Our HIPAA breach news section covers HIPAA breaches such as unauthorized disclosures of protected health information (PHI), improper disposal of PHI, unauthorized PHI access by cybercriminals and rogue healthcare employees, and other security and privacy breaches.

When known, we explain how the breach occurred, the consequences to patients that may have had their PHI compromised, and the actions being taken by the affected healthcare organization to improve safeguards to prevent further HIPAA breaches.

We also explain any actions being taken by the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) and state attorneys general in relation to those breaches.

OCR investigates all data breaches that impact more than 500 individuals to determine whether any HIPAA violations have occurred. When HIPAA Rules are discovered to have been violated, financial penalties may be deemed appropriate. It can take many months or years before any financial penalties for HIPAA breaches are decided. Financial penalties for HIPAA violations tend to be reserved for the most serious breaches of HIPAA Rules. OCR prefers to resolve cases with voluntary compliance and by issuing recommendations to bring policies in line with HIPAA Rules.

The HIPAA breach news section is particularly relevant to healthcare information security professionals, privacy officers, and other individuals who have some responsibility for HIPAA compliance.

The HIPAA breach news reports highlight common areas of non-compliance and new attack vectors used by cybercriminals to gain access to healthcare networks and PHI, the security failings that allowed them to happen, and the measures that have been implemented to prevent them from happening again.

No healthcare organization wants to experience a data breach, but when a breach does occur, lessons can be learned. HIPAA-covered entities can use these breach examples to help train their staff as well as to discover some of the methods other covered entities have adopted to improve data security.

As you will be able to see from the volume of posts in the HIPAA breach news category, healthcare data breaches occur frequently. In 2016 and 2017, healthcare data breaches have been reported on an almost daily basis.

Our HIPAA breach news section is an important source of information about potential security issues that covered entities should be identifying when conducting their own risk assessments. Many of the situations in our HIPAA breach news posts could have been avoided if a risk assessment had identified a vulnerability that was later exploited to gain access to PHI.

The main purpose for adding HIPAA breach news to this website is to highlight specific aspects of HIPAA compliance that are commonly overlooked, often with serious consequences for the covered entity and patients/health plan members.

By raising awareness of the volume of healthcare data breaches, the implications of those breaches, and the penalties that can result, it is hoped that healthcare providers will take decisive action to prevent their patients’ and members’ data from being exposed.

The most recent healthcare data breach reports are listed below. If you want to find out if a specific covered entity has experienced a data breach, please use the search function in the top right hand corner of this webpage.

Patients Notified of White and Bright Family Dental Server Hack
Feb22

Patients Notified of White and Bright Family Dental Server Hack

Fresno, CA-based White and Bright Family Dental has discovered one of its servers containing patients’ protected health information has been accessed by hackers. Access to the server was gained by the attackers on January 30, 2018. The Fresno Police Department was immediately notified of the incident “so that identification and prosecution of those involved could begin.” That investigation, along with the internal White and Bright Family Dental investigations, are continuing. The dental practice is also in the process of augmenting its security protections to prevent further incidents of this nature from occurring. While HIPAA covered entities have up to 60 days following the discovery of a breach to issue notifications to patients and the Department of Health and Human Services, White and Bright Family Dental acted quickly and sent notifications in the shortest possible time frame to allow victims to take steps to protect their identities. Letters were sent to patients on February 16 and the state attorney general’s office was notified of the breach on February 19. White and...

Read More
1,900 UVA Patients’ PHI Accessed by Hacker Behind FruitFly Malware
Feb22

1,900 UVA Patients’ PHI Accessed by Hacker Behind FruitFly Malware

Almost 1,900 patients of University of Virginia Health System are being notified that an unauthorized individual has gained access to their medical records as a result of a malware infection. The malware had been loaded onto the devices used by a physician at UVa Medical Center. When medical records were accessed by the physician, the malware allowed the hacker to view the data in real time. The malware was first loaded onto the physician’s electronic devices on May 3, 2015, with access possible until December 27, 2016. Over those 19 months, the hacker was able to view the medical records of 1,882 patients. The types of information seen by the hacker included names, addresses, dates of birth, diagnoses, and treatment information, according to a UVa spokesperson. Financial information and Social Security numbers were not exposed as they were not accessible by the physician. Access to the protected health information of its patients stopped in late 2016, although UVa did not discover the breach for almost a year. UVa was notified of the security breach by the FBI on December 23,...

Read More
Sutter Health Notifies Patients of Business Associate Phishing Incident
Feb20

Sutter Health Notifies Patients of Business Associate Phishing Incident

Sutter Health is notifying certain patients that some of their protected health information has been exposed following a phishing attack on one of its business associates – the legal firm Salem and Green. On or around October 11, 2017, a phishing email was received by a staff member at Salem and Green, the response to which gave the attackers access to that individual’s email account. Upon discovery of the attack, a forensics firm was contracted to perform an analysis of the affected computer and network to determine the extent of the attack and whether any sensitive information had been obtained. The investigation revealed the security breach was limited to a single email account and that access to the account was only possible for two days. During the time that the email account was accessible, the attacker had access to all emails in the account, some of which contained the protected health information of certain Sutter Health patients. The types of information potentially accessed by the attacker was limited to names, dates of birth, driver’s license numbers, Social Security...

Read More
AJMC Study Reveals Common Characteristics of Hospital Data Breaches
Feb20

AJMC Study Reveals Common Characteristics of Hospital Data Breaches

The American Journal of Managed Care has published a study of hospital data breaches in the United States. The aim of the study was to identify common characteristics of hospital data breaches, what the biggest problem areas are, the main causes of security incidents and the types of information most at risk. The study revealed hospitals are the most commonly breached type of healthcare provider, accounting for approximately 30% of all large healthcare security incidents reported to the Department of Health and Human Services’ Office for Civil Rights by providers between 2009 and 2016. Over that 7-year time period there were 215 breaches reported by 185 nonfederal acute care hospitals and 30 hospitals experienced multiple breaches of 500 or more healthcare records. One hospital experienced 4 separate breaches in the past 7 years, five hospitals had 3 breaches, and 24 hospitals experienced 2 breaches. In addition to hospitals experiencing the highest percentage of security breaches, those breaches also resulted in the theft/exposure of the highest number of health records. While...

Read More
Another Major Triple-S Advantage Data Breach Has Occurred: 36,000 Affected
Feb15

Another Major Triple-S Advantage Data Breach Has Occurred: 36,000 Affected

The Puerto Rico Health Plan Triple-S Advantage has experienced a privacy breach that has impacted 36,000 plan members. The breach was the result of a mailing error which saw sensitive information of plan members disclosed to incorrect individuals. The protected health information exposed as a result of the mailing was limited and did not include Social Security numbers or financial information; however, plan members’ ID numbers were impermissibly disclosed along with names, dates of service, and treatment codes. The mailing error occurred in November but was not discovered by Triple-S until December 5, 2017. An extensive investigation was launched to determine how the error occurred and action has now been taken to ensure that similar errors do not occur in future mailings to plan members and healthcare providers. Triple-S said in its substitute breach notice that its mailing processes have been changed and that those processes have now been tested. Another mailing run has been conducted and copies of the original letters have now been sent to the correct addresses. Affected plan...

Read More
January 2018 Healthcare Data Breach Report
Feb14

January 2018 Healthcare Data Breach Report

Our January 2018 Healthcare Data Breach Report details the healthcare security incidents reported to the Department of Health and Human Services’ Office for Civil Rights in January 2018. There were 21 security breaches reported to OCR in January which is a considerable improvement on the 39 incidents reported in December 2017. Last month saw 428,643 healthcare records exposed. While there was a 46.15% drop in the number of healthcare data breaches reported in January month over month, 87,022 more records were exposed or stolen than in December. January was the third consecutive month where the number of breached records increased month over month. The mean breach size in January was 20,412 records – very similar to the mean breach size in December 2017 (20,487 records). However, the high mean value was due to a particularly large breach of 279,865 records reported by Oklahoma State University Center for Health Sciences. In January, the healthcare data breaches reported were far less severe than in December. In January the median breach size was 1,500 records. In December it was...

Read More
Coastal Cape Fear Eye Associates Ransomware Attack Impacts 925 Patients
Feb14

Coastal Cape Fear Eye Associates Ransomware Attack Impacts 925 Patients

A Coastal Cape Fear Eye Associates ransomware attack has seen the protected health information of 925 patients compromised. North Carolina’s Coastal Cape Fear Eye Associates, P.A., discovered its systems had been breached on December 5. 2017. Upon discovery of the ransomware attack, Coastal Cape Fear Eye Associates brought in external IT professionals to contain the attack and remove the ransomware. The IT consultants were able to limit the harm caused and the malware was removed, although some files remained locked and inaccessible for some time. According to a substitute breach notice uploaded to the healthcare provider’s website on February 1, 2018, the delay in issuing notifications to affected patients was because it was not possible to access certain files to determine what information was involved and which patients were affected. Coastal Cape Fear Eye Associates has only recently been able to access all encrypted files. Under HIPAA Rules, healthcare organizations are required to report ransomware attacks unless the attacked entity establishes there was a low probability of...

Read More
$100,000 Settlement Shows HIPAA Obligations Don’t End When a Business Closes
Feb14

$100,000 Settlement Shows HIPAA Obligations Don’t End When a Business Closes

HIPAA covered entities and their business associates must abide by HIPAA Rules, yet when businesses close the HIPAA obligations do not end. The HHS’ Office for Civil Rights (OCR) has made this clear with a $100,000 penalty for FileFax Inc., for violations that occurred after the business had ceased trading. FileFax is a Northbrook, IL-based firm that offers medical record storage, maintenance, and delivery services for HIPAA covered entities. The firm ceased trading during the course of OCRs investigation into potential HIPAA violations. An investigation was launched following an anonymous tip – received on February 10, 2015 – about an individual that had taken documents containing protected health information to a recycling facility and sold the paperwork. That individual was a “dumpster diver”, not an employee of FileFax. OCR determined that the woman had taken files to the recycling facility on February 6 and 9 and sold the paperwork to the recycling firm for cash. The paperwork, which included patients’ medical records, was left unsecured at the recycling facility. In...

Read More
How Many HIPAA Violations in 2017 Resulted in Financial Penalties?
Feb11

How Many HIPAA Violations in 2017 Resulted in Financial Penalties?

We are often asked about healthcare data breaches and HIPAA violations and two of the most recent questions are how many HIPAA violations in 2017 resulted in data breaches and how many HIPAA violations occurred in 2017. How Many HIPAA Violations Occurred in 2017? The problem with determining how many HIPAA violations occurred in 2017 is many violations are not reported, and out of those that are, it is only the HIPAA breaches that impact more than 500 individuals that are published by the Department of Health and Human Services’ Office for Civil Rights on its breach portal – often incorrectly referred to as the “Wall of Shame”. To call it a ‘Wall of Shame’ is not fair on healthcare organizations because the breach reports show organizations that have experienced data breaches, NOT organizations that have violated HIPAA Rules. Even organizations with multi-million-dollar cybersecurity budgets, mature security defenses, and advanced employee security awareness training programs can experience data breaches. All it takes if for a patch not to be applied immediately or an employee to...

Read More
Ron’s Pharmacy Services Notifies Patients of Email Account Breach
Feb09

Ron’s Pharmacy Services Notifies Patients of Email Account Breach

San Diego, CA-based Ron’s Pharmacy Services has discovered an email account containing limited protected health information has been compromised by an unknown individual. Suspicious activity was identified on an employee’s email account on October 3, 2017 prompting an investigation; however, it was not until December 21, 2017 that it was determined that an unauthorized individual had accessed messages in the email account containing patient information. An analysis of the emails in the account showed only a limited amount of PHI was compromised: Names, internal account numbers, and payment adjustment information, while a small number of patients also had details of their prescription medications compromised. While PHI access was confirmed, Ron’s Pharmacy is unaware of any misuse of patient information. Ron’s Pharmacy has now notified patients about the breach and reported the incident to the appropriate authorities. In its Feb 2 substitute breach notice, Ron’s Pharmacy explained that rapid action was taken to secure the account and prevent further access. Login credentials were...

Read More
Aetna Seeks At Least $20 Million in Damages from Firm Responsible for HIV Status Data Breach
Feb08

Aetna Seeks At Least $20 Million in Damages from Firm Responsible for HIV Status Data Breach

Aetna has taken legal action against an administrative support company over a July 2017 data breach that saw details of HIV medications visible through the clear plastic windows of envelopes in a mailing. Letters inside some of the envelopes had slipped, making the words ““when filling prescriptions for HIV medications” clearly visible to anyone who saw the envelopes. The privacy breach was condemned by the Legal Action Center and AIDS Law Project of Pennsylvania, who along with Berger & Montague, P.C., filed a class action lawsuit against Aetna seeking damages for breach victims. In January, Aetna settled the lawsuit for $17.16 million. Last month, Aetna also settled violations of HIPAA and state laws for $1.15 million with the New York attorney general over the same breach. The class action was only one of seven filed against the health insurer, and further fines from state attorneys general are to be expected. Several other attorneys general have opened investigations into the breach and may also determine that state laws have been violated. The costs associated with the...

Read More
24,000 Decatur County General Hospital Patients Notified About Malware-Related Data Breach
Feb08

24,000 Decatur County General Hospital Patients Notified About Malware-Related Data Breach

Decatur County General Hospital in Tennessee has discovered malware has been installed on a server housing its electronic medical record system. The attacker potentially gained access to the medical records of up to 24,000 patients. An unauthorized software installation was discovered on November 27, 2017 by the hospital’s medical record system vendor, which is also responsible for maintaining the server on which the system is installed. An investigation revealed the software was a form of malware known as a cryptocurrency miner. Crytptocurrency mining is the use of computer processors to verify cryptocurrency transactions and add them to the public ledger containing details of all transactions since the currency was created. The process of verifying transactions requires computers to solve complex computational problems. Cryptocurrency mining can be performed by anyone with a computer, and in return for solving those computational problems, the miner is rewarded with a small payment for verifying the transaction. A single computer can be used to earn a few dollars a day performing...

Read More
PHI of 842 Western Washington Medical Group Patients Exposed
Feb07

PHI of 842 Western Washington Medical Group Patients Exposed

The protected health information of 842 patients of Western Washington Medical Group was exposed in November 2017. Documents containing sensitive health information were accidentally disposed of with regular trash. On November 13, 2017, the janitorial service used by the medical group emptied shredding bins with regular trash. Instead of sensitive documents being permanently destroyed in accordance with HIPAA Rules, they were emptied into regular trash bins. Western Washington Medical Group discovered the error the following day, but too late to recover the documents as the trash had already been collected and taken to landfill sites for disposal. The breach was limited, but individuals impacted have had a range of sensitive information exposed including names, addresses, medical history forms, diagnoses, medical histories, appointment dates, and health insurance billing information. Patients impacted by the breach had previously visited WWMG Orthopedic, Sports and Spine centers for medical services. Notification letters were sent to all affected individuals by first class mail on...

Read More
Partners HealthCare Notifies 2,600 Patients About May 2017 Breach of PHI
Feb06

Partners HealthCare Notifies 2,600 Patients About May 2017 Breach of PHI

Partners HealthCare System is alerting approximately 2,600 patients that some of their protected health information has been compromised. While HIPAA covered entities have up to 60 days following the discovery of a breach to report the incident to OCR (if the breach impacts 500 or more individuals) and notify breach victims, this incident occurred and was discovered in May 2017. The delay in reporting the incident was due to difficulty identifying patient data which was mixed together with computer code. The breach was a malware incident that was discovered on May 8, 2017 when the healthcare system’s intrusion monitoring system detected suspicious activity. Prompt action was taken to block the malware and third-party forensics consultants were called in to assist with the investigation. The investigators concluded that this was not a targeted attack on Partners HealthCare, and the malware did not provide the attackers with access to its electronic medical record system. However, the investigation did reveal access to certain data was possible as a result of user activity on...

Read More
11,200 CarePlus Health Plan Members Notified of PHI Breach
Feb05

11,200 CarePlus Health Plan Members Notified of PHI Breach

A privacy incident has been experienced by Miami, FL-based CarePlus Health Plans which has seen certain plan members’ protected health information accidentally disclosed to other plan members. Explanation of benefits statements were mailed to its plan members on January 9 and January 16, 2018, although on January 17, CarePlus became aware that some of the statements had been sent to incorrect individuals. The EoB statements included names, addresses, dates of service, providers of services, the services that had been provided, CarePlus identification numbers and CarePlus health plan names. Highly sensitive information such as Social Security numbers and financial information were not detailed on the EoB statements. CarePlus has not received any reports to suggest any of the disclosed information has been misused. The mismailing incident has been investigated by CarePlus and action has been taken to prevent any similar privacy incidents from occurring in the future. CarePlus says the mismailing incident was due to a series of programming and printing errors. Breach...

