Dedicated to providing the latest
HIPAA compliance news

Our HIPAA breach news section covers HIPAA breaches such as unauthorized disclosures of protected health information (PHI), improper disposal of PHI, unauthorized PHI access by cybercriminals and rogue healthcare employees, and other security and privacy breaches.

When known, we explain how the breach occurred, the consequences to patients that may have had their PHI compromised, and the actions being taken by the affected healthcare organization to improve safeguards to prevent further HIPAA breaches.

We also explain any actions being taken by the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) and state attorneys general in relation to those breaches.

OCR investigates all data breaches that impact more than 500 individuals to determine whether any HIPAA violations have occurred. When HIPAA Rules are discovered to have been violated, financial penalties may be deemed appropriate. It can take many months or years before any financial penalties for HIPAA breaches are decided. Financial penalties for HIPAA violations tend to be reserved for the most serious breaches of HIPAA Rules. OCR prefers to resolve cases with voluntary compliance and by issuing recommendations to bring policies in line with HIPAA Rules.

The HIPAA breach news section is particularly relevant to healthcare information security professionals, privacy officers, and other individuals who have some responsibility for HIPAA compliance.

The HIPAA breach news reports highlight common areas of non-compliance and new attack vectors used by cybercriminals to gain access to healthcare networks and PHI, the security failings that allowed them to happen, and the measures that have been implemented to prevent them from happening again.

No healthcare organization wants to experience a data breach, but when a breach does occur, lessons can be learned. HIPAA-covered entities can use these breach examples to help train their staff as well as to discover some of the methods other covered entities have adopted to improve data security.

As you will be able to see from the volume of posts in the HIPAA breach news category, healthcare data breaches occur frequently. In 2016 and 2017, healthcare data breaches have been reported on an almost daily basis.

Our HIPAA breach news section is an important source of information about potential security issues that covered entities should be identifying when conducting their own risk assessments. Many of the situations in our HIPAA breach news posts could have been avoided if a risk assessment had identified a vulnerability that was later exploited to gain access to PHI.

The main purpose for adding HIPAA breach news to this website is to highlight specific aspects of HIPAA compliance that are commonly overlooked, often with serious consequences for the covered entity and patients/health plan members.

By raising awareness of the volume of healthcare data breaches, the implications of those breaches, and the penalties that can result, it is hoped that healthcare providers will take decisive action to prevent their patients’ and members’ data from being exposed.

The most recent healthcare data breach reports are listed below. If you want to find out if a specific covered entity has experienced a data breach, please use the search function in the top right hand corner of this webpage.

Second Unencrypted Laptop Stolen from Rocky Mountain Health Care Services
Nov21

Second Unencrypted Laptop Stolen from Rocky Mountain Health Care Services

Rocky Mountain Health Care Services of Colorado Springs has discovered an unencrypted laptop has been stolen from one of its employees. This is the second such incident to be discovered in the space of three months. The latest incident was discovered on September 28. The laptop computer was discovered to contain the protected health information of a limited number of patients. The types of information stored on the device included first and last names, addresses, dates of birth, health insurance information, Medicare numbers, and limited treatment information. The incident has been reported to law enforcement and patients impacted by the incident have been notified by mail. Rocky Mountain Health Care Services, which also operates as Rocky Mountain PACE, BrainCare, HealthRide, and Rocky Mountain Options for Long Term Care, also discovered on June 18, 2017 that a mobile phone and laptop computer were stolen from a former employee. The devices contained names, dates of birth, addresses, limited treatment information, and health insurance details. To date, only one of those incidents...

Read More
9,500 Patients Impacted by Medical College of Wisconsin Phishing Attack
Nov21

9,500 Patients Impacted by Medical College of Wisconsin Phishing Attack

A Medical College of Wisconsin phishing attack has resulted in the exposure of approximately 9,500 patients’ protected health information. The attackers managed to gain access to several employees’ email accounts, which contained a range of sensitive information of patients and some faculty staff. The types of information in the compromised email accounts included names, addresses, medical record numbers, dates of birth, health insurance details, medical diagnoses, treatment information, surgical information, and dates of service. A very limited number of individuals also had their Social Security numbers and bank account information exposed. The incident occurred over the space of a week in the summer between July 21 and July 28 when spear phishing emails were sent to specific individuals at the Medical College of Wisconsin. Responding to those emails resulted in the attackers gaining access to email login credentials. Medical College of Wisconsin brought in a computer forensics firm to conduct an investigation into the phishing attack, and while that investigation established...

Read More
November Healthcare Breach Barometer Report Highlights Seriousness of Insider Data Breaches
Nov20

November Healthcare Breach Barometer Report Highlights Seriousness of Insider Data Breaches

Protenus has released its November 2017 healthcare Breach Barometer Report. After a particularly bad September, healthcare data breach incidents fell to more typical levels, with 37 breaches tracked in October. The monthly summary of healthcare data breaches includes incidents reported to the Department of Health and Human Services’ Office for Civil Rights (OCR), and incidents announced via the media and tracked by databreaches.net. Those incidents include several breaches that have yet to be reported to OCR, including a major breach that has impacted at least 150,000 individuals – The actual number of individuals impacted will not be known until the investigation has been completed. The numbers of individuals impacted by 8 breaches have not yet been disclosed. Including the 150,000 individuals impacted by largest breach of the month, there were 246,246 victims of healthcare data breaches in October 2017 – the lowest monthly total since May 2017. The healthcare industry has historically recorded a higher than average number of data breaches due to insiders, although over the...

Read More
Suspected Phishing Attack on UPMC Susquehanna Exposes 1,200 Patients’ PHI
Nov20

Suspected Phishing Attack on UPMC Susquehanna Exposes 1,200 Patients’ PHI

UPMC Susquehanna, a network of hospitals and medical centers in Williamsport, Wellsboro, and Muncy in Pennsylvania, has announced that the protected health information of 1,200 patients has potentially been accessed by unauthorized individuals. Access to patient information is believed to have been gained after an employee responded to a phishing email. While details of the breach date have not been released, UPMC Susquehanna says it discovered the breach on September 21, when an employee reported suspicious activity on their computer. An investigation was launched, which revealed unauthorized individuals had gained access to that individual’s device. It is not known whether the attacker viewed, stole, or misused any patient information, but the possibility of data access and misuse could not be ruled out. The information potentially accessed includes names, contact information, dates of birth, and Social Security numbers. The individuals potentially impacted by the incident had previously received treatment at various UPMC Susquehanna hospitals including Muncy Valley Hospital,...

Read More
Florida Blue Data Breach Impacts 939 Individuals
Nov17

Florida Blue Data Breach Impacts 939 Individuals

Blue Cross and Blue Shield of Florida, dba Florida Blue, has announced that the personally identifiable information of a limited number of insurance applicants has been exposed online. Florida Blue was alerted to the exposure of patient data in late August and immediately launched an investigation. Florida Blue reports that the investigation revealed 475 insurance applications had been backed up to the cloud by an unaffiliated insurance agent, Real Time Health Quotes (RTHQ). The data backup included agency files and copies of health, dental, and life insurance applications from 2009 to 2014. Those files were left vulnerable as an unsecured cloud server was used to store the backup files. Consequently, those files could have been accessed by the public via the Internet. While data access and theft of personally identifiable information remains a possibility, Florida Blue has received no reports that any of the exposed information has been used for malicious purposes. The files contained information such as the names of applicants, dates of birth, demographic information, medical...

Read More
Boxes of Medical Records Stolen from New Jersey Medical Practice
Nov17

Boxes of Medical Records Stolen from New Jersey Medical Practice

Otolaryngology Associates of Central Jersey is alerting patients to a breach of their protected health information, following a burglary at an off-site storage facility in East Brunswick, NJ. The thieves took 13 boxes of paper medical records from the facility, which included information such as names, addresses, health insurance account numbers, birth dates, dates of military service, and the names of treating physicians. A limited number of driver’s license numbers and Social Security numbers were also included in the stolen records. The burglary was quickly identified and law enforcement was notified. An internal investigation was launched, and steps were taken to reduce the likelihood of similar breaches occurring in the future. The medical records were being stored in accordance with state and federal laws, and related to past patients that had received treatment at either of Otolaryngology Associates of Central Jersey’s two facilities in East Brunswick and Franklin townships. All affected individuals have now been notified of the breach. While the perpetrators of many...

Read More
October 2017 Healthcare Data Breaches
Nov16

October 2017 Healthcare Data Breaches

In October 2017, there were 27 healthcare data breaches reported to the Department of Health and Human Services’ Office for Civil Rights. Those data breaches resulted in the theft/exposure of 71,377 patient and plan member records. October saw a significant fall in the number of reported breaches compared to September, and a major fall in the number of records exposed. October saw a major reduction in the number of breached records, with the monthly total almost 85% lower than September and almost 88% lower than the average number of records breached over the preceding three months. Healthcare providers were the worst hit in October with 19 reported data breaches. There were six data breaches reported by health plans and at least two incidents involved business associates of HIPAA-covered entities. October 2017 Healthcare Data Breaches by Covered Entity Type Main Causes of October 2017 Healthcare Data Breaches Unauthorized access/disclosures were the biggest causes of healthcare data breaches in October. There were 14 breaches reported involving unauthorized access/disclosures, 8...

Read More
MongoDB and AWS Incorporate New Security Controls to Prevent Data Breaches
Nov10

MongoDB and AWS Incorporate New Security Controls to Prevent Data Breaches

Amazon has announced that new safeguards have been incorporated into its cloud server that will make it much harder for users to misconfigure their S3 buckets and accidentally leave their data unsecured. While Amazon will sign a business associate agreement with HIPAA-covered entities, and has implemented appropriate controls to ensure data can be stored securely, but user errors can all too easily lead to data exposure and breaches. Those breaches show that even HIPAA-compliant cloud services have potential to leak data. This year has seen many organizations accidentally leave their S3 data exposed online, including several healthcare organizations. Two such breaches were reported by Accenture and Patient Home Monitoring. Accenture was using four unsecured cloud-based storage servers that stored more than 137 GB of data including 40,000 plain-text passwords. The Patient Home Monitoring AWS S3 misconfiguration resulted in the exposure of 150,000 patients’ PHI. In response to multiple breaches, Amazon has announced that new safeguards have been implemented to alert users to exposed...

Read More
Cook County Health and Hospitals System Patients Impacted by Experian Health Breach
Nov10

Cook County Health and Hospitals System Patients Impacted by Experian Health Breach

Cook County Health and Hospitals System, a health system comprising two hospitals and more than a dozen community health centers in Cook County Illinois, has alerted patients to a breach of their protected health information. The breach occurred at Experian Health, a business associate of Cook County Health and Hospitals System. Experian Health is contracted to determine insurance eligibility and limited patient information is disclosed to the business associate for this purpose. The breach occurred in March 2017 during an upgrade of Experian Health’s computer system. The protected health information of 727 patients was accidentally sent to other healthcare systems. The PHI disclosed was limited and did not include the types of information sought by cybercriminals to commit identity theft. Due to the limited disclosure of PHI, and the fact that the information was sent to organizations covered by HIPAA Rules, the risk to patients is believed to be low. To date, Experian Health has not been notified of any unauthorized uses of the disclosed information. The breach was limited to...

Read More
2017 Data Breach Report Reveals 305% Annual Rise in Breached Records
Nov09

2017 Data Breach Report Reveals 305% Annual Rise in Breached Records

A 2017 data breach report from Risk Based Security (RBS), a provider of real time information and risk analysis tools, has revealed there has been a 305% increase in the number of records exposed in data breaches in the past year. For its latest breach report, RBS analyzed breach reports from the first 9 months of 2017. RBS explained in a recent blog post, 2017 has been “yet another ‘worst year ever’ for data breaches.” In Q3, 2017, there were 1,465 data breaches reported, bringing the total number of publicly disclosed data breaches up to 3,833 incidents for the year. So far in 2017, more than 7 billion records have been exposed or stolen. RBS reports there has been a steady rise in publicly disclosed data breaches since the end of May, with September the worst month of the year to date. More than 600 data breaches were disclosed in September. Over the past five years there has been a steady rise in reported data breaches, increasing from 1,966 data breaches in 2013 to 3,833 in 2017. Year on year, the number of reported data breaches has increased by 18.2%. The severity of data...

Read More
Long-Term Malware Infection Discovered by Catholic Charities of the Diocese of Albany
Nov09

Long-Term Malware Infection Discovered by Catholic Charities of the Diocese of Albany

In August, while Catholic Charities of the Diocese of Albany (CCDA) was performing an upgrade of its computer security software, malware was discovered to have been installed on one of the computer servers used by its Glens Falls office, which served patients in Saratoga, Warren and Washington Counties in New York. Fast action was taken to block access to the server and CCDA called in a computer security firm to conduct an investigation into the unauthorized access. The investigation, which took several weeks to complete, revealed that access to the server potentially dated back to 2015. While access to the server was possible and malware had been installed, the investigation did not uncover evidence to suggest the protected health information of patients had been viewed or stolen. An analysis of the server revealed the stored files contained the protected health information of 4,624 patients. The information potentially accessed by the attackers included names, addresses, birthdates, diagnosis codes, dates of service, and for some patients, their health insurance ID numbers which...

Read More
Aging Agency Reports Ransomware Attack: 8,750 Patients Impacted
Nov09

Aging Agency Reports Ransomware Attack: 8,750 Patients Impacted

The Ottawa-based East Central Kansas Area Agency on Aging (ECKAAA) has experienced a ransomware attack that has resulted in the encryption of files on one of the agency’s servers. Those files contained the protected health information (PHI) of 8,750 patients. The attack occurred on September 5, 2017 and was immediately recognized by ECKAAA, which took prompt action to limit the spread of the infection. As a result, only parts of the server had files encrypted. Those files were discovered to contain names, telephone numbers, addresses, birthdates, Medicaid numbers, and Social Security numbers. ECKAAA hired a cybersecurity firm to assist with the investigation and determine the true extent and nature of the attack. The investigation revealed the ransomware variant used was a variant of Crysis/Dharma – a ransomware variant known to encrypt files stored locally, on mapped network drives, and unmapped network shares. Crysis/Dharma ransomware also deletes shadow volume copies to hamper recovery. While the investigation uncovered no evidence of exfiltration of data, the possibility of...

Read More
Healthcare Data Breach Analysis Questioned
Nov08

Healthcare Data Breach Analysis Questioned

Large healthcare providers experience more data breaches than smaller healthcare providers, at least that is what a healthcare data breach analysis from Johns Hopkins University Carey School of Business suggests. For the study, the researchers used breach reports submitted to the Department of Health and Human Services’ Office for Civil Rights. HIPAA-covered entities are required to submit breach reports to OCR, and under HITECT Act requirements, OCR publishes the breaches that impact more than 500 individuals. The Ge Bai, PhD., led study, which was published in the journal JAMA Internal Medicine, indicates between 2009 and 2016, 216 hospitals had reported a data breach and 15% of hospitals reported more than one breach. The analysis of the breach reports suggest teaching hospitals are more likely to suffer data breaches – a third of breached hospitals were major teaching centers. The study also suggested larger hospitals were more likely to experience data breaches. Now, a team of doctors from Vanderbilt University, in Nashville, TN have called the data breach statistics details...

Read More
Former Employees of Virginia Medical Practice Inappropriately Used Patient Information
Nov06

Former Employees of Virginia Medical Practice Inappropriately Used Patient Information

Two former employees of Valley Family Medicine in Staunton, VA have been discovered to have inappropriately used a patient list, in violation of the practice’s policies. The list was used to inform patients of a new practice that was opening in the area. One of the employees used the list to send postcards to Valley Family Medicine patients to advise them that a new practice, unaffiliated to Valley Family Medicine, was being opened. Patients were invited to visit the new practice. The mailing was sent in mid-July this year, although it was not discovered by Valley Family Medicine until September 15. The discovery prompted a full investigation of the breach, which confirmed that the only information used by the employees was the information contained on the list. That information was limited to names and addresses. No other protected health information was taken or used by the employees. Those two individuals are no longer employed at the practice and the list has now been recovered. Valley Family Medicine is satisfied that there have been no further misuses or disclosures of the...

Read More
TJ Samson Community Hospital Discovers Inappropriate Accessing of 683 Patients’ PHI
Nov04

TJ Samson Community Hospital Discovers Inappropriate Accessing of 683 Patients’ PHI

An independent care provider who provides care to patients of TJ Samson Community Hospital in South Central Kentucky, has been discovered to have inappropriately accessed the protected health information (PHI) of 683 patients of TJ Samson Community Hospital in Glasgow, KY and the TJ Health Columbia Clinic. The inappropriate access was discovered during a routine audit of PHI access logs on August 25, 2017. The subsequent investigation revealed two individuals from the healthcare provider’s office had accessed the protected health information of patients, without any legitimate work reason for doing so. Access to patients PHI is necessary in order for independent health care providers to conduct their work duties, although in this case, the PHI of patients was accessed even though the patients were not being treated by the individuals. TJ Samson interviewed both individuals about the alleged unauthorized access and is satisfied that no further uses or disclosures of PHI have occurred. In response to the incident, TJ Samson has terminated access for the individuals in question. The...

Read More
Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) Introduced by NY AG
Nov03

Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) Introduced by NY AG

The Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) has been introduced into the legislature in New York by Attorney General Eric T. Schneiderman. The aim of the act is to protect New Yorkers from needless breaches of their personal information and to ensure they are notified when such breaches occur. The program bill, which was sponsored by Senator David Carlucci (D-Clarkstown) and Assembly member Brian Kavanagh (D-Manhattan), is intended to improve protections for New York residents without placing an unnecessary burden on businesses. The introduction of the SHIELD Act comes weeks after the announcement of the Equifax data breach which impacted more than 8 million New Yorkers. In 2016, more than 1,300 data breaches were reported to the New York attorney general’s office – a 60% increase in breaches from the previous year. Attorney General Schneiderman explained that New York’s data security laws are “weak and outdated” and require an urgent update. While federal laws require some organizations to implement data security controls, in New York, there are no...

