Our HIPAA breach news section covers HIPAA breaches such as unauthorized disclosures of protected health information (PHI), improper disposal of PHI, unauthorized PHI access by cybercriminals and rogue healthcare employees, and other security and privacy breaches.

When known, we explain how the breach occurred, the consequences to patients that may have had their PHI compromised, and the actions being taken by the affected healthcare organization to improve safeguards to prevent further HIPAA breaches.

We also explain any actions being taken by the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) and state attorneys general in relation to those breaches.

OCR investigates all data breaches that impact more than 500 individuals to determine whether any HIPAA violations have occurred. When HIPAA Rules are discovered to have been violated, financial penalties may be deemed appropriate. It can take many months or years before any financial penalties for HIPAA breaches are decided. Financial penalties for HIPAA violations tend to be reserved for the most serious breaches of HIPAA Rules. OCR prefers to resolve cases with voluntary compliance and by issuing recommendations to bring policies in line with HIPAA Rules.

The HIPAA breach news section is particularly relevant to healthcare information security professionals, privacy officers, and other individuals who have some responsibility for HIPAA compliance.

The HIPAA breach news reports highlight common areas of non-compliance and new attack vectors used by cybercriminals to gain access to healthcare networks and PHI, the security failings that allowed them to happen, and the measures that have been implemented to prevent them from happening again.

No healthcare organization wants to experience a data breach, but when a breach does occur, lessons can be learned. HIPAA-covered entities can use these breach examples to help train their staff as well as to discover some of the methods other covered entities have adopted to improve data security.

As you will be able to see from the volume of posts in the HIPAA breach news category, healthcare data breaches occur frequently. In 2016 and 2017, healthcare data breaches have been reported on an almost daily basis.

Our HIPAA breach news section is an important source of information about potential security issues that covered entities should be identifying when conducting their own risk assessments. Many of the situations in our HIPAA breach news posts could have been avoided if a risk assessment had identified a vulnerability that was later exploited to gain access to PHI.

The main purpose for adding HIPAA breach news to this website is to highlight specific aspects of HIPAA compliance that are commonly overlooked, often with serious consequences for the covered entity and patients/health plan members.

By raising awareness of the volume of healthcare data breaches, the implications of those breaches, and the penalties that can result, it is hoped that healthcare providers will take decisive action to prevent their patients’ and members’ data from being exposed.

The most recent healthcare data breach reports are listed below. If you want to find out if a specific covered entity has experienced a data breach, please use the search function in the top right hand corner of this webpage.

$16 Million Anthem HIPAA Breach Settlement Takes OCR HIPAA Penalties Past $100 Million Mark
Oct16

$16 Million Anthem HIPAA Breach Settlement Takes OCR HIPAA Penalties Past $100 Million Mark

OCR has announced that an Anthem HIPAA breach settlement has been reached to resolve potential HIPAA violations discovered during the investigation of its colossal 2015 data breach that saw the records of 78.8 million of its members stolen by cybercriminals. Anthem has agreed to pay OCR $16 million and will undertake a robust corrective action plan to address the compliance issues discovered by OCR during the investigation. The previous largest ever HIPAA breach settlement was $5.55 million, which was agreed with Advocate Health Care in 2016. “The largest health data breach in U.S. history fully merits the largest HIPAA settlement in history,” said OCR Director Roger Severino. Anthem Inc., an independent licensee of the Blue Cross and Blue Shield Association, is America’s second largest health insurer. In January 2015, Anthem discovered cybercriminals had breached its defenses and had gained access to its systems and members’ sensitive data. With assistance from cybersecurity firm Mandiant, Anthem determined this was an advanced persistent threat attack – a continuous and targeted...

Read More
Email Accounts Compromised at Biomarin Pharmaceutical and Envision Healthcare Corporation
Oct12

Email Accounts Compromised at Biomarin Pharmaceutical and Envision Healthcare Corporation

Novato, CA-based Biomarin Pharmaceutical has discovered two employee email accounts have been compromised as a result of a phishing attack in which a temporary employee’s login credentials were obtained by the attacker. The attack was discovered on June 21, 2018 and immediate action was taken to prevent further unauthorized account access. The investigation into the breach determined that the email accounts had been accessed by an unauthorized individual, but it was not possible to tell whether any emails were opened or copied by the attacker. An analysis of the compromised accounts suggests a document containing names, health insurance information and Social Security numbers may have been in one or both email accounts at the time the breach. Due to the nature of exposed data, affected individuals have been advised to place a fraud alert on their credit files as a precaution against identity theft and fraud and urged to monitor explanation of benefits statements from insurers for medical services which have not been received. Biomarin Pharmaceutical has now secured its network and...

Read More
Minnesota DHS Notifies 21,000 Patients That Their PHI Has Potentially Been Compromised
Oct12

Minnesota DHS Notifies 21,000 Patients That Their PHI Has Potentially Been Compromised

The Minnesota Department of Human Services has mailed letters to approximately 21,000 individuals on medical assistance to alert them to a possible breach of their protected health information (PHI) due to two recent phishing attacks. Two DHS employees’ email accounts have been confirmed as having been compromised as a result of the employees clicking on links in phishing emails. The investigation into the breach determined that the attackers accessed both email accounts although it was not possible to determine which, if any, emails in the account had been accessed or copied by the attackers. Minnesota DHS has reason to believe that other employees may also have been targeted and could also have clicked on links in phishing emails, but it has not yet been confirmed whether their accounts have been breached. The investigation into the phishing attacks is ongoing. The two email account breaches occurred on June 28 and July 9, 2018, although the IT department only determined that the accounts had been breached in August. Upon discovery of the phishing attack, both accounts were...

Read More
Michigan Medicine Notifies 3,600 Patients of PHI Disclosure Due to Mailing Error
Oct09

Michigan Medicine Notifies 3,600 Patients of PHI Disclosure Due to Mailing Error

Michigan Medicine is notifying more than 3,600 patients of an impermissible disclosure of a limited amount of their protected health information. In early September 2018, the Michigan Medicine Development Office launched a fundraising campaign that involved sending letters to a large number of its patients. A third-party vendor was contracted to print the letters for the mailing and while many of the letters were printed correctly, an error was made by the printing company that resulted in an impermissible disclosure of certain patients’ personal information. According to Michigan Medicine, the error was introduced when the printing company installed new software. As a result of the error, a proportion of the letters contained information that was intended for other Michigan Medicine patients and did not match the name and address on the outside of the envelope. Since this was a fundraising mailing, the letters did not contain any medical information, Social Security numbers, financial data, or other highly sensitive information. Patients affected by the error has their name,...

Read More
California HIV Patient PHI Breach Lawsuit Allowed to Move Forward
Oct08

California HIV Patient PHI Breach Lawsuit Allowed to Move Forward

A lawsuit filed by Lambda Legal on behalf of a victim of a data breach that saw the highly sensitive protected health information of 93 lower-income HIV positive individuals stolen by unauthorized individuals has survived a motion to dismiss. The former administrator of the California AIDS Drug Assistance Program (ADAP), A.J. Boggs & Company, submitted a motion to dismiss but it was recently rejected by the Superior Court of California in San Francisco. In the lawsuit, Lambda Legal alleges A.J. Boggs & Company violated the California AIDS Public Health Records Confidentiality Act, the California Confidentiality of Medical Information Act, and other state medical privacy laws by failing to ensure an online system was secure prior to implementing that system and allowing patients to enter sensitive information. A.J. Boggs & Company made its new online enrollment system live on July 1, 2016, even though it had previously received several warnings from nonprofits and the LA County Department of Health that the system had not been tested for vulnerabilities. It was...

Read More
PHI of 37,000 Gold Coast Health Plan Members Potentially Compromised
Oct08

PHI of 37,000 Gold Coast Health Plan Members Potentially Compromised

Camarillo, CA-based Gold Coast Health Plan is informing approximately 37,000 plan members that some of their protected health information has potentially been obtained by hackers who succeeded in compromising the email account of one of its employees. The employee was fooled by a phishing email and the attackers gained access to the email account on June 18, 2018. Access remained possible until August 1, 2018. Gold Coast Health Plan discovered the security breach on August 8 and took steps to secure the account and prevent any further remote access. A leading third-party cybersecurity firm was engaged to conduct an investigation into the breach and assess the scope of the incident and determine whether any patients’ health information was accessed. It was not possible to rule out PHI access and data theft with 100% certainty, although no reports have been received to date that suggest any PHI in the account has been misused. Gold Coast Health Plan believes the attack was financially motivated and the purpose of the attackers was to gain access to banking information in order to...

Read More
Summary of Recent Healthcare Data Breaches
Oct05

Summary of Recent Healthcare Data Breaches

A round up of healthcare data breaches recently announced by healthcare providers and business associates of HIPAA covered entities. Tillamook Chiropractic Clinic Discovers 26-Month Malware Infection The medical records of 4,058 patients of the Tillamook Chiropractic Clinic in Tillamook, OR have been stolen as a result of a malware infection. On August 3, 2018, the clinic conducted an internal security audit which showed that malware had been installed on its network, even though a firewall was in place, antivirus and antimalware software were installed and up to date, and its software was fully patched. An investigation into the security breach revealed the malware had been installed on May 24, 2016 and had remained undetected for 26 months. The malware had been installed on the primary insurance billing system, which the clinic reports was used as a staging area by the attackers to collect patient records before exfiltrating the data. The information believed to have been stolen includes full names, home addresses, work addresses, dates of birth, phone numbers, diagnoses, lab...

Read More
PHI of 1,800 Patients Found Abandoned in Houston Street
Oct03

PHI of 1,800 Patients Found Abandoned in Houston Street

Paperwork containing the protected health information of approximately 1,800 patients has been discovered abandoned in a Midtown, Houston street by an employee of the CBS-affiliated television station KBOU 11. The paperwork contained information such as patients’ names, birth dates, diagnoses, treatment information, medications, vital signs, and admission dates. KBOU launched an investigation into the breach and determined the paperwork related to patients from five Houston hospitals – MD Anderson Cancer Center, LBJ Hospital, Children’s Memorial Hermann, Memorial Hermann Hospital, and TIRR Memorial Hermann. The investigation led to UT Health. According to the report, the records were stolen from the locked trunk of a vehicle belonging of a medical resident who, while studying at UT Health’s McGovern Medical School, had worked at the above hospitals. The records were stolen from his vehicle in July. Officials at UT Health confirmed to KBOU that they are aware of the breach. Reporters spoke to the medical graduate and confirmed that the incident had not been reported to the...

Read More
Study Reveals 70% Increase in Healthcare Data Breaches Between 2010 and 2017
Sep28

Study Reveals 70% Increase in Healthcare Data Breaches Between 2010 and 2017

There has been a 70% increase in healthcare data breaches between 2010 and 2017, according to a study conducted by two physicians at the Massachusetts General Hospital Center for Quantitative Health. The study, published in the Journal of the American Medical Association on September 25, involved a review of 2,149 healthcare data breaches reported to the Department of Health and Human Services’ Office for Civil Rights between 2010 and 2017. “While we conduct scientific programs designed to recognize the enormous research potential of large, centralized electronic health record databases, we designed this study to better understand the potential downsides for our patients – in this case the risk of data disclosure,” said Dr. Thomas McCoy Jr, director of research at Massachusetts General Hospital’s Center for Quantitative Health in Boston and lead author of the study. Every year, with the exception of 2015, the number of healthcare data breaches has increased, rising from 199 breaches in 2010 to 344 breaches in 2017. Those breaches have resulted in the loss, theft, exposure, or...

Read More
Claxton-Hepburn Medical Center Fires Several Employees for Inappropriate PHI Access
Sep27

Claxton-Hepburn Medical Center Fires Several Employees for Inappropriate PHI Access

Claxton-Hepburn Medical Center, a not-for-profit 115-bed community hospital in Ogdensburg, NY, has fired several employees for accessing patient health records without authorization. The PHI breaches were discovered during an internal investigation. It is unclear whether that investigation was launched following a complaint that had been received or if the patient privacy violations were uncovered during a routine audit of PHI access logs – A requirement of HIPAA. Claxton-Hepburn Medical Center has not publicly disclosed how many employees were terminated over the violations, only reporting that all employees who purposely committed the acts were terminated. It is also currently unclear exactly how many patients’ PHI was breached. Claxton-Hepburn Medical Center has confirmed that training is given to all employees on the first day of employment detailing the requirements of HIPAA and the importance of protecting the privacy of patients. All employees are made aware that accessing patient health information is only permitted when PHI needs to be viewed to complete work duties or...

Read More
Protected Health Information Stolen in Aspire Health Phishing Attack
Sep27

Protected Health Information Stolen in Aspire Health Phishing Attack

Aspire Health, a Nashville, TN-based provider of in-home services for patients diagnosed with serious illnesses, has experienced a phishing attack that resulted in the email account of an employee being accessed by an unauthorized individual. Once access to the email account was gained, the attacker forwarded 124 emails to an external email account. Several of the forwarded email messages contained the protected health information of patients and “confidential and proprietary information and files”. According to a statement issued by a spokesperson for Aspire Health, breach notification letters have already been sent to a “small handful” of its patients, although the exact number affected by the breach has not been disclosed. The data breach has yet to appear on the Department of Health and Human Services’ Office for Civil Rights’ breach portal. As is the case with many phishing scams, an email was sent to the employee which contained a hyperlink to a website which requested login credentials. The website, created on August 28, 2018, is hosted in the Russian Federation and was...

Read More
UMass Memorial Health Care Pays $230,000 to Resolve Alleged HIPAA Violations
Sep24

UMass Memorial Health Care Pays $230,000 to Resolve Alleged HIPAA Violations

Mass Memorial Health Care has been fined $230,000 by the Massachusetts attorney general for HIPAA failures related to two data breaches that exposed the protected health information (PHI) of more than 15,000 state residents. A lawsuit was filed against UMass Memorial Health Care in which attorney general Maura Healey claimed UMass Memorial Medical Group Inc., and UMass Memorial Medical Center Inc., failed to implement sufficient measures to protect patients’ sensitive health information. In two separate incidents, employees accessed and copied patient health information without authorization and used that information to open cell phone and credit card accounts in the victims’ names. It was also alleged that UMass Memorial Medical Group Inc., and UMass Memorial Medical Center Inc., were both aware of employee misconduct, yet failed to properly investigate complaints related to data breaches and discipline the employees concerned in a timely manner. Both entities also failed to ensure that patients’ PHI was properly safeguarded. These failures violated Massachusetts data security...

Read More
August 2018 Healthcare Data Breach Report
Sep21

August 2018 Healthcare Data Breach Report

August was a much better month for the healthcare industry with fewer data breaches reported than in July. In August, 28 healthcare data breaches were reported to the HHS’ Office for Civil Rights, a 17.86% month-over-month reduction in data breaches. There was also a major reduction in the number of healthcare records that were exposed or stolen. In August, 623,688 healthcare records were exposed or stolen – A 267.56% reduction from August, when 2,292,522 healthcare records were breached. Causes of Healthcare Data Breaches in August 2018 Hacking incidents dominated the breach reports in August, accounting for 53.57% of all reported data breaches and 95.73% of all records exposed or disclosed in August. Eight of the top ten breaches were the result of hacks, malware, or ransomware attacks. Insider breaches are a major problem in the healthcare industry, more so than other verticals. In August there were nine insider breaches – 32.14% of the healthcare data breaches in August. Those breaches involved the unauthorized access or impermissible disclosure of 18,488 healthcare...

Read More
$999,000 in HIPAA Penalties for Three Hospitals for Boston Med HIPAA Violations
Sep20

$999,000 in HIPAA Penalties for Three Hospitals for Boston Med HIPAA Violations

Three hospitals that allowed an ABC film crew to record footage of patients as part of the Boston Med TV series have been fined $999,000 by the Department of Health and Human Services’ Office for Civil Rights (OCR) for violating Health Insurance Portability and Accountability Act (HIPAA) Rules. This is the second HIPAA violation case investigated by OCR related to the Boston Med TV series. On April 16, 2016, New York Presbyterian Hospital settled its HIPAA violation case with OCR for $2.2 million to resolve the impermissible disclosure of PHI to the ABC film crew during the recording of the series and for failing to obtain consent from patients. Fines for Boston Medical Center, Brigham and Women’s Hospital, & Massachusetts General Hospital Boston Medical Center (BMC) settled its HIPAA violations with OCR for $100,000. OCR investigators determined that BMC had impermissibly disclosed the PHI of patients to ABC employees during production and filming of the TV series, violating 45 C.F.R. § 164.502(a). Brigham and Women’s Hospital (BWH) settled its HIPAA violations...

Read More
Phishing Attack on Ohio Living Exposed PHI of 6,500 Individuals
Sep20

Phishing Attack on Ohio Living Exposed PHI of 6,500 Individuals

Ohio Living, a provider of life plan communities and home health services in Ohio, has discovered an unauthorized individual has gained access to the email accounts of some of its employees. Ohio Living detected suspicious activity related to an employee’s email account on July 10, 2018. An investigation was immediately launched, and a third-party computer forensics expert was hired to investigate the breach and determine how access to the account was gained. On July 19, 2018, Ohio Living was informed that several email accounts had been compromised on July 10 and that those accounts had been accessed by an unauthorized individual. It was not possible to determine whether any emails were opened or if any emails were downloaded by the attacker. A review of the compromised accounts revealed they contained the protected health information of 6,510 individuals. Upon discovery of the breach, passwords were reset on all accounts known to have been compromised and a full password reset was performed on all other employees’ email accounts. Ohio Living has also provided further training to...

Read More
Brooklyn Emergency Room Worker Accused of Stealing and Selling Patients’ PHI
Sep20

Brooklyn Emergency Room Worker Accused of Stealing and Selling Patients’ PHI

A former employee of the emergency department of Brooklyn’s Kings County Hospital is alleged to have stolen the protected health information of at least 100 individuals while working at the hospital and disclosed that information to another individual using an encrypted smartphone app. Orlando Jemmott, 52, was employed at the hospital for 12 years between March 2006 and April 2018 and was given access to patient health records in order to complete his work duties. Jemmott was required to enter patient information into the hospital’s system such as demographic data and information on patients’ symptoms and health complaints. In June 2017, the FBI received a tip that Jemmott was stealing patient information and selling the data to another individual. The woman claimed the information was being sent via the WhatsApp encrypted messaging app. The woman took Jemmott’s mobile phone from his house and handed it over to the FBI along with a photo from his WhatsApp profile. A warrant was then obtained by the FBI to search the phone. The search revealed hundreds of communications between...