Read More
Lawsuit Over HIPAA Breach by Mail Service Survives Motion to Dismiss
Feb02

Lawsuit Over HIPAA Breach by Mail Service Survives Motion to Dismiss

A mail service – Press America, Inc – used by a pharmacy benefit manager – CVS Pharmacy – is being sued over an accidental disclosure of 41 individuals’ protected health information. CVS Pharmacy is a business associate of a health plan and is contracted to provide a mail-order pharmacy service for the health plan. The mail service is a subcontractor of CVS Pharmacy, and both entities are bound by HIPAA Rules. CVS Pharmacy signed a business associate agreement with the health plan, and Press America did likewise with CVS Pharmacy as PHI was required in order to perform the mailings. CVS Pharmacy alleges the HIPAA Privacy Rule was violated by Press America when it inadvertently disclosed PHI to unauthorized individuals due to a mismailing incident. The disclosure of some plan members’ PHI was accidental, but the privacy breach violated a performance standard in the CVS Pharmacy’s contract with the health plan. By violating the performance standard, the CVS Pharmacy was required to pay the health plan $1.8 million. A lawsuit was filed by the CVS Pharmacy seeking...

Read More
Phishing Attack on Business Associate Exposes Forrest General Hospital Patients’ PHI
Feb02

Phishing Attack on Business Associate Exposes Forrest General Hospital Patients’ PHI

The management consulting company HORNE LLP, a business associate of Forrest Health’s Forrest General Hospital, is notifying certain hospital patients that some of their protected health information (PHI) has potentially been obtained by a third party after access was gained to the email account of one of its employees. HORNE provides certain Medicare reimbursement services to Forrest General Hospital and as such, requires access to patients’ PHI. HORNE became aware of an email account breach on November 1, 2017 when it discovered the email account of an employee was being used to send phishing emails. The discovery prompted the shut down of the email account and an investigation into a potential breach was launched. That investigation revealed an unauthorized individual had gained access to the employee’s email account the previous day as a result of the employee responding to a phishing email. The phishing attack was investigated by a third-party investigator to determine the nature and extent of the breach and whether the PHI of any patients had been exposed. The investigation...

Read More
PHI of 660 Eastern Maine Medical Center Patients Exposed
Feb02

PHI of 660 Eastern Maine Medical Center Patients Exposed

Eastern Maine Medical Center is notifying 660 patients that some of their protected health information has been exposed. The sensitive information was stored on a portable hard drive that has gone missing from its State Street facility, in Bangor, ME. The device lacked encryption and data on the device could be accessed without the need for a password. Theft has not been confirmed, but the device could not be located during a search of its facility. The drive was last seen in its usual place on December 19, 2017 and was noticed to be missing on December 22. The device belonged to a business associate of Eastern Maine Medical Center and contained limited patient information. No Social Security numbers, financial information, or health insurance details were present on the device, only full names, birth dates, dates of service, medical record numbers, one-word condition descriptors, and procedural images. The patients impacted by the breach had visited the medical center for cardiac ablation procedures between January 3, 2011 and December 11, 2017. Not all patients who visited the...

Read More
Massachusetts Online Breach Reporting Tool Launched: Data Breaches Soon to Be Publicly Listed
Feb02

Massachusetts Online Breach Reporting Tool Launched: Data Breaches Soon to Be Publicly Listed

Massachusetts Attorney General Maura Healey has announced the launch of a new online data breach reporting tool. The aim is to make it as easy as possible for breached entities to submit breach notifications to the Attorney General’s office. Under Massachusetts data breach notification law (M.G.L. c. 93H), organizations experiencing a breach of personal information must submit a notification to the Massachusetts attorney general’s office as soon as it is practicable to do so and without unnecessary delay. Breaches must also be reported to the Director of the Office of Consumer Affairs and Business Regulation (OCABR) and notifications must be issued to affected individuals. “Data breaches are damaging, costly and put Massachusetts residents at risk of identity theft and financial fraud – so it’s vital that businesses come forward quickly after a breach to inform consumers and law enforcement,” said Healey. “This new feature allows businesses to more efficiently report data breaches so we can take action and share information with the public.” Regarding the latter, the Mass. Attorney...

Read More
Class Action Lawsuit against Allscripts Filed following Ransomware Attack
Jan31

Class Action Lawsuit against Allscripts Filed following Ransomware Attack

Last week, a ransomware attack against the EHR vendor Allscripts resulted in thousands of healthcare providers being unable to access patient data or use the e-prescription service. Already, a class action lawsuit against Allscripts has been filed by Florida-based Surfside Non-Surgical Orthopedics. Allscripts provides EHR and e-prescription services to 2,500 hospitals and 19,000 post-acute care organizations. Last week, a new variant of SamSam ransomware infected the company´s data centers in Raleigh and Charlotte, NC, leaving several application offline for up to 1,500 clients. Microsoft and Cisco incident response teams helped the company restore its e-prescribing service by Saturday; but, for many clients, the Allscripts PRO EHR system is still unavailable or experiencing outages. An Allscripts spokesperson has been unable to confirm when a full restore will be completed. The Class Action Lawsuit against AllScripts The class action lawsuit against Allscripts was filed in the United States District Court for the Northern District of Illinois where the company is based. It alleges...

Read More
Malware Causes 5,200-Record Data Breach at DC Assisted Living Facility
Jan26

Malware Causes 5,200-Record Data Breach at DC Assisted Living Facility

A malware infection at Westminster Ingleside King Farm Presbyterian Retirement Communities has potentially enabled the attackers to gain access to the protected health information of thousands of its residents. The Washington D.C., based assisted living facility had implemented a wide range of security solutions to prevent unauthorized access to its systems, although in this instance they were unable to block the attack. The malware was discovered on November 21, 2017, with rapid action taken to identify all instances of the malware on its network and remove the malicious code to prevent further access. While the malware was successfully removed, assistance was sought from third party experts to determine how the attackers had managed to bypass its security defenses, and whether access to the protected health information of its residents had been gained. The investigation into the breach highlighted a number of areas where security could be improved to further protect its systems from attack. Ingleside has now implemented a new firewall, upgraded its antimalware and antivirus...

Read More
Aetna Agrees to Pay $1.15 Million Settlement to Resolve NY Attorney General Data Breach Case
Jan25

Aetna Agrees to Pay $1.15 Million Settlement to Resolve NY Attorney General Data Breach Case

Last July, Aetna sent a mailing to members in which details of HIV medications were clearly visible through the plastic windows of envelopes, inadvertently disclosing highly sensitive HIV information to individuals’ house mates, friends, families, and loved ones. Two months later, a similar privacy breach occurred. This time the mailing related to a research study regarding atrial fibrillation (AFib) in which the term IMACT-AFIB was visible through the window of the envelope. Anyone who saw the envelope could have deduced the intended recipient had an AFib diagnosis. The July breach triggered a class action lawsuit which was recently settled by Aetna for $17.2 million. Aetna must now also cover a $1.15 million settlement with the New York Attorney General to resolve violations of federal and state laws. Attorney General Schneiderman launched an investigation following the breach of HIV information in July, which violated the privacy of 2,460 Aetna members in New York. The September privacy breach was discovered during the course of that investigation. 163 New York Aetna members had...

Read More
Senate Attorney Judiciary Committee Advances South Dakota Data Breach Notification Bill
Jan24

Senate Attorney Judiciary Committee Advances South Dakota Data Breach Notification Bill

The Senate Attorney Judiciary Committee in South Dakota has overwhelmingly voted in favor of introducing data breach notification legislation. The bill, introduced by the Committee on Judiciary at the request of the Attorney General Marty Jackley, advanced after a 7-0 vote. Currently there are only two states in the US that have yet to introduce data breach legislation to protect state residents. With South Dakota now looking likely to introduce new protections for state residents, Alabama looks like it will be the only state lacking a data breach notification law. The Bill – South Dakota Senate Bill No. 62 – requires notifications to be issued to state residents and the Attorney General following a breach that impacts 250 or more state residents. The breach notifications would need to be issued without unnecessary delay and no later than 45 days following the discovery of a breach, unless a delay is requested by law enforcement. Breach notifications would not be required if the breached entity, along with the attorney general, determines that consumers would be unlikely to be...

Read More
Analysis of Healthcare Data Breaches in 2017
Jan24

Analysis of Healthcare Data Breaches in 2017

A summary and analysis of healthcare data breaches in 2017 has been published by Protenus. Data for the report is obtained from Databreaches.net, which tracks healthcare data breaches reported to OCR, the media, and other sources. The 2017 breach report gives an indication of the state of healthcare cybersecurity.  So how has 2017 been? There Were at Least 477 Healthcare Data Breaches in 2017 In some respects, 2017 was a good year. The super-massive data breaches of 2015 were not repeated, and even the large-scale breaches of 2016 were avoided. However, healthcare data breaches in 2017 occurred at rate of more than one per day. There were at least 477 healthcare data breaches in 2017 according to the report. While all those breaches have been reported via one source or another, details of the nature of all the breaches is not known. It is also unclear at this stage exactly how many healthcare records were exposed. Numbers have only been obtained for 407 of the breaches. There was a slight increase (6%) in reported breaches in 2017, up from 450 incidents in 2016. However, there was...

Read More
Pedes Orange County Discovers Physician Accessed and Disclosed PHI Without Authorization
Jan23

Pedes Orange County Discovers Physician Accessed and Disclosed PHI Without Authorization

Pedes Orange County Inc., a California healthcare provider specializing in treatments for vascular disease, is alerting some of its patients that a physician accessed their medical records, without authorization, and provided some of that information to an attorney. Pedes shares its facilities with another medical group, which conducts surgical procedures at the facility during the week. A scheduling tool is also shared with other physicians that use the same facility. On November 14, 2017, Pedes became aware that a physician employed by a different medical group had accessed its electronic medical records database and viewed the records of some of its patients. Pedes did not provide authorization for the EMR to be accessed. Pedes reports that the physician subsequently shared some of the information in the database with an attorney. After discovering the breach, the physician was contacted and Pedes has been working to ensure all copies of patients’ PHI that were obtained from its EMR system are securely destroyed and that no copies remain. The types of information potentially...

Read More
Analysis of Q4 2017 Healthcare Security Breaches
Jan22

Analysis of Q4 2017 Healthcare Security Breaches

Q4, 2017 saw a 13% reduction in healthcare security breaches reported to the Department of Health and Human Services’ Office for Civil Rights. There were 99 data breaches reported in Q3, 2017. In Q4, there were 86 security breaches reported. There were 27 healthcare security breaches reported in September, following by a major decline in breaches in November, when 21 incidents were reported. However, December saw a significant uptick in incidents with 38 reported breaches. Accompanied by the quarterly decline in security incidents was a marked decrease in the severity of breaches. In Q3, there were 8 data breaches reported that impacted more than 50,000 individuals. In Q4, no breaches on that scale were reported. The largest incident in Q4 impacted 47,000 individuals.  Largest Q4, 2017 Healthcare Security Breaches   Covered Entity Entity Type Number of Records Breached Cause of Breach Oklahoma Department of Human Services Health Plan 47000 Hacking/IT Incident Henry Ford Health System Healthcare Provider 43563 Theft Coplin Health Systems Healthcare Provider 43000 Theft Pulmonary...

Read More
Allscripts Ransomware Attack Impacts Cloud EHR and EPCS Services
Jan22

Allscripts Ransomware Attack Impacts Cloud EHR and EPCS Services

An Allscripts ransomware attack occurred on Thursday January 18, resulting in several of the firm’s applications being taken offline, including its cloud EHR and electronic prescriptions platform. The attack came just a few days after two Indiana hospitals experienced SamSam ransomware attacks. The Allscripts ransomware attack is also believed to have involved a variant of SamSam ransmware – a ransomware family extensively used in attacks on healthcare providers. Allscripts is a popular electronic health record (EHR) system and Electronic Prescriptions for Controlled Substances (EPCS) provider, with its platform used by many U.S healthcare organizations, including 2,500 hospitals and 19,000 post-acute care organizations. More than 180,000 physicians, 100,000 electronic prescribing physicians, and 40,000 in-home clinicians use Allscripts. The Allscripts ransomware attack commenced in the early hours of Thursday morning. Rapid action was taken to remove the ransomware and restore data, with the incident response teams at Microsoft and Cisco called in to assist. An investigation...

Read More
Email Hack Sees PHI of 53,000 Pharmacy Patients Exposed
Jan19

Email Hack Sees PHI of 53,000 Pharmacy Patients Exposed

53,173 patients who received services from Onco360 and CareMed Specialty Pharmacy have been notified that some of their protected health information has been compromised. A security breach was suspected on November 14, 2017, when suspicious activity involving an employee’s email account was detected. Third party computer forensics experts were called in to conduct an investigation to determine the nature and scope of the breach. On November 30, it was determined that the breach involved three email accounts. An analysis of the emails in those accounts revealed some messages contained the PHI of patients, which could potentially have been accessed and stolen by the hacker. The information potentially compromised included names, demographic information, clinical information, details of medications provided by the pharmacy, Social Security numbers, and health insurance information. A limited number of patients may also have had some financial information exposed. No reports have been received to suggest any protected health information has been misused, although patients have been...

Read More
Summary of Healthcare Data Breaches in December 2017
Jan18

Summary of Healthcare Data Breaches in December 2017

There was a sharp rise in healthcare data breaches in December, reversing a two-month downward trend. There were 38 healthcare data breaches in December 2017 that impacted more than 500 individuals: An increase of 81% from last month.     Unsurprisingly given the sharp increase in reported breaches, the number of records exposed in December also increased month over month. The records of 341,621 individuals were exposed or stolen in December: An increase of 219% from last month.     December saw a similar pattern of breaches to past months, with healthcare providers experiencing the most data breaches; however, there was a notable increase in breaches reported by health plans in December – rising from 2 in November to six in December.   Causes of Healthcare Data Breaches in December 2017 As was the case last month, hacking/IT incidents and unauthorized access/disclosures were the most common causes of healthcare data breaches in December, although there was a notable increase in theft/loss incidents involving portable electronic devices and paper records.     While hacking...

Read More
Aetna Settles Class Action Lawsuit Filed by Victims of HIV Status Data Breach
Jan18

Aetna Settles Class Action Lawsuit Filed by Victims of HIV Status Data Breach

Aetna has agreed to settle a class action lawsuit filed by victims of a mailing error that resulted in details of HIV medications prescribed to patients being visible through the clear plastic windows of the envelopes. Aetna was not directly responsible for the mailing, instead an error was made by a third-party vendor. For some of the patients, the letters had slipped inside the envelope revealing the patient had been prescribed HIV drugs. In many cases, those envelopes were viewed by flat mates, family members, neighbors, friends, and other individuals, thus disclosing each patient’s HIV information. Is not known how many patients had their HIV information disclosed, although the mailing was sent to 13,487 individuals. Some of the patients were being prescribed medications to treat HIV, others were taking the medication as Pre-exposure Prophylaxis (PrEP) to prevent contracting the disease. Many of the patients who were outed as a result of the breach have faced considerable hardship and discrimination. Several patients have had to seek alternative accommodation after been forced...

Read More
Deadline for Reporting 2017 HIPAA Data Breaches Approaches
Jan17

Deadline for Reporting 2017 HIPAA Data Breaches Approaches

The deadline for reporting 2017 HIPAA data breaches to the Department of Health and Human Services’ Office for Civil Rights is fast approaching. HIPAA-covered entities have a maximum of 60 days from the discovery of a data breach to report security incidents to OCR and notify affected patients. Smaller breaches of PHI do not need to be reported to OCR within this time frame, instead covered entities can delay reporting those breaches to OCR until the end of the calendar year. The maximum allowable time for reporting breaches impacting fewer than 500 individuals is 60 days from the end of the year in which the breach was experienced. The final day for reporting 2017 HIPAA data breaches to OCR is therefore March 1, 2018. A HIPAA data breach is defined as an “acquisition, access, use, or disclosure” of unsecured protected health information (PHI) that is not permitted by the HIPAA Privacy Rule. Unsecured PHI is defined as PHI that is “not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology,”...

Read More
1,300 Patients’ Medical Records Viewed Without Authorization by Palomar Health Nurse
Jan16

1,300 Patients’ Medical Records Viewed Without Authorization by Palomar Health Nurse

More than 1,300 patients of Palomar Medical Center Escondido are being notified that a former nurse viewed their medical records without authorization while they were receiving treatment at the hospital. The privacy violations occurred over a 15-month period between February 10, 2016 and May 7, 2017. The unauthorized access was discovered when access logs were reviewed. The audit revealed a pattern of access that was not consistent with the nurse’s work duties. The audit showed the nurse had viewed the records of patients that had been assigned to her, in addition to patients assigned to another nurse in the same unit. The incident appears to be a case of snooping, rather than data access with malicious intent. Palomar Health has uncovered no evidence to suggest any information was recorded and removed from the hospital, and no reports have been received to suggest any patient information has been misused. Following an internal investigation into the privacy violations, the nurse resigned. The information viewed was limited to names, dates of birth, genders, medical record numbers,...