Read More
Lawnmower Engine Manufacturer Reports HIPAA Breach
Nov01

Lawnmower Engine Manufacturer Reports HIPAA Breach

Briggs Stratton Corporation, a manufacturer of lawnmower engines, may not appear to be a HIPAA covered entity since the firm is not in the healthcare industry and does not provide services to healthcare organizations as a business associate. However, the company is required to comply with HIPAA Rules. When the company experienced a potential breach of employee information, the incident was a reportable security breach, OCR required notification, and notification letters had to be issued to its employees. Just because a company does not operate in the healthcare industry does not mean that HIPAA does not apply. Briggs Stratton was required to comply with HIPAA Rules due to its self-insured group health plan. Employers and health plan sponsors are required to ensure that HIPAA policies are put in place for their group health plans, that any ePHI created, accessed, stored, or transmitted is safeguarded to the standards required by the HIPAA Security Rule and all HIPAA Rules are followed. That includes entering into business associate agreements with any entity that has access to the...

Read More
Tips for Reducing Mobile Device Security Risks
Nov01

Tips for Reducing Mobile Device Security Risks

An essential part of HIPAA compliance is reducing mobile device security risks to a reasonable and acceptable level. As healthcare organizations turn to mobiles devices such as laptop computers, mobile phones, and tablets to improve efficiency and productivity, many are introducing risks that could all too easily result in a data breach and the exposure of protected health information (PHI). As the breach reports submitted to the HHS’ Office for Civil Rights show, mobile devices are commonly involved in data breaches. Between January 2015 and the end of October 2017, 71 breaches have been reported to OCR that have involved mobile devices such as laptops, smartphones, tablets, and portable storage devices. Those breaches have resulted in the exposure of 1,303,760 patients and plan member records. 17 of those breaches have resulted in the exposure of more than 10,000 records, with the largest breach exposing 697,800 records. The majority of those breaches could have easily been avoided. The Health Insurance Portability and Accountability Act (HIPAA) Security Rule does not demand...

Read More
8,000 Patients Notified of PHI Exposure After Office Burglary
Oct30

8,000 Patients Notified of PHI Exposure After Office Burglary

A limited amount of protected health information (PHI) of almost 8,000 patients of Brevard Physician Associates has been exposed after a desktop computer was stolen in a burglary. The incident occurred on September 4, 2017 – Labor Day – when the offices were closed. In the early morning, thieves broke in and stole three desktop computers. The burglary triggered the alarm system and police responded to the incident, although not in time to apprehend the criminals. A forensic analysis of the office was performed, although to date the individuals responsible have not been apprehended and the computers not recovered. Two of the computers did not contain any protected health information, but the third computer had five audit files saved to the hard drive. The information in those audit files was limited, although there was sufficient information to warrant the issuing of breach notifications to patients. Brevard Physician Associates acted quickly and dispatched breach notification letters to affected patients well within the timeframe allowed by the HIPAA Breach Notification Rule. In...

Read More
932 Texas Children’s Health Plan Members’ PHI Emailed to Personal Account by Employee
Oct28

932 Texas Children’s Health Plan Members’ PHI Emailed to Personal Account by Employee

The protected health information (PHI) of 932 members of the Texas Children’s Health Plan has been discovered to have been emailed to the personal email account of a former employee. The incident was discovered on September 21, 2017, although the former employee emailed the data late last year in November and December 2016. The emails were discovered during a routine review. Texas Children’s Health Plan responded to the breach promptly and has taken action to mitigate risk. The health insurance plan has also implemented additional safeguards to prevent similar incidents from occurring in the future and employees have been re-trained on hospital policies and HIPAA Rules. While the reason for the PHI being emailed to the personal email account has not been disclosed, the breach report uploaded to the insurance plan website explains no evidence has been uncovered to suggest any plan member information has been used inappropriately. However, the incident has been reported to law enforcement. As is required by the HIPAA Breach Notification Rule, the incident has been reported to the...

Read More
Data Breach Highlights Danger of Using USB Drives to Store PHI
Oct26

Data Breach Highlights Danger of Using USB Drives to Store PHI

The Man-Grandstaff VA Medical Center in Spokane, WA has discovered two USB drives containing the protected health information of almost 2,000 veterans have been stolen. The two devices were being used to store data from a standalone, non-networked server that was being decommissioned. One of the devices was the master drive used to move the medical center’s Anesthesia Record Keeper database to its virtual archive server. According to a statement issued by the medical center, that transfer had taken place in January. It is unclear why the database was still on the drive. The devices were stolen on July 18, 2017 from a contract employee while on a service call to a VA hospital in Oklahoma City. Man-Grandstaff VA Medical Center was not able to determine exactly what information was stored on the USB drives, although the database on the virtual archive server was checked and found to contain full names, addresses, phone numbers, surgical information, insurance information, and Social Security numbers. 1,915 individuals who have potentially been affected are being notified of the breach...

Read More
The Most Common HIPAA Violations You Should Be Aware Of
Oct26

The Most Common HIPAA Violations You Should Be Aware Of

The most common HIPAA violations that have resulted in financial penalties are the failure to perform an organization-wide risk analysis to identify risks to the confidentiality, integrity, and availability of protected health information (PHI); the failure to enter into a HIPAA-compliant business associate agreement; impermissible disclosures of PHI; delayed breach notifications; and the failure to safeguard PHI. The settlements pursued by the Department of Health and Human Services’ Office for Civil Rights (OCR) are for egregious violations of HIPAA Rules. Settlements are also pursued to highlight common HIPAA violations to raise awareness of the need to comply with specific aspects of HIPAA Rules. This article covers five of the most common HIPAA violations that have resulted in settlements with covered entities and their business associates over the past few years. Are Data Breaches HIPAA Violations? Data breaches are now a fact of life. Even with multi-layered cybersecurity defenses, data breaches are still likely to occur from time to time. OCR understands that healthcare...

Read More
FirstHealth Attacked with New WannaCry Ransomware Variant
Oct24

FirstHealth Attacked with New WannaCry Ransomware Variant

FirstHealth of the Carolinas, a Pinehurst, SC-based not for profit health network, has been attacked with a new WannaCry ransomware variant. WannaCry ransomware was used in global attacks in May this year. More than 230,000 computers were infected within 24 hours of the global attacks commencing. The ransomware variant had wormlike properties and was capable of spreading rapidly and affecting all vulnerable networked devices. The campaign was blocked when a kill switch was identified and activated, preventing file encryption.  However, FirstHealth has identified the malware used in its attack and believes it is a new WarnnaCry ransomware variant. The FirstHealth ransomware attack occurred on October 17, 2017. The ransomware is believed to have been introduced via a non-clinical device, although investigations into the initial entry point are ongoing to determine exactly how the virus was introduced. FirstHealth reports that its information system team detected the attack immediately and implemented security protocols to prevent the spread of the malware to other networked devices....

Read More
Beazley Publishes 2017 Healthcare Data Breach Report
Oct23

Beazley Publishes 2017 Healthcare Data Breach Report

Beazley, a provider of data breach insurance and response services, has published a special report on healthcare data breaches covering the first nine months of 2017. While hacking and malware attacks are common, by far the biggest cause of healthcare data breaches in 2017 was unintended disclosures. Hacking and malware accounted for 19% of breaches, while unintended disclosures accounted for 41% of incidents. The figures show healthcare organizations are still struggling to prevent human error from resulting in the exposure of health data. As Beazley explains in its report, it is easier to control and mitigate internal breaches than it is to block cyberattacks by outsiders, yet many healthcare organizations are failing to address the problem effectively. “We urge organizations not to ignore this significant risk and to invest time and resources towards employee training.” Beazley notes that the number of cases of employee snooping on records and other insider incidents is getting worse. This time last year, 12% of healthcare data breaches were insider incidents, but in 2017 the...

Read More
RiverMend Health Email Breach Impacts 1300 Patients
Oct20

RiverMend Health Email Breach Impacts 1300 Patients

Augusta, GA-based RiverMend Health, a provider of specialty behavioral health services including services for drug and alcohol addiction, has discovered an unauthorized individual has gained access to the email account of one of its employees. The unauthorized access was detected on August 10, 2017, when suspicious emails were identified being sent from the employee’s account. The suspicious email activity was investigated and access to the account was blocked on August 11, 2017. The investigation revealed access to the account was first gained two weeks previously on July 27. During the two weeks that the email account was accessible, it is possible that the employee’s emails were accessed by the attacker. Those emails contained a range of protected health information of 1,300 current and former patients.  RiverMend Health has retained the services of a leading computer forensics firm to assist with the investigation and determine the full nature of the breach and the extent of the attack. RiverMend Health has not disclosed how access to the email account was gained, but has said...

Read More
Healthcare Phishing Attack Potentially Impacts 16,500 Patients
Oct19

Healthcare Phishing Attack Potentially Impacts 16,500 Patients

Phishing is arguably the biggest data security threat faced by healthcare organizations. The past few weeks have seen several attacks reported by healthcare organizations, with the latest healthcare phishing attack one of the most serious, having affected as many as 16,562 patients. Chase Brexton Health Care reports that the attack occurred on August 2 and August 3, 2017, when multiple phishing emails were delivered to the inboxes of its employees. Phishing attacks commonly take the form of bogus invoices and fake package delivery notifications, although these emails purported to be surveys. After employees completed the surveys they were required to enter their login information. Four employees fell for the scam and divulged their user account credentials. The phishing attack was discovered on August 4 and access to the employees’ accounts was blocked.  However, on August 2 and 3, the accounts of those employees were accessed and the attackers re-route employee payments to their own bank account. While the aim of the phishing attack did not appear to be to gain access to patient...

Read More
Healthcare Data Breaches in September Saw Almost 500K Records Exposed
Oct19

Healthcare Data Breaches in September Saw Almost 500K Records Exposed

Protenus has released its Breach Barometer report which shows there was a significant increase in healthcare data breaches in September. The report includes healthcare data breaches reported to the Department of Health and Human Services’ Office for Civil Rights and security incidents tracked by databreaches.net. The latter have yet to appear on the OCR ‘Wall of Shame.’ In total, Protenus/databreaches.net tracked 46 healthcare data breaches in September. While the total number of breach victims has not been confirmed for all incidents, at least 499,144 healthcare records are known to have been exposed or stolen. The number of records exposed or stolen in four of the month’s breaches has yet to be disclosed. The high number of incidents makes September the second worst month of 2017 for healthcare industry data breaches. Only June was worse, when 52 data breaches were reported. In August, 33 data breaches were reported by healthcare organizations. The report confirms the worst incident of the month was a ransomware attack that saw the records of 128,000 individuals made...

Read More
Theft of Unencrypted Laptop Potentially Results in PHI Exposure
Oct18

Theft of Unencrypted Laptop Potentially Results in PHI Exposure

An unencrypted laptop computer has been stolen from the vehicle of an employee of Bassett Family Practice in Virginia, potentially resulting in the exposure of patients’ protected health information. The theft is understood to have occurred over the weekend of 12/13 August. Patients were notified of the exposure of their data on October 13, 2017. The delay in issuing notifications was due to the time taken to recover the missing files from backups and to analyse those files to determine which patients had been affected and the types of PHI stored on the device. The laptop computer was discovered to contain some information about patients’ visits to the practice, along with their names, date of birth, account number, and their insurance provider’s name. The laptop also contained information related to account balances. No Social Security numbers or credit or debit card information were stored on the device. It is not company practice to store any protected health information on laptop computers. The files were transferred to the device as Bassett Family Practice was transitioning to...

Read More
Namaste Health Care Pays Ransom to Recover PHI
Oct17

Namaste Health Care Pays Ransom to Recover PHI

A hacker gained access to a file server used by Ashland, MI-based Namaste Health Care and installed ransomware, encrypting a wide range of data including patients’ protected health information. Access was gained to the file server over the weekend of August 12-13 and ransomware was installed; however, prior to the installation of ransomware it is unclear whether patients’ PHI was accessed or stolen. The Ashland clinic discovered its data had been encrypted when staff returned to work on Monday, August 14. Prompt action was taken to prevent any further accessing of its file server, including disabling access and taking the server offline. An external contractor was brought in to help remediate the attack and remove all traces of malware from its system. In order to recover data, Namaste Health Care made the decision to pay the attacker’s ransom demand. In this case, a valid key was supplied by that individual and it was possible to unlock the encrypted files. The clinic was able to recover data and bring its systems back online after a few days. The incident prompted the clinic to...

Read More
8,362 Patients Potentially Impacted by Advanced Spine & Pain Center Breach
Oct17

8,362 Patients Potentially Impacted by Advanced Spine & Pain Center Breach

The San Antonio, TX, Advanced Spine & Pain Center (ASPC) has notified patients of a potential breach and unauthorized use of their protected health information. Potentially, as many as 8,362 patients have been affected by the incident. ASPC became aware of a potential breach of ePHI on July 31, 2017 when some patients reported receiving a telephone call claiming payment for an outstanding bill was required. An investigation was launched to determine whether ASPC systems had been breached. That investigation revealed unauthorized individuals had gained access to an ASPC server. Unauthorized access occurred even though extensive protections had been put in place, including firewalls, network filtering, security monitoring, password protection, and antivirus software. While unauthorized access was confirmed, it was unclear whether any sensitive information was accessed by those individuals. It was also not possible to determine whether the telephone calls received by some patients were linked to the security breach. Since it is possible that patients’ ePHI was viewed or obtained...

Read More
Q3, 2017 Healthcare Data Breach Report
Oct16

Q3, 2017 Healthcare Data Breach Report

In Q3, 2017, there were 99 breaches of more than 500 records reported to the Department of Health and Human Services’ Office for Civil Rights (OCR), bringing the total number of data breaches reported in 2017 up to 272 incidents. The 99 data breaches in Q3, 2017 saw 1,767,717 individuals’ PHI exposed or stolen. So far in 2017, the records of 4,601,097 Americans have been exposed or stolen as a result of healthcare data breaches. Q3 Data Breaches by Covered Entity Healthcare providers were the worst hit in Q3, reporting a total of 76 PHI breaches. Health plans reported 17 breaches and there were 6 data breaches experienced by business associates of covered entities. There were 31 data breaches reported in July, 29 in August, and 39 in September. While September was the worst month for data breaches, August saw the most records exposed – 695,228. The Ten Largest Healthcare Data Breaches in Q3, 2017 The ten largest healthcare data breaches reported to OCR in Q3, 2017 were all the result of hacking/IT incidents. In fact, 36 out of the 50 largest healthcare data breaches in...

Read More
Bill Introduced to Standardize State Data Breach Notification Laws
Oct16

Bill Introduced to Standardize State Data Breach Notification Laws

The HIPAA Breach Notification Rule explains how HIPAA covered entities and their business associates’ data breach response should include issuing notifications to patients, plan members and the HHS’ Office for Civil Rights. Healthcare organizations must also comply with state data breach notification laws, which in some U.S. states, requires notifications to be issued more rapidly. Those laws cover different types of information, have additional notification requirements, and in some states, require credit monitoring and identity theft protection services to be offered to breach victims. Currently, there are 48 separate state data breach notification laws. For a small health system operating in one or two states, keeping up to date with relevant state data breach notification laws is straightforward. For large health systems and health plans that operate in multiple states, keeping up to date with changes to state laws, and ensuring compliance with those laws, can be a challenge. Bill Proposes Standardization of State Data Breach Notification Laws Congressman Jim Langevin (D-RI)...

Read More
How Should You Respond to an Accidental HIPAA Violation?
Oct12

How Should You Respond to an Accidental HIPAA Violation?

The majority of HIPAA covered entities, business associates, and healthcare employees take great care to ensure HIPAA Rules are followed, but what happens when there is accidental HIPAA violation? How should healthcare employees, covered entities, and business associates respond? How Should Employees Report an Accidental HIPAA Violation? Accidents happen. If a healthcare employee accidentally views the records of a patient, if a fax is sent to an incorrect recipient, an email containing PHI is sent to the wrong person, or any other accidental disclosure of PHI has occurred, it is essential that the incident is reported to your Privacy Officer. Your Privacy Officer will need to determine what actions need to be taken to mitigate risk and reduce the potential for harm. The incident will need to be investigated, a risk assessment may need to be performed, and a report of the breach may need to be sent to the Department of Health and Human Services’ Office for Civil Rights (OCR). You should explain that a mistake was made and what has happened. You will need to explain which patient’s...

Read More
PHI of 10,500 Patients of an Illinois Psychiatrist Exposed
Oct12

PHI of 10,500 Patients of an Illinois Psychiatrist Exposed

The medical files of more than 10,000 patients of a Naperville, IL-based psychiatrist – Dr. Riaz Baber, M.D. – have been discovered in the basement of an Aurora property by the woman who rented the house from the psychiatrist. The files had been stored in the basement for at least 4 years. The tenant, Barbara Jarvis-Neavins, was allegedly provided with a key to the basement by the psychiatrist’s wife as access was required when workmen had to visit the property. She was told that she was required to accompany workmen when they needed access. Jarvis-Neavins said she wanted to report the presence of the files – and that she could access the storage area – but thought that by doing so she would be asked to vacate the property. When she was told that she had to move out as the house was being sold, she contacted law enforcement – including the FBI – and state regulators to report the unsecured files. The FBI referred her to the Department of Health and Human Services’ Office for Civil Rights and she filed a complaint. She also contacted NBC 5. NBC 5 reporters...

Read More
47GB of Medical Records and Test Results Found in Unsecured Amazon S3 Bucket
Oct11

47GB of Medical Records and Test Results Found in Unsecured Amazon S3 Bucket

Researchers at Kromtech Security have identified another unsecured Amazon S3 bucket used by a HIPAA-covered entity. The unsecured Amazon S3 bucket contained 47.5GB of medical data relating to an estimated 150,000 patients. The medical data in the files included blood test results, physician’s names, case management notes, and the personal information of patients, including their names, addresses, and contact telephone numbers. The researchers said many of the stored documents were PDF files, containing information on multiple patients that were having weekly blood tests performed. In total, approximately 316,000 PDF files were freely accessible. The tests had been performed in patient’s homes, as requested by physicians, by Patient Home Monitoring Corporation. Kromtech researchers said the data could be accessed without a password. Anyone with an Internet connection, that knew where to look, could have accessed all 316,000 files. Whether any unauthorized individuals viewed or downloaded the files is not known. The researchers were also unable to tell how long the Amazon S3 bucket...

Read More
Summary of September 2017 Healthcare Data Breaches
Oct10

Summary of September 2017 Healthcare Data Breaches

There were 39 healthcare data breaches involving more than 500 records reported to the Department of Health and Human Services’ Office for Civil Rights in September 2017. Those breaches resulted in the theft/exposure of 473,074 patients’ protected health information. September 2017 Healthcare Data Breaches September 2017 healthcare data breaches followed a similar pattern to previous months. Healthcare providers suffered the most breaches with 27 reported incidents, followed by health plans with 10 breaches, and 2 breaches reported by business associates of covered entities. The biggest cause of healthcare data breaches in September was unauthorized access/disclosures (18 breaches), closely followed by hacking and IT incidents (17 breaches). Three theft incidents were reported and one covered entity reported the loss of an unencrypted device containing ePHI. All of the incidents involving loss or theft of devices related to laptops. One incident also involved a desktop computer and another the theft of physical records. There were no reported cases of improper disposal of PHI....