Read More
Mailing Vendor Blamed for Blue Cross and Blue Shield of Rhode Island Privacy Breach
Sep19

Mailing Vendor Blamed for Blue Cross and Blue Shield of Rhode Island Privacy Breach

Blue Cross and Blue Shield of Rhode Island (BCBSRI) is alerting 1,567 plan members that some of their protected health information has been impermissibly disclosed by one of its business associates. A BCBSRI vendor was contracted to send explanation of benefits statements to plan members which contain summaries of the healthcare services members have received under their health plan. However, an error was made which resulted in statements being sent to incorrect individuals. The explanation of benefits statements included members’ BCBSRI ID number, their service provider(s), the service(s) provided, and the cost of the claims. The impermissible disclosure of PHI was attributed to an error made by the vendor when combining the explanation of benefits statements for certain individuals who are covered under the same policy. Combining the statements was intended to reduce the number of summaries received by some members. The error resulted in some explanation of benefits statements being incorrectly combined in the mid-July mailings, which resulted in the summaries being sent to...

Read More
Independence Blue Cross Notifies 17,000 Members of Online Exposure of Their PHI
Sep18

Independence Blue Cross Notifies 17,000 Members of Online Exposure of Their PHI

Independence Blue Cross is notifying thousands of plan members that some of their protected health information has been exposed online and has potentially been accessed by unauthorized individuals. The Independence Blue Cross privacy office was informed about the exposed information on July 19 and immediately launched an investigation. A leading forensics investigation firm was hired to investigate the incident and establish whether any plan members’ information was accessed during the time it was exposed. Independence Blue Cross said an employee had uploaded a file containing plan members’ protected health information to a public facing website on April 23, 2018. The file remained accessible until July 20 when it was removed from the website. The information contained in the file was limited. No financial information or Social Security numbers were exposed. Affected plan members only had their name, diagnosis codes, provider information, date of birth, and information used for processing claims exposed. Despite a thorough investigation, it was not possible to determine whether any...

Read More
CMS: Fairview Southdale Hospital Videotaped Patients Without Knowledge or Consent
Sep17

CMS: Fairview Southdale Hospital Videotaped Patients Without Knowledge or Consent

The HHS’ Centers for Medicare and Medicaid Services (CMS) has investigated Fairview Southdale Hospital in Edina, MN over an alleged violation of patient privacy. The CMS confirmed that patients were videotaped during psychiatric evaluations in the emergency department without their knowledge or consent.  The hospital was cited for violating patient privacy. According to the Star Tribune, the CMS launched an investigation following a complaint from a patient who had been taken to the hospital for a psychiatric evaluation against her will in May 2017. The patient was escorted to the hospital as police officers were concerned about her state of mental health and feared she may cause harm to herself or others. After being released, the patient took legal action over her admission to the hospital and how she was treated by the police. As part of that lawsuit, the patient requested a copy of the security camera footage from the hospital. While the patient expected to receive a copy of the videotape from the front of the hospital showing her entering the facility, the videotape showed her...

Read More
Fetal Diagnostic Institute of the Pacific Experiences Ransomware Attack
Sep17

Fetal Diagnostic Institute of the Pacific Experiences Ransomware Attack

The Fetal Diagnostic Institute of the Pacific (FDIP) in Honolulu, HI, experienced a ransomware attack on June 30, 2018. File-encrypting software was installed on an FDIP server and encrypted a wide range of file types, including patient medical records. FDIP engaged the services of a leading cybersecurity company to conduct a full investigation into the breach to determine whether patient data was accessed by the attackers and also to assist with breach remediation. The investigation did not uncover any evidence to suggest that patients’ protected health information was accessed, viewed, or stolen by the individuals behind the attack, although it was not possible to rule out data access and data theft with a high level of confidence. Consequently, the incident is being treated as a HIPAA breach, patients are being notified, and the Department of Health and Human Services’ Office for Civil Rights (OCR) has been informed. An analysis of the files encrypted by the ransomware revealed they contained a range of protected health information. Patients affected by the security breach may...

Read More
Email Security Breaches Reported by Hopebridge (IN) and United Methodist Homes (NY)
Sep14

Email Security Breaches Reported by Hopebridge (IN) and United Methodist Homes (NY)

Hopebridge, an Indiana-based network of 28 autism treatment centers throughout the Midwest, has discovered it has been the victim of a phishing attack that has potentially resulted in an unauthorized individual gaining access to the protected health information (PHI) of its patients. A security breach was detected on July 19, 2018 prompting a thorough investigation. A leading third-party computer forensics firm was engaged to assess the nature and scope of the breach and all accounts and systems were immediately secured to lock out the attacker. The investigation revealed several employees had been fooled by phishing emails that had been sent between March and July 2018. Several email accounts were compromised as a result of employees’ responses to those emails. An analysis of the compromised email accounts revealed they contained a limited amount of patients’ PHI – Their names, the services they received from Hopebridge, and an inferred autism diagnosis. The results of the forensic investigation suggest that it was not the intention of the attacker to gain access to PHI, instead...

Read More
Texas Nurse Fired for Social Media HIPAA Violation
Sep13

Texas Nurse Fired for Social Media HIPAA Violation

A nurse at a Texas children’s hospital has been fired for violating Health Insurance Portability and Accountability Act (HIPAA) Rules by posting protected health information on a social media website. The pediatric ICU/ER nurse worked at Texas Children’s Hospital and posted a series of comments on Facebook about a rare case of measles at the hospital. The nurse was an anti-vaxxer and posted about the experience of seeing a boy at the hospital suffering from the disease – a disease that could have been prevented through vaccination. Her comments explained how the disease was much worse that she expected it to be, having not encountered anyone with the measles in the past.  She explained that it was a “rough” experience seeing the boy suffering from the disease. She also explained in one of her posts, “I think it’s easy for us non-vaxxers to make assumptions, but most of us have never and will never see one of these diseases,” according to the Houston Chronicle, which obtained screenshots of her Facebook posts. “By no means have I changed my vax stance, and I never will. But this...

Read More
Phishing Attack on Acadiana Computer Systems Exposed the PHI of 31,000 Individuals
Sep12

Phishing Attack on Acadiana Computer Systems Exposed the PHI of 31,000 Individuals

Acadiana Computer Services Inc., a Lafayette, LA-based provider of software and business solutions for the healthcare industry, has discovered an unauthorized individual has gained access to the email account of one of its employees. The security breach was detected on July 6, 2018 and external access to the account was immediately disabled. An independent cybersecurity expert was retained to conduct a forensic analysis of the breach and determine the nature and scope of the attack. An analysis of the emails in the compromised account revealed they contained the personal information of several of its clients’ patients. The information potentially accessed was limited to names, addresses, treatment information, billing information, and for a limited number of individuals, Social Security numbers. The breach report submitted to the Department of Health and Human Services’ Office for Civil Rights indicates 31,151 individuals have had their protected health information exposed as a result of the email account breach. Those individuals had previously received medical services from the...

Read More
Reliable Respiratory Phishing Attack Impacts 21,000 Patients
Sep10

Reliable Respiratory Phishing Attack Impacts 21,000 Patients

The Norwood, MA-based respiratory care provider Reliable Respiratory has experienced a phishing attack that has affected several thousand of its patients. A cyberattack was suspected on July 3, 2018, following the detection of unusual activity in an employee’s email account. An investigation was launched to determine the cause of that activity, which revealed the employee had been targeted with a phishing campaign. The response to a phishing email resulted in the disclosure of that individual’s login credentials. The unusual account activity was detected on July 3 and the account was immediately secured. Computer forensic specialists were retained to determine the nature and extent of the breach. The breach investigation confirmed that the account had been accessed by an unauthorized individual between June 28 and July 2. An analysis of the emails contained in the account showed a wide range of protected health information could potentially have been accessed by the attacker. Patients are now being notified of the breach by mail and have been advised to monitor their account...

Read More
Medical Records from New Mexico Hospital Found Scattered in Street
Sep07

Medical Records from New Mexico Hospital Found Scattered in Street

The New Mexico Department of Health is currently investigating how the private medical records of some of its patients came to fall from a truck during transportation from the hospital to a secure storage facility. The records came from Turquoise Lodge Hospital, a rehabilitation center run by the New Mexico Department of Health that specializes in the treatment of parents and pregnant women who are recovering from substance abuse. The hospital had arranged for patients’ medical records to be collected and transported to a new location for storage. The paperwork was collected from the hospital on Thursday August 30; however, during transit some of those records fell out of the delivery truck onto a busy Albuquerque street. KRQE News 13 sent reporters to the scene who discovered medical records strewn along Avenida Cesar Chavez at I-25. Some of the paperwork had been collected by members of the public. The paperwork contained highly sensitive personally identifiable information (PII) and protected health information (PHI), including patients’ names, their medical histories, billing...

Read More
NY Attorney General Fines Arc of Erie County $200,000 for Security Breach
Sep04

NY Attorney General Fines Arc of Erie County $200,000 for Security Breach

The Arc of Erie County has been fined $200,000 by the New York Attorney General for violating HIPAA Rules by failing to secure the electronic protected health information (ePHI) of its clients. In February 2018, The Arc of Erie County, a nonprofit social services agency and chapter of the The Arc Of New York, was notified by a member of the public that some of its clients’ sensitive personal information was accessible through its website. The information could also be found through search engines. The investigation into the security breach revealed sensitive information had been accessible online for two and a half years, from July 2015 to February 2018 when the error was corrected. The forensic investigation into the security incident revealed multiple individuals from outside the United States had accessed the information on several occasions. The webpage should only have been accessible internally by staff authorized to view ePHI and should have required a username and password to be entered before access to the data could be gained. In total, 3,751 clients in New York had...

Read More
Mailing Error Resulted in Impermissible Disclosure of 19,570 Missouri Care Members’ PHI
Aug30

Mailing Error Resulted in Impermissible Disclosure of 19,570 Missouri Care Members’ PHI

An error in a mailing to Missouri Care members reminding them to book well-child visits has resulted in the accidental disclosure of the personal information of almost 20,000 children to other Missouri Care members. The personal information detailed in the letters was limited to children’s names, ages, and the names of their provider’s. Health information and other sensitive data was not exposed, so the potential for the information to be misused is low. However, out of an abundance of caution, parents and legal guardians of affected children have been advised to monitor their credit card bills and account statements for any suspicious activity and told not to respond to any email requests asking for further personal information. Free credit monitoring services have been offered to all individuals affected by the breach. WellCare Health Plans Inc., discovered the error on July 25, 2018 and launched an investigation to determine how the error occurred and the individuals that were impacted. The mailing had been sent to 19,570 individuals, although it is unclear how many of those...

Read More
1,790 Patients Impacted by Phishing Attack on Los Angeles Drug and Alcohol Treatment Center
Aug29

1,790 Patients Impacted by Phishing Attack on Los Angeles Drug and Alcohol Treatment Center

The West Los Angeles-based drug and alcohol treatment center, Authentic Recovery Center, is alerting 1,790 individuals that some of their personally identifiable information (PII) and protected health information (PHI) has potentially been obtained by an unauthorized individual as a result of a phishing attack. The phishing attack was discovered on June 21, 2018 prompting a full investigation. The investigation confirmed that the breach was limited to a single email account. All other email accounts and systems remained secure at all times. Access was first gained the email account on June 7, 2018 and continued until the breach was detected on June 21 and the account was secured. An email-by-email analysis of the compromised account revealed it contained the PII and PHI of clients and employees. Employee information accessible through the account was limited to name and driver’s license number, with the exception of two individuals who also had their address, contact telephone number, date of birth, and Social Security number exposed. Clients impacted by the incident had their name...

Read More
July 2018 Healthcare Data Breach Report
Aug24

July 2018 Healthcare Data Breach Report

July 2018 was the worst month of 2018 for healthcare data breaches by a considerable distance. There were 33 breaches reported in July – the same number of breaches as in June – although 543.6% more records were exposed in July than the previous month. The breaches reported in July 2018 impacted 2,292,552 patients and health plan members, which is 202,859 more records than were exposed in April, May, and June combined. A Bad Year for Patient Privacy So far in 2018 there have been 221 data breaches of more than 500 records reported to the Department of Health and Human Services’ Office for Civil Rights. Those breaches have resulted in the protected health information of 6,112,867 individuals being exposed, stolen, or impermissibly disclosed. To put that figure into perspective, it is 974,688 more records than were exposed in healthcare data breaches in all of 2017 and there are still five months left of 2018. Largest Healthcare Data Breaches of 2018 (Jan-July) Entity Name Entity Type Records Exposed Breach Type UnityPoint Health Business Associate 1,421,107 Hacking/IT Incident CA...

Read More
Central Colorado Dermatology Ransomware Attack Potentially Resulted in PHI Access
Aug21

Central Colorado Dermatology Ransomware Attack Potentially Resulted in PHI Access

Central Colorado Dermatology (CCD) has notified more than 4,000 patients that some of their protected health information (PHI) has potentially been accessed by hackers during a ransomware attack on its computer network. An unauthorized individual gained access to CCD’s computer network and deployed ransomware on a server. Medical records and patients’ medical charts were not accessed, although certain files and scanned fax communications were encrypted. Some of those files contained PHI. An investigation was launched to determine whether protected health information was accessed or stolen although it was not possible to determine with a high degree of certainty whether any PHI was viewed or copied. CCD did not uncover any evidence to suggest that PHI had been accessed or stolen, although some of the software that had been installed on its network could have allowed files to be downloaded. The files that could have been accessed including the following information: Names, addresses, contact telephone numbers, dates of birth, email addresses, Insurance information, Social Security...

Read More
Phishing Attack on Legacy Health Results In Exposure of 38,000 Patients’ PHI
Aug21

Phishing Attack on Legacy Health Results In Exposure of 38,000 Patients’ PHI

Legacy Health has discovered an unauthorized individual has gained access to its email system and the protected health information (PHI) of approximately 38,000 patients. The Portland, OR-based health system operates two regional hospitals, four community hospitals, and 70 clinics in Oregon, Southwest Washington, and the and the Mid-Willamette Valley and is the second largest health system in the Portland Metro Area. The data breach was discovered on June 21, 2018, although the email accounts were first accessed by an unauthorized individual in May. Legacy Health determined that access was gained to the email accounts as a result of employees being duped by phishing emails. Email breaches can take a considerable amount of time to investigate. While tools are available to scan email accounts for protected health information, many of the emails in compromised accounts need to be individually checked, which can involve manual checks of hundreds of thousands of messages.  According to Legacy Health Spokesperson Kelly Love, “We’ve been moving at as fast a pace as we can to...

Read More
9,350 Patients of Gordon Schanzlin New Vision Institute Notified of Data Breach
Aug20

9,350 Patients of Gordon Schanzlin New Vision Institute Notified of Data Breach

The Gordon Schanzlin New Vision Institute in La Jolla, CA, is alerting thousands of patients that their medical records may have been stolen after files containing protected health information were discovered in the possession of an individual unauthorized to hold the information. The data breach came to light following an investigation conducted by the U.S. Postal Inspection Service. A raid was conducted on a property in Southern California and a box of medical records was discovered in the property. The files contained information such as names, dates of service, addresses, health insurance information, Social Security numbers, and health and clinical information. Gordon Schanzlin was notified of the discovery on June 15, 2018, and an internal investigation was immediately launched to determine the nature and scope of the breach and how the medical records had been stolen. While it could not be confirmed with 100% certainty, Gordon Schanzlin believes the medical records were part of a batch of files that were stolen from a storage unit that was broken into in October 2017. The...

Read More
Court Approves Anthem $115 Million Data Breach Settlement
Aug20

Court Approves Anthem $115 Million Data Breach Settlement

The $115 million settlement proposed by Anthem Inc., in 2017 to resolve the class action lawsuits filed by victims of its 78.8 million-record data breach in 2015 received final approval on Thursday, August 16. The Anthem cyberattack resulted in plan members’ names, dates of birth, health insurance information, Social Security numbers and other data elements stolen by cybercriminals. Several class-action lawsuits were filed in the wake of the breach, which were consolidated into a single lawsuit by the Judicial Panel for Multidistrict Litigation in June 2015. The case was assigned to the U.S District Court for the Northern District of California, where a large proportion of the class members reside. While 78.8 million individuals had protected health information (PHI) exposed when Anthem’s network was hacked, there are only 19.1 million members of the class action lawsuit, all of whom were able to demonstrate that their personal information was stored in the data center that was attacked by hackers. Following the data breach, Anthem offered breach victims 24 months of credit...

Read More
InterAct of Michigan Discovers Email Account Compromise
Aug17

InterAct of Michigan Discovers Email Account Compromise

InterAct of Michigan, a provider of mental health and substance abuse treatments through clinics in Kalamazoo and Grand Rapids, has discovered an unauthorized individual has gained access to the email account of an employee and potentially viewed and copied the protected health information of 1,290 patients. The attack was discovered on June 8, 2018 prompting a thorough investigation to determine the nature and scope of the breach. Immediate action was taken to terminate access to the compromised account and an internal investigation was launched. A leading computer forensics company was retained to provide assistance with the investigation. On July 30, 2018, InterAct of Michigan determined that the protected health information of certain patients had potentially been accessed. The information was present in emails and email attachments in the compromised account. The exposed PHI included clients’ names and Social Security numbers. For some patients, date of birth, prescription details, and treatment history may also have been accessed. Due to the sensitive nature of the...

Read More
258,000 Wisconsin Residents Notified of Adams County Government Data Breach
Aug17

258,000 Wisconsin Residents Notified of Adams County Government Data Breach

More than 258,000 people have had their personal health information, personal identification information and/or tax information exposed as a result of a data security incident in Adams County, Wisconsin. A potential security breach was detected on March 28, 2018 after questionable activity was identified on the Adams County computer system and network. An investigation was launched to determine whether any sensitive data had been accessed and on June 29, a data breach was confirmed to have occurred. Some evidence has been found that suggests PHI and PII has been accessed and potentially obtained by an unauthorized individual. 258,102 individuals have potentially been affected. The exposed data was collected between January 1, 2013 and March 28, 2018 and were stored on the systems used by the departments of Health and Human Services, Child Support, Veteran Service Office, Extension Office, Adams County Employees, Solid Waste, and the Sheriff’s Office. A criminal investigation has been launched into the breach and the suspect(s) have been prevented from accessing the entire...

Read More
417,000 Individuals Affected by Augusta University Health Phishing Attack
Aug17

417,000 Individuals Affected by Augusta University Health Phishing Attack

A serious data breach has been reported by Augusta University Health that has impacted an estimated 417,000 individuals including patients, faculty members and a limited number of students. Most of the patients affected by the breach had previously received medical services at Augusta University Medical Center or Children’s Hospital of Georgia, although patients from over 80 outpatient clinics in Georgia have also been affected and had their personally identifiable information (PII) and protected health information (PHI) exposed. A wide range of PII and PHI was exposed, including names, addresses, dates of birth, lab test results, diagnoses, medications, treatment information, dates of service, medical record numbers, surgical information, and health insurance details. Augusta University Health said only a small percentage of individuals had a driver’s license number or Social Security number exposed. The PII and PHI were saved in emails and email attachments. Augusta University Health said a data security incident was discovered on September 11, 2017 following a phishing attack on...