Read More
Indiana Health System Pays $55K Ransom to Recover Files
Jan16

Indiana Health System Pays $55K Ransom to Recover Files

A ransomware attack on Greenfield, Indiana-based Hancock Health on Thursday forced staff at the hospital to switch to pen and paper to record patient health information, while IT staff attempted to block the attack and regain access to encrypted files. The attack started around 9.30pm on Thursday night when files on its network started to be encrypted. The attack initially caused the network to run slowly, with ransom notes appearing on screens indicating files had been encrypted. The IT team responded rapidly and started shutting down the network to limit the extent of the attack and a third-party incident response firm was called upon to help mitigate the attack. An attack such as this has potential to cause major disruption to patient services, although Hancock Health said patient services were unaffected and appointments and operations continued as normal. An analysis of the attack uncovered no evidence to suggest any patient health information was stolen by the attacker(s). The purpose of the attack was solely to cause disruption and lock files to force the hospital to pay a...

Read More
20% of RNs Had Breaches of Patient Data at Their Organization
Jan15

20% of RNs Had Breaches of Patient Data at Their Organization

A recent survey conducted by the University of Phoenix College of Health Professions indicates registered nurses (RNs) are confident in their organization’s ability to prevent data breaches. The survey was conducted on 504 full time RNs and administrative staff across the United States. Respondents had held their position for at least two years. Almost half of RNs (48%) and 57% of administrative staff said they were very confident that their organization could prevent data breaches and protect against the theft of patient data, even though 19% of administrative staff and 20% of RNs said their organization had had a data breach in the past. 21% did not know if a breach had occurred. The survey confirmed that healthcare organizations have made many changes over the years to better protect data and patient privacy, with most of the changes occurring in the past year, according to a quarter of RNs and 40% of administrative staff. Those changes have occurred across the organization. The biggest areas for change were safety, quality of care, population health, data security and the...

Read More
43,000 Patients of Coplin Health Systems Potentially Impacted by Laptop Theft
Jan11

43,000 Patients of Coplin Health Systems Potentially Impacted by Laptop Theft

West Virginia-based Coplin Health Systems has informed 43,000 patients that their PHI has potentially been exposed as a result of the theft of an unencrypted laptop computer from the vehicle of an employee. Coplin Health was alerted to the theft on November 2, 2017. The theft was immediately reported to law enforcement and an investigation was launched, although at the time of issuing notifications, the laptop computer has not been recovered. While it is possible that protected health information of patients was stored on the laptop, Coplin Health does not believe that was the case, although the possibility of data exposure cannot be ruled out with 100% certainty. Coplin Health notes that the laptop had various security protections in place to ensure the privacy of patients in the event of the laptop being stolen. While the laptop could potentially be used to gain access to patient data, a password would have been required and it is not suspected that the thief had “the sophisticated knowledge and resources necessary to bypass the laptop’s security mechanisms.” Further, Coplin...

Read More
St. Rose Dominican Hospital Patients Impacted by DJO Global PHI Breach
Jan10

St. Rose Dominican Hospital Patients Impacted by DJO Global PHI Breach

DJO Global, a provider of medical technologies to help patients maintain and regain natural motion, has discovered that some patients’ information has been exposed, and potentially disclosed, to unauthorized individuals. Individuals who had received a DJO Global device in the emergency room, Urgent Care Site, or the Same Day Surgery Center of the Siena, San Martin or De Lima campuses of St. Rose Dominican Hospital in Las Vegas, NV between July 17 and October 16, 2017 have potentially been affected. Those individuals are likely to have signed a DJO Global Patient Product Agreement confirming they had received one of the company’s devices. Those consent forms should have been sent to DJO Global; hhowever, a batch of consent forms was not received. A DJO employee collected the forms from St. Rose Dominican Hospital and should have taken them to DHL to be delivered to DJO Global; however, the forms were lost in transit. They are believed to have been lost between collection from the hospital and delivery to DHL. The forms contained the following information: Name, phone number,...

Read More
Lack of Encryption on Hard Drive Results in the Exposure of 9387 Patients’ PHI
Jan10

Lack of Encryption on Hard Drive Results in the Exposure of 9387 Patients’ PHI

Framingham, MA-based Charles River Medical Associates has discovered the danger of failing to use encryption to protect data stored on portable hard drives. In late November, the practice discovered one of its portable hard drives was missing. The device contained x-ray images, names, patient ID numbers, and birth dates. Every patient who had visited the Framingham radiology lab for a bone density scan since 2010 had their x-ray images exposed – almost 9,400 individuals. The hard drive was used by the practice as a backup device and updated the stored data each month with bone density scans from the past four weeks. The last time the device was used was for the October data backup. In late November, when the monthly backup was scheduled to be made, the portable drive could not be found. A full search of the premises was conducted, which took several weeks, but the device could not be located. All staff members were questioned about the whereabouts of the drive, but no one had seen the device in the past four weeks. Charles River Medical Associates has now declared the device lost...

Read More
Oklahoma State University Center for Health Sciences Informs Patients of PHI Breach
Jan09

Oklahoma State University Center for Health Sciences Informs Patients of PHI Breach

Oklahoma State University Center for Health Sciences (OSUCHS) has discovered an unauthorized individual has gained access to parts of its computer network and potentially accessed files containing billing information of Medicaid patients. The security breach was discovered on November 7, 2017 with access to the network terminated the following day. Third party computer forensics experts were called upon to conduct a comprehensive investigation to determine which parts of the network had been accessed, and whether patient health information had been accessed or stolen. The investigation confirmed that patient health information could potentially have been viewed, although it was not possible to determine whether patient information had been accessed or stolen. OSUCHS reports that it has not received conclusive information to suggest any patient information has been misused. Out of an abundance of caution, all individuals potentially impacted by the incident have been notified of the breach by mail and advised that they should be alert to the possibility that their personal...

Read More
Phishing Attack on Florida Agency for Health Care Administration Impacts 30,000 Medicaid Recipients
Jan09

Phishing Attack on Florida Agency for Health Care Administration Impacts 30,000 Medicaid Recipients

The Agency for Health Care Administration in Florida has discovered an unauthorized individual has gained access to a single email account as a result of an employee falling for a phishing scam. The employee received and responded to the malicious phishing email on November 15, 2017 and disclosed login credentials that allowed the attacker to remotely access his/her email account and, potentially, the protected health information of as many as 30,000 Medicaid enrollees. The agency discovered the security breach on November 20 and performed a password reset to prevent further access. The incident was also reported to the agency’s inspector general, who launched an investigation into the attack. Preliminary findings of that investigation were released late last week. According to an agency press release issued on Friday, the unauthorized individual may have partially or fully accessed information such as names, Medicaid ID numbers, addresses, dates of birth, diagnoses, medical conditions, and Social Security numbers. Approximately 6% of individuals impacted by the incident had either...

Read More
Compassion Care Hospice Hack Impacts 1,128 Patients
Jan05

Compassion Care Hospice Hack Impacts 1,128 Patients

Compassionate Care Hospice Las Vegas (CCHLV) has discovered an unauthorized individual gained access to its network and server and potentially viewed 1,128 patients’ protected health information. On October 28, 2017, CCHLV discovered its network had been accessed by an unauthorized individual. Upon discovery of the breach, CCHLV hired third-party forensics experts to conduct a thorough investigation to determine the nature of the breach and to identify all patients who were potentially affected. While the investigation confirmed access to data was possible, no evidence was uncovered to suggest any sensitive information was viewed or stolen by the attacker. However, it was not possible to rule out data access and theft with 100% certainty. The types of information stored on the parts of the network that could have been accessed included names, dates of birth, addresses, Medicare numbers, medical treatment information, health insurance information, and archived electronic health records. Financial information was not stored on the part of the network compromised in the attack and...

Read More
Kaiser Permanente Reports Two Security Incidents Impacting 5,000 Members
Jan04

Kaiser Permanente Reports Two Security Incidents Impacting 5,000 Members

Kaiser Permanente has experienced two security incidents which have recently been reported to the Department of Health and Human Services’ Office for Civil Rights. In total, more than 5,000 individuals have been impacted by the breaches. Both breaches affect members of the Kaiser Foundation Group Health Plan. The most serious incident, in terms of the number of individuals impacted, was an email-related breach affecting 4,389 health plan members in the San Bernardino County area of Southern California. An unauthorized individual was discovered to have gained access to the email account of a Southern California Permanente physician, which contained a limited amount of protected health information. Kaiser Permanente conducted an extensive investigation to determine the nature and full extent of the breach. While the email account was accessed, Kaiser Permanente believes the risk to plan members is low due to the nature of data contained in the email account. The email account did not contain highly sensitive information such as bank account details, credit card numbers, insurance...

Read More
Largest Healthcare Data Breaches of 2017
Jan04

Largest Healthcare Data Breaches of 2017

This article details the largest healthcare data breaches of 2017 and compares this year’s breach tally to the past two years, which were both record-breaking years for healthcare data breaches. 2015 was a particularly bad year for the healthcare industry, with some of the largest healthcare data breaches ever discovered. There was the massive data breach at Anthem Inc., the likes of which had never been seen before. 78.8 million healthcare records were compromised in that single cyberattack, and there were also two other healthcare data breaches involving 10 million or more records. 2015 was the worst ever year in terms of the number of healthcare records exposed or stolen. 2016 was a better year for the healthcare industry in terms of the number of healthcare records exposed in data breaches. There was no repeat of the mega data breaches of the previous year. Yet, the number of incidents increased significantly. 2016 was the worst ever year in terms of the number of breaches reported by HIPAA-covered entities and their business associates. So how have healthcare organizations...

Read More
29,000 Patients Notified of Employee-Related Data Breach at SSM Health
Jan02

29,000 Patients Notified of Employee-Related Data Breach at SSM Health

The St. Louis, MO-based not-for-profit health system SSM Health has discovered a former employee has been accessing the health records of patients without any legitimate work reason for doing so for 8 months. The former employee worked in SSM Health’s customer service call center, and as such, did not have access to financial information, only demographic, health, and clinical information. The improper access was detected by SSM health on October 30, prompting a thorough investigation to determine the records that had been accessed and which patients were potentially at risk. The investigation revealed the records of patients in multiple states were accessed by the employee between February 13 and October 20, 2017. The employee was primarily interested in the records of patients of a primary care physician in the St. Louis area, specifically patients who had been prescribed a controlled substance. While that subset of patients was relatively small, it was not possible to determine the full scope of the privacy breach, so SSM Health took the decision to notify all patients whose...

Read More
Colorado Practice Hacked Twice in a Week
Jan02

Colorado Practice Hacked Twice in a Week

A family and sports medicine practice in Colorado has discovered a hacker gained access to its systems and encrypted files with ransomware. Longs Peak Family Practice (LPFP) in Longmont CO, identified suspicious activity on its network on November 5, 2017 and took rapid action to secure its systems. However, before that was possible, the attacker ran ransomware code which encrypted files on certain parts of its network. LPFP was prepared for such attacks, and was able to recover the encrypted files and rebuild its systems from backups. However, five days after the initial intrusion was detected, LPFP discovered a second attack had occurred, and its systems had been accessed in a second attack. Ransomware was not involved in the second incident. While the first incident was dealt with internally, when the second attack was discovered, LPFP called in a leading computer forensics form to assist with the investigation, conduct scans for malware and backdoors, and ensure that unauthorized access to its systems was blocked. That investigation revealed that an unauthorized individual had...

Read More
24,000 Patients Impacted by Emory Healthcare Data Breach
Dec29

24,000 Patients Impacted by Emory Healthcare Data Breach

Emory Healthcare (EHC) has discovered a former employee obtained the protected health information of several thousand EHC patients and uploaded the data to a Microsoft Office 365 OneDrive account, where it could potentially be accessed by other individuals. The former employee was a physician at Emory Healthcare, who now works for the University of Arizona (UA) College of Medicine. EHC says patient information was taken without authorization and without its knowledge. EHC was alerted to the incident by the University of Arizona, and received a list of affected individuals on October 18, 2017. The OneDrive account could only be accessed by the physician, other former EHC physicians now at UA, UA staff who investigated the incident, and potentially a limited number of other UA staff members who had a specific type of UA email account. PHI was not exposed on the Internet and no other individuals are believed to have been able to view the information. UA hired a third-party forensic team to conduct an investigation, although no evidence was uncovered to suggest patient information was...

Read More
Jones Memorial Hospital Alerts Patients to Ongoing Cyberattack
Dec29

Jones Memorial Hospital Alerts Patients to Ongoing Cyberattack

University of Rochester Medicine’s Jones Memorial Hospital in Wellsville, NY is currently experiencing a cyberattack that has caused unexpected downtime. The attack is understood to have started on Wednesday December 27 and has caused disruption to some of its information services. At the time of writing, the nature of the cyberattack is unclear and it has yet to be resolved.  The cyberattack is limited to Jones Memorial Hospital. No other locations have been impacted. While some systems are unavailable, Jones Memorial Hospital has announced on its website that the financial and medical information of its patients does not appear to have been compromised. If the investigation concludes that there has been a breach of health information, patients will be notified accordingly. Further information on the attack will also be posted on the hospital’s website as and when new information becomes available. The hospital notified law enforcement and the New York State Department of the attack when its systems went down. Hospital IT staff are being assisted by the IT departments at the...

Read More
Scrub Nurse Fired for Photographing Employee-Patient’s Genitals
Dec28

Scrub Nurse Fired for Photographing Employee-Patient’s Genitals

A scrub nurse who took photographs of a patient’s genitals and shared the images with colleagues has been fired, while the patient, who is also an employee at the same hospital, has filed a lawsuit seeking damages for the harm caused by the incident. The employee-patient was undergoing incisional hernia surgery at Washington Hospital. She alleges in a complaint filed in Washington County Court, that while she was unconscious, a scrub nurse took photographs of her genitals on a mobile phone and shared the photographs with co-workers. Photographing patients without their consent is a violation of HIPAA Rules, and one that can attract a significant financial penalty. Last Year, New York Hospital settled a HIPAA violation case with the Department of Health and Human Services’ Office for Rights and paid a financial penalty of $2.2 million. In that case, a television crew had been authorized to film in the hospital, but consent from the patients in the footage had not been obtained. In the Washington Hospital HIPAA breach, the patient, identified in the lawsuit only as Jane Doe, claims...

Read More
Children’s Hospital Los Angeles Alerts Parents to Impermissible Disclosure of Children’s PHI
Dec28

Children’s Hospital Los Angeles Alerts Parents to Impermissible Disclosure of Children’s PHI

Children’s Hospital Los Angeles is notifying parents of a privacy breach that saw the protected health information (PHI) of children disclosed to incorrect insurance payors. The privacy breach was discovered on November 29, 2017, with notifications sent to affected patients on December 19. The impermissible disclosure of PHI included names, addresses, medical record numbers, birth dates, dates of service, and descriptions of the services provided. Upon discovery of the privacy breach, the insurance payors were contacted and instructed to delete the information. Satisfactory assurances have been received that the information has now been deleted and the medical records of affected patients have been updated to include correct payor information. No reports have been received to suggest any of the disclosed information has been used inappropriately; however, out of an abundance of caution, affected patients have been offered credit monitoring/protection services with ID Experts without charge. In the breach notification letters, parents have been advised to monitor insurance...

Read More
Phishing Attack on Colorado Mental Health Institute Sees PHI Exposed
Dec27

Phishing Attack on Colorado Mental Health Institute Sees PHI Exposed

The Colorado Mental Health Institute at Pueblo has discovered one of its employees has fallen for a phishing scam that potentially allowed the attacker to gain access to the protected health information of as many as 650 patients. The Colorado Mental Health Institute at Pueblo is a 449-bed hospital providing inpatient care for patients. The hospital serves patients with pending criminal charges that require competency evaluations, individuals found by the courts to be incompetent to proceed, and individuals found not guilty of crimes due to insanity. The phishing attack occurred on November 1, 2017. The employee inadvertently disclosed login credentials that allowed the attacker to gain access to a state-issued computer. Unauthorized activity on the computer was detected the following day and access to the device was promptly blocked. The forensic investigation did not uncover any evidence to suggest the protected health information of patients had been accessed or stolen, although the possibility of unauthorized access and data theft could not be ruled out with complete certainty....

Read More
Access to Dental Records Lost for 5 Days Due to Ransomware
Dec27

Access to Dental Records Lost for 5 Days Due to Ransomware

A dental practice in Reno, NV has experienced a ransomware attack that prevented dental records and images from being accessed for five days. Wager Evans Dental experienced the ransomware attack on October 30, 2017. The malicious software was installed on one computer and one server used by the practice. Ransomware can be installed in a number of ways, although most commonly attacks occur via email. That appears to be the case with this attack, with the practice suspecting ransomware was downloaded when an employee clicked on a malicious hyperlink or email attachment. IT staff and other experts were able to restore the encrypted files and remove the ransomware, although the process took five days. Access to patient records and images was not regained until November 4. The files encrypted by the ransomware contained sensitive information such as names, dates of birth, addresses, diagnoses, treatment plans, images, health insurance information, and Social Security numbers. A comprehensive investigation of the attack was conducted and while it is possible that data could have been...