Read More
Network Health Phishing Attack Impacts 51,000 Plan Members
Oct10

Network Health Phishing Attack Impacts 51,000 Plan Members

Wisconsin-based insurer Network Health has notified 51,232 of its plan members that some of their protected health information (PHI) has potentially been accessed by unauthorized individuals. In August 2017, some Network Health employees received sophisticated phishing emails. Two of those employees responded to the scam email and divulged their login credentials to the attackers, who used the details to gain access to their email accounts. The compromised email accounts contained a range of sensitive information including names, phone numbers, addresses, dates of birth, ID numbers, and provider information. No financial information or Social Security numbers were included in the compromised accounts, although certain individuals’ health insurance claim numbers and claim information was potentially accessed. The breach was detected rapidly and the affected accounts were shut down to limit the harm caused. An external cybersecurity consultant was brought in to assess the extent of the attack and perform a forensic analysis to determine whether access to other parts of the network...

Read More
Resold Fax Machine Prints Documents Containing PHI
Oct06

Resold Fax Machine Prints Documents Containing PHI

A fax machine used by a physician at Grand Rapids, MI, based Spectrum Health System was recently discovered to contain the PHI of around 20 patients. The fax machine was purchased from resale shop by a local resident, who discovered documents were still stored in the memory of the machine. When attempting to print off a fax transmission report, the device started printing documents containing sensitive patient information such as names, addresses, dates of birth, details of dependents, diagnoses, test results, and insurance information. The incident was brought to the attention of Wood TV’s Target 8 team, which investigated and traced the device to Spectrum Health’s Dr. Wendy Zink. Spectrum Health was contacted about the breach and Chief Privacy Officer Leah Voigt confirmed that all electronic equipment containing ePHI is sent to a business associate that ensures ePHI on the devices is permanently erased in accordance with HIPAA Rules. Spectrum Health has certification to prove that was the case and that the vendor also confirmed data had been permanently destroyed. The fax machine...

Read More
Texas Patients Just Informed of 2015 CoPilot Data Breach
Oct04

Texas Patients Just Informed of 2015 CoPilot Data Breach

Patients of a Texas orthopedic clinic are just finding out that some of their protected health information was exposed in a 2015 CoPilot data breach. In October 2015, a website maintained by CoPilot Provider Support Services was accessed by an unauthorized individual. That individual gained access to, and downloaded, the PHI of more than 220,000 patients. The website was used by providers to find out whether two drugs – ORTHOVISC® and MONOVISC® – were covered by the patients’ health insurance. CoPilot discovered its website had been breached on December 23, 2015, and launched an investigation. The individual who accessed the data was identified and the matter was reported to law enforcement. No information was believed to have been accessible by the public. While the incident was resolved, CoPilot delayed issuing breach notifications until January 2017. That delay resulted in a $130,000 fine from the New York Attorney General in June 2017. It has been two years since the breach, and eight months from when notifications were issued, but some breach victims are only just...

Read More
What are the HIPAA Breach Notification Requirements?
Oct04

What are the HIPAA Breach Notification Requirements?

All HIPAA covered entities must familiarize themselves with the HIPAA breach notification requirements and develop a breach response plan that can be implemented as soon as a breach of unsecured protected health information is discovered. While most HIPAA covered entities should understand the HIPAA breach notification requirements, organizations that have yet to experience a data breach may not have a good working knowledge of the requirements of the Breach Notification Rule. Vendors that have only just started serving healthcare clients may similarly be unsure of the reporting requirements and actions that must be taken following a breach. The issuing of notifications following a breach of unencrypted protected health information is an important element of HIPAA compliance. The failure to comply with HIPAA breach notification requirements can result in a significant financial penalty. With this in mind, we have compiled a summary of the HIPAA breach notification requirements for covered entities and their business associates. Summary of the HIPAA Breach Notification Requirements...

Read More
13,000 Patients Potentially Impacted by Mercy Health Love County Hospital Breach
Sep30

13,000 Patients Potentially Impacted by Mercy Health Love County Hospital Breach

A Mercy Health Love County Hospital breach has potentially impacted more than 13,000 patients in Oklahoma. On June 23, 2017, the hospital discovered an employee had stolen a laptop computer and paper records from a storage unit used by the hospital. According to the breach notice issued by Mercy Health, the records of 10 patients were taken from the storage unit along with the laptop. The theft of PHI was initially investigated by the Love County Sheriff’s Office. That investigation revealed the former employee had used the stolen information to fraudulently obtain credit cards in the patients’ names. A second individual is also understood to have been involved. While Mercy Health had up to 60 days to notify patients of the breach under HIPAA Rules, all ten patients were notified immediately. Mercy Health is working with the Love County Sherriff’s Office, the United States Postal Services, and the U.S. Secret Service which are all investigating the incident. Mercy Health said in its breach notice, “Although there is no evidence that files belonging to patients aside from the ten...

Read More
Our Lady of the Angels Hospital Breach Impacts 1,140 Patients
Sep29

Our Lady of the Angels Hospital Breach Impacts 1,140 Patients

Our Lady of the Angels Hospital has discovered a former employee accessed the medical records of 1,140 patients without authorization. The employee had been granted access to the protected health information in order to conduct work duties; however, hospital staff became aware the employee was accessing medical records without any legitimate work reason for doing so. The improper access was discovered on July 25, 2017, and the employee’s access to the medical record system was immediately terminated, as was the employee. Rene Ragas, President and CEO, Our Lady of the Angels Hospital, said, “Patient privacy is a top priority and we have a zero-tolerance policy for employees who improperly access patient data.” A thorough investigation was conducted to determine which patients had been impacted, which revealed the former employee had been inappropriately accessing the medical records of patients for more than three years. The Bogalusa, LA hospital was acquired by the Franciscan Missionaries of Our Lady Health System on March 17, 2014, which is the date given for when the improper...

Read More
PeaceHealth Employee Accessed Medical Records Without Authorization for Almost 6 Years
Sep29

PeaceHealth Employee Accessed Medical Records Without Authorization for Almost 6 Years

PeaceHealth, a not-for-profit Catholic health system based in Vancouver, WA, has discovered one of its former employees had accessed the medical records of almost 2,000 of its patients without any legitimate work reason for doing so. The unauthorized access was discovered by PeaceHealth on August 9, 2017, triggering an investigation. PeaceHealth determined the improper access started in November 2011 and continued until July 2017. The investigation confirmed Social Security numbers and financial information were not accessed by the employee, although patient names, medical record numbers, admission and discharge dates, medical diagnoses, and progress notes were all viewed. Due to the nature of information that was accessed, and the results of the internal investigation, PeaceHealth does not believe any patients impacted by the breach are at risk of identity theft. However, all impacted individuals have been advised to remain vigilant and review their credit reports and account statements for any sign of fraudulent activity. Patients impacted by the breach had visited either the...

Read More
Ransomware Attack Potentially Impacts 128,000 Arkansas Patients
Sep28

Ransomware Attack Potentially Impacts 128,000 Arkansas Patients

Arkansas Oral Facial Surgery Center in Fayetteville has experienced a ransomware attack that has potentially impacted up to 128,000 of its patients. Ransomware was believed to have been installed on its network between July 25 and 26, 2017. The attack was detected rapidly, although not before files, x-ray images, and documents had been encrypted. The incident did not result in the encryption of its patient database, except for a ‘relatively limited’ set of patients who data related to their recent visits encrypted. Those patients had visited the center for medical services in the three weeks prior to the ransomware attack. The ransomware attack is still under investigation, although to date, no evidence of data theft has been found. Arkansas Oral Facial Surgery Center believes the sole purpose of the attack was to extort money, and not to steal data; however, it has not been possible to rule out data access or data theft with a high degree of certainty. The files and images that were potentially accessed included information such as names, addresses, dates of birth, Social Security...

Read More
Another Healthcare Organization Attacked by The Dark Overlord
Sep26

Another Healthcare Organization Attacked by The Dark Overlord

Following a couple of months of relative quiet, the hacking group TheDarkOverlord has announced another successful attack on a U.S. healthcare provider, Mass-based SMART Physical Therapy (SMART PT). The hack reportedly occurred on September 13, 2017, with the announcement of the data theft disclosed by TDO on Twitter on Friday 22, 2017.  No mention was made about how access to the data was gained, although it was confirmed to databreaches.net that the attack took advantage of the use of weak passwords. The entire database of patients was reportedly stolen. Databreaches.net was provided with the patient database and has confirmed the authenticity of the attack. The database contained a wide range of information on 16,428 patients, including contact information, dates of birth and Social Security numbers. This was an extortion attempt and a demand for payment in Bitcoin was reportedly sent to SMART PT, although no payment has been made, nor will it be. SMART PT spokesperson Joanne Ponte confirmed to databreaches.net that they refuse to communicate with criminals and give in to the...

Read More
Lost Laptop Sees PHI of 3,725 Veterans Exposed
Sep25

Lost Laptop Sees PHI of 3,725 Veterans Exposed

A decommissioned laptop computer previously used by the Mann-Grandstaff VA Medical Center (MGVAMC) in Spokane, WA, has been discovered to be missing, potentially resulting in the exposure of sensitive patient data. The laptop was paired with a hematology analyzer and stored data related to hematology tests. The laptop was in use between April 2013 and May 2016, but was decommissioned when the device became unusable. The laptop, which had been supplied by a vendor, was replaced; however, an equipment inventory revealed the device to be missing. The device should have been returned to the vendor, although the vendor has no record of the laptop ever being recalled from MGVAMC. An inventory of equipment at the MGVAMC lab determined the device was missing. A full search of the medical center was conducted but the laptop could not be located. It was not possible to tell exactly what information had been stored on the device, or the exact number of patients whose protected health information may have been exposed. MGVAMC concluded all patients who submitted samples for hematology tests...

Read More
HIPAA Business Associate Data Breach Impacts 21,856 Individuals
Sep21

HIPAA Business Associate Data Breach Impacts 21,856 Individuals

The importance of reviewing system activity logs has been underscored by recent HIPAA business associate data breach. Nebraska-based CBS Consolidated Inc., doing business as Cornerstone Business & Management Solutions, conducted a routine review of system logs on July 10, 2017 and discovered an unfamiliar account on the server. Closer examination of that account revealed it was being used to download sensitive data from the server, including the protected health information of patients that used its medical supplies. 21,856 patients who received durable medical supplies from the company through their Medicare coverage have potentially been affected. The types of data obtained by the hacker included names, addresses, dates of birth, insurance details, and Social Security numbers. While personal information was exposed, the hacker was not able to obtain details of any medical conditions suffered by patients, nor details of any items purchased or financial information. It is currently unclear how the account was created, although an investigation into the incident is ongoing. CBS...

Read More
Fall in Healthcare Data Breaches in August: Rise in Breach Severity
Sep21

Fall in Healthcare Data Breaches in August: Rise in Breach Severity

Healthcare data breaches have fallen for the second month in a row, according to the latest installment of the Breach Barometer report from Protenus/Databreaches.net. In August, there were 33 reported healthcare data breaches, down from 36 incidents in July and 56 in June. While the reduction in data breaches is encouraging, that is still more than one healthcare data breach per day. August may have been the second best month of the year to date in terms of the number of reported incidents, but it was the third worst in terms of the number of individuals impacted. 575,142 individuals were impacted by healthcare data breaches in July, with the figure rising to 673,934 individuals in August. That figure will rise further still, since two incidents were not included in that total since it is not yet known how many individuals have been affected. The worst incident of the month was reported by Pacific Alliance Medical Center – A ransomware attack that impacted 266,133 patients – one of the worst ransomware incidents of the year to date. Throughout the year, insider incidents have...

Read More
The Compliancy Group Helps Imperial Valley Family Care Medical Group Pass HIPAA Audit
Sep20

The Compliancy Group Helps Imperial Valley Family Care Medical Group Pass HIPAA Audit

The Department of Health and Human Services’ Office for Civil Rights commenced the second round of HIPAA compliance audits late last year. The audit program consists of desk-based audits of HIPAA-covered entities and business associates, followed by a round of in-depth audits involving site visits. The desk audits have been completed, with the site audits put on hold and expected to commence in early 2018. Only a small number of covered entities have been selected to be audited as part of the second phase of compliance audits; however, covered entities that have escaped an audit may still be required to demonstrate they are in compliance with HIPAA Rules. In addition to the audit program, any HIPAA-covered entities that experiences a breach of more than 500 records will be investigated by OCR to determine whether the breach was the result of violations of HIPAA Rules. OCR also investigates complaints submitted through the HHS website. The first round of HIPAA compliance audits in 2011/2012 did not result in any financial penalties being issued, but that may not be the case for the...

Read More
1,081 St. Louis Patients Alerted About Improper PHI Disclosure
Sep20

1,081 St. Louis Patients Alerted About Improper PHI Disclosure

1,081 patients of the MS Center of Saint Louis and Mercy Clinic Neurology Town and Country are being informed that they may be contacted for marketing and research purposes by pharmaceutical companies and other third-parties, even though they may not have given their permission to be contacted. HIPAA Rules do not permit patients to be contacted for marketing or research purposes unless consent to do so has first been obtained. However, an error has resulted in patients’ information being disclosed to third parties in error and patients may be contacted by telephone, mail or email as a result. The MS Center and Mercy Clinic Neurology Town and Country report that medication onboarding forms were accidentally provided to pharmaceutical companies, even though the forms had not been signed by patients. The error also means patients’ protected health information has been impermissibly disclosed. Protected health information detailed on the forms includes names, email addresses, telephone numbers, home addresses, health insurance information, and in some cases, treatment and prescription...

Read More
Florida Healthy Kids Corporation Announces 2,000 Patients’ Impacted by Phishing Scam
Sep20

Florida Healthy Kids Corporation Announces 2,000 Patients’ Impacted by Phishing Scam

Reports of phishing attacks on healthcare organizations are arriving thick and fast. The latest HIPAA-covered entity to announce it has fallen victim to a phishing scam is Florida Healthy Kids Corporation, an administrator of the Florida KidCare program. On July 25, 2017, phishing emails started to arrive in the inboxes of members of staff, some of whom responded and inadvertently gave the attackers access to the sensitive information of members of the KidCare program. The phishing attack was identified the following day and access to the compromised email accounts was immediately blocked. While the incident was mitigated promptly, the attackers had access to email accounts and data contained in those accounts for approximately 24 hours. During that time, it is possible that the emails were accessed and sensitive information copied, although no reports of abuse of that information have been received and it is not clear whether any information was actually stolen. An analysis of the compromised email accounts revealed the personal information of 2,000 individuals was potentially...

Read More
5 Months to Notify Patients of Augusta University Medical Center Phishing Attack
Sep18

5 Months to Notify Patients of Augusta University Medical Center Phishing Attack

An Augusta University Medical Center phishing attack has resulted in an unauthorized individual gaining access to the email accounts of two employees. It is unclear exactly when the phishing attack was discovered, although an investigation into the breach was concluded on July 18, 2017. That investigation confirmed access to the employees’ email accounts was gained between April 20-21, 2017. Upon discovery of the breach, access to the email accounts was disabled and passwords were reset. The investigation did not confirm whether any of the information in the accounts had been accessed or copied by the attackers. Patients impacted by the breach have now been notified – five months after the breach occurred. Patients have been informed that the compromised email accounts contained sensitive information such as names, addresses, dates of birth, driver’s license numbers, financial account information, prescription details, diagnoses, treatment information, medical record numbers and Social Security numbers. The amount of information exposed varied for each patient. It is currently...

Read More
Phishing Attack Results in the Exposure of PHI at Morehead Memorial Hospital
Sep18

Phishing Attack Results in the Exposure of PHI at Morehead Memorial Hospital

Morehead Memorial Hospital in Eden, NC has announced two employees have fallen victim to a phishing attack that resulted in an unauthorized individual gaining access to their email accounts. Those accounts contained the protected health information of patients and sensitive information on employees. Upon discovery of the breach, access to the email accounts was blocked and the hospital performed a network-wide password reset. Leading computer forensics experts were hired to assist with the investigation and determine the extent of the breach. The investigation confirmed that access to the accounts was possible and sensitive patient and employee information could have been accessed. While no reports have been received to suggest any information in the accounts has been misused, the possibility of data access and data theft could not be ruled out. The types of information exposed includes names, health insurance payment summaries, health insurance information, treatment overviews, and a limited number of Social Security numbers. Phishing attacks such as this are common. Emails are...

Read More
Hospital Employee Fired Over 26,000-Record Arkansas DHS Privacy Breach
Sep18

Hospital Employee Fired Over 26,000-Record Arkansas DHS Privacy Breach

A former employee of the Arkansas Department of Human Services (DHS) has been fired from her new position at the state hospital for emailing spreadsheets containing the protected health information of patients to a personal email account. Yolanda Farrar worked as a payment integrity coding analyst for the DHS, but was fired on March 24, 2017. According to a statement issued by DHS spokesperson Amy Webb, Farrar was fired for “violations of DHS policy on professionalism, teamwork and diligent and professional performance.” The day previously, Farrar had spoken with her supervisor about issues relating to her performance and learned that she was about to be terminated. Within minutes of that conversation, Farrar emailed spreadsheets from her work email account to a personal email address. Farrar decided to take legal action against DHS for unfair dismissal. Attorneys working for DHS were preparing to represent the agency in court and were checking emails sent by Farrar through her work email account. They discovered the emails and spreadsheets on August 7. The DHS privacy...

Read More
Hospital Staff Discovered to Have Taken and Shared Photographs of Patient’s Genital Injury
Sep15

Hospital Staff Discovered to Have Taken and Shared Photographs of Patient’s Genital Injury

An investigation has been conducted into a privacy violation at the University of Pittsburgh Medical Center’s Bedford Memorial hospital, in which photographs and videos of a patient’s genitals were taken by hospital staff and in some cases, were shared with other individuals including non-hospital staff. The patient was admitted to the hospital in late December 2017, with photos/videos shared over the following few weeks. The patient was admitted to the hospital on December 23, 2016 with a genital injury – a foreign object had been inserted into the patient’s penis and was protruding from the end. The bizarre injury attracted a lot of attention and several staff members not involved with the treatment of the patient were called into the operating room to view the injury. Multiple staff members took photographs and videos of the patient’s genitals while the patient was sedated and unconscious. The privacy breach was reported by one hospital employee who alleged images/videos were being shared with other staff members not involved in the treatment of the patient. The complaint...