Read More
Lawmakers Accuse Oklahoma Department of Veteran Affairs of Violating HIPAA Rules
Aug13

Lawmakers Accuse Oklahoma Department of Veteran Affairs of Violating HIPAA Rules

The Oklahoma Department of Veteran Affairs has been accused of violating Health Insurance Portability and Accountability Act (HIPAA) Rules by three Democrat lawmakers, who have also called for two top Oklahoma VA officials to be fired over the incident. The alleged HIPAA violation occurred during a scheduled internet outage, during which VA medical aides were prevented from gaining access to veterans’ medical records. The outage had potential to cause major disruption and prevent “hundreds” of veterans from being issued with their medications. To avoid this, the Oklahoma Department of Veteran Affairs allowed medical aides to access electronic medical records using their personal smartphones. In a letter to Oklahoma Governor Mary Fallin, Reps. Brian Renegar, Chuck Hoskin, and David Perryman called for the VA Executive Director Doug Elliot and the clinical compliance director Tina Williams to be fired over the alleged HIPAA violation. They claimed Elliot and Williams “have little regard for, and knowledge of, health care,” and allowing medical aides to access electronic medical...

Read More
MedSpring Urgent Care Breach Impacts 13,034 Patients
Aug10

MedSpring Urgent Care Breach Impacts 13,034 Patients

MedSpring Urgent Care, a network of urgent care clinics in Atlanta, Chicago, Austin, Dallas, Fort Worth, and Houston, has discovered an unauthorized individual has gained access to an email account as a result of an employee being duped by a phishing email. The email account was compromised on May 8, 2018 but the security breach was not detected until May 17. Upon discovery of the breach, the email account was secured to prevent further unauthorized access and a leading cybersecurity forensics firm was contracted to conduct an investigation into the breach and assist with the breach response. MedSpring discovered on May 22, 2018 that the attacker potentially gained access to the protected health information of patients through the emails and email attachments. The breach was limited to a single email account and no other systems were compromised. A full review of all messages in the account was conducted to determine which patients had been affected and the types of information that had been exposed. MedSpring says the breach was limited to patients who had previously visited its...

Read More
At Least 3.14 Million Healthcare Records Were Exposed in Q2, 2018
Aug09

At Least 3.14 Million Healthcare Records Were Exposed in Q2, 2018

In total, there were 143 data breaches reported to the media or the Department of Health and Human Services’ Office for Civil Rights (OCR) in Q2, 2018 and the healthcare records of at least 3,143,642 patients were exposed, impermissibly disclosed, or stolen. Almost three times as many healthcare records were exposed or stolen in Q2, 2018 as Q1, 2018. The figures come from the Q2 2018 Breach Barometer Report from Protenus. The data for the report came from OCR data breach reports, data collected and collated by Databreaches.net, and proprietary data collected through the Protenus compliance and analytics platform, which monitors the tens of trillions of EHR access attempts by its healthcare clients. Q2 2018 Healthcare Data Breaches Month Data Breaches Records Exposed April 45 919,395 May 50 1,870,699 June 47 353,548   Q2, 2018 saw five of the top six breaches of 2018 reported. The largest breach reported – and largest breach of 2018 to date – was the 582,174-record breach at the California Department of Developmental Services – a burglary. It is unclear if any healthcare...

Read More
The Cost of SamSam Ransomware Attacks: $17 Million for the City of Atlanta
Aug09

The Cost of SamSam Ransomware Attacks: $17 Million for the City of Atlanta

The SamSam ransomware attack on the City of Atlanta was initially expected to cost around $6 million to resolve: Substantially more than the $51,000 ransom demand that was issued. However, city officials now believe the final cost could be around $11 million higher, according to a “confidential and privileged” document obtained by The Atlanta Journal-Constitution. The attack has prompted a complete overhaul of the city’s software and systems, including system upgrades, new software, and the purchasing of new security services, computers, tablets, laptops, and mobile phones. The Colorado Department of Transportation was also attacked with SamSam ransomware this year and was issued with a similar ransom demand. As with the City of Atlanta, the ransom was not paid. In its case, the cleanup is expected to cost around $2 million. When faced with extensive disruption and a massive clean up bill it is no surprise that many victims choose to pay the ransom. Now new figures have been released that confirm just how many victims have paid to recover their files and regain control of their...

Read More
Protected Health Information of Three Hundred Thousand SSM Health Patients Exposed
Aug08

Protected Health Information of Three Hundred Thousand SSM Health Patients Exposed

SSM Health St. Mary’s Hospital in Jefferson City, Missouri is informing hundreds of thousands of patients that some of their protected health information has been left unprotected and could potentially have been viewed by unauthorized individuals. On November 16, 2014, St. Mary’s Hospital moved to new premises and all patients’ medical records were transferred to the new facility and were secured at all times. However, on June 1, 2018, the hospital discovered many documents containing protected health information had been left behind. The documents were mostly administrative and operational supporting documents and contained only a limited amount of protected health information. For the majority of patients, the only information that was exposed was their name and medical record number. Some patients also had some clinical data, demographic information, and financial information exposed. Due to the number of documents involved, the hospital has retained a document services firm to catalogue all the documents and determine which patients have had some of their PHI exposed. It has...

Read More
Hacktivist Convicted for DDoS Attack on Children’s Mercy Hospital
Aug07

Hacktivist Convicted for DDoS Attack on Children’s Mercy Hospital

A hacktivist who conducted a Distributed Denial of Service (DDoS) attack on Boston’s Children’s Mercy Hospital in 2014 has been convicted on two counts – conspiracy to intentionally damage protected computers and damaging protected computers – by a jury in the U.S. District Court in Boston. Martin Gottesfeld, 32, of Somerville, MA, conducted the DDoS attacks in March and April of 2014. He first conducted a DDoS attack on Wayside Youth and Family Support Network in Framingham, MA. The attack crippled its systems and took them out of action for more than a week. The attack cost the healthcare facility $18,000 to resolve. Following that attack, Gottesfeld conducted a much larger attack on Boston Children’s Hospital using 40,000 malware-infected network routers that he controlled from his home computer. The attack was planned for a week and occurred on April 19, 2014. Such was the scale of the attack that the hospital and several others in the Longwood medical area were knocked off the internet. 65,000 IP addresses used by the hospital and other healthcare facilities in the area were...

Read More
Phishing Attack, Lost Devices, and System Error Exposed PHI of 9,400 Patients
Aug03

Phishing Attack, Lost Devices, and System Error Exposed PHI of 9,400 Patients

A round up of data breaches recently disclosed to the media and the Department of Health and Human Services’ Office for Civil Rights System Error Exposed Data at Pennsylvania Department of Human Services Pennsylvania Department of Human Services has discovered a system error in its Compass system allowed certain individuals to view the protected health information of others who, at some point, were part of the same benefit household but are now part of a different active case record. The types of information that could have been viewed included names, citizenship, date of birth, and all information reported about employment, although not Social Security numbers. No reports have been received to date to suggest any of the information was accessed and misused. The system glitch was detected on May 23, 2018 and has now been corrected. All 2,130 individuals potentially impacted have been notified of the breach by mail. Lost Laptop Exposes PHI of Ambercare Patients The Ambercare Corporation, a provider of hospice and home care services in New Mexico, has announced that an unencrypted...

Read More
Email Account Compromises Continue Relentless Rise
Aug02

Email Account Compromises Continue Relentless Rise

There has been a steady rise in the number of reported email data breaches over the past year. According to the July edition of the Beazley Breach Insights Report, email compromises accounted for 23% of all breaches reported to Beazley Breach Response (BBR) Services in Q2, 2018. In Q2, 2018 there were 184 reported cases of email compromises, an increase from the 173 in Q1, 2018 and 120 in Q4, 2017. There were 45 such breaches in Q1, 2017, and each quarter has seen the number of email compromise breaches increase. In Q2, 2018, the email account compromises were broadly distributed across a range of industry sectors, although the healthcare industry experienced more than its fair share. Healthcare email accounts often contain a treasure trove of sensitive data that can be used for identity theft, medical identity theft, and other types of fraud. The accounts can contain the protected health information of thousands of patients. The recently discovered phishing attack on Boys Town National Research Hospital resulted in the attackers gaining access to the PHI of more than 105,000...

Read More
Orlando Orthopaedic Center Suffers 19,000-Record Breach Due to Business Associate Error
Aug01

Orlando Orthopaedic Center Suffers 19,000-Record Breach Due to Business Associate Error

An error made by a transcription service provider during a software upgrade on a server has resulted in the exposure of more than 19,000 patients’ protected health information (PHI). Patients affected by the breach had received medical services at Orlando Orthopaedic Center clinics in Orlando, Florida prior to January 2018. The software upgrade took place in December 2017 and throughout the month, PHI stored on the server became accessible over the Internet without any need for authentication. Orlando Orthopaedic Center only became aware of the exposure of patients’ PHI in February 2018. The discovery of the breach prompted a full investigation, which revealed names, dates of birth, insurance information, employer details, and treatment types were accessible. A limited number of patients also had their Social Security numbers exposed. It is unclear whether any PHI was accessed by unauthorized individuals during the time that the protections were removed. Orlando Orthopaedic Center said it has not received any reports from patients that indicate PHI has been misused and no evidence...

Read More
1.4 Million Patients Warned About UnityPoint Health Phishing Attack
Jul31

1.4 Million Patients Warned About UnityPoint Health Phishing Attack

A massive UnityPoint Health phishing attack has been reported, one in which the protected health information of 1.4 million patients has potentially been obtained by hackers. This phishing incident is the largest healthcare data breach of 2018 by some distance, involving more than twice the number of healthcare records as the California Department of Developmental Services data breach reported in April and the LifeBridge Health breach reported in May. This is also the largest phishing incident to be reported by a healthcare provider since the HHS’ Office for Civil Rights (OCR) started publishing data breaches in 2009 and the largest healthcare breach since the 3,466,120-record breach reported by Newkirk Products, Inc., in August 2016. Email Impersonation Attack Fools Several Employees into Disclosing Login Credentials The UnityPoint Health phishing attack was detected on May 31, 2018. The forensic investigation revealed multiple email accounts had been compromised between March 14 and April 3, 2018 as a result of employees being fooled by email impersonation scams. Business email...

Read More
Confluence Health Informs Patients of Phishing Incident
Jul30

Confluence Health Informs Patients of Phishing Incident

Confluence Health, a not-for-profit health system that operates Central Washington Hospital, Wenatchee Valley Hospital and a dozen satellite clinics in Central and North Central Washington, has experienced a data security incident involving an employee’s email account that may have resulted in unauthorized accessing of patients’ protected health information. The security breach was discovered on May 29, 2018. A digital forensics firm was called in to conduct an investigation, which revealed the email account had been accessed by an unauthorized individual on May 28 and May 30, 2018. The email account only contained a limited amount of protected health information and no highly sensitive data such as Social Security numbers or financial information was exposed. Patients impacted by the incident have had information such as their names and treatment information exposed. Confluence Health had multiple security solutions in place to prevent unauthorized account access and staff had received security awareness training, yet those measures were bypassed by the attacker. While PHI access...

Read More
Lane County Health and Human Services and New England Dermatology Alert Patients to PHI Exposure
Jul27

Lane County Health and Human Services and New England Dermatology Alert Patients to PHI Exposure

The medical records of more than 17,000 patients have been exposed in two recent incidents in Oregon and Massachusetts. Lane County Health and Human Services Alerts Patients to Loss of PHI Lane County Health and Human Services in Oregon is notifying more than 700 patients that some of their protected health information has been lost and has potentially been destroyed. 49 boxes containing patient files were moved to a temporary storage facility while the Charnelton Clinic in Eugene was being renovated. During a routine search, the boxes of files were discovered to be missing from the storage facility on June 19. Multiple teams conducted further searches for the missing boxes but they could not be located. Lane County Health and Human Services suspects the boxes of files have been destroyed along with other paperwork as part of its normal document management practice for non-medical records. However, it has not been possible to confirm whether that was definitely the case. The files contained information such as patients’ full names, addresses, telephone numbers, medical histories...

Read More
Flowers Hospital Proposes $150,000 Settlement for 2014 Data Breach
Jul26

Flowers Hospital Proposes $150,000 Settlement for 2014 Data Breach

A class action lawsuit filed in the wake of an employee-related data breach at Flowers Hospital in Dothan, Alabama in 2014 is heading towards being settled. The settlement has yet to receive final court approval, although approval seems likely and a resolution to this four-year legal battle is now in sight. In contrast to most class action lawsuits filed over the exposure/theft of PHI, this case involved the theft of data by an insider rather than a hacker. Further, the former employee used PHI for identity theft and fraud and was convicted of those crimes. The breach in question involved a former lab technician, Kamarian D. Millender, who was found in possession of paper records containing patients protected health information. Millender admitted to using the information for identity theft and for filing false tax returns in victims’ names. In December 2014, Millender was sentenced to serve two years in jail. In the class action lawsuit, filed the same year, it was claimed that between June 2013 and December 2014, paper records were left unprotected and unguarded at the hospital...

Read More
Blue Springs Family Care Ransomware Attack Impacts 45,000 Patients
Jul25

Blue Springs Family Care Ransomware Attack Impacts 45,000 Patients

Blue Springs Family Care in Missouri has experienced a ransomware attack that has resulted in the encryption of sensitive data. The attack was detected by the healthcare provider’s computer vendor on May 12, 2018.  An investigation was launched the same day by the computer vendor with assistance provided by a contracted third-party computer forensics firm. In contrast to many ransomware attacks which involve a single ransomware variant being downloaded and blind file encryption, the attacker managed to gain access to Blue Springs Family Care systems and installed a variety of malicious software programs in addition to the ransomware. Those malware programs would have given the attacker full access to all Blue Springs Family Care computer systems, including access to all patients protected health information. At the time of issuing notifications to patients, Blue Springs Family Care had not received any reports to suggest that any PHI was stolen and misused by the attacker. However, data access and data theft could not be ruled out. The types of information potentially accessed...

Read More
Boys Town National Research Hospital and NorthStar Anesthesia Discover PHI Compromised in Phishing Attacks
Jul24

Boys Town National Research Hospital and NorthStar Anesthesia Discover PHI Compromised in Phishing Attacks

The phishing attacks on healthcare organizations continue… The past few days have seen two further healthcare organizations announce that email accounts were breached when employees responded to phishing emails. Email Account Compromised at Boys Town National Research Hospital Boys Town National Research Hospital (Boys Town), an Omaha, NE hospital specializing in pediatric deafness, visual and communication disorders, has announced that a recent phishing campaign has resulted in the email account of an employee being accessed by an unauthorized individual. The email account contained the protected health information of 105,309 patients Boys Town first became aware of a security breach on May 23, 2018 when unusual email account activity was detected. Computer forensics experts were called in to investigate and a breach was confirmed to have occurred on May 23. Boys Town painstakingly examined the account email-by-email to determine which patients potentially had their PHI exposed and the amount of PHI that was potentially compromised. The breach was confirmed as being confined to a...

Read More
Golden Heart Administrative Professionals Ransomware Attack Impacts 44,600 Patients
Jul20

Golden Heart Administrative Professionals Ransomware Attack Impacts 44,600 Patients

Golden Heart Administrative Professionals, a Fairbanks, AK-based billing company and business associate of several healthcare providers in Alaska, is notifying 44,600 individuals that some of their protected health information has potentially been accessed by unauthorized individuals as a result of a recent ransomware attack. The ransomware was downloaded to a server containing the PHI of patients. According to a press release issued by the company, “All client patient information must assume to be compromised.” Local and federal law enforcement agencies have been notified about the cyberattack and efforts are continuing to recover files. The Golden Heart Administrative Professionals ransomware attack is the largest data breach reported by a healthcare organization in July, and the second major data breach to be reported by an Alaska-based healthcare organization in July. In early July, the Alaska Department of Health and Social Services announced that it had suffered a data breach as a result of a malware infection. The Zeus/Zbot Trojan – an information stealer – had...

Read More
New York Physician Notifies Patients of Exposure of their PHI
Jul19

New York Physician Notifies Patients of Exposure of their PHI

A New York physician has started notifying patients that their protected health information has been exposed and has been potentially accessed unauthorized individuals. Ruben U. Carvajal, MD was alerted to a possible privacy breach on January 3, 2018 and was informed that some of his patients’ health information was accessible over the Internet. An investigation into the possible privacy breach was launched and the matter was reported to the New York Police Department and the Federal Bureau of Investigation (FBI). FBI investigators visited his office and examined his computer. On February 18, 2018, the FBI confirmed that the EMR program on his computer had been accessed by an unauthorized individual. A forensic investigator was called in to conduct a thorough investigation to determine the nature and scope of the breach. On May 22, 2018 the forensic investigator determined that the physician’s computer had been accessed by an unauthorized individual between December 16, 2017 and January 3, 2018. Any individual that gained access to the physicians’ computer could have gained access...

Read More
Investigation Launched Over Snapchat Photo Sharing at M.M. Ewing Continuing Care Center
Jul19

Investigation Launched Over Snapchat Photo Sharing at M.M. Ewing Continuing Care Center

Certain employees of a Canandaigua, NY nursing home have been using their smartphones to take photographs and videos of at least one resident and have shared those images and videos with others on Snapchat – a violation of HIPAA and serious violation of patient privacy. The privacy breaches occurred at Thompson Health’s M.M. Ewing Continuing Care Center and involved multiple employees. Thompson Health has already taken action and has fired several workers over the violations. Now the New York Department of Health and the state attorney general’s office have got involved and are conducting investigations. The state attorney general’s Deputy Press Secretary, Rachel Shippee confirmed to the Daily Messenger that an investigation has been launched, confirming “The Medicaid Fraud Control Unit’s mission includes the protection of nursing home residents from abuse, neglect and mistreatment, including acts that violate a resident’s rights to dignity and privacy.” Thompson Health does not believe the images/videos were shared publicly and sharing was restricted to a group of employees at the...

