Our HIPAA breach news section covers HIPAA breaches such as unauthorized disclosures of protected health information (PHI), improper disposal of PHI, unauthorized PHI access by cybercriminals and rogue healthcare employees, and other security and privacy breaches.

When known, we explain how the breach occurred, the consequences to patients that may have had their PHI compromised, and the actions being taken by the affected healthcare organization to improve safeguards to prevent further HIPAA breaches.

We also explain any actions being taken by the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) and state attorneys general in relation to those breaches.

OCR investigates all data breaches that impact more than 500 individuals to determine whether any HIPAA violations have occurred. When HIPAA Rules are discovered to have been violated, financial penalties may be deemed appropriate. It can take many months or years before any financial penalties for HIPAA breaches are decided. Financial penalties for HIPAA violations tend to be reserved for the most serious breaches of HIPAA Rules. OCR prefers to resolve cases with voluntary compliance and by issuing recommendations to bring policies in line with HIPAA Rules.

The HIPAA breach news section is particularly relevant to healthcare information security professionals, privacy officers, and other individuals who have some responsibility for HIPAA compliance.

The HIPAA breach news reports highlight common areas of non-compliance and new attack vectors used by cybercriminals to gain access to healthcare networks and PHI, the security failings that allowed them to happen, and the measures that have been implemented to prevent them from happening again.

No healthcare organization wants to experience a data breach, but when a breach does occur, lessons can be learned. HIPAA-covered entities can use these breach examples to help train their staff as well as to discover some of the methods other covered entities have adopted to improve data security.

As you will be able to see from the volume of posts in the HIPAA breach news category, healthcare data breaches occur frequently. In 2016 and 2017, healthcare data breaches have been reported on an almost daily basis.

Our HIPAA breach news section is an important source of information about potential security issues that covered entities should be identifying when conducting their own risk assessments. Many of the situations in our HIPAA breach news posts could have been avoided if a risk assessment had identified a vulnerability that was later exploited to gain access to PHI.

The main purpose for adding HIPAA breach news to this website is to highlight specific aspects of HIPAA compliance that are commonly overlooked, often with serious consequences for the covered entity and patients/health plan members.

By raising awareness of the volume of healthcare data breaches, the implications of those breaches, and the penalties that can result, it is hoped that healthcare providers will take decisive action to prevent their patients’ and members’ data from being exposed.

The most recent healthcare data breach reports are listed below. If you want to find out if a specific covered entity has experienced a data breach, please use the search function in the top right hand corner of this webpage.

PHI Theft Incidents Reported by Loyola Medicine and Main Street Clinical Associates
Nov13

PHI Theft Incidents Reported by Loyola Medicine and Main Street Clinical Associates

Main Street Clinical Associates, PA., in Durham, NC has informed certain patients that some of their protected health information was stored on devices that were stolen from its offices. The theft occurred when the Main Street offices had been evacuated due to a severe gas explosion. Staff at the office were ordered to evacuate the building on April 10, 2019 following an explosion in an adjacent building. Files and equipment were left on desks due to the urgent evacuation, and the room containing patient records was left unlocked. The damage to the building was extensive. Staff were not permitted to re-enter the building until September 9, 2019. When the staff returned, it was discovered the offices had been looted and equipment had been stolen. Two laptop computers had been taken, along with the cell phone of a clinician, and a printer containing some patient information. Main Street explained in a recent press release that the laptop computers and cell phone were password-protected, as were files that contained patient information. Since they devices were not encrypted, it is...

Read More
Tens of Thousands of TennCare and Florida Blue Members Impacted by Phishing Attack on Business Associate
Nov13

Tens of Thousands of TennCare and Florida Blue Members Impacted by Phishing Attack on Business Associate

Further healthcare organizations have confirmed they have been affected by a data breach at Magellan Health National Imaging Associates, a business associate of several HIPAA-covered entities that provides managed pharmacy and radiology benefits services. Danville, PA-based Geisinger Health Plan announced last month that 5,848 of its members had been affected by the breach. In the past few days, health insurance company Florida Blue and the Tennessee state Medicaid program, TennCare, have made similar announcements. Albuquerque, NM-based Presbyterian Health Plan also confirmed that it had been affected and 56,226 of its members had been affected. Further information can be found on this link. The phishing attack occurred on May 28, 2019. Magellan Health NIA learned of the breach on July 5, 2019 and took action to secure the affected email account. The breach was detected when the compromised account was used to send out large quantities of spam email. The internal investigation confirmed that the mailbox had been accessed on several occasions by an individual based outside the...

Read More
Salem Health Hospitals & Clinics and Delta Dental of Arizona Notify Patients About Phishing Attacks
Nov11

Salem Health Hospitals & Clinics and Delta Dental of Arizona Notify Patients About Phishing Attacks

Salem Health Hospitals & Clinics in Oregon experienced a phishing attack on July 31, 2019 that resulted in an unauthorized individual gaining access to the email accounts of several employees. The breach was detected within a day of the accounts being accessed and the compromised accounts were secured. Patients were notified about the breach on September 27 and were told that a review of the affected accounts was underway. The compromised email accounts were expected to contain a limited amount of patient information such as names, dates of birth, and information related to the medical services patients had received. At the time of issuing the notice, the investigation into the breach was ongoing. On Thursday, November 7, 2019, Salem Health spokesperson, Elijah Penner, said “The incident was reviewed thoroughly, and Salem Health has no indication that any patient information has been misused.” No evidence was uncovered to suggest patient information in emails and email attachments was accessed. Salem Health has advised affected patients to exercise caution and monitor...

Read More
Two Maine Healthcare Providers Report Email Security Breaches Impacting 52,000 Patients
Nov07

Two Maine Healthcare Providers Report Email Security Breaches Impacting 52,000 Patients

InterMed, one of the largest healthcare providers in Southern Maine, has discovered the personal and health information of up to 30,000 patients has potentially been accessed by an unauthorized individual as a result of a recent email security breach. On September 6, 2019, InterMed discovered an employee’s email account had been accessed by a third-party without authorization. An independent investigation into the breach revealed the account was compromised on September 4 and a further three employee email accounts were also found to have been compromised between September 7 and September 10, 2019. Emails and attachments in the compromised accounts contained patient information such as names, dates of birth, clinical information, and health insurance information, and for 155 individuals, Social Security numbers. The breach was limited to email accounts. The electronic medical record system was not accessed. It was not possible to determine whether emails in the account were actually viewed. The compromised email accounts were immediately secured, and affected patients were notified...

Read More
Texas Health Resources Reports Data Breach Affecting 82,577 Patients
Nov06

Texas Health Resources Reports Data Breach Affecting 82,577 Patients

82,577 patients of Texas Health Resources have had some of their health information impermissibly disclosed as a result of a misconfiguration of its billing system. Texas Health Resources is one of the largest faith-based health systems in the United States and the largest in North Texas, with facilities in 16 counties serving more than 7 million patients. On August 23, 2019, Texas Health Resources learned that an error in its billing system had resulted in patient information being incorrectly matched with guarantors. The error caused mailings to be sent to incorrect patients or their guarantors. The error occurred on July 19, 2019 and affected mailings up to September 4, 2019. An investigation was launched to determine which individuals had been affected and the types of patient information that had been impermissibly disclosed. The investigation revealed the following types of information were included in the mailings and had been sent to incorrect individuals: Name, service date, account number, names of treating physicians, name of health insurer, amount owed, and in some...

Read More
Brooklyn Hospital Center Malware Attack Results in Loss of Patients’ Health Records
Nov04

Brooklyn Hospital Center Malware Attack Results in Loss of Patients’ Health Records

Brooklyn Hospital Center in New York has announced that a security breach occurred in late July 2019 that resulted in malware being installed on some of the hospital’s servers. The attack was discovered promptly, and steps were taken to limit the harm caused; however, it was not possible to prevent certain files from being encrypted. A third-party digital forensics firm was retained to assess the nature and extent of the malware attack and assist with the recovery of encrypted files. On September 4, following ‘exhaustive efforts’ to recover the encrypted files, it was determined that certain patient information was unrecoverable. Entire medical records have not been lost, but some patients’ dental and cardiac images could not be restored. The hospital is currently conducting a review to determine which patients have been affected and those individuals will be notified in due course. As is often the case with ransomware attacks such as this, the goal of the attackers appears to have been to extort money from the hospital rather than gain access to patient information. No reports of...

Read More
California Mental Health Services Provider Discovers Unauthorized Email Account Access and File Deletion
Nov04

California Mental Health Services Provider Discovers Unauthorized Email Account Access and File Deletion

The Guidance Center (TGC), a nonprofit provider of mental health care services to disadvantaged children and their families in Long Beach, Compton, San Pedro, and Avalon in California, has discovered a breach of its digital environment. In a breach notification letter to the California Attorney General, Xavier Becerra, TGC’s counsel explained that unusual activity was detected within TGC’s digital environment in late March 2019. Staff had reported that files and backups appeared to be missing. An internal investigation was launched which concluded the files had been deleted. Further investigation also showed that a TGC computer had been reconfigured to allow it to be remotely accessed. TGC believes the change to the computer and deletion of files was most likely the work of a former employee. The matter was reported to both the Long Beach Police Department and the FBI, and the individual suspected of the illegal access was sent a cease and desist letter by TGC’s attorney on March 30, 2019. Following that letter, all further unauthorized access stopped. On April 19, 2019, TGC...

Read More
Utah Valley Eye Center Hacking Incident Leads to Phishing Attack on Patients
Nov01

Utah Valley Eye Center Hacking Incident Leads to Phishing Attack on Patients

Utah Valley Eye Center in Provo, UT is warning patients that some of their personal information may have been accessed by an unauthorized individual following a security breach involving its scheduling reminder portal on June 28, 2018. The hacker obtained the email addresses of 5,764 patients and sent each a phishing email in an attempt to gain access to PayPal credentials. The emails spoofed PayPal and advised the recipients that they had received a payment. Upon discovery of the security breach, Utah Valley Eye Center contacted all individuals who had been emailed to warn them about the security breach. No evidence has been uncovered to suggest any other information was accessed or misused, although the hacker would have had access to patient names, addresses, phone numbers, and dates of birth. No personal health or financial information is believed to have been accessed. Only 5,764 phishing emails were sent, but Utah Valley Eye Center could not determine exactly how many patients’ protected health information was viewed or obtained by the hacker. The decision was therefore...

Read More
Prisma Health Website Breach Potentially Impacts 22,000 Individuals
Oct30

Prisma Health Website Breach Potentially Impacts 22,000 Individuals

Prisma Health Midlands is notifying approximately 19,000 patients and 3,000 employees about a data breach involving the Palmetto Health website. Prisma Health – formerly Palmetto Health – learned on August 29, 2019 that an unauthorized individual had obtained the login credentials of a Prisma Health employee. Those credentials allowed the attacker to access the Palmetto Health website, which contained volunteer registration information and patient pre-registration forms that had been completed online. Those forms related to 6 Midlands hospitals and contained information such as names, addresses, dates of birth, limited health information and, for certain individuals, their Social Security number. No medical records or financial information were exposed. Prisma Health was not able to determine for how long the credentials were accessible. Upon discovery of the incident, the employee’s password was changed to prevent any further unauthorized access and policies and procedures are being updated to prevent similar breaches in the future. Affected individuals have been notified by mail...

Read More
Quest Diagnostics $195,000 Class Action Settlement Approved by Federal Judge
Oct30

Quest Diagnostics $195,000 Class Action Settlement Approved by Federal Judge

Following a November 2016 cyberattack at Quest Diagnostics that resulted in an unauthorized individual accessing and stealing the personal information and medical test results of 34,000 individuals, a class action lawsuit was filed by the breach victims. Quest Diagnostics proposed a $195,000 settlement to resolve the case. The settlement has recently been approved by a New Jersey district court judge. The types of information obtained by the hacker included names, phone numbers, dates of birth, and the results of medical tests, including HIV test results. The lawsuit alleged Quest Diagnostics had violated New Jersey laws and had been negligent for failing to safeguard the sensitive health information of its clients, Quest Diagnostics had breached its contract with clients, and that the company failed to provide timely notifications to patients informing them about the hacking incident and theft of their data. Quest Diagnostics maintains the claims are meritless, but the decision was taken to settle the lawsuit to avoid ongoing litigation and further legal costs. Under the terms of...

Read More
Improper Disposal Incident at Smith’s Food & Drug Affects Almost 58,000 Patients
Oct29

Improper Disposal Incident at Smith’s Food & Drug Affects Almost 58,000 Patients

Salt Lake City, OH-based Smith’s Food & Drug has announced that the pharmacy records of around 58,000 patients have been disposed of in an improper manner. The improper disposal incident was discovered by the grocery and drug store chain on August 29, 2019 and affected customers of its store at 4600 East Sunset Road in Henderson, NV. 12 boxes of files containing physical pharmacy records, including prescriptions, were disposed of by a former associate in an improper manner. The records were not shredded, pulped, burned, or pulverized to render them unreadable, indecipherable, and ensure they could not otherwise be reconstructed, as is required by HIPAA. The boxes of files were put in the store’s trash compactor along with regular trash. Since the records are no longer accessible, it was not possible to determine which patients were impacted and the exact types of information that had been exposed. Smith’s Food & Drug has estimated the sensitive information of approximately 57,600 patients was likely contained in the pharmacy records. The types of HIPAA-covered information...

Read More
Report Suggests Augmented Security Following a Data Breach Contributes to Increase in Patient Mortality Rate
Oct28

Report Suggests Augmented Security Following a Data Breach Contributes to Increase in Patient Mortality Rate

Healthcare data breaches lead to a reduction in the quality of care provided to patients, according to a study recently published in Health Services Research. Researchers analyzed data from Medicare Compare which details quality measures at hospitals. Data from 2012-2016 was analyzed and compared with data from the HHS’ Office for Civil Rights on data breaches of more than 500 records over the same period. The researchers analyzed data on 3,025 Medicare-certified hospitals, 311 of which had experienced a data breach. According to the study, the time it took from a patient arriving at the hospital to an electrocardiogram being performed increased by up to 2.7 minutes at hospitals that had experienced a data breach. A ransomware attack that prevents clinicians from accessing patient data will limit their ability to provide essential medical services to patients, so a delay in conducting tests and obtaining the results is to be expected. However, the delays were found to continue for months and years after an cyberattack was experienced. The study showed that 3-4 years after a breach...

Read More
Betty Jean Kerr People’s Health Centers Ransomware Attack Impacts 152,000 Patients
Oct28

Betty Jean Kerr People’s Health Centers Ransomware Attack Impacts 152,000 Patients

St Louis, MO-based Betty Jean Kerr People’s Health Centers experienced a ransomware attack on September 2, 2019 that prevented staff at its health centers from accessing certain types of patient, provider, and employee information. The security incident was detected on September 3 and law enforcement was notified. A ransom demand was received, but the decision was taken not to pay. A third-party IT firm was engaged to assist with recovery, but it has not been possible to recover the encrypted data. The encrypted data is considered to have been permanently lost, unless a decryptor is developed by security researchers that allows files to be recovered. No mention has been made about the type of ransomware used in the attack and if backup files were also encrypted in the attack. The investigation revealed the following types of information had been encrypted in the attack: Patient names, addresses, dates of birth, Social Security numbers, pharmacy data, health insurance information, dental x-rays, and a limited amount of clinical data. Affected patients had received medical services...

Read More
Geisinger Health Plan Notifies Members About Business Associate Phishing Attack
Oct24

Geisinger Health Plan Notifies Members About Business Associate Phishing Attack

Danville, PA-based Geisinger Health Plan has discovered the protected health information (PHI) of some of its members has been exposed as a result of a suspected phishing attack on one of its business associates, Magellan NIA. Magellan NIA provides radiology benefits management services to the health plan, which requires access to plan members’ PHI. Magellan NIA discovered the breach on July 5, 2019 when suspicious activity was detected in the email account of one of its employees. The account was immediately secured to prevent further unauthorized access and misuse and an investigation was launched to determine the extent of the breach. The investigation revealed the account was breached on May 28, and there had been several connections to the account between up until July 5. Those connections were made from a location outside the United States. Geisinger Health Plan believes the sole purpose of the attack was to gain access to email accounts for the purpose of spamming, rather than to steal sensitive plan member data. However, it was not possible to rule out unauthorized data...

Read More
Slew of HIPAA Violations Leads to $2.15 Million Civil Monetary Penalty for Jackson Health System
Oct23

Slew of HIPAA Violations Leads to $2.15 Million Civil Monetary Penalty for Jackson Health System

The Department of Health and Human Services’ Office for Civil Rights has imposed a $2.15 million civil monetary penalty against the Miami, FL-based nonprofit academic medical system, Jackson Health System (JHS), for a slew of violations of HIPAA Privacy Rule, Security Rule, and Breach Notification Rule. In July 2015, OCR became aware of several media reports in which the PHI of a patient was impermissibly disclosed. The individual was a well-known NFL football player. Photographs of an operating room display board and schedule had also been shared on social media by a reporter. OCR launched an investigation in October 2015 and opened a compliance review in relation to the impermissible disclosure. JHS investigated and submitted a report confirming a photograph was taken in which two patients PHI was visible, including the PHI of a well-known person in the community. The internal investigation revealed an employee had been accessing patient information without authorization since 2011. During that time, the employee had accessed the records of 24,188 patients without any legitimate...

Read More
140,209 Patients Notified of Kalispell Regional Healthcare Phishing Attack
Oct23

140,209 Patients Notified of Kalispell Regional Healthcare Phishing Attack

Kalispell Regional Healthcare in Montana is in the process of notifying approximately 140,000 patients that some of their protected health information (PHI) was potentially compromised in a security breach over the summer. Kalispell Regional Healthcare operates Kalispell Regional Medical Center, a 138-bed hospital in Kalispell, MT. The breach has affected most of its patients. The breach affected Kalispell Regional’s email system and was the result of multiple employees being fooled by a “highly sophisticated” phishing scam. Employees responding to the phishing email inadvertently disclosed their login credentials to the attacker who used the credentials to remotely access their email accounts. Kalispell Regional learned of the breach on August 28. Upon discovery of the breach, all affected email accounts were disabled to prevent further unauthorized access, the security breach was reported to law enforcement, and an internal investigation was launched to determine the extent of the breach. The investigation revealed the email account was breached on May 24, 2019 and the...