Read More
Hand Rehabilitation Specialists Suffers Breach of Almost 13,000 Patients’ PHI
Sep15

Hand Rehabilitation Specialists Suffers Breach of Almost 13,000 Patients’ PHI

Hand & Upper Extremity Centers has announced a security breach has potentially impacted almost 13,000 patients. The breach occurred at Thousand Oaks, CA-based Hand Rehabilitation Specialists (HRS). While it is unclear when the breach actually occurred, HRS was notified about a potential security incident on July 5, 2017. According to the substitute breach notice uploaded to the HBS website, an unauthorized individual is believed to have gained access to HBS systems and potentially viewed and exfiltrated patient data. As soon as HBS became aware of the incident, law enforcement was contacted and the Ventura County Sherriff’s Office conducted a forensic investigation of the computer system used by HBS. The incident was also reported to the Federal Bureau of Investigation. Law enforcement found no evidence to suggest any patient data had been exfiltrated, although it was not possible to rule out data theft with a high degree of certainty. The breach affects patients seen between 2004 and 2013, as well as their payment guarantors. The types of information potentially accessed...

Read More
New York Hospital Sued for Disclosing Patient’s HIV Status to Employer
Sep14

New York Hospital Sued for Disclosing Patient’s HIV Status to Employer

Earlier this year, the Department of Health and Human Services’ Office for Civil Rights settled a case with Mount Sinai St. Luke’s Hospital to resolve alleged HIPAA violations over a 2014 impermissible disclosure of a patient’s HIV positive status to his employer. St. Luke’s Hospital had faxed a document to the mailroom of the patient’s employer, rather than sending the information to a post office box as requested by the patient via his Authorization for Release of Medical Information form. The hospital, formerly known as the Spencer Cox Center for Health, also faxed the PHI of another patient to an office where he volunteered. St. Luke’s Hospital agreed to pay OCR $387,000 to resolve the case. St. Luke’s Hospital also agreed to a corrective action plan that required a review of its policies and procedures concerning PHI disclosures and further training of its employees. St. Luke’s Hospital accepted a mistake was made and the measures being undertaken will help to ensure similar incidents do not occur in the future. However, the hospital has refused to enter into a settlement...

Read More
Patient Health Records Discovered in a Denver Alley
Sep14

Patient Health Records Discovered in a Denver Alley

Approximately 70 patient files containing sensitive personal and medical information have been discovered in an alley in Denver, CO. The files contained details of patients’ medical histories, insurance information, and Social Security numbers – The types of information sought by identity thieves and fraudsters. The paperwork had been disposed of in a dumpster accessible by the public. The records came from the Blue Skies Clinic in Boulder, CO., which was purchased more than a decade ago from chiropractor Otsie Stowell, according to Fox31, Denver. Two chiropractors took control of the records of approximately 800-1000 patients when they bought the practice. Some of those records were stored in the basement of the practice, which was recently cleared. It is unclear how many records were disposed in the alley, although only 70 files were recovered. The records were disposed of by mistake and no one at the clinic was aware that sensitive information was being stored in the basement, according to a statement provided to FOX31 by one of the chiropractors, Rory Lee. Lee also apologized...

Read More
CareFirst Data Breach Lawsuit May be Heading to the Supreme Court
Sep14

CareFirst Data Breach Lawsuit May be Heading to the Supreme Court

In June 2014, hackers succeeded in gaining access to a database maintained by CareFirst BlueCross BlueShield and the protected health information of 1.1 million of its members. The types of information exposed as a result of the hack included names, email addresses, dates of birth, and subscriber ID numbers. Lawsuits were filed following the breach, with the plaintiffs seeking damages for the elevated risk of identity theft and fraud they faced as a result of the breach. In 2016, the U.S. District Court for the District of Columbia and dismissed one punitive class action lawsuit against CareFirst – Chantal Attias vs. Carefirst, Inc. – for lack of standing. Further complaints were also dismissed by two federal district courts. However, on August 1, 2017, the case was revived when the U.S. District Court for the District of Columbia allowed the case to proceed, even though there was not a concrete, identifiable injury to plaintiffs. CareFirst submitted a motion for a stay to allow an appeal to be filed with the Supreme Court. Last week, U.S. District Court for the...

Read More
Healthcare Industry Tops List for Class Action Data Breach Lawsuits
Sep13

Healthcare Industry Tops List for Class Action Data Breach Lawsuits

In 2016, the healthcare industry faced the most class-action data breach lawsuits, according to a new analysis of data breach lawsuits by the law firm, Bryan Cave, LLP, although the risk of litigation following a breach is still relatively low. To produce the 2017 data breach litigation report, Bryan Cave conducted a comprehensive review and analysis of all class action lawsuits filed by victims of data security breaches in 2016. The report explains that while there is always a threat of legal action being taken by data breach victims, the risk of a company facing litigation following a data breach is fairly low due to the difficult plaintiffs have establishing an injury has been caused. Year over year, there was a slight (7%) increase in class action lawsuits filed against companies that have experienced a data breach although there was a fall in the number of breaches that resulted in lawsuits. The report shows only 3.3% of data breaches in 2016 resulted in class action lawsuits compared to between 4%-5% in previous years. In total, 76 class actions were filed in 2016 as a result...

Read More
3,400 Patients of Children’s Hospital Colorado Potentially Impacted by Email Hack
Sep11

3,400 Patients of Children’s Hospital Colorado Potentially Impacted by Email Hack

Almost 3,400 patients of Children’s Hospital Colorado are being notified that some of their protected health information has potentially been accessed by an unauthorized individual who gained access to the email account of a staffer. The incident was discovered by the Aurora, CO hospital on July 11, 2017, prompting a full investigation to determine the scale and scope of the breach. A third-party computer forensics firm was hired to assist with the investigation to help identify how access to the email account was gained, whether any other systems had been compromised, and to identify any actions taken by the attacker. An analysis of data in the email account showed a limited amount of PHI was potentially compromised, including names, addresses, dates of birth, telephone numbers, medical diagnoses, treatment information and other clinical information. No financial information, insurance details, Social Security numbers or other highly sensitive data were exposed. The investigation confirmed the breach was limited to a single email account and its EHR was not affected. While access...

Read More
Mailing Error and PHI Breach Underscores Need for Greater Oversight
Sep08

Mailing Error and PHI Breach Underscores Need for Greater Oversight

Healthcare organizations must take care not to expose protected health information in mailings. Recently, there have been two incidents reported that involved sensitive information being disclosed as a result of a lack of oversight when corresponding with patients by mail. A third-party error resulted in details of HIV medications used by Aetna plan members being improperly disclosed. Letters were sent in sealed envelopes, although prescribed HIV medications were clearly visible through the clear plastic windows of the envelopes. Last year, Emblem Health sent a mailing in which patients’ Social Security numbers were accidentally printed on the outside of envelopes and the Ohio Department of Mental Health and Addiction Services sent a survey to patients on a postcard rather than using letters in sealed envelopes. In that case, the fact that the patient was, or had been, undergoing treatment for mental health issues was disclosed to any individual who happened to view the postcard. A similar incident has recently affected patients of University of Wisconsin-Madison’s Department of...

Read More
Community Memorial Health System Phishing Attack Reported
Sep07

Community Memorial Health System Phishing Attack Reported

The protected health information of almost 1,000 patients has potentially been accessed as a result of a recent Community Memorial Health System phishing attack. On June 22, 2017, a Community Memorial Health System employee responded to a phishing email and divulged his/her login credentials, allowing an unauthorized individual to gain access to a single email account. The employee realized the mistake the following day and reported the breach to the IT department, which launched an investigation to determine whether any patient information could have been accessed. The email account was discovered to contain a selection of protected health information including patients’ names, medical record numbers, dates of services, and a limited amount of health information. The Social Security numbers of some patients were also potentially compromised. No bank account information or credit/debit card numbers were exposed. The discovery of protected health information in the email account prompted Community Memorial Health System to bring in a computer forensics expert to determine whether...

Read More
OCR Head Expects Major HIPAA Settlement for a Big, Juicy, Egregious Breach in 2017
Sep06

OCR Head Expects Major HIPAA Settlement for a Big, Juicy, Egregious Breach in 2017

Roger Severino, the Director of the Department of Health and Human Services’ Office for Civil Rights (OCR) has stated his main enforcement priority for 2017 is to find a “big, juicy, egregious” HIPAA breach and to use it as an example for other healthcare organizations on the dangers of failing to follow HIPAA Rules. When deciding on which cases to pursue, OCR considers the opportunity to use the case as an educational tool to remind covered entities of the need to comply with specific aspects of HIPAA Rules. At the recent ‘Safeguarding Health Information’ conference run by OCR and NIST, Severino explained that “I have to balance that law enforcement instinct with the educational component that we do.” Severino went on to say, “I really want to make sure people come into compliance without us having to enforce. I want to underscore that.” Severino did not explain what aspect of noncompliance with HIPAA Rules OCR is hoping to highlight with its next big, juicy settlement, although no healthcare organization is immune to a HIPAA penalty if they are found to have violated HIPAA...

Read More
Alaska DHSS Discovers Malware Infection and Possible PHI Breach
Sep05

Alaska DHSS Discovers Malware Infection and Possible PHI Breach

A Trojan horse virus has been discovered on two computers used by the Alaska Department of Health and Social Services. The virus potentially allowed malicious actors to gain access to the data stored on the devices. Katie Marquette, Communications Director of the Alaska DHSS, issued a statement confirming there was “a potential HIPAA breach of more than 500 individuals.” At present, the exact number of individuals affected has not been disclosed. An analysis of the two malware-infected computers revealed the attackers, who are believed to be located in the Western region, may have been able to obtain sensitive information such as Office of Children’s Services (OCS) documents and reports. Those documents contained details of family case files, medical diagnoses and observations, personal information and other related information. The investigation into the breach is ongoing and the DHSS Information Technology and Security team is currently attempting to determine the exact nature of the breach and whether any sensitive data were accessed or exfiltrated. Individuals impacted by the...

Read More
Former Employee of The Neurology Foundation Discovered to Have Obtained Patient Data
Sep05

Former Employee of The Neurology Foundation Discovered to Have Obtained Patient Data

The Neurology Foundation in Providence, RI has investigated an employee who had been discovered to be using a company credit card to make unauthorized purchases. The investigation revealed that individual copied and removed a range of sensitive patient information from the organization. In breach of the Neurology Foundation’s policies, the former employee copied data relating to the Foundation’s patients onto an external hard drive which was stored in the employee’s home. The Neurology Foundation discovered the employee had copied data onto the hard drive during an exit interview on May 3, 2017. That revelation prompted the Foundation to retain a computer forensics firm to conduct an investigation into the employee’s activities and determine the types of data copied to the storage device and the number of patients impacted. That investigation also revealed the former employee had breached company policies by copying sensitive data onto his/her desktop computer and several zip drives. The information copied to the external storage device included patients’ names, addresses, phone...

Read More
19,000 Impacted by Medical Oncology Hematology Consultants Ransowmare Incident
Sep04

19,000 Impacted by Medical Oncology Hematology Consultants Ransowmare Incident

A server and several workstations used by Newark, Delaware-based Medical Oncology Hematology Consultants (MOHC) have had sensitive data encrypted by ransomware. The ransomware attack was discovered on July 7, 2017, although the attack first started around three weeks previously on June 17. The attack resulted in certain electronic files being encrypted, preventing access to data. Upon discovery of the attack, MOHC launched an investigation to determine the extent of the attack, the files affected, and whether any protected health information had been accessed or stolen. In addition to the Internal investigation, a third-party cybersecurity firm was contracted to assist with the recovery of encrypted data. MOHC determined that some of the encrypted files contained patients’ protected health information which could potentially have been accessed during the attack. The types of information potentially compromised were limited to patients’ names, phone numbers, dates of birth, health and treatment information. In total, 19,203 patients were potentially impacted by the incident. MOHC...

Read More
106,000 Mid-Michigan Physicians’ Patients Potentially Impacted by Breach
Aug31

106,000 Mid-Michigan Physicians’ Patients Potentially Impacted by Breach

The protected health information of 106,000 current and former patients of the radiology center of Mid-Michigan Physicians has potentially been compromised. McLaren Medical Group, which manages Mid-Michigan Physicians, has announced that the breach affected a system that stored scanned internal documents such as physician orders and scheduling information, which included protected health information such as names, addresses, telephone numbers, dates of birth, Social Security numbers, medical record numbers, and diagnoses. McLaren Medical Group discovered the breach in March this year, although the investigation into the security breach was protracted and notifications were delayed until the investigation was completed. That investigation confirmed the protected health information of seven individuals was definitely accessed, although potentially, the records of 106,000 patients could also have been viewed as a result of the radiology center’s system being compromised. McLaren Medical Group says its computer system has been reconstructed with additional security protections in place...

Read More
Lawsuit Filed Against Aetna for Disclosure of HIV Status of Patients
Aug31

Lawsuit Filed Against Aetna for Disclosure of HIV Status of Patients

A class action lawsuit has been filed against Aetna following a privacy breach that saw the HIV positive status of up to 12,000 individuals impermissibly disclosed. Details of prescribed HIV medications were visible through the clear plastic windows of envelopes, along with individuals’ names and addresses, in a recent mailing. The letters related to pharmacy benefits and information on how HIV medications could be received. As a result of an error, which has been attributed to letters slipping inside the envelopes, many individuals had had their HIV status disclosed to neighbors, family members and roommates. While breach notification letters have been sent to 12,000 individuals who received the mailing, it is unclear exactly how many individuals had details of their HIV medications disclosed. Last week, Aetna announced that “this type of mistake is unacceptable,” and confirmed action was being taken to ensure proper safeguards are put in place to prevent similar incidents from happening. However, for individuals affected by the error, serious and irreparable harm has been caused....

Read More
Website Update Exposes PHI of 8,800 Silver Cross Hospital Patients
Aug29

Website Update Exposes PHI of 8,800 Silver Cross Hospital Patients

Silver Cross Hospital in New Lenox, IL, has learned that the protected health information of 8,862 patients has been exposed as a result of a software update performed by a business associate that manages certain parts of its website. The software upgrade was performed on the website in November 2016, which resulted in security settings being inadvertently reconfigured. As a result, information entered by patients in webforms was made available over the Internet and could potentially have been accessed by unauthorized individuals. Silver Cross Hospital said change to the security settings was discovered internally on June 14, 2017. The vendor was immediately contacted and the site was rapidly secured. A computer forensics firm was contracted to perform an analysis of the website to establish whether any of the exposed information had been accessed by unauthorized individuals during the seven months that data were accessible. The investigation did not uncover any evidence to suggest unauthorized individuals navigated to the forms and viewed patient health information, although the...

Read More
Ransomware Attack on Salina Family Healthcare Impacts 77,000 Patients
Aug29

Ransomware Attack on Salina Family Healthcare Impacts 77,000 Patients

In June, ransomware was installed on servers and workstations at Salina Family Healthcare in Kansas resulting in the encryption and potential disclosure of patients’ protected health information. The attack occurred on June 18, 2017. Salina Family Healthcare was able to limit the extent of the attack by taking swift action to secure its systems. It was also possible to restore the encrypted data from recent backups so no ransom needed to be paid. A third-party computer forensics firm was contracted to analyze its systems to determine how the ransomware was installed and whether the attackers succeeded in gaining access to or stealing patient data. While evidence of data theft was not uncovered, the firm was unable to rule out the possibility that the actors behind the attack viewed or copied patient data. The protected health information potentially accessed includes names, addresses, dates of birth, Social Security numbers, medical treatment information, and health insurance details. While data access was possible, no reports have been received to suggest any information has...

Read More
Third-Party Mailing Error Sees Aetna Plan Members’ HIV Status Disclosed
Aug25

Third-Party Mailing Error Sees Aetna Plan Members’ HIV Status Disclosed

Aetna is in the news again for the wrong reasons, having experienced another protected health information breach. The latest incident impacts approximately 12,000 Aetna plan members and resulted in highly sensitive information being disclosed to unauthorized individuals. An error was made in a recent mailing to plan members. That error resulted in the HIV positive of members being disclosed to other individuals. The letters advised plan members about their options for filling in their HIV prescriptions. However, some of that information was visible through the transparent plastic window in the envelope along with names and addresses. The mailing was sent by a third-party vendor on July 28, 2017. Aetna was notified of the error by the Legal Action Center and the AIDS Law Project of Pennsylvania, which in turn were notified of the error by some individuals whose HIV status had been disclosed. Those individuals said that in addition to the information being visible to the mailman, the letters had been viewed by roommates, neighbors and family members. The potential harm caused by an...

Read More
Credit Monitoring Services Must Now Be Offered to Breach Victims in Delaware
Aug24

Credit Monitoring Services Must Now Be Offered to Breach Victims in Delaware

For the first time in 10 years, Delaware has amended its data breach notification law and has now introduced some of the strictest requirements of any state. Any ‘person’ operating in the state of Delaware must now notify individuals of the exposure or theft of their sensitive information and must offer breach victims complimentary credit monitoring services for 12 months. Connecticut was the first state to introduce similar laws, with California also requiring the provision of credit monitoring services to breach victims. Breach victims must also be advised of security incidents involving their sensitive information ‘as soon as possible’ and no later than 60 days following the discovery of a breach. The new law also requires companies operating in the state to implement “reasonable” security measures to safeguard personal information – Delaware is the 14th state to require companies to adopt security measures to ensure sensitive information is protected. The definition of ‘personal information’ has also been expanded and now includes usernames/email addresses in combination with a...

Read More
MJHS Phishing Attack Result in the Exposure of 28,000 Individuals’ PHI
Aug24

MJHS Phishing Attack Result in the Exposure of 28,000 Individuals’ PHI

There has been a spate of phishing attacks on healthcare organizations in the past few weeks. The increased threat of attacks prompted the Department of Health and Human Services’ Office for Civil Rights to issue a warning to healthcare organizations, urging them to improve their defenses by conducting regular security awareness training sessions for employees. Phishing is the number one attack vector for delivering malware and successful attacks can result in the theft of considerable amounts of sensitive data. Email accounts contain a wide range of sensitive data on patients – information that can be used to commit identity theft and medical fraud, although oftentimes attacks are conducted to gain access to emails accounts for the purposes of spamming. In the case of the phishing attack on MJHS, the motive of the malicious actor is unknown. Fortunately, rapid identification and mitigation of the attack limited the attacker’s window of opportunity. The compromised email accounts were secured before the accounts could be used to send any emails, although it is possible that the...

