was undergoing incisional hernia surgery at Washington Hospital. She alleges in a complaint filed in Washington County Court that while she was unconscious, a scrub nurse took photographs of her genitals on a mobile phone and shared the photographs with co-workers. Photographing patients without their consent is a violation of HIPAA Rules, and one that can attract a significant financial penalty. Last year, New York Hospital settled a HIPAA violation case with the Department of Health and Human Services’ Office for Civil Rights and paid a financial penalty of $2.2 million. In that case, a television crew had been authorized to film in the hospital, but consent from the patients in the footage had not been obtained. In the Washington Hospital HIPAA breach, the patient, identified in the lawsuit only as Jane Doe, claims...

Children’s Hospital Los Angeles Alerts Parents to Impermissible Disclosure of Children’s PHI
Dec 28

Children’s Hospital Los Angeles is notifying parents of a privacy breach that saw the protected health information (PHI) of children disclosed to incorrect insurance payors. The privacy breach was discovered on November 29, 2017, with notifications sent to affected patients on December 19. The impermissible disclosure of PHI included names, addresses, medical record numbers, birth dates, dates of service, and descriptions of the services provided. Upon discovery of the privacy breach, the insurance payors were contacted and instructed to delete the information. Satisfactory assurances have been received that the information has now been deleted and the medical records of affected patients have been updated to include correct payor information. No reports have been received to suggest any of the disclosed information has been used inappropriately; however, out of an abundance of caution, affected patients have been offered credit monitoring/protection services with ID Experts without charge. In the breach notification letters, parents have been advised to monitor insurance...

Phishing Attack on Colorado Mental Health Institute Sees PHI Exposed
Dec 27

The Colorado Mental Health Institute at Pueblo has discovered one of its employees has fallen for a phishing scam that potentially allowed the attacker to gain access to the protected health information of as many as 650 patients. The Colorado Mental Health Institute at Pueblo is a 449-bed hospital providing inpatient care for patients. The hospital serves patients with pending criminal charges that require competency evaluations, individuals found by the courts to be incompetent to proceed, and individuals found not guilty of crimes due to insanity. The phishing attack occurred on November 1, 2017. The employee inadvertently disclosed login credentials that allowed the attacker to gain access to a state-issued computer. Unauthorized activity on the computer was detected the following day and access to the device was promptly blocked. The forensic investigation did not uncover any evidence to suggest the protected health information of patients had been accessed or stolen, although the possibility of unauthorized access and data theft could not be ruled out with complete certainty....

Access to Dental Records Lost for 5 Days Due to Ransomware
Dec 27

A dental practice in Reno, NV has experienced a ransomware attack that prevented dental records and images from being accessed for five days. Wager Evans Dental experienced the ransomware attack on October 30, 2017. The malicious software was installed on one computer and one server used by the practice. Ransomware can be installed in a number of ways, although most commonly attacks occur via email. That appears to be the case with this attack, with the practice suspecting ransomware was downloaded when an employee clicked on a malicious hyperlink or email attachment. IT staff and other experts were able to restore the encrypted files and remove the ransomware, although the process took five days. Access to patient records and images was not regained until November 4. The files encrypted by the ransomware contained sensitive information such as names, dates of birth, addresses, diagnoses, treatment plans, images, health insurance information, and Social Security numbers. A comprehensive investigation of the attack was conducted and while it is possible that data could have been...

Protenus Releases November Healthcare Data Breach Report
Dec 21

Protenus has released its November healthcare data breach report – a summary of healthcare data breaches reported by HIPAA-covered entities. The report shows there has been a month on month fall in healthcare data breaches, and a major reduction in the number of records exposed by data breaches. November saw the lowest total of the year to date for breaches with 28 incidents included in the report – four incidents fewer than February, the previous best month when 32 breaches were reported. This is the second consecutive month when reported breaches have fallen. There were 46 breaches reported in September and 37 in October. November was also the best month of the year in terms of the number of records exposed. 83,925 individuals were impacted by healthcare data breaches in November. The previous lowest total was May, when 138,957 records were exposed. November was the third consecutive month where the number of breached records fell. While the November healthcare data breach report offers some good news, the fall in breaches and breached records should be taken with a large pinch...

Almost 10,000 Patients Impacted by Nebraska Ransomware Attack
Dec 21

Columbus Surgery Center, LLC and Eye Physicians, P.C., in Columbus, Nebraska have experienced a ransomware attack that has potentially resulted in the protected health information of almost 10,000 patients being accessed by the attackers. The ransomware attack occurred on October 7, 2017 and saw a wide range of files on some servers being encrypted by the ransomware. A ransom demand was issued by the attackers, although it was not paid. The encrypted files were restored from a recent backup to allow services to continue to be offered to patients. Third-party computer forensics professionals were called in to assist with the investigation of the attack to determine whether the attackers gained access to, viewed, or copied patient information and to investigate how access to the servers was gained and how the ransomware was installed. The investigation did not uncover evidence to suggest any patient health information was stolen, but data access could not be ruled out with a high degree of confidence. Consequently, the incident was reportable to the Department of Health and Human...

Potential Data Theft Incident Reported by Austin Manual Therapy
Dec 20

1,750 patients of Austin Manual Therapy (AMT) have been notified that some of their protected health information may have been accessed and stolen by a criminal attacker who gained access to AMT’s computer system. A forensic investigation by a leading national cybersecurity team revealed access was first gained on October 3, 2017 and continued until October 9, when the intrusion was detected and blocked. According to the breach notice posted on the AMT website, access was not gained to the company’s electronic medical record system. Only a limited portion of the network was accessed – one computer and a shared file system. While the forensic investigation confirmed that access to some files had been gained, it was not clear how much information was viewed and which, if any, documents had been stolen. An analysis of the file system and computer showed that the following information could have been accessed: Names, addresses, dates of birth, phone numbers, dates of service, charge amounts, occupations, insurance coverage and policy information, health screening information,...

1,900 MidMichigan Medical Center Patients Notified After Documents Found in the Street
Dec 20

MidMichigan Medical Center (MMC) in Alpena has alerted patients to a potential breach of their health information, which may have literally fallen into the hands of individuals unauthorized to view the information. On the evening of November 18, an MMC cardiologist removed patient files from the Alpena cardiology office without authorization. The files were transported to the cardiologist’s vehicle in a storage container, but the container had not been properly secured. Close to a parking lot near 12th Avenue/Chisholm Street, the container was dropped, spilling the contents on the ground. The documents were caught by the wind and started blowing around the street. Some of the documents were picked up by members of the public, who informed the hospital that documents containing sensitive patient information were blowing around the street. The hospital contacted law enforcement to provide assistance collecting the paperwork. Dr. Richard Bates, vice president of medical affairs at MMC, issued a statement saying all of the paperwork is believed to have been retrieved, so the risk to...

6,600 Patients Discover PHI Has Been Exposed
Dec 20

NYU Langone Health System has discovered a binder containing a log of presurgical insurance authorizations was accidentally recycled by a cleaning company in October. The binder contained records relating to around 2,000 patients. Information in the binder included names, birth dates, dates of service, current procedural terminology codes, diagnosis codes, insurer names, and insurance ID numbers. In some cases, brief notes may have been present, along with insurance approvals/denials and inpatient/outpatient status. No Social Security numbers were recorded in the paperwork, nor was any financial information. As required by HIPAA, NYU Langone Health System had implemented a policy that requires all PHI to be disposed of securely when it is no longer required, typically by shredding documents. Since the binder was taken for recycling by accident, that did not occur. Since insurance ID numbers were present in the logs, NYU Langone Health System has offered all affected patients complimentary identity theft protection services and cyber monitoring services through ID Experts for one...

$2.3 Million 21st Century Oncology HIPAA Settlement Agreed with OCR
Dec 15

A 21st Century Oncology HIPAA settlement has been agreed with the Department of Health and Human Services’ Office for Civil Rights (OCR) to resolve potential HIPAA violations discovered during the investigation of a 2015 breach of 2.2 million patients’ PHI. The breach in question was discovered by the Federal Bureau of Investigation (FBI) in 2015. The FBI informed 21st Century Oncology on November 13 and December 13, 2015, that an unauthorized individual accessed and stole information from one of its patient databases. 21st Century Oncology conducted an investigation with the assistance of a third-party computer forensics company and discovered the network SQL database was potentially first accessed on October 3, 2015. The database was accessed through Remote Desktop Protocol from an Exchange Server within 21st Century Oncology’s network. The database contained the protected health information of 2,213,597 individuals. As occurs after all data breaches that impact more than 500 individuals, OCR conducted an investigation into the 21st Century Oncology data breach. That...

Texas and Pennsylvania Data Breaches Exposed More than 5,000 Patients’ PHI
Dec 15

Midland Memorial Hospital in Midland, TX, and Washington Health System Greene in Waynesburg, PA, have announced they have discovered patients’ protected health information has been exposed.

Washington Health System Greene Discovers Hard Drive Missing

Washington Health System Greene is alerting 4,145 patients that some of their protected health information has been exposed after a hard drive was discovered to be missing. A portable hard drive used with a bone densitometry machine in the Radiology department was discovered to be missing on October 11, 2017. While it is possible that the hard drive may have been misplaced, a search of the hospital did not uncover the device, and the missing device has been reported to the Pennsylvania State Police Department as a potential theft. The device contained information on patients who visited the hospital for bone density scans between 2007 and October 11, 2017. The information stored on the device was limited to names, height, weight, race, and gender, while some patients also had details of health issues, the name of their prescribing...

Read More
Illinois Physicians Network Discovers Paper Records Missing from Storage Facility
Dec14

Illinois Physicians Network Discovers Paper Records Missing from Storage Facility

Over the past two months there have been several data breaches reported by HIPAA-covered entities involving the loss or theft of physical records. In November, 7 breaches involving paper records were reported to the HHS’ Office for Civil Rights, and a further 5 incidents were reported the previous month. Now another incident has been reported in Illinois. Franciscan Physician Network of Illinois and Specialty Physicians of Illinois LLC have discovered that payment records kept in a storage facility are missing. The storage facility in Chicago Heights was shared by both physician groups. The loss/theft of the paperwork is one of the largest breaches of the past few months, potentially impacting as many as 22,000 patients. The payment records were from 2015-2017 and 2010. The boxes of files were confirmed as missing on November 21, 2017, with notifications issued on December 13, 2017. The loss of files was discovered when a routine records request could not be fulfilled because the records could not be located. An inventory of the storage facility was conducted, and 40 boxes of files were determined...

Read More
November 2017 Healthcare Data Breach Report
Dec14

November 2017 Healthcare Data Breach Report

In November 2017, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) received 21 reports of healthcare data breaches that impacted more than 500 individuals; the second consecutive month in which reported breaches have fallen. While the number of breaches was down month on month, the number of individuals impacted by healthcare data breaches increased from 71,377 to 107,143.

Main Causes of November 2017 Healthcare Data Breaches

In November there was an even spread between hacking/IT incidents, unauthorized disclosures, and theft/loss of paper records or devices containing ePHI, with six breaches each. There were also three breaches reported involving the improper disposal of PHI and ePHI. Two of those incidents involved paper records and one involved a portable electronic device. The two largest data breaches reported in November – the 32,000-record breach at Pulmonary Specialists of Louisville and the 16,474-record breach at Hackensack Sleep and Pulmonary Center – were both hacking/IT incidents. The former involved an unauthorized individual potentially...

Read More
Noncompliance with HIPAA Costs Healthcare Organizations Dearly
Dec13

Noncompliance with HIPAA Costs Healthcare Organizations Dearly

Noncompliance with HIPAA can carry a significant cost for healthcare organizations, yet even though the penalties for HIPAA violations can be considerable, many healthcare organizations have substandard compliance programs and are violating multiple aspects of HIPAA Rules. The Department of Health and Human Services’ Office for Civil Rights (OCR) commenced the much delayed second phase of HIPAA compliance audits last year with a round of desk audits, first of covered entities and then of their business associates. Those desk audits revealed many healthcare organizations are either struggling with HIPAA compliance or are simply not doing enough to ensure HIPAA Rules are followed. The preliminary results of the desk audits, released by OCR in September, showed healthcare organizations’ compliance efforts were largely inadequate: 94% of organizations had inadequate risk management plans, 89% were rated as inadequate on patients’ right to access their PHI, and 83% had performed inadequate risk analyses. It would appear that for many healthcare organizations,...

Read More
AMA Study Reveals 83% of Physicians Have Experienced a Cyberattack
Dec13

AMA Study Reveals 83% of Physicians Have Experienced a Cyberattack

Following the HIMSS Analytics/Mimecast survey that revealed 78% of healthcare organizations have experienced a ransomware or malware attack in the past 12 months, comes a new report on healthcare cybersecurity from the American Medical Association (AMA) and Accenture. The Accenture/AMA survey was conducted on 1,300 physicians across the United States and aimed to take the ‘physician’s pulse on cybersecurity.’ The survey confirmed that it is no longer a case of whether a cyberattack will be experienced, only a matter of when cyberattacks will occur and how frequently. 83% of physicians who took part in the survey said they had previously experienced a cyberattack. When asked about the nature of the cyberattacks, the most common type was phishing. 55% of physicians who had experienced a cyberattack said the incident involved phishing – a similar finding to the HIMSS Analytics survey, which revealed email was the top attack vector in healthcare. 48% of physicians who experienced a cyberattack said computer viruses such as malware and ransomware were involved. Physicians at medium...

Read More
Email Top Attack Vector in Healthcare Cyberattacks
Dec12

Email Top Attack Vector in Healthcare Cyberattacks

A recent study conducted by HIMSS Analytics for email security firm Mimecast has revealed 78% of healthcare organizations have experienced a ransomware or malware attack in the past 12 months. Far from ransomware or malware attacks being occasional events, many of the healthcare organizations that participated in the survey have experienced more than a dozen malware or ransomware attacks in the past year. While there are several possible ways that ransomware and malware can be installed, healthcare providers rated email as the number one attack vector. When asked to rank attack vectors, email was rated as the most likely source of a data breach by 37% of respondents, with the second most likely source of a data breach being ‘other portable devices’, ranked as the main threat by 10% of organizations. 59% of organizations ranked email first, second, or third as the most likely attack vector. In second place was laptops, which were ranked 1, 2, or 3 by 44% of organizations. Given the frequency of email-based attacks this year, it is no surprise that healthcare organizations believe...

Read More
Oklahoma Health Department Re-Notifies 47,000 of 2016 Data Breach
Dec11

Oklahoma Health Department Re-Notifies 47,000 of 2016 Data Breach

In April 2016, the Oklahoma Department of Human Services experienced a data breach, and while notifications were sent to affected individuals and the DHS’ Office of Inspector General shortly after the breach was detected, a breach notice was not submitted to the HHS’ Office for Civil Rights – a violation of the HIPAA Breach Notification Rule. Now, more than 18 months after the 60-day reporting window stipulated in the HIPAA Breach Notification Rule has passed, OCR has been notified. OCR has instructed the Oklahoma Department of Human Services to re-notify the 47,000 Temporary Assistance for Needy Families clients that were impacted by the breach to meet the requirements of HIPAA. The breach in question occurred in April 2016 when an unauthorized individual gained access to a computer at Carl Albert State College in Poteau, Oklahoma. The computer contained records of current and former Temporary Assistance for Needy Families clients. The data included names, addresses, dates of birth, and Social Security numbers. Once the breach was identified, Carl Albert State College secured its systems to...

Read More
UNC Health Care Breach Potentially Impacts 24,000 Patients
Dec11

UNC Health Care Breach Potentially Impacts 24,000 Patients

A computer used by UNC Dermatology & Skin Cancer Center in Chapel Hill, NC, has been stolen, exposing the protected health information of approximately 24,000 patients. The computer was stolen by thieves during a burglary on October 8, 2017. UNC Health Care said a database on the stolen computer contained the protected health information of patients who had previously visited the Burlington Dermatology Center at 1522 Vaughn Road. UNC Health Care took over the practice in September 2015, and details of patients who had visited the center for treatment prior to September 2015 were stored in the password-protected database. Since the database requires a password to gain access to patient information, it is possible that no PHI has been disclosed. However, a password on an unencrypted database only controls the application’s login: with physical possession of the machine, the password can be guessed or the underlying database files read directly, so patients are being notified of the potential privacy breach to meet HIPAA and N.C. Identity Theft Act requirements. The database contained information such as names, addresses, phone numbers, dates of birth, Social Security numbers, and the employment status of...

Read More
11,350 Sinai Health System Patients Potentially Impacted by Phishing Attack
Dec08

11,350 Sinai Health System Patients Potentially Impacted by Phishing Attack

The email accounts of two employees of Chicago’s Sinai Health System have been compromised in a recent phishing attack. Sinai Health System reports that the phishing attack occurred on October 2, and that it was quickly identified and mitigated. Access to the compromised accounts was possible only for a matter of hours. Cybersecurity experts were called in to assist with the investigation, and while the possibility of PHI access cannot be ruled out, the risk faced by patients is believed to be low. No evidence has been uncovered to suggest any financial information was accessed, although an analysis of the email accounts revealed a range of protected health information of 11,350 patients was contained in the email accounts and could potentially have been viewed. As a precaution against identity theft and fraud, patients impacted by the breach have been offered identity theft protection and credit monitoring services free of charge for 12 months.

Mitigating the Ever-present Threat from Phishing

Phishing is the biggest cybersecurity threat faced by organizations, with the healthcare...

Read More
New Jersey Sleep Medicine Specialists Experience Ransomware Attack
Dec08

New Jersey Sleep Medicine Specialists Experience Ransomware Attack

The New Jersey-based Hackensack Sleep and Pulmonary Center, specialists in sleep disorders and pulmonary conditions and diseases, has experienced a ransomware attack that resulted in the protected health information of certain patients being encrypted. The ransomware attack occurred on September 24, 2017 and resulted in medical record files being encrypted by the ransomware. The attack was discovered the following day. As is typical in these attacks, the attackers issued a ransom demand, payment of which was required to obtain the key needed to decrypt the files. Hackensack Sleep and Pulmonary Center was prepared for ransomware attacks and had made backups of all files, and the backups were stored securely offline. The backups were used to recover all encrypted data without paying the ransom. While data access is a possibility with ransomware attacks, the purpose of ransomware is usually to make data inaccessible and force victims to pay for the decryption key. Ransomware attacks typically do not involve data access or data theft, although OCR’s ransomware guidance treats the encryption of ePHI by ransomware as a presumed breach unless a risk assessment shows a low probability that the PHI was compromised. Hackensack Sleep and...

Read More
880 Patients Potentially Impacted by Baptist Health Louisville Phishing Attack
Dec06

880 Patients Potentially Impacted by Baptist Health Louisville Phishing Attack

Baptist Health in Louisville, KY has notified 880 patients that some of their protected health information has potentially been accessed and stolen by hackers. The security breach was discovered on October 3, 2017, when irregular activity was detected on the email account of an employee. Baptist Health was able to determine that a third party sent a phishing email to the employee, who responded and disclosed login credentials allowing the email account to be accessed. Those login credentials were subsequently used by an unknown individual to gain access to the email account. The email account contained the protected health information of 880 patients, although it is unclear whether any of the emails were viewed. The motive behind the attack may not have been to gain access to sensitive information. What is known is that the access was used to send further phishing emails to other email accounts. Following the discovery of the breach, Baptist Health responded quickly to limit the potential for harm, disabled the affected email account and performed a password reset to prevent further...

Read More
18,500 Patients PHI Exposed After Multiple Email Accounts Were Compromised
Dec06

18,500 Patients PHI Exposed After Multiple Email Accounts Were Compromised

The Detroit-based Henry Ford Health System has started notifying almost 18,500 patients that some of their protected health information has potentially been accessed by an unauthorized individual. The breach was detected on October 3, 2017 when unauthorized access to the email accounts of several employees was discovered. While protected health information was potentially accessed or stolen, the health system’s EHR system was not compromised at any point. All data was confined to the compromised email accounts. It is currently unclear exactly how access to the email accounts was gained. Typically, breaches such as this involve phishing attacks, in which emails are sent to healthcare employees that fool them into disclosing their login credentials. An internal investigation into the breach is ongoing to determine the cause of the attack and how the login credentials of some of its employees were stolen. Henry Ford Health System has conducted a review of all emails in the accounts and has determined that 18,470 patients have been affected. The emails contained a range of...

Read More
Hospital Employee Fired for Accessing Medical Records Without Authorization
Dec06

Hospital Employee Fired for Accessing Medical Records Without Authorization

Lowell General Hospital in Massachusetts has discovered the medical records of 769 patients have been accessed by an employee without any legitimate work reason for doing so. By accessing the medical records, the employee breached hospital policies and violated the privacy of patients. Upon discovery of the breach, and completion of the subsequent investigation, the employee was terminated. Lowell General Hospital was satisfied that only one person was involved, and that this was not a widespread problem at the hospital. Patients impacted by the security incident have been notified and a breach notice has been placed on the hospital website. Patients have been informed that the types of information accessed by the former employee included names, dates of birth, medical diagnoses, and information relating to treatments provided to patients. No financial information, health insurance details, or Social Security numbers were viewed by the employee, and the investigation uncovered no evidence to suggest that any of the information that was accessed has been misused. Lowell General...

Read More
PHI of 28,000 Mental Health Patients Allegedly Stolen by Healthcare Employee
Dec05

PHI of 28,000 Mental Health Patients Allegedly Stolen by Healthcare Employee

Center for Health Care Services (CHCS) in San Antonio, a provider of mental health treatment and support services for individuals with intellectual and developmental disabilities, has discovered documents containing the protected health information of patients have been stolen by a former employee. Breach notification letters have been sent to 28,434 patients who received services at CHCS before the summer of 2016 informing them of the breach. The breach was only discovered on November 7, 2017, but the data theft occurred more than 17 months ago. The former employee was terminated on May 31, 2016, with the data downloaded onto a personal laptop after the individual was fired, according to a recent CHCS press release. The breach came to light during discovery in a litigation case between the former employee and CHCS. No details have been released about the nature of the litigation. The stolen documents contained a wide range of highly sensitive data on patients, including adults and children. The data included names, dates of birth, addresses, Social Security numbers, dates and...

Read More
Medical Records from Pennsylvania Obs/Gyn Clinic Found at Public Recycling Center
Dec04

Medical Records from Pennsylvania Obs/Gyn Clinic Found at Public Recycling Center

Paper files containing names, Social Security numbers, and medical histories, including details of cancer diagnoses and sexually transmitted diseases, have been dumped at a recycling center in Allentown, Pennsylvania. The files appear to have come from Women’s Health Consultants, an obstetrics and gynecology practice that had centers in South Whitehall Township and Hanover Township, PA. Women’s Health Consultants is no longer in business. How the records came to be dumped at the recycling center is unknown as the container where the records were disposed of was not covered by surveillance cameras. The center does have a locked recycling container where sensitive documents containing confidential information can be disposed of securely, but that container was not used. The records were dumped in a container where they could be accessed by unauthorized individuals. The person who discovered the files left an anonymous tip on the non-emergency line of the Allentown communication center. According to The Morning Call, a city employee visited the recycling center and pushed...

Read More
UAB Medicine Alerts 652 Patients of PHI Exposure
Dec01

UAB Medicine Alerts 652 Patients of PHI Exposure

The UAB Medicine Viral Hepatitis Clinic in Birmingham, AL has experienced a breach of patients’ protected health information (PHI). UAB Medicine uses flash drives to transfer data from its Fibroscan machine to a computer. On October 25, 2017, two flash drives were discovered to be missing. The portable storage devices contained a limited amount of PHI of 652 patients. Information stored on the devices included first and last names, gender, birth dates, images and numbers relating to test results, medical diagnosis, names of referring physician, and the dates and times of the examination. UAB Medicine has confirmed that no Social Security numbers, financial information, insurance details, addresses, or phone numbers were stored on the flash drives. An extensive search of the Viral Hepatitis Clinic was conducted, but the flash drives could not be located. The investigation into the breach is continuing. It is not known whether the flash drives were accidentally disposed of, lost within the facility, or stolen. UAB Medicine therefore cannot say whether the PHI on the devices...

Read More
Personal Information of New York Pharmacy Customers Exposed in Improper Disposal Incident
Nov30

Personal Information of New York Pharmacy Customers Exposed in Improper Disposal Incident

ShopRite Supermarkets, Inc., has announced that some of its pharmacy customers have been impacted by a security breach involving the improper disposal of a device used to capture customers’ signatures. The device was used at the ShopRite, Kingston, NY location between 2005 and 2015 and stored personal and medical information. Customers who visited the pharmacy and had prescriptions filled between 2005 and 2015 have potentially been impacted by the incident. For those customers, the device stored information such as names, phone numbers, prescription numbers, dates and times of pickup or delivery, zip codes, medication names, and customers’ signatures. The device was also used for customers who bought an over-the-counter product containing pseudoephedrine. Those customers have had their driver’s license number, zip code, details of the product purchased, and personal and medical information exposed. In the substitute breach notice posted on the Wakefern Food Corp. website, customers have been advised that the device was disposed of by accident in February 2016, although ShopRite...

Read More
7,000 Patients Impacted by Extortion Attempt on Sports Medicine Provider
Nov28

7,000 Patients Impacted by Extortion Attempt on Sports Medicine Provider

Massachusetts-based Sports Medicine & Rehabilitation Therapy (SMART) has alerted 7,000 patients to a breach of their protected health information. Potentially, the breach impacted all patients whose information was recorded during a visit to a SMART center prior to December 31, 2016. The breach, which occurred in September 2017, was an extortion attempt. Hackers gained access to SMART systems, allegedly stole data, and demanded a ransom payment to prevent the information from being released online. No indication was provided in the breach notification letters to suggest the ransom was paid, although SMART has informed its patients that there is “no reason to believe that the data has been or will be used for further nefarious purposes.” The matter has been investigated by the FBI and Homeland Security although the details of the investigations have not been released. An attempt was made by SMART to obtain a copy of the police report through the Freedom of Information Act, although at the time the notifications were sent, no copy had been received. The information potentially...

Read More
Cottage Health Fined $2 Million By California Attorney General’s Office
Nov28

Cottage Health Fined $2 Million By California Attorney General’s Office

Santa Barbara-based Cottage Health has agreed to settle a data breach case with the California attorney general’s office. Cottage Health will pay $2 million to resolve multiple violations of state and federal laws. Cottage Health was investigated by the California attorney general’s office over a breach of confidential patient data in 2013. The breach was discovered by Cottage Health on December 2, 2013, when someone contacted the healthcare network and left a message on its voicemail system warning that sensitive patient information had been indexed by the search engines and was freely available via Google. The sensitive information of more than 50,000 patients was available online without any need for authentication such as a password, and the server on which the information was stored was not protected by a firewall. The types of information exposed included names, medical histories, diagnoses, prescriptions, and lab test results. In addition to the individual who alerted Cottage Health to the breach, the server had been accessed by other individuals during the time that it was...

Read More
Second Unencrypted Laptop Stolen from Rocky Mountain Health Care Services
Nov21

Second Unencrypted Laptop Stolen from Rocky Mountain Health Care Services

Rocky Mountain Health Care Services of Colorado Springs has discovered an unencrypted laptop has been stolen from one of its employees. This is the second such incident to be discovered in the space of three months. The latest incident was discovered on September 28. The laptop computer was discovered to contain the protected health information of a limited number of patients. The types of information stored on the device included first and last names, addresses, dates of birth, health insurance information, Medicare numbers, and limited treatment information. The incident has been reported to law enforcement and patients impacted by the incident have been notified by mail. Rocky Mountain Health Care Services, which also operates as Rocky Mountain PACE, BrainCare, HealthRide, and Rocky Mountain Options for Long Term Care, also discovered on June 18, 2017 that a mobile phone and laptop computer were stolen from a former employee. The devices contained names, dates of birth, addresses, limited treatment information, and health insurance details. To date, only one of those incidents...

Read More
9,500 Patients Impacted by Medical College of Wisconsin Phishing Attack
Nov21

9,500 Patients Impacted by Medical College of Wisconsin Phishing Attack

A Medical College of Wisconsin phishing attack has resulted in the exposure of approximately 9,500 patients’ protected health information. The attackers managed to gain access to several employees’ email accounts, which contained a range of sensitive information of patients and some faculty staff. The types of information in the compromised email accounts included names, addresses, medical record numbers, dates of birth, health insurance details, medical diagnoses, treatment information, surgical information, and dates of service. A very limited number of individuals also had their Social Security numbers and bank account information exposed. The incident occurred over the space of a week in the summer between July 21 and July 28 when spear phishing emails were sent to specific individuals at the Medical College of Wisconsin. Responding to those emails resulted in the attackers gaining access to email login credentials. Medical College of Wisconsin brought in a computer forensics firm to conduct an investigation into the phishing attack, and while that investigation established...

Read More
November Healthcare Breach Barometer Report Highlights Seriousness of Insider Data Breaches
Nov20

November Healthcare Breach Barometer Report Highlights Seriousness of Insider Data Breaches

Protenus has released its November 2017 healthcare Breach Barometer Report. After a particularly bad September, healthcare data breach incidents fell to more typical levels, with 37 breaches tracked in October. The monthly summary of healthcare data breaches includes incidents reported to the Department of Health and Human Services’ Office for Civil Rights (OCR), and incidents announced via the media and tracked by databreaches.net. Those incidents include several breaches that have yet to be reported to OCR, including a major breach that has impacted at least 150,000 individuals – the actual number of individuals impacted will not be known until the investigation has been completed. The numbers of individuals impacted by 8 breaches have not yet been disclosed. Including the 150,000 individuals impacted by the largest breach of the month, there were 246,246 victims of healthcare data breaches in October 2017 – the lowest monthly total since May 2017. The healthcare industry has historically recorded a higher than average number of data breaches due to insiders, although over the...

Read More
Suspected Phishing Attack on UPMC Susquehanna Exposes 1,200 Patients’ PHI
Nov20

Suspected Phishing Attack on UPMC Susquehanna Exposes 1,200 Patients’ PHI

UPMC Susquehanna, a network of hospitals and medical centers in Williamsport, Wellsboro, and Muncy in Pennsylvania, has announced that the protected health information of 1,200 patients has potentially been accessed by unauthorized individuals. Access to patient information is believed to have been gained after an employee responded to a phishing email. While details of the breach date have not been released, UPMC Susquehanna says it discovered the breach on September 21, when an employee reported suspicious activity on their computer. An investigation was launched, which revealed unauthorized individuals had gained access to that individual’s device. It is not known whether the attacker viewed, stole, or misused any patient information, but the possibility of data access and misuse could not be ruled out. The information potentially accessed includes names, contact information, dates of birth, and Social Security numbers. The individuals potentially impacted by the incident had previously received treatment at various UPMC Susquehanna hospitals including Muncy Valley Hospital,...

Read More
Florida Blue Data Breach Impacts 939 Individuals
Nov17

Florida Blue Data Breach Impacts 939 Individuals

Blue Cross and Blue Shield of Florida, dba Florida Blue, has announced that the personally identifiable information of a limited number of insurance applicants has been exposed online. Florida Blue was alerted to the exposure of patient data in late August and immediately launched an investigation. Florida Blue reports that the investigation revealed 475 insurance applications had been backed up to the cloud by an unaffiliated insurance agent, Real Time Health Quotes (RTHQ). The data backup included agency files and copies of health, dental, and life insurance applications from 2009 to 2014. Those files were left vulnerable as an unsecured cloud server was used to store the backup files. Consequently, those files could have been accessed by the public via the Internet. While data access and theft of personally identifiable information remains a possibility, Florida Blue has received no reports that any of the exposed information has been used for malicious purposes. The files contained information such as the names of applicants, dates of birth, demographic information, medical...

Read More
Boxes of Medical Records Stolen from New Jersey Medical Practice
Nov17

Boxes of Medical Records Stolen from New Jersey Medical Practice

Otolaryngology Associates of Central Jersey is alerting patients to a breach of their protected health information, following a burglary at an off-site storage facility in East Brunswick, NJ. The thieves took 13 boxes of paper medical records from the facility, which included information such as names, addresses, health insurance account numbers, birth dates, dates of military service, and the names of treating physicians. A limited number of driver’s license numbers and Social Security numbers were also included in the stolen records. The burglary was quickly identified and law enforcement was notified. An internal investigation was launched, and steps were taken to reduce the likelihood of similar breaches occurring in the future. The medical records were being stored in accordance with state and federal laws, and related to past patients that had received treatment at either of Otolaryngology Associates of Central Jersey’s two facilities in East Brunswick and Franklin townships. All affected individuals have now been notified of the breach. While the perpetrators of many...

Read More
October 2017 Healthcare Data Breaches
Nov16

October 2017 Healthcare Data Breaches

In October 2017, there were 27 healthcare data breaches reported to the Department of Health and Human Services’ Office for Civil Rights. Those data breaches resulted in the theft/exposure of 71,377 patient and plan member records. October saw a significant fall in the number of reported breaches compared to September, and a major fall in the number of records exposed: the monthly total was almost 85% lower than September and almost 88% lower than the average number of records breached over the preceding three months. Healthcare providers were the worst hit in October with 19 reported data breaches. There were six data breaches reported by health plans and at least two incidents involved business associates of HIPAA-covered entities.

October 2017 Healthcare Data Breaches by Covered Entity Type

Main Causes of October 2017 Healthcare Data Breaches

Unauthorized access/disclosures were the biggest causes of healthcare data breaches in October. There were 14 breaches reported involving unauthorized access/disclosures, 8...

Read More
MongoDB and AWS Incorporate New Security Controls to Prevent Data Breaches
Nov10

MongoDB and AWS Incorporate New Security Controls to Prevent Data Breaches

Amazon has announced that new safeguards have been incorporated into its S3 cloud storage service that will make it much harder for users to misconfigure their S3 buckets and accidentally leave their data unsecured. While Amazon will sign a business associate agreement with HIPAA-covered entities and has implemented appropriate controls to ensure data can be stored securely, user errors can all too easily lead to data exposure and breaches. Those breaches show that even HIPAA-eligible cloud services have the potential to leak data: the provider secures the platform, but the customer remains responsible for the access settings on each bucket, and a bucket ACL or bucket policy that grants access to everyone exposes its contents to anyone on the Internet. This year has seen many organizations accidentally leave their S3 data exposed online, including several healthcare organizations. Two such breaches were reported by Accenture and Patient Home Monitoring. Accenture was using four unsecured S3 buckets that stored more than 137 GB of data including 40,000 plain-text passwords. The Patient Home Monitoring AWS S3 misconfiguration resulted in the exposure of 150,000 patients’ PHI. In response to multiple breaches, Amazon has announced that new safeguards have been implemented to alert users to exposed...
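The misconfiguration behind the S3 exposures above, and behind the unsecured cloud backup in the Florida Blue item, is a bucket whose ACL or bucket policy grants access to everyone. The checker below is an added example written for this page; it is not code from Amazon or from any organization named here. It evaluates ACL and policy documents in the JSON shapes that the S3 GetBucketAcl and GetBucketPolicy calls return, against constructed samples of an exposed bucket and its corrected form. In practice the documents would be fetched with boto3 (get_bucket_acl / get_bucket_policy); the owner ID, bucket name and role ARN in the samples are placeholders.

```python
"""Offline check for publicly accessible S3 bucket configurations.

Added example, not AWS's or the article's code. The ACL and policy documents
below are constructed samples in the shapes returned by the S3 API; real ones
would come from boto3's get_bucket_acl() / get_bucket_policy().
"""
import json

# Grantee URIs that open a bucket to everyone on the Internet (AllUsers) or
# to any AWS account holder (AuthenticatedUsers). The second is effectively
# public too, because anyone can create an AWS account.
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}


def acl_findings(acl: dict) -> list:
    """One finding per ACL grant made to a public group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        label = PUBLIC_GROUP_URIS.get(grantee.get("URI"))
        if grantee.get("Type") == "Group" and label:
            findings.append("ACL grants %s to %s" % (grant.get("Permission"), label))
    return findings


def _is_wildcard_principal(principal) -> bool:
    """A principal of "*" or {"AWS": "*"} matches anyone."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def policy_findings(policy: dict) -> list:
    """One finding per Allow statement open to any principal. A Condition
    block may narrow such a statement, so those are flagged for review
    rather than reported as definitely public."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if not _is_wildcard_principal(stmt.get("Principal")):
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if stmt.get("Condition"):
            findings.append("Allow %s to any principal, limited by Condition: review" % ",".join(actions))
        else:
            findings.append("Allow %s to any principal with no Condition" % ",".join(actions))
    return findings


def audit(acl: dict, policy: dict) -> list:
    """Combined findings; an empty list means nothing public was found."""
    return acl_findings(acl) + policy_findings(policy or {})


# Constructed sample: the exposed configuration (placeholder IDs and names).
EXPOSED_ACL = {
    "Owner": {"ID": "example-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
    ],
}
EXPOSED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-backups/*"},
    ],
}

# Constructed sample: the corrected configuration. Only the owner is in the
# ACL, and the policy names one hypothetical role instead of "*".
PRIVATE_ACL = {
    "Owner": {"ID": "example-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"}, "Permission": "FULL_CONTROL"},
    ],
}
PRIVATE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "BackupRoleOnly", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/backup-agent"},
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-backups/*"},
    ],
}

if __name__ == "__main__":
    for name, acl, pol in (("exposed", EXPOSED_ACL, EXPOSED_POLICY),
                           ("private", PRIVATE_ACL, PRIVATE_POLICY)):
        print(name, json.dumps(audit(acl, pol)))
```

Running the block reports the AllUsers READ grant and the Principal "*" statement for the exposed bucket and nothing for the corrected one. The same two functions can be pointed at every bucket in an account as a periodic control; a grant to AuthenticatedUsers is treated as public on purpose, since that group includes every AWS customer, not only the organization’s own accounts.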

Cook County Health and Hospitals System Patients Impacted by Experian Health Breach
Nov 10

Cook County Health and Hospitals System, a health system comprising two hospitals and more than a dozen community health centers in Cook County, Illinois, has alerted patients to a breach of their protected health information. The breach occurred at Experian Health, a business associate of Cook County Health and Hospitals System. Experian Health is contracted to determine insurance eligibility, and limited patient information is disclosed to the business associate for this purpose. The breach occurred in March 2017 during an upgrade of Experian Health’s computer system. The protected health information of 727 patients was accidentally sent to other healthcare systems. The PHI disclosed was limited and did not include the types of information sought by cybercriminals to commit identity theft. Due to the limited disclosure of PHI, and the fact that the information was sent to organizations covered by HIPAA Rules, the risk to patients is believed to be low. To date, Experian Health has not been notified of any unauthorized uses of the disclosed information. The breach was limited to...

2017 Data Breach Report Reveals 305% Annual Rise in Breached Records
Nov 09

A 2017 data breach report from Risk Based Security (RBS), a provider of real-time information and risk analysis tools, has revealed there has been a 305% increase in the number of records exposed in data breaches in the past year. For its latest breach report, RBS analyzed breach reports from the first 9 months of 2017. As RBS explained in a recent blog post, 2017 has been “yet another ‘worst year ever’ for data breaches.” In Q3, 2017, there were 1,465 data breaches reported, bringing the total number of publicly disclosed data breaches up to 3,833 incidents for the year. So far in 2017, more than 7 billion records have been exposed or stolen. RBS reports there has been a steady rise in publicly disclosed data breaches since the end of May, with September the worst month of the year to date. More than 600 data breaches were disclosed in September. Over the past five years there has been a steady rise in reported data breaches, increasing from 1,966 data breaches in 2013 to 3,833 in 2017. Year on year, the number of reported data breaches has increased by 18.2%. The severity of data...

Long-Term Malware Infection Discovered by Catholic Charities of the Diocese of Albany
Nov 09

In August, while Catholic Charities of the Diocese of Albany (CCDA) was performing an upgrade of its computer security software, malware was discovered to have been installed on one of the computer servers used by its Glens Falls office, which served patients in Saratoga, Warren and Washington Counties in New York. Fast action was taken to block access to the server and CCDA called in a computer security firm to conduct an investigation into the unauthorized access. The investigation, which took several weeks to complete, revealed that access to the server potentially dated back to 2015. While access to the server was possible and malware had been installed, the investigation did not uncover evidence to suggest the protected health information of patients had been viewed or stolen. An analysis of the server revealed the stored files contained the protected health information of 4,624 patients. The information potentially accessed by the attackers included names, addresses, birthdates, diagnosis codes, dates of service, and for some patients, their health insurance ID numbers which...

Aging Agency Reports Ransomware Attack: 8,750 Patients Impacted
Nov 09

The Ottawa-based East Central Kansas Area Agency on Aging (ECKAAA) has experienced a ransomware attack that resulted in the encryption of files on one of the agency’s servers. Those files contained the protected health information (PHI) of 8,750 patients. The attack occurred on September 5, 2017 and was immediately recognized by ECKAAA, which took prompt action to limit the spread of the infection. As a result, only parts of the server had files encrypted. Those files were discovered to contain names, telephone numbers, addresses, birthdates, Medicaid numbers, and Social Security numbers. ECKAAA hired a cybersecurity firm to assist with the investigation and determine the true extent and nature of the attack. The investigation revealed the ransomware used was a variant of Crysis/Dharma, a ransomware family known to encrypt files stored locally, on mapped network drives, and on unmapped network shares. Crysis/Dharma ransomware also deletes shadow volume copies to hamper recovery. While the investigation uncovered no evidence of exfiltration of data, the possibility of...

Healthcare Data Breach Analysis Questioned
Nov 08

Large healthcare providers experience more data breaches than smaller healthcare providers, at least that is what a healthcare data breach analysis from Johns Hopkins University Carey School of Business suggests. For the study, the researchers used breach reports submitted to the Department of Health and Human Services’ Office for Civil Rights. HIPAA-covered entities are required to submit breach reports to OCR, and under HITECH Act requirements, OCR publishes the breaches that impact more than 500 individuals. The study, led by Ge Bai, PhD, and published in the journal JAMA Internal Medicine, indicates that between 2009 and 2016, 216 hospitals reported a data breach and 15% of hospitals reported more than one breach. The analysis of the breach reports suggests teaching hospitals are more likely to suffer data breaches: a third of breached hospitals were major teaching centers. The study also suggested larger hospitals were more likely to experience data breaches. Now, a team of doctors from Vanderbilt University in Nashville, TN, have called the data breach statistics details...

Former Employees of Virginia Medical Practice Inappropriately Used Patient Information
Nov 06

Two former employees of Valley Family Medicine in Staunton, VA have been discovered to have inappropriately used a patient list, in violation of the practice’s policies. The list was used to inform patients of a new practice that was opening in the area. One of the employees used the list to send postcards to Valley Family Medicine patients to advise them that a new practice, unaffiliated with Valley Family Medicine, was being opened. Patients were invited to visit the new practice. The mailing was sent in mid-July this year, although it was not discovered by Valley Family Medicine until September 15. The discovery prompted a full investigation of the breach, which confirmed that the only information used by the employees was the information contained on the list. That information was limited to names and addresses. No other protected health information was taken or used by the employees. Those two individuals are no longer employed at the practice and the list has now been recovered. Valley Family Medicine is satisfied that there have been no further misuses or disclosures of the...

TJ Samson Community Hospital Discovers Inappropriate Accessing of 683 Patients’ PHI
Nov 04

An independent care provider who provides care to patients of TJ Samson Community Hospital in South Central Kentucky has been discovered to have inappropriately accessed the protected health information (PHI) of 683 patients of TJ Samson Community Hospital in Glasgow, KY and the TJ Health Columbia Clinic. The inappropriate access was discovered during a routine audit of PHI access logs on August 25, 2017. The subsequent investigation revealed two individuals from the healthcare provider’s office had accessed the protected health information of patients without any legitimate work reason for doing so. Access to patients’ PHI is necessary in order for independent health care providers to conduct their work duties, although in this case, the PHI of patients was accessed even though the patients were not being treated by the individuals. TJ Samson interviewed both individuals about the alleged unauthorized access and is satisfied that no further uses or disclosures of PHI have occurred. In response to the incident, TJ Samson has terminated access for the individuals in question. The...

Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) Introduced by NY AG
Nov 03

The Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) has been introduced into the legislature in New York by Attorney General Eric T. Schneiderman. The aim of the act is to protect New Yorkers from needless breaches of their personal information and to ensure they are notified when such breaches occur. The program bill, which was sponsored by Senator David Carlucci (D-Clarkstown) and Assembly member Brian Kavanagh (D-Manhattan), is intended to improve protections for New York residents without placing an unnecessary burden on businesses. The introduction of the SHIELD Act comes weeks after the announcement of the Equifax data breach which impacted more than 8 million New Yorkers. In 2016, more than 1,300 data breaches were reported to the New York attorney general’s office – a 60% increase in breaches from the previous year. Attorney General Schneiderman explained that New York’s data security laws are “weak and outdated” and require an urgent update. While federal laws require some organizations to implement data security controls, in New York, there are no...

Lawnmower Engine Manufacturer Reports HIPAA Breach
Nov 01

Briggs &amp; Stratton Corporation, a manufacturer of lawnmower engines, may not appear to be a HIPAA-covered entity, since the firm is not in the healthcare industry and does not provide services to healthcare organizations as a business associate. However, the company is required to comply with HIPAA Rules. When the company experienced a potential breach of employee information, the incident was a reportable security breach: OCR had to be notified, and notification letters had to be issued to its employees. Just because a company does not operate in the healthcare industry does not mean that HIPAA does not apply. Briggs &amp; Stratton was required to comply with HIPAA Rules due to its self-insured group health plan. Employers and health plan sponsors are required to ensure that HIPAA policies are put in place for their group health plans, that any ePHI created, accessed, stored, or transmitted is safeguarded to the standards required by the HIPAA Security Rule, and that all HIPAA Rules are followed. That includes entering into business associate agreements with any entity that has access to the...

Tips for Reducing Mobile Device Security Risks
Nov 01

An essential part of HIPAA compliance is reducing mobile device security risks to a reasonable and acceptable level. As healthcare organizations turn to mobile devices such as laptop computers, mobile phones, and tablets to improve efficiency and productivity, many are introducing risks that could all too easily result in a data breach and the exposure of protected health information (PHI). As the breach reports submitted to the HHS’ Office for Civil Rights show, mobile devices are commonly involved in data breaches. Between January 2015 and the end of October 2017, 71 breaches have been reported to OCR that involved mobile devices such as laptops, smartphones, tablets, and portable storage devices. Those breaches have resulted in the exposure of 1,303,760 patient and plan member records. 17 of those breaches resulted in the exposure of more than 10,000 records, with the largest breach exposing 697,800 records. The majority of those breaches could easily have been avoided. The Health Insurance Portability and Accountability Act (HIPAA) Security Rule does not demand...

8,000 Patients Notified of PHI Exposure After Office Burglary
Oct 30

A limited amount of protected health information (PHI) of almost 8,000 patients of Brevard Physician Associates has been exposed after a desktop computer was stolen in a burglary. The incident occurred on September 4, 2017 – Labor Day – when the offices were closed. In the early morning, thieves broke in and stole three desktop computers. The burglary triggered the alarm system and police responded to the incident, although not in time to apprehend the criminals. A forensic analysis of the office was performed, although to date the individuals responsible have not been apprehended and the computers not recovered. Two of the computers did not contain any protected health information, but the third computer had five audit files saved to the hard drive. The information in those audit files was limited, although there was sufficient information to warrant the issuing of breach notifications to patients. Brevard Physician Associates acted quickly and dispatched breach notification letters to affected patients well within the timeframe allowed by the HIPAA Breach Notification Rule. In...

932 Texas Children’s Health Plan Members’ PHI Emailed to Personal Account by Employee
Oct 28

The protected health information (PHI) of 932 members of the Texas Children’s Health Plan has been discovered to have been emailed to the personal email account of a former employee. The incident was discovered on September 21, 2017, although the former employee emailed the data late last year in November and December 2016. The emails were discovered during a routine review. Texas Children’s Health Plan responded to the breach promptly and has taken action to mitigate risk. The health insurance plan has also implemented additional safeguards to prevent similar incidents from occurring in the future and employees have been re-trained on hospital policies and HIPAA Rules. While the reason for the PHI being emailed to the personal email account has not been disclosed, the breach report uploaded to the insurance plan website explains no evidence has been uncovered to suggest any plan member information has been used inappropriately. However, the incident has been reported to law enforcement. As is required by the HIPAA Breach Notification Rule, the incident has been reported to the...

Data Breach Highlights Danger of Using USB Drives to Store PHI
Oct 26

The Mann-Grandstaff VA Medical Center in Spokane, WA has discovered two USB drives containing the protected health information of almost 2,000 veterans have been stolen. The two devices were being used to store data from a standalone, non-networked server that was being decommissioned. One of the devices was the master drive used to move the medical center’s Anesthesia Record Keeper database to its virtual archive server. According to a statement issued by the medical center, that transfer had taken place in January. It is unclear why the database was still on the drive. The devices were stolen on July 18, 2017 from a contract employee while on a service call to a VA hospital in Oklahoma City. Mann-Grandstaff VA Medical Center was not able to determine exactly what information was stored on the USB drives, although the database on the virtual archive server was checked and found to contain full names, addresses, phone numbers, surgical information, insurance information, and Social Security numbers. The 1,915 individuals who have potentially been affected are being notified of the breach...

The Most Common HIPAA Violations You Should Be Aware Of
Oct 26

The most common HIPAA violations that have resulted in financial penalties are the failure to perform an organization-wide risk analysis to identify risks to the confidentiality, integrity, and availability of protected health information (PHI); the failure to enter into a HIPAA-compliant business associate agreement; impermissible disclosures of PHI; delayed breach notifications; and the failure to safeguard PHI. The settlements pursued by the Department of Health and Human Services’ Office for Civil Rights (OCR) are for egregious violations of HIPAA Rules. Settlements are also pursued to highlight common HIPAA violations to raise awareness of the need to comply with specific aspects of HIPAA Rules. This article covers five of the most common HIPAA violations that have resulted in settlements with covered entities and their business associates over the past few years.

Are Data Breaches HIPAA Violations?

Data breaches are now a fact of life. Even with multi-layered cybersecurity defenses, data breaches are still likely to occur from time to time. OCR understands that healthcare...

FirstHealth Attacked with New WannaCry Ransomware Variant
Oct 24

FirstHealth of the Carolinas, a Pinehurst, SC-based not-for-profit health network, has been attacked with a new WannaCry ransomware variant. WannaCry ransomware was used in global attacks in May this year. More than 230,000 computers were infected within 24 hours of the global attacks commencing. The ransomware variant had wormlike properties and was capable of spreading rapidly and affecting all vulnerable networked devices. The campaign was blocked when a kill switch was identified and activated, preventing file encryption. However, FirstHealth has identified the malware used in its attack and believes it is a new WannaCry ransomware variant. The FirstHealth ransomware attack occurred on October 17, 2017. The ransomware is believed to have been introduced via a non-clinical device, although investigations into the initial entry point are ongoing to determine exactly how the malware was introduced. FirstHealth reports that its information system team detected the attack immediately and implemented security protocols to prevent the spread of the malware to other networked devices....

Beazley Publishes 2017 Healthcare Data Breach Report
Oct 23

Beazley, a provider of data breach insurance and response services, has published a special report on healthcare data breaches covering the first nine months of 2017. While hacking and malware attacks are common, by far the biggest cause of healthcare data breaches in 2017 was unintended disclosures. Hacking and malware accounted for 19% of breaches, while unintended disclosures accounted for 41% of incidents. The figures show healthcare organizations are still struggling to prevent human error from resulting in the exposure of health data. As Beazley explains in its report, it is easier to control and mitigate internal breaches than it is to block cyberattacks by outsiders, yet many healthcare organizations are failing to address the problem effectively. “We urge organizations not to ignore this significant risk and to invest time and resources towards employee training.” Beazley notes that the number of cases of employee snooping on records and other insider incidents is getting worse. This time last year, 12% of healthcare data breaches were insider incidents, but in 2017 the...

RiverMend Health Email Breach Impacts 1300 Patients
Oct 20

Augusta, GA-based RiverMend Health, a provider of specialty behavioral health services including services for drug and alcohol addiction, has discovered an unauthorized individual gained access to the email account of one of its employees. The unauthorized access was detected on August 10, 2017, when suspicious emails were identified being sent from the employee’s account. The suspicious email activity was investigated and access to the account was blocked on August 11, 2017. The investigation revealed access to the account was first gained two weeks earlier, on July 27. During the two weeks that the email account was accessible, it is possible that the employee’s emails were accessed by the attacker. Those emails contained a range of protected health information of 1,300 current and former patients. RiverMend Health has retained the services of a leading computer forensics firm to assist with the investigation and determine the full nature of the breach and the extent of the attack. RiverMend Health has not disclosed how access to the email account was gained, but has said...

Healthcare Phishing Attack Potentially Impacts 16,500 Patients
Oct 19

Phishing is arguably the biggest data security threat faced by healthcare organizations. The past few weeks have seen several attacks reported by healthcare organizations, with the latest healthcare phishing attack one of the most serious, having affected as many as 16,562 patients. Chase Brexton Health Care reports that the attack occurred on August 2 and August 3, 2017, when multiple phishing emails were delivered to the inboxes of its employees. Phishing attacks commonly take the form of bogus invoices and fake package delivery notifications, although these emails purported to be surveys. After employees completed the surveys, they were required to enter their login information. Four employees fell for the scam and divulged their user account credentials. The phishing attack was discovered on August 4 and access to the employees’ accounts was blocked. However, on August 2 and 3, the accounts of those employees were accessed and the attackers re-routed employee payments to their own bank account. While the aim of the phishing attack did not appear to be to gain access to patient...

Healthcare Data Breaches in September Saw Almost 500K Records Exposed
Oct 19

Protenus has released its Breach Barometer report which shows there was a significant increase in healthcare data breaches in September. The report includes healthcare data breaches reported to the Department of Health and Human Services’ Office for Civil Rights and security incidents tracked by databreaches.net. The latter have yet to appear on the OCR ‘Wall of Shame.’ In total, Protenus/databreaches.net tracked 46 healthcare data breaches in September. While the total number of breach victims has not been confirmed for all incidents, at least 499,144 healthcare records are known to have been exposed or stolen. The number of records exposed or stolen in four of the month’s breaches has yet to be disclosed. The high number of incidents makes September the second worst month of 2017 for healthcare industry data breaches. Only June was worse, when 52 data breaches were reported. In August, 33 data breaches were reported by healthcare organizations. The report confirms the worst incident of the month was a ransomware attack that saw the records of 128,000 individuals made...

Theft of Unencrypted Laptop Potentially Results in PHI Exposure
Oct 18

An unencrypted laptop computer has been stolen from the vehicle of an employee of Bassett Family Practice in Virginia, potentially resulting in the exposure of patients’ protected health information. The theft is understood to have occurred over the weekend of August 12-13. Patients were notified of the exposure of their data on October 13, 2017. The delay in issuing notifications was due to the time taken to recover the missing files from backups and to analyze those files to determine which patients had been affected and the types of PHI stored on the device. The laptop computer was discovered to contain some information about patients’ visits to the practice, along with their names, dates of birth, account numbers, and their insurance provider’s name. The laptop also contained information related to account balances. No Social Security numbers or credit or debit card information were stored on the device. It is not company practice to store any protected health information on laptop computers. The files were transferred to the device as Bassett Family Practice was transitioning to...

Namaste Health Care Pays Ransom to Recover PHI
Oct 17

A hacker gained access to a file server used by Ashland, MI-based Namaste Health Care and installed ransomware, encrypting a wide range of data including patients’ protected health information. Access was gained to the file server over the weekend of August 12-13 and ransomware was installed; however, it is unclear whether patients’ PHI was accessed or stolen before the ransomware was installed. The Ashland clinic discovered its data had been encrypted when staff returned to work on Monday, August 14. Prompt action was taken to prevent any further access to its file server, including disabling access and taking the server offline. An external contractor was brought in to help remediate the attack and remove all traces of malware from its system. In order to recover data, Namaste Health Care made the decision to pay the attacker’s ransom demand. In this case, a valid key was supplied by that individual and it was possible to unlock the encrypted files. The clinic was able to recover data and bring its systems back online after a few days. The incident prompted the clinic to...

8,362 Patients Potentially Impacted by Advanced Spine &amp; Pain Center Breach
Oct 17

San Antonio, TX-based Advanced Spine &amp; Pain Center (ASPC) has notified patients of a potential breach and unauthorized use of their protected health information. Potentially, as many as 8,362 patients have been affected by the incident. ASPC became aware of a potential breach of ePHI on July 31, 2017, when some patients reported receiving a telephone call claiming payment for an outstanding bill was required. An investigation was launched to determine whether ASPC systems had been breached. That investigation revealed unauthorized individuals had gained access to an ASPC server. Unauthorized access occurred even though extensive protections had been put in place, including firewalls, network filtering, security monitoring, password protection, and antivirus software. While unauthorized access was confirmed, it was unclear whether any sensitive information was accessed by those individuals. It was also not possible to determine whether the telephone calls received by some patients were linked to the security breach. Since it is possible that patients’ ePHI was viewed or obtained...

Q3, 2017 Healthcare Data Breach Report
Oct 16

In Q3, 2017, there were 99 breaches of more than 500 records reported to the Department of Health and Human Services’ Office for Civil Rights (OCR), bringing the total number of data breaches reported in 2017 up to 272 incidents. The 99 data breaches in Q3, 2017 saw 1,767,717 individuals’ PHI exposed or stolen. So far in 2017, the records of 4,601,097 Americans have been exposed or stolen as a result of healthcare data breaches.

Q3 Data Breaches by Covered Entity

Healthcare providers were the worst hit in Q3, reporting a total of 76 PHI breaches. Health plans reported 17 breaches and there were 6 data breaches experienced by business associates of covered entities. There were 31 data breaches reported in July, 29 in August, and 39 in September. While September was the worst month for data breaches, August saw the most records exposed: 695,228.

The Ten Largest Healthcare Data Breaches in Q3, 2017

The ten largest healthcare data breaches reported to OCR in Q3, 2017 were all the result of hacking/IT incidents. In fact, 36 out of the 50 largest healthcare data breaches in...