Read More
Sensitive Data of Millions of Patients Discovered to Be Freely Accessible Over the Internet
Oct22

Sensitive Data of Millions of Patients Discovered to Be Freely Accessible Over the Internet

The sensitive health information of millions of patients has been exposed over the internet as a result of the failure of nine companies to secure their medical databases. The exposed patient data was discovered by security researchers at WizeCase. The research team, led by Avishai Efrat, used publicly available tools to search for exposed data that could be accessed without the need for any usernames or passwords. The firm then offers to help those organizations fix their data leaks and better secure their data. In all cases, the researchers attempted to contact the healthcare organizations concerned to advise them about the misconfigured databases to allow steps to be taken to secure the data and prevent unauthorized access, but in several cases no response was received. The researchers contacted databreaches.net and received assistance in contacting the companies concerned. When no response was received, the researchers contacted local authorities and hosting companies for assistance. Several attempts were made to get the data secured over the space of a month before the...

Read More
South Texas Dermatopathology Notifies 15,982 Patients About AMCA Data Breach
Oct22

South Texas Dermatopathology Notifies 15,982 Patients About AMCA Data Breach

South Texas Dermatopathology is the last known victim of the data breach at American Medical Collection Agency (AMCA) to report the breach to the Department of Health and Human Services Office for Civil Rights (OCR) and notify affected patients. The breach appeared on the OCR breach portal on October 7, 2019 and indicates 15,982 patients have been affected. AMCA was a business associate of the San Antonio, TX-based medical testing laboratory and provided billings and collection services. South Texas Dermatopathology was informed about the security breach at AMCA in May 2019 and was told that some of its patients’ information was potentially compromised as a result of the hacking of AMCA systems. An unauthorized individual first gained access to AMCA systems on August 1, 2018. Access remained possible up to March 30, 2019 when the breach was detected and its systems were secured. During that time, the unauthorized individual had access to parts of AMCA systems that contained information such as names, addresses, phone numbers, dates of birth, balance information, dates of service,...

Read More
September 2019 Healthcare Data Breach Report
Oct21

September 2019 Healthcare Data Breach Report

September saw 36 healthcare data breaches of more than 500 records reported to the Department of Health and Human Services’ Office for Civil Rights, which represents a 26.53% decrease in breaches from the previous month. 1,957,168 healthcare records were compromised in those breaches, an increase of 168.11% from August. The large number of breached records is largely down to four reported incidents, each of which involved hundreds of thousands of healthcare records. Three of those incidents have been confirmed as ransomware attacks. Largest Healthcare Data Breaches in September 2019 The largest breach of the month was due to a ransomware attack on Jacksonville, FL-based North Florida OB-GYN, part of Women’s Care of Florida. 528,188 healthcare records were potentially compromised as a result of the attack. Sarrell Dental also experienced a ransomware attack in which the records of 391,472 patients of its Alabama clinics were encrypted. 320,000 records of patients of Premier Family Medical in Utah were also potentially compromised in a ransomware attack. The University of Puerto Rico...

Read More
VA OIG: Records of Thousands of Veterans Exposed to 25,000 VA Employees via Shared Network Drives
Oct21

VA OIG: Records of Thousands of Veterans Exposed to 25,000 VA Employees via Shared Network Drives

Internal Department of Veteran Affairs (VA) communications, disability claims, and the health information of thousands of veterans have been exposed and could be accessed by VA employees authorized to view the information, according to the findings of a Department of Veteran Affairs’ Office of Inspector General (VA OIG) audit. VA OIG conducted an audit of the VA’s Milwaukee Regional Office following a tipoff by a whistleblower in September 2018 about the exposure of sensitive information on shared network drives, which the whistleblower claimed could be accessed by employees unauthorized to view the information. VA OIG audit visited the Milwaukee offices in January 2019 and confirmed that sensitive information had been stored on two shared network drives on the VA Enterprise network, which could be accessed by veterans service organization (VSO) officers, even if those officers did not represent those veterans. The auditors determined that any Veterans Benefits Administration employee who had permission to access the VA network remotely could have accessed the files stored on the...

Read More
Ransomware Attacks Reported by Monterey Health Center and Magnolia Pediatrics
Oct18

Ransomware Attacks Reported by Monterey Health Center and Magnolia Pediatrics

Monterey Health Center in Milwaukie, OR, has experienced a ransomware attack that encrypted its electronic medical records system. The attack commenced on August 12, 2019 and prevented patient data from being accessed. Assisted by a third-party vendor, the health center successfully restored all patient data quickly and was able to continue providing care to its patients. It is unclear whether the medical records were restored from backups or if the ransom demand was paid. Third party forensic investigators were retained to investigate the attack and determine whether patient data had been copied by the attackers. The investigation found no evidence of data exfiltration, although unauthorized data access could not be totally ruled out. To date, no reports have been received about any misuse of patient information. The following information was potentially compromised: Names, addresses, dates of birth, Social Security numbers, driver’s license numbers, medical histories, diagnoses, lab test results, treatment information, medications, health insurance information, claims...

Read More
Malicious Code on Mission Health E-Commerce Websites Enabled Data Theft for 3 Years
Oct18

Malicious Code on Mission Health E-Commerce Websites Enabled Data Theft for 3 Years

Mission Health in Western North Carolina has discovered malicious code has been installed on its e-commerce websites that were used by patients to purchase health products. The malicious code was capable of capturing payment information as it was entered on the websites. That information was then sent to an unauthorized third party. The breach was discovered by Mission Health in June 2019. The breach investigation revealed the malicious code had been inserted into the genuine code of the website three years previously in March 2016. The affected websites were taken offline and are being rebuilt. At the time of writing, those websites are not operational. Only limited information about the breach has been released and there is currently no substitute breach notification letter on the Mission Health website. It is unclear how the breach was discovered. Typically, when credit card information is stolen, credit card firms trace fraudulent activity back to a specific retailer or website and advise the company that their systems have been compromised. In such cases, the fraudulent...

Read More
Roger Severino Gives Update on OCR HIPAA Enforcement Priorities
Oct17

Roger Severino Gives Update on OCR HIPAA Enforcement Priorities

Roger Severino, Director of the HHS’ Office for Civil Rights, has given an update on OCR’s HIPAA enforcement priorities at the OCR/NIST 11th Annual HIPAA Conference in Washington D.C. Severino confirmed that one of OCR’s top policy initiatives is still enforcing the rights of patients under the HIPAA Privacy Rule and ensuring they are given timely access to their health information at a reasonable cost. Under HIPAA, patients have the right to view and check their medical records and obtain a copy of their health data, yet there are still healthcare organizations that are making this difficult. OCR has already agreed to settle one case this year with a HIPAA-covered entity that failed to provide a patient with a copy of her health information. OCR had to intervene before those records were provided to the patient. The entity in question, Bayfront Health St Petersburg, paid a financial penalty of $85,000 to resolve the HIPAA violation. More financial penalties will be issued to covered entities that fail to comply with this important provision of HIPAA. Severino confirmed that...

Read More
Hunt Regional Healthcare Revises May 2018 Data Breach Total
Oct15

Hunt Regional Healthcare Revises May 2018 Data Breach Total

Texas-based Hunt Regional Healthcare has discovered a May 2018 cyberattack was much more extensive than previously thought. On May 14, 2019, Hunt Regional was informed by the FBI that its systems had been the subject of a sophisticated, targeted cyberattack in May 2018 and that a small subset of its patients had had their protected health information (PHI) exposed. Those individuals had previously received medical services at Hunt Regional Medical Center. The PHI was stored in a limited area of the network to which the hackers had gained access and those individuals were notified about the breach in July 2019. A more detailed investigation was then conducted with assistance provided by third-party computer forensics experts, who discovered the hackers had gained access to other parts of the network that were not initially thought to have been compromised. These additional parts of the network contained the PHI of patients of other facilities in the network: Hunt Regional Medical Center in Greenville, Hunt Regional Emergency Medical Center – Commerce, Hunt Regional Emergency Medical...

Read More
Philadelphia Department of Public Health Data Breach Exposed Data of Hepatitis Patients
Oct14

Philadelphia Department of Public Health Data Breach Exposed Data of Hepatitis Patients

The Philadelphia Department of Public Health (PDPH) has discovered sensitive information of patients with hepatitis B and hepatitis C has been exposed over the internet and could be accessed by anyone without the need for authentication. The breach came to light on Friday October 12, 2019 following notification from a reporter from The Philadelphia Inquirer. The issue was corrected within minutes of the hospital being notified of the breach. An investigation has now been launched to determine the nature, cause, and extent of the breach. New cases of hepatitis B and hepatitis C must be reported to PDPH by medical providers to enable tracking and monitoring of the disease. Both diseases can be transmitted through contact with bodily fluids of an infected person. New cases are often the result of sharing of needles by intravenous drug users. New cases of both forms of hepatitis are monitored as part of the PDPH opioids initiative. The data supplied by healthcare providers had been uploaded to a website tool that allows aggregated data to be visualized through charts using Tableau...

Read More
68,000 Patients of Methodist Hospitals Impacted by Phishing Attack
Oct09

68,000 Patients of Methodist Hospitals Impacted by Phishing Attack

In June 2019, Gary, Indiana-based Methodist Hospitals discovered an unauthorized individual had gained access to the email account of one of its employees following the detection of suspicious activity in the employee’s email account. An investigation was immediately launched and third-party computer forensics experts were called in to determine the extent of the breach and whether any patient information had been accessed or copied by the attacker. The investigation revealed two email accounts had been compromised as a result of employees responding to phishing emails. It took until August 7, 2019 for the forensic investigators to determine that a breach had occurred and patient information had been compromised. One of the compromised email accounts was discovered to have been accessed by an unauthorized individual from March 13, 2019 to June 12, 2019, and the second account was subjected to unauthorized access on June 12, 2019 and from July 1 to July 8. As is typical in forensic investigations, it was not possible to determine whether the attacker viewed or copied patient...

Read More
CHI Health Ransomware Attack Impacts 48,000 Lakeside Patients
Oct08

CHI Health Ransomware Attack Impacts 48,000 Lakeside Patients

The Omaha, NE-based 14-hospital health system, CHI Health, has experienced a ransomware attack in which the protected health information of approximately 48,000 patients has potentially been compromised. The attack was discovered on August 1, 2019 and affected an old electronic health record system that contained the medical records patients who had received medical services at CHI Health’s Lakeside Orthopedic Clinic prior to April 2016. The investigation confirmed that a database used by the medical record system had been encrypted in the attack. A full investigation into the attack was launched and while it is possible that patient information was accessed or copied by the attackers, no evidence of unauthorized data access or data exfiltration was discovered and there have been no reports of misuse of patient information. The attack appears to have been conduced solely with the aim of extorting money from CHI Health. The types of information contained in the database included patient names, addresses, contact telephone numbers, dates of birth, Social Security numbers, diagnoses,...

Read More
Cancer Treatment Centers of America Experiences Another Phishing Attack
Oct07

Cancer Treatment Centers of America Experiences Another Phishing Attack

Cancer Treatment Centers of America (CTCA) is notifying certain patients that some of their protected health information (PHI) has been exposed as a result of a phishing-related email security breach that occurred in July 2019 at its Southeastern Regional Medical Center. The attack was identified on July 29, 2019 when suspicious activity was detected in the email account of a CTCA staff member. The breach investigation revealed the attacker had gained access to the account for a period of around 7 days from July 22. Upon detection of the breach, the user’s email account was secured to prevent further unauthorized access. The investigation did not uncover any evidence to suggest patient information in emails and email attachments were accessed or copied by the attacker, but the possibility could not be ruled out. The types of information potentially accessed included names along with addresses, phone numbers, dates of birth, health insurance information, medical information, and medical record numbers, and other patient identifiers. No Social Security numbers were exposed in the...

Read More
UAB Medicine Phishing Attack Impacts 19,000 Patients
Oct07

UAB Medicine Phishing Attack Impacts 19,000 Patients

UAB Medicine is alerting patients about an August 7, 2019 phishing attack that resulted in the email accounts of several employees of UAB Medical Center in Birmingham, AL being accessed by the attackers. Upon discovery of the breach, the passwords on affected email accounts were changed to prevent further unauthorized access and UAB Medicine engaged a leading cybersecurity firm to investigate the breach. An analysis of the compromised email accounts revealed they contained the protected health information (PHI) of 19,557 patients, including names and one or more of the following data elements: Medical record number, date of birth, dates of service, location of service, diagnoses, and treatment information. A limited number of patients also had their Social Security number exposed. UAB Medicine provides security awareness training to its workforce and has taught employees how to identify phishing emails. In this instance, despite that training, several employees responded to the emails and disclosed their email account credentials. Those credentials were used to gain access to email...

Read More
Goshen Health Notifies 9,160 Patients of Historic PHI Breach
Oct03

Goshen Health Notifies 9,160 Patients of Historic PHI Breach

Goshen Health in Indiana has started notifying 9,160 patients that some of their protected health information (PHI) may have been compromised in a phishing-related email breach in August 2018. Upon discovery of the breach the compromised email accounts were secured and the breach was investigated. At the time, the security breach was determined not to require notifications to patients as PHI did not appear to have been compromised. However, on August 1, 2019, Goshen Health became aware that the compromised email accounts did contain the PHI of certain patients and notification letters were necessary. The breach occurred between August 2, 2018 and August 13, 2018. An unidentified, unauthorized individual gained access to the email accounts of two Goshen colleagues. Following the breach, Goshen Health enhanced its email security protections and as part of that process used additional forensic tools and technology to re-evaluate the breach. Third-party forensics experts were retained in November 2018 to reassess the incident, but no evidence of unauthorized PHI access or PHI theft was...

Read More
DCH Health System Ransomware Attack Temporarily Cripples 3 Alabama Hospitals
Oct02

DCH Health System Ransomware Attack Temporarily Cripples 3 Alabama Hospitals

DCH Health System has been forced to close all three of its Alabama hospitals for all but critical new patients following a ransomware attack. The attack prevented staff at DCH Regional Medical Center in Tuscaloosa, Northport Medical Center, and Fayette Medical Center from accessing computer systems, which were taken out of action as a result of the attack which commenced in the early hours of Tuesday, October 1, 2019. Emergency procedures were implemented at all three hospitals to ensure day to day healthcare operations could continue and care is continuing to be provided to patients currently at the hospital. Critical patients are being accepted, but individuals scheduled for outpatient procedures or tests have been advised to call before attending. Ambulance services have been advised to take patients to alternate facilities if possible. The health system started using backup files to restore certain system components which allowed those systems to be brought back online. DCH Health System also purchased the decryption keys from the attacker. “We worked with law enforcement and...

Read More
391,472 Patients Impacted by Sarrell Dental Ransomware Attack
Oct02

391,472 Patients Impacted by Sarrell Dental Ransomware Attack

Sarrell Dental, an Alabama-based not-for-profit provider of Children’s dental and optical services, has experienced a ransomware attack in which the protected health information of its patients may have been compromised. Sarrell Dental is the largest provider of dental services in the state of Alabama and operates 17 clinics in the state. In July 2019, ransomware was deployed on its network which resulted in widespread file encryption. Upon discovery of the attack, the network was deactivated, and an investigation was launched. Affected clinics were closed for two weeks while the breach was investigated and systems were restored. A ransom demand was received but it was not paid. Patient information was restored from backups. A third-party computer forensics team was engaged to assist with the investigation to determine the extent of the breach. That investigation revealed that the attackers may have first gained access to Sarrell Dental systems as early as January 2019. No evidence was found to suggest patient information was accessed or copied by the attackers, but the possibility...

Read More
PHI Potentially Compromised in Cybersecurity Breach at North Florida OB-GYN
Oct01

PHI Potentially Compromised in Cybersecurity Breach at North Florida OB-GYN

Jacksonville, FL-based North Florida OB-GYN has discovered hackers gained access to certain parts of its computer system containing patients’ personal and health information and deployed a virus that caused widespread file encryption. Upon discovery of the breach on July 27, 2019, networked computer systems were shut down and breach response and recovery procedures were initiated. Third party IT consultants assisted with the investigation and confirmed that parts of its networked computer systems had been subjected to unauthorized access and a virus had been used to encrypted certain files. The investigation revealed its systems had most likely been compromised on or before April 29, 2019. While system access was confirmed, no evidence of unauthorized data access or theft of personal or medical information was found; however, unauthorized data access and data exfiltration could not be ruled out. Protected health information potentially compromised in the attack varied from patient to patient and may have include name, demographic information, birth date, driver’s license number, ID...

Read More
Wood Ranch Medical Announces Permanent Closure Due to Ransomware Attack
Sep30

Wood Ranch Medical Announces Permanent Closure Due to Ransomware Attack

Another healthcare provider has announced it will be permanently closing its doors as a direct result of a ransomware attack. The devastating attack occurred at Wood Ranch Medical in Simi Valley, CA, which recently announced that the practice will permanently close on December 17, 2019. The attack occurred on August 10, 2019 and resulted in its servers being infected with ransomware. The attack caused widespread file encryption and prevented medical records from being accessed. The extent of the attack was such that computer systems were permanently damaged making file recovery impossible. The practice had created backups of patient records, but those backups were also encrypted and could not be used to restore patient data. Ransomware attacks are usually conducted with the sole purpose of extorting money. Files are encrypted and a ransom demand is issued. If the ransom is not paid, files remain permanently encrypted. Payment of the ransom comes with no guarantee that file recovery will be possible and encourages further attacks. For these reasons the FBI recommends ransom payments...

Read More
Senator Demands Answers Over Exposure of Medical Images in Unsecured PACS
Sep27

Senator Demands Answers Over Exposure of Medical Images in Unsecured PACS

Sen. Mark Warner (D-Virginia) has written to TridentUSA Health Services demanding answers about a breach of sensitive medical images at one of its affiliates, MobileXUSA. Sen. Warner is the co-founder of the Senate Cybersecurity Caucus, which was set up as bipartisan educational resource to help the Senate engage more effectively on cybersecurity policy issues. As part of the SCC’s efforts to improve cybersecurity in healthcare, in June Sen. Warner asked NIST to develop a secure file sharing framework and wrote to healthcare stakeholder groups in February requesting they share best practices and the methods they used to reduce cybersecurity risk and improve healthcare data security. The latest letter was sent a few days after ProPublica published a report of an investigation into unsecured Picture Archiving and Communications Systems (PACS). PACS are used by hospitals and other healthcare organizations for viewing, storing, processing, and transmitting medical images such as MRIs, CT scans, and X-Rays. The report revealed more than 303 medical images of approximately 5 million...