Read More
34,000 Impacted by Ransomware Attack at St. Mark’s Surgical Center
Aug23

34,000 Impacted by Ransomware Attack at St. Mark’s Surgical Center

Another healthcare organization has been attacked with ransomware, resulting in the protected health information of almost 34,000 patients being encrypted and made inaccessible. St. Mark’s Surgical Center in Fort Myers, FL experienced the ransomware attack on April 13, 2017, which prevented patient data from being accessed until April 17, 2017. The ransomware was installed on the center’s server which contained patient’s names, dates of birth, Social Security numbers and treatment information. An investigation into the breach was immediately conducted to determine the extent of the attack and to find out which data had been encrypted and the number of patients impacted. That investigation revealed the protected health information of 33,877 patients was potentially accessed by the attackers. A third-party cybersecurity firm was called in to assist with the removal of the ransomware and to conduct a thorough forensic investigation. The firm was able to confirm that all traces of the malware were removed and further access to the server was blocked. The firm also investigated whether...

Read More
Institute for Women’s Health Hacked: PHI Potentially Compromised
Aug21

Institute for Women’s Health Hacked: PHI Potentially Compromised

Ransomware attacks on healthcare organizations have increased, although that is far from the only malware threat. Keylogging malware can be used to obtain sensitive information such as login credentials, or in the case of the San Antonio Institute for Women’s Health (IFWH), credit and debit card information as it was entered into its system. The keylogging malware was discovered on the IFWH network on July 6, 2017, prompting a forensic investigation of its systems. That investigation revealed the malware had been installed on June 5, although it took until July 11 for the malware to be removed from the majority of its systems and a further two days for IFWH to confirm that the malware had been completely removed from all terminal servers and workstations. During the time that the malware was present, it recorded and transmitted sensitive data as information was entered into its system. The types of data recorded by the malware between June 5 and July 11 includes names, dates of birth, addresses, Social Security numbers, scheduling notes, current procedural technology and other...

Read More
Healthcare Hacking Incidents Overtook Insider Breaches in July
Aug18

Healthcare Hacking Incidents Overtook Insider Breaches in July

Throughout 2017, the leading cause of healthcare data breaches has been insiders; however, in July hacking incidents dominated the breach reports. Almost half of the breaches (17 incidents) reported in July for which the cause of the breach is known were attributed to hacking, which includes ransomware and malware attacks. Ransomware was involved in 10 of the 17 incidents. The Protenus Breach Barometer report for July shows there were 36 reported breaches – The third lowest monthly total in 2017 and a major reduction from the previous month when 52 data breaches were reported – the worst month of the year to date by some distance. In July, 575,142 individuals are known to have been impacted by healthcare data breaches, although figures have only been released for 29 of the incidents. The worst breach reported in July – a ransomware attack on Women’s Health Care Group of PA – impacted 300,000 individuals. While hacking incidents are usually lower than insider breaches, they typically result in the theft or exposure of the most healthcare records. July was no exception....

Read More
Lake Health Informs OB Patients of TriPoint Medical Center Breach
Aug18

Lake Health Informs OB Patients of TriPoint Medical Center Breach

A log book containing the protected health information of approximately 750 obstetrics patients of TriPoint Medical Center in Concord Township, Ohio has been discovered to be missing. All obstetrics departments are required by the Ohio Department of Health to maintain a log book detailing deliveries. The log book contained only limited protected health information of patients and the loss/theft of the logbook did not result in the exposure of any highly sensitive information such as Social Security numbers, financial information, or details of health insurance. However, out of an abundance of caution, all individuals affected by the incident have been notified of the breach by mail and have been offered membership to an identity theft protection program for 12 months without charge. Lake Health, which operates the medical center, was informed of the lost logbook in June and launched an investigation and conducted a risk assessment the same day. While the logbook has not been located, Lake Health has confirmed that none of the information in the log book has been lost. All...

Read More
Ransomware Attack Suffered by Cove Family and Sports Medicine
Aug17

Ransomware Attack Suffered by Cove Family and Sports Medicine

A ransomware attack on Cove Family and Sports Medicine and Krichev Family Medicine, P.C., in Huntsville, Alabama resulted in the medical records and personal information of 4,300 patients being encrypted. Ransomware was installed on April 14, 2017. Cove Medicine had backed up its data and was able to reinstall its operating system and recover encrypted files from backups, without having to resort to paying the ransom. However, while the majority of PHI could be recovered, the backup devices were connected to its system at the time of the attack and some data were encrypted. Consequently, some information could not be recovered. Lost data was restricted to internal notes taken during visits dating back two years. Cove Medicine believes all other data have been recovered and the ability to provide medical services to patients has not been affected. Some ransomware attacks have involved data theft although, in this case, no evidence of data theft has been uncovered and there was no indication systems were accessed prior to the deployment of ransomware. The purpose of the attack is...

Read More
August Sees OCR Breach Reports Surpass 2,000 Incidents
Aug16

August Sees OCR Breach Reports Surpass 2,000 Incidents

Following the introduction of the HITECH Act in 2009, the Department of Health and Human Services’ Office for Civil Rights has been publishing summaries of healthcare data breaches on its Wall of Shame.  August saw an unwanted milestone reached. There have now been more than 2,000 healthcare data breaches (impacting more than 500 individuals) reported to OCR since 2009. As of today, there have been 2,022 healthcare data breaches reported. Those breaches have resulted in the theft/exposure of 174,993,734 individuals’ protected health information. Healthcare organizations are getting better at discovering and reporting breaches, but the figures clearly show a major hike in security incidents. In the past three years, the total has jumped from around 1,000 breaches to more than 2,000. The recent KPMG 2017 Cyber Healthcare & Life Sciences Survey showed that 47% of healthcare organizations have experienced a data breach in the past two years, up from 37% in 2015 when the survey was last conducted. An ITRC/CyberScout study showed there has been a 29% increase in data breaches so far...

Read More
Surgical Dermatology Group Informs Patients of Cloud Services Provider Breach
Aug14

Surgical Dermatology Group Informs Patients of Cloud Services Provider Breach

Hackers have gained access to a server maintained by cloud hosting and server management provider TekLinks and have potentially accessed/copied the protected health information of patients of Surgical Dermatology Group in Birmingham, AL. The intrusion was discovered on or around May 1, 2017, although the breach investigation revealed access to the server was first gained on March 23, 2017. TekLinks said access to the server was blocked on May 1, and its monitoring systems showed no access took place between April 22 and May 1, although it is possible data were viewed or copied in the previous four weeks. Surgical Dermatology Group has been working with forensic investigators to determine the nature and scope of the breach and reports that a wide range of protected health information was potentially accessed. The types of data stored on the compromised server includes patients’ names, home and work telephone numbers, cell phone numbers, addresses, email addresses, medical record numbers, patient ID numbers, Social Security numbers, health plan numbers, details of charges and...

Read More
Pacific Alliance Medical Center Announces Ransomware Attack
Aug14

Pacific Alliance Medical Center Announces Ransomware Attack

A ransomware attack on the Los Angeles Pacific Alliance Medical Center has potentially resulted in the attackers gaining access to the protected health information of its patients. The attack occurred on or around June 14, 2017. Pacific Alliance Medical Center became aware that its systems had been compromised when files started to be encrypted. The incident triggered Pacific Alliance Medical Center’s emergency response procedures and its networked computer systems were rapidly shut down to prevent the spread of the virus. The Information Technology Department conducted an initial investigation which revealed several computer systems had been attacked. The forensic investigation has now been completed, the virus has been removed and data have been successfully decrypted. It is unclear whether a ransom was paid. Efforts are continuing to restore its systems and improve protections to ensure incidents such as this are prevented in the future. Those measures include enhanced antivirus protection and other system safeguards. All affected individuals have now been notified of the breach...

Read More
Missouri Care Notifies Medicaid Recipients of Subcontractor Breach
Aug14

Missouri Care Notifies Medicaid Recipients of Subcontractor Breach

A mailing error by a subcontractor of Missouri Care Inc., has resulted in the protected health information of 1,223 participants being impermissibly disclosed to other individuals. The MO HealthNet-managed care plan was informed of the breach by O’Neil Printing on July 20, 2017. The privacy breach has been attributed to a software programming error. The error potentially resulted in the names, birth dates, MO HealthNet ID numbers and Missouri Care member ID numbers of Medicaid recipients being mailed to incorrect recipients. The Missouri Department of Social Services has confirmed that Social Security numbers, financial information and medical information were not involved. O’Neil Printing identified the cause of the error and has since corrected its software to prevent further mis-mailings. The error only affected mailings on July 11 and July 13, 2017. Missouri Care has been working closely with MO HealthNet to ensure affected individuals were notified promptly. Letters informing participants of the privacy breach were recently sent in the mail, well within the deadline of the...

Read More
3,400 Patients’ PHI Potentially Compromised in City of Hope Phishing Attack
Aug10

3,400 Patients’ PHI Potentially Compromised in City of Hope Phishing Attack

A phishing attack on City of Hope has resulted in cybercriminals gaining access to the email accounts of four employees. The emails made it past spam filtering controls and were delivered to employees on May 31 and June 2, 2017. Four employees responded to the requests and disclosed their login credentials to the attackers. City of Hope says the emails appeared to have been sent from a trustworthy source. The attackers used the login credentials to access the accounts, although City of Hope was unable to determine the scope or nature of access. On July 21, City of Hope confirmed that three of the accounts contained patients’ protected health information. The protected health information in the emails included names, addresses, email addresses, contact telephone numbers, dates of birth, dates of service, diagnoses, test results, medication information, and other clinical data. No financial information, insurance details, or Social Security numbers were exposed or accessed. Phishing attacks such as this are not always concerned with obtaining protected health information. Oftentimes,...

Read More
Maryland Data Breach Notification Law Updated
Aug07

Maryland Data Breach Notification Law Updated

Maryland data breach notification law has been updated, with the definition of personal information now expanded. The current data breach notification statute in Maryland does not include health insurance information or data covered under the definition of the Health Insurance Portability and Accountability Act (HIPAA), although from January 1, 2018 that will change. Maryland data breach notification law – specifically the Maryland Personal Information Protection Act – requires breach notification letters to be sent to all Maryland residents affected by a breach of personal information. Those notifications must be issued as soon as it is practicable to do so, but no later than 45 days after the discovery of a data breach that has resulted in personal information being misused or if it is likely that data could be misused. The current definition of personal information includes a Maryland resident’s first and last name or initial and last name along with either a driver’s license number, Social Security number, financial account number, credit or debit card number (with a security...

Read More
4,271 UC Health Patients Notified of Insider Data Breach
Aug04

4,271 UC Health Patients Notified of Insider Data Breach

Cincinnati’s UC Health has discovered a former employee of its Daniel Drake Center for Post-Acute Care had been accessing the medical records of its patients without authorization for almost two years. The first recorded instance of inappropriate access occurred on July 29, 2015, with periodic access continuing until June 2, 2017. During that time, the medical records of 4,271 patients had been accessed without authorization or any legitimate work reason for doing so. The types of information accessed by the individual included patients’ names, medical record numbers, birth dates, lab test results, diagnoses, treatment information and other clinical data. However, financial information and Social Security numbers were stored separately and were not accessed. Due to the range of data that was accessed, patients have been offered credit monitoring and identity theft protection services through Experian for a period of one year without charge. Patients affected by the privacy breach were notified by mail on August 1. UC Health reports that the employee was terminated as soon as it was...

Read More
Northwest Rheumatology Discovers PHI Potentially Accessed During Ransomware Attack
Aug03

Northwest Rheumatology Discovers PHI Potentially Accessed During Ransomware Attack

Northwest Rheumatology of Tuscon, Arizona has announced that some of its computer systems were taken out of action following a ransomware infection on April 10, 2017. Following any ransomware attack, HIPAA-covered entities must conduct an investigation to determine the extent of the attack and whether patient’s protected health information has been compromised. If a covered entity can determine with a high degree of certainty that protected health information has not been accessed, viewed or stolen – or in the case of ransomware ePHI was not encrypted – patients do not need to be notified and a report does not need to be sent to Office for Civil Rights. When the attack was discovered, Northwest Rheumatology called on its computer security vendor to complete a full investigation into the attack to determine the extent to which data had been encrypted and if any PHI had been compromised. Northwest Rheumatology was informed by its vendor that the ransomware attack was limited and no protected health information had been encrypted, accessed or copied. Consequently, patient...

Read More
Phishing Email Response Compromises PHI of 2,800 Patients
Aug03

Phishing Email Response Compromises PHI of 2,800 Patients

A response to a phishing email has resulted in the PHI of 2,789 Kaleida Health patients being made accessible to cybercriminals. Kaleida Health discovered the attack on May 24, 2017, prompting a full investigation which involved hiring a third-party computer forensic firm. An analysis of its systems showed that by responding to the phishing email, the employee had provided access to his/her email account. While access to Kaleida Health’s EHR was not gained, the email account contained a range of protected health information of a small subset of its patients. The types of data in the account varied for each patient, but may have included names, dates of birth, medical record numbers, diagnoses, treatment and other clinical data. However, no financial information or Social Security numbers were exposed at any time. While access to the email account was possible, no evidence was uncovered to suggest that the emails were accessed or any protected health information was viewed or copied. However, since the possibility of data access could not be ruled out with a high degree of...

Read More
Protenus Provides Insight into 2017 Healthcare Data Breach Trends
Aug03

Protenus Provides Insight into 2017 Healthcare Data Breach Trends

Protenus, in conjunction with Databreaches.net, has produced its Breach Barometer mid-year review. The report covers all healthcare data breaches reported over the past 6 months and provides valuable insights into 2017 data breach trends. The Breach Barometer is a comprehensive review of healthcare data breaches, covering not only the data breaches reported through the Department of Health and Human Services’ Office for Civil Rights’ breach reporting tool, but also media reports of incidents and public findings. Prior to inclusion in the report, all breaches are independently confirmed by databreaches.net. The Breach Barometer reports delve into the main causes of data breaches reported by healthcare providers, health plans and their business associates. In a webinar on Wednesday, Protenus Co-Founder and president Robert Lord and Dissent of databreaches.net discussed the findings of the mid-year review. Lord explained that between January and June 2017 there have been 233 reported data breaches. Those breaches have impacted 3,159,236 patients. The largest reported breach in the...

Read More
Beazley Insights: 133% Increase in Healthcare Ransomware Demands
Aug02

Beazley Insights: 133% Increase in Healthcare Ransomware Demands

Beazley has released its half-yearly Insights report detailing the causes of data breaches experienced by its clients between January and June 2017. Across the four industries covered by the report, hacks and malware – including ransomware- caused the highest percentage of breaches – 32% of the 1,330 incidents that the firm helped mitigate in the first half of 2017. In the professional services industry, hacks/malware incidents accounted for 44% of the 1H total, in higher education it was 43% and the financial services was on 37%. Only healthcare bucked the trend with hacks/malware accounting for 18% of the total – the second biggest cause of incidents affecting the industry. The report shows that the first six months of the year saw a 50% increase in ransomware attacks across all industries, with the healthcare sector experiencing the highest increase in ransomware demands, jumping 133% in those six months. While malware/ransomware attacks may top the list of breach causes, they are closely followed by accidental breaches caused by employees or third-party suppliers, which...

Read More
CareFirst Can Be Sued for Breach, Rules Court of Appeals
Aug02

CareFirst Can Be Sued for Breach, Rules Court of Appeals

The D.C. Circuit Court of Appeals has ruled that CareFirst can be sued for a 2014 data breach that saw the PHI of more than 1 million members exposed and potentially stolen. Following the announcement of the data breach, a lawsuit was filed by seven plaintiffs to recover damages, although in August last year the case was dismissed by a district court judge for lack of standing. The plaintiffs alleged that the breach had occurred as a result of the carelessness of CareFirst, and as a direct result of that carelessness, they faced an increased risk of suffering identity theft and fraud. The district court judge dismissed the case as the plaintiffs failed to establish harm, or a significant threat of future harm. The judge explained that “merely having one’s personal information stolen in a data breach is insufficient to establish standing to sue the entity from whom the information was taken.” However, the three-judge panel overturned the previous ruling claiming the interpretation of the law was ‘unduly narrow’, explaining that all the plaintiffs were required to establish at that...

Read More
Nuance Communications Decides Not to Report NotPetya Attack to OCR
Aug02

Nuance Communications Decides Not to Report NotPetya Attack to OCR

As the Department of Health and Human Services’ Office for Civil Rights has previously explained in its ransomware guidance, if ePHI is encrypted, ransomware attacks are usually HIPAA breaches and are reportable incidents. OCR says out in its ransomware guidance that “Whether or not the presence of ransomware would be a breach under the HIPAA Rules is a fact-specific determination,” going on to explain that the definition of a breach in HIPAA is “the acquisition, access, use, or disclosure of PHI in a manner not permitted under the [HIPAA Privacy Rule] which compromises the security or privacy of the PHI.” A ransomware attack qualifies as a HIPAA breach because the actions of the attackers have resulted in the acquisition of PHI, in the sense that unauthorized individuals have taken control of the data. The only time that a breach report – and notifications to patients – would not be required would be if the covered entity can demonstrate “a low probability that the PHI has been compromised.” OCR suggest covered entities can make that determination after a risk assessment has...

Read More
47% of Healthcare Organizations Have Experienced A HIPAA Data Breach in the Past 2 Years
Jul31

47% of Healthcare Organizations Have Experienced A HIPAA Data Breach in the Past 2 Years

The KPMG 2017 Cyber Healthcare & Life Sciences Survey shows there has been a 10 percentage point increase in reported HIPAA data breaches in the past two years. The survey was conducted on 100 C-suite information security executives including CIOs, CSOs, CISOs and CTOs from healthcare providers and health plans generating more than $500 million in annual revenue. 47% of healthcare organizations have reported a HIPAA data breach in the past two years, whereas in 2015, when the survey was last conducted, 37% of healthcare organizations said they had experienced a security-related HIPAA breach in the past two years. Preparedness for data breaches has improved over the past two years. When asked whether they were ready to deal with a HIPAA data breach, only 16% of organizations said they were completely ready in 2015. This year, 35% of healthcare providers and health plans said they were completely ready to deal with a breach if one occurred. Ransomware has become a major threat since the survey was last conducted. 32% of all respondents said they had experienced a security breach...