Read More
Protenus Releases November Healthcare Data Breach Report
Dec21

Protenus Releases November Healthcare Data Breach Report

Protenus has released its November healthcare data breach report – a summary of healthcare data breaches reported by HIPAA-covered entities. The report shows there has been a month on month fall in healthcare data breaches, and a major reduction in the number of records exposed by data breaches. November saw the lowest total of the year to date for breaches with 28 incidents included in the report – four incidents fewer than February, the previous best month when 32 breaches were reported. This is the second consecutive month when reported breaches have fallen. There were 46 breaches reported in September and 37 in October. November was also the best month of the year in terms of the number of records exposed. 83,925 individuals were impacted by healthcare data breaches in November. The previous lowest total was May, when 138,957 records were exposed. November was the third consecutive month where the number of breached records fell. While the November healthcare data breach report offers some good news, the fall in breaches and breached records should be taken with a large pinch...

Read More
Almost 10,000 Patients Impacted by Nebraska Ransomware Attack
Dec21

Almost 10,000 Patients Impacted by Nebraska Ransomware Attack

Columbus Surgery Center, LLC and Eye Physicians, P.C., in Columbus, Nebraska have experienced a ransomware attack that has potentially resulted in the protected health information of almost 10,000 patients being accessed by the attackers. The ransomware attack occurred on October 7, 2017 and saw a wide range of files on some servers being encrypted by the ransomware. A ransom demand was issued by the attackers, although it was not paid. The encrypted files were restored from a recent backup to allow services to be continued to be offered to patients. Third-party computer forensics professionals were called in to assist with the investigation of the attack to determine whether the attackers gained access to, viewed, or copied patient information and to investigate how access to the servers was gained and how the ransomware was installed. The investigation did not uncover evidence to suggest any patient health information was stolen, but data access could not be ruled out with a high degree of confidence. Consequently, the incident was reportable to the Department of Health and Human...

Read More
Potential Data Theft Incident Reported by Austin Manual Therapy
Dec20

Potential Data Theft Incident Reported by Austin Manual Therapy

1,750 patients of Austin Manual Therapy (AMT) have been notified that some of their protected health information may have been accessed and stolen by a criminal attacker who gained access to AMT’s computer system. A forensic investigation by a leading national cybersecurity team revealed access was first gained on October 3, 2017 and continued until October 9, when the intrusion was detected and blocked. According to the breach notice posted on the AMT website, access was not gained to the company’s electronic medical record system. Only a limited portion of the network was accessed – one computer and a shared file system. While the forensic investigation confirmed that access to some files had been gained, it was not clear how much information was viewed and which, if any, documents had been stolen. An analysis of the file system and computer showed that the following information could have been accessed: Names, addresses, dates of birth, phone numbers, dates of service, charge amounts, occupations, insurance coverage and policy information, health screening information,...

Read More
1,900 MidMichigan Medical Center Patients Notified After Documents Found in the Street
Dec20

1,900 MidMichigan Medical Center Patients Notified After Documents Found in the Street

MidMichigan Medical Center (MMC) in Alpena has alerted patients to a potential breach of their health information, which may have literally fallen into the hands of individuals unauthorized to view the information. On the evening of November 18, a MMC cardiologist removed patient files from the Alpena cardiology office without authorization. The files were transported to the cardiologist’s vehicle in a storage container, but the container had not been properly secured. Close to a parking lot near 12th Avenue/Chisholm Street, the container was dropped, spilling the contents on the ground. The documents were caught by the wind and started blowing round the street. Some of the documents were picked up by members of the public, who informed the hospital that documents containing sensitive patient information was blowing around the street. The hospital contacted law enforcement to provide assistance collecting the paperwork. Dr. Richard Bates, vice president of medical affairs at MMC issued a statement saying all of the paperwork is believed to have been retrieved, so the risk to...

Read More
6,600 Patients Discover PHI Has Been Exposed
Dec20

6,600 Patients Discover PHI Has Been Exposed

NYU Langone Health System has discovered a binder containing a log of presurgical insurance authorizations was accidentally recycled by a cleaning company in October. The binder contained records relating to around 2,000 patients. Information in the binder included names, birth dates, dates of service, current procedural terminology code, diagnosis codes, insurer names, and insurance ID numbers. In some cases, brief notes may have been present, along with insurance approvals/denials and inpatient/outpatient status. No Social Security numbers were recorded in the paperwork, and neither any financial information. As required by HIPAA, NYU Langone Health System had implemented a policy that requires all PHI to be disposed of securely when it is no longer required, typically by shredding documents. Since the binder was taken for recycling by accident, that did not occur. Since insurance ID numbers were present in the logs, NYU Langone Health System has offered all affected patients complimentary identity theft protection services and cyber monitoring services through ID Experts for one...

Read More
$2.3 Million 21st Century Oncology HIPAA Settlement Agreed with OCR
Dec15

$2.3 Million 21st Century Oncology HIPAA Settlement Agreed with OCR

A 21st Century Oncology HIPAA settlement has been agreed with the Department of Health and Human Services’ Office for Civil Rights (OCR) to resolve potential HIPAA violations discovered during the investigation of a 2015 breach of 2.2 million patients’ PHI. The breach in question was discovered by the Federal Bureau of Investigation (FBI) in 2015. The FBI informed 21st Century Oncology on November 13 and December 13, 2015, that an unauthorized individual accessed and stole information from one of its patient databases. 21st Century Oncology conducted an investigation with the assistance of a third-party computer forensics company and discovered the network SQL database was potentially first accessed on October 3, 2015. The database was accessed through Remote Desktop Protocol from an Exchange Server within 21st Century Oncology’s network. The database contained the protected health information of 2,213,597 individuals. As occurs after all data breaches that impact more than 500 individuals, OCR conducted an investigation into the 21st Century Oncology data breach. That...

Read More
Texas and Pennsylvania Data Breaches Exposed More than 5,000 Patients’ PHI
Dec15

Texas and Pennsylvania Data Breaches Exposed More than 5,000 Patients’ PHI

Midland Memorial Hospital in Midland, TX, and Washington Health System Greene in Waynesburg, PA, have announced they have discovered patients’ protected health information has been exposed. Washington Health System Greene Discovers Hard Drive Missing Washington Health System Greene is alerting 4,145 patients that some of their protected health information has been exposed after a hard drive was discovered to be missing. A portable hard drive used with a bone densitometry machine in the Radiology department was discovered to be missing on October 11, 2017. While it is possible that the hard drive may have been misplaced, a search of the hospital did not uncover the device, and the missing device has been reported to the Pennsylvania State Police Department as a potential theft. The device contained information on patients who visited the hospital for bone density scans between 2007 and October 11, 2017. The information stored on the device was limited to names, height, weight, race, and gender, while some patients also had details of health issues, the name of their prescribing...

Read More
Illinois Physicians Network Discovers Paper Records Missing from Storage Facility
Dec14

Illinois Physicians Network Discovers Paper Records Missing from Storage Facility

Over the past two months there have been several data breaches reported by HIPAA-covered entities involving the loss or theft of physical records. In November, 7 breaches involving paper records were reported to the HHS’ Office for Civil Rights, and a further 5 incidents were reported the previous month. Now another incident has been reported in Illinois. Franciscan Physician Network of Illinois and Specialty Physicians of Illinois LLC have discovered payment records that were kept in a storage facility are missing. The storage facility in Chicago Heights was shared by both physician groups. The loss/theft of the paperwork is one of the largest breaches of the past few months, potentially impacting as many as 22,000 patients. The payment records were from 2015-2017 and 2010. The boxes of files were confirmed as missing on November 21, 2017, with notifications issued on December 13, 2017. The loss of files was discovered following a routine records request, but the records could not be located. An inventory of the storage facility was conducted, and 40 boxes of files were determined...

Read More
November 2017 Healthcare Data Breach Report
Dec14

November 2017 Healthcare Data Breach Report

In November 2017, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) received 21 reports of healthcare data breaches that impacted more than 500 individuals; the second consecutive month when reported breaches have fallen. While the number of breaches was down month on month, the number of individuals impacted by healthcare data breaches increased from 71,377 to 107,143. Main Causes of November 2017 Healthcare Data Breaches In November there was an even spread between hacking/IT incidents, unauthorized disclosures, and theft/loss of paper records or devices containing ePHI, with six breaches each. There were also three breaches reported involving the improper disposal of PHI and ePHI. Two of those incidents involved paper records and one involved a portable electronic device. The two largest data breaches reported in November – the 32,000-record breach at Pulmonary Specialists of Louisville and the 16,474-record breach at Hackensack Sleep and Pulmonary Center – were both hacking/IT incidents. The former involved an unauthorized individual potentially...

Read More
Noncompliance with HIPAA Costs Healthcare Organizations Dearly
Dec13

Noncompliance with HIPAA Costs Healthcare Organizations Dearly

Noncompliance with HIPAA can carry a significant cost for healthcare organizations, yet even though the penalties for HIPAA violations can be considerable, many healthcare organizations have substandard compliance programs and are violating multiple aspects of HIPAA Rules. The Department of Health and Human Services’ Office for Civil Rights (OCR) commenced the much delayed second phase of HIPAA compliance audits last year with a round of desk audits, first on healthcare organizations and secondly on business associates of covered entities. Those desk audits revealed many healthcare organizations are either struggling with HIPAA compliance, or are simply not doing enough to ensure HIPAA Rules are followed. The preliminary results of the desk audits, released by OCR in September, showed healthcare organizations’ compliance efforts were largely inadequate. 94% of organizations had inadequate risk management plans, 89% were rated as inadequate on patients’ right to access their PHI, and 83% had performed inadequate risk analyses. It would appear that for many healthcare organizations,...

Read More
AMA Study Reveals 83% of Physicians Have Experienced a Cyberattack
Dec13

AMA Study Reveals 83% of Physicians Have Experienced a Cyberattack

Following the HIMSS Analytics/Mimecast survey that revealed 78% of healthcare organizations have experienced a ransomware or malware attack in the past 12 months, comes a new report on healthcare cybersecurity from the American Medical Association (AMA) and Accenture. The Accenture/AMA survey was conducted on 1,300 physicians across the United States and aimed to take the ‘physician’s pulse on cybersecurity.’ The survey confirmed that it is no longer a case of whether a cyberattack will be experienced, it is just a matter of when cyberattacks will occur and how frequently. 83% of physicians who took part in the survey said they had previously experienced a cyberattack. When asked about the nature of the cyberattacks, the most common type was phishing. 55% of physicians who had experienced a cyberattack said the incident involved phishing – A similar finding to the HIMSS Analytics survey which revealed email was the top attack vector in healthcare. 48% of physicians who experienced a cyberattack said computer viruses such as malware and ransomware were involved. Physicians at medium...

Read More
Email Top Attack Vector in Healthcare Cyberattacks
Dec12

Email Top Attack Vector in Healthcare Cyberattacks

A recent study conducted by HIMSS Analytics for email security firm Mimecast has revealed 78% of healthcare organizations have experienced a ransomware or malware attack in the past 12 months. Far from ransomware or malware attacks being occasional events, many of the healthcare organizations that participated in the survey have experienced more than a dozen malware or ransomware attacks in the past year. While there are several possible ways that ransomware and malware can be installed, healthcare providers rated email as the number one attack vector. When asked to rank attack vectors, Email was rated as the most likely source of a data breach by 37% of respondents, with the second most likely source of a data breach being ‘other portable devices’, ranked as the main threat by 10% of organizations. 59% of organizations ranked email first, second, or third as the most likely attack vector. In second place was laptops, which were ranked 1, 2, or 3 by 44% of organizations. Given the frequency of email based attacks this year, it is no surprise that healthcare organizations believe...

Read More
Oklahoma Health Department Re-Notifies 47,000 of 2016 Data Breach
Dec11

Oklahoma Health Department Re-Notifies 47,000 of 2016 Data Breach

In April 2016, the Oklahoma Department of Human Services experienced a data breach, and while notifications were sent to affected individuals and the DHS’ Office of Inspector General shortly after the breach was detected, a breach notice was not submitted to the HHS’ Office for Civil Rights – A breach of HIPAA Rules. Now, more than 18 months after the 60-day reporting window stipulated in the HIPAA Breach Notification Rule has passed, OCR has been notified. OCR has instructed the Oklahoma Department of Human Services to re-notify the 47,000 Temporary Assistance for Needy Families clients that were impacted by the breach to meet the requirements of HIPAA. The breach in question occurred in April 2016 when an unauthorized individual gained access to a computer at Carl Albert State College in Poteau, Oklahoma. The computer contained records of current and former Temporary Assistance for Needy Families clients. The data on the server included names, addresses, dates of birth, and Social Security numbers. Once the breach was identified, Carl Albert State College secured its systems to...

Read More
UNC Health Care Breach Potentially Impacts 24,000 Patients
Dec11

UNC Health Care Breach Potentially Impacts 24,000 Patients

A computer used by UNC Dermatology & Skin Cancer Center in Chapel Hill, NC, has been stolen, exposing the protected health information of approximately 24,000 patients. The computer was stolen by thieves during a burglary on October 8, 2017. UNC Health Care said a database on the stolen computer contained the protected health information of patients who had previously visited the Burlington Dermatology Center at 1522 Vaughn Road. UNC Healthcare took over the practice in September 2015, and details of patients who had visited the center for treatment prior to September 2015 were stored in the password-protected database. Since the database requires a password to gain access to patient information, it is possible that no PHI has been disclosed. However, since passwords can be guessed, and the database was not encrypted, patients are being notified of the potential privacy breach to meet HIPAA and N.C. Identity Theft Act requirements. The database contained information such as names, addresses, phone numbers, dates of birth, Social Security numbers, and the employment status of...

Read More
11,350 Sinai Health System Patients Potentially Impacted by Phishing Attack
Dec08

11,350 Sinai Health System Patients Potentially Impacted by Phishing Attack

The email accounts of two employees of Chicago’s Sinai Health System have been compromised in a recent phishing attack. Sinai Health System reports that the phishing attack occurred on October 2, and that it was quickly identified and mitigated. Access to the compromised accounts was possible only for a matter of hours. Cybersecurity experts were called in to assist with the investigation, and while the possibility of PHI access cannot be ruled out, the risk faced by patients is believed to be low. No evidence has been uncovered to suggest any financial information was accessed, although an analysis of the email accounts revealed a range of protected health information of 11,350 patients was contained in the email accounts and could potentially have been viewed. As a precaution against identity theft and fraud, patients impacted by the breach have been offered identity theft protection and credit monitoring services free of charge for 12 months. Mitigating the Ever-present Threat from Phishing Phishing is the biggest cybersecurity threat faced by organizations, with the healthcare...

Read More
New Jersey Sleep Medicine Specialists Experience Ransomware Attack
Dec08

New Jersey Sleep Medicine Specialists Experience Ransomware Attack

The New Jersey-based Hackensack Sleep and Pulmonary Center, specialists in sleep disorders and pulmonary conditions and diseases, has experienced a ransomware attack that resulted in the protected health information of certain patients being encrypted. The ransomware attack occurred on September 24, 2017 and resulted in medical record files being encrypted by the virus. The attack was discovered the following day. As is typical in these attacks, the attackers issued a ransom demand, the payment of which was necessary in order to obtain the keys to unlock the encryption. Hackensack Sleep and Pulmonary Center was prepared for ransomware attacks, and had made backups of all files, and the backups were stored securely offline. The backups were used to recover all encrypted data without paying the ransom. While data access is a possibility with ransomware attacks, the purpose of ransomware is usually to make data inaccessible and force victims to pay for the key to unlock the encryption. Ransomware attacks typically do not involve data access or data theft. Hackensack Sleep and...

Read More
880 Patients Potentially Impacted by Baptist Health Louisville Phishing Attack
Dec06

880 Patients Potentially Impacted by Baptist Health Louisville Phishing Attack

Baptist Health in Louisville, KY has notified 880 patients that some of their protected health information has potentially been accessed and stolen by hackers. The security breach was discovered on October 3, 2017, when irregular activity was detected on the email account of an employee. Baptist Health was able to determine that a third party sent a phishing email to the employee, who responded and disclosed login credentials allowing the email account to be accessed. Those login credentials were subsequently used by an unknown individual to gain access the email account. The email account contained the protected health information of 880 patients, although it is unclear whether any of the emails were viewed. The motive behind the attack may not have been to gain access to sensitive information. What is known, is access was used to send further phishing emails to other email accounts. Following the discovery of the breach, Baptist Health responded quickly to limit the potential for harm and disabled the affected email accounts and performed a password reset to prevent further...

Read More
18,500 Patients PHI Exposed After Multiple Email Accounts Were Compromised
Dec06

18,500 Patients PHI Exposed After Multiple Email Accounts Were Compromised

The Detroit-based Henry Ford Health System has started notifying almost 18,500 patients that some of their protected health information has potentially been accessed by an unauthorized individual. The breach was detected on October 3, 2017 when unauthorized access to the email accounts of several employees was detected. While protected health information was potentially accessed or stolen, the health system’s EHR system was not compromised at any point. All data was confined to the compromised email accounts. It is currently unclear exactly how access to the email accounts was gained. Typically, breaches such as this involve phishing attacks, where multiple emails are sent to healthcare employees that fool them into disclosing their login credentials. An internal investigation into the breach is ongoing to determine the cause of the attack and how the login credentials of some of its employees were stolen. Henry Ford Health System has conducted a review of all emails in the accounts and has determined that 18,470 patients have been affected. The emails contained a range of...