Read More
Ransomware Attacks Reported by People’s Injury Network Northwest and Berry Family Services
Sep27

Ransomware Attacks Reported by People’s Injury Network Northwest and Berry Family Services

Kent, WA-based People’s Injury Network Northwest (PINN), a physical rehabilitation company for industrial rehabilitation patients, has experienced a ransomware attack in which patient information may have been accessed by the attackers. The attack occurred on April 22, 2019 and saw three servers infected with ransomware. The attack was discovered the following day and the servers were taken offline. The decision was taken not to pay the ransom demand and encrypted files were restored from backups. PINN reports that it was possible to recover most of the data on the servers. A computer forensics firm was retained to conduct an investigation to determine whether the attackers gained access to or stole information on the servers. No evidence of unauthorized data access or data theft were discovered; however, it was not possible to rule out to possibility of unauthorized data access or exfiltration. Consequently, the decision was taken to notify patients whose personal and protected health information was potentially compromised. Affected individuals had received services from PINN up...

Read More
Study Reveals Types of Protected Health Information Most Commonly Exposed in Healthcare Data Breaches
Sep24

Study Reveals Types of Protected Health Information Most Commonly Exposed in Healthcare Data Breaches

Researchers from Michigan State University and Johns Hopkins University have conducted a study of healthcare data breaches over the past 10 years to examine what types of information are most commonly exposed in healthcare data breaches. The study, published in the journal Annals of Internal Medicine on Monday September 23, 2019, confirms that the health information of approximately 169 million Americans was exposed, compromised, or impermissibly disclosed in 1,461 data breaches at 1,388 entities between October 2009 and July 2019. Those breaches each impacted 500 or more individuals and were reportable incidents under HIPAA and the HITECH Act. The researchers explain that information about the types of information exposed in data breaches is not widely available to the public, since it is not a requirement to share the types of data that have been compromised in the breaches. It is therefore difficult for researchers to classify the amount and types of healthcare information exposed and gain an accurate picture of the consequences of the breaches. “When the media reports...

Read More
August 2019 Healthcare Data Breach Report
Sep23

August 2019 Healthcare Data Breach Report

In August, healthcare data breaches continued to be reported at a rate of more than 1.5 per day, which is around twice the monthly average in 2018 (29.5 breaches per month). This is the second successive month when breaches have been reported at such an elevated level. While the number of breaches has not changed much since last month (49 compared to 50), there has been a substantial reduction in the number of exposed records.   August saw 729,975 healthcare records breached compared to 25,375,729 records in July, 3,452,442 records in June, and 1,988,376 records in May. The exceptionally high breach total for July was mostly due to the massive data breach at American Medical Collection Agency (See below for an update on the AMCA breach total). Causes of August 2019 Healthcare Data Breaches Hacking and other IT incidents dominated the breach reports in August. 32 breaches were attributed to hacking/IT incidents, which is almost double the number of breaches from all other causes. Hacking/IT incidents breached 602,663 healthcare records – 82.56% of all records breached in...

Read More
Campbell County Health Ransomware Attack Causes Major Disruption to Patient Services
Sep23

Campbell County Health Ransomware Attack Causes Major Disruption to Patient Services

Campbell County Health in Gillette, WY, has experienced a ransomware attack that has disabled hospital systems and is preventing access to patient information. The attack started in the early hours of Friday September 20, 2019 according to the Department of Health. An investigation into the attack has been launched and efforts are continuing to remove the ransomware, restore encrypted files, and bring systems back online; however, at the time of writing, Campbell County Health is continuing to experience major disruption to medical services. Campbell County Health reports that all of its systems have been affected. At this stage, no evidence has been uncovered to suggest patient information has been subjected to unauthorized access or misused. The Emergency Department, Maternal Child (OB) department, and the Walk-In Clinic remain open and staff are on hand to triage and treat patients. Transfers to alternate facilities will be arranged, if appropriate, and the County’s Emergency Medical Services (EMS) has additional ambulances to meet demand. Patients already receiving care are...

Read More
56,226 Presbyterian Health Plan Members Affected by Phishing Attacks at Magellan Health Subsidiaries
Sep20

56,226 Presbyterian Health Plan Members Affected by Phishing Attacks at Magellan Health Subsidiaries

The Scottsdale, AZ-based managed care company, Magellan Health, has discovered two of its subsidiaries have experienced phishing attacks that exposed the protected health information of members of Albuquerque, NM-based Presbyterian Health Plan. The phishing attacks were experienced by National Imaging Associates and Magellan Healthcare, which both provide services to Presbyterian Health Plan. Both incidents were reported to the Department of Health and Human Services’ Office for Civil Rights on September 17, 2019. The National Imaging Associates incident was discovered on July 5 and affected 589 individuals and the Magellan Healthcare breach was discovered on July 12 and affected 55,637 individuals. Both incidents occurred within a few days but they are not believed to be related. The email accounts of two employees were breached on May 28 and June 6, 2019. Both of those individuals handled data related to members of the health plan. The investigation determined the aim of the attack was to compromise email accounts to use them to distribute spam email. No evidence was uncovered to...

Read More
Ramsey County Expands 2018 Phishing Attack Victim Count from 599 to 117,905
Sep19

Ramsey County Expands 2018 Phishing Attack Victim Count from 599 to 117,905

Ramsey County has discovered an August 2018 phishing attack has impacted far more individuals than initially thought. The victim count has been increased from 599 to 117,905. The initial breach report stated the email accounts of 26 employees were compromised in a phishing attack on or around August 9. The attack was identified promptly and the affected accounts were secured. The individuals responsible conducted the attack in order to re-route employees’ paychecks. The initial investigation, conducted with assistance from a data security firm, concluded on October 12, 2018 that the attackers would have been able to access sensitive information contained in the compromised accounts. The accounts were discovered to contain clients’ names, addresses, dates of birth, Social Security numbers, and limited medical information. Ramsey County reported the breach to the HHS’ Office for Civil Rights on December 11, 2018 and notified affected clients. The initial breach report indicated 599 clients had been affected. 9 months on and Ramsey County has announced that 117,905 individuals have...

Read More
Shore Specialty Consultants Pulmonology Group Breach Impacts 9,700 Patients
Sep16

Shore Specialty Consultants Pulmonology Group Breach Impacts 9,700 Patients

New Jersey-based Shore Specialty Consultants Pulmonology Group (SSCPG) is notifying 9,700 patients that some of their protected health information (PHI) has potentially been subjected to unauthorized access as a result of a recent security breach. On July 8, 2019, SSCPG discovered a hacker gained access to a network server containing patient information. The breach was detected within a day and the server was secured. A forensic investigation of the breach did not uncover any evidence to suggest patient information was accessed or stolen, but the possibility could not be ruled out. The compromised server contained the PHI of patients who had previously participated in sleep studies at SSCPG. Highly sensitive information such as Social Security numbers, health insurance information and financial information were not exposed. The breach was limited to patients’ names, dates of birth, details of the care received at SSCPG, and some information relating to the sleep study. The breach prompted SSCPG to conduct a review of its policies and procedures and additional security measures are...

Read More
Phishing Incidents Reported by Fraser and East Central Indiana School Trust
Sep16

Phishing Incidents Reported by Fraser and East Central Indiana School Trust

East Central Indiana School Trust (ECIST) has started notifying more than 3,200 individuals that some of their protected health information (PHI) has been exposed as a result of a recent phishing attack. On May 19, 2019, an employee was fooled into disclosing email account credentials which were used by the attacker to gain access to that individual’s email account. The breach was detected on May 22, 2019 and the account was secured. A third-party computer forensics company was retained to investigate the breach and determine whether patient information was compromised or stolen in the attack. The forensics firm did not uncover any evidence to suggest emails in the account were opened or downloaded by the attacker, but the possibility of unauthorized data access and theft could not be ruled out. The compromised email account contained information such as employees’ and dependents’ names, dates of birth, Social Security numbers, driver’s license numbers, prescription details, health insurance information, and some medical information. The breach has been reported to the HHS’ Office...

Read More
Utah Ransomware Attack Impacts 320,000 Patients
Sep10

Utah Ransomware Attack Impacts 320,000 Patients

The Utah physician group, Premier Family Medicine, is notifying 320,000 patients that some of their protected health information has potentially been compromised as a result of a recent ransomware attack. The attack occurred on July 8, 2019 and temporarily prevented access to patient data and certain systems. According to the August 30, 2019 breach notice on its website, the physician group notified law enforcement and engaged the services of technical consultants to investigate the breach and regain access to its systems and patient data. It is unclear whether the ransom demand was paid. The breach affected all ten of its Utah County locations. “Even though our investigation has found no reason to believe patient information was accessed or taken, we are very concerned that this event even occurred and have taken steps to further enhance the security of our systems,” said Premier Family Medicine chief administrator, Robert Edwards. Community Psychiatric Clinic Breaches Impact 15,537 Patients Community Psychiatric Clinic, a provider of mental health services in Seattle, WA, has...

Read More
OCR Settles First HIPAA Violation Case Under 2019 Right of Access Initiative
Sep10

OCR Settles First HIPAA Violation Case Under 2019 Right of Access Initiative

Earlier this year, the Department of Health and Human Services’ Office for Civil Rights (OCR) announced that one of the main areas of HIPAA enforcement in 2019 would be HIPAA right of access failures, including untimely responses to access requests and overcharging for copies of medical records. The HIPAA right of access allows patients to obtain copies of their medical records on request. HIPAA-covered entities are required to honor those requests and provide patients with access to PHI or copies of health data contained in a ‘designated record set’ within 30 days of the request being received. A covered entity is permitted to charge a reasonable, cost-based fee for providing a copy of the individual’s PHI, which can include the cost of certain labor, supplies and postage. HIPAA-covered entities that fail to provide copies of records in a reasonable time frame or charge excessive amounts for providing a copy of a patient’s PHI are in violation of the HIPAA Privacy Rule – See 45 CFR 164.501. Such violations can attract a sizable financial penalty. This week, OCR has announced...

Read More
Study Confirms Why Prompt Data Breach Notifications Are So Important
Sep05

Study Confirms Why Prompt Data Breach Notifications Are So Important

When healthcare organizations experience a data breach it is understandable that breach victims will be upset and angry. Information is provided to healthcare organizations in the understanding that safeguards have been implemented to keep that information private and confidential. When patients and health plan members learn that their sensitive, private information has been exposed or stolen, many choose to take their business elsewhere. According to a new study* by the credit reporting agency Experian, if the breach response is properly managed and the breached entity is transparent and issues notifications promptly, customer churn rate can be kept to an absolute minimum. The Health Insurance Portability and Accountability Act’s (HIPAA) Breach Notification Rule requires notifications to be issued to breach victims ‘without unreasonable delay’ and no later than 60 days from the discovery of the breach. However, a majority of patients expect to be notified much more quickly. The study showed 73% of patients/plan members expect to be notified about a breach within 24 hours of the...

Read More
Multiple Email Accounts Compromised in UC Health Phishing Attack
Sep05

Multiple Email Accounts Compromised in UC Health Phishing Attack

University of Cincinnati Health (UC Health) is investigating a security breach that saw the email accounts of multiple employees accessed by an unauthorized individual. The attack occurred between July 6 and July 12, 2019 and involved ‘a limited number’ of employee email accounts. An analysis of the compromised email accounts revealed they contained patients’ names, birth dates, medical record numbers, and some clinical information. A forensic analysis of UC Health email system was unable to establish whether the attackers opened or copied any emails or email attachments.  UC Health is attempting to determine exactly which patients have been affected and notification letters will be sent “in the coming weeks.” UC Health announced the breach on its website on September 4, 2019. UC Health will be enhancing email security and re-educating employees to help them identify phishing and other malicious emails. The incident has not yet appeared on the HHS’ Office for Civil Rights website, so it is unknown how many patients have been affected. Conway Regional Medical Center Phishing Attack...

Read More
Artesia General Hospital Phishing Attack Impacts 13,905 Patients
Sep05

Artesia General Hospital Phishing Attack Impacts 13,905 Patients

Artesia General Hospital in Artesia, NM, has discovered the protected health information (PHI) of 13,905 patients has been compromised in a phishing attack. The breach was detected when an employee’s email account was discovered to have been used to send unauthorized emails. The breach was detected on June 18, 2019 and the forensic analysis revealed the account had been accessed by an unauthorized individual between June 11 to June 18. A leading computer forensics company was engaged to investigate the breach, but no evidence of data theft was discovered. To date, no reports have been received to suggest PHI has been stolen or misused. The email accounts contained patients’ names, birth dates, patient account numbers, medical record numbers, health insurance information, and some treatment and/or clinical information, such as diagnoses, dates of service, and provider names. A small subset of affected patients also had Social Security numbers exposed. The hospital has re-enforced security awareness training and additional measures are being implemented to improve email security....

Read More
122,000 Providence Health Plan Members Impacted by Dominion National Data Breach
Sep04

122,000 Providence Health Plan Members Impacted by Dominion National Data Breach

In July 2019, Dominion National, an insurer and administrator of dental and vision benefits, announced the discovery of a major data breach that impacted around 2.9 million health plan members. Hackers had gained access to Dominion National servers in 2010. The breach was detected on April 24, 2019. Providence Health Plan has recently announced the breach at Dominion National affected 122,000 of its plan members. Virginia-based Dominion National administers Providence Health Plan’s dental program in Oregon, and as such, had access to plan members’ protected health information (PHI), including names, addresses, dates of birth, insurance information, and Social Security numbers. Dominion National started administering the health plan’s dental program in 2015. The breach was therefore limited to customers who participated in the dental program between 2015 and 2019. Affected Providence Health Plan members were notified by Dominion National in August and have been offered two years of complimentary credit monitoring and identity theft protection services. Laptop Theft from Business...

Read More
82% of Healthcare Organizations Have Experienced a Cyberattack on Their IoT Devices
Sep03

82% of Healthcare Organizations Have Experienced a Cyberattack on Their IoT Devices

82% of healthcare providers that have implemented Internet-of-Things (IoT) devices have experienced a cyberattack on at least one of those devices over the course of the past 12 months, according to the Global Connected Industries Cybersecurity Survey from Swedish software company Irdeto. For the report, Irdeto surveyed 700 security leaders from healthcare organizations and firms in the transportation, manufacturing, and IT industries in the United States, United Kingdom, Germany, China, and Japan. Attacks on IoT devices were common across all those industry sectors, but healthcare organizations experienced the most cyberattacks out of all industries under study. The biggest threat from these IoT cyberattacks is theft of patient data. The attacks also have potential to compromise end user safety, result in the loss of intellectual property, operational downtime and damage to the organization’s reputation. The failure to effectively secure the devices could also potentially result in a regulatory fine. When asked about the consequences of a cyberattack on IoT devices, the biggest...

Read More
73 Email Accounts Compromised in Major Phishing Attack on NCH Healthcare System
Sep02

73 Email Accounts Compromised in Major Phishing Attack on NCH Healthcare System

The importance of security awareness training for healthcare employees has been highlighted by a recent phishing attack on Bonita Springs, FL-based NCH Healthcare System. The attack was detected on June 14, 2019 when suspicious email activity was identified in relation to its payroll system. The investigation revealed a staggering 73 employees had responded to phishing emails and disclosed their account credentials to the scammers. It is common for healthcare organizations to identify an email account breach and later discover the attack was more extensive than originally thought. Oftentimes, several emails accounts are discovered to have been compromised, often as a result of lateral phishing – The use of one compromised email account to send phishing emails to other individuals in the organization. However, a breach as extensive as this is fortunately rare. NCH Healthcare system is still investigating the attack and is being assisted by a third-party computer forensics firm. The initial findings of the investigation suggest the attackers were not concerned with obtaining PHI,...

Read More
Ransomware Attack Impacts More Than 400 U.S. Dental Practices
Aug30

Ransomware Attack Impacts More Than 400 U.S. Dental Practices

A ransomware attack on a medical record backup service has prevented hundreds of dental practices in the United States from accessing their patients’ records. The attack occurred on August 26, 2019 and affected the DDS Safe backup solution developed by Wisconsin-based software company, Digital Dental Record (DDS). The DDS system was accessed via an attack on its cloud management provider, West Allis, WI-based PerCSoft. Ironically, the DDS website states DDS Safe helps to protect dental practices against ransomware attacks. The attack did not affect all dental practices using the DDS Safe solution. Initial reports suggest between 400 and 500 of the 900 dental practices using the solution have been affected by the REvil/Sodinokibi ransomware attack. PerCSoft, assisted by a third-party software company, has obtained a decryptor and is in the process of recovering the encrypted files. According to a statement from DDS, recovery of files is estimated to take between 30 minutes to 4 hours per client. Some dental practices have reported file loss as a result of the attack and others have...

Read More
33,370 Mount Sinai Hospital Patients Impacted by AMCA Breach
Aug29

33,370 Mount Sinai Hospital Patients Impacted by AMCA Breach

Mount Sinai Hospital has discovered the protected health information (PHI) of 33,730 patients was compromised in the cyberattack on American Medical Collection Agency (AMCA).  The hospital is the 24th known victim of the massive AMCA breach, which has affected almost 25 million patients. AMCA notified Mount Sinai Hospital on June 4, 2019 that an unauthorized individual had gained access to a web payment page, through which the PHI of its clients’ patients could be accessed. The webpage was compromised on August 1, 2018 and unauthorized access continued until March 30, 2019 when the breach was discovered and the web page was secured. The breach only affected patients with outstanding medical bills that had been passed to AMCA for collection. The breach involved names, name of lab or medical service provider, dates of service, referring physician’s name, health insurance information, and other medical information related to the services provided by Mount Sinai. Some patients also had financial information exposed. Those individuals were notified directly by AMCA and offered credit...

Read More
Georgia Court of Appeals to Decide Whether Athens Orthopedic Data Breach Victims Are Entitled to Damages
Aug28

Georgia Court of Appeals to Decide Whether Athens Orthopedic Data Breach Victims Are Entitled to Damages

A class action lawsuit filed by victims of a June 2016 cyberattack on Athens Orthopedic in Georgia has gone before the Georgia Supreme Court to determine whether breach victims are entitled to recover damages. The cyberattack in question saw the personal information, Social Security numbers, and health insurance information of approximately 200,000 individuals stolen by the hacking group, Dark Overlord. The Dark Overlord has conducted numerous attacks on healthcare organizations in the United States over the past three years. Initially, attacks were conducted to steal sensitive data, which was subsequently sold on dark web marketplaces. More recently, attacks have involved data theft and extortion. A ransom demand is issued to breached entities that must be paid in order to prevent publication of the stolen data.  Athens Orthopedic did not pay the ransom demand. The Dark Overlord gained access to Athens Orthopedic’s systems via an attack on a “nationally-known health care information management contractor,” the login credentials of which were used to steal patient data. Athens...