Read More
10,000 Plastic Surgery Patients Informed of Ransomware-Related PHI Breach
Jul28

10,000 Plastic Surgery Patients Informed of Ransomware-Related PHI Breach

10,200 patients of Plastic Surgery Associates of South Dakota are being notified that some of their protected health information was potentially compromised as a result of a ransomware attack in February this year. Plastic Surgery Associates of South Dakota discovered ransomware had been installed on some of its systems on February 12, 2017. Rapid action was taken to remove the ransomware and third-party forensics experts were brought in to investigate and determine the extent of the breach and which, if any, patients had been impacted. Fortunately, while data were encrypted, the majority of its patients were not impacted by the incident and did not have any of their data accessed or encrypted. However, the process of restoring data resulted in critical files being lost. Those files contained evidence that could have been used to confirm that some patients had not been impacted by the incident. On April 24, Plastic Surgery Associates of South Dakota decided that without access to that evidence it was not possible to rule out PHI access for 10,200 of its patients with a high degree...

Read More
Anthem Business Associate Data Breach Impacts 18,500 Plan Holders
Jul28

Anthem Business Associate Data Breach Impacts 18,500 Plan Holders

Anthem Inc., has only recently settled the lawsuit arising from its 2015 data breach that affected 78.8 million plan holders. Now, thousands of its members are being notified that their protected health information has been exposed in another incident. This time it was not a cyberattack, but a data breach involving an employee of one of its business associates, Indiana-based LaunchPoint Ventures LLC. LaunchPoint is contracted to provide coordination services, for which it required to be provided with access to plan members’ protected health information. On April 12, 2017, LaunchPoint became aware that one of its employees was alleged to have been involved in identity theft related activities, prompting the firm to launch an investigation into the possibility of data theft. The business associate hired the services of a third-party forensic firm to assist with the investigation. On May 28, 2017, LaunchPoint learned that other ‘non-Anthem’ data may also have been compromised. On June 12, 2017, it was confirmed that the PHI of 18,580 Anthem health plan members had been accessed. The...

Read More
Phishing Scam Fools University of Vermont Medical Center Employees into Revealing Login Credentials
Jul26

Phishing Scam Fools University of Vermont Medical Center Employees into Revealing Login Credentials

A phishing campaign targeting University of Vermont Medical Center (UVMC) has resulted in criminals gaining access to UVMC email accounts. The phishing emails were sent in late May and two employees responded. Doing so allowed the attackers to temporarily gain access to their email accounts. The phishing emails were part of a large campaign sent to many UVMC employees. Fortunately, only two individuals responded. The emails appeared to have been sent from within the organization. The accounts were compromised on May 22, and on May 24 UVMC detected spam emails being sent from the accounts and shut them down to minimise the damage caused. The electronic medical record system was not compromised, although the email accounts did contain protected health information (PHI) such as names, medical record numbers, addresses, details of medications, medical diagnoses and treatment information.  No Social Security numbers, insurance information or financial data were compromised. It is possible that the purpose of the attack was not to gain access to PHI, only to use the email accounts to...

Read More
4-Month Data Breach Discovered During Ransomware Investigation: 300,000 Patients Impacted
Jul26

4-Month Data Breach Discovered During Ransomware Investigation: 300,000 Patients Impacted

Women’s Health Care Group of Pennsylvania, one of the largest healthcare networks in the state, has alerted approximately 300,000 patients that some of their sensitive protected health information has been compromised. The types of data exposed – and potentially stolen – include names, addresses, dates of birth, lab test orders, lab test results, blood types, race, gender, pregnancy status, medical record numbers, employer information, insurance details, medical diagnoses, physicians’ names and Social Security numbers. Identity theft protection services are being offered to all affected patients. Those individuals would do well to activate those services promptly, as hackers gained access to a server and workstation containing the above information in January this year, with access to systems possible until at least May. In May, a virus was installed on a server/workstation preventing the hospital from accessing patient data. While ransomware can be installed as a result of a phishing email or software vulnerability, in this case it appears to have been deployed by...

Read More
Protected Health Information Stolen in Vision Care Specialists Burglary
Jul24

Protected Health Information Stolen in Vision Care Specialists Burglary

The price of medical information on the black market may be high, but it is relatively rare for paper records to be stolen during break-ins. However, a burglary at Vision Care Specialists’ administrative offices in Denver, CO saw paperwork containing the PHI of patients taken by thieves. The burglary was discovered on May 22, 2017 and law enforcement was called in to investigate. An inventory was conducted to determine what items were taken by the thieves and third party forensic investigators were called in to ascertain whether its systems had been accessed. That investigation did not uncover any evidence to suggest electronic medical information had been accessed, although on July 5, Vision Care Specialists discovered that paperwork containing the protected health information of some of its patients had been removed from its offices. The documents contained a range of sensitive information including names, dates of birth, Social Security numbers, medical information, health conditions/diagnoses, financial information and health insurance details. While no reports have been...

Read More
Hospital Employee Discovered to Have Accessed Medical Records Without Authorization for 14 Years
Jul24

Hospital Employee Discovered to Have Accessed Medical Records Without Authorization for 14 Years

Cases of employees snooping on medical records are relatively common, although an incident at Tewksbury Hospital in Massachusetts stands out due to the length of time that an employee was accessing medical records without authorization before being caught. The hospital was tipped off about the employee in April after a former patient made a complaint about their medical record being accessed inappropriately. In response to the complaint, the hospital conducted a full review which revealed the former patient’s medical records had been accessed by an employee without any legitimate reason for doing so. Further investigation revealed it was far from a one off.  The employee had been accessing the records of patients without authorization for a period of 14 years. The first instance dated back to 2003 and the inappropriate access continued until May 2017. During that time, the employee accessed the records of more than 1,000 patients. Tewksbury Hospital, which is run by the Department of Public Health, has now written to all patients whose medical records were inappropriately accessed,...

Read More
NotPetya Attack Continues to Disrupt Nuance Communications’ Services
Jul20

NotPetya Attack Continues to Disrupt Nuance Communications’ Services

In late June, Nuance Communications, a provider of healthcare solutions and transcription services, was one of many organizations around the globe to have systems taken out of action by NotPetya ransomware. While most ransomware attacks are conducted with the intention of obtaining ransom payments in exchange for the keys to unlock data, NotPetya was different. The aim was sabotage. Infection resulted in permanent encryption of master file tables, preventing infected computers from locating stored data. Data recovery was not possible even if the ransom demand was paid. The attacks caused permanent damage at many organizations requiring the replacement of hardware and substantial portions of affected networks. Nuance Communications was no different. Following the attack, Nuance Communications brought in external security experts to contain the infection and determine the extent of the attack. However, not in time to prevent widespread damage. Systems were taken out of action preventing hundreds of hospitals from using its services. Premier Health was one of many hospital systems...

Read More
U.S. Data Breaches Hit Record High
Jul20

U.S. Data Breaches Hit Record High

Hacking still the biggest cause of data breaches and the breach count has risen once again in 2017, according to a new report released by the Identity Theft Resource Center (ITRC) and CyberScout. In its half yearly report, ITRC says 791 data breaches have already been reported in the year to June 30, 2017 marking a 29% increase year on year. At the current rate, the annual total is likely to reach 1,500 reported data breaches. If that total is reached it would represent a 37% increase from last year’s record-breaking total of 1,093 breaches. Following the passing of the HITECH Act in 2009, the Department of Health and Human Services’ Office for Civil Rights (OCR) has been publishing healthcare data breach summaries on its website. Healthcare organizations are required by HIPAA/HITECH to detail the extent of those breaches and how many records have been exposed or stolen. The healthcare industry leads the way when it comes to transparency over data breaches, with many businesses failing to submit details of the extent of their breaches. ITRC says it is becoming much more common to...

Read More
Ransomware Attack Investigation Reveals 15-Month Security Breach
Jul18

Ransomware Attack Investigation Reveals 15-Month Security Breach

A ransomware attack on Peachtree Neurological Clinic (PNC) in Atlanta, GA resulted in the encryption of sensitive data. Since PNC had backed up its data, it was possible to restore the affected files without paying the ransom. Following any ransomware attack it is important to conduct a forensic analysis of systems to ensure all traces of the ransomware have been removed and no backdoors have been installed. PNC performed scans of its system and confirmed that the malware had been removed; however, the scans revealed that its systems had been accessed by unauthorized individuals between February 2016 and May 2017. Cybercriminals have been known to gain access to organizations’ systems and install ransomware when there is no further need for access, but it is unclear whether the same individuals were responsible for both security breaches. PNC found no evidence to suggest that the ransomware attack involved the exfiltration of data, but it was not possible to determine with any degree of certainty whether access to protected health information was gained in the initial attack. PNC...

Read More
Rosalind Franklin University of Medicine and Science Phishing Attack Sees PHI Compromised
Jul18

Rosalind Franklin University of Medicine and Science Phishing Attack Sees PHI Compromised

The protected health information of 859 patients of Rosalind Franklin University of Medicine and Science (RFU) has been compromised and potentially been viewed/stolen. The information was stored in two email accounts that were accessed by unauthorized individuals in May. Access to the email accounts was gained after employees responded to phishing emails. The phishing attack occurred on May 10, 2017 prompting a full investigation. The malicious actors behind the phishing scam gained access to one email account for less than a day and the second email account for a period of 9 days. Access to the second email account was blocked on May 19. Third party security experts were brought in to assist with the investigation to help determine the full extent of the security breach. RFU is now certain that unauthorized access to sensitive data has been blocked. Part of the investigation involved checking all messages in the compromised email accounts for protected health information. The investigation confirmed that the compromised PHI was limited to patients’ names, addresses, dates of...

Read More
Detroit Medical Center Discovers Agency Employee Disclosed Patients’ PHI
Jul17

Detroit Medical Center Discovers Agency Employee Disclosed Patients’ PHI

Detroit Medical Center has discovered an employee has stolen the protected health information of as many as 1,529 patients and impermissibly disclosed that information to a third party. Detroit Medical Center became aware of the security breach when the staffing agency that supplied the employee contacted DMC to report that it had discovered protected health information had been obtained and provided to an third party. DMC is part of the Tenet Healthcare system and runs eight hospitals and institutions in Detroit and southeast Michigan. DMC has not released information on the specific medical center where the employee worked or that individual’s role. The types of information that were stolen and disclosed were also not made public. However, DMC has issued a statement confirming the data theft and disclosure have been reported to law enforcement and that the hospital is cooperating fully with the police investigation. Upon hearing of the unauthorized disclosure, Detroit Medical Center conducted a thorough internal investigation, which included a review of all medical records that...

Read More
Ivinson Memorial Hospital Affected by FastHealth Security Breach
Jul14

Ivinson Memorial Hospital Affected by FastHealth Security Breach

A data breach experienced by FastHealth, a vendor of website services, has impacted more than 500 patients of Ivinson Memorial Hospital in Laramie, WY. Access was gained to a web server used by FastHealth and the attackers altered code on the website to capture billing and health information submitted by patients in online forms. The breach does not affect all patients, only those that used the online bill-pay platform or completed new patient intake forms between January 14, 2016 and December 20, 2016. The security breach was discovered by FastHealth on December 21, 2016 and a third-party security firm was contracted to conduct an investigation. Forensic investigations can take some time to conduct, although it is unclear why it took almost 5 months for FastHealth to notify organizations about the breach. The Laramie Boomerang reports that Ivinson Memorial Hospital was informed about the security breach on May 15, 2017. Patients are just being notified of the breach as it took time for Ivinson Memorial Hospital to verify the information sent by FastHealth. Ivinson Memorial...

Read More
PHI of 15,000 UC Davis Health Patients Compromised in Phishing Attack
Jul14

PHI of 15,000 UC Davis Health Patients Compromised in Phishing Attack

University of California Davis Health is alerting almost 15,000 patients that their PHI may have been viewed as a result of an employee falling for a phishing scam. The incident occurred on May 15, 2017. A phishing email was sent to a UC Davis Health employee who responded and unwittingly gave the attacker login credentials to his/her email account. That email account was accessed by the attacker on May 17. It is possible that the attacker accessed the employee’s email messages and viewed and/or obtained patients’ PHI. The investigation did not uncover any evidence to suggest that any patients’ PHI was viewed, although it was not possible to rule out the possibility with a high degree of confidence. On May 17, the attacker used the email account to send emails to other staff members requesting bank transfers for large sums of money. The emails were recognized as fraudulent and were reported to the data security team which secured the email account to prevent further access. Since access to the email account was rapidly blocked it is possible that PHI was not viewed or copied by the...

Read More
University of Iowa Health Care Discovers PHI Was Exposed Online for 2 Years
Jul14

University of Iowa Health Care Discovers PHI Was Exposed Online for 2 Years

University of Iowa Health Care has discovered patient information has been accidentally exposed on the Internet for a period of around 2 years. The exposed data was limited and did not include any clinical data, financial information or Social Security numbers, only patients’ names, admission dates and medical record numbers. 5,292 patients of University of Iowa Hospitals and Clinics have been impacted by the incident. The data were saved in unencrypted files which were inadvertently posted online via an application development website. The data were accessible via the Internet since May 2015, with the error discovered on April 29, 2017. UIHC spokesperson Tom Moore said the tip off came from “An individual who is an expert on online security.” The tip off prompted an immediate and thorough investigation. University of Iowa Health Care acted quickly to mitigate risk, with the files deleted from the website on May 1, 2017. The investigation did not uncover any evidence to suggest any information was misused, and while the exposed data were extremely limited, University of...

Read More
Almost 12,000 Records Compromised in Two New Ransomware Attacks
Jul11

Almost 12,000 Records Compromised in Two New Ransomware Attacks

In the past two weeks, two further healthcare organizations have announced that they have experienced ransomware attacks that potentially resulted in the protected health information of patients being accessed by cybercriminals. A combined 11,843 patient records were exposed in the two attacks. The first incident affects PVHS-ICM Employee Health and Wellness, LLC. Ransomware was installed on a server at a single UCHealth walk-in clinic in Fort Collins, CO. The ransomware attack was discovered on May 4, 2017, with the crypto-ransomware believed to have been installed the same day. A third-party computer expert was called in to help remove the ransomware and conduct a forensic investigation of the affected server. That investigation revealed the data stored on the server dated back to September 23, 2014 and included the protected health information of 10,143 individuals. PVHS-ICM has not indicated whether the ransom was paid. The protected health information on the server included patients’ names, home addresses and other demographic information along with health records, including...

Read More
Lost Backup Drive Contained PHI of More than 500 EEG Patients
Jul10

Lost Backup Drive Contained PHI of More than 500 EEG Patients

Baptist Medical Center South of Jacksonville, Florida has discovered a backup drive containing the electronic protected health information of 531 patients has gone missing. The portable storage drive was discovered to be missing on May 18, 2017. The device is believed to have been taken from an EEG room. A full search for the device was conducted but it could not be located. Baptist Medical Center South was unable to determine whether the portable drive had been borrowed by a member of staff and not returned, was misplaced, stolen or had been accidentally discarded. Baptist Medical Center South was also unable to determine when the device went missing. An investigation was conducted which enabled the medical center to determine which data had been backed up on the device. The information stored on the drive was limited to names, dates of birth, physician’s orders, medical record numbers, diagnoses, reasons for study, images taken during EEG tests and patients’ room numbers. The data related to certain patients who had visited the medical center for EEG testing in 2015, 2016 and...

Read More
Indiana Medicaid Recipients Alerted to Potential Data Breach
Jul04

Indiana Medicaid Recipients Alerted to Potential Data Breach

Medicaid recipients in Indiana are being notified that some of their protected health information was accessible over the Internet between February and May this year. The fiscal agent for the Indiana Health Coverage Program (IHCP), DXC Technology, says a hyperlink to an IHCP report containing patient information was accessible online. The report was an internal document used for administrative functions. The information exposed was limited to names, Medicaid ID numbers, patient numbers, procedure codes, dates of service, payment amounts and names/addresses of health care providers. At no point was it possible for Social Security numbers, addresses or financial information to be accessed. While protected health information could potentially have been accessed via the Internet, no evidence has been uncovered to suggest the link was clicked or that any information was stolen. DXC Technology is contacting all affected individuals by mail to alert them to the potential data breach to allow them to take precautions to protect their identities and to satisfy state and federal regulatory...

Read More
Tampa Bay Surgery Center Notifies 26,000 of PHI Theft
Jul04

Tampa Bay Surgery Center Notifies 26,000 of PHI Theft

Tampa Bay Surgery Center has started notifying almost 26,000 patients that some of their protected health information was stolen by an unauthorized individual who subsequently posted the information on a file sharing website. Law enforcement contacted Tampa Bay Surgery Center on May 5, 2017 alerting the healthcare provider to the data dump. The file had been uploaded to the file sharing website the previous day. The file contained sensitive data that had been obtained from a database maintained by Tampa Bay Surgery Center. Data stolen and exposed online by the malicious third party included the full names of patients along with dates of birth, home addresses and social security numbers. A link to the file was also distributed on Twitter by the individual who claimed to have stolen the data. Tampa Bay Surgery Center has notified the Department of Health and Human Services’ Office for Civil Rights of the breach. The breach report indicates 25,848 patients were affected by the incident. Those individuals are being offered identity theft protection services without charge, although...

Read More
White Blossom Care Center Notifies Residents of Improper PHI Access
Jul03

White Blossom Care Center Notifies Residents of Improper PHI Access

White Blossom Care Center in San Jose, CA has started notifying approximately 800 of its residents that some of their protected health information has been inappropriately accessed and acquired by a former employee. The care center was recently alerted to the potential data security incident and launched an investigation to determine whether a data breach had occurred. A third party technical security expert was brought in to assist with the investigation. The investigation confirmed that data had been obtained by the former employee, although it was not possible to tell when data were accessed and acquired. The types of information accessed and acquired by the former employee includes residents’ full names, along with insurance provider names and account numbers, dates of birth, Social Security numbers and medical information such as diagnoses, procedures performed and details of medications. White Blossom Care Center believes only a limited number of the acquired files contain the above information. Based on the information available, the care center believes that credit...