Read More
June 2018 Healthcare Breach Report
Jul18

June 2018 Healthcare Breach Report

There was a 13.8% month-over-month increase in healthcare data breaches in June 2018. Data breaches were up, but the breaches were far less severe in June, with 42.48% fewer healthcare records exposed or stolen than in May. In June there were 33 healthcare data breaches reported to the Department of Health and Human Services’ Office for Civil Rights and those breaches saw 356,232 healthcare records exposed or stolen – the lowest number of records exposed in healthcare data breaches since March 2018. Healthcare Data Breaches (January-June 2018) Healthcare Records Exposed (January-June 2018) Causes of Healthcare Data Breaches (June 2018) Unauthorized access/disclosure incidents were the biggest problem area in June, followed by hacking IT incidents. As was the case in May, there were 15 unauthorized access/disclosure breaches and 12 hacking/IT incidents. The remaining six breaches involved the theft of electronic devices (4 incidents) and paper records (2 incidents). There were no reported losses of devices or paperwork and no improper disposal incidents. Healthcare Records Exposed...

Read More
Several Email Accounts Compromised in Sunspire Health and UPMC Cole Phishing Attacks
Jul18

Several Email Accounts Compromised in Sunspire Health and UPMC Cole Phishing Attacks

Two more healthcare organizations have reported phishing attacks that have resulted in cybercriminals gaining access to the protected health information of patients, both of which saw the attackers gain access to multiple email accounts. Sunspire Health, which runs a national network of addition treatment facilities, saw several email accounts compromised as a result of a phishing campaign targeting its employees. The attacks were discovered between April 10, 2018 and May 17, 2018. Forensic investigators were called in to determine the nature and scope of the incidents. The investigation revealed the first email account was compromised on March 1, 2018, with further accounts compromised and accessed by unauthorized individuals up until May 4. No patients have reported misuse of protected health information to Sunspire Health to date, and no evidence was found to suggest the email accounts had been misused, although it is possible that protected health information in the compromised email accounts was accessed and may have been downloaded by the attacker(s). The types of information...

Read More
LabCorp Cyberattack Forces Shutdown of Systems: Investigators Currently Determining Scale of Breach
Jul17

LabCorp Cyberattack Forces Shutdown of Systems: Investigators Currently Determining Scale of Breach

LabCorp, one of the largest clinical laboratories in the United States, has experienced a cyberattack that has potentially resulted in hackers gaining access to patients’ sensitive information; however, data theft appears unlikely as the cyberattack has now been confirmed as being a ransomware attack. It has been suggested that variant of SamSam ransomware was used in the brute force RDP attack, although this has not been confirmed by LabCorp. The Burlington, NC-based company runs 36 primary testing laboratories throughout the United States and the Los Angeles National Genetics Institute. The company performs standard blood and urine tests, HIV tests and specialty diagnostic testing services and holds vast quantities of highly sensitive data. The cyberattack occurred over the weekend of July 14, 2018 when suspicious system activity was identified by LabCorp’s intrusion detection system within 50 minutes of the attack commencing. Prompt action was taken to terminate access to its servers and systems were taken offline to contain the attack. With its systems offline, this naturally...

Read More
Two Employees of the Alive Hospice in Tennessee Fooled by Phishing Scam
Jul16

Two Employees of the Alive Hospice in Tennessee Fooled by Phishing Scam

The email accounts of two employees of the Alive Hospice in Tennessee have been compromised as a result of the employees falling for phishing scams. The email account breaches were identified during a review of the email system on May 15, 2018. During the review, ongoing unauthorized access to the email accounts was detected. Alive Hospice immediately took steps to block third-party access by performing a password reset, and third-party forensics investigators were called in to determine the nature and scope of the breach. The investigation revealed the first email account was compromised on or around December 20, 2017, with the second account compromised on or around April 5, 2018. An analysis of both email accounts revealed they contained the protected health information of patients, which may have been accessed by the person(s) responsible for the attacks. The types of information that may have been accessed varied for each patient and included names, dates of birth, Social Security numbers, driver’s license numbers, passport numbers, financial account numbers, copies of...

Read More
Email Account of Billings Clinic Worker Hacked During Overseas Trip
Jul16

Email Account of Billings Clinic Worker Hacked During Overseas Trip

The email account of an employee of Billings Clinic in Billings, MT, that contained the protected health information of 8,435 patients, has been compromised. The breach was detected by the clinic’s cybersecurity systems on May 14, 2018, with unusual activity triggering an alert. Rapid action was taken to secure the account, although it is possible that the PHI of patients could have been viewed or copied. The information in the account was limited. No financial information was exposed, access to medical records was not gained, and no Social Security numbers were stored in the account. Data in the account had been used for scheduling purposes and related to patients who received medical services between 2008 and 2011. The breach was limited to names, dates of birth, contact information, diagnoses, descriptions of medical services provided, medical record numbers, and internal financial control numbers. The investigation confirmed that the breach was limited to a single email account. While data breaches such as this can easily be caused as a result of employees responding to...

Read More
Children’s Mercy Hospital Sued for 63,000-Record Data Breach
Jul13

Children’s Mercy Hospital Sued for 63,000-Record Data Breach

Legal action has been taken over a phishing attack on Children’s Mercy that resulted in the theft of 63,049 patients’ protected health information. In total, five email accounts were compromised between December 2017 and January 2018. On December, 2, 2017  two email accounts were discovered to have been accessed by an unauthorized individual as a result of employees responding to phishing emails. Links in the emails directed the employees to a website where they were fooled into disclosing their email account credentials. Two weeks later, two more email accounts were compromised in a similar attack, with a fifth and final account compromised in early January. The mailbox accounts of four of those compromised email accounts were downloaded by the attacker, resulting in the unauthorized disclosure of patients’ protected health information. Patients were notified of the breach via a substitute breach notice on the Children’s Mercy website and notification letters were sent by mail. Due to the number of people impacted, the letters were sent out in batches. According to a recent...

Read More
UMC Physicians Discovers Hacker Accessed PHI of Up to 18,000 Patients
Jul13

UMC Physicians Discovers Hacker Accessed PHI of Up to 18,000 Patients

A summary of hacking incidents and employee data breaches recently discovered by healthcare organizations. Hacked Email Account Contained PHI of 18,000 UMC Physicians’ Patients UMC Physicians in Texas is notifying approximately 18,000 patients that some of their protected health information has been exposed as a result of the hacking of a physicians’ email account. The breach occurred on March 15, 2018, although it was not discovered by the UMC Physicians’ IT team until May 18, giving the hacker two months to access the data stored in the account. While the investigation did not uncover any evidence of actual or attempted misuse of PHI, it was not possible to determine with a high degree of certainty that PHI had not been compromised. Consequently, all patients whose PHI was potentially accessed have been offered complimentary credit monitoring and identity theft protection services for 12 months. An analysis of the email account revealed the following information was potentially viewed/obtained by the hacker: Patients’ full names, addresses, phone numbers, medical record numbers,...

Read More
Health Information of Thousands of HIV Patients Exposed by Employee Error
Jul12

Health Information of Thousands of HIV Patients Exposed by Employee Error

An error by an employee of Metro Health has resulted in the exposure of highly sensitive information of patients diagnosed with HIV or AIDS, according to a recent report in the Tennessean. The information was stored in a database which had been copied by the employee onto a server that was accessible by all employees in the Nashville Metro Public Health Department, even though the vast majority of those individuals were not authorized to access the information. The database was only supposed to be accessed by three government scientists. The database was present on the server for nine months before the file was found by an employee and Metro Health officials were notified. During the time that the file was on the server, more than 500 employees could potentially have accessed the database. The database contained information such as names, addresses, lab test results, HIV diagnoses, drug usage, sexual orientation, birth dates, and Social Security numbers. The data came from the Enhanced HIV/AIDS Reporting System – a national database that includes details of patients with HIV and...

Read More
Healthcare Data Breach Costs Highest of Any Industry at $408 Per Record
Jul12

Healthcare Data Breach Costs Highest of Any Industry at $408 Per Record

A recent study conducted by the Ponemon Institute on behalf of IBM Security has revealed the hidden cost of data breaches, and for the first time, the cost of mitigating 1 million-record+ data breaches. The study provides insights into the costs of resolving data breaches and the full financial impact on organizations’ bottom lines. For the global study, 477 organizations were recruited and more than 2,200 individuals were interviewed and asked about the data breaches experienced at their organizations and the associated costs. The breach costs were calculated using the activity-based costing (ABC) methodology. The average number of records exposed or stolen in the breaches assessed in the study was 24,615 and 31,465 in the United States. Last year, the Annual Cost of a Data Breach Study by the Ponemon Institute/IBM Security revealed the cost of breaches had fallen year over year to $3.62 million. The 2018 study, conducted between February 2017 and April 2018, showed data breach costs have risen once again. The average cost of a data breach is now $3.86 million – An annual increase...

Read More
MedEvolve Notifies Patients of PHI Exposure Through Unsecured FTP Server
Jul11

MedEvolve Notifies Patients of PHI Exposure Through Unsecured FTP Server

MedEvolve, a provider of electronic billing and record services to healthcare providers, has announced that an FTP server used by the firm had been left unsecured between March 29, 2018 and May 4, 2018. The FTP server contained a file that included the protected health information of patients. On March 29, the day that the protection was removed, the file was accessed by an unauthorized individual. MedEvolve discovered the breach on May 11, 2018. According to the breach notice submitted to the California Attorney General, the file contained the data of patients of Premier Immediate Medical Care. MedEvolve did not mention in the breach notice how many patients had been affected and the incident has yet to appear of the Department of Health and Human Services’ Breach Portal. However, in May, databreaches.net was alerted to the exposure of data by a security researcher who discovered the unprotected FTP server. According to the report, the file contained approximately 205,000 lines of patient data, each corresponding to a different patient. More than 11,000 Social Security number were...

Read More
Cass Regional Medical Center EHR Out of Action Due to Ransomware Attack
Jul11

Cass Regional Medical Center EHR Out of Action Due to Ransomware Attack

Around 11am on Monday July 9, Cass Regional Medical Center in Harrisonville, MO, experienced a ransomware attack that affected its communication system and prevented staff from accessing its electronic medical record (EHR) system. The medical center had policies in place for such an emergency situation. Its incident response protocol was initiated within 30 minutes of the discovery of the attack and staff met to develop detailed plans to minimize the impact to patients. Ransomware attacks typically do not involve the attackers gaining access to data, although as a precaution, it’s EHR vendor – Meditech – shut down the EHR system while the attack was investigated and remediated. At this stage, no evidence has been uncovered to suggest patient data have been accessed. As an additional precautionary measure, ambulances for trauma and stroke have been redirected to other medical facilities. Without access to the EHR system, staff resorted to pen and paper while its IT staff worked to decrypt data and bring its systems back online. A leading international forensics firm was called in to...

Read More
Former Arkansas Children’s Hospital Employee Investigated Over Potential Theft of 4,500 Patients’ PHI
Jul11

Former Arkansas Children’s Hospital Employee Investigated Over Potential Theft of 4,500 Patients’ PHI

A former employee of Arkansas Children’s Hospital is being investigated by law enforcement over the theft and misuse of patients’ protected health information. According to the breach notice submitted to the Department of Health and Human Services’ Office for Civil Rights, the former employee potentially viewed and copied the PHI of up to 4,521 patients. That individual was employed at Arkansas Children’s Hospital for 15 months between November 7, 2016 and February 6, 2018. During that time the employee was provided with access to patient health information to perform essential functions of the job. On May 9, 2018, law enforcement notified Arkansas Children’s Hospital that an investigation had been launched over the possible theft of patients’ Social Security numbers and personal information and the misuse of that information for personal gain. Arkansas Children’s Hospital immediately launched an investigation to determine the types of information that were potentially accessed and whether patients’ PHI had been accessed without authorization. While that internal investigation...

Read More
PHI Stolen As a Result of Manitowoc County Phishing Attack
Jul06

PHI Stolen As a Result of Manitowoc County Phishing Attack

Manitowoc County in Wisconsin has announced protected health information has been stolen as a result of a successful phishing attack. The incident occurred on or around January 14, 2018, although the attack and data breach was not discovered until April 24. While the account was immediately secured to prevent any further access, the attacker had well over two months to view and obtain sensitive data stored in the email account. During the time that the attacker had email account access, emails sent to that account were diverted to a different email account to which Manitowoc County staff had no access. While County officials have not uncovered any evidence to suggest any of the information in the emails has been misused, they have similarly not been able to establish that sensitive data have not been misused or sold on. The types of information that were stolen include names, telephone numbers, email addresses, addresses, and dates of birth. Individuals who received services through the County have also had their health information, insurance information, details of prescriptions,...

Read More
Sophisticated Cyber Spoofing Attack Reported by Humana
Jul03

Sophisticated Cyber Spoofing Attack Reported by Humana

Humana is notifying members in several states that their PHI has potentially been accessed during a ‘sophisticated’ spoofing attack. A spoofing attack is an attempt by a threat actor or bot to gain access to a system or data using stolen or spoofed login credentials. Humana became aware of the attack on June 3, when large numbers of failed login attempts were detected from foreign IP addresses. Prompt action was taken to block the attack, with the foreign IP addresses blocked from accessing its Humana.com and Go365.com websites on June 4. Humana suggests “the nature of the attack and observed behaviors indicated the attacker had a large database of user identifiers (IDs).” It is possible the login credentials are old and that they were obtained in a separate third-party breach, although Humana notes that “the excessive number of log in failures strongly suggests the ID and password combinations did not originate from Humana.” The website accounts did not contain Social Security numbers or financial information; however, the following types of information could potentially have been...

Read More
Zeus Trojan Infection Potentially Resulted in Theft of PHI from Alaska DHSS
Jul03

Zeus Trojan Infection Potentially Resulted in Theft of PHI from Alaska DHSS

The Alaska Department of Health and Social Services (ADHSS) is notifying ‘more than 500’ individuals that some of their protected health information (PHI) has potentially been accessed and stolen by hackers. On April 26, the ADHSS discovered malware had been installed on an employee’s computer after suspicious behavior was detected. The investigation revealed malware had been installed – a variant of the Zeus/Zbot Trojan – which is known to be used to steal sensitive information. The malware was discovered to have communicated with IP addresses in Russia, although it is not known whether the attackers are based in Russia or just using Russian IP addresses. ADHSS has not confirmed whether protected health information was exfiltrated to those IP addresses, although data access and theft of PHI is a possibility. Under the Health Insurance Portability and Accountability Act, HIPAA-covered entities must report data breaches as soon as possible, but no later than 60 days following the discovery of a breach. AHDSS chose to delay the issuing of notifications until just before...

Read More
Healthcare Worker Charged with Criminally Violating HIPAA Rules
Jul03

Healthcare Worker Charged with Criminally Violating HIPAA Rules

A former University of Pittsburgh Medical Center patient information coordinator has been indicted by a federal grand jury over criminal violations of HIPAA Rules, according to an announcement by the Department of Justice on June 29, 2018. Linda Sue Kalina, 61, of Butler, Pennsylvania, has been charged in a six-count indictment that includes wrongfully obtaining and disclosing the protected health information of 111 patients. Kalina worked at the University of Pittsburgh Medical Center and the Allegheny Health Network between March 30, 2016 and August 14, 2017. While employed at the healthcare organizations, Kalina is alleged to have accessed the protected health information (PHI) of those patients without authorization or any legitimate work reason for doing so. Additionally, Kalina is alleged to have stolen PHI and, on four separate occasions between December 30, 2016, and August 11, 2017, disclosed that information to three individuals with intent to cause malicious harm. Kalina was arrested following an investigation by the Federal Bureau of Investigation. The case was taken up...

Read More
Associated Dermatology & Skin Cancer Clinic of Helena Discloses PHI Breach Impacting 1,254 Patients
Jul02

Associated Dermatology & Skin Cancer Clinic of Helena Discloses PHI Breach Impacting 1,254 Patients

This week, Associated Dermatology & Skin Cancer Clinic of Helena, MT, has disclosed a breach of physical protected health information (PHI) affecting 1,254 patients. A journal maintained by an employee of Associate Dermatology was stolen from her vehicle on May 26, 2018. A thief forcibly gained access to the vehicle and stole the personal journal, which contained information to help the employee with the provision of care to patients. The types of information recorded in the journal included names and ages of patients, their referring physicians, brief notes on patients’ medical histories, reasons for visits, and visit notes. Patients whose PHI has been obtained by the thief had received medical services through Associated Dermatology between September 1, 2017 and May 24, 2018. While highly sensitive information – the types that can be used to steal identities – were not stored in the journal, there is potential the information could be misused, although no reports have been received to date to suggest that is the case. The biggest risk is the use of the information in social...

Read More
Business Email Compromise Attacks Dominate 2017 FBI Internet Crime Report
Jun29

Business Email Compromise Attacks Dominate 2017 FBI Internet Crime Report

The FBI has released its 2017 Internet Crime Report. Data for the report came from complaints made through its Internet Crime Complaints Center (IC3). The report highlights the most common online scams, the scale of Internet crime, and the substantial losses suffered as a result of Internet-related crimes. In 2017, there were 301,580 complaints made to IC3 about Internet crime, with total losses for the year exceeding $1.4 billion. Since 2013, when the first Internet Crime Report was first published, more than $5.52 billion has been lost in online scams and more than 1.4 million complaints have been received. The leading types of online crime in 2017 were non-payment/non-delivery, personal data breaches, and phishing; however, the biggest losses came from business email compromise (BEC) attacks, confidence scams/romance fraud, and non-payment/non-delivery. The losses from business email compromise scams (and email account compromise scams on consumers) exceeded $675 million. BEC/EAC scams resulted in more than three times the losses as confidence fraud/romance scams – the second...

Read More
Michigan Medicine Informs Hundreds of Patients of PHI Exposure
Jun28

Michigan Medicine Informs Hundreds of Patients of PHI Exposure

An unencrypted laptop computer containing the protected health information (PHI) of 870 patients of Michigan Medicine has been stolen. The PHI was saved on a personal laptop computer which had been left unattended in an employee’s vehicle. A thief broke into the car and stole the employee’s bag, which contacted the device. The theft occurred on June 3, 2018 and it was immediately reported to law enforcement. Michigan Medicine was informed of the theft the following day on June 4. The laptop contained a range of protected health information of patients who had participated in research studies. The types of information exposed varied depending on the type of research the patients had participated in. Highly sensitive information such as Social Security numbers, health plan ID numbers, and financial information were not stored on the device and addresses and contact telephone numbers were not exposed. The information exposed was limited to names, medical record numbers, gender, race, diagnoses, and treatment information. All of the research studies had been approved by the...