Read More
Hospital Employee Fired for Accessing Medical Records Without Authorization
Dec06

Hospital Employee Fired for Accessing Medical Records Without Authorization

Lowell General Hospital in Massachusetts has discovered the medical records of 769 patients have been accessed by an employee without any legitimate work reason for doing so. By accessing the medical records, the employee breached hospital policies and violated the privacy of patients. Upon discovery of the breach, and completion of the subsequent investigation, the employee was terminated. Lowell General Hospital was satisfied that only one person was involved, and that this was not a widespread problem at the hospital. Patients impacted by the security incident have been notified and a breach notice has been placed on the hospital website. Patients have been informed that the types of information accessed by the former employee included names, dates of birth, medical diagnoses, and information relating to treatments provided to patients. No financial information, health insurance details, or Social Security numbers were viewed by the employee, and the investigation uncovered no evidence to suggest that any of the information that was accessed has been misused. Lowell General...

Read More
PHI of 28,000 Mental Health Patients Allegedly Stolen by Healthcare Employee
Dec05

PHI of 28,000 Mental Health Patients Allegedly Stolen by Healthcare Employee

Center for Health Care Services (CHCS) in San Antonio, a provider of mental health treatment and support services for individuals with intellectual and developmental disabilities, has discovered documents containing the protected health information of patients have been stolen by a former employee. Breach notification letters have been sent to 28,434 patients who received services at CHCS before the summer of 2016 informing them of the breach. The breach was only discovered on November 7, 2017, but the data theft occurred more than 17 months ago. The former employee was terminated on May 31, 2016, with the data downloaded onto a personal laptop after the individual was fired, according to a recent CHCS press release. The breach came to light during discovery in a litigation case between the former employee and CHCS. No details have been released about the nature of the litigation. The stolen documents contained a wide range of highly sensitive data on patients, including adults and children. The data included names, dates of birth, addresses, Social Security numbers, dates and...

Read More
Medical Records from Pennsylvania Obs/Gyn Clinic Found at Public Recycling Center
Dec04

Medical Records from Pennsylvania Obs/Gyn Clinic Found at Public Recycling Center

Paper files containing names, Social Security numbers, and medical histories, including details of cancer diagnoses and sexually transmitted diseases, have been dumped at a recycling center in Allentown, Pennsylvania. The files appear to have come from Women’s Health Consultants, an obstetrics and gynecology practice that had centers in South Whitehall Township and Hanover Township, PA. Women’s Health Consultants is no longer in business. How the records came to be dumped at the recycling center is unknown as the container where the records were disposed of was not covered by surveillance cameras. The center does have a locked recycling container where sensitive documents containing confidential information can be disposed of securely, but that container was not used. The records were dumped in a container where they could be accessed by unauthorized individuals. The person who discovered the files left an anonymous tip on the non-emergency line of the Allentown communication center. According to The Morning Call, a city employee visited the recycling center and pushed...

Read More
UAB Medicine Alerts 652 Patients of PHI Exposure
Dec01

UAB Medicine Alerts 652 Patients of PHI Exposure

The UAB Medicine Viral Hepatitis Clinic in Birmingham, AL has experienced a breach of patients’ protected health information (PHI). UAB Medicine uses flash drives to transfer data from its Fibroscan machine to a computer. On October 25, 2017, two flash drives were discovered to be missing. The portable storage devices contained a limited amount of PHI of 652 patients. Information stored on the devices included first and last names, gender, birth dates, images and numbers relating to test results, medical diagnosis, names of referring physician, and the dates and times of the examination. UAB Medicine has confirmed that no Social Security numbers, financial information, insurance details, addresses, or phone numbers were stored on the flash drives. An extensive search of Viral Hepatitis Clinic was conducted, but the flash drives could not be located. The investigation into the breach is continuing. It is not known whether the flash drives were accidentally disposed of, lost within the facility, or if they were stolen. UAB Medicine therefore cannot say whether the PHI on the devices...

Read More
Personal Information of New York Pharmacy Customers Exposed in Improper Disposal Incident
Nov30

Personal Information of New York Pharmacy Customers Exposed in Improper Disposal Incident

ShopRite Supermarkets, Inc., has announced that some of its pharmacy customers have been impacted by a security breach involving the improper disposal of a device used to capture customers’ signatures. The device was used at the ShopRite, Kingston, NY location between 2005 and 2015 and stored personal and medical information. Customers who visited the pharmacy and had prescriptions filled between 2005 and 2015 have potentially been impacted by the incident. For those customers, the device stored information such as names, phone numbers, prescription numbers, dates and times of pickup or delivery, zip codes, medication names, and customers’ signatures. The device was also used for customers who bought an over-the-counter product containing pseudoephedrine. Those customers have had their driver’s license number, zip code, details of the product purchased, and personal and medical information exposed. In the substitute breach notice posted on the Wakefern Food Corp., website, customers have been advised that the device was disposed of by accident in February 2016, although ShopRite...

Read More
7,000 Patients Impacted by Extortion Attempt on Sports Medicine Provider
Nov28

7,000 Patients Impacted by Extortion Attempt on Sports Medicine Provider

Massachusetts-based Sports Medicine & Rehabilitation Therapy (SMART) has alerted 7,000 patients to a breach of their protected health information. Potentially, the breach impacted all patients whose information was recorded during a visit to a SMART center prior to December 31, 2016. The breach, which occurred in September 2017, was an extortion attempt. Hackers gained access to SMART systems, allegedly stole data, and demanded a ransom payment to prevent the information from being released online. No indication was provided in the breach notification letters to suggest the ransom was paid, although SMART has informed its patients that there is “no reason to believe that the data has been or will be used for further nefarious purposes.” The matter has been investigated by the FBI and Homeland Security although the details of the investigations have not been released. An attempt was made by SMART to obtain a copy of the police report through the Freedom of Information Act, although at the time the notifications were sent, no copy had been received. The information potentially...

Read More
Cottage Health Fined $2 Million By California Attorney General’s Office
Nov28

Cottage Health Fined $2 Million By California Attorney General’s Office

Santa Barbara-based Cottage Health has agreed to settle a data breach case with the California attorney general’s office. Cottage Health will pay $2 million to resolve multiple violations of state and federal laws. Cottage Health was investigated by the California attorney general’s office over a breach of confidential patient data in 2013. The breach was discovered by Cottage Health on December 2, 2013, when someone contacted the healthcare network and left a message on its voicemail system warning that sensitive patient information had been indexed by the search engines and was freely available via Google. The sensitive information of more than 50,000 patients was available online, without any need for authentication such as a password and the server on which the information was stored was not protected by a firewall. The types of information exposed included names, medical histories, diagnoses, prescriptions, and lab test results. In addition to the individual who alerted Cottage Health to the breach, the server had been accessed by other individuals during the time that it was...

Read More
Second Unencrypted Laptop Stolen from Rocky Mountain Health Care Services
Nov21

Second Unencrypted Laptop Stolen from Rocky Mountain Health Care Services

Rocky Mountain Health Care Services of Colorado Springs has discovered an unencrypted laptop has been stolen from one of its employees. This is the second such incident to be discovered in the space of three months. The latest incident was discovered on September 28. The laptop computer was discovered to contain the protected health information of a limited number of patients. The types of information stored on the device included first and last names, addresses, dates of birth, health insurance information, Medicare numbers, and limited treatment information. The incident has been reported to law enforcement and patients impacted by the incident have been notified by mail. Rocky Mountain Health Care Services, which also operates as Rocky Mountain PACE, BrainCare, HealthRide, and Rocky Mountain Options for Long Term Care, also discovered on June 18, 2017 that a mobile phone and laptop computer were stolen from a former employee. The devices contained names, dates of birth, addresses, limited treatment information, and health insurance details. To date, only one of those incidents...

Read More
9,500 Patients Impacted by Medical College of Wisconsin Phishing Attack
Nov21

9,500 Patients Impacted by Medical College of Wisconsin Phishing Attack

A Medical College of Wisconsin phishing attack has resulted in the exposure of approximately 9,500 patients’ protected health information. The attackers managed to gain access to several employees’ email accounts, which contained a range of sensitive information of patients and some faculty staff. The types of information in the compromised email accounts included names, addresses, medical record numbers, dates of birth, health insurance details, medical diagnoses, treatment information, surgical information, and dates of service. A very limited number of individuals also had their Social Security numbers and bank account information exposed. The incident occurred over the space of a week in the summer between July 21 and July 28 when spear phishing emails were sent to specific individuals at the Medical College of Wisconsin. Responding to those emails resulted in the attackers gaining access to email login credentials. Medical College of Wisconsin brought in a computer forensics firm to conduct an investigation into the phishing attack, and while that investigation established...

Read More
November Healthcare Breach Barometer Report Highlights Seriousness of Insider Data Breaches
Nov20

November Healthcare Breach Barometer Report Highlights Seriousness of Insider Data Breaches

Protenus has released its November 2017 healthcare Breach Barometer Report. After a particularly bad September, healthcare data breach incidents fell to more typical levels, with 37 breaches tracked in October. The monthly summary of healthcare data breaches includes incidents reported to the Department of Health and Human Services’ Office for Civil Rights (OCR), and incidents announced via the media and tracked by databreaches.net. Those incidents include several breaches that have yet to be reported to OCR, including a major breach that has impacted at least 150,000 individuals – The actual number of individuals impacted will not be known until the investigation has been completed. The numbers of individuals impacted by 8 breaches have not yet been disclosed. Including the 150,000 individuals impacted by largest breach of the month, there were 246,246 victims of healthcare data breaches in October 2017 – the lowest monthly total since May 2017. The healthcare industry has historically recorded a higher than average number of data breaches due to insiders, although over the...

Read More
Suspected Phishing Attack on UPMC Susquehanna Exposes 1,200 Patients’ PHI
Nov20

Suspected Phishing Attack on UPMC Susquehanna Exposes 1,200 Patients’ PHI

UPMC Susquehanna, a network of hospitals and medical centers in Williamsport, Wellsboro, and Muncy in Pennsylvania, has announced that the protected health information of 1,200 patients has potentially been accessed by unauthorized individuals. Access to patient information is believed to have been gained after an employee responded to a phishing email. While details of the breach date have not been released, UPMC Susquehanna says it discovered the breach on September 21, when an employee reported suspicious activity on their computer. An investigation was launched, which revealed unauthorized individuals had gained access to that individual’s device. It is not known whether the attacker viewed, stole, or misused any patient information, but the possibility of data access and misuse could not be ruled out. The information potentially accessed includes names, contact information, dates of birth, and Social Security numbers. The individuals potentially impacted by the incident had previously received treatment at various UPMC Susquehanna hospitals including Muncy Valley Hospital,...

Read More
Florida Blue Data Breach Impacts 939 Individuals
Nov17

Florida Blue Data Breach Impacts 939 Individuals

Blue Cross and Blue Shield of Florida, dba Florida Blue, has announced that the personally identifiable information of a limited number of insurance applicants has been exposed online. Florida Blue was alerted to the exposure of patient data in late August and immediately launched an investigation. Florida Blue reports that the investigation revealed 475 insurance applications had been backed up to the cloud by an unaffiliated insurance agent, Real Time Health Quotes (RTHQ). The data backup included agency files and copies of health, dental, and life insurance applications from 2009 to 2014. Those files were left vulnerable as an unsecured cloud server was used to store the backup files. Consequently, those files could have been accessed by the public via the Internet. While data access and theft of personally identifiable information remains a possibility, Florida Blue has received no reports that any of the exposed information has been used for malicious purposes. The files contained information such as the names of applicants, dates of birth, demographic information, medical...

Read More
Boxes of Medical Records Stolen from New Jersey Medical Practice
Nov17

Boxes of Medical Records Stolen from New Jersey Medical Practice

Otolaryngology Associates of Central Jersey is alerting patients to a breach of their protected health information, following a burglary at an off-site storage facility in East Brunswick, NJ. The thieves took 13 boxes of paper medical records from the facility, which included information such as names, addresses, health insurance account numbers, birth dates, dates of military service, and the names of treating physicians. A limited number of driver’s license numbers and Social Security numbers were also included in the stolen records. The burglary was quickly identified and law enforcement was notified. An internal investigation was launched, and steps were taken to reduce the likelihood of similar breaches occurring in the future. The medical records were being stored in accordance with state and federal laws, and related to past patients that had received treatment at either of Otolaryngology Associates of Central Jersey’s two facilities in East Brunswick and Franklin townships. All affected individuals have now been notified of the breach. While the perpetrators of many...

Read More
October 2017 Healthcare Data Breaches
Nov16

October 2017 Healthcare Data Breaches

In October 2017, there were 27 healthcare data breaches reported to the Department of Health and Human Services’ Office for Civil Rights. Those data breaches resulted in the theft/exposure of 71,377 patient and plan member records. October saw a significant fall in the number of reported breaches compared to September, and a major fall in the number of records exposed. October saw a major reduction in the number of breached records, with the monthly total almost 85% lower than September and almost 88% lower than the average number of records breached over the preceding three months. Healthcare providers were the worst hit in October with 19 reported data breaches. There were six data breaches reported by health plans and at least two incidents involved business associates of HIPAA-covered entities. October 2017 Healthcare Data Breaches by Covered Entity Type Main Causes of October 2017 Healthcare Data Breaches Unauthorized access/disclosures were the biggest causes of healthcare data breaches in October. There were 14 breaches reported involving unauthorized access/disclosures, 8...

Read More
MongoDB and AWS Incorporate New Security Controls to Prevent Data Breaches
Nov10

MongoDB and AWS Incorporate New Security Controls to Prevent Data Breaches

Amazon has announced that new safeguards have been incorporated into its cloud server that will make it much harder for users to misconfigure their S3 buckets and accidentally leave their data unsecured. While Amazon will sign a business associate agreement with HIPAA-covered entities, and has implemented appropriate controls to ensure data can be stored securely, but user errors can all too easily lead to data exposure and breaches. Those breaches show that even HIPAA-compliant cloud services have potential to leak data. This year has seen many organizations accidentally leave their S3 data exposed online, including several healthcare organizations. Two such breaches were reported by Accenture and Patient Home Monitoring. Accenture was using four unsecured cloud-based storage servers that stored more than 137 GB of data including 40,000 plain-text passwords. The Patient Home Monitoring AWS S3 misconfiguration resulted in the exposure of 150,000 patients’ PHI. In response to multiple breaches, Amazon has announced that new safeguards have been implemented to alert users to exposed...

Read More
Cook County Health and Hospitals System Patients Impacted by Experian Health Breach
Nov10

Cook County Health and Hospitals System Patients Impacted by Experian Health Breach

Cook County Health and Hospitals System, a health system comprising two hospitals and more than a dozen community health centers in Cook County Illinois, has alerted patients to a breach of their protected health information. The breach occurred at Experian Health, a business associate of Cook County Health and Hospitals System. Experian Health is contracted to determine insurance eligibility and limited patient information is disclosed to the business associate for this purpose. The breach occurred in March 2017 during an upgrade of Experian Health’s computer system. The protected health information of 727 patients was accidentally sent to other healthcare systems. The PHI disclosed was limited and did not include the types of information sought by cybercriminals to commit identity theft. Due to the limited disclosure of PHI, and the fact that the information was sent to organizations covered by HIPAA Rules, the risk to patients is believed to be low. To date, Experian Health has not been notified of any unauthorized uses of the disclosed information. The breach was limited to...

Read More
2017 Data Breach Report Reveals 305% Annual Rise in Breached Records
Nov09

2017 Data Breach Report Reveals 305% Annual Rise in Breached Records

A 2017 data breach report from Risk Based Security (RBS), a provider of real time information and risk analysis tools, has revealed there has been a 305% increase in the number of records exposed in data breaches in the past year. For its latest breach report, RBS analyzed breach reports from the first 9 months of 2017. RBS explained in a recent blog post, 2017 has been “yet another ‘worst year ever’ for data breaches.” In Q3, 2017, there were 1,465 data breaches reported, bringing the total number of publicly disclosed data breaches up to 3,833 incidents for the year. So far in 2017, more than 7 billion records have been exposed or stolen. RBS reports there has been a steady rise in publicly disclosed data breaches since the end of May, with September the worst month of the year to date. More than 600 data breaches were disclosed in September. Over the past five years there has been a steady rise in reported data breaches, increasing from 1,966 data breaches in 2013 to 3,833 in 2017. Year on year, the number of reported data breaches has increased by 18.2%. The severity of data...