Read More
AMCA Data Breach Total Nears 25M as Wisconsin Diagnostic Laboratories Confirms 115K Record Breach
Aug28

AMCA Data Breach Total Nears 25M as Wisconsin Diagnostic Laboratories Confirms 115K Record Breach

The victim count from the American Medical Collection Agency (AMCA) data breach has risen to almost 25 million as yet another healthcare organization has announced it has been impacted by the breach. Wisconsin Diagnostic Laboratories (WDL), a network of 13 medical testing facilities in and around Milwaukee, is notifying 114,985 patients that some of their protected health information was compromised in the AMCA data breach. On June 3, 2019, AMCA informed WDL that some of its patients’ data had been compromised as a result of the hacking of a web payment portal. The hacker gained access to the payment page on August 1, 2018. The breach was detected on March 30, 2019 and unauthorized access was terminated. The types of information in AMCA systems was limited to patients’ names, dates of birth, dates of service, names of lab or medical service providers, referring physician’s name, balances owed to WDL, and other medical information related the services provided by WDL. No Social Security numbers or lab test results were compromised in the breach. A limited number of individuals also...

Read More
July 2019 Healthcare Data Breach Report
Aug26

July 2019 Healthcare Data Breach Report

May 2019 was the worst ever month for healthcare data breaches with 46 reported breaches of more than 500 records. More breaches were reported in May than any other month since the HHS’ Office for Civil Rights started publishing breach summaries on its website in 2009. That record of 44 breaches was broken in July. July saw 50 healthcare data breaches of more than 500 records reported to the Department of Health and Human Services’ Office for Civil Rights, which is 13 more breaches than the monthly average for 2019 and 20.5 more breaches than the monthly average for 2018. July 2019 was the second worst month in terms of the number of healthcare records exposed. 25,375,729 records are known to have been exposed in July. There are still 5 months left of 2019, yet more healthcare records have been breached this year than in all of 2016, 2017, and 2018 combined. More than 35 million individuals are known to have had their healthcare records compromised, exposed, or impermissibly disclosed this year. Causes of July 2019 Healthcare Data Breaches   The main reason for the increase in...

Read More
Phishing Attack on Presbyterian Healthcare Services Exposed PHI of 183,000 Patients
Aug26

Phishing Attack on Presbyterian Healthcare Services Exposed PHI of 183,000 Patients

The Albuquerque, NM-based not-for-profit health system, Presbyterian Healthcare Services, has experienced a phishing attack that saw the email accounts of several employees subjected to unauthorized access. The phishing attack was discovered by Presbyterian Healthcare Services on June 6, 2019. The breach investigation revealed the email accounts were compromised a month previously, on or around May 9, 2019. Upon discovery of the breach, all affected email accounts were secured to prevent further access. An analysis of the compromised email accounts revealed they contained the protected health information (PHI) of 183,370 individuals. Compromised PHI was limited to names, dates of birth, Social Security numbers, and clinical and health plan information. Affected individuals have been advised to check their statements from their providers and health plans for signs of misuse of their personal information. Presbyterian Healthcare Services has implemented additional safeguards to protect its email system and all employees will be required to undergo annual cybersecurity training....

Read More
Massachusetts General Hospital Data Breach Impacts 10,000 Patients
Aug23

Massachusetts General Hospital Data Breach Impacts 10,000 Patients

Massachusetts General Hospital (MGH) has discovered computer applications used by researchers in its Department of Neurology have been subjected to unauthorized access. The individual responsible would have been able to access the protected health information of approximately 10,000 patients. MGH discovered the breach on June 24, 2019 and immediately terminated access to the applications and databases. An investigation was launched, and a forensic investigator was engaged to help determine the nature and scope of the breach. The investigation confirmed that two applications had been subjected to unauthorized access between June 10 and June 16, 2019. Via the applications, the unauthorized individual would have been able to view information in databases related to specific neurology research studies. The types of information in the databases varied from patient to patient and may have included: Name, marital status, age, date of birth, sex, race, ethnicity, dates of visits and tests, medical record number, diagnoses, treatment information, biomarkers, genetic information, assessments...

Read More
Rhode Island Healthcare Provider Hacked: 3,000 Records Potentially Compromised
Aug22

Rhode Island Healthcare Provider Hacked: 3,000 Records Potentially Compromised

Rhode Island Ear, Nose and Throat Physicians Inc. (RIENT) is notifying 2,943 patients that some of their health information was stored on a server which was subjected to unauthorized access on June 19, 2019 when a hacker gained access to its network. The breach was detected the same day and the network was secured. A third-party computer forensics firm was hired to assist with the investigation and help determine the nature and extent of the breach. The compromised servers did not contain the medical records of all patients, only records of patients who received medical services between May 1, 2019 and June 12, 2019.  The forensic investigation did not uncover any evidence to suggest patient information was viewed or copied and no reports have been received to suggest patient information has been misused. For the majority of affected patients, the breach was limited to names, dates of birth, and clinical information. A small subset of patients also had their Social Security number exposed. Patients whose Social Security number was exposed have been offered complimentary credit...

Read More
Medical Records of Western Connecticut Health Network Patients Exposed
Aug22

Medical Records of Western Connecticut Health Network Patients Exposed

Nuvance Health has started notifying certain Western Connecticut Health Network (WCHN) patients that some of their protected health information has been exposed. On June 11, 2019, WCHN sent a box of medical records to the Connecticut State Department of Public Health. The package was sent via the U.S. Postal Service (USPS), but the package was damaged in transit, exposing the contents of the package. WCHN was notified and retrieved the damaged package from the USPS. A spokesperson for WCHN said there was no indication that any information had been removed and misused and that the package did not appear to have left the custody of the USPS until it was collected by WCHN personnel. WCHN has now changed its procedures for sending protected health information to ensure similar incidents are prevented in the future. Patients were notified on August 19, 2019. The types of information in the records was limited to names, addresses, dates of birth, provider names, medical record numbers, diagnosis dates, diagnoses, and medical test results. The HHS’ Office for Civil Rights breach...

Read More
30K Integrated Regional Laboratories Patients Impacted by AMCA Breach
Aug20

30K Integrated Regional Laboratories Patients Impacted by AMCA Breach

Integrated Regional Laboratories (IRL) in Florida is notifying approximately 30,000 patients that their protected health information (PHI) was potentially compromised in the American Medical Collection Agency (AMCA) data breach discovered on March 20, 2019. On June 3, 2019, AMCA notified IRL about its security breach and confirmed on June 13, 2019 that the PHI of IRL patients had been exposed. IRL posted a breach notice on its website on July 30, and patients are being notified. IRL stopped sending patient information to AMCA when the breach was discovered, and the company is no longer using AMCA’s services. AMCA has been instructed to securely destroy all copies any IRL patients’ PHI. According to the breach summary on the HHS’ Office for Civil Rights website, 29,644 patients were affected by the breach. Over the past few days, the breach summaries of several victims of the AMCA breach have been added to the OCR’s breach portal. HIPAA Journal has been tracking breach reports and has identified 22 HIPAA-covered entities that have been affected by the breach. So far, 24,739,540...

Read More
PHI Exposed in Phishing Attacks on Michigan Medicine and Virginia Gay Hospital
Aug19

PHI Exposed in Phishing Attacks on Michigan Medicine and Virginia Gay Hospital

5,466 patients of Michigan Medicine are being notified that some of their protected health information has been exposed in a recent phishing attack. In July, Michigan Medicine employees were targeted in large scale phishing campaign. 3,200 Michigan Medicine employees received phishing emails containing a hyperlink to a legitimate looking web page that requested the user’s email login credentials. Three employees responded to the emails and disclosed their credentials. Those accounts were subjected to unauthorized access and were used to send further phishing emails. Michigan Medicine detected suspicious activity in the email accounts on July 8, 9 and 12, 2019 and performed a password reset to prevent any further unauthorized access. As a precaution, the passwords were also resent on the email accounts of all employees who received one of the phishing emails. Two of the accounts were discovered to contain patient information. In addition to a patient’s name, one or more of the following may have been compromised: Address, date of birth, medical record number, diagnostic information,...

Read More
Ohio Eye Care Provider Suffers Ransomware Attack
Aug15

Ohio Eye Care Provider Suffers Ransomware Attack

Eye Care Associates, a fully integrated regional eye care provider in northeast Ohio, experienced a ransomware attack in late July which took its computer systems out of action. Two weeks after the attack occurred, its computer systems remain locked. According to Director of Operations, Mary Jo Silva, the attack occurred in the early hours of July 28, 2019. The Beaver Township Police Department was notified about the attack and the board was informed. A ransom demand was received, but no amount was stated on the demand. Contact with the attackers was required in order to discover how needed to be paid. Silva said no contact was made with the attackers and no payment was made. Eye Care Associates has been working with its backup and file storage service provider to recover all encrypted files. Silva expects systems to be brought back online in the next couple of days. An investigation into the attack has uncovered no evidence to suggest patient information was stolen. The Business Journal reports that the ransomware was delivered via email. The attack has caused considerable...

Read More
Hackers Demand $1 Million Ransom from Washington Hospital
Aug15

Hackers Demand $1 Million Ransom from Washington Hospital

A ransomware attack on an Aberdeen, WA-hospital and associated clinics is still causing problems two months after the attack occurred. The attackers have demanded $1 million for the keys to unlock the encryption. On June 15, 2019, Grays Harbor Community Hospital started experiencing IT problems. The attack occurred on a Saturday when staffing was limited so initially the problem was attributed to an IT issue. On Monday it became apparent that ransomware was involved and steps were taken to isolate the infection and secure the network; however, the attackers had already moved laterally and had gained access to servers and the systems used by Harbor Medical Group clinics. The initial point of attack appears to have been a response to a phishing email by a single employee. Harbor Medical Group operates 8 clinics in the Aberdeen and Hoquiam region, and those clinics were the worst affected by the attack. Grays Harbor Community Hospital used older software, which prevented the ransomware from being installed on the hospital’s main computer system. The clinics used more recent software,...

Read More
Renown Health Discovers PHI was Stored on Lost Thumb Drive
Aug14

Renown Health Discovers PHI was Stored on Lost Thumb Drive

Renown Health, the largest healthcare provider in Northern Nevada, has started notifying certain patients that some of their protected health information (PHI) may have been compromised. Patient information was present in files on a portable storage device (thumb drive) discovered to be missing on June 30, 2019. An extensive search of the facility was conducted but the thumb drive could not be located. An investigation was conducted to determine what files had been saved to the device and which patients had their PHI exposed. Files on the storage device related to patients who had received inpatient services at Renown South Meadows Medical Center between January 1, 2012 and June 14, 2019. The types of information in the files included names, diagnoses, medical record numbers, clinical information, admission dates, and physicians’ names.  No Social Security numbers or financial information were stored on the device. Patients have been advised to exercise caution and monitor their accounts and explanation of benefits statements for any signs of fraudulent activity. Renown Health will...

Read More
More than 10,000 FDNY EMS Patients Notified of PHI Exposure
Aug12

More than 10,000 FDNY EMS Patients Notified of PHI Exposure

10,292 EMS patients who were taken to hospital by a New York Fire Department (FDNY) ambulance between 2011 and 2018 have had some of their protected health information exposed. According to FDNY spokesperson Myles Miller, there was “a loss of data caused by one employee’s failure to follow the department’s data security policies.” The fire department learned on March 4, 2019 that an employee’s personal hard drive was missing. The hard drive had been used by the employee to store files containing patient information such as patient care reports. A patient care report is created when a 911 call is received that requires an ambulance to respond. The reports contained information on 10,253 patients such as name, address, telephone number, date of birth, insurance details, health condition, and for approximately 3,000 patients, their Social Security number. All affected individuals are now being notified of the breach and individuals whose Social Security number was exposed have been offered complimentary credit monitoring services. “The FDNY is treating the incident as if the...

Read More
Email Security Breaches Expose PHI of Seattle Community Psychiatric Clinic Patients
Aug09

Email Security Breaches Expose PHI of Seattle Community Psychiatric Clinic Patients

Community Psychiatric Clinic in Seattle, WA, a provider of accredited outpatient, mental health treatment, and counselling services, has experienced two security breaches in which patient information may have been compromised. In both cases, an unauthorized individual gained access to an employee’s Microsoft Office 365 account. The first security breach was detected on March 12, 2019 when an employee’s account was subjected to unauthorized access. The affected account was immediately secured, passwords were changed, and the employee’s hard drive was restored.  The email account also had additional protections added to prevent similar breaches from occurring in the future. The investigation did not uncover any evidence to suggest that patient data had been stolen. Around two months later on May 8, 2019, a second email account was discovered to have been compromised in a separate attack. The attacker used the email account to send a fraudulent wire transfer request to another member of staff. The transfer was executed, but due to the fast response of the clinic, it was possible to...

Read More
PHI of Tens of Thousands of Patients Exposed Online Due to Database Misconfiguration
Aug08

PHI of Tens of Thousands of Patients Exposed Online Due to Database Misconfiguration

A database containing the personal information of individuals who had expressed an interest in Amarin Pharma’s cholesterol drug Vascepa® has been exposed online. The database was maintained by third party vendor and contained information such as full names, addresses, telephone numbers, email addresses, medications, and interest in a copay card for Vascepa®. Amarin learned of the breach via media reports of an exposed database containing information of Amarin customers and immediately launched an investigation. The company quickly determined which database had been exposed and took steps to suspend active data feeds and the database was secured the same day. The vendor’s investigation revealed a database misconfiguration had occurred which rendered the database accessible online between May 2, 2018 and June 20, 2019. An investigation by the vendor confirmed that the database had been subjected to unauthorized access by a third party between May 29, 2019 and June 20, 2019, and during that time data had been copied. Amarin and its vendor are continuing to investigate the breach and...

Read More
Further 185,000 Individuals Affected by AMCA Data Breach
Aug08

Further 185,000 Individuals Affected by AMCA Data Breach

Three more healthcare organizations have announced they have been affected by the data breach at American Medical Collection Agency (AMCA): West Hills Hospital & Medical Center in California, Inform Diagnostics, and CompuNet Clinical Laboratories. The AMCA data breach was first announced more than two months ago. Most of the companies impacted by the breach were notified by AMCA in May/June that some of their patients’ data had potentially been compromised, but it has taken several weeks for those companies to be provided with sufficient information to make announcements and sent notification letters. The breach at AMCA occurred between August 1, 2018 and March 30, 2019. During that period, an unauthorized individual had access to a web payment page, through which it was possible to obtain personal and financial information. Affected individuals had had their information passed to AMCA to collect outstanding bills for medical services. The latest announcements bring the total number of companies known to have been affected to 21. It is not yet known how many patients of West...

Read More
Presbyterian Healthcare Services Data Breach Impacts 183,000 Patients
Aug05

Presbyterian Healthcare Services Data Breach Impacts 183,000 Patients

New Mexico-based Presbyterian Healthcare Services is notifying approximately 183,000 patients and health plan members that some of their protected health information (PHI) has been exposed in a recent security breach. On or around May 6, 2019, several Presbyterian Healthcare Services employees received phishing emails. Certain employees responded to the emails and inadvertently disclosed their credentials to the attackers. Those credentials were used to gain access to accounts containing sensitive information such as names, dates of birth, and Social Security numbers. Presbyterian Healthcare Services became aware of the breach on June 9 and immediately secured the affected accounts. The breach investigation uncovered no evidence to suggest any personal information was accessed or stolen by the attacker and no reports been received to suggest any PHI has been misused. The breach affected approximately 21% of Presbyterian Healthcare Services patients and plan members. Affected individuals have been offered complimentary credit monitoring and identity theft protection services for 12...

Read More
Imperial Health Ransomware Attack Impacts More Than 111,000 Patients
Aug02

Imperial Health Ransomware Attack Impacts More Than 111,000 Patients

Imperial Health, a physicians’ network serving patients in Southwest Louisiana, is alerting more than 111,000 patients that some of their protected health information has potentially been compromised in a recent ransomware attack. An unauthorized party had succeeded in downloading ransomware onto the network, which encrypted files and a database used by the Imperial Health’s Center for Orthopaedics (CFO). The attack was detected on May 19, 2019. The database contained the protected health information of 116,262 patients. While no evidence of data access or data theft was uncovered during the investigation, it was not possible to rule out a breach of PHI. The decision was therefore taken to issue notifications to affected patients to allow them to take step to eliminate any risk of harm. The information stored in the database related to patients who had previously received medical services at CFO. The information varied from patient to patient and may have included name, address, telephone number, birth date, Social Security number, medical record number, diagnoses, treatment...

Read More
First Half of 2019 Sees 31.6 Million Healthcare Records Breached
Aug02

First Half of 2019 Sees 31.6 Million Healthcare Records Breached

It has been a particularly bad six months for the healthcare industry. Data breaches have been reported in record numbers and the number of healthcare records exposed on a daily basis is extremely concerning. The trend of more than one healthcare data breach a day has continued throughout 2019, even reaching a rate of 2 per day in May. According to the 2019 Mid-Year Data Breach Barometer Report from Protenus and Databreaches.net, 31,611,235 healthcare records were breached between January 2019 and June 2019. To put that figure into perspective, it is double the number of records exposed in healthcare data breaches in the entirety of 2018 (14,217,811 records). One breach stands out from the 285 incidents reported in the first half of the year: The data breach at American Medical Collection Agency (AMCA). A batch of stolen credentials on a dark net marketplace was traced back to AMCA, which discovered its payment web page had been compromised for months. It is not yet known exactly how many healthcare records were exposed in the incident, but 18 clients are known to have been...

Read More
More than 522,000 Puerto Rico Patients Impacted by Ransomware Attack
Jul30

More than 522,000 Puerto Rico Patients Impacted by Ransomware Attack

More than half a million patients in Bayamón, Puerto Rico have been affected by a ransomware attack on a medical center and its associated hospital. Bayamón Medical Center and Puerto Rico Women and Children’s Hospital discovered on May 21, 2019 that their computer systems had been infected with ransomware. The ransomware encrypted a wide range of files and prevented hospital staff from accessing patient information ‘for a short period of time,’ according to a July 19, 2019 press release announcing the attack. Approximately 522,000 current and former patients are being notified about the ransomware attack as a precautionary measure. The internal investigation into the attack confirmed that patient information was affected, but no evidence of unauthorized data access or theft was identified. The information potentially compromised was limited to names, demographic information, clinical information, financial information, and in some cases, diagnosis information, dates of birth, and Social Security numbers. The ransomware attack only rendered data temporarily inaccessible and...