Read More
Protected Health Information Sent to Incorrect Fax Recipient Over Several Months
Jun27

Protected Health Information Sent to Incorrect Fax Recipient Over Several Months

Faxes containing the protected health information (PHI) of a patient have been sent to an incorrect recipient by OhioHealth’s Grant Medical Center over a period of several months – A violation of patient privacy and the Health Insurance Portability and Accountability Act (HIPAA). The recipient of the faxes, Elizabeth Spilker, tried on numerous occasions to notify Grant Medical Center about the problem and stop the faxes being sent, but her efforts were unsuccessful. She tried faxing back a message on the same number requesting a change to the programmed fax number and tried contacting the medical center by telephone. Spilker later notified ABC6 about the issue and the story was covered in a June 18 report. In the report, Spilker explained that faxes had been received from Grant Medical Center for more than a year. The messages contained a range of protected health information including name, age, weight, medical history, medications prescribed, and other sensitive health information. Typically, the faxes were received at the end of the day. Repeated attempts were made to send the...

Read More
Unencrypted Hospital Pager Messages Intercepted and Viewed by Radio Hobbyist
Jun26

Unencrypted Hospital Pager Messages Intercepted and Viewed by Radio Hobbyist

Many healthcare organizations have now transitioned to secure messaging systems and have retired their outdated pager systems. Healthcare organizations that have not yet made the switch to secure text messaging platforms should take note of a recent security breach that saw pages from multiple hospitals intercepted by a ‘radio hobbyist’ in Missouri. Intercepting pages using software defined radio (SDR) is nothing new. There are various websites that explain how the SDR can be used and its capabilities, including the interception of private communications. The risk of PHI being obtained by hackers using this tactic has been well documented.  All that is required is some easily obtained hardware that can be bought for around $30, a computer, and some free software. In this case, an IT worker from Johnson County, MO purchased an antenna and connected it to his laptop in order to pick up TV channels. However, he discovered he could pick up much more. By accident, he intercepted pages sent by physicians at several hospitals. The man told the Kansas City Star he intercepted pages...

Read More
Washington Health System Suspends Several Employees for Inappropriate PHI Access
Jun21

Washington Health System Suspends Several Employees for Inappropriate PHI Access

Following the alleged inappropriate accessing of patient health records by employees, Washington Health System has taken the decision to suspend several employees while the privacy breach is investigated. While it has not been confirmed how many employees have been suspended, Washington Health System VP of strategy and clinical services, Larry Pantuso, issued a statement to the Observer Reporter indicating around a dozen employees have been suspended, although at this stage, no employees have been fired for inappropriate medical record access. The privacy breaches are believed to relate to the death of an employee of the WHS Neighbor Health Center. Kimberly Dollard, 57, was killed when an out of control car driven by Chad Spence, 43, rammed into the building where she worked. Spence and one other individual were admitted to the hospital after sustaining injuries in the accident. Pantuso did not confirm that this was the incident that prompted the employees to access patients’ medical records, although he did confirm that the alleged inappropriate access related to a “high profile...

Read More
Florida Agency for Persons with Disabilities and Black River Medical Center Report Phishing Incidents
Jun20

Florida Agency for Persons with Disabilities and Black River Medical Center Report Phishing Incidents

Two HIPAA-covered entities have recently disclosed they have been victims of phishing attacks that have potentially resulted in the exposure of patients’ protected health information (PHI).   Further Phishing Attack Reported by Florida Agency for Persons with Disabilities The Florida Agency for Persons with Disabilities (FAPD), which provides support services for people with disabilities such as autism, cerebral palsy, spina bifida, and Downs syndrome, has experienced another phishing attack The phishing attack occurred on April 10, 2018 and was limited to a single email account; however, that account contained the PHI of 1,951 customers or guardians. While no evidence was uncovered to suggest any PHI was viewed or copied by the attacker, PHI access could not be ruled out with 100% certainty. The compromised email account contained information such as names, birth dates, addresses, telephone numbers, health information, and Social Security numbers. All patients have now been notified of the breach and have been offered credit monitoring services for a year without charge. Three...

Read More
May 2018 Healthcare Data Breach Report
Jun19

May 2018 Healthcare Data Breach Report

April was a particularly bad month for healthcare data breaches with 41 reported incidents. While it is certainly good news that there has been a month-over-month reduction in healthcare data breaches, the severity of some of the breaches reported last month puts May on a par with April. There were 29 healthcare data breaches reported by healthcare providers, health plans, and business associates of covered entities in May – a 29.27% month-over month reduction in reported breaches. However, 838,587 healthcare records were exposed or stolen in those incidents – only 56,287 records fewer than the 41 incidents in April. In May, the mean breach size was 28,917 records and the median was 2,793 records. In April the mean breach size was 21,826 records and the median was 2,553 records. Causes of May 2018 Healthcare Data Breaches Unauthorized access/disclosure incidents were the most numerous type of breach in May 2018 with 15 reported incidents (51.72%). There were 12 hacking/IT incidents reported (41.38%) and two theft incidents (6.9%). There were no lost unencrypted electronic devices...

Read More
3-Year Jail Term for VA Employee Who Stole Patient Data
Jun18

3-Year Jail Term for VA Employee Who Stole Patient Data

A former employee of the Veteran Affairs Medical Center in Long Beach, CA who stole the protected health information (PHI) of more than 1,000 patients has been sentenced to three years in jail. Albert Torres, 51, was employed as a clerk in the Long Beach Health System-run medical center – a position he held for less than a year. Torres was pulled over by police officers on April 12 after a check of his license plates revealed an anomaly – plates had been used on a private vehicle, which were typically reserved for commercial vehicles. The police officers found prescription medications which Torres’ did not have a prescription for and the Social Security numbers and other PHI of 14 patients in his vehicle. A subsequent search of Torres’ apartment revealed he had hard drives and zip drives containing the PHI of 1,030 patients and more than $1,000 in cleaning supplies that had been stolen from the hospital. After pleading guilty to several crimes, including identity theft and grand theft, Torres was sentenced to three years in state penitentiary on June 4. Sutter Health Fires...

Read More
PHI Stolen in San Francisco and Corpus Christi Burglaries
Jun15

PHI Stolen in San Francisco and Corpus Christi Burglaries

Two HIPAA-covered entities are alerting patients that some of their protected health information (PHI) has been obtained by thieves in recent burglaries. PHI Taken from Employee of Christus Spohn Hospitals The protected health information of patients of two Christus Spohn Hospitals in Corpus Christi has been stolen in a burglary. A Christus Spohn employee was burgled on April 16, 2018 and PHI was taken including information such as names, birth dates, dates of service, medical record numbers, account numbers, ages, and other medical data. No financial information, driver’s license numbers, or Social Security numbers were compromised. Patients affected by the breach had previously received treatment at Christus Spohn Health System’s Memorial or Shoreline hospitals. While PHI was obtained, the information does not appear to have been misused. Christus Spohn has confirmed that approximately 1,800 patients have been affected by the incident. Steps have already been taken to prevent further incidents of this nature from occurring, and the employee in question has received further...

Read More
PHI Compromised in HealthEquity Phishing Attack
Jun13

PHI Compromised in HealthEquity Phishing Attack

A phishing attack on Draper, UT-based HealthEquity Inc., has resulted in the exposure of members’ protected health information. The data breach was limited to one email account, although an analysis of the messages in the account revealed a range of PHI was potentially obtained by the attacker. Information possibly compromised in the attack was limited to names, email addresses, HealthEquity member ID numbers, employer ID numbers, employer names, health account type, deduction amounts, and for some Michigan-based employees, Social Security numbers. The breach was identified on April 13, 2018 and was discovered to have occurred two days previously, giving the attacker 48 hours to access messages in the account. Access to the compromised account was immediately terminated to prevent any further unauthorized access. A third-party computer forensics firm was engaged to conduct a full investigation into the attack. The investigation confirmed that the breach was limited to a single email account and access was gained due to human error – the employee responding to a phishing message. No...

Read More
1,600 Patients Potentially Impacted by Terros Health Phishing Attack
Jun12

1,600 Patients Potentially Impacted by Terros Health Phishing Attack

An employee of Phoenix-based Terros Health was fooled by a phishing scam and inadvertently handed over login credentials to the attacker. That individual accessed the employee’s email account and potentially viewed or obtained a range of protected health information detailed in individual emails in the account. The breach was limited to one email account and access to other systems was not gained. Terros Health learned of the phishing attack on April 12, 2018 and notified the media on June 8. All patients impacted by the breach have now been notified by mail. An investigation into the attack revealed the employee responded to the phishing email on or around November 16, 2017, which was when the email account was first accessed by the attacker. While almost 1,600 patients potentially had some of their PHI compromised as a result of the attack, for the majority of patients (1,241) the exposed information was limited to names and dates of birth. The remaining patients also had their addresses, email addresses, diagnoses, medical record numbers, and other protected health information...

Read More
3,700 Rise Wisconsin Plan Participants Potentially Impacted by Ransomware Attack
Jun11

3,700 Rise Wisconsin Plan Participants Potentially Impacted by Ransomware Attack

Rise Wisconsin is alerting more than 3,700 plan members that some of their protected health information was potentially accessed by unauthorized individuals during a recent ransomware attack. The ransomware was installed on its network on or around April 8, 2018. The ransomware attack was detected rapidly, although not in time to prevent the encryption of data. Rise Wisconsin (formerly Community Partnerships Inc., and Center for Families) called in third party computer forensics experts to assist with the breach investigation and recovery process. While the investigation did not uncover any evidence to suggest protected health information was accessed or stolen in the attack, it was not possible to rule out data access and data theft with a high degree of certainty. Potentially, the types of data that could have been accessed by the attackers includes names, addresses, dates of birth, Social Security numbers and, for certain patients, a limited amount of health information.  No financial information was compromised. Rise Wisconsin has not disclosed how much the attackers demanded...

Read More
Impostor, Burglar, and Hackers Obtain PHI of Patients
Jun08

Impostor, Burglar, and Hackers Obtain PHI of Patients

A round up of healthcare data security incidents reported in the past few days that have resulted in the protected health information of patients being obtained by unauthorized individuals. Blue Cross Blue Shield of Illinois Discovers PHI was Provided to an Imposter Blue Cross Blue Shield of Illinois has discovered the protected health information of some plan members has been disclosed to a doctor who was impersonating another physician. The doctor was employed by its business associate Dane Street and conducted peer to peer reviews for the firm – Further reviews when requests for services have been denied by an insurance company. Dane Street was notified by law enforcement on April 9, 2018 that the doctor had been fraudulently impersonating another physician in order to perform peer to peer reviews. Those reviews required the doctor to view information such as names, addresses, dates of birth, phone numbers, medical service information, and Social Security numbers. Since Social Security numbers were disclosed, affected patients have been offered complimentary credit...

Read More
Healthcare Employees Accused of Taking PHI to New Employers
Jun07

Healthcare Employees Accused of Taking PHI to New Employers

Two HIPAA-covered entities are notifying patients that former employees have accessed databases and stolen protected health information to take to new employers. Former Hair Free Forever Employee Contacts Patients to Solicit Customers Hair Free Forever, a Ventura, CA-based provider of permanent hair removal treatments, has announced that a former employee has stolen patient information and has been contacting its patients in an attempt to solicit customers. The company uses Thermolysis to permanently remove hair. Since the technique is classed as a medical procedure, Hair Free Forever and its employees are required to comply with HIPAA Rules. In a data breach notice provided to the California attorney general, Hair Free Forever’s Cheryl Conway informs patients that the former employee accessed patient files and the company’s database and stole patients’ protected health information, in clear violation of HIPAA Rules. The data theft came to light when complaints were received from customers who had been contacted and told about the former employee’s new practice. An investigation...

Read More
Multiple Data Breaches Reported by Dignity Health
Jun04

Multiple Data Breaches Reported by Dignity Health

Dignity Health has discovered multiple data breaches and violations of HIPAA Rules in the past few weeks. One incident involved an employee accessing the PHI of patients without authorization, an error occurred that allowed a business associate to receive PHI without a valid BAA being in place, and most recently, a 55,947-record unauthorized access/disclosure incident has been reported to the Department of Health and Human Services’ Office for Civil Rights (OCR). Business Associate Agreement Error Discovered On May 10, 2018, Dignity Health notified OCR of a data breach affecting patients of its St. Rose Dominican Hospitals at the San Martin, Siena, and Rose de Lima campuses in Nevada. Dignity Health reports that on April 6, 2018, St Rose Dominican Hospitals shared the protected health information of 6,036 patients with a third-party contractor to process health-related court documents for hearings. The contractor had been used for ten years and a valid business associate agreement was previously in place; however, that document had expired and data continued to be shared with the...

Read More
Purdue University Uncovers Data Security Incidents that Potentially Compromised PHI
May31

Purdue University Uncovers Data Security Incidents that Potentially Compromised PHI

Two security breaches have been discovered by Purdue University’s security team that have potentially resulted in unauthorized individuals gaining access to the protected health information of patients. In April, Purdue University’s security team discovered a file on computers used by Purdue University Pharmacy indicating the devices had been remotely accessed by an unauthorized individual. The file was placed on the devices around September 1, 2017. The computers contained a limited amount of protected health information including patients’ names, dates of birth, dates of service, identification numbers, internal identification numbers, diagnoses, treatment information, and amounts billed. No personal financial information or Social Security numbers were stored on the computer. An investigation into the breach did not uncover any evidence to suggest any patient information was stolen and no reports have been received to suggest any patient data have been misused. However, since it was not possible to rule out unauthorized PHI access with a high degree of certainty, patients have...

Read More
42,600 Patients Potentially Impacted by Aultman Health Foundation Phishing Attack
May28

42,600 Patients Potentially Impacted by Aultman Health Foundation Phishing Attack

Aultman Health Foundation, which runs Aultman Hospital in Canton, OH, is notifying approximately 42,600 patients that some of their protected health information may have been compromised as a result of a phishing attack. Unauthorized and unknown individuals succeeded in gaining access to several email accounts used by employees of Aultman Hospital, its AultWorks Occupational Medicine division, and certain Aultman physician offices. The unauthorized access was first detected on March 28, 2018 prompting a full investigation to determine the scope of the breach and whether any sensitive information was potentially accessed. Third-party information security experts were engaged to assist with the investigation and determined access to the email accounts occurred on several occasions starting in mid-February and continued until the breach was detected and remediated in late March. The breach was limited to email accounts. The system that stores electronic medical records was not compromised. Email accounts used by Aultman hospital and certain physician practices contained names,...

Read More
More than 6,500 Patients Potentially Impacted by Minnesota Ransomware Attack
May25

More than 6,500 Patients Potentially Impacted by Minnesota Ransomware Attack

Rochester, MN-based Associates in Psychiatry and Psychology (APP) has experienced a ransomware attack that affected several computers containing patients’ protected health information. The ransomware attack was discovered on March 31, 2018. Patient information stored on the affected computers was not in a “human-readable” format, and no evidence was uncovered to suggest any protected health information was accessed or copied by the attackers. Since it was not possible to rule out data access with 100% certainty, all patients whose data were stored on the affected devices have been notified of the security breach. The types of information potentially accessed includes names, birth dates, addresses, Social Security numbers, insurance information, and treatment records. APP acted promptly when the attack was discovered and took its systems offline to prevent the spread of the ransomware and limit the potential for further encryption of data and data theft. APP’s systems remained offline for four days while the attack was assessed. APP notes in its Q&A about the incident that the...

Read More
OCR Plans to Share HIPAA Violation Settlements with Breach Victims
May23

OCR Plans to Share HIPAA Violation Settlements with Breach Victims

The Health Information Technology for Economic and Clinical Health (HITECH) Act was enacted in 2009 and includes a provision that calls for the Department of Health and Human Services to share a percentage of HIPAA settlements with victims of HIPAA violations and data breaches. This month has seen some progress in that area. The Department of Health and Human Services’ Office for Civil Rights has announced it is planning on issuing an advance notice of proposed rulemaking in November about sharing a percentage of the fines it collects through its HIPAA enforcement activities with the victims of data breaches. OCR officials have previously made it clear that steps will be taken to meet the requirements of this HITECH provision, but little progress has been made. This is not the first time that OCR has announced it plans to issue an advance notice of proposed rulemaking on the matter only for the advance notice of proposed rulemaking to be delayed. If OCR follows through on its plans this fall, feedback will be sought from the public and industry stakeholders on how it can achieve...

Read More
538,000 Patients Notified of LifeBridge Health Data Breach
May23

538,000 Patients Notified of LifeBridge Health Data Breach

Earlier this month, the Baltimore-based healthcare provider LifeBridge Health announced it had experienced a data breach. A press release about the breach was issued on May 16, although there was no mention of the number of patients impacted. Further information has now been released on the extent of the breach. On March 18, 2018, LifeBridge Health discovered malware had been installed on a server that hosted the electronic medical record system used by LifeBridge Potomac Professionals and LifeBridge Health’s patient registration and billing systems. The discovery of malware prompted a through investigation to determine when access to the server was first gained. LifeBridge Health contracted a national computer forensics firm to assist with the investigation with the firm establishing that access to the server was first gained 18 months previously on September 27, 2016. The types of information stored on the server included patients’ names, dates of birth, addresses, diagnoses, medications prescribed, clinical and treatment information, insurance details, and a limited number of...

Read More
Indiana Physicians Group Suffers SamSam Ransomware Attack
May22

Indiana Physicians Group Suffers SamSam Ransomware Attack

Allied Physicians Group of Michiana has experienced a ransomware attack that took part of its network out of action. The attack occurred on Thursday May 17, 2018 and resulted in the encryption of several files on its network. It is currently unclear whether any protected health information encrypted. An investigation into the security incident is continuing to determine whether any protected health information was compromised in the attack. The attack was detected promptly and action was immediately taken to shut down its network to protect the PHI of patients. Allied Physicians Group of Michiana has been working with its incident responder, outside counsel, and other professionals to determine the scope of the breach and recover encrypted data. The Indiana Physicians Group reports that all data have now been recovered in a secure format and the attack did not cause significant disruption to patients. Steps have already been taken to improve security and prevent future attacks of this nature from occurring. CEO Shery Roussarie explained in a May 21 press release that the attack...

Read More
Healthcare Data Breach Report: April 2018
May18

Healthcare Data Breach Report: April 2018

April was a particularly bad month for healthcare data breaches with both the number of breaches and the number of individuals impacted by breaches both substantially higher than in March. There were 41 healthcare data breaches reported to the Department of Health and Human Services’ Office for Civil Rights in April. Those breaches resulted in the theft/exposure of 894,874 healthcare records. Healthcare Data Breach Trends For the past four months, the number of healthcare data breaches reported to OCR has increased month over month. For the third consecutive month, the number of records exposed in healthcare data breaches has increased. Causes of Healthcare Data Breaches in April 2018 The healthcare industry may be a big target for hackers, but the biggest cause of healthcare data breaches in April was unauthorized access/disclosure incidents. While cybersecurity defences have been improved to make it harder for hackers to gain access to healthcare data, there is still a major problem preventing accidental data breaches by insiders and malicious acts by healthcare employees....