Read More
Long-Term Malware Infection Discovered by Catholic Charities of the Diocese of Albany
Nov09

Long-Term Malware Infection Discovered by Catholic Charities of the Diocese of Albany

In August, while Catholic Charities of the Diocese of Albany (CCDA) was performing an upgrade of its computer security software, malware was discovered to have been installed on one of the computer servers used by its Glens Falls office, which served patients in Saratoga, Warren and Washington Counties in New York. Fast action was taken to block access to the server and CCDA called in a computer security firm to conduct an investigation into the unauthorized access. The investigation, which took several weeks to complete, revealed that access to the server potentially dated back to 2015. While access to the server was possible and malware had been installed, the investigation did not uncover evidence to suggest the protected health information of patients had been viewed or stolen. An analysis of the server revealed the stored files contained the protected health information of 4,624 patients. The information potentially accessed by the attackers included names, addresses, birthdates, diagnosis codes, dates of service, and for some patients, their health insurance ID numbers which...

Read More
Aging Agency Reports Ransomware Attack: 8,750 Patients Impacted
Nov09

Aging Agency Reports Ransomware Attack: 8,750 Patients Impacted

The Ottawa-based East Central Kansas Area Agency on Aging (ECKAAA) has experienced a ransomware attack that has resulted in the encryption of files on one of the agency’s servers. Those files contained the protected health information (PHI) of 8,750 patients. The attack occurred on September 5, 2017 and was immediately recognized by ECKAAA, which took prompt action to limit the spread of the infection. As a result, only parts of the server had files encrypted. Those files were discovered to contain names, telephone numbers, addresses, birthdates, Medicaid numbers, and Social Security numbers. ECKAAA hired a cybersecurity firm to assist with the investigation and determine the true extent and nature of the attack. The investigation revealed the ransomware variant used was a variant of Crysis/Dharma – a ransomware variant known to encrypt files stored locally, on mapped network drives, and unmapped network shares. Crysis/Dharma ransomware also deletes shadow volume copies to hamper recovery. While the investigation uncovered no evidence of exfiltration of data, the possibility of...

Read More
Healthcare Data Breach Analysis Questioned
Nov08

Healthcare Data Breach Analysis Questioned

Large healthcare providers experience more data breaches than smaller healthcare providers, at least that is what a healthcare data breach analysis from Johns Hopkins University Carey School of Business suggests. For the study, the researchers used breach reports submitted to the Department of Health and Human Services’ Office for Civil Rights. HIPAA-covered entities are required to submit breach reports to OCR, and under HITECT Act requirements, OCR publishes the breaches that impact more than 500 individuals. The Ge Bai, PhD., led study, which was published in the journal JAMA Internal Medicine, indicates between 2009 and 2016, 216 hospitals had reported a data breach and 15% of hospitals reported more than one breach. The analysis of the breach reports suggest teaching hospitals are more likely to suffer data breaches – a third of breached hospitals were major teaching centers. The study also suggested larger hospitals were more likely to experience data breaches. Now, a team of doctors from Vanderbilt University, in Nashville, TN have called the data breach statistics details...

Read More
Former Employees of Virginia Medical Practice Inappropriately Used Patient Information
Nov06

Former Employees of Virginia Medical Practice Inappropriately Used Patient Information

Two former employees of Valley Family Medicine in Staunton, VA have been discovered to have inappropriately used a patient list, in violation of the practice’s policies. The list was used to inform patients of a new practice that was opening in the area. One of the employees used the list to send postcards to Valley Family Medicine patients to advise them that a new practice, unaffiliated to Valley Family Medicine, was being opened. Patients were invited to visit the new practice. The mailing was sent in mid-July this year, although it was not discovered by Valley Family Medicine until September 15. The discovery prompted a full investigation of the breach, which confirmed that the only information used by the employees was the information contained on the list. That information was limited to names and addresses. No other protected health information was taken or used by the employees. Those two individuals are no longer employed at the practice and the list has now been recovered. Valley Family Medicine is satisfied that there have been no further misuses or disclosures of the...

Read More
TJ Samson Community Hospital Discovers Inappropriate Accessing of 683 Patients’ PHI
Nov04

TJ Samson Community Hospital Discovers Inappropriate Accessing of 683 Patients’ PHI

An independent care provider who provides care to patients of TJ Samson Community Hospital in South Central Kentucky, has been discovered to have inappropriately accessed the protected health information (PHI) of 683 patients of TJ Samson Community Hospital in Glasgow, KY and the TJ Health Columbia Clinic. The inappropriate access was discovered during a routine audit of PHI access logs on August 25, 2017. The subsequent investigation revealed two individuals from the healthcare provider’s office had accessed the protected health information of patients, without any legitimate work reason for doing so. Access to patients PHI is necessary in order for independent health care providers to conduct their work duties, although in this case, the PHI of patients was accessed even though the patients were not being treated by the individuals. TJ Samson interviewed both individuals about the alleged unauthorized access and is satisfied that no further uses or disclosures of PHI have occurred. In response to the incident, TJ Samson has terminated access for the individuals in question. The...

Read More
Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) Introduced by NY AG
Nov03

Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) Introduced by NY AG

The Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) has been introduced into the legislature in New York by Attorney General Eric T. Schneiderman. The aim of the act is to protect New Yorkers from needless breaches of their personal information and to ensure they are notified when such breaches occur. The program bill, which was sponsored by Senator David Carlucci (D-Clarkstown) and Assembly member Brian Kavanagh (D-Manhattan), is intended to improve protections for New York residents without placing an unnecessary burden on businesses. The introduction of the SHIELD Act comes weeks after the announcement of the Equifax data breach which impacted more than 8 million New Yorkers. In 2016, more than 1,300 data breaches were reported to the New York attorney general’s office – a 60% increase in breaches from the previous year. Attorney General Schneiderman explained that New York’s data security laws are “weak and outdated” and require an urgent update. While federal laws require some organizations to implement data security controls, in New York, there are no...

Read More
Lawnmower Engine Manufacturer Reports HIPAA Breach
Nov01

Lawnmower Engine Manufacturer Reports HIPAA Breach

Briggs Stratton Corporation, a manufacturer of lawnmower engines, may not appear to be a HIPAA covered entity since the firm is not in the healthcare industry and does not provide services to healthcare organizations as a business associate. However, the company is required to comply with HIPAA Rules. When the company experienced a potential breach of employee information, the incident was a reportable security breach, OCR required notification, and notification letters had to be issued to its employees. Just because a company does not operate in the healthcare industry does not mean that HIPAA does not apply. Briggs Stratton was required to comply with HIPAA Rules due to its self-insured group health plan. Employers and health plan sponsors are required to ensure that HIPAA policies are put in place for their group health plans, that any ePHI created, accessed, stored, or transmitted is safeguarded to the standards required by the HIPAA Security Rule and all HIPAA Rules are followed. That includes entering into business associate agreements with any entity that has access to the...

Read More
Tips for Reducing Mobile Device Security Risks
Nov01

Tips for Reducing Mobile Device Security Risks

An essential part of HIPAA compliance is reducing mobile device security risks to a reasonable and acceptable level. As healthcare organizations turn to mobiles devices such as laptop computers, mobile phones, and tablets to improve efficiency and productivity, many are introducing risks that could all too easily result in a data breach and the exposure of protected health information (PHI). As the breach reports submitted to the HHS’ Office for Civil Rights show, mobile devices are commonly involved in data breaches. Between January 2015 and the end of October 2017, 71 breaches have been reported to OCR that have involved mobile devices such as laptops, smartphones, tablets, and portable storage devices. Those breaches have resulted in the exposure of 1,303,760 patients and plan member records. 17 of those breaches have resulted in the exposure of more than 10,000 records, with the largest breach exposing 697,800 records. The majority of those breaches could have easily been avoided. The Health Insurance Portability and Accountability Act (HIPAA) Security Rule does not demand...

Read More
8,000 Patients Notified of PHI Exposure After Office Burglary
Oct30

8,000 Patients Notified of PHI Exposure After Office Burglary

A limited amount of protected health information (PHI) of almost 8,000 patients of Brevard Physician Associates has been exposed after a desktop computer was stolen in a burglary. The incident occurred on September 4, 2017 – Labor Day – when the offices were closed. In the early morning, thieves broke in and stole three desktop computers. The burglary triggered the alarm system and police responded to the incident, although not in time to apprehend the criminals. A forensic analysis of the office was performed, although to date the individuals responsible have not been apprehended and the computers not recovered. Two of the computers did not contain any protected health information, but the third computer had five audit files saved to the hard drive. The information in those audit files was limited, although there was sufficient information to warrant the issuing of breach notifications to patients. Brevard Physician Associates acted quickly and dispatched breach notification letters to affected patients well within the timeframe allowed by the HIPAA Breach Notification Rule. In...

Read More
932 Texas Children’s Health Plan Members’ PHI Emailed to Personal Account by Employee
Oct28

932 Texas Children’s Health Plan Members’ PHI Emailed to Personal Account by Employee

The protected health information (PHI) of 932 members of the Texas Children’s Health Plan has been discovered to have been emailed to the personal email account of a former employee. The incident was discovered on September 21, 2017, although the former employee emailed the data late last year in November and December 2016. The emails were discovered during a routine review. Texas Children’s Health Plan responded to the breach promptly and has taken action to mitigate risk. The health insurance plan has also implemented additional safeguards to prevent similar incidents from occurring in the future and employees have been re-trained on hospital policies and HIPAA Rules. While the reason for the PHI being emailed to the personal email account has not been disclosed, the breach report uploaded to the insurance plan website explains no evidence has been uncovered to suggest any plan member information has been used inappropriately. However, the incident has been reported to law enforcement. As is required by the HIPAA Breach Notification Rule, the incident has been reported to the...

Read More
Data Breach Highlights Danger of Using USB Drives to Store PHI
Oct26

Data Breach Highlights Danger of Using USB Drives to Store PHI

The Man-Grandstaff VA Medical Center in Spokane, WA has discovered two USB drives containing the protected health information of almost 2,000 veterans have been stolen. The two devices were being used to store data from a standalone, non-networked server that was being decommissioned. One of the devices was the master drive used to move the medical center’s Anesthesia Record Keeper database to its virtual archive server. According to a statement issued by the medical center, that transfer had taken place in January. It is unclear why the database was still on the drive. The devices were stolen on July 18, 2017 from a contract employee while on a service call to a VA hospital in Oklahoma City. Man-Grandstaff VA Medical Center was not able to determine exactly what information was stored on the USB drives, although the database on the virtual archive server was checked and found to contain full names, addresses, phone numbers, surgical information, insurance information, and Social Security numbers. 1,915 individuals who have potentially been affected are being notified of the breach...

Read More
The Most Common HIPAA Violations You Should Be Aware Of
Oct26

The Most Common HIPAA Violations You Should Be Aware Of

The most common HIPAA violations that have resulted in financial penalties are the failure to perform an organization-wide risk analysis to identify risks to the confidentiality, integrity, and availability of protected health information (PHI); the failure to enter into a HIPAA-compliant business associate agreement; impermissible disclosures of PHI; delayed breach notifications; and the failure to safeguard PHI. The settlements pursued by the Department of Health and Human Services’ Office for Civil Rights (OCR) are for egregious violations of HIPAA Rules. Settlements are also pursued to highlight common HIPAA violations to raise awareness of the need to comply with specific aspects of HIPAA Rules. This article covers five of the most common HIPAA violations that have resulted in settlements with covered entities and their business associates over the past few years. Are Data Breaches HIPAA Violations? Data breaches are now a fact of life. Even with multi-layered cybersecurity defenses, data breaches are still likely to occur from time to time. OCR understands that healthcare...

Read More
FirstHealth Attacked with New WannaCry Ransomware Variant
Oct24

FirstHealth Attacked with New WannaCry Ransomware Variant

FirstHealth of the Carolinas, a Pinehurst, SC-based not for profit health network, has been attacked with a new WannaCry ransomware variant. WannaCry ransomware was used in global attacks in May this year. More than 230,000 computers were infected within 24 hours of the global attacks commencing. The ransomware variant had wormlike properties and was capable of spreading rapidly and affecting all vulnerable networked devices. The campaign was blocked when a kill switch was identified and activated, preventing file encryption.  However, FirstHealth has identified the malware used in its attack and believes it is a new WarnnaCry ransomware variant. The FirstHealth ransomware attack occurred on October 17, 2017. The ransomware is believed to have been introduced via a non-clinical device, although investigations into the initial entry point are ongoing to determine exactly how the virus was introduced. FirstHealth reports that its information system team detected the attack immediately and implemented security protocols to prevent the spread of the malware to other networked devices....

Read More
Beazley Publishes 2017 Healthcare Data Breach Report
Oct23

Beazley Publishes 2017 Healthcare Data Breach Report

Beazley, a provider of data breach insurance and response services, has published a special report on healthcare data breaches covering the first nine months of 2017. While hacking and malware attacks are common, by far the biggest cause of healthcare data breaches in 2017 was unintended disclosures. Hacking and malware accounted for 19% of breaches, while unintended disclosures accounted for 41% of incidents. The figures show healthcare organizations are still struggling to prevent human error from resulting in the exposure of health data. As Beazley explains in its report, it is easier to control and mitigate internal breaches than it is to block cyberattacks by outsiders, yet many healthcare organizations are failing to address the problem effectively. “We urge organizations not to ignore this significant risk and to invest time and resources towards employee training.” Beazley notes that the number of cases of employee snooping on records and other insider incidents is getting worse. This time last year, 12% of healthcare data breaches were insider incidents, but in 2017 the...

Read More
RiverMend Health Email Breach Impacts 1300 Patients
Oct20

RiverMend Health Email Breach Impacts 1300 Patients

Augusta, GA-based RiverMend Health, a provider of specialty behavioral health services including services for drug and alcohol addiction, has discovered an unauthorized individual has gained access to the email account of one of its employees. The unauthorized access was detected on August 10, 2017, when suspicious emails were identified being sent from the employee’s account. The suspicious email activity was investigated and access to the account was blocked on August 11, 2017. The investigation revealed access to the account was first gained two weeks previously on July 27. During the two weeks that the email account was accessible, it is possible that the employee’s emails were accessed by the attacker. Those emails contained a range of protected health information of 1,300 current and former patients.  RiverMend Health has retained the services of a leading computer forensics firm to assist with the investigation and determine the full nature of the breach and the extent of the attack. RiverMend Health has not disclosed how access to the email account was gained, but has said...

Read More
Healthcare Phishing Attack Potentially Impacts 16,500 Patients
Oct19

Healthcare Phishing Attack Potentially Impacts 16,500 Patients

Phishing is arguably the biggest data security threat faced by healthcare organizations. The past few weeks have seen several attacks reported by healthcare organizations, with the latest healthcare phishing attack one of the most serious, having affected as many as 16,562 patients. Chase Brexton Health Care reports that the attack occurred on August 2 and August 3, 2017, when multiple phishing emails were delivered to the inboxes of its employees. Phishing attacks commonly take the form of bogus invoices and fake package delivery notifications, although these emails purported to be surveys. After employees completed the surveys they were required to enter their login information. Four employees fell for the scam and divulged their user account credentials. The phishing attack was discovered on August 4 and access to the employees’ accounts was blocked.  However, on August 2 and 3, the accounts of those employees were accessed and the attackers re-route employee payments to their own bank account. While the aim of the phishing attack did not appear to be to gain access to patient...

Read More
Healthcare Data Breaches in September Saw Almost 500K Records Exposed
Oct19

Healthcare Data Breaches in September Saw Almost 500K Records Exposed

Protenus has released its Breach Barometer report which shows there was a significant increase in healthcare data breaches in September. The report includes healthcare data breaches reported to the Department of Health and Human Services’ Office for Civil Rights and security incidents tracked by databreaches.net. The latter have yet to appear on the OCR ‘Wall of Shame.’ In total, Protenus/databreaches.net tracked 46 healthcare data breaches in September. While the total number of breach victims has not been confirmed for all incidents, at least 499,144 healthcare records are known to have been exposed or stolen. The number of records exposed or stolen in four of the month’s breaches has yet to be disclosed. The high number of incidents makes September the second worst month of 2017 for healthcare industry data breaches. Only June was worse, when 52 data breaches were reported. In August, 33 data breaches were reported by healthcare organizations. The report confirms the worst incident of the month was a ransomware attack that saw the records of 128,000 individuals made...

Read More
Theft of Unencrypted Laptop Potentially Results in PHI Exposure
Oct18

Theft of Unencrypted Laptop Potentially Results in PHI Exposure

An unencrypted laptop computer has been stolen from the vehicle of an employee of Bassett Family Practice in Virginia, potentially resulting in the exposure of patients’ protected health information. The theft is understood to have occurred over the weekend of 12/13 August. Patients were notified of the exposure of their data on October 13, 2017. The delay in issuing notifications was due to the time taken to recover the missing files from backups and to analyse those files to determine which patients had been affected and the types of PHI stored on the device. The laptop computer was discovered to contain some information about patients’ visits to the practice, along with their names, date of birth, account number, and their insurance provider’s name. The laptop also contained information related to account balances. No Social Security numbers or credit or debit card information were stored on the device. It is not company practice to store any protected health information on laptop computers. The files were transferred to the device as Bassett Family Practice was transitioning to...