Read More
Kentucky Community Health Center Pays $70,000 Ransom to Recover PHI
Jul29

Kentucky Community Health Center Pays $70,000 Ransom to Recover PHI

On June 7, 2019, Louisville, KY-based Park DuValle Community Health Center suffered a ransomware attack. Hackers succeeded in gaining access to its network and installed ransomware which rendered its medical record system and appointment scheduling platform inaccessible. The not-for-profit health center provides medical services to the uninsured and low-income patients in the western Louisville area. For seven weeks, employees at the health center have been recording patient information on pen and paper and have had to rely on patients’ accounts of past treatments and medications. With its systems out of action, no patient data could be viewed, and appointments could not be scheduled. The clinic had to operate on a walk-in basis. The medical record system contained the records of around 20,000 current and former patients who had previously received treatment at one of its medical centers in Louisville, Russell, Newburg, or Taylorsville. This is not the first ransomware attack suffered by the health center this year.  A prior attack occurred on April 2, 2019, which similarly took...

Read More
2019 Cost of A Data Breach Study Reveals Increase in U.S. Healthcare Data Breach Costs
Jul24

2019 Cost of A Data Breach Study Reveals Increase in U.S. Healthcare Data Breach Costs

The Ponemon Institute/IBM Security has published its 2019 Cost of a Data Breach Report – A comprehensive analysis of data breaches reported in 2018. The report shows data breach costs have continue to rise and the costliest breaches are experienced by healthcare organizations, as has been the case for the past 9 years. Average Data Breach Costs $3.92 Million Over the past five years, the average cost of a data breach has increased by 12%. The global average cost of a data breach has increased to $3.92 million. The average breach size is 25,575 records and the cost per breached record is now $150; up from $148 last year. Globally, the healthcare industry has the highest breach costs with an average mitigation cost of $6.45 million. Healthcare data breaches typically cost 65% more than data breaches experienced in other industry sectors. Data breach costs are the highest in the United States, where the average cost of a data breach is $8.19 million – or $242 per record. The average cost of a healthcare data breach in the United States is $15 million. Healthcare Data Breaches Cost...

Read More
June 2019 Healthcare Data Breach Report
Jul24

June 2019 Healthcare Data Breach Report

For the past two months, healthcare data breaches have been reported at a rate of 1.5 per day – Well above the typical rate of one per day. In June, data breaches returned to more normal levels with 30 breaches of more than 500 healthcare records reported in June – 31.8% fewer than May 2019.   While the number of reported data breaches fell,  June saw a 73.6% increase in the number of health records exposed in data breaches. 3,452,442 healthcare records were exposed in the 30 healthcare data breaches reported in June. Largest Healthcare Data Breaches in June 2019 The increase in exposed records is due to a major breach at the dental health plan provider Dominion Dental Services (Dominion National Insurance Company). Dominion discovered an unauthorized individual had access to its systems and patient data for 9 years. During that time, the protected health information of 2,964,778 individuals may have been stolen. That makes it the largest healthcare data breach to be reported to the Office for Civil Rights so far in 2019 – At least for a month until entities affected by...

Read More
15,000 Patient Records Exposed in Phishing Attack on HIPAA Business Associate
Jul23

15,000 Patient Records Exposed in Phishing Attack on HIPAA Business Associate

Northwood Inc., a Madison Heights, MI-based HIPAA business associate, has announced that a hacker has gained access to the email account of one of its employees and potentially viewed or obtained sensitive patient information. The breach was discovered on May 6, 2019 while investigating suspicious activity related to an employee’s email account. When a breach was confirmed, a leading computer forensics expert was hired to assist with the investigation and determine the nature and full extent of the attack. The forensic investigation revealed the employee’s email account was accessed by an unauthorized individual(s) from May 3 to May 6. No evidence was found to suggest any emails had been viewed or copied, but data access and data theft could not be ruled out. All emails and email attachments in the account had to be checked to determine whether they contained any patient information. On June 19, Northwood determined patients’ protected health information had been exposed and may have included a patient’s name along with one or more of the following data elements: Address, date of...

Read More
AMCA Victim Count Swells to Almost 25 Million Records
Jul23

AMCA Victim Count Swells to Almost 25 Million Records

The number of healthcare providers confirmed to have been affected by the data breach at American Medical Collection Agency (AMCA) has grown considerably over the past few days. The victim count is now nearing 25 million and 18 healthcare providers are now known to have been affected. The AMCA breach was discovered by its parent company, Retrieval Masters Credit Bureau (RMCB), on March 21, 2019. An investigation was launched to determine the extent of the attack, which revealed the hacker had access to the AMCA payment web page for around 8 months. During that time, the hacker had access to vast quantities of sensitive patient information, including financial information and Social Security numbers. AMCA notified all entities that had been affected by the breach in May 2019; however, only limited information was released. Most of the covered entities affected by the breach were not given sufficient information to allow the affected patients to be identified. Quest Diagnostics was the first to announce that it has been impacted by the breach, closely followed by LabCorp and...

Read More
Thousands of Patients Impacted by Breaches at Cancer Treatment Centers of America and Edgepark Medical Supplies
Jul22

Thousands of Patients Impacted by Breaches at Cancer Treatment Centers of America and Edgepark Medical Supplies

Edgepark Medical Supplies (EMS) has discovered an unauthorized individual has gained access to certain customer accounts and changed addresses and had their orders redirected to other addresses. On May 13, 2019, EMS discovered the potential breach and disabled the affected online accounts. The investigation revealed an unauthorized individual gained access to the accounts by using brute force tactics, often referred to as a password spraying attack. This is an automated, sustained attempt to gain access to accounts by using commonly used passwords and dictionary words until the correct password is guessed. Once account passwords had been guessed, shipping addresses were changed to redirect orders. It is possible that orders have been placed by the attacker unbeknown to Edgepark.com account holders. EMS is still investigating the breach and will be issuing refunds to any customers who have been charged for fraudulent orders. In addition to fraudulent use of their accounts, the following information may have been viewed/obtained by the hacker: Customer name, address, date of birth,...

Read More
21,400 Patients Impacted by St. Croix Hospice Phishing Attack
Jul19

21,400 Patients Impacted by St. Croix Hospice Phishing Attack

St. Croix Hospice, a provider of hospice care throughout the Midwest, has discovered an unauthorized individual gained access to the email account of an employee and potentially viewed patient information. The breach was detected on May 10, 2019 when suspicious email activity was detected in the account. A third-party computer forensics firm was hired to assist with the investigation and discovered several employees’ email accounts were compromised between April 23, 2019 and May 11, 2019. It was not possible to determine whether any patient information had been accessed or copied, but the forensics firm did confirm that the accounts had been subjected to unauthorised access. An extensive systemic review of the compromised email accounts was conducted to identify which patients had had their protected health information exposed. On June 21, 2019, it was confirmed that protected health information had been exposed. The review has now been completed and patients are being notified that their name, address, financial information, Social Security number, health insurance information,...

Read More
Wise Health System Phishing Attack impacts 35,899 Patients
Jul19

Wise Health System Phishing Attack impacts 35,899 Patients

Wise Health System in Decatur, TX, has started sending notifications to patients to inform them that some of their protected health information (PHI) has been exposed as a result of a phishing attack. 35,899 patients have potentially been affected. The attack occurred on March 14, 2019. Several employees received phishing emails and some responded and disclosed their account credentials. The credentials were then used to gain access to the Employee Kiosk, where the attacker(s) attempted to reroute payroll direct deposits.  Attempts were made to redirect approximately 100 direct deposit payments. Wise Health had policies in place that require a paper check to be printed for two successive payrolls following a change to direct deposit information. The checks were printed in the payroll on April 5 and the unusually high number of checks raised the alarm. Thanks to the two-check policy, the fraud was prevented and no payments were redirected.  A system wide password change was immediately performed to lock out the attackers and two third-party forensic firms were hired to investigate...

Read More
2.2 Million Clinical Pathology Laboratories Patients Affected by AMCA Breach
Jul18

2.2 Million Clinical Pathology Laboratories Patients Affected by AMCA Breach

Clinical Pathology Laboratories in Texas has recently discovered the protected health information (PHI) of approximately 2.2 million of its patients has potentially been compromised in the data breach at American Medical Collection Agency (AMCA). AMCA provides debt collection services to many healthcare companies, which requires access to the PHI of patients with outstanding bills. A cyberattack on the AMCA payment website allowed hackers to can access to the site, and through it, the PHI of patients. Hackers had access to the payment website for 8 months before the breach was detected. As of today, July 18, 2019, five AMCA clients have confirmed they have been affected by the breach. First came Quest Diagnostics, which announced through an SEC filing that 11.9 million of its patients had been affected. That was closely followed by LabCorp’s announcement that 7.7 million records had been exposed.  BioReference Laboratories also confirmed that around 422,000 of its patients had been affected, and recently 13,000 patients of Penobscot Community Health Center in Maine have been...

Read More
Penobscot Community Health Center Victim of AMCA Breach
Jul16

Penobscot Community Health Center Victim of AMCA Breach

Another healthcare provider has discovered it has been affected by the security breach at American Medical Collection Agency (AMCA). AMCA recently discovered an unauthorized individual had gained access to systems containing protected health information (PHI) provided by its clients. Its systems were first subjected to unauthorized access on August 1, 2018 and the breach persisted until March 30, 2019. Penobscot Community Health Center (PCHC), a not for profit health center in Bangor, ME, contracted with AMCA for billing collection services. AMCA notified PCHC on May 15, 2019 that the PHI of approximately 13,000 of its patients had potentially been compromised. In order to provide billing collection services, AMCA was provided with a limited amount of PHI. The only PHI provided to AMCA was for patients whose accounts had been sent to AMCA for debt collection and in each case the information disclosed was limited to the minimum necessary amount. During the 8 months that AMCA systems were subjected to unauthorized access the following types of information were potentially viewed or...

Read More
Email Account Hack Affects 25,000 Adirondack Health Patients
Jul15

Email Account Hack Affects 25,000 Adirondack Health Patients

Vermont-based Adirondack Health is notifying approximately 25,000 patients that some of their protected health information has potentially been obtained by a hacker. The information may have included patients’ names, dates of birth, Medicare ID numbers or health insurance member numbers, and limited treatment and/or clinical information. A subset of patients also had their Social Security number exposed. Adirondack Health is part of Adirondacks Accountable Care Organization (ACO), which includes various different healthcare providers. For monitoring purposes and to help improve the quality of services provided to patients, ACO receives and analyzes certain patient information. ACO recently discovered an unauthorized individual had gained access to the email account of an employee. The breach was detected on March 4, 2019 and the account was immediately secured. The hacker had access to the account for a period of two days. ACO checked every email and attachment in the compromised account to determine whether any PHI had been exposed. There was only one item in the compromised...

Read More
Premera Blue Cross Settles Multi-State Action for $10 Million
Jul12

Premera Blue Cross Settles Multi-State Action for $10 Million

Premera Blue Cross has agreed to a $10 million settlement to resolve a multi-state data breach lawsuit involving 30 state attorneys general. The settlement resolves alleged violations of state and federal laws that contributed to its 10.4 million record data breach in 2014. A hacker gained access to Premera Health’s network on May 5, 2014 and remained undetected until March 6, 2015. For almost a year the hacker had access to highly sensitive plan member information such as names, contact information, dates of birth, member ID numbers, and Social Security numbers. Alabama, Alaska, Arizona, Arkansas, California, Connecticut, Florida, Hawaii, Idaho, Indiana, Iowa, Kansas, Kentucky, Louisiana, Massachusetts, Minnesota, Mississippi, Montana, Nebraska, Nevada, New Jersey, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Rhode Island, Utah, Vermont and Washington all participated in the lawsuit. Washington State Attorney General Bob Ferguson led the investigation and looked at the security vulnerabilities that had been exploited by the hacker to gain access to such a large amount of...

Read More
More than 1,000 Essential Health Patients Impacted by Nemadji Research Corporation Breach
Jul11

More than 1,000 Essential Health Patients Impacted by Nemadji Research Corporation Breach

Essentia Health, an integrated health system serving Minnesota, Wisconsin, North Dakota, and Idaho, is sending notifications to more than 1,000 patients alerting them to the exposure of some of their protected health information (PHI). Like many healthcare providers, Essentia Health works with a third-party vendor that provides billing services to help recover lost revenue. Those services were provided by a Bruno, MN-based billing services firm called Nemadji Research Corporation. Essentia Health provided Nemadji with certain types of PHI to allow the company to perform its contracted services. Essentia Health did not disclose exactly what types of information were exposed in the substitute breach notice posted on its website. On March 28, 2019, Nemadji discovered unusual activity in an employee’s email account. The investigation revealed the employee had fallen for a phishing scam and had disclosed login credentials to the attacker. The account was subjected to unauthorized access for a period of several hours before the account was deactivated. The subsequent investigation...

Read More
Phishing Attack on California Business Associate Impacts 14,591 DHS Patients
Jul10

Phishing Attack on California Business Associate Impacts 14,591 DHS Patients

Nemadji Research Corporation, doing business as California Reimbursement Enterprises, has announced an unauthorized individual has gained access to the email account of an employee and may have viewed or copied the protected health information (PHI) of its clients’ patients. California Reimbursement Enterprises is a business associate of several healthcare facilities and hospitals in California and provides patient eligibility and billing services. The company also provides services to the Los Angeles County Department of Health Services (DHS). A potential email account breach was detected on March 28, 2019 when IT staff identified unusual activity in an employee’s email account. Assisted by a third-party computer forensics expert, Nemadji determined the employee responded to a phishing email the same day and the attacker accessed the account for several hours. All emails in the account were checked and on June 5, 2019, Nemadji confirmed that patient information had been exposed and notifications were issued to affected business partners. The breached email account contained...

Read More
Sensitive Data Potentially Compromised in Tennessee Hospice Phishing Attack
Jul05

Sensitive Data Potentially Compromised in Tennessee Hospice Phishing Attack

Alive Hospice in Nashville, TN, a provider of end-of-life care, palliative care, bereavement support and community education in middle Tennessee, has announced that the email account of an employee was subjected to unauthorized access in May 2019. Around May 6, 2019, suspicious activity was detected in an employee’s email account. The password for the account was immediately changed and an investigation was launched into the cause of the breach. The investigation revealed the email account was compromised on May 4, 2019 and hackers had access to the email account for a period of two days. Only one email account was compromised. Unauthorized account access was confirmed, but no evidence was found to suggest any patient information was accessed or stolen. The types of information in emails and email attachments varied from patient to patient and may have included the following types of PHI in addition to a patient’s name: Date of birth, Social Security number, driver’s license number, financial account number, medical history, treatment information, prescription information, treating...

Read More
PHI of 10,893 Summa Health Patients Potentially Compromised in Phishing Attack
Jul04

PHI of 10,893 Summa Health Patients Potentially Compromised in Phishing Attack

Akron, Ohio-based Summa Health has discovered an unauthorized individual has gained access to four employee email accounts containing patients’ protected health information (PHI). Summa Health became aware of the breach on May 1, 2019 and launched an investigation that revealed 2 email accounts had been breached in August 2018, and a further two accounts between March 11, 2019 and March 29, 2019. All four accounts were immediately secured and a third-party computer forensics firm was hired to determine whether any patient information had been accessed or stolen. The firm found no evidence of data theft or PHI access, although it was not possible to rule out the possibility that patient information was compromised in the breach. An analysis of the compromised accounts revealed they contained the following types of PHI: Patient names, dates of birth, medical record numbers, patient account numbers, clinical information, and treatment information. In total, 10,893 patients were affected. A small subset of those patients also had their Social Security numbers and/or driver’s license...

Read More
Student Sues Hospital for Unauthorized Use of PHI as Teaching Tool
Jul04

Student Sues Hospital for Unauthorized Use of PHI as Teaching Tool

A medical student is suing Marshall University and Cabell Huntington Hospital over the impermissible disclosure of some of his protected health information (PHI) to a class of students. The student, who is identified as J.M.A in the lawsuit, claims his x-rays were used as a teaching tool by a professor at Marshall University Joan C. Edwards School of Medicine, but information identifying J.M.A. as the patient had not been removed or redacted from the images. The matter had been brought to the attention of the university by another faculty member. On April 15, 2018, the dean of the medical school wrote to J.M.A to inform him of the privacy violation. The university was unaware that the professor was using the image as a teaching tool. J.M.A. claims he has suffered shame, embarrassment, humiliation, and severe anxiety as a direct result of the disclosure of his identity. It is unclear how many people viewed J.M.A’s x-rays and how many of those individuals disclosed what they saw to others. J.M.A is represented by Troy N. Giatras, Matthew W. Stonestreet, and Phillip A. Childs of The...

Read More
2.9 Million Members Affected by Dominion National 9-Year PHI Breach
Jul03

2.9 Million Members Affected by Dominion National 9-Year PHI Breach

Dominion National, a Virginia-based insurer, health plan administrator, and administrator of dental and vision benefits, has experienced a data security incident involving the personal information of individuals connected to the services it provides. Hackers first gained access to its servers in 2010. Following an internal alert, Dominion National launched an internal investigation and determined on April 24, 2019 that its systems had been breached. A leading cybersecurity company performed a comprehensive forensic analysis and review of affected data and confirmed the sensitive information of current and former members of Dominion National and Avalon Vision plans may have been compromised along with the PHI of individuals who are members of health plans for which the company provides administration services for. Data relating to individuals affiliated with the organizations that the company administers dental and vision benefits for, plan producers, and participating healthcare providers were also potentially compromised. Unauthorized access to its systems first occurred on August...

Read More
UChicago Accused of Illegally Sharing Patient Data with Google
Jul01

UChicago Accused of Illegally Sharing Patient Data with Google

A lawsuit has been filed by a former patient of UChicago Medicine who claims his medical records – and those of hundreds of thousands of other patients – have been shared with Google without authorization. UChicago Medicine, UChicago Medical Center, and Google have been named in the lawsuit. The suit claims patient information was shared with Google as part of study aimed to advance the use of artificial intelligence, but patient authorization was not obtained in advance and data were not properly deidentified. In 2017, UChicago Medicine started sending patient data to Google as part of a project to look at how historical health record data could be used to predict future medical events. Patient data were fed into a machine learning system which attempted to make health predictions about patients. The HIPAA Privacy Rule does not prohibit such disclosures, but prior to patient health information being disclosed, patients must either give their consent or protected health information must first be de-identified – Stripped of the 18 identifiers that allow protected health information...