Read More
Former Employee of Nuance Communications Stole PHI of 45,000 Patients
May16

Former Employee of Nuance Communications Stole PHI of 45,000 Patients

In a recent filing with the U.S. Securities and Exchange Commission, Burlington, MA-based Nuance Communications disclosed it experienced a data breach involving the protected health information of 45,000 individuals in December 2017. Nuance Communications stated in its May 10, 2018 SEC filing that a third party accessed certain reports hosted on a single Nuance transcription platform, which was promptly shut down when unauthorized access was discovered. The filing states law enforcement was notified about the breach and assisted with the investigation and apprehended the individual responsible. There is no mention of when the breach was discovered, although the company has notified all customers who used the platform to allow them to issue notifications to affected individuals. One of those customers, The San Francisco Health Network, published a substitute breach notice on its website on May 11 providing further information on the breach. The breach notice explains that the protected health information of 895 patients who received medical services at Zuckerberg San Francisco...

Read More
Eye Care Surgery Center Data Breach Impacts 2,553 Patients
May15

Eye Care Surgery Center Data Breach Impacts 2,553 Patients

A laptop computer containing the protected health information of 2,553 patients of Eye Care Surgery Center, Inc., of Baton Rouge, LA has been stolen. The theft was discovered by Eye Care Surgery Center on February 26, 2018 although it is unclear where the device was stolen from. The theft prompted Eye Care Surgery Center to install a new multi-camera system at its facilities, both inside and outside buildings. The decision has also been taken to use encryption on most of the portable electronic devices used by Eye Care Surgery Center to prevent protected health information from being exposed in the event that any further portable electronic devices are stolen. An investigation was conducted to determine the types of information stored on the stolen device and the patients affected by the incident. Highly sensitive information such as health insurance information, Social Security numbers, and financial information were not stored on the device and remained secure at all times. The breach was limited to names, birth dates, and diagnosis information. No reports have been received to...

Read More
8,300 Cerebral Palsy Research Foundation of Kansas Patients Informed of 10-Month Exposure of PHI
May14

8,300 Cerebral Palsy Research Foundation of Kansas Patients Informed of 10-Month Exposure of PHI

An oversight has caused a database used by Cerebral Palsy Research Foundation of Kansas (CPRF) to have its security protections removed for a period of 10 months, exposing the protected health information (PHI) of 8,300 patients. The vulnerable demographic database was discovered on March 10, 2018 and was immediately secured. The investigation into the breach determined that while the database had been created on a secure subdomain in early 2000, when CPRF switched its servers in 2017 the database was not identified resulting in the accidental removal of security protections. During the time that the database was vulnerable it is possible that personal and health information was accessed by unauthorized individuals. The breach was limited to personal information and personal health information relating to the type of disability suffered by patients. No financial information or donor information was exposed. Individuals affected by the breach had received services from CPRF between 2001 and 2010. It is unclear whether any of the exposed information was accessed by unauthorized...

Read More
Spate of Phishing Attacks on Healthcare Organizations Sees 90,000 Records Exposed
May10

Spate of Phishing Attacks on Healthcare Organizations Sees 90,000 Records Exposed

The past few weeks have seen a significant rise in successful phishing attacks on healthcare organizations. In a little over four weeks there have been 10 major email hacking incidents reported to the Department of Health and Human Services’ Office for Civil Rights, each of which has resulted in the exposure and potential theft of more than 500 healthcare records. Those ten incidents alone have seen almost 90,000 healthcare records compromised. Recent Email Hacking and Phishing Attacks on Healthcare Organizations HIPAA-Covered Entity Records Exposed Inogen Inc. 29,529 Knoxville Heart Group 15,995 USACS Management Group Ltd 15,552 UnityPoint Health 16,429 Texas Health Physicians Group 3,808 Scenic Bluffs Health Center 2,889 ATI Holdings LLC 1,776 Worldwide Insurance Services 1,692 Billings Clinic 949 Diagnostic Radiology & Imaging, LLC 800 The Oregon Clinic Undisclosed   So far this year there have been three data breaches involving the hacking of email accounts that have exposed more than 30,000 records. Agency for Health Care Administration suffered a 30,000-record breach in...

Read More
Class Action Lawsuit Claims UnityPoint Health Mislead Patients over Severity of Phishing Attack
May08

Class Action Lawsuit Claims UnityPoint Health Mislead Patients over Severity of Phishing Attack

A class action lawsuit has been filed in response to a data breach at UnityPoint Health that saw the protected health information (PHI) of 16,429 patients exposed and potentially obtained by unauthorized individuals. As with many other healthcare data breaches, PHI was exposed as a result of employees falling for phishing emails. UnityPoint Health discovered the security breach on February 15, 2018 and sent breach notification letters to affected patients two months later, on or around April 16, 2018. HIPAA-covered entities have up to 60 days following the discovery of a data breach to issue notifications to patients. Many healthcare organizations wait before issuing breach notifications and submitting reports of the incident to the Department of Health and Human Services’ Office for Civil Rights. Waiting for two months to issue notifications to breach victims could be viewed as a violation of HIPAA Rules. While the maximum time limit for reporting was not exceeded, the HIPAA Breach Notification Rule requires notifications to be sent ‘without unnecessary delay.’ The HHS’ Office for...

Read More
Capital Digestive Care Notifies 17,639 Individuals of PHI Exposure
May08

Capital Digestive Care Notifies 17,639 Individuals of PHI Exposure

The Silver Spring, MD-based gastroenterology group Capital Digestive Care has discovered one of its business associates uploaded files to a commercial cloud server that lacked appropriate security controls, exposing the protected health information of up to 17,639 patients. The availability of sensitive patient data over the Internet was brought to the attention of Capital Digestive Care on February 23, 2018 and action was promptly taken to secure the files and prevent further unauthorized access. An investigation into the privacy breach was launched to determine the types of information that had been exposed and the number of patients impacted. The investigation confirmed some sensitive data had been exposed, although the breach was limited to individuals that had visited its website and submitted information via the Schedule a Visit and Contact pages on the site. The types of information exposed was limited to names, addresses, email addresses, telephone numbers, and birth dates. Patients may also have had a limited amount of health information exposed. The login page to the...

Read More
3 University of Arkansas Medical Sciences Employees Fired for Violation of Patient Privacy
May07

3 University of Arkansas Medical Sciences Employees Fired for Violation of Patient Privacy

University of Arkansas Medical Sciences (UAMS) has fired three employees over alleged HIPAA violations that saw a patient’s protected health information impermissibly disclosed and published on Facebook. UAMS provides training to all employees to make them aware of their responsibilities with respect to patient privacy and the requirements of HIPAA, yet despite that training, one employee violated the privacy of a patient by disclosing that individual’s name, age, HIV status, employment information, and surgical history to a colleague. That employee shared the information with a friend who uploaded the PHI to Facebook. A third employee allegedly played no part in the violation but was aware of the disclosures yet failed to report the incident to the hospital. The hospital took prompt action when the HIPAA violations were discovered and terminated all three employees for violating HIPAA Rules and the hospital’s code of conduct. The hospital is taking steps to ensure similar incidents are prevented and is working with the patient to resolve the privacy violation. The motives of the...

Read More
Protenus Report Highlights Extent of Insider Breaches in Healthcare
May04

Protenus Report Highlights Extent of Insider Breaches in Healthcare

The quarterly breach barometer report from Protenus provides insights into the extent to which insiders are violating HIPAA Rules and snooping on patient health information. The Breach Barometer report is compiled using breach data supplied by Databreaches.net and proprietary data collected through the artificial intelligence platform developed by Protenus that allows healthcare organizations to track and analyze employee EHR activity. Insider breaches are a major problem in healthcare, yet many insider breaches go undetected. When insider breaches are identified, it is often months after the breach has occurred. One healthcare employee was recently discovered to have been accessing medical records without authorization for 14 years. 1.13 Million Patient Records Exposed in Q1, 2018 The latest Breach Barometer report shows the records of 1,129,744 patients and health plan members has been viewed by unauthorized individuals, exposed, or stolen in the first quarter of 2018. Data breaches occurred at a rate of more than one per day, with 110 healthcare data breaches reported in Q1....

Read More
2,889 Patients of Scenic Bluffs Community Health Centers Notified of PHI Breach
May04

2,889 Patients of Scenic Bluffs Community Health Centers Notified of PHI Breach

An unauthorized individual has gained access to the email account of an employee of Scenic Bluffs Community Health Centers and potentially viewed the protected health information of up to 2,889 patients. The email account breach was discovered by the health centers on March 1, 2018, the day after access to the account was gained. The attacker had set up a mail forwarder on the account, which had forwarded 44 messages to an email address controlled by the attacker. None of the forwarded emails contained any protected health information and following the discovery of the mail forwarding rule it was deleted, the account was closed, and all PHI was secured. While no PHI appeared to have been obtained by the attacker, it is possible that during the time that access to the email account was possible, PHI detailed in the emails could potentially have been viewed. It is unclear how access to the email account was gained. Typically email accounts are compromised after employees respond to phishing emails and inadvertently disclose their login credentials, or via brute force attacks that...

Read More
PHI of 3,000 Patients Exposed Due to Mailing Printing Error
May03

PHI of 3,000 Patients Exposed Due to Mailing Printing Error

Maximus Inc, a provider of business process management and technology solutions to government health and human services agencies, is alerting more than 3,000 individuals that some of their protected health information has been accidentally disclosed to other individuals as a result of a printing error on a recent mailing. The mailing was prepared and sent by its business associate, Business Ink, between February 10 and February 13, 2018. The mailing was sent to approximately 1,100 families in Texas who participated in Medicaid and the Children’s Health Insurance Program (CHIP). The error was discovered by Maximus on February 16. The 6-page letter included one mismatched page that included information relating to another individual. The types of information detailed on the page were limited to names, addresses, group numbers, case numbers, and program type. No highly sensitive information such as Social Security numbers, birth dates, insurance information, or financial information was exposed, and none of the information detailed on the mismatched pages would allow another...

Read More
Malware Installed on Florida Hospital Websites May Have Provided Access to PHI
May03

Malware Installed on Florida Hospital Websites May Have Provided Access to PHI

Three websites used by Florida Hospital have been infected with malware that has potentially allowed the threat actors behind the attack to obtain patients’ protected health information. PHI access has not been confirmed and no reports have been received to suggest any protected health information has been misused. Patients are being informed of the breach and, out of an abundance of caution, have been offered complimentary credit monitoring services. The websites impacted are FloridaBariatric.com, FHOrthoInstitute.com and FHExecutiveHealth.com. The data potentially compromised was limited and did not involve any financial information. Potentially, patients’ names, birth dates, email addresses, phone numbers, insurance carriers, the last four digits of their social security numbers, any comments uploaded via the sites, and their height and weight have potentially been obtained by the attackers. The malware attack was limited to the above websites and no other systems were affected. It is unclear what type of malware was uploaded to the websites and how long the malware was present...

Read More
Employee Sent PHI After Being Fired
Apr27

Employee Sent PHI After Being Fired

A bizarre mistake by the Texas Health and Human Services Commission has seen a former employee sent the protected health information of approximately 100 patients after she had been fired. She was sent boxes containing items that had been collected from her old desk, but was also sent a box of benefits application forms. After Tracy Ryans, 51, of Houston, was terminated, HHSC mailed her two boxes containing her personal items, which were left on her porch by the delivery driver. One of the boxes contained personal belongings that included pens, a coffee cup, and old shoes. The other box contained paperwork. Ryans told the Texas Tribune that one of the boxes contained personal items that did not belong to her. They had been taken from a desk she shared with coworkers. The other box was full of paperwork containing highly sensitive personal information of clients. The paperwork included benefits applications that included the Social Security numbers, billing statements, copies of driver’s licenses, and check stubs relating to approximately 100 individuals. The documents were dated...

Read More
85,000 Patients Impacted by California Ransomware Attack
Apr26

85,000 Patients Impacted by California Ransomware Attack

Center for Orthopaedic Specialists is notifying its patients that some of their protected health information was potentially accessed by unauthorized individuals who installed ransomware on its network. The attack impacts all current and former patients of three of its facilities in West Hills, Simi Valley and Westlake Village in California. According to Databreaches.net, 85,000 patients have potentially been impacted. Center for Orthopaedic Specialists was notified by its IT vendor that an unauthorized individual began attempting to access its network on February 18, 2018. Access to the network was gained and ransomware was installed, which was used to encrypt a wide range of files, many of which contained the protected health information of patients. The types of information encrypted by the ransomware included names, details about medical records, dates of birth, and Social Security numbers. Prompt action was taken by the IT vendor to limit the harm caused and the affected system was taken offline rapidly to prevent any exfiltration of data. An investigation into the breach has...

Read More
Web Portal of Transcription Service Provider Discovered to be Leaking PHI
Apr25

Web Portal of Transcription Service Provider Discovered to be Leaking PHI

A transcription service provider has inadvertently left medical records and patient notes unsecured and freely accessible via a physician portal, which should have been password protected. The error has resulted in the exposure of thousands of patients’ PHI. MEDantex provides medical transcription services to many hospitals and physicians, many of whom choose to upload audio files to the MEDantex website. The audio files are accessed by the firm’s employees and transcribed, and documents containing the transcribed notes are uploaded to the portal where they can be downloaded by providers. In order to gain access the portal, a user must be authenticated by means of a password. According to a report on KrebsOnSecurity, certain portions of the website were recently discovered to lack any authentication controls. Anyone visiting the website could, through their browser, gain access to patient data stored on the site. Brian Krebs reports that several of the tools used by MEDantex staff and could also be accessed and used by unauthorized individuals. Those tools allowed unauthorized...

Read More
Report: Healthcare Data Breaches in Q1, 2018
Apr24

Report: Healthcare Data Breaches in Q1, 2018

The first three months of 2018 have seen 77 healthcare data breaches reported to the Department of Health and Human Services’ Office for Civil Rights (OCR). Those breaches have impacted more than one million patients and health plan members – Almost twice the number of individuals that were impacted by healthcare data breaches in Q4, 2017. There was a 10.5% fall in the number of data breaches reported quarter over quarter, but the severity of breaches increased. The mean breach size increased by 130.57% and there was a 15.37% increase in the median breach size. In Q4, 2017, the mean breach size was 6,048 healthcare records and the median breach size was 1,666 records. In Q1, 2018, the mean breach size was 13,945 records and the median breach size was 1,922 records. Between January 1 and March 31, 2018, 1,073,766 individuals had their PHI exposed, viewed, or stolen compared to 520,141 individuals in Q4, 2017. Individuals Impacted by Healthcare Data Breaches in Q1, 2018 Throughout 2017, healthcare data breaches were occurring at a rate of more than one per day. Compared to 2017,...

Read More
1,000 Mental Health Patients’ PHI Accidentally Disclosed for 3 and a Half Years
Apr20

1,000 Mental Health Patients’ PHI Accidentally Disclosed for 3 and a Half Years

1,071 patients who received medical services at the Des Moines Crisis Observation Center operated by Polk County Health Services Inc., have been informed that some of their protected health information has been “accidentally and unknowingly disseminated” over a period of three and a half years. The breach was discovered on February 14, 2018, although the investigation revealed that information first started being disclosed on June 1, 2014 and continued until January 11, 2018. The types of information disclosed includes patients’ names along with Social Security numbers, home addresses, Medicaid ID numbers, admission dates, and discharge locations. Through the Crisis Observation Center, Polk County Health Services provides mental health services for residents of Polk County, IA and is the regional administrator and governing board for mental health and disability services for the county. Polk County Health Services is aware of the individual(s) to whom the information has been disclosed and was able to determine exactly the types of information that has been received by those...

Read More
California Dept. of Developmental Services Notifies 582,000 Patients of Potential PHI Compromise
Apr19

California Dept. of Developmental Services Notifies 582,000 Patients of Potential PHI Compromise

The California Department of Developmental Services (DDS) is notifying 582,174 patients that their protected health information has potentially been compromised. On February 11, 2018, thieves broke into the DDS legal and audits offices in Sacramento, CA. During the time the thieves were in the offices they potentially had access to the sensitive information of approximately 15,000 employees, contractors, job applicants, and parents of minors who receive DDS services, in addition to the PHI of more than half a million patients. The thieves also stole 12 government computers. It does not appear that the perpetrators were interested in paper records and all computers taken by the thieves were encrypted so data access was not possible. DDS has confirmed that none of the office computers were used to gain access to the department’s network and electronic protected health information remained secure at all times. In its substitute breach notice, DDS explained that its offices were vandalized and a fire was started, which triggered the sprinkler system causing damage to documents and CDs....

Read More
Texas Health Resources Notifies 4,000 Patients of Email Account Breach
Apr17

Texas Health Resources Notifies 4,000 Patients of Email Account Breach

Arlington-based Texas Health Resources, a provider group serving more than 1.7 million patients in North Texas, is notifying ‘fewer than 4,000 patients’ that some of their sensitive information may have been accessed by an unauthorized individual. The data breach occurred as early as October 2017, although it was not discovered until January 17, 2018, when the health system was notified of a breach by law enforcement. The potentially compromised data was saved in email accounts that the attacker had access to for up to three months. The delay in issuing breach notification letters, which would normally have to be issued within 60 days of the discovery of the breach under HIPAA Rules, was at the request of law enforcement. HIPAA covered entities are permitted to delay the issuing of notifications if law enforcement believes such an act would impede an investigation. Law enforcement has only recently given the OK to start sending notifications. It is unclear whether the law enforcement investigation resulted in the apprehension of a suspect. Texas Health Resources explained in its...

Read More
Analysis of March 2018 Healthcare Data Breaches
Apr16

Analysis of March 2018 Healthcare Data Breaches

There has been a month-over-month increase in healthcare data breaches. In March 2018, 29 security incidents were reported by HIPAA covered entities compared to 25 incidents in February. Even though more data breaches were reported in March, there was a fall in the number of individuals impacted by breaches. March 2018 healthcare data breaches saw 268,210 healthcare records exposed – a 13.13% decrease from the 308,780 records exposed in incidents in February. Causes of March 2018 Healthcare Data Breaches March saw the publication of the Verizon Data Breach Investigations Report which confirmed the healthcare industry is the only vertical where more data breaches are caused by insiders than hackers. That trend continued in March. Unauthorized access/disclosures, loss of devices/records, and improper disposal incidents were behind 19 of the 29 incidents reported – 65.5% of all incidents reported in March. The main cause of healthcare data breaches in March 2018 was unauthorized access/disclosure incidents. 14 incidents were reported, with theft/loss incidents the second main cause...