Read More
Cleveland Medical Associates Attacked with Ransomware
Jun30

Cleveland Medical Associates Attacked with Ransomware

Another healthcare organization has experienced a ransomware attack in which the protected health information of patients was potentially accessed. Ransomware is typically installed for the purpose of extortion rather than the theft of data; however, even if data theft is not suspected, ransomware attacks are reportable security incidents under HIPAA Rules and patients must be notified per the HIPAA Breach Notification Rule. Cleveland Medical Associates does not believe any data were stolen in its attack and no evidence has been uncovered to suggest that the PHI of patients was compromised. However, since it is not possible to rule out the possibility of a PHI being accessed with a high degree of certainty, the incident has been reported to the HHS’ Office for Civil Rights and patients are being notified of the cyberattack. The ransomware attack was discovered on April 21, 2017 with ransomware believed to have been installed the previous evening.  The ransomware was installed on a server than contained the protected health information of 22,000 patients. Medical services were not...

Read More
Family Tree Health Clinic Announces Ransomware Attack
Jun29

Family Tree Health Clinic Announces Ransomware Attack

The Family Tree Health Clinic in League City, Texas is alerting 13,402 patients that their protected health information was potentially viewed by unauthorized individuals. The attackers gained access to the IT systems of the clinic and downloaded ransomware. The clinic reports that this was a ‘sophisticated ransomware-encryption’ attack that was quickly remediated. The attack occurred on April 24, 2017 preventing the clinic from accessing its systems. The clinic was prepared for ransomware attacks and had a backup of patients’ protected health information. All encrypted data was restored from those backups and no ransom payment was made. The clinic has received no reports that any PHI has been misused, although data were potentially accessed by the individuals behind the attack. The types of data that could have been viewed included the patients’ names, addresses, dates of birth, Social Security numbers, medical information including claims and diagnosis codes and health insurance information. Financial information, including credit/debit card numbers, were not stored in the system...

Read More
Experian Health Accidentally Sends PHI to Incorrect Individuals
Jun27

Experian Health Accidentally Sends PHI to Incorrect Individuals

Experian Health has discovered the protected health information of some patients has been accidentally disclosed to incorrect individuals due to a technical error that occurred during a server migration. The disclosed data including names, addresses, genders, dates of birth, Medicare ID/HIC numbers, member ID numbers, insurance/payer company names, group numbers/group policy numbers and Medicaid case numbers. The data were shared with incorrect HIPAA covered entities. No information was sent to or otherwise shared with members of the public. Experian Health took immediate action to address what it refers to as ‘an isolated error’ and reports that the mistake has been corrected. The error affected two platforms used by Experian Health, with data disclosed between February 13 and March 13, 2017. The information disclosed could only have been accessed or saved by HIPAA-covered entities, who are bound by HIPAA Rules. Therefore, the risk of protected health information being misused is likely to be low. Experian Health notified affected healthcare institutions of the error on April 28,...

Read More
Aetna Error Sees PHI of 5,000 Individuals Exposed Online
Jun27

Aetna Error Sees PHI of 5,000 Individuals Exposed Online

Hartford, CT-based health insurer Aetna has discovered the protected health information of more than 5,000 plan members has been exposed online and was accessible through search engines. Aetna started investigating a security issue affecting two computer services on April 27, 2017. Those services were intended to show documents containing PHI to plan members and other authorized individuals, although it was discovered that the documents had been indexed by search engines and could be viewed by unauthorized individuals. On May 10, the investigation had uncovered evidence that confirmed a data breach had occurred, with the investigation concluding on June 9. While the investigation into security issues was launched in April, Aetna first became aware of exposed PHI on February 1, according to the San Antonio Express-News. It is unclear why it took almost three months for an investigation to be launched. Aetna says Social Security numbers, financial information and credit/debit card information was not exposed. The PHI in the documents only included names, identification numbers,...

Read More
Airway Oxygen Inc. Ransomware Attack Impacts up to 500,000 Individuals
Jun26

Airway Oxygen Inc. Ransomware Attack Impacts up to 500,000 Individuals

A ransomware attack on the Wyoming, MI-based medical supply company Airway Oxygen Inc., in April 2017 has potentially resulted in the protected health information of 500,000 individuals being accessed by the attackers. No evidence of data access or theft was uncovered by Airway Oxygen, although it was not possible to rule out the possibility that information was compromised in the attack. The attackers gained access to the company’s technical infrastructure on April 18, 2017 and installed ransomware. The part of the network affected was discovered to contain protected health information including names, addresses, birth dates, contact telephone numbers, medical diagnoses, health insurance policy numbers and details of the services the company provided to patients. Financial information and Social Security numbers were not exposed. Upon discovery of the cyberattack, immediate action was taken to prevent further network intrusions and a scan of the entire system was performed to search for any additional malware. Passwords for users, vendors and applications were changed as a...

Read More
World’s Largest Data Breach Settlement Agreed by Anthem
Jun26

World’s Largest Data Breach Settlement Agreed by Anthem

The largest data breach settlement in history has recently been agreed by the health insurer Anthem Inc. Anthem experienced the largest healthcare data breach ever reported in 2015, with the cyberattack resulting in the theft of 78.8 million records of current and former health plan members. The breach involved names, addresses, Social Security numbers, email addresses, birthdates and employment/income information. A breach on that scale naturally resulted in many class-action lawsuits, with more than 100 lawsuits consolidated by a Judicial Panel on Multidistrict Litigation. Now, two years on, Anthem has agreed to settle the litigation for $115 million. If approved, that makes this the largest data breach settlement ever – Substantially higher than $18.5 million settlement agreed by Target after its 41 million-record breach and the $19.5 million paid to consumers by Home Depot after its 50-million record breach in 2014. After experiencing the data breach, Anthem offered two years of complimentary credit monitoring services to affected plan members. The settlement will, in...

Read More
2,859 Patients Impacted by Improper Disposal at St. Thomas Rutherford Hospital
Jun22

2,859 Patients Impacted by Improper Disposal at St. Thomas Rutherford Hospital

This month, North Dakota Department of Human Services and Texas Health and Human Services have both reported that patients’ protected health information has been disposed of improperly. Today, another HIPAA-covered entity – Saint Thomas Rutherford Hospital in Murfreesboro, TN – has reported a similar incident. Documents containing the protected health information of almost 3,000 patients were discovered to have been abandoned by the side of a remote, rural road in DeKalb County in April. The documents were discovered by a member of the public. Upon being notified of the discarded reports, St Thomas Rutherford Hospital immediately launched an investigation but it is currently unclear how the documents were discarded and who was responsible. The documents were reports on a sample of 2,859 patient census reports and date between 2009 and 2010.  Affected patients have now been notified of the privacy breach by mail and the incident has been reported to all appropriate authorities. The documents contained no medical records or Social Security numbers, only each patient’s...

Read More
Texas Health and Human Services Commission Reports Improper Disposal of 1,800 Patient Records
Jun21

Texas Health and Human Services Commission Reports Improper Disposal of 1,800 Patient Records

A box of paper forms has been discovered to have been improperly disposed of by the Texas Health and Human Services Commission. The Texas Health and Human Services Commission recently announced that the paperwork was discovered in a box next to a dumpster used by one of its eligibility offices in the E. 40th St. complex in Houston. An investigation into the improper disposal has been launched and steps are being taken to prevent similar incidents from occurring in the future. Those steps will include a review of the processes and procedures for permanently destroying documents containing protected health information. Texas Health and Human Services Commission is in the process of issuing breach notification letters to all affected individuals. The breach summary on the Department of Health and Human Services breach portal indicates 1,842 patients were impacted. Those individuals all reside in the Houston area. The Texas Health and Human Services Commission says the forms contained protected health information such as names, dates of birth, client numbers, case numbers and telephone...

Read More
Healthcare Data Breach Costs Fall to $380 Per Record
Jun21

Healthcare Data Breach Costs Fall to $380 Per Record

Healthcare data breach costs have fallen year-over-year according to the latest IBM Security/Ponemon Institute study.  While there was a slight decline, for the seventh straight year, healthcare data breach costs are still higher than any other industry sector. This year, the Ponemon Institute calculated the average healthcare data breach costs to be $380 per record. The average global cost per record for all industries is now $141, with healthcare data breach costs more than 2.5 times the global average. Last year, average healthcare data breach costs were $402 per record. The average cost of a breach in the United States across all industries is $225 per record, up from $221 in 2016. Data breach costs have risen substantially over the past seven years, although the latest report shows there was a 10% reduction in data breach costs across all industry sectors. This was the first year that data breach costs have shown a decline. The average global cost of a data breach now stands at $3.62 million, having reduced from $4 million last year. The study was conducted globally, with 63...

Read More
May’s Healthcare Data Breach Report Shows Some Incidents Took 3 Years to Discover
Jun20

May’s Healthcare Data Breach Report Shows Some Incidents Took 3 Years to Discover

The May 2017 healthcare Breach Barometer Report from Protenus shows there was an increase in reported data breaches last month. May was the second worst month of the year to date for healthcare data breaches with 37 reported incidents, approaching the 39 data breaches reported in March. In April, there were 34 incidents reported. So far, each month of 2017 has seen more than 30 data breaches reported – That’s one reported breach per day, as was the case in 2016. In May, there were 255,108 exposed healthcare records representing a 10% increase in victims from the previous month; however, it is not yet known how many records were exposed in 8 of the breaches reported in May. The number of individuals affected could rise significantly. The largest incident reported in May was the theft of data by TheDarkOverlord, a hacking group/hacker known for stealing data and demanding a ransom in exchange for not publishing the data. The latest incident saw the data dumped online when the organization refused to pay the ransom. While April saw a majority of healthcare data breaches caused by...

Read More
Torrance Memorial Medical Center Reports Email Account Compromise
Jun20

Torrance Memorial Medical Center Reports Email Account Compromise

The danger of phishing has been highlighted by an incident reported by Torrance Memorial Medical Center in Claysburg, PA. The medical center discovered the email accounts of two staff members had been accessed by an unauthorized individual. The incident was detected rapidly, with third party forensic investigators brought in to investigate the breach. The investigation revealed the accounts were accessed on April 18 and April 19. The investigation revealed the email accounts contained the protected health information of some patients, including names, addresses, dates of birth, Social Security numbers, insurance details and treatment and diagnostic information. The forensic investigation did not uncover evidence to suggest any patient information has been misused, although it was not possible to rule out the possibility that data were accessed by the attackers. Torrance Memorial Medical Center says the breach investigation is ongoing and the incident has been reported to the FBI. Since there is a risk that PHI was accessed, all affected individuals have been offered one year of...

Read More
Delayed Breach Notification Sees CoPilot Fined $130,000 by NY AG
Jun19

Delayed Breach Notification Sees CoPilot Fined $130,000 by NY AG

A data breach that occurred in October 2015 should have seen affected individuals notified within 2 months, yet it took CoPilot Provider Support Services Inc., until January 2017 to issue breach notifications. An administration website maintained by CoPilot was accessed by an unauthorized individual on October 26, 2015. That individual also downloaded the data of 221,178 individuals. The stolen data included names, dates of birth, phone numbers, addresses, and medical insurance details. The individual suspected of accessing the website and downloading data was a former employee. CoPilot contacted the FBI in February 2016 to receive help with the breach investigation and establish the identity of the unauthorized individual. However, notifications were not sent by CoPilot until January 18, 2017. CoPilot says the delay was due to the time taken for the FBI to investigate the breach; however, since CoPilot was aware that reimbursement-related records had been stolen, notifications should have been sent sooner. Further, law enforcement did not instruct CoPilot to delay the issuing of...

Read More
OCR’s Wall of Shame Under Review by HHS
Jun16

OCR’s Wall of Shame Under Review by HHS

Since 2009, the Department of Health and Human Services’ Office for Civil Rights has been publishing summaries of healthcare data breaches on its website. The data breach list is commonly referred to as OCR’s ‘Wall of Shame’. The data breach list only provides a brief summary of data breaches, including the name of the covered entity, the state in which the covered entity is based, covered entity type, date of notification, type of breach, location of breach information, whether a business associate was involved and the number of individuals affected. The list includes all reported data breaches, including those which occurred due to no fault of the healthcare organization. The list is not a record of HIPAA violations. Those are determined during OCR investigations of breaches. Making brief details of the data breaches available to the public is an ‘unnecessarily punitive’ measure, according to Rep. Michael Burgess (R-Texas), who recently criticized OCR about its data breach list. Burgess was informed at a cybersecurity hearing last week that HHS secretary Tom Price is currently...

Read More
Sound Community Services Discovers Email Account Breach
Jun14

Sound Community Services Discovers Email Account Breach

New London, CT-based Sound Community Services Inc., a not-for-profit provider of education, support and assistance for individuals with persistent mental illness and/or substance abuse disorders has discovered an unauthorized individual has gained access to an employee’s email account. Suspicious activity was detected on the email account on January 13, 2017. An investigation was immediately launched and access to the email account was blocked. The investigators determined access to the email account had been gained the previous day. A forensic investigation into the security breach was conducted, although the identity of the unauthorized individual could not be determined. The email account was discovered to contained the protected health information of 1,278 individuals. No information has been released detailing how the unauthorized individual gained access to the email account, although this type of security breach is commonly caused as a result of employees responding to phishing emails and disclosing their email credentials. While it is possible that patient information was...

Read More
Double Burglary Sees Connecticut Patients’ PHI Exposed
Jun13

Double Burglary Sees Connecticut Patients’ PHI Exposed

SouthWest Community Health Center, a Bridgeport, CT network of health centers, has alerted patients that some of their protected health information has been exposed after burglars targeted two of its facilities. Several computers were stolen in a double burglary at its 1046 Fairfield Avenue and 10 Clinton Avenue sites. Thieves first broke into the Fairfield Avenue facility on Saturday 8, April and stole four desktop computers and a laptop. The following weekend, the Clinton Avenue health center was broken into and two laptop computers were stolen. Both facilities had security alarms which were triggered when the offices were entered. Law enforcement responded immediately in both cases, but the perpetrators had fled the scene. The burglaries were not believed to have been conducted in order to gain access to patients’ protected health information, only for the value of the computer hardware that was stolen. However, it is possible that the thieves or other unauthorized individuals were able to view the information stored on the devices. The data stored locally on the devices were...

Read More
Austin Medical Center Discovers Patient Data Was Accessible Via Internet
Jun08

Austin Medical Center Discovers Patient Data Was Accessible Via Internet

An Austin, TX medical center has discovered patient data has been stolen and uploaded to the Internet and was accessible for 4 years. The information, which related to approximately 2,000 patients, could freely be found via search engines. Victory Medical Center was alerted to the data leak on April 5, 2017 by a patient who had found his or her personal information online while browsing the Internet. An investigation was launched by Victory Medical which revealed a paper based report containing patient information had been uploaded to Github by an unauthorized individual. The data was taken and uploaded without the knowledge or authorization by Victory Medical. The company says the breach was likely the work of a ‘lone bad actor’. The date of the breach is not known, although it is likely the incident occurred on or after June 10, 2013 according to the substitute breach notice uploaded to the Victory Medical website. The report had been generated from Victory Medical’s secure patient record system, although it did not include any medical information. The types of information...

Read More
WannaCry Ransomware Continues to Cause Problems for U.S. Hospitals
Jun06

WannaCry Ransomware Continues to Cause Problems for U.S. Hospitals

The Department of Health and Human Services (HHS) has issued a cyber notice to alert healthcare organizations of the continuing problems caused by the WannaCry ransomware attacks on May 12, 2017. Following the attacks, the United States Department of Homeland Security (DHS) issued a statement saying the U.S. had suffered ‘limited attacks’ with only a small number of companies affected. However, the problems caused by those attacks have been considerable. The HHS says two large, multi-state hospital systems are still facing significant challenges to operations as a result of the May 12 attacks. The Windows SMB vulnerability (MS17-010) exploited by the threat actors was addressed by Microsoft in a March 14, 2017 update, with an emergency patch released for unsupported Windows versions shortly after the attacks took place. The patches will prevent the MS17-010 vulnerability from being exploited and thus prevent WannaCry from being downloaded. The encryption routine used by the WannaCry malware was deactivated quickly following the discovery of a kill switch. While the encryption...

Read More
North Dakota Department of Human Services Notifies 2,452 Medicaid Recipients of PHI Exposure
Jun06

North Dakota Department of Human Services Notifies 2,452 Medicaid Recipients of PHI Exposure

The North Dakota Department of Human Services (NDDHS) is alerting 2,452 Medicaid recipients that some of their protected health information has been exposed. NDDHS discovered documents containing PHI had been disposed of in a dumpster accessible by the public. The HIPAA breach was discovered on May 19, 2017 when a member of the public saw documents containing sensitive information in a dumpster. The citizen contacted NDDHS about the discovery and an investigation was immediately launched. NDDHS arranged to collect the documents the same day. The documents were Medicaid worksheets dated 2015. The worksheets did not contain Social Security numbers, financial information or Medicaid recipients’ addresses; however, detailed on the sheets were Medicaid recipients’ first and last names, the first two characters of their Medicaid provider name, Medicaid provider numbers, Medicaid ID numbers, a two-digit code representing the county of residence, an internal NDDHS ID number, dates of service, amounts covered by insurance, amounts billed and allowed, diagnosis codes, coding modifiers and...

Read More
Plastic Surgery Clinic Employee Suspected of Stealing 15,000 Patient Records
Jun02

Plastic Surgery Clinic Employee Suspected of Stealing 15,000 Patient Records

A former employee of a Californian plastic surgery clinic is suspected of stealing the medical records of around 15,000 patients. The employee worked at the Rodeo Drive clinic in Beverly Hills run by Dr. Zain Kadri. The employee had been employed as a driver and translator since September 2016, but had subsequently been given other duties such as data entry. Allegedly, she quit the practice on May 13 after being accused of embezzlement. The employee was later discovered to have taken photographs of patients before and during surgical procedures and uploaded those pictures to the image sharing site Snapchat. Further data theft was uncovered in May while the clinic was transferring paper records to digital files. As part of that process, the clinic checked a company phone used by the former employee. Images were discovered on the device including photographs of patients, but also photographs of patient IDs, usernames and passwords, copies of checks and credit and debit card information. Conversations were also reportedly recorded by the employee. It is unclear how much of that...