Read More
5 Million Records Exposed Due to Unsecured MongoDB Marketing Database
Jul01

5 Million Records Exposed Due to Unsecured MongoDB Marketing Database

A MongoDB database containing the personal records of around 5 million individuals has been left exposed on the internet. The database contained personal information and health data and belonged to MedicareSupplement.com, a website run by TZ Insurance Solutions which helps individuals find a Medigap insurance plan. Individuals looking for coverage can visit the website to find out more about suitable health plans and can obtain quotes by filling out an online form and entering their personal information. Researchers from Compariteh and security researcher Bob Diachenko discovered the database on May 13, 2019. The marketing database contains information such as name, address, telephone number, email address, IP address, date of birth, gender, and information relating to health, life, auto, and supplemental insurance.  Around 239,000 records included the area of insurance interest. It is unclear for how long the database was exposed, but it was indexed by the search engine BinaryEdge on May 10, 2019. The researchers reported the breach to MedicareSupplement.com but no response was...

Read More
2,200 Franciscan Health Patients Notified of Unauthorized PHI Access by Employee
Jun26

2,200 Franciscan Health Patients Notified of Unauthorized PHI Access by Employee

Mishawaka, IN-based Franciscan Health has discovered the protected health information of approximately 2,200 patients has been accessed by a former employee without authorization. The privacy violation was discovered during a routine privacy audit. Franciscan Health announced that it was confirmed on May 24, 2019 that an employee in the quality research department had accessed the electronic medical records of patients without authorization and with no legitimate work reason for doing so. The individual concerned is no longer employed by Franciscan Health and the matter has been reported to law enforcement. While unauthorized PHI access was confirmed, Franciscan Health found no evidence to suggest that the employee copied, transmitted, or disclosed any patient information. Patient information was stored in Franciscan Health’s medical record system, which has been in use since 2012. Through that system, the former employee accessed patient records containing information such as names, addresses, email addresses, dates of birth, phone numbers, gender information, race/ethnicity, last...

Read More
Ransomware Attacks Reported by California and Illinois Clinics
Jun24

Ransomware Attacks Reported by California and Illinois Clinics

Patients of Quantum Vision Centers and Eye Surgery Center in Illinois are being notified that some of their protected health information may have been compromised in an April 2019 ransomware attack. An unauthorized individual gained access to certain Quantum systems and deployed ransomware on April 18, 2019. The ransomware encrypted files, some of which contained information such as names, dates of birth, addresses, health insurance information, and Social Security numbers. A third-party computer forensics firm has been hired to help determine the nature and scope of the attack. The investigation is ongoing, but it is believed that the malware was not used to steal any patient information. The sole purpose of the attack appears to have been to extort money from the business. Encrypted files are now being recovered and backup measures have been implemented to ensure services can continue to be provided to patients, albeit with some disruption. It is currently unclear exactly how many patients have been affected. Affected individuals have been offered one year of credit monitoring...

Read More
Phishing Attacks Reported by Broome County, NY and UMassMemorial Community Healthlink
Jun21

Phishing Attacks Reported by Broome County, NY and UMassMemorial Community Healthlink

Broome County in New York has started notifying 7,048 individuals that some of their protected health information (PHI) was compromised in a phishing attack on county employees. Broome County officials learned about the attack on January 2, 2019 when it was discovered that an employee’s direct deposit account information had been changed. An investigation was immediately launched which revealed ‘numerous’ Broome County email accounts had been compromised as a result of responses to phishing emails. Further, an unauthorized individual had also gained access to employees’ PeopleSoft accounts. A computer forensics expert was hired to assist with the investigation and determine how and when access to the accounts was first gained. That investigation revealed the first accounts were compromised on November 20, 2018 and further accounts were compromised up to January 2, 2019. Employee direct deposit information has been checked and all emails and email attachments in the compromised accounts have been analyzed. Broome County says multiple county departments were affected, including the...

Read More
Ransomware Attack Affects More than 60 Assisted Living Facilities
Jun21

Ransomware Attack Affects More than 60 Assisted Living Facilities

A provider of software for assisted living communities has experienced a ransomware attack that has affected more than 60 facilities that use the software. Tenx Systems, doing business as ResiDex Software, said the attack occurred on April 9, 2019 and affected its server infrastructure. Rapid action was taken to move the servers to a new hosting provider and files were seamlessly recovered from backups the same day as the attack. No ransom was paid. A forensic investigation was launched to determine whether any files had been accessed or other malicious actions had been performed by the attackers. The investigation revealed its servers were first compromised on April 2, 2019, 7 days prior to the deployment of ransomware. While extortion through file encryption may have been the main aim of the attack, it is possible that the attackers gained access to names, Social Security numbers, and medical records contained in the ResiDex system. It was not possible to establish which, if any, records were subjected to unauthorized access due to the complexity of the attack and the steps taken...

Read More
May 2019 Healthcare Data Breach Report
Jun20

May 2019 Healthcare Data Breach Report

In April, more healthcare data breaches were reported than in any other month to date. The high level of data breaches has continued in May, with 44 data breaches reported. Those breaches resulted in the exposure of almost 2 million individuals’ protected health information. On average, 2018 saw 29.5 healthcare data breaches reported to the HHS’ Office for Civil Rights each month – a rate of more than one a day. From January 2019 to May 2019, an average of 37.2 breaches have been reported each month. Up until May 31, 2019, 186 healthcare data breaches had been reported to OCR, which is more than half (52%) the number of breaches reported last year. It remains to be seen whether the increase in data breaches is just a temporary blip or whether 40+ healthcare data breaches a month will become the new norm. May saw a 186% increase in the number of exposed records compared to April. Across the 44 breaches, 1,988,376 healthcare records were exposed or compromised in May. So far this year, more than 6 million healthcare records have been exposed, which is more than half of the number of...

Read More
Oregon Department of Human Services Notifies 645,000 Clients of Phishing Breach
Jun20

Oregon Department of Human Services Notifies 645,000 Clients of Phishing Breach

The Oregon Department of Human Services (ODHS) is notifying 645,000 clients that some of their personal information has potentially been compromised as a result of a phishing attack. The targeted attack started on January 9, 2019 and resulted in 9 ODHS employees following links in emails and disclosing their login credentials. ODHS and the Department of Administrative Services Enterprise Security Office discovered the breach on January 28 following reports from employees who believed their email accounts had been accessed. All affected email accounts were rapidly identified and remote access to the accounts was blocked the same day. An investigation was launched into the breach to determine what protected health information may have been viewed and who had been affected. That process has taken some time to complete as it involved checking around 2 million emails. The attackers accessed the compromised accounts and were able to access emails in the accounts for a period of 19 days. ODHS has confirmed that no malware was installed by the attackers but they may have viewed or obtained...

Read More
Potential Breach at Meditab Software Impacts 2 Maryland Healthcare Providers
Jun20

Potential Breach at Meditab Software Impacts 2 Maryland Healthcare Providers

Two healthcare providers in Maryland have been affected by a potential breach at their business associate, Meditab Software Inc. Meditab provides EMR and practice management software to healthcare providers and its systems contain patient information. In March 2019, Meditab discovered some protected health information (PHI) had been left unprotected. Meditab had created a portal to view statistics for its Fax Cloud services. Statistics were maintained on all faxes, but no images were stored directly on the fax server. When faxes were transmitted, a link to the fax image on a separate and secure server was temporarily available until the fax was confirmed as having been received. When receipt was confirmed, the link is no longer available. Usernames and passwords were required to gain access to the portal; however, in January, a Meditab programmer deactivated authentication without authorization. While authentication was disabled, a limited number of faxes containing medical information were discoverable between January 9 and March 14, 2019. A limited number of faxes remained in the...

Read More
AMCA Parent Company Files for Chapter 11 Protection
Jun19

AMCA Parent Company Files for Chapter 11 Protection

Following the massive data breach at American Medical Collection Agency (AMCA) which saw more than 20 million records compromised, AMCA’s parent company, Retrieval-Masters Creditors Bureau Inc., has filed for Chapter 11 protection. The data breach affected individuals who had received medical testing services from Quest Diagnostics, LabCorp, or BioReference Laboratories. Hackers gained access to the web payment portal used by AMCA and accessed and stole the sensitive personal and financial data of patients. The hackers had access to its payment page for more than 7 months before the breach was detected. The cost of recovering from a breach on this scale is considerable. So far, AMCA has mailed more than 7 million breach notification letters to affected individuals at a cost of $3.8 million. A further $400,000 has been spent on hiring IT consultants to assist with the breach response. The data breach caused a cascade of events that led to the bankruptcy filing. Retrieval-Masters Creditors Bureau CEO Russell Fuchs lent AMCA $2.5 million to help cover the cost of mailing the breach...

Read More
Shingle Springs Health and Wellness Center Ransomware Attack Impacts 21,000 Patients
Jun19

Shingle Springs Health and Wellness Center Ransomware Attack Impacts 21,000 Patients

Shingle Springs Health and Wellness Center (SSHWC) in Placerville, CA, is notifying 21,513 patients that protected health information (PHI) was potentially compromised as a result of a recent ransomware attack. SSHWC learned on April 7, 2019 that its server infrastructure had been compromised and ransomware had been deployed. As a result of the attack, all computer systems were rendered inoperable and access to patient data and essential files was blocked. An investigation was immediately launched and the cyberattack was reported to the Federal Bureau of Investigation and the Indian Health Service. SSHWC has now installed new servers and is fast-tracking system upgrades and workstation updates across all departments. The ransomware attack is believed to have been conducted to extort money from SSHWC; however, files containing PHI were involved in the breach and could potentially have been compromised. Those files contained names, addresses, telephone numbers, Social Security numbers, health insurance information, provider names, dates of service, amount paid or owed, and diagnosis...

Read More
Urology Practice Pays $75,000 Ransom to Regain Access to Computer Systems
Jun17

Urology Practice Pays $75,000 Ransom to Regain Access to Computer Systems

Boardman, OH-based N.E.O Urology has experienced a severe ransomware attack that has impacted its entire IT system. The ransomware caused widespread file encryption and locked the healthcare provider out of its computers and patient records. While the attack was sophisticated, the notification was not. The healthcare provider was sent a fax from the attackers demanding a $75,000 ransom payment for the keys to unlock the encryption. N.E.O Urology contacted its IT service provider and after assessing options and the risks, the decision was taken to pay the ransom. The IT service provider made contact with the attackers through a third party and the ransom was paid to obtain the keys to unlock the encryption. Even with the decryption keys it took the medical practice three days to restore its computer systems due to the extent of file encryption. The breach investigation uncovered evidence to suggest the attackers were based in Russia. Payment of a ransom is not without risk. The attackers may not be able to unlock files or may choose not to do so even after the ransom is paid. The...

Read More
Alabama Jury Awards Woman $300,000 Damages over HIPAA Breach
Jun14

Alabama Jury Awards Woman $300,000 Damages over HIPAA Breach

A woman in Alabama has been awarded $300,000 in damages after a doctor illegally accessed and disclosed her protected health information to a third party. Plaintiff Amy Pertuit filed a lawsuit against Medical Center Enterprise (MCE) in Alabama, a former MCE physician, and an attorney over the violation of her privacy in January 2015. According to lawyers for the plaintiff, Amy Pertuit’s husband was experiencing visitation issues and was involved in a custody battle with his former wife, Deanna Mortenson. Deanna Mortenson contacted Dr. Lyn Diefendfer, a physician at MCE, and convinced her to obtain health information about Amy Pertuit for use against her ex husband in the custody battle. Dr. Diefendfer accessed Pertuit’s records through the Alabama Prescription Drug Monitoring Program website and disclosed the information to her attorney, Gary Bradshaw.  Since Dr. Diefendfer had no treatment relationship with Pertuit, she was not authorized to access her medical information. The access and disclosure were violations of hospital policies and HIPAA Rules. After discovering that her...

Read More
PHI Exposed in Union Labor Life Insurance Phishing Attack
Jun14

PHI Exposed in Union Labor Life Insurance Phishing Attack

The Ullico Inc. subsidiary, Union Labor Life Insurance (ULLI), is notifying more than 87,000 plan members that some of their protected health information (PHI) has been exposed as a result of an employee responding to a phishing email. As is often the case in healthcare phishing attacks, the phishing email was realistic and appeared to be a genuine request from a business partner. The email contained a hyperlink which asked for login credentials to be entered when clicked. The employee entered the credentials, which were harvested by the attacker and used to remotely access the account. ULLI had systems in place which alerted the information technology department to the unauthorized access. The IT department blocked third-party access to the account within 90 minutes of the account being compromised on April 1, 2019 and disconnected the device from the network. The prompt action greatly limited the potential for the accessing or theft of protected health information contained in emails and email attachments. ULLI conducted a forensic analysis and determined that access was limited...

Read More
Nurse Fired over Alleged Theft and Impermissible Disclosure of PHI
Jun13

Nurse Fired over Alleged Theft and Impermissible Disclosure of PHI

A former employee of a Germantown, MD-based healthcare provider is suspected of accessing the protected health information of up to 16,542 patients and providing that information to a third party for use in fraudulent activities. On April 10, 2019, Takai, Hoover & Hsu, P.A., which runs THH Paediatrics in Germantown, was notified by county and state police that an individual had been arrested as part of an investigation in a matter unrelated to THH. That individual was associated with an employee of THH who is suspected of accessing and impermissibly disclosing patient information including names, dates of birth, Social Security numbers, and addresses of the parents of patients. Immediate action was taken by THH to investigate the allegations. Access to patient data was restricted for the employee, who was placed on leave on April 16 pending the outcome of the internal and law enforcement investigations. The former employee has not been charged at this stage and no direct evidence has been found to suggest that any patient information was taken and misused; however, THH took the...

Read More
PHI Potentially Compromised at Rosenbaum Dental Group and Kingman Regional Medical Center
Jun11

PHI Potentially Compromised at Rosenbaum Dental Group and Kingman Regional Medical Center

Kingman Regional Medical Center (KRMC) has discovered a flaw on its website resulted in the exposure of the protected health information (PHI) of certain patients. KRMC became aware of the security issue on April 8, 2019 and the website was shut down while the security problem was investigated. Assisted by a third-party computer forensics company, KRMC determined that the configuration of the website was such that unauthorized individuals may have been able to gain access to patient information. The website was housed on an isolated server, so any access to data was limited to the information stored on the server. For a small subset of patients who used the website to enter information related to their care, such as making an appointment, could have had the following information exposed: Name, date of birth, and information supplied related to a medical condition for which medical services were being requested. Affected patients were notified of the breach by mail on June 7, 2019. The KRMC website has been offline now for more than 2 months. KRMC is in the process of rebuilding the...

Read More
Mercy Health Discovers PHI of 978 Patients Was Exposed
Jun11

Mercy Health Discovers PHI of 978 Patients Was Exposed

Mercy Health, MI, has discovered a limited amount of patient data had been saved on a private server which was used for other activities such as online scheduling and electronic physician office check-ins. As a result, patient information could potentially have been accessed by unauthorized individuals. The issue has been corrected and all patient information has now been secured. The investigation did not uncover any evidence of unauthorized access or data theft, but it was not possible to rule out either with a very high degree of certainty. Patient information was accessible on the server from an unspecified date in 2014 to March 25, 2019, when the problem was detected and rectified. The security issue only affected certain individuals who had received medical services at Mercy Health facilities in Grand Rapids or Muskegon in Michigan. The types of information potentially accessed were limited to names, addresses, email addresses, and health insurance information for the vast majority of affected individuals. A limited number of patients may also have had their Social Security...

Read More
Delta Health Systems Alerts Plan Members to Exposure of SSNs Over Internet
Jun10

Delta Health Systems Alerts Plan Members to Exposure of SSNs Over Internet

Employees of Turlock Irrigation District in California who are members of their employer-sponsored health plan are being notified that some of their protected health information has been exposed online as a result of an error at a business associate. Delta Health Systems (DHS) provides administrative services related to the health plan and requires access to certain protected health information. Some of that information was made accessible over the internet through a link to a DHS webpage. The error was made by third-party website developer. While the website had been configured to restrict access, there was a conflicting setting which provided general access to the document which took precedence. Affected plan members have been told that their billing statement for their employee-sponsored health plan could have been accessed by unauthorized individuals during the time it was accessible over the internet. The billing statement contained the plan member’s first and last name, employer’s name and address, DHS ID number, and Social Security number. All affected members have been...

Read More
AMCA Data Breach Tally Passes 20 Million as BioReference Laboratories Added to List of Impacted Entities
Jun07

AMCA Data Breach Tally Passes 20 Million as BioReference Laboratories Added to List of Impacted Entities

The total number of victims of the American Medical Collections Agency (AMCA) data breach has now passed 20 million, as yet another healthcare organizations has been confirmed as being affected by the breach. New Jersey-based laboratory and clinical testing company BioReference Laboratories is the latest confirmed victim, with approximately 422,600 of its customers having had their personal information exposed in the AMCA data breach. BioReference Laboratories joins Quest Diagnostics/Optum360 (11.9 million records) and LabCorp (7.7 million records), with the total number of compromised records now standing at 20,022,600 records. That number may well continue to grow as the investigation progresses and more healthcare entities are notified that their data has also been compromised. BioReference Laboratories confirmed the breach in an 8-K Security and Exchange Commission (SEC) filing on Monday. The OPKO Health subsidiary was notified it has been impacted by the breach on June 3, 2019. The breach at AMCA occurred between August 1, 2018 and March 30, 2019, during which time hackers had...

Read More
Misconfigured University of Chicago Medicine ElasticSearch Instance Exposed More Than 1.68 Million Records
Jun05

Misconfigured University of Chicago Medicine ElasticSearch Instance Exposed More Than 1.68 Million Records

It is certainly a week of massive data breaches. 11.9 million Quest Diagnostics records were exposed, 7.7 million records at LabCorp have potentially been compromised, and now University of Chicago Medicine has discovered more than 1.68 million of its records have been exposed. The records were stored on a misconfigured ElasticSearch server which had accidentally had protections removed allowing it to be accessed over the internet without the need for any authentication. The misconfiguration allowed a database to be accessed which contained 1,679,993 records of donors and prospective donors. The exposed database was discovered by Security Discovery researcher Bob Diachenko on May 28. Diachenko had performed a search using the search engine Shodan to identify unsecured databases. Even though awareness has been raised following the discovery of a large number of exposed ElasticSearch instances and other NoSQL databases in recent months, Security Discovery researchers are still identifying between 5 and 10 ‘big cases’ of unsecured databases every month. The latest find was a sizable...

Read More
Up to 7.7 Million Patients of LabCorp Impacted by AMCA Breach
Jun05

Up to 7.7 Million Patients of LabCorp Impacted by AMCA Breach

Following the news that the data breach at American Medical Collection Agency (AMCA) exposed the records of 11.9 million Quest Diagnostics patients, comes news of another healthcare company that has been affected by the breach. On June 4, 2019, LabCorp, another national network of blood testing centers, announced that 7.7 million individuals whose blood samples were processed by the company may have had their sensitive information exposed. As was the case with Quest Diagnostics, LabCorp disclosed the breach through a U.S. Securities and Exchange Commission (SEC) filing. LabCorp said it had been notified by AMCA that its data had also been exposed as a result of the cyberattack on AMCA’s web payment portal, which saw hackers gain access to the system between August 1, 2018 and March 30, 2019. LabCorp said AMCA held data on 7.7 million of its customers. According to the AMCA website, the company manages more than $1 billion in annual receivables for a diverse client base, which includes “laboratories, hospitals, physician groups, billing services, and medical providers all...