Read More
Namaste Health Care Pays Ransom to Recover PHI
Oct17

Namaste Health Care Pays Ransom to Recover PHI

A hacker gained access to a file server used by Ashland, MI-based Namaste Health Care and installed ransomware, encrypting a wide range of data including patients’ protected health information. Access was gained to the file server over the weekend of August 12-13 and ransomware was installed; however, prior to the installation of ransomware it is unclear whether patients’ PHI was accessed or stolen. The Ashland clinic discovered its data had been encrypted when staff returned to work on Monday, August 14. Prompt action was taken to prevent any further accessing of its file server, including disabling access and taking the server offline. An external contractor was brought in to help remediate the attack and remove all traces of malware from its system. In order to recover data, Namaste Health Care made the decision to pay the attacker’s ransom demand. In this case, a valid key was supplied by that individual and it was possible to unlock the encrypted files. The clinic was able to recover data and bring its systems back online after a few days. The incident prompted the clinic to...

Read More
8,362 Patients Potentially Impacted by Advanced Spine & Pain Center Breach
Oct17

8,362 Patients Potentially Impacted by Advanced Spine & Pain Center Breach

The San Antonio, TX, Advanced Spine & Pain Center (ASPC) has notified patients of a potential breach and unauthorized use of their protected health information. Potentially, as many as 8,362 patients have been affected by the incident. ASPC became aware of a potential breach of ePHI on July 31, 2017 when some patients reported receiving a telephone call claiming payment for an outstanding bill was required. An investigation was launched to determine whether ASPC systems had been breached. That investigation revealed unauthorized individuals had gained access to an ASPC server. Unauthorized access occurred even though extensive protections had been put in place, including firewalls, network filtering, security monitoring, password protection, and antivirus software. While unauthorized access was confirmed, it was unclear whether any sensitive information was accessed by those individuals. It was also not possible to determine whether the telephone calls received by some patients were linked to the security breach. Since it is possible that patients’ ePHI was viewed or obtained...

Read More
Q3, 2017 Healthcare Data Breach Report
Oct16

Q3, 2017 Healthcare Data Breach Report

In Q3, 2017, there were 99 breaches of more than 500 records reported to the Department of Health and Human Services’ Office for Civil Rights (OCR), bringing the total number of data breaches reported in 2017 up to 272 incidents. The 99 data breaches in Q3, 2017 saw 1,767,717 individuals’ PHI exposed or stolen. So far in 2017, the records of 4,601,097 Americans have been exposed or stolen as a result of healthcare data breaches. Q3 Data Breaches by Covered Entity Healthcare providers were the worst hit in Q3, reporting a total of 76 PHI breaches. Health plans reported 17 breaches and there were 6 data breaches experienced by business associates of covered entities. There were 31 data breaches reported in July, 29 in August, and 39 in September. While September was the worst month for data breaches, August saw the most records exposed – 695,228. The Ten Largest Healthcare Data Breaches in Q3, 2017 The ten largest healthcare data breaches reported to OCR in Q3, 2017 were all the result of hacking/IT incidents. In fact, 36 out of the 50 largest healthcare data breaches in...

Read More
Bill Introduced to Standardize State Data Breach Notification Laws
Oct16

Bill Introduced to Standardize State Data Breach Notification Laws

The HIPAA Breach Notification Rule explains how HIPAA covered entities and their business associates’ data breach response should include issuing notifications to patients, plan members and the HHS’ Office for Civil Rights. Healthcare organizations must also comply with state data breach notification laws, which in some U.S. states, requires notifications to be issued more rapidly. Those laws cover different types of information, have additional notification requirements, and in some states, require credit monitoring and identity theft protection services to be offered to breach victims. Currently, there are 48 separate state data breach notification laws. For a small health system operating in one or two states, keeping up to date with relevant state data breach notification laws is straightforward. For large health systems and health plans that operate in multiple states, keeping up to date with changes to state laws, and ensuring compliance with those laws, can be a challenge. Bill Proposes Standardization of State Data Breach Notification Laws Congressman Jim Langevin (D-RI)...

Read More
How Should You Respond to an Accidental HIPAA Violation?
Oct12

How Should You Respond to an Accidental HIPAA Violation?

The majority of HIPAA covered entities, business associates, and healthcare employees take great care to ensure HIPAA Rules are followed, but what happens when there is accidental HIPAA violation? How should healthcare employees, covered entities, and business associates respond? How Should Employees Report an Accidental HIPAA Violation? Accidents happen. If a healthcare employee accidentally views the records of a patient, if a fax is sent to an incorrect recipient, an email containing PHI is sent to the wrong person, or any other accidental disclosure of PHI has occurred, it is essential that the incident is reported to your Privacy Officer. Your Privacy Officer will need to determine what actions need to be taken to mitigate risk and reduce the potential for harm. The incident will need to be investigated, a risk assessment may need to be performed, and a report of the breach may need to be sent to the Department of Health and Human Services’ Office for Civil Rights (OCR). You should explain that a mistake was made and what has happened. You will need to explain which patient’s...

Read More
PHI of 10,500 Patients of an Illinois Psychiatrist Exposed
Oct12

PHI of 10,500 Patients of an Illinois Psychiatrist Exposed

The medical files of more than 10,000 patients of a Naperville, IL-based psychiatrist – Dr. Riaz Baber, M.D. – have been discovered in the basement of an Aurora property by the woman who rented the house from the psychiatrist. The files had been stored in the basement for at least 4 years. The tenant, Barbara Jarvis-Neavins, was allegedly provided with a key to the basement by the psychiatrist’s wife as access was required when workmen had to visit the property. She was told that she was required to accompany workmen when they needed access. Jarvis-Neavins said she wanted to report the presence of the files – and that she could access the storage area – but thought that by doing so she would be asked to vacate the property. When she was told that she had to move out as the house was being sold, she contacted law enforcement – including the FBI – and state regulators to report the unsecured files. The FBI referred her to the Department of Health and Human Services’ Office for Civil Rights and she filed a complaint. She also contacted NBC 5. NBC 5 reporters...

Read More
47GB of Medical Records and Test Results Found in Unsecured Amazon S3 Bucket
Oct11

47GB of Medical Records and Test Results Found in Unsecured Amazon S3 Bucket

Researchers at Kromtech Security have identified another unsecured Amazon S3 bucket used by a HIPAA-covered entity. The unsecured Amazon S3 bucket contained 47.5GB of medical data relating to an estimated 150,000 patients. The medical data in the files included blood test results, physician’s names, case management notes, and the personal information of patients, including their names, addresses, and contact telephone numbers. The researchers said many of the stored documents were PDF files, containing information on multiple patients that were having weekly blood tests performed. In total, approximately 316,000 PDF files were freely accessible. The tests had been performed in patient’s homes, as requested by physicians, by Patient Home Monitoring Corporation. Kromtech researchers said the data could be accessed without a password. Anyone with an Internet connection, that knew where to look, could have accessed all 316,000 files. Whether any unauthorized individuals viewed or downloaded the files is not known. The researchers were also unable to tell how long the Amazon S3 bucket...

Read More
Summary of September 2017 Healthcare Data Breaches
Oct10

Summary of September 2017 Healthcare Data Breaches

There were 39 healthcare data breaches involving more than 500 records reported to the Department of Health and Human Services’ Office for Civil Rights in September 2017. Those breaches resulted in the theft/exposure of 473,074 patients’ protected health information. September 2017 Healthcare Data Breaches September 2017 healthcare data breaches followed a similar pattern to previous months. Healthcare providers suffered the most breaches with 27 reported incidents, followed by health plans with 10 breaches, and 2 breaches reported by business associates of covered entities. The biggest cause of healthcare data breaches in September was unauthorized access/disclosures (18 breaches), closely followed by hacking and IT incidents (17 breaches). Three theft incidents were reported and one covered entity reported the loss of an unencrypted device containing ePHI. All of the incidents involving loss or theft of devices related to laptops. One incident also involved a desktop computer and another the theft of physical records. There were no reported cases of improper disposal of PHI.  ...

Read More
Network Health Phishing Attack Impacts 51,000 Plan Members
Oct10

Network Health Phishing Attack Impacts 51,000 Plan Members

Wisconsin-based insurer Network Health has notified 51,232 of its plan members that some of their protected health information (PHI) has potentially been accessed by unauthorized individuals. In August 2017, some Network Health employees received sophisticated phishing emails. Two of those employees responded to the scam email and divulged their login credentials to the attackers, who used the details to gain access to their email accounts. The compromised email accounts contained a range of sensitive information including names, phone numbers, addresses, dates of birth, ID numbers, and provider information. No financial information or Social Security numbers were included in the compromised accounts, although certain individuals’ health insurance claim numbers and claim information was potentially accessed. The breach was detected rapidly and the affected accounts were shut down to limit the harm caused. An external cybersecurity consultant was brought in to assess the extent of the attack and perform a forensic analysis to determine whether access to other parts of the network...

Read More
Resold Fax Machine Prints Documents Containing PHI
Oct06

Resold Fax Machine Prints Documents Containing PHI

A fax machine used by a physician at Grand Rapids, MI, based Spectrum Health System was recently discovered to contain the PHI of around 20 patients. The fax machine was purchased from resale shop by a local resident, who discovered documents were still stored in the memory of the machine. When attempting to print off a fax transmission report, the device started printing documents containing sensitive patient information such as names, addresses, dates of birth, details of dependents, diagnoses, test results, and insurance information. The incident was brought to the attention of Wood TV’s Target 8 team, which investigated and traced the device to Spectrum Health’s Dr. Wendy Zink. Spectrum Health was contacted about the breach and Chief Privacy Officer Leah Voigt confirmed that all electronic equipment containing ePHI is sent to a business associate that ensures ePHI on the devices is permanently erased in accordance with HIPAA Rules. Spectrum Health has certification to prove that was the case and that the vendor also confirmed data had been permanently destroyed. The fax machine...

Read More
Texas Patients Just Informed of 2015 CoPilot Data Breach
Oct04

Texas Patients Just Informed of 2015 CoPilot Data Breach

Patients of a Texas orthopedic clinic are just finding out that some of their protected health information was exposed in a 2015 CoPilot data breach. In October 2015, a website maintained by CoPilot Provider Support Services was accessed by an unauthorized individual. That individual gained access to, and downloaded, the PHI of more than 220,000 patients. The website was used by providers to find out whether two drugs – ORTHOVISC® and MONOVISC® – were covered by the patients’ health insurance. CoPilot discovered its website had been breached on December 23, 2015, and launched an investigation. The individual who accessed the data was identified and the matter was reported to law enforcement. No information was believed to have been accessible by the public. While the incident was resolved, CoPilot delayed issuing breach notifications until January 2017. That delay resulted in a $130,000 fine from the New York Attorney General in June 2017. It has been two years since the breach, and eight months from when notifications were issued, but some breach victims are only just...

Read More
What are the HIPAA Breach Notification Requirements?
Oct04

What are the HIPAA Breach Notification Requirements?

All HIPAA covered entities must familiarize themselves with the HIPAA breach notification requirements and develop a breach response plan that can be implemented as soon as a breach of unsecured protected health information is discovered. While most HIPAA covered entities should understand the HIPAA breach notification requirements, organizations that have yet to experience a data breach may not have a good working knowledge of the requirements of the Breach Notification Rule. Vendors that have only just started serving healthcare clients may similarly be unsure of the reporting requirements and actions that must be taken following a breach. The issuing of notifications following a breach of unencrypted protected health information is an important element of HIPAA compliance. The failure to comply with HIPAA breach notification requirements can result in a significant financial penalty. With this in mind, we have compiled a summary of the HIPAA breach notification requirements for covered entities and their business associates. Summary of the HIPAA Breach Notification Requirements...

Read More
13,000 Patients Potentially Impacted by Mercy Health Love County Hospital Breach
Sep30

13,000 Patients Potentially Impacted by Mercy Health Love County Hospital Breach

A Mercy Health Love County Hospital breach has potentially impacted more than 13,000 patients in Oklahoma. On June 23, 2017, the hospital discovered an employee had stolen a laptop computer and paper records from a storage unit used by the hospital. According to the breach notice issued by Mercy Health, the records of 10 patients were taken from the storage unit along with the laptop. The theft of PHI was initially investigated by the Love County Sheriff’s Office. That investigation revealed the former employee had used the stolen information to fraudulently obtain credit cards in the patients’ names. A second individual is also understood to have been involved. While Mercy Health had up to 60 days to notify patients of the breach under HIPAA Rules, all ten patients were notified immediately. Mercy Health is working with the Love County Sherriff’s Office, the United States Postal Services, and the U.S. Secret Service which are all investigating the incident. Mercy Health said in its breach notice, “Although there is no evidence that files belonging to patients aside from the ten...

Read More
Our Lady of the Angels Hospital Breach Impacts 1,140 Patients
Sep29

Our Lady of the Angels Hospital Breach Impacts 1,140 Patients

Our Lady of the Angels Hospital has discovered a former employee accessed the medical records of 1,140 patients without authorization. The employee had been granted access to the protected health information in order to conduct work duties; however, hospital staff became aware the employee was accessing medical records without any legitimate work reason for doing so. The improper access was discovered on July 25, 2017, and the employee’s access to the medical record system was immediately terminated, as was the employee. Rene Ragas, President and CEO, Our Lady of the Angels Hospital, said, “Patient privacy is a top priority and we have a zero-tolerance policy for employees who improperly access patient data.” A thorough investigation was conducted to determine which patients had been impacted, which revealed the former employee had been inappropriately accessing the medical records of patients for more than three years. The Bogalusa, LA hospital was acquired by the Franciscan Missionaries of Our Lady Health System on March 17, 2014, which is the date given for when the improper...

Read More
PeaceHealth Employee Accessed Medical Records Without Authorization for Almost 6 Years
Sep29

PeaceHealth Employee Accessed Medical Records Without Authorization for Almost 6 Years

PeaceHealth, a not-for-profit Catholic health system based in Vancouver, WA, has discovered one of its former employees had accessed the medical records of almost 2,000 of its patients without any legitimate work reason for doing so. The unauthorized access was discovered by PeaceHealth on August 9, 2017, triggering an investigation. PeaceHealth determined the improper access started in November 2011 and continued until July 2017. The investigation confirmed Social Security numbers and financial information were not accessed by the employee, although patient names, medical record numbers, admission and discharge dates, medical diagnoses, and progress notes were all viewed. Due to the nature of information that was accessed, and the results of the internal investigation, PeaceHealth does not believe any patients impacted by the breach are at risk of identity theft. However, all impacted individuals have been advised to remain vigilant and review their credit reports and account statements for any sign of fraudulent activity. Patients impacted by the breach had visited either the...

Read More
Ransomware Attack Potentially Impacts 128,000 Arkansas Patients
Sep28

Ransomware Attack Potentially Impacts 128,000 Arkansas Patients

Arkansas Oral Facial Surgery Center in Fayetteville has experienced a ransomware attack that has potentially impacted up to 128,000 of its patients. Ransomware was believed to have been installed on its network between July 25 and 26, 2017. The attack was detected rapidly, although not before files, x-ray images, and documents had been encrypted. The incident did not result in the encryption of its patient database, except for a ‘relatively limited’ set of patients who data related to their recent visits encrypted. Those patients had visited the center for medical services in the three weeks prior to the ransomware attack. The ransomware attack is still under investigation, although to date, no evidence of data theft has been found. Arkansas Oral Facial Surgery Center believes the sole purpose of the attack was to extort money, and not to steal data; however, it has not been possible to rule out data access or data theft with a high degree of certainty. The files and images that were potentially accessed included information such as names, addresses, dates of birth, Social Security...

Read More
Another Healthcare Organization Attacked by The Dark Overlord
Sep26

Another Healthcare Organization Attacked by The Dark Overlord

Following a couple of months of relative quiet, the hacking group TheDarkOverlord has announced another successful attack on a U.S. healthcare provider, Mass-based SMART Physical Therapy (SMART PT). The hack reportedly occurred on September 13, 2017, with the announcement of the data theft disclosed by TDO on Twitter on Friday 22, 2017.  No mention was made about how access to the data was gained, although it was confirmed to databreaches.net that the attack took advantage of the use of weak passwords. The entire database of patients was reportedly stolen. Databreaches.net was provided with the patient database and has confirmed the authenticity of the attack. The database contained a wide range of information on 16,428 patients, including contact information, dates of birth and Social Security numbers. This was an extortion attempt and a demand for payment in Bitcoin was reportedly sent to SMART PT, although no payment has been made, nor will it be. SMART PT spokesperson Joanne Ponte confirmed to databreaches.net that they refuse to communicate with criminals and give in to the...

Read More
Lost Laptop Sees PHI of 3,725 Veterans Exposed
Sep25

Lost Laptop Sees PHI of 3,725 Veterans Exposed

A decommissioned laptop computer previously used by the Mann-Grandstaff VA Medical Center (MGVAMC) in Spokane, WA, has been discovered to be missing, potentially resulting in the exposure of sensitive patient data. The laptop was paired with a hematology analyzer and stored data related to hematology tests. The laptop was in use between April 2013 and May 2016, but was decommissioned when the device became unusable. The laptop, which had been supplied by a vendor, was replaced; however, an equipment inventory revealed the device to be missing. The device should have been returned to the vendor, although the vendor has no record of the laptop ever being recalled from MGVAMC. An inventory of equipment at the MGVAMC lab determined the device was missing. A full search of the medical center was conducted but the laptop could not be located. It was not possible to tell exactly what information had been stored on the device, or the exact number of patients whose protected health information may have been exposed. MGVAMC concluded all patients who submitted samples for hematology tests...