Read More
Several Employee Email Accounts Compromised in UnityPoint Health Phishing Attack
Apr16

Several Employee Email Accounts Compromised in UnityPoint Health Phishing Attack

UnityPoint Health has discovered the email accounts of several employees have been compromised and accessed by unauthorized individuals. Access to the employee email accounts was first gained on November 1, 2017 and continued for a period of three months until February 7, 2018, when the phishing attack was detected and access to the compromised email accounts was blocked. Upon discovery of the phishing attack, UnityPoint Health engaged the services of a computer forensics firm to investigate the scope of the breach and the number of patients impacted. The investigation revealed a wide range of protected health information had potentially been obtained by the attackers, which included names in combination with one or more of the following data elements: Medical record number, date of birth, service dates, treatment information, surgical information, lab test results, diagnoses, provider information, and insurance information. The security breach has yet to appear on the Department of Health and Human Services’ breach portal, so it is currently unclear exactly how many patients have...

Read More
Oxygen Equipment Manufacturer Discovers Credential Theft Incident Potentially Impacts 30,000
Apr16

Oxygen Equipment Manufacturer Discovers Credential Theft Incident Potentially Impacts 30,000

Inogen, a manufacturer of portable oxygen concentrators, has discovered an unauthorized individual has obtained the credentials of an employee and has used them to gain access to the employee’s email account. Phishing and other credentials theft incidents are common in the healthcare sector, although what makes this incident stand out is the number of individuals impacted by the attack. The compromised email account contained the personal information of approximately 30,000 individuals who had previously been provided with oxygen supply devices. The types of information potentially viewed and obtained by the attacker include name, telephone number, address, email address, date of birth, date of death, types of equipment provided, Medicare ID number and health insurance information. Medical records, Social Security numbers, and payment card information were not compromised. Also notable is the length of time it took to discover the breach. Inogen reports that access to the email account was first gained on January 2, 2018 and continued until March 14. Forensic investigators were...

Read More
Integrated Rehab Consultants Takes 16 Months to Notify Patients of PHI Breach
Apr12

Integrated Rehab Consultants Takes 16 Months to Notify Patients of PHI Breach

The Chicago, IL-based physiatry group Integrated Rehab Consultants is sending notification letters to certain patients alerting them to the exposure of some of their protected health information, as is required by HIPAA. However, the breach was not discovered in the past 60 days. Integrated Rehab Consultants (IRC) first became aware of the exposure of PHI on December 2, 2016 – 16 months ago. The data – which included patients’ full names, address, date of birth, gender, medical provider information, visit date, visit status, admission date, appointment visit ID, treatment location, procedure code, and diagnosis codes – had been uploaded to a publicly accessible repository. The PHI was discovered by a healthcare security researcher who notified IRC about the breach. Prompt action was taken to remove and secure the data and an investigation was launched to determine how and why the data had been uploaded to an insecure location. That investigation determined that a business associate who had been provided with the PHI had disclosed the information to a third party. It was that...

Read More
Baptist Health Alerts Almost 1,500 Patients to Possible Abuse of Credit Card Details
Apr11

Baptist Health Alerts Almost 1,500 Patients to Possible Abuse of Credit Card Details

A former employee of Baptist Health’s West Kendall Baptist Hospital in Miami, FL has been discovered to have stolen the credit card details of patients and used the information to make fraudulent purchases. The misuse of credit cards was discovered by Baptist Health on March 9, 2018 and the matter was referred to Miami-Dade law enforcement and the employee was terminated. Baptist Health has not specified exactly how many patients have been confirmed to have been defrauded by the employee, although 1,480 patients have been sent breach notification letters to alert them to the possibility that their credit card details may have been misused. Any patient who paid for medical services using a credit card with the registration employee between August 2014 and March 2018 have potentially had their name, date of birth, and credit card details stolen and misused. As a precaution, all 1,480 patients have been offered identity theft protection and credit monitoring services for 12 months without charge and have been advised to check their credit card statements carefully for any unauthorized...

Read More
63,500 Patients Impacted by Middletown Medical Data Breach
Apr11

63,500 Patients Impacted by Middletown Medical Data Breach

A misconfigured security setting on a radiology interface has resulted in the exposure of tens of thousands of patients’ protected health information. Middletown Medical, a multi-specialty physicians’ group based in Middleton, NY, discovered the misconfigured security setting on January 29, 2018. The following day the interface was secured to ensure unauthorized individuals were prevented from accessing patient information. It is unclear for how long patient data was accessible. Middletown Medical says only a limited number of patients’ PHI could have been accessed by unauthorized individuals. Highly sensitive information such as financial data, Social Security numbers, and insurance information were not exposed. The breach was limited to names, client identification numbers, birth dates, confirmation that radiology services had been received by patients, and the dates those services were provided. A limited number of patients also had diagnosis codes, radiology images, and radiology reports exposed. The discovery of the error prompted Middletown Medical to review its polices and...

Read More
2 to 6 Year Jail Term for Receptionist Who Stole PHI from Dentist Office
Apr11

2 to 6 Year Jail Term for Receptionist Who Stole PHI from Dentist Office

A former receptionist at a New York dental practice has been sentenced to serve 2 to 6 years in state penitentiary for stealing the protected health information of hundreds of patients. Annie Vuong, 31, was given access to the computer system and dental records of patients in order to complete her work duties. Vuong abused the access rights and stole the PHI of more than 650 patients. That information was passed to her co-defendants who used the data to steal identities and make fraudulent purchases of high value items. Vuong was arrested on February 2, 2015, following a two-and-a-half-year investigation into identity theft by the New York District Attorney’s Office. The theft of data occurred between May and November 2012, when the PHI of 653 patients was taken from the dental office. The types of information stolen included names, birth dates, and Social Security numbers. That information was shared with co-defendant Devin Bazile in an email. Bazile used the information to obtain credit lines from Barclaycard in the victims’ names. Credit ranged from $2,000 to $7,000 per...

Read More
Chesapeake Regional Healthcare Reports PHI of 2,100 Patients Was Stored on Lost Hard Drives
Apr09

Chesapeake Regional Healthcare Reports PHI of 2,100 Patients Was Stored on Lost Hard Drives

Body: Chesapeake Regional Healthcare has discovered two hard drives containing the protected health information (PHI) of approximately 2,100 patients are missing from the Chesapeake Regional Medical Center campus in Chesapeake, Virginia. The data stored on the devices relates to individuals who took part in studies at its Sleep Center between April 2015 and February 2018. It is currently unclear exactly when the hard drives went missing. Chesapeake Regional Healthcare discovered the devices were missing on February 6, 2018. An internal investigation was launched, and a full search of the facility was conducted, but the devices could not be located. The missing hard drives have been reported as lost/stolen to law enforcement, but Chesapeake Regional Healthcare said the probability of the devices being recovered is low and it does not expect the devices to be found. The hard drives were not encrypted. If obtained by a third party, the protected health information of patients could potentially be accessed. The types of information stored on the devices includes names, demographic...

Read More
Oregon Data Breach Notification and Information Security Laws Updated
Apr06

Oregon Data Breach Notification and Information Security Laws Updated

Oregon has updated its data breach notification law to improve protections for state residents whose personal information is exposed in a data breach. State governor Kate Brown added her signature to Senate Bill (SB 1551) last month, which updates several regulations, notably Oregon’s Breach Notification Law, O.R.S. 646A.604 and Information Security Law, O.R.S. 646A.622. The updates will become effective in June 2018. Prior to the update, Oregon data breach notification law only applied to persons who own or license personal information. Now, the definition of a person is “an individual, private or public corporation, partnership, cooperative, association, estate, limited liability company, organization or other entity, whether or not organized to operate at a profit, or a public body as defined in ORS 174.109.” A data breach is defined as “an unauthorized acquisition of computerized data that materially compromises the security, confidentiality or integrity of personal information that a person maintains.” The definition of personal information has been expanded to include a first...

Read More
Verizon PHI Breach Report Confirms Healthcare Has Major Problem with Insider Breaches
Apr03

Verizon PHI Breach Report Confirms Healthcare Has Major Problem with Insider Breaches

Verizon has released its annual Protected Health Information Breach Report which delves deep into the main causes of breaches, why they occur, the motivations of internal and external threat actors, and the main threats to the confidentiality, integrity, and availability of PHI. For the report, Verizon analyzed 1,368 healthcare data breaches and incidents where protected health information (PHI) was exposed but not necessarily compromised. The data came from 27 countries, although three quarters of the breached entities were based in the United States where there are stricter requirements for reporting PHI incidents. In contrast to all other industry sectors, the healthcare industry is unique as the biggest security threat comes from within. Insiders were responsible for almost 58% of all breaches with external actors confirmed as responsible for just 42% of incidents. The main reason for insider breaches is financial gain. PHI is stolen to commit identity theft, credit card fraud, insurance fraud, and tax fraud. Verizon determined that 48% of all internal incidents were conducted...

Read More
Law Enforcement Notifies Cambridge Health Alliance About PHI Breach
Apr03

Law Enforcement Notifies Cambridge Health Alliance About PHI Breach

Cambridge Health Alliance (CHA) in Massachusetts has been notified by law enforcement that the protected health information of some of its patients has been discovered in the possession of an unauthorized individual. On January 31, 2018, Everett Massachusetts Police Department notified CHA that files containing the PHI of some of its patients had been discovered in the possession of an individual unauthorized to have the information. After being notified of the breach, CHA conducted an internal investigation into the breach and examined the files. At least one of the files contained PHI related to billing which included patients’ names, addresses, dates of birth, Social Security numbers, employer information, charges for healthcare services, and discharge dates. The data related to billing from 2013. According to a breach notice sent to affected individuals by the law firm BakerHostetler on behalf of CHA, the breach impacted four individuals in New Hampshire, all of whom have been offered complimentary credit monitoring and identity theft protection services through Experian. While...

Read More
6,800 CareFirst BCBS Members Impacted by Phishing Attack
Apr02

6,800 CareFirst BCBS Members Impacted by Phishing Attack

A phishing attack on CareFirst Blue Cross Blue Shield has resulted in the exposure of 6,800 plan members’ protected health information. The attack was detected by CareFirst on March 12, 2018, prompting a thorough investigation, which included a forensic analysis of the email system and CareFirst’s systems in general. In addition to the internal investigation by the CareFirst IT security team, a third-party information security firm also investigated the attack. The analyses did not uncover any evidence to suggest emails in the compromised account had been opened by the attacker; however, the emails in the account did contain some protected health information and data access could not be ruled out with a high degree of certainty. Once access to the account was gained, the attacker sent phishing emails to individuals in a contact list. Those individuals were not employed by or affiliated with CareFirst BCBS. The emails were sent with the intention of gaining further login credentials. No malware was involved. While 6,800 individuals have potentially been impacted by the incident,...

Read More
Security Breaches in Healthcare in the Last Three Years
Mar30

Security Breaches in Healthcare in the Last Three Years

There have been 955 major security breaches in healthcare in the last three years that have resulted in the exposure/theft of 135,060,443 healthcare records. More than 41% of the population of the United States have had some of their protected health information exposed as a result of those breaches, which have been occurring at a rate of almost one a day over the past three years. There has been a steady rise in reported security beaches in healthcare in the last three years. In 2015 there were 270 data breaches involving more than 500 records reported to the Department of Health and Human Services’ Office for Civil Rights. The figure rose to 327 security breaches in 2016, and 342 security breaches in 2017. More healthcare security breaches are being reported than at any other time since HIPAA required covered entities to disclose data breaches, although the number of individuals affected by healthcare data breaches has been declining year-over year for the past three years. In 2015, a particularly bad year for healthcare industry data breaches, 112,107,579 healthcare records were...

Read More
3,751 Patients’ PHI Exposed on Internet for More Than 30 Months
Mar30

3,751 Patients’ PHI Exposed on Internet for More Than 30 Months

The Arc of Erie County New York (The Arc), a provider of person-centered services to individuals with developmental disabilities, has discovered two spreadsheets containing the protected health information of 3,751 patients were accessible on the Internet without the need for authentication for more than 30 months. Between July 2015 and February 2018, the two spreadsheets could be accessed over the Internet by unauthorized individuals as a result of a coding error on the website. The coding error saw a link included on the website that allowed the spreadsheets to be accessed. Individuals affected by the breach, many of whom are developmentally disabled, had been enrolled in certain programs offered by The Arc. The Arc spreadsheets contained sensitive information such as names, Social Security numbers and diagnosis codes. When the error was discovered in February, The Arc deactivated the link to prevent any further disclosures of PHI and contacted a computer forensics and data security firm to investigate the breach and help take corrective action to limit the harm caused to...

Read More
Data Breach Impacts Almost 14,000 Family Members of Subscribers
Mar30

Data Breach Impacts Almost 14,000 Family Members of Subscribers

The Special Agents Mutual Benefit Association (SAMBA) health plan is alerting almost 14,000 individuals about a February 2018 breach of protected health information. The breach affects eligible family members of subscribers who were covered by the Federal Employees Health Benefits Plan in 2017. It is an Internal Revenue Service (IRS) requirement for SAMBA to mail a copy of Form 1095-B to all plan subscribers each tax year. The form supports plan members’ and covered family members’ compliance with the Affordable Care Act’s individual mandate. The forms for the 2017 tax year were mailed on or soon after February 19, 2018; however, a programming error resulted in the forms being populated with information relating to other subscribers’ family members. Instead of detailing the subscribers’ family members covered by their health plan, the forms included the names and Social Security numbers of other subscribers’ family members and the dates of health insurance coverage in 2017.  The forms were also incorrectly dated 2016. SAMBA notes that no subscribers’ Social Security numbers were...

Read More
Server Misconfiguration Results in the Exposure of 42,000 Patients’ PHI
Mar28

Server Misconfiguration Results in the Exposure of 42,000 Patients’ PHI

Tens of thousands of patients of a New York medical practice have had their protected health information exposed online due to a misconfigured server. It is currently unclear if anyone other than the security researcher who discovered the problem has accessed the data. The server misconfiguration was identified on January 25, 2018 by Chris Vickery, director of cyber risk research at Upguard. In a March 26 blog post Vickery explained that he identified an exposed port typically used for remote synchronization (rsync). While access should have been limited to specific whitelisted IP addresses, the port was misconfigured and allowed anyone to access the data. All that was required to access the server was its IP address. Vickery identified two sections in the repository, one of which – named backupwscohen – was publicly accessible and contained several files that included highly sensitive information. A virtual hard drive was also accessible that was discovered to contain staff details, including spouse information, children’s names, and in some cases, Social Security numbers. An...

Read More
Research Suggests Healthcare Data Breaches Cause 2,100 Deaths a Year
Mar27

Research Suggests Healthcare Data Breaches Cause 2,100 Deaths a Year

A researcher at Vanderbilt University has conducted a study that suggests mortality rates at hospitals increase following a data breach as a result of a drop in the standard of care. The researcher estimates healthcare data breaches may cause as many as 2,100 deaths a year in the United States. The study was conducted by Owen Graduate School of Management researcher, Dr. Sung Choi. The findings of the study were presented at a recent cyberrisk quantification conference at Philadelphia’s Drexel University LeBow College of Business. Cyberattacks can have a direct impact on patient care, which has been clearly highlighted on numerous occasions over the past 12 months. Ransomware and wiper malware attacks have crippled information systems and have forced healthcare providers to cancel appointments, while the lack of access to patient health records can cause treatment delays. Notable attacks that caused major disruption were the NotPetya wiper and WannaCry ransomware attacks last year, with the latter causing major problems for the National Health Service in the UK. Choi explained that...

Read More
Class Action Lawsuit Seeks Damages for Victims of CVS Caremark Data Breach
Mar26

Class Action Lawsuit Seeks Damages for Victims of CVS Caremark Data Breach

An alleged healthcare data breach that saw the protected health information of patients of CVS Caremark exposed has resulted in legal action against CVS, Caremark, and its mailing vendor, Fiserv. The lawsuit, which was filed in Ohio federal court on March 21, 2018, relates to an alleged privacy breach that occurred as a result of an error that affected a July/August 2017 mailing sent to approximately 6,000 patients. In July 2017, CVS Caremark was contracted to operate as the pharmacy benefits manager for the Ohio HIV Drug Assistance Program (PhDAP), and under that program, CVS Caremark provides eligible patients with HIV medications and communicates with them about prescriptions. In July/August 2017, CSV Caremark’s mailing vendor Fiserve sent letters to patients containing their membership cards and information about how they could obtain their HIV medications. In the lawsuit the complaint alleges HIV-related information was clearly visible through the plastic windows of the envelopes, allowing the information to be viewed by postal service workers, family members, and roommates....

Read More
Theft of Unencrypted Laptop Sees Pathology Lab Patients’ PHI Exposed
Mar26

Theft of Unencrypted Laptop Sees Pathology Lab Patients’ PHI Exposed

An unencrypted laptop computer issued to an employee of Clinical Pathology Laboratories Southeast, Inc., (CPLSE) has been stolen, exposing the protected health information of certain patients and their payment guarantors. Prompt action was taken by CPLSE to prevent the laptop from being used to connect to its network and the theft was reported to law enforcement; however, it is possible that the protected health information stored on the laptop could have been viewed by unauthorized individuals. An internal investigation was conducted to determine the types of information stored on the device which indicated the following PHI elements were potentially exposed: Names, addresses, driver’s license numbers, Social Security numbers, government ID numbers, medical record numbers, and medical treatment information. Patients have now been notified of the breach and advised of the steps they can take to protect themselves against misuse of their data. Complimentary credit monitoring and identity theft protection services have been offered to affected individuals. Steps have also been taken...

Read More
ATI Physical Therapy Data Breach Impacts 35,000 Patients
Mar22

ATI Physical Therapy Data Breach Impacts 35,000 Patients

ATI Physical Therapy has discovered the protected health information of more than 35,000 patients has potentially been compromised when threat actors gained access to the email accounts of some of its employees. A security breach was identified on January 18, 2018 when ATI Physical Therapy discovered the direct deposit information of some of its employees had been changed in its payroll platform. Prompt action was taken to protect its employees and external forensic investigators were called in to determine the full extent and scope of the breach. The investigation revealed the email accounts of certain employees had been compromised and were accessed by unauthorized individuals between January 9 and January 12, 2018. An analysis of the emails in the accounts revealed they contained the protected health information of tens of thousands of patients. The types of information potentially compromised varied per impacted individual, but may have included names, dates of birth, credit/debit card numbers, driver’s license numbers, state ID numbers, Social Security numbers,...