Read More
Trios Health Discovers Employee Accessed EHR Without Authorization for 41 Months
Jun02

Trios Health Discovers Employee Accessed EHR Without Authorization for 41 Months

The medical records of 570 Trios Health patients have been accessed by an employee, without authorization, over a period of 41 months. In March, Trios Health noticed some irregularities in its EHR logs which suggested patient records were being accessed without any legitimate work purpose for doing so. An investigation was launched to investigate and the employee was placed on leave. The investigation revealed the employee had accessed hospital patient records without authorization between October 2013 and March 2017. The types of information that was viewed included names, contact information, driver’s license numbers, Social Security numbers, dates of service, demographic information and limited medical information such as diagnoses. Interviews were conducted, although a spokesperson for Trios Health said, “We don’t know the motivation,” although it would appear that no harm was intended by the employee. Trios Health says the risk of information being used inappropriately is low, although credit monitoring and identity theft protection services are being offered to affected...

Read More
Molina Healthcare Patient Portal Discovered to Have Exposed Patient Data
May31

Molina Healthcare Patient Portal Discovered to Have Exposed Patient Data

Earlier this month, security researcher Brian Krebs was alerted to a flaw in a patient portal used by True Health Group that allowed patients’ test results to be viewed by other patients. While patients were required to login to the patient portal before viewing their test results, a security flaw allowed then to also view other patients’ results. Now, the Medicaid and Affordable Care Act Insurer Molina Healthcare is investigating a similar flaw in its patient portal that has allowed the sensitive medical information of patients to be accessed by unauthorized individuals. In the case of Molina Healthcare, patients’ medical claims could be accessed without authentication. Brian Krebs contacted Molina Healthcare to alert the company to the flaw. An investigation was conducted and its patient portal was shut down while the issue was resolved. It is unclear for how long the flaw existed, whether medical claims had been viewed by unauthorized individuals, and if so, how many patients had their privacy violated. Potentially, the flaw resulted in the exposure of all customers’ medical...

Read More
Children’s Mercy Hospital Discovers Unauthorized Website Exposed 5,500 Patients’ PHI
May31

Children’s Mercy Hospital Discovers Unauthorized Website Exposed 5,500 Patients’ PHI

A website created by a physician at Children’s Mercy Hospital in Kansas City, MO has recently been discovered to lack appropriate security protections, potentially allowing the protected health information of 5,511 patients to be viewed by unauthorized individuals. The physician created the website with good intentions and used the site as an educational resource. Data uploaded to the website was protected with a password to prevent unauthorized access. However, the protections in place to prevent unauthorized ePHI access did not meet the hospital’s security standards. The lack of security controls on the website meant information uploaded to the website could have been accessed by unauthorized individuals. Contact information (addresses and telephone numbers), Social Security numbers, financial information, health insurance details, photos and other images were not uploaded to the site. However, the website did contain information such as patients’ first and last names, gender, age, medical record number, encounter number, dates of service, admission and discharge dates,...

Read More
Beacon Health Employee Improperly Accessed 1,200 Patient Records Over 3 Year Period
May30

Beacon Health Employee Improperly Accessed 1,200 Patient Records Over 3 Year Period

A former Beacon Health System employee has been discovered to have accessed the medical records of approximately 1,200 patients without authorization over a period of three years. The privacy breach was uncovered during a routine audit of ePHI access logs, with the unauthorized access discovered on March 30, 2017. The employee in question was permitted to access patient records to perform work duties, although access rights were abused and the records of other patients were viewed even though there was no legitimate work reason for doing so. Upon discovery of the unauthorized access, Beacon Health conducted a full review with assistance from an external computer forensics firm and determined the inappropriate access started in March 2014. The employee was interviewed and claimed the records were accessed out of curiosity only and confirmed no information was copied or disclosed to other individuals. The medical records were accessed after patients visited the Emergency Room for treatment. The types of information in the records included patients’ names, ages, room numbers, chief...

Read More
Arizona Department of Health Services Notifies 2,500 Patients of Potential Loss of PHI
May30

Arizona Department of Health Services Notifies 2,500 Patients of Potential Loss of PHI

Data collected as part of a newborn screening program run by the Arizona Department of Health Services (ADHS) has been lost in the mail. The information, which was to be used for billing purposes, contained the personal information, financial data and sensitive health information of approximately 2,500 patients. Names, addresses, phone numbers, Social Security numbers, health insurance information, birth dates, and health information relating to mothers and newborns have all potentially been exposed. While state officials have said no evidence has been found to suggest any of the information has been accessed by unauthorized individuals or misused, ADHS has no idea where the records are located. The information was sent via the U.S. Postal Service to billing contractor Midwest Medical Practice Management of Carbondale, Illinois in two boxes; however, only one of the boxes arrived. The last known location of the missing box was a Postal Service facility in Phoenix, AZ. The U.S. Postal Services has been contacted and a search for the missing box has been conducted. Postal Service...

Read More
Stolen Electromyography Device Contained 836 Patients PHI, says SSM Health
May25

Stolen Electromyography Device Contained 836 Patients PHI, says SSM Health

SSM Health has started notifying patients that some of their protected health information was exposed when a portable device was stolen from DePaul Hospital St Louis in Bridgeton, MO. The device contained the protected health information of 836 patients, including names, medical record numbers, dates of birth and brief details of patients’ chief health complaint.  No insurance details, financial information, Social Security numbers or contact information were stored on the device. Due to the limited data stored on the device, patients are not believed to be at risk of experiencing identity theft or fraud. The portable device was stolen from DePaul hospital overnight between April 12 and the morning of April 13, 2017. The theft has been reported to the local police department and an investigation into the incident is ongoing. The device, which resembles a laptop computer, was part of an electromyography (EMG) medical device. Officials at DePaul hospital believe the device was stolen because it resembles a laptop computer, not for the information stored on the device. No evidence has...

Read More
Impermissible Disclosure of HIV Status to Employer Results in $387,000 HIPAA Penalty
May24

Impermissible Disclosure of HIV Status to Employer Results in $387,000 HIPAA Penalty

The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced a new HIPAA settlement to resolve violations of the HIPAA Privacy Rule. St. Luke’s-Roosevelt Hospital Center Inc., has paid OCR $387,200 to resolve potential HIPAA violations discovered during an OCR investigation of a complaint about an impermissible disclosure of PHI. In September 2014, OCR received a complaint about a potential privacy violation involving a patient of St. Luke’s Spencer Cox Center for Health. In the complaint, it was alleged that a member of St Luke’s staff violated the privacy of a patient by faxing protected health information to the individual’s employer. The information in the fax was highly sensitive, including the patient’s sexual orientation, HIV status, sexually transmitted diseases, mental health diagnosis, details of physical abuse suffered, medical care and medications. Instead of faxing the information, the data should have been sent to a personal post box as requested. The investigation revealed that the incident was not the only time that the HIPAA Privacy Rule...

Read More
Leading Cause of Healthcare Data Breaches in April was Hacking
May23

Leading Cause of Healthcare Data Breaches in April was Hacking

The monthly Breach Barometer Report from Protenus shows a significant reduction in the number of exposed healthcare records in April, with 232,060 records exposed compared to more than 1.5 million in March. The number of reported data breaches also fell from 39 to 34. The report offers some further good news. The time taken by healthcare organizations to report security incidents also fell last month. 66% of breaches were reported within the 60-day time period allowed by the Health Insurance Portability and Accountability Act Breach Notification Rule. While it is good news that the trend for reporting data breaches more promptly is continuing, there is still plenty of room for improvement. Protenus reports that in April, it took an average of 51 days from the date of the breach to discovery, and an average of 59 days from the discovery of a breach to the submission of a breach report to the HHS’ Office for Civil Rights. The data for the Protenus Breach Barometer report was supplied by Databreaches.net, which uncovered one of the worst breaches of the year to date. The theft of...

Read More
HIPAA and Ransomware: Healthcare Organizations Reminded of HIPAA Rules Relating to Ransomware
May19

HIPAA and Ransomware: Healthcare Organizations Reminded of HIPAA Rules Relating to Ransomware

Following the recent WannaCry ransomware attacks, the Department of Health and Human Services has been issuing cybersecurity alerts and warnings to healthcare organizations on the threat of attack and steps that can be taken to reduce risk. The email alerts were sent soon after the news of the attacks on the UK’s NHS first started to emerge on Friday May 12, and continued over the course of the week. The alerts provided timely and pertinent information for U.S. healthcare organizations allowing them to take rapid action to counter the threat. While the Office for Civil Rights has previously sent monthly emails to healthcare organizations warning of new threats in its cybersecurity newsletters, the recent alerts were sent much more rapidly and frequently, with four email alerts and conference calls made with industry stakeholders alerting them to the imminent threat. Whether this was a one off in response to a specific and imminent major threat or the HHS plans to issue more timely alerts remains to be seen. However, the rapid communication of the ransomware threat almost certainly...

Read More
Patients’ Email Addresses Accidentally Disclosed by Rutland Regional Medical Center
May18

Patients’ Email Addresses Accidentally Disclosed by Rutland Regional Medical Center

An electronic survey can provide healthcare organizations with valuable information to improve patient services; however, in the case of Rutland Regional Medical Center, it has resulted in a privacy breach. According to the Burlington Free Press, Rutland Regional Medical Center sent emails to more than 700 patients asking for opinions on discharge paperwork in an effort to make improvements to patient discharges. Rather than using an email group or the BCC field to mask patients email addresses, patients email addresses were added to the ‘to’ field. Consequently, the email addresses of more than 700 patients were revealed to all who received the mailshot. The error only revealed the email addresses of patients, many of whom would not have been easily identifiable from their email addresses. However, any patient who was identifiable from their email addresses would also have had their status as a patient of Rutland Regional Medical Center disclosed to other individuals. The email also suggests that the recipient had recently been discharged from hospital; something patients may have...

Read More
Coney Island Hospital Supervisor Allowed Unvetted Volunteer to Access PHI
May17

Coney Island Hospital Supervisor Allowed Unvetted Volunteer to Access PHI

NYC Health + Hospitals has discovered a volunteer accessed the protected health information of almost 3,500 patients without official authorization. The unauthorized disclosure of PHI was discovered by NYC Health + Hospitals on March 10, 2017. The volunteer had worked in the phlebotomy department of Coney Island Hospital for a period of three months under direction of a supervisor. The supervisor arranged for the volunteer to perform a number of tasks, some of which involved accessing certain patients’ PHI. While volunteers would be permitted access to PHI if they had been first vetted by Coney Island Hospital’s Human Resources department, in this case that process had not been completed. When the supervisor instructed the volunteer to perform certain duties that required the PHI of patients to be accessed, the supervisor violated NYC Health + Hospitals polices and Health Insurance Portability and Accountability Act Rules. The activities performed by the volunteer that involved accessing PHI included logging the names of patients in a log book and transporting specimens within the...

Read More
Ransomware Attack Reported by Dallas Senior Living Community
May16

Ransomware Attack Reported by Dallas Senior Living Community

A ransomware attack on the Dallas Senior Living Community, Walnut Place, in February resulted in highly sensitive data being encrypted, including Social Security numbers, driver’s license numbers, birth dates, banking and credit card numbers, health insurance information, clinical information and patients’ and residents’ contact information. The ransomware was installed on its systems on January 25, 2017, with the issue remediated 8 days later on February 2, 2017.  Third-party security experts were called in to assist with the forensic investigation of the breach and conducted a security scan of its systems to ensure all traces of malware had been removed. The incident report has yet to appear on the Department of Health and Human Services’ Office for Civil Rights breach portal, so it is currently unclear exactly how many individuals have been impacted. Ransomware Attacks and HIPAA Rules Ransomware attacks are not always reportable under HIPAA Rules. If an organization can demonstrate there was a low probability of PHI being acquired, accessed, used or disclosed (see OCR ransomware...

Read More
PHI of Thousands of Patients of Bronx Lebanon Hospital Center Exposed Online
May12

PHI of Thousands of Patients of Bronx Lebanon Hospital Center Exposed Online

Highly sensitive medical records of thousands of patients of New York’s Bronx Lebanon Hospital Center have been exposed online. Those records were reportedly accessible for three years as a result of a misconfigured backup server. The exposed records were uncovered by researchers at the Kromtech Security Research Center after conducting a “regular security audit of exposed rsync protocols on Shodan,” a search engine that can be used to find networked devices. Rsync backup servers are used for transferring files between computer systems and for file syncing. The records were not encrypted nor protected with a password and could have been downloaded by any individual who knew where to look. It is currently unclear exactly how many patient records were exposed, with initial reports indicating tens of thousands of patients may have been affected. NBC’s Mary Emily O’Hara recently reported that the breach has impacted at least 7,000 individuals. The misconfiguration allowed the researchers to view highly sensitive information including names, addresses, medical diagnoses, health...

Read More
Security Breach Highlights Need for Patient Portals to be Pen Tested
May11

Security Breach Highlights Need for Patient Portals to be Pen Tested

A range of safeguards must be implemented to ensure networks and EHRs are protected. Encryption should be considered to prevent the loss or theft of devices from exposing the ePHI of patients. However, it is important for healthcare organizations also check their patient portals for potential vulnerabilities and implement safeguards to prevent unauthorized disclosures of sensitive information. The failure to implement appropriate safeguards on web-based applications can easily result in unauthorized disclosures of patients PHI, as was recently demonstrated at True Health Diagnostics. The Frisco, TX-based healthcare services company offers testing for a wide range of diseases and genetic abnormalities, with test information available to patient via a web portal. The web portal allows patients to obtain their test results quickly. Patients are required to register and can only access their records if they first log in to the portal. However, a flaw on the web portal allowed patients to access not only their own test results, but the test results and PHI of other patients. The website...

Read More
Memorial Hermann Health System Hit with $2.4 Million HIPAA Fine
May11

Memorial Hermann Health System Hit with $2.4 Million HIPAA Fine

Memorial Hermann Health System has agreed to settle potential HIPAA Privacy Rule violations with the Department of Health and Human Services’ Office for Civil Rights (OCR) for $2.4 million. The settlement stems from an impermissible disclosure on a press release issued by MHHS in September 2015. Memorial Hermann Health System (MHHS) is a 16-hospital health system based in Southeast Texas, serving patients in the Greater Houston area. In September, a patient visited a MHHS clinic and presented a fraudulent identification card to hospital staff. The fraudulent ID card was identified as such by hospital staff, law enforcement was notified and the patient was arrested. The hospital disclosed the name of the patient to law enforcement, which is allowable under HIPAA Rules. However, the following action taken by the hospital was a violation of the HIPAA Privacy Rule. MHHS issued a press release about the incident but included the patients name in the title of the press release. That press release was approved before release by MHHS senior management, even though naming the patient...

Read More
New Jersey IVF Clinic Hack Sees PHI of 14,000 Patients Potentially Compromised
May10

New Jersey IVF Clinic Hack Sees PHI of 14,000 Patients Potentially Compromised

A third-party server hosting the electronic health record database of the New Jersey Diamond Institute for Infertility and Menopause has been hacked and access gained by an unauthorized individual. The Diamond Institute says its database and EHR system was encrypted, so the attackers were unable to access patient health records, although many unencrypted supporting documents were also stored on the server and may have been accessed. It is unclear when the attack took place, although the Diamond Institute learned of the cyberattack on February 27, 2017. A full investigation was rapidly initiated and steps taken to secure the server to prevent further unauthorized activity. The investigation involved checking all documents to determine the patients impacted and the types of data that could potentially have been viewed or copied. The documents were found to contain a limited amount of protected health information relating to more than 14,000 patients. Those data included patients’ names, addresses, birth dates, Social Security numbers, sonograms and lab test results. The breach has...

Read More
Unencrypted Hard Drive Stolen from LSU Health New Orleans: 2,200 Individuals Impacted
May09

Unencrypted Hard Drive Stolen from LSU Health New Orleans: 2,200 Individuals Impacted

Another healthcare provider has announced that an unencrypted device used to store electronic protected health information of patients has been stolen. The medical data of 2,200 patients of Louisiana State University Health New Orleans were stored on a portable hard drive that was stolen from the Department of Neurology Research in March. The theft occurred on or around March 6 and was immediately reported to law enforcement. A suspect was arrested the following day, although the hard drive has not been recovered. Officials do not believe any data on the drive have been misused, although the possibility that ePHI has been viewed cannot be ruled out. LSU Health New Orleans has reconstructed the data on the drive and is notifying affected individuals. The drive contained research data relating to individuals who participated in studies between 1998 and 2009. No Social Security numbers or financial information have been compromised, with the data breach limited to names, dates of birth, diagnosis codes and treatment codes. This is not the first time that an incident such as this has...

Read More
Bitglass Publishes 2017 Healthcare Data Security Report
May04

Bitglass Publishes 2017 Healthcare Data Security Report

Bitglass has recently published its 2017 Healthcare Data Breach Report, the third annual report on healthcare data security issued by the data protection firm. For the report, Bitglass conducted an analysis of healthcare data breach reports submitted to the Department of Health and Human’ Services Office for Civil Rights. The report confirms 2016 was a particularly bad year for healthcare industry data breaches. Last year saw record numbers of healthcare data breaches reported, although the number of healthcare records exposed in 2016 was lower than in 2015. In 2016, 328 healthcare data breaches were reported, up from 268 incidents in 2015. Last year’s healthcare data breaches impacted around 16.6 million Americans. The good news is that while incidents are up, breaches are exposing fewer healthcare records. If the colossal data breach at Anthem Inc., which exposed 78.8 million healthcare records, is considered an anomaly and is excluded from last year’s figures, the number of individuals impacted by healthcare data breaches has fallen for two years in a row. That trend looks set...

Read More
Survey Explores Trust in Healthcare Organizations’ Ability to Keep Data Secure
May04

Survey Explores Trust in Healthcare Organizations’ Ability to Keep Data Secure

A recent survey by Accenture has explored consumers’ attitudes about healthcare data security and revealed the impact healthcare data breaches have had on consumers. The survey showed the extent to which individuals had suffered losses as a result of a data breach, how consumers felt their organization handled data breaches and the effect those breaches had on trust. Trust in Healthcare Providers and Insurers is High In the United States, trust in healthcare providers’ and health insurers’ ability to keep sensitive data secure is high. 88% of respondents said they trusted their physician or other healthcare providers ‘somewhat’ (53%) or ‘a great deal’ (36%). Trust in hospitals was slightly lower at 84% (54% somewhat / 30% a great deal). Health insurers and laboratories that process medical tests fared slightly worse, both somewhat trusted by 54% of respondents and trusted a great deal by 28% of respondents. Distrust –not at all trusted or not trusted very much – was highest in urgent care clinics (25%), non-medical staff at physicians’ and healthcare providers’ offices (36%)...

Read More