Read More
AMCA Data Breach Impacts 12 Million Quest Diagnostics Patients
Jun04

AMCA Data Breach Impacts 12 Million Quest Diagnostics Patients

A hacker has gained access to the systems of Elmsford, NY-based billing collections company American Medical Collection Agency (AMCA) and potentially viewed and copied the protected health information of 11.9 million patients of Quest Diagnostics. Quest Diagnostics is one of the largest blood testing laboratories in the United States but is just one entity that uses AMCA services. It is possible that the breach could be much larger and impact patients of other healthcare organizations. At almost 12 million records, it is already the second largest healthcare data breach ever to be reported, behind Anthem’s 78.8 million record data breach of 2015. The data breach first came to light in May 2019 when researchers at Gemini Advisory notified databreaches.net that they had discovered the payment card details of around 200,000 patients listed for sale on a darknet marketplace. Gemini Advisory determined that the credit card details came from AMCA and appeared to have been obtained between September 2018 and March 2019. Gemini Advisory notified AMCA about the potential breach, although no...

Read More
7 Month Data Breach Discovered by Communities Connected for Kids
Jun03

7 Month Data Breach Discovered by Communities Connected for Kids

Port St. Lucie, FL-based Communities Connected for Kids (CCK) has discovered an unauthorized individual gained access to databases containing the protected health information of child clients, their parents and staff members. The breach was identified when suspicious activity was detected in the databases by one of its third-party vendors. An external computer forensics expert was hired to conduct an investigation which revealed access to the databases was first gained in August 2018. The breach was detected in March 2019 and access to the databases was promptly blocked. During the 7 months that the individual had access to the databases, range of sensitive information was potentially viewed and downloaded. The information exposed varied from individual to individual, but may have included name, contact information, date of birth, Social Security number, financial information, family information, Medicaid number, medical record number, prescription information, health insurance information, and medical and clinical information such as diagnoses and treatment information. According...

Read More
Health Quest Patients Notified of Historic Phishing Breach
Jun03

Health Quest Patients Notified of Historic Phishing Breach

Health Quest has announced it has suffered a phishing attack that has resulted in the exposure of certain patients’ protected health information. The breach affected its affiliates Health Quest Medical Practice, Health Quest Urgent Care and Hudson Valley Newborn Physician Services, and the exposed information related to medical services provided to patients of those affiliates. According to the breach notice on the Health Quest website, on April 2, 2019, Quest Health learned that patient information was contained in emails and email attachments in several employee email accounts that had been compromised as a result of a phishing attack. Compromised protected health information included names, diagnoses, treatment information, dates of service, provider names, health insurance claims information and other information related to services received between January 2018 and June 2018. When the breach was detected, the accounts were secured, and a leading cybersecurity firm was engaged to assist with the investigation. Quest Health has since implemented multi factor authentication and...

Read More
Data Breaches Reported by TriHealth, Centura Health, and Columbus Community Hospital
May29

Data Breaches Reported by TriHealth, Centura Health, and Columbus Community Hospital

The Cincinnati-based health system TriHealth is alerting 2,433 patients about an impermissible disclosure of their protected health information (PHI) to a student mentee. The student was acting under the direct supervision of a former TriHealth physician and accessed patient information for a potential research project. On June 8 and June 9, 2018, the student was provided with patient information including first and last names, dates of birth, ethnicity, life status, cancer diagnosis information, and zip codes. TriHealth does not believe that there were any further uses or disclosures of patient information nor that any patient information has been misused. PHI was accessed solely in relation to the potential research project. Since the student was not an approved TriHealth workforce member, access to patient information was prohibited. As such, this was an impermissible disclosure of patient information which warranted breach notifications to be issued to affected patients. Those notification letters have now been sent. In its website breach notice, TriHealth said all employees...

Read More
Multi-State Action Results in $900,000 Financial Penalty for Medical Informatics Engineering
May28

Multi-State Action Results in $900,000 Financial Penalty for Medical Informatics Engineering

Medical Informatics Engineering (MIE) is required to pay a financial penalty of $900,000 to resolve a multi-state action over HIPAA violations related to a breach of 3.9 million records in 2015. The announcement comes just a few days after the HHS’ Office for Civil Rights settled its HIPAA violation case with MIE for $100,000. MIE licenses a web-based electronic health record application called WebChart and its subsidiary, NoMoreClipboard (NMC), provides patient portal and personal health record services to healthcare providers that allow patients to access and manage their health information. By providing those services, MIE and NMC are business associates and are required to comply with HIPAA Rules. Between May 7 and May 26 2015, hackers gained access to a server containing data related to its NMC service.  Names, addresses, usernames, passwords, and sensitive health information were potentially accessed and stolen. A lawsuit was filed in December 2018 alleging MIE and NMC had violated state laws and several HIPAA provisions. 16 state attorneys general were named as plaintiffs in...

Read More
Medical Informatics Engineering Settles HIPAA Breach Case for $100,000
May24

Medical Informatics Engineering Settles HIPAA Breach Case for $100,000

Medical Informatics Engineering, Inc (MIE) has settled its HIPAA violation case with the HHS’ Office for Civil Rights for $100,000. MIE, an Indiana-based provider of electronic medical record software and services, experienced a major data breach in 2015 at its NoMoreClipboard subsidiary. Hackers used a compromised username and password to gain access to a server that contained the protected health information (PHI) of 3.5 million individuals. The hackers had access to the server for 19 days between May 7 and May 26, 2015. 239 of its healthcare clients were impacted by the breach. OCR was notified about the breach on July 23, 2015 and launched an investigation to determine whether it was the result of non-compliance with HIPAA Rules. OCR discovered MIE had failed to conduct an accurate and through risk analysis to identify all potential risks to the confidentiality, integrity, and availability of PHI prior to the breach – A violation of the HIPAA Security Rule 45 C.F.R. § 164.308(a)(l)(ii)(A). As a result of that failure, there was an impermissible disclosure of 3.5 million...

Read More
Boxes of Records of Today’s Vision Patients and Employees Discovered in Texas Dumpster
May23

Boxes of Records of Today’s Vision Patients and Employees Discovered in Texas Dumpster

Thousands of medical records have been found abandoned in a publicly accessible dumpster in Texas. The boxes contained records of Today’s Vision patients and employees and included highly sensitive information. Today’s Vision has more than 50 independently owned and operated optometry clinics throughout Texas. Most of the records appear to have come from Today’s Vision in Willowbrook in northwest Houston. The Willowbrook location is no longer operational and was sold to MyEyeDr three months ago. Dr. Donald Glenz owned and ran both the Willowbrook and Tomball Today’s Vision offices, prior to the sale to MyEyeDr in February. Dr. Glenz is unaware how the files came to be dumped and who is responsible. Dr. Glenz told KPRC that the incident is being investigated to determine who was responsible. Prior to any records being deleted they are usually shredded in accordance with HIPAA requirements but that did not occur in this instance. Today’s Vision executive director Greg Watson described the discovery as ‘disturbing.’ The incident is also being investigated by MyEyeDr and the Department...

Read More
PHI of 1.5 Million Individuals Exposed Online by Inmediata
May22

PHI of 1.5 Million Individuals Exposed Online by Inmediata

In April, Inmediata, a provider of clearinghouse services to healthcare organizations, announced that the protected health information of certain patients had been exposed online as a result of a misconfigured setting on an internal web page. The incident has now been reported to the Department of Health and Human Services’ Office for Civil Rights. The breach report indicates 1,565,338 individuals had their PHI exposed. That makes the data breach the largest to be reported in 2019. The information had been made available to employees through an internal web page, but the failure to configure that page correctly allowed the data to be made accessible over the internet without the need for authentication. The page was indexed by Google and patient information could be found through online searches. The information had been provided by hospitals, health plans, and independent physicians and included names, addresses, dates of birth, gender, claims data and, for a small number of patients, Social Security numbers. Inmediata immediately deactivated the web page when it was discovered...

Read More
Phishing Attack on Hematology Oncology Associates Sees Multiple Email Accounts Breached
May22

Phishing Attack on Hematology Oncology Associates Sees Multiple Email Accounts Breached

The email accounts of several employees of Medford, OR-based Hematology Oncology Associates. P.C. have been compromised as a result of responses to phishing emails. The phishing attack was detected on March 19, 2018, although the investigation revealed the first account was breached on December 18, 2018. Further accounts were compromised up until February 22, 2019. Third-party computer forensics experts were retained to investigate the breach, but it was not possible to determine which, if any, emails and attachments had been opened by the attackers. The breach investigation was concluded on April 20 and confirmed that some of the emails and attachments in the compromised accounts contained patients’ protected health information. A password reset has been performed to prevent further unauthorized access and additional security awareness training will be provided to employees. The breach has been reported to the HHS’ Office for Civil Rights and state attorneys general and affected individuals have been offered free membership to Experian’s IdentityWorks credit monitoring and...

Read More
Another Phishing Attack Reported by Cancer Treatment Centers of America
May21

Another Phishing Attack Reported by Cancer Treatment Centers of America

Cancer Treatment Centers of America (CTCA) has discovered the email account of an employee of its Southeastern Regional Medical Center has been compromised as a result of a response to a phishing email. The email account breach occurred on March 10, 2019 after the employee disclosed network login credentials when responding to a seemingly legitimate internal email. CTCA discovered the breach the following day and secured the account by changing the password. The account was accessible for less than two days, but during that time it is possible that information in emails and email attachments may have been viewed. The third-party computer forensics firm that was retained to conduct an investigation and found no evidence to suggest any patient health information was viewed, but it was not possible to rule out PHI access or data theft. The compromised email account contained names, addresses, medical record numbers, government ID numbers, health insurance information, and some medical information. No Social Security numbers or financial information were exposed. Individuals affected...

Read More
April 2019 Healthcare Data Breach Report
May20

April 2019 Healthcare Data Breach Report

April was the worst ever month for healthcare data breaches. More data breaches were reported than any other month since the Department of Health and Human Services’ Office for Civil Rights started publishing healthcare data breach reports in October 2009. In April, 46 healthcare data breaches were reported, which is a 48% increase from March and 67% higher than the average number of monthly breaches over the past 6 years. While breach numbers are up, the number of compromised healthcare records is down. In April 2019, 694,710 healthcare records were breached – A 23.9% reduction from March.  While the breaches were smaller in March, the increase in breaches is of great concern, especially the rise in the number of healthcare phishing attacks. Largest Healthcare Data Breaches in April 2019 Two 100,000+ record data breaches were reported in April. The largest breach of the month was reported by the business associate Doctors Management Services – A ransomware attack that exposed the records of 206,695 patients. The ransomware was deployed 7 months after the attacker had first gained...

Read More
Medical Oncology Hematology Consultants Notifies Patients about June 2018 Data Breach
May17

Medical Oncology Hematology Consultants Notifies Patients about June 2018 Data Breach

Medical Oncology Hematology Consultants (MOHC), a Newark, DE-based cancer treatment center, is alerting certain patients that some of their protected health information (PHI) has been exposed as a result of an email security breach. According to the substitute breach notice on the MOHC website, an email account was compromised between June 7 and June 8, 2018. It is unclear when MOHC learned of the breach, but its ‘extensive investigation’ concluded on March 14, 2019 that the breach had resulted in the exposure of patient information. Third party computer forensics experts were engaged to conduct the investigation, which involved extensive coordination with the company that hosts its email environment. Data access and theft could not be ruled out, although no reports have been received to suggest any patient information has been misused. Names, dates of birth, Social Security numbers, government ID numbers, financial account information, and health and medical information were exposed. All patients affected by the breach have been notified and offered 12 months of membership to...

Read More
UMC Physicians Discovers Patient Information Was Uploaded to Unapproved and Unsecured Cloud Service
May15

UMC Physicians Discovers Patient Information Was Uploaded to Unapproved and Unsecured Cloud Service

The Lubbock, TX-based medical group UMC Physicians is alerting patients of UMC Southwest Gastroenterology that some of their protected health information has been exposed as a result of errors of judgement by two of its employed providers. Those providers had each set up a Google shared drive which was used to track follow up tasks related to the provision of care to patients. While the shared drives were set up with good intentions and were intended to help improve the care provided to patients, the providers used an unapproved cloud storage solution and patient data was inadvertently stored on an unsecured network. UMC Physicians discovered the policy violation on March 12, 2019 and launched an investigation to determine which patients’ protected health information had been exposed. During the course of that investigation, UMC Physicians determined that one of the providers had also been forwarding emails containing patient information to an unsecured Gmail account. The types of information that had been stored on the unsecured network and emailed to the Gmail account included...

Read More
Oregon State Hospital and New York Episcopal Health Services Report Phishing Attacks
May14

Oregon State Hospital and New York Episcopal Health Services Report Phishing Attacks

Oregon State Hospital has announced that the protected health information (PHI) of some of its patients was potentially compromised as a result of an employee being duped by a spear phishing email. The email was received on May 3 and the employee responded on May 6. The response resulted in the disclosure of email login credentials. The unauthorized access was detected quickly, and steps were rapidly taken to secure the account. The employee responded to the message at 9:50 AM and Oregon State Hospital’s IT team detected the breach at 10:30 AM and secured the account. The limited time the attacker had access to the account reduced the potential for any information in emails and email attachments to be viewed or copied. Currently, Oregon State Hospital is unaware whether the attacker gained access to patients protected health information during the 40 minutes that the account was accessible, and the hospital has yet to determine which patients have been affected. A third-party cybersecurity company has been hired to conduct an analysis of the compromised account to determine which...

Read More
Ransomware Attack on the Southeastern Council on Alcoholism and Drug Dependence Impacts 25,148 Patients
May13

Ransomware Attack on the Southeastern Council on Alcoholism and Drug Dependence Impacts 25,148 Patients

The Southeastern Council on Alcoholism and Drug Dependence (SCADD) in Lebanon, CT, has experienced a ransomware attack that has resulted in widespread file encryption. The attack was detected on February 18, 2019 when problems started to be experienced with its network. The investigation confirmed ransomware had been installed on its systems, some of which contained the protected health information (PHI) of patients. While no evidence was uncovered that suggested the attackers accessed files containing PHI, third-party forensic investigators were unable to rule out patient data access. Consequently, the incident was reported to the HHS’ Office for Civil Rights as a potential data breach and notification letters have been sent to affected patients. To date, no reports have been received which suggest any patient information has been misused. Patients have been informed that their name, address, medical history, treatment information, and Social Security number has potentially been compromised. All affected individuals have been offered complimentary credit monitoring and identity...

Read More
Lawsuit Alleges Hospital Worker Disclosed Information about Woman’s Sexual Assault to her Attacker
May13

Lawsuit Alleges Hospital Worker Disclosed Information about Woman’s Sexual Assault to her Attacker

A lawsuit has been filed against Atchison Hospital in Kansas by a rape victim who alleges an x-ray technician at the hospital contacted her attacker and disclosed sensitive information about the treatment she received at the hospital. According to the Kansas City Star, after being raped, the woman sought treatment at the hospital. She underwent a rape kit examination, and allegedly made it clear to the hospital that she did not want her health information to be disclosed to third parties. Despite being against the patient’s wishes and a violation of the HIPAA Privacy Rule, information about the examination was disclosed to her attacker by a female X-ray technician at the hospital. The x-ray technician also told the man that he had been accused of sexually assaulting the patient. Following the disclosure, the man repeatedly harassed and threatened the patient by phone and text message over the following weeks. In addition to receiving a barrage of abuse from her attacker, the lawsuit claims the woman was also harassed by hospital staff. A complaint was filed with the hospital over...

Read More
Phishing Attack Reported by Verity Health’s St. Vincent Medical Center
May09

Phishing Attack Reported by Verity Health’s St. Vincent Medical Center

St. Vincent Medical Center, a part of Verity Health System, has discovered a web email account has been compromised as a result of a response to a phishing email. The breach occurred on March 15, 2016 and involved the email account of a hospital pathologist. The account compromise was detected on March 26 and the account was secured within hours. During the time that the unauthorized individual had access to the account, it was used to send phishing emails to internal and external email addresses. Those messages contained malicious attachments and hyperlinks. According to a substitute breach notice provided to the California Attorney General, no other employee accounts were breached as a result of misuse of the email account. While the intention of the attacker appears to have been to obtain login credentials to other email accounts, during the time that the account was accessible, full access to emails, folders, and email attachments was possible. The investigation into the breach could not confirm whether any patient information in emails and email attachments had been accessed...

Read More
Phishing Attack Impacts 1,100 Spectrum Health Lakeland Patients
May09

Phishing Attack Impacts 1,100 Spectrum Health Lakeland Patients

For the second time in the space of two months, Spectrum Health Lakeland has announced that a breach has exposed the protected health information (PHI) of some of its patients. The previous breach occurred at Wolverine Services Group and impacted around 60,000 of its patients. The latest incident involved an unauthorized individual gaining access to an email account as the result of a response to a phishing email. As with the last breach, the incident occurred at a business associate. OC, Inc., a provider of billing services, discovered an unauthorized individual had gained access to an email account of one of its employees. The email account was discovered to contain the PHI of approximately 1,100 Spectrum Health Lakeland patients. OS Inc. discovered a potential breach on December 21, 2018 after suspicious activity was detected within an employee email account. A third-party computer forensics expert was hired to assist with the investigation and found no evidence to suggest that any PHI in emails and attachments had been accessed or stolen. However, it was not possible to rule...

Read More
Key Findings of the 2019 Verizon Data Breach Investigations Report
May08

Key Findings of the 2019 Verizon Data Breach Investigations Report

Today sees the release of the 2019 Verizon Data Breach Investigations Report. This is the 12th edition of report, which contains a comprehensive summary of data breaches reported by public and private entities around the globe. The extensive report provides in-depth insights and perspectives on the tactics and techniques used in cyberattacks and detailed information on the current threat landscape.  The 2019 Verizon Data Breach Investigations Report is the most comprehensive report released by Verizon to date and includes information from 41,686 reported security incidents and 2,013 data breaches from 86 countries. The report was compiled using data from 73 sources. The report highlights several data breach and cyberattack trends. Some of the key findings of the report are detailed below: C-Suite executives are 12 time more likely to be targeted in social engineering attacks than other employees Cyber-espionage related data breaches increased from 13% of breaches in 2017 to 25% in 2018 Nation-state attacks increased from 12% of attacks in 2017 to 23% in 2018 Financially motivated...