Read More
Insider Data Breaches Continue to Plague the Healthcare Industry
Mar21

Insider Data Breaches Continue to Plague the Healthcare Industry

Protenus has published its February Healthcare Breach Barometer Report. The report includes healthcare data breaches reported to the Department of Health and Human Services’ Office for Civil Rights or disclosed to the media in February 2018. The report, compiled from data collected from databreaches.net, indicates at least 348,889 healthcare records were confirmed as breached in February, although that figure will be considerably higher as the number of people affected by 11 breaches is not yet known. There were 39 security breaches involving protected health information in February – a slight rise from the 37 breaches reported in January, although the number of records exposed was down from January’s total of 473,807 records. Insider breaches continue to pose problems for healthcare providers with 16/39 incidents (41%) involving insiders. Those incidents resulted in the exposure/theft of 51% of all records confirmed as having been exposed or stolen in February. Protenus notes that 94% of insider breaches were the result of errors by healthcare employees, with only one confirmed...

Read More
Ransomware Attack on Finger Lakes Health Cripples Computers
Mar21

Ransomware Attack on Finger Lakes Health Cripples Computers

Geneva, NY-based Finger Lakes Health has experienced a ransomware attack that has crippled its computer system. Staff have been forced to work on pen and paper while the health system attempts to remove the malware and restore access to electronic data. The ransomware attack on the health system started at around midnight on Sunday March 18, 2018, with staff becoming aware of the attack when a ransom demand was issued by the attackers. Finger Lakes Health operates Geneva General Hospital and Soldiers & Sailors Memorial Hospital in Pen Yan and several specialty care practices, primary care physician practices, long-term health facilities, and day care centers in upstate New York. It is unclear exactly how many facilities have been impacted by the ransomware attack. Finger Lakes Health has developed emergency procedures for attack scenarios such as this, which were immediately implemented when the attack was discovered. On March 20, the health system issued a statement to local media channels about the attack explaining that while some of its information systems were...

Read More
RoxSan Pharmacy Notifies 1,049 Patients About 2015 Email Breach
Mar20

RoxSan Pharmacy Notifies 1,049 Patients About 2015 Email Breach

Beverly Hills, CA-based RoxSan Pharmacy has notified 1,049 patients that some of their protected health information has been disclosed to a business associate via unencrypted email. The notification letters were mailed to affected individuals last month, although the incident occurred on January 20, 2015. In a recent press release, RoxSan explained that affected individuals are being notified in “as timely a manner as possible”. The delay in issuing notifications was due to “the protected nature of the forensic investigation”. It is unclear when RoxSan Pharmacy became aware of the error. The protected health information was included in a data file that was sent to a single individual – A business associate of the pharmacy – who worked in the legal field. That individual had signed a business associate agreement with the pharmacy and was aware of the responsibilities of HIPAA with respect to patients’ PHI. However, the PHI was exposed as the data file was sent via unencrypted email. The data file only contained a limited amount of protected health information and did not...

Read More
Healthcare Data Breach Statistics
Mar20

Healthcare Data Breach Statistics

We have compiled healthcare data breach statistics from October 2009 when the Department of Health and Human Services’ Office for Civil Rights first started publishing summaries of healthcare data breaches on its website. The healthcare data breach statistics below only include data breaches of 500 or more records as smaller breaches are not published by OCR. The breaches include closed cases and breaches still being investigated by OCR. Our healthcare data breach statistics clearly show there has been an upward trend in data breaches over the past 9 years, with 2017 seeing more data breaches reported than any other year since records first started being published. There have also been notable changes over the years in the main causes of breaches. The loss/theft of healthcare records and electronic protected health information dominated the breach reports between 2009 and 2015, although better policies and procedures and the use of encryption has helped reduce these easily preventable breaches. Our healthcare data breach statistics show the main causes of healthcare data breaches...

Read More
Analysis of February 2018 Healthcare Data Breaches
Mar19

Analysis of February 2018 Healthcare Data Breaches

Our February 2018 healthcare data breach report details the major data breaches reported by healthcare providers, health plans, and business associates in February 2018. Summary of February 2018 Healthcare Data Breaches February may have been a shorter month, but there was an increase in the number of healthcare data breaches reported to the Department of Health and Human Services’ Office for Civil Rights. In February, HIPAA covered entities and business associates reported 25 breaches – a 19% month on month increase in breaches. While there was a higher breach tally this month, the number of healthcare records exposed as a result of healthcare data breaches fell by more than 100,000. In January 428,643 healthcare records were exposed. February 2018 healthcare data breaches saw 308,780 healthcare records exposed. Largest Healthcare Data Breaches of February 2018 The largest healthcare data breaches reported to the Office for Civil Rights in February are listed below. Covered Entity Covered Entity Type Individuals Affected Type of Breach Location of PHI St. Peter’s Surgery...

Read More
Multiple Email Accounts Compromised at Primary Health Care
Mar18

Multiple Email Accounts Compromised at Primary Health Care

Primary Health Care Inc., a non-profit network of community health centers in Des Moines, Marshalltown and Ames, IA, has discovered malicious actors have gained access to the email accounts of four employees and have potentially viewed or obtained patients’ protected health information. Primary Health Care issued a press release and uploaded a substitute breach notice to its website on March 16, 2018 explaining the breach occurred on February 28, 2017. The breach was detected the following day on March 1, 2017. Primary Health Care is in the process of notifying affected patients and will be reporting the incident to the Department of Health and Human Services’ Office for Civil Rights. No explanation is provided as to why the breach took a year to report. Primary Health Care responded quickly to the breach and terminated access to the compromised email accounts and hired a third-party computer forensics expert to conduct an investigation into the attack. The investigation revealed access to four email accounts and their associated Google Drives was gained by the attacker(s),...

Read More
Almost 10,000 Individuals Notified of Improper PHI Disposal Incident by ShopRite
Mar15

Almost 10,000 Individuals Notified of Improper PHI Disposal Incident by ShopRite

A ShopRite pharmacy in Millville, New Jersey has discovered an electronic device used to capture the signatures of customers has been disposed of without first wiping the device of all stored protected health information. A limited amount of protected health information was stored on the device, which included patients’ names, dates of birth, phone numbers, zip codes, prescription numbers, medication names, signatures, date and time of collection/delivery, and in some cases, details of over-the-counter medications containing pseudoephedrine (PSE). The device was used by customers to acknowledge the store’s privacy policy and payment for prescriptions by insurance carriers. Information was also collected on sales of products containing PSE to meet legal requirements. Individuals affected by the incident had collected prescriptions or purchased PSE products between 2007 and 2013. The device was disposed of in June 2016. The improper disposal of the device is not understood to have resulted in PHI being compromised and no reports of PHI access or misuse have been received by ShopRite,...

Read More
QuadMed Discovers PHI of More than 9,850 Patients Was Impermissibly Disclosed to Employees
Mar14

QuadMed Discovers PHI of More than 9,850 Patients Was Impermissibly Disclosed to Employees

QuadMed, a Wisconsin-based provider of medical, laboratory, pharmacy, fitness, and physical therapy services, has discovered the protected health information of 9,854 patients has potentially been impermissibly disclosed to certain employees. In November 2013, QuadMed took over an onsite clinic at Hillenbrand Inc. Occupational health information of employees of the Batesville, IN-based manufacturer was maintained in an electronic medical record system and access to the system was shared with QuadMed. Certain QuadMed employees required access to the data for the administration of occupational health matters. Take overs of clinics at WI-based Stoughton Trailers and Whirlpool Corporation’s Clyde, OH plant also saw occupational health-related information in EMRs shared with the firm and made accessible to some of its employees. On December 26, 2017, QuadMed discovered a technical issue affected the PHI stored in the EMRs used at the Hillenbrand and Stoughton Trailers clinics which allowed its employees to access more than the minimum necessary amount of PHI than was permissible....

Read More
PHI of 33,420 BJC Healthcare Patients Exposed on Internet for 8 Months
Mar13

PHI of 33,420 BJC Healthcare Patients Exposed on Internet for 8 Months

The protected health information of 33,420 patients of BJC Healthcare has been accessible on the Internet for eight months without any need for authentication to view the information. BJC Healthcare is one of the largest not-for profit healthcare systems in the United States. The St. Louis-based healthcare organization runs two nationally recognized hospitals in Missouri – Barnes-Jewish Hospital and St. Louis Children’s Hospital along with 13 others. The health system employs more than 31,000 individuals, has over 154,000 hospital admissions and performs more than 175,000 home health visits a year. On January 23, 2018, BJC Healthcare performed a security scan which revealed one of its servers had been misconfigured which allowed sensitive information to be accessed without authentication. Action was immediately taken to reconfigure and secure the server to prevent data from being accessed. The investigation revealed an error had been made configuring the server on May 9, 2017, leaving documents and copies of identification documents accessible. Highly sensitive...

Read More
HIMSS Survey Reveals Top Healthcare Security Threats
Mar09

HIMSS Survey Reveals Top Healthcare Security Threats

HIMSS has published the results of its annual healthcare cybersecurity survey, which provides insights into the state of cybersecurity in healthcare and identifies the top healthcare security threats. The HIMSS 2018 cybersecurity survey was conducted on 239 respondents from the healthcare industry between December 2017 and January 2018. The results of the survey were announced at the HIMSS 2018 Conference & Exhibition in Las Vegas. 36.8% of respondents had positions in executive management and 37.2% were employed in non-executive management positions. The remaining 25.9% were in non-management positions such as cybersecurity specialists and analysts. 41.2% of respondents were primarily responsible for cybersecurity, 32.6% had some responsibility, and 11.8% sometimes had responsibility for cybersecurity. Most Healthcare Organizations Have Experienced a Significant Security Incident in the Past 12 Months The threat of healthcare cyberattacks is greater than ever and the past 12 months has been a torrid year. In the past 12 months, 75.7% of respondents said they had experienced a...

Read More
Alabama Data Breach Notification Act Passed by State Senate
Mar08

Alabama Data Breach Notification Act Passed by State Senate

The Alabama Data Breach Notification Act (Senate Bill 318) has advanced for consideration by the House of Representatives after being unanimously passed by the Alabama Senate last week. Alabama is one of two states that has yet to introduce legislation that requires companies to issue notifications to individuals whose personal information is exposed in data breaches. The other state – South Dakota – is also considering introducing similar legislation to protect state residents. The Alabama Data Breach Notification Act, proposed by Sen. Arthur Orr (R-Decatur), requires companies doing business in the state of Alabama to issue notifications to state residents when their sensitive personal information has been exposed and it is reasonably likely to result in breach victims coming to substantial harm. Entities that would be required to comply with the Alabama Data Breach Notification Act are persons, sole proprietorships, partnerships, government entities, corporations, non-profits, trusts, estates, cooperative associations, and other business entities that acquire or use sensitive...

Read More
EmblemHealth Fined $575,000 by NY Attorney General for HIPAA Breach
Mar07

EmblemHealth Fined $575,000 by NY Attorney General for HIPAA Breach

A 2016 mailing error by EmblemHealth that saw the Health Insurance Claim Numbers of 81,122 plan members printed on the outside of envelopes has resulted in a $575,000 settlement with the New York Attorney General. While all mailings include a unique patient identifier on the envelope, in this case the potential for harm was considerable as Health Insurance Claim numbers are formed using the Social Security numbers of plan members. Announcing the settlement, New York Attorney General Eric T. Schneiderman explained that Health Insurance Portability and Accountability Act (HIPAA) Rules require HIPAA covered entities to implement administrative, physical, and technical safeguards to ensure the confidentiality of patients’ and plan members’ protected health information. The error that saw Social Security numbers exposed violated HIPAA Rules. EmblemHealth failed to comply with “many standards and procedural specifications” required by HIPAA. Attorney General Schneiderman also said that printing Social Security numbers on the outside of envelopes violated New York General Business Law §...

Read More
16,000 Individuals Impacted by Two Email-Related Breaches
Mar06

16,000 Individuals Impacted by Two Email-Related Breaches

Two email-related data breaches have been reported that have resulted in the disclosure of the protected health information of more than 16,000 individuals. Flexible Benefit Service Corporation Breach Impacts 5,123 Individuals Flexible Benefit Service Corporation (Flex), a Chicago-Il-based general agency and benefit administrator serving health insurance carriers, has announced the discovery of a phishing attack that resulted in an unauthorized individual gaining access to a corporate email account. The security breach was detected on December 6, 2017 when an email account of a company employee was discovered to be sending phishing emails. The email account was compromised after a single employee responded to a phishing email and disclosed login credentials to the email account. A third-party forensics firm was contracted to conduct an investigation into the breach and ascertain the extent of the attacker’s activities. The investigation highlighted the likely intentions of the attacker. Once access to the email account was gained, the attacker performed searches looking for details...

Read More
How to Report a HIPAA Violation Anonymously
Mar06

How to Report a HIPAA Violation Anonymously

In this post we explain how to report a HIPAA violation anonymously if you feel your (or someone else’s) privacy has been violated of if HIPAA Rules are not being followed in your organization. When Can an Alleged HIPAA Violation be Reported? Most healthcare organizations go to great lengths to ensure they are in compliance with HIPAA Rules, but occasionally HIPAA regulations are violated by management or employees. In such cases, a complaint can be lodged with the Department of Health and Human Services’ Office for Civil Rights (OCR) – the main enforcer of HIPAA Rules. However, complaints will only result in action being taken if the complaint is submitted within 180 days of the date of discovery that HIPAA Rules were violated. In limited cases, when there is ‘good cause’ that it was not possible to file a complaint within 180 days, an extension may be granted. Note that OCR cannot investigate any alleged violation of the HIPAA Privacy Rule that occurred before April 14, 2003 or Security Rule violations that occurred before April 20, 2005 because compliance with those...

Read More
New York Surgery & Endoscopy Center Discovers 135,000-Record Data Breach
Mar05

New York Surgery & Endoscopy Center Discovers 135,000-Record Data Breach

A malware infection at St. Peter’s Surgery & Endoscopy Center in New York has potentially allowed hackers to gain access to the medical records of almost 135,000 patients. This is the second largest healthcare data breach of 2018, the largest to hit New York state since the 3,466,120-record data breach at Newkirk Products, Inc. in August 2016, and the fifth largest healthcare data breach in New York since the Department of Health and Human Services’ Office for Civil Rights started publishing data breach summaries in October 2009. The data breach at St. Peter’s Surgery & Endoscopy Center was discovered on January 8, 2018: The same day as hackers gained access to its server. The rapid detection of the malware limited the time the hackers had access to the server and potentially prevented patients’ data from being viewed or copied. However, while no evidence of data access or data theft was discovered, it was not possible to rule either out with a high degree of certainty. In its substitute branch notice, St. Peter’s Surgery & Endoscopy Center says the servers it uses...

Read More
Window Envelope Privacy Breach Exposes ID Numbers of 70,320 Tufts Health Plan Members
Mar02

Window Envelope Privacy Breach Exposes ID Numbers of 70,320 Tufts Health Plan Members

Tufts Health Plan is alerting 70,320 of its members that their health plan member ID numbers have been exposed. A mailing vendor used by Tufts Health Plan sent Tufts Medicare Preferred ID cards to Medicare Advantage members between December 11, 2017 and January 2, 2018. Window envelopes were used which naturally allowed plan members’ names and addresses to be seen, but Tufts Health Plan member IDs were also visible through the plastic windows of the envelopes. The mailing error was discovered by Tufts Health Plan on January 18. Tufts Health Plan notes that its member IDs are not comprised of Social Security numbers or Medicare numbers, but potentially the member ID numbers could be misused by individuals to receive services covered by the health plan. Legal experts were consulted about the breach to assess the potential risk to plan members. The risk of misuse of the numbers is believed to be very low as the only individuals likely to see the member IDs would be employees of the postal service. Plan members have been told that in the unlikely event that their member IDs are misused...

Read More
Hacking Responsible for 83% of Breached Healthcare Records in January
Mar01

Hacking Responsible for 83% of Breached Healthcare Records in January

The latest installment of the Protenus Healthcare Breach Barometer report has been released. Protenus reports that overall, at least 473,807 patient records were exposed or stolen in January, although the number of individuals affected by 11 of the 37 breaches is not yet known. The actual total is likely to be considerably higher, possibly taking the final total to more than half a million records. The report shows insiders are continuing to cause problems for healthcare organizations. Insiders were the single biggest cause of healthcare data breaches in January. Out of the 37 healthcare data breaches reported in January 12 were attributed to insiders – 32% of all data breaches. While insiders were the main cause of breaches, the incidents affected a relatively low number of individuals – just 1% of all records breached. Insiders exposed 6,805 patient records, although figures could only be obtained for 8 of the 12 breaches. 7 incidents were attributed to insider error and five were due to insider wrongdoing. Protenus has drawn attention to one particular insider breach. A nurse...

Read More
Ransomware Attack Impacts 6,550 Jemison Internal Medicine Patients
Feb28

Ransomware Attack Impacts 6,550 Jemison Internal Medicine Patients

On December 20, 2017, a ransomware attack on Jemison Internal Medicine of Alabama resulted in electronic health records being encrypted, preventing the healthcare provider from gaining access to patient data. A ransom demand was issued for the keys to unlock the encryption although no payment was made to the attacker. Jemison Internal Medicine had viable backups of electronic protected health information and restored data after reinstalling the operating system on affected computers. An analysis of its system post-data restoration revealed no traces of the malicious software remained. While ransomware attacks are often indiscriminate and occur as a result of employees responding to phishing emails, this attack was more targeted. The investigation into the security breach revealed an unauthorized individual had gained access to Jemison Internal Medicine’s computer system and had access for a period of approximately 3 months. The investigation did not uncover any evidence to suggest the EMR system was accessed by the attacker, although it was not possible to rule out data access with...

Read More
Medical University of South Carolina’s Hard Line on HIPAA Violations Sees 13 Fired in a Year
Feb27

Medical University of South Carolina’s Hard Line on HIPAA Violations Sees 13 Fired in a Year

According to a recent report in the Post and Courier, the Medical University of South Carolina (MUSC) terminated 13 employees last year for violating HIPAA Rules by snooping on patient records. In total, there were 58 privacy violations in 2017 at MUSC, all of which have been reported to the Department of Health and Human Services’ Office for Civil Rights. All of the breaches affected only small numbers of patients. Out of the 58 breaches, 11 incidents were categorized as snooping on medical records. Other breaches were unauthorized disclosures such as when the health information of a patient is accidentally sent or faxed to the wrong person. Over the past five years, there have been 307 breaches detected at MUSC, resulting in 30 members of non-physician staff being fired. None of the breaches have been listed on the OCR breach portal, which only shows breaches impacting 500 or more individuals. Under HIPAA Rules, all PHI breaches must be reported, although it is only large breaches of more than 500 records that are made public and are detailed on the breach portal. The revelations...

Read More