Read More
American Indian Health & Services and Madison Parish Hospital Discover Impermissible PHI Disclosures by Employees
May08

American Indian Health & Services and Madison Parish Hospital Discover Impermissible PHI Disclosures by Employees

American Indian Health & Services, the operator of a community health clinic in Santa Barbara, CA, has discovered a former employee forwarded emails containing the sensitive data of certain employees, patients, and vendors to a personal email account, in violation of HIPAA Rules. The incident was detected on March 7, 2019. An analysis to the email account revealed the former employee, who was employed at the clinic at the time, had forwarded emails to her personal email account between March 26 and February 6, 2019. The emails contained names, billing information, provider names and locations, dates of service, amounts paid/owed for services provided, health insurance and payor information, and Medicare/Medicaid and/or Medical numbers. The incident has been reported to law enforcement, state, and federal regulators and affected individuals have been notified by mail. No reports of misuse of patient information have been received to date, but as a precaution against identity theft and fraud, affected individuals have been offered 12 months of credit monitoring and identity theft...

Read More
Ransomware Attack Reported by American Baptist Homes of the Midwest
May08

Ransomware Attack Reported by American Baptist Homes of the Midwest

American Baptist Homes of the Midwest (ABHM), a provider of assisted living and assisted care facilities throughout the U.S Midwest, has reported a security breach involving the use of ransomware on its network. The attack commenced on or around March 10, 2019. The attack was detected promptly, but only after the encryption routine had commenced. The attack was stopped and affected accounts were secured, but not in time to prevent widespread file encryption. The files encrypted by the ransomware contained the records of many ABHM clients. ABHM’s clinical and billing systems were not affected, only general file systems and email accounts. The attack is believed to have been conducted with the sole purpose of extorting money from ABHM, although due to the nature of access gained to install the ransomware, unauthorized accessing of protected health information could not be ruled. No evidence of data theft or misuse of PHI has been found to date. The types of information stored on the compromised servers and systems included individuals’ names and addresses in combination with the...

Read More
3,193 Employees and Dependents Affected by Bodybuilding.com Data Breach
May07

3,193 Employees and Dependents Affected by Bodybuilding.com Data Breach

The bodybuilding and personal fitness website Bodybuilding.com has announced it has experienced a security incident that may have resulted in the information of customers and employees being accessed by unauthorized individuals. While the breach affecting customers was not a reportable incident under HIPAA, HIPAA does cover group health plans. As such, bodybuilding.com was required to report the breach of group members’ PHI to the Office for Civil Rights. The breach was discovered in February 2019 when suspicious activity was detected on its network. A formal breach investigation was launched which revealed access to the network was gained as a result of an employee falling for a phishing scam. While the data of customers and employees is not believed to have been obtained by unauthorized individuals as a result of the phishing attack, the possibility could not be ruled out. The breach has now been resolved and its systems have been secured. A forced password reset was performed for all users of the website as a precaution. For customers, the information potentially obtained was...

Read More
Touchstone Medical Imaging Fined $3 Million by OCR for Extensive HIPAA Failures
May06

Touchstone Medical Imaging Fined $3 Million by OCR for Extensive HIPAA Failures

The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced a settlement has been reached with the Franklin, TN-based diagnostic medical imaging services company, Touchstone Medical Imaging. The settlement resolves multiple violations of HIPAA Rules discovered by OCR during the investigation of a 2014 data breach. Touchstone Medical Imaging has agreed to a settlement of $3,000,000 to resolve the violations and will adopt a corrective action plan (CAP) to address its HIPAA compliance issues. The high settlement amount reflects widespread and prolonged noncompliance with HIPAA Rules. OCR alleged 8 separate violations across 10 HIPAA provisions. The settlement resolves the HIPAA case with no admission of liability. On May 9, 2014, Touchstone Medical Imaging was informed by the FBI that one of its FTP servers was accessible over the Internet and allowed anonymous connections to a shared directory. The directory contained files that included the protected health information (PHI) of 307,839 individuals. As a result of the lack of access controls, files had...

Read More
Mailing Error Sees Inmediata Breach Notification Letters Sent to Incorrect Addresses
May03

Mailing Error Sees Inmediata Breach Notification Letters Sent to Incorrect Addresses

Following a security incident that resulted in the exposure of PHI, Inmediata sent notification letters to affected individuals. However, several individuals have reported receiving notification letters in the mail addressed to other people. The incident that prompted the notifications was a webpage used internally by Inmediata employees that had been accidentally set to allow it to be indexed by search engines. Consequently, the webpage could be found using Internet searches and the PHI of its customers’ patients could be accessed. The forensic investigation did not find evidence to suggest the webpage was subjected to unauthorized access during the time it was accessible online; however, the possibility could not be ruled out. Through the webpage, unauthorized individuals could have accessed the following information: Patients’ names, addresses, dates of birth, gender, doctor’s names, and medical claim information. A small number of individuals also had their Social Security number exposed. Inmediata started sending notification letters to affected individuals on April 22, 2019...

Read More
Class Action Lawsuit Filed Over Baystate Health Phishing Attack
May01

Class Action Lawsuit Filed Over Baystate Health Phishing Attack

In February 2019, Baystate Health experienced a phishing attack that resulted in the exposure of the protected health information (PHI) of 12,000 patients. On April 11, a class action lawsuit was filed on behalf of individuals affected by the breach. The lawsuit was filed by attorney Kevin Chrisanthopoulos in the U.S. District Court in Springfield, MA, three days after Baystate Health announced the breach. The lawsuit alleges plaintiffs now face an elevated risk of identity theft and fraud as a result of the phishing attack and seeks monetary damages for all patients whose PHI was exposed. Upon discovery of the breach, Baystate Health secured its email system and launched an investigation. The investigation revealed the email accounts of nine employees had been compromised as a result of employees responding to phishing emails. The email accounts were subjected to unauthorized access and, as a result, the attacker(s) potentially gained access to patients’ PHI. For most patients, the information exposed was limited to names, birth dates, diagnoses, treatment information, and...

Read More
24,000 Patients Impacted by New Jersey Ransomware Attack
Apr30

24,000 Patients Impacted by New Jersey Ransomware Attack

Paramus, NJ-based orthopedic surgeon, Ronald Snyder, M.D., has learned that an office server containing patient billing information has been compromised and encrypted by ransomware. The attack took place on January 9, 2019 and prevented office staff from accessing patient files. The server was backed up regularly so it was possible to quickly restore almost all files that had been rendered inaccessible without having to pay any ransom demand. Third-party computer forensics consultants were brought in to assist with the investigation, but it was not possible to determine whether patient information had been accessed due to damage caused by the attack. No evidence was uncovered to suggest the attack was conducted as part of an attempt to gain access to patient information, although it was not possible to rule out data access. Consequently, all patients affected by the breach have been notified by mail. The following types of information were stored in files on the server: Names, addresses, dates of birth, genders, co-pay amounts, patient statuses, employment statuses, telephone...

Read More
Three Healthcare Phishing Incidents Result in Exposure of 10,000 Patient Records
Apr30

Three Healthcare Phishing Incidents Result in Exposure of 10,000 Patient Records

National Seating and Mobility, Partners for Quality, and Alana Healthcare have all recently started notifying patients that their protected health information has been exposed as a result of phishing incidents. 3,673 Clients Impacted by Partners For Quality Phishing Attack Partners For Quality, Inc., (PFQ), a provider of services and support for individuals with intellectual and developmental disabilities, discovered unusual activity within certain employee email accounts on February 19, 2019. Assisted by a third-party computer forensics company, PFQ determined that three email accounts had been accessed by an unauthorized individual between January 19 and February 27, 2019. Further analysis of the compromised email accounts revealed they contained the sensitive information of clients and employees. Clients affected by the breach had previously received services from PFQ, Allegheny Children’s Initiative Inc., Citizen Care Inc., Exceptional Adventures, or Milestone Centers Inc. A wide range of highly sensitive protected health information was stored in the compromised email accounts...

Read More
HHS Changes HITECH Act Penalties for HIPAA Violations
Apr29

HHS Changes HITECH Act Penalties for HIPAA Violations

The Department of Health and Human Services has issued a notification of enforcement discretion regarding the civil monetary penalties that are applied when violations of HIPAA Rules are discovered. The HHS has reduced the maximum financial penalty for HIPAA violations in three of the four penalty tiers. The Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 increased the penalties for HIPAA violations. The new penalties were based on the level of knowledge a HIPAA covered entity or business associate had about the violation and whether action was voluntarily taken to correct any violations. The 1st penalty tier applies when a covered entity or business associate is unaware that HIPAA Rules were violated and, by exercising a reasonable level of due diligence, would not have known that HIPAA was being violated. The 2nd tier applies when a covered entity knew about the violation or would have known had a reasonable level of due diligence been exercised, but when the violation falls short of willful neglect of HIPAA Rules. The 3rd penalty tier applies...

Read More
The Most Common HIPAA Violations You Should Be Aware Of
Apr26

The Most Common HIPAA Violations You Should Be Aware Of

The most common HIPAA violations that have resulted in financial penalties are the failure to perform an organization-wide risk analysis to identify risks to the confidentiality, integrity, and availability of protected health information (PHI); the failure to enter into a HIPAA-compliant business associate agreement; impermissible disclosures of PHI; delayed breach notifications; and the failure to safeguard PHI. The settlements pursued by the Department of Health and Human Services’ Office for Civil Rights (OCR) are for egregious violations of HIPAA Rules. Settlements are also pursued to highlight common HIPAA violations to raise awareness of the need to comply with specific aspects of HIPAA Rules. This article covers five of the most common HIPAA violations that have resulted in settlements with covered entities and their business associates over the past few years. Are Data Breaches HIPAA Violations? Data breaches are now a fact of life. Even with multi-layered cybersecurity defenses, data breaches are still likely to occur from time to time. OCR understands that healthcare...

Read More
Medical Billing Service Provider Suffers Ransomware Attack 7 Months After Computer Breach
Apr26

Medical Billing Service Provider Suffers Ransomware Attack 7 Months After Computer Breach

Doctors’ Management Service Inc., a Massachusetts-based provider of medical billing services, discovered on December 24, 2018 that malicious software had been downloaded to its network which prevented files from being accessed. An investigation into the security incident was initiated which determined GandCrab ransomware had been deployed. Files were recovered from backups and no ransom was paid. The investigation also revealed that the individual responsible for installing the ransomware had first gained access to its systems on April 1, 2017, 7 months before the ransomware was deployed. Access to the network was gained via Remote Desktop Protocol (RDP) on one of its workstations. Parts of the network that were subjected to unauthorized access contained the protected health information of patients of its clients, which included names, addresses, dates of birth, Social Security numbers, insurance information, Medicare/Medicaid ID numbers, driver’s license numbers, and some diagnostic information. The attack appeared to have been timed to ensure the attack would not be immediately...

Read More
Email Hacking Incidents Result in Exposure of 8,600 Patients’ PHI
Apr25

Email Hacking Incidents Result in Exposure of 8,600 Patients’ PHI

Three more healthcare organizations have discovered unauthorized individuals have gained access to the email accounts of employees and potentially accessed patients’ protected health information. In total, across the three incidents, the PHI of 8,635 patients has been exposed. PHI of 5,319 Patients of Center for Sight and Hearing Exposed Rockford, IL-based Center for Sight and Hearing discovered on January 23, 2019 that an unauthorized individual had gained access to the email account of an employee. The investigation revealed the account was compromised on January 18 and the account contained the PHI of 5,319 patients. A third-party computer forensics company confirmed on February 21, 2019 that names, addresses, and scheduling information was contained in the compromised account. To improve security, Center for Sight and Hearing has implemented a new password management system and multi-factor authentication. 2,290 Patients Notified About Harbor Behavioral Health Phishing Attack Harbor Behavioral Health, a network of counselling and mental health treatment centers in Northwest...

Read More
Washington State University Settles Class Action Data Breach Lawsuit for $4.7 Million
Apr23

Washington State University Settles Class Action Data Breach Lawsuit for $4.7 Million

A $4.7 million settlement has recently been approved by the King County Superior Court to reimburse individuals whose personal information was stolen from Washington State University in April 2017. Washington State University had backed up personal information on portable hard drives which were stored in a safe in a self-storage locker. On April 21, 2017, the university discovered a break-in had occurred at the storage facility and the safe had been stolen. The hard drives contained the sensitive personal information of 1,193,190 individuals. Most of the files on the hard drives were not encrypted. The drives contained the types of information sought by identity thieves: Names, contact information, and Social Security numbers, in addition to health data of patients, college admissions test scores, and other information. The information dated back around 15 years and had been collected by the WSU Social and Economic Sciences Research Center for a research project. While the hard drive was stolen, Washington State University maintains there are no indications any data stored on the...

Read More
Unsecured Database of Addiction Service Provider Potentially Contained Records of 145,000 Patients
Apr23

Unsecured Database of Addiction Service Provider Potentially Contained Records of 145,000 Patients

A database containing highly sensitive information of patients who had previously sought treatment for addiction at rehabilitation centers has been discovered to be freely accessible over the internet. The database contained approximately 4.91 million records which related to an estimated 145,000 patients of the Levittown, PA-based addiction rehabilitation service provider Steps to Recovery. The unsecured database was discovered on March 24, 2019 by Justin Paine, Director of Trust and Safety at Cloudflare. Following the discovery, Paine notified Steps to Recovery and its hosting provider on March 24. No reply was received from Steps to Recovery, but its hosting company made contact and the database has now been secured and is no longer accessible online. Paine had performed a search on the Shodan search engine to identify unsecured databases and devices. According to Paine, the ElasticSearch database contained two indexes which included more than 1.45 GB of data. The information could be accessed by anyone over the internet without the need for any authentication. The database was...

Read More
60,000 Records Exposed in EmCare Phishing Attack
Apr23

60,000 Records Exposed in EmCare Phishing Attack

The Dallas, TX-based physician staffing company EmCare has announced that it has suffered a data breach that has impacted approximately 60,000 individuals, 31,000 of whom were patients. The exposed information was detailed in emails and email attachments in employee email accounts that were accessed by an unauthorized individual after several employees responded to phishing emails and disclosed their email credentials. It is unclear from Emcare’s breach notice when the breach occurred and how long the attackers had access to email accounts. The breach was discovered on February 19, 2019. An investigation was launched and, assisted by a third-party computer forensics company, it was discovered that the compromised email accounts contained information about patients, employees, and contractors. The following information was saved in email accounts and was potentially accessed or copied by the attackers: Names, dates of birth, driver’s license numbers, Social Security numbers, demographic information, and clinical information. The investigation did not uncover evidence to suggest...

Read More
Klaussner Furniture Industries Discovers Health Plan Data of 9,352 Employees Has Potentially Been Compromised
Apr19

Klaussner Furniture Industries Discovers Health Plan Data of 9,352 Employees Has Potentially Been Compromised

The protected health information of 9,352 current and former employees of Klaussner Furniture Industries, Inc., and some dependents of those employees, has been exposed as a result of a security breach. In February 2019, Klaussner Furniture learned that computers had been accessed by unauthorized individuals. A leading cybersecurity firm was retained to conduct a forensic investigation, which confirmed that two computers had been accessed by an unauthorized third party. An analysis of the computers revealed they contained files that included first and last names, dates of birth, addresses, Social Security numbers, health benefit election(s), and some health information. No evidence was found that suggests employee information was accessed, copied, or misused, although it was not possible to rule out data access and exfiltration. Individuals whose information was exposed had either worked at the company in 1998 or were employed at some point between 2004 and February 25, 2019. The sensitive information of dependents of those employees was only exposed if they had been listed on...

Read More
Centrelake Medical Group Discovers Servers Compromised and Virus Deployed
Apr18

Centrelake Medical Group Discovers Servers Compromised and Virus Deployed

Centrelake Medical Group, a network of 8 medical imaging and oncology centers in California, is notifying certain patients that some of their protected health information has been exposed as a result of a computer virus. The computer virus was discovered in February 2019 when it prevented the medical group from accessing its files. The virus appears to be a form of ransomware, although no mention of ransomware or a ransom demand was made in the media notice issued by Centrelake. Centrelake retained a computer forensics company to assist with the investigation to determine the scope of the attack and whether any files containing protected health information had been accessed or copied. The investigation revealed an unauthorized individual had gained access to its servers on January 9, 2019. Prior to deploying the virus on February 19, 2019, the unauthorized individual was able to access the servers undetected. It is not unusual for ransomware to be installed on systems after hackers have breached security defenses. In some cases, ransomware is deployed after the system has been...

Read More
11,639 Individuals Impacted by Riverplace Counseling Center Malware Attack
Apr18

11,639 Individuals Impacted by Riverplace Counseling Center Malware Attack

Riverplace Counseling Center in Anoka, MN, has discovered malware has been installed on its systems which may have allowed unauthorized individuals to gain access to patients’ protected health information. The malware infection was discovered on January 20, 2019. The counseling center engaged an IT firm to conduct a forensic analysis, remove the malware, and restore its systems from backups. The analysis was completed on February 18, 2019. The IT firm did not find evidence that suggested patient information had been subjected to unauthorized access or had been copied, but data access and PHI theft could not be totally ruled out. The types on information stored on the affected systems included names, addresses, dates of birth, health insurance information, Social Security numbers, and treatment information. Affected individuals were notified about the data breach on April 11, 2019 and have been offered identity theft monitoring services via Kroll for 12 months at no cost. No reports have been received to date to suggest any patients’ PHI has been misused. Riverplace Counseling...

Read More
Clearway Pain Solutions Institute Discovers Unauthorized EMR System Access
Apr18

Clearway Pain Solutions Institute Discovers Unauthorized EMR System Access

Gulf Coast Pain Consultants, dba Clearway Pain Solutions Institute, has discovered its EMR system has been accessed by an unauthorized individual. An investigation was launched following the discovery of the breach on February 20, 2019. The investigation revealed the individual accessed a range of patient information. The types of information that were accessed included patients’ names, telephone numbers, home addresses, email addresses, dates of birth, Social Security numbers, health insurance information, name of referring provider, and demographic information. Clinical information contained in medical records could not be accessed and no financial information was exposed. Unauthorized access to the system has now been blocked, a full review of all EMR accounts has been conducted, and access levels and EMR system activity has been validated for all user accounts. A review of policies and procedures is being conducted with regards to the accessing of patient information and updates will be made as appropriate. All patients affected by the breach are now being notified and are...

Read More