Read More
HIPAA Business Associate Data Breach Impacts 21,856 Individuals
Sep21

HIPAA Business Associate Data Breach Impacts 21,856 Individuals

The importance of reviewing system activity logs has been underscored by recent HIPAA business associate data breach. Nebraska-based CBS Consolidated Inc., doing business as Cornerstone Business & Management Solutions, conducted a routine review of system logs on July 10, 2017 and discovered an unfamiliar account on the server. Closer examination of that account revealed it was being used to download sensitive data from the server, including the protected health information of patients that used its medical supplies. 21,856 patients who received durable medical supplies from the company through their Medicare coverage have potentially been affected. The types of data obtained by the hacker included names, addresses, dates of birth, insurance details, and Social Security numbers. While personal information was exposed, the hacker was not able to obtain details of any medical conditions suffered by patients, nor details of any items purchased or financial information. It is currently unclear how the account was created, although an investigation into the incident is ongoing. CBS...

Read More
Fall in Healthcare Data Breaches in August: Rise in Breach Severity
Sep21

Fall in Healthcare Data Breaches in August: Rise in Breach Severity

Healthcare data breaches have fallen for the second month in a row, according to the latest installment of the Breach Barometer report from Protenus/Databreaches.net. In August, there were 33 reported healthcare data breaches, down from 36 incidents in July and 56 in June. While the reduction in data breaches is encouraging, that is still more than one healthcare data breach per day. August may have been the second best month of the year to date in terms of the number of reported incidents, but it was the third worst in terms of the number of individuals impacted. 575,142 individuals were impacted by healthcare data breaches in July, with the figure rising to 673,934 individuals in August. That figure will rise further still, since two incidents were not included in that total since it is not yet known how many individuals have been affected. The worst incident of the month was reported by Pacific Alliance Medical Center – A ransomware attack that impacted 266,133 patients – one of the worst ransomware incidents of the year to date. Throughout the year, insider incidents have...

Read More
The Compliancy Group Helps Imperial Valley Family Care Medical Group Pass HIPAA Audit
Sep20

The Compliancy Group Helps Imperial Valley Family Care Medical Group Pass HIPAA Audit

The Department of Health and Human Services’ Office for Civil Rights commenced the second round of HIPAA compliance audits late last year. The audit program consists of desk-based audits of HIPAA-covered entities and business associates, followed by a round of in-depth audits involving site visits. The desk audits have been completed, with the site audits put on hold and expected to commence in early 2018. Only a small number of covered entities have been selected to be audited as part of the second phase of compliance audits; however, covered entities that have escaped an audit may still be required to demonstrate they are in compliance with HIPAA Rules. In addition to the audit program, any HIPAA-covered entities that experiences a breach of more than 500 records will be investigated by OCR to determine whether the breach was the result of violations of HIPAA Rules. OCR also investigates complaints submitted through the HHS website. The first round of HIPAA compliance audits in 2011/2012 did not result in any financial penalties being issued, but that may not be the case for the...

Read More
1,081 St. Louis Patients Alerted About Improper PHI Disclosure
Sep20

1,081 St. Louis Patients Alerted About Improper PHI Disclosure

1,081 patients of the MS Center of Saint Louis and Mercy Clinic Neurology Town and Country are being informed that they may be contacted for marketing and research purposes by pharmaceutical companies and other third-parties, even though they may not have given their permission to be contacted. HIPAA Rules do not permit patients to be contacted for marketing or research purposes unless consent to do so has first been obtained. However, an error has resulted in patients’ information being disclosed to third parties in error and patients may be contacted by telephone, mail or email as a result. The MS Center and Mercy Clinic Neurology Town and Country report that medication onboarding forms were accidentally provided to pharmaceutical companies, even though the forms had not been signed by patients. The error also means patients’ protected health information has been impermissibly disclosed. Protected health information detailed on the forms includes names, email addresses, telephone numbers, home addresses, health insurance information, and in some cases, treatment and prescription...

Read More
Florida Healthy Kids Corporation Announces 2,000 Patients’ Impacted by Phishing Scam
Sep20

Florida Healthy Kids Corporation Announces 2,000 Patients’ Impacted by Phishing Scam

Reports of phishing attacks on healthcare organizations are arriving thick and fast. The latest HIPAA-covered entity to announce it has fallen victim to a phishing scam is Florida Healthy Kids Corporation, an administrator of the Florida KidCare program. On July 25, 2017, phishing emails started to arrive in the inboxes of members of staff, some of whom responded and inadvertently gave the attackers access to the sensitive information of members of the KidCare program. The phishing attack was identified the following day and access to the compromised email accounts was immediately blocked. While the incident was mitigated promptly, the attackers had access to email accounts and data contained in those accounts for approximately 24 hours. During that time, it is possible that the emails were accessed and sensitive information copied, although no reports of abuse of that information have been received and it is not clear whether any information was actually stolen. An analysis of the compromised email accounts revealed the personal information of 2,000 individuals was potentially...

Read More
5 Months to Notify Patients of Augusta University Medical Center Phishing Attack
Sep18

5 Months to Notify Patients of Augusta University Medical Center Phishing Attack

An Augusta University Medical Center phishing attack has resulted in an unauthorized individual gaining access to the email accounts of two employees. It is unclear exactly when the phishing attack was discovered, although an investigation into the breach was concluded on July 18, 2017. That investigation confirmed access to the employees’ email accounts was gained between April 20-21, 2017. Upon discovery of the breach, access to the email accounts was disabled and passwords were reset. The investigation did not confirm whether any of the information in the accounts had been accessed or copied by the attackers. Patients impacted by the breach have now been notified – five months after the breach occurred. Patients have been informed that the compromised email accounts contained sensitive information such as names, addresses, dates of birth, driver’s license numbers, financial account information, prescription details, diagnoses, treatment information, medical record numbers and Social Security numbers. The amount of information exposed varied for each patient. It is currently...

Read More
Phishing Attack Results in the Exposure of PHI at Morehead Memorial Hospital
Sep18

Phishing Attack Results in the Exposure of PHI at Morehead Memorial Hospital

Morehead Memorial Hospital in Eden, NC has announced two employees have fallen victim to a phishing attack that resulted in an unauthorized individual gaining access to their email accounts. Those accounts contained the protected health information of patients and sensitive information on employees. Upon discovery of the breach, access to the email accounts was blocked and the hospital performed a network-wide password reset. Leading computer forensics experts were hired to assist with the investigation and determine the extent of the breach. The investigation confirmed that access to the accounts was possible and sensitive patient and employee information could have been accessed. While no reports have been received to suggest any information in the accounts has been misused, the possibility of data access and data theft could not be ruled out. The types of information exposed includes names, health insurance payment summaries, health insurance information, treatment overviews, and a limited number of Social Security numbers. Phishing attacks such as this are common. Emails are...

Read More
Hospital Employee Fired Over 26,000-Record Arkansas DHS Privacy Breach
Sep18

Hospital Employee Fired Over 26,000-Record Arkansas DHS Privacy Breach

A former employee of the Arkansas Department of Human Services (DHS) has been fired from her new position at the state hospital for emailing spreadsheets containing the protected health information of patients to a personal email account. Yolanda Farrar worked as a payment integrity coding analyst for the DHS, but was fired on March 24, 2017. According to a statement issued by DHS spokesperson Amy Webb, Farrar was fired for “violations of DHS policy on professionalism, teamwork and diligent and professional performance.” The day previously, Farrar had spoken with her supervisor about issues relating to her performance and learned that she was about to be terminated. Within minutes of that conversation, Farrar emailed spreadsheets from her work email account to a personal email address. Farrar decided to take legal action against DHS for unfair dismissal. Attorneys working for DHS were preparing to represent the agency in court and were checking emails sent by Farrar through her work email account. They discovered the emails and spreadsheets on August 7. The DHS privacy...

Read More
Hospital Staff Discovered to Have Taken and Shared Photographs of Patient’s Genital Injury
Sep15

Hospital Staff Discovered to Have Taken and Shared Photographs of Patient’s Genital Injury

An investigation has been conducted into a privacy violation at the University of Pittsburgh Medical Center’s Bedford Memorial hospital, in which photographs and videos of a patient’s genitals were taken by hospital staff and in some cases, were shared with other individuals including non-hospital staff. The patient was admitted to the hospital in late December 2017, with photos/videos shared over the following few weeks. The patient was admitted to the hospital on December 23, 2016 with a genital injury – a foreign object had been inserted into the patient’s penis and was protruding from the end. The bizarre injury attracted a lot of attention and several staff members not involved with the treatment of the patient were called into the operating room to view the injury. Multiple staff members took photographs and videos of the patient’s genitals while the patient was sedated and unconscious. The privacy breach was reported by one hospital employee who alleged images/videos were being shared with other staff members not involved in the treatment of the patient. The complaint...

Read More
Hand Rehabilitation Specialists Suffers Breach of Almost 13,000 Patients’ PHI
Sep15

Hand Rehabilitation Specialists Suffers Breach of Almost 13,000 Patients’ PHI

Hand & Upper Extremity Centers has announced a security breach has potentially impacted almost 13,000 patients. The breach occurred at Thousand Oaks, CA-based Hand Rehabilitation Specialists (HRS). While it is unclear when the breach actually occurred, HRS was notified about a potential security incident on July 5, 2017. According to the substitute breach notice uploaded to the HBS website, an unauthorized individual is believed to have gained access to HBS systems and potentially viewed and exfiltrated patient data. As soon as HBS became aware of the incident, law enforcement was contacted and the Ventura County Sherriff’s Office conducted a forensic investigation of the computer system used by HBS. The incident was also reported to the Federal Bureau of Investigation. Law enforcement found no evidence to suggest any patient data had been exfiltrated, although it was not possible to rule out data theft with a high degree of certainty. The breach affects patients seen between 2004 and 2013, as well as their payment guarantors. The types of information potentially accessed...

Read More
New York Hospital Sued for Disclosing Patient’s HIV Status to Employer
Sep14

New York Hospital Sued for Disclosing Patient’s HIV Status to Employer

Earlier this year, the Department of Health and Human Services’ Office for Civil Rights settled a case with Mount Sinai St. Luke’s Hospital to resolve alleged HIPAA violations over a 2014 impermissible disclosure of a patient’s HIV positive status to his employer. St. Luke’s Hospital had faxed a document to the mailroom of the patient’s employer, rather than sending the information to a post office box as requested by the patient via his Authorization for Release of Medical Information form. The hospital, formerly known as the Spencer Cox Center for Health, also faxed the PHI of another patient to an office where he volunteered. St. Luke’s Hospital agreed to pay OCR $387,000 to resolve the case. St. Luke’s Hospital also agreed to a corrective action plan that required a review of its policies and procedures concerning PHI disclosures and further training of its employees. St. Luke’s Hospital accepted a mistake was made and the measures being undertaken will help to ensure similar incidents do not occur in the future. However, the hospital has refused to enter into a settlement...

Read More
Patient Health Records Discovered in a Denver Alley
Sep14

Patient Health Records Discovered in a Denver Alley

Approximately 70 patient files containing sensitive personal and medical information have been discovered in an alley in Denver, CO. The files contained details of patients’ medical histories, insurance information, and Social Security numbers – The types of information sought by identity thieves and fraudsters. The paperwork had been disposed of in a dumpster accessible by the public. The records came from the Blue Skies Clinic in Boulder, CO., which was purchased more than a decade ago from chiropractor Otsie Stowell, according to Fox31, Denver. Two chiropractors took control of the records of approximately 800-1000 patients when they bought the practice. Some of those records were stored in the basement of the practice, which was recently cleared. It is unclear how many records were disposed in the alley, although only 70 files were recovered. The records were disposed of by mistake and no one at the clinic was aware that sensitive information was being stored in the basement, according to a statement provided to FOX31 by one of the chiropractors, Rory Lee. Lee also apologized...

Read More
CareFirst Data Breach Lawsuit May be Heading to the Supreme Court
Sep14

CareFirst Data Breach Lawsuit May be Heading to the Supreme Court

In June 2014, hackers succeeded in gaining access to a database maintained by CareFirst BlueCross BlueShield and the protected health information of 1.1 million of its members. The types of information exposed as a result of the hack included names, email addresses, dates of birth, and subscriber ID numbers. Lawsuits were filed following the breach, with the plaintiffs seeking damages for the elevated risk of identity theft and fraud they faced as a result of the breach. In 2016, the U.S. District Court for the District of Columbia and dismissed one punitive class action lawsuit against CareFirst – Chantal Attias vs. Carefirst, Inc. – for lack of standing. Further complaints were also dismissed by two federal district courts. However, on August 1, 2017, the case was revived when the U.S. District Court for the District of Columbia allowed the case to proceed, even though there was not a concrete, identifiable injury to plaintiffs. CareFirst submitted a motion for a stay to allow an appeal to be filed with the Supreme Court. Last week, U.S. District Court for the...

Read More
Healthcare Industry Tops List for Class Action Data Breach Lawsuits
Sep13

Healthcare Industry Tops List for Class Action Data Breach Lawsuits

In 2016, the healthcare industry faced the most class-action data breach lawsuits, according to a new analysis of data breach lawsuits by the law firm, Bryan Cave, LLP, although the risk of litigation following a breach is still relatively low. To produce the 2017 data breach litigation report, Bryan Cave conducted a comprehensive review and analysis of all class action lawsuits filed by victims of data security breaches in 2016. The report explains that while there is always a threat of legal action being taken by data breach victims, the risk of a company facing litigation following a data breach is fairly low due to the difficult plaintiffs have establishing an injury has been caused. Year over year, there was a slight (7%) increase in class action lawsuits filed against companies that have experienced a data breach although there was a fall in the number of breaches that resulted in lawsuits. The report shows only 3.3% of data breaches in 2016 resulted in class action lawsuits compared to between 4%-5% in previous years. In total, 76 class actions were filed in 2016 as a result...

Read More
3,400 Patients of Children’s Hospital Colorado Potentially Impacted by Email Hack
Sep11

3,400 Patients of Children’s Hospital Colorado Potentially Impacted by Email Hack

Almost 3,400 patients of Children’s Hospital Colorado are being notified that some of their protected health information has potentially been accessed by an unauthorized individual who gained access to the email account of a staffer. The incident was discovered by the Aurora, CO hospital on July 11, 2017, prompting a full investigation to determine the scale and scope of the breach. A third-party computer forensics firm was hired to assist with the investigation to help identify how access to the email account was gained, whether any other systems had been compromised, and to identify any actions taken by the attacker. An analysis of data in the email account showed a limited amount of PHI was potentially compromised, including names, addresses, dates of birth, telephone numbers, medical diagnoses, treatment information and other clinical information. No financial information, insurance details, Social Security numbers or other highly sensitive data were exposed. The investigation confirmed the breach was limited to a single email account and its EHR was not affected. While access...

Read More
Mailing Error and PHI Breach Underscores Need for Greater Oversight
Sep08

Mailing Error and PHI Breach Underscores Need for Greater Oversight

Healthcare organizations must take care not to expose protected health information in mailings. Recently, there have been two incidents reported that involved sensitive information being disclosed as a result of a lack of oversight when corresponding with patients by mail. A third-party error resulted in details of HIV medications used by Aetna plan members being improperly disclosed. Letters were sent in sealed envelopes, although prescribed HIV medications were clearly visible through the clear plastic windows of the envelopes. Last year, Emblem Health sent a mailing in which patients’ Social Security numbers were accidentally printed on the outside of envelopes and the Ohio Department of Mental Health and Addiction Services sent a survey to patients on a postcard rather than using letters in sealed envelopes. In that case, the fact that the patient was, or had been, undergoing treatment for mental health issues was disclosed to any individual who happened to view the postcard. A similar incident has recently affected patients of University of Wisconsin-Madison’s Department of...

Read More
Community Memorial Health System Phishing Attack Reported
Sep07

Community Memorial Health System Phishing Attack Reported

The protected health information of almost 1,000 patients has potentially been accessed as a result of a recent Community Memorial Health System phishing attack. On June 22, 2017, a Community Memorial Health System employee responded to a phishing email and divulged his/her login credentials, allowing an unauthorized individual to gain access to a single email account. The employee realized the mistake the following day and reported the breach to the IT department, which launched an investigation to determine whether any patient information could have been accessed. The email account was discovered to contain a selection of protected health information including patients’ names, medical record numbers, dates of services, and a limited amount of health information. The Social Security numbers of some patients were also potentially compromised. No bank account information or credit/debit card numbers were exposed. The discovery of protected health information in the email account prompted Community Memorial Health System to bring in a computer forensics expert to determine whether...

Read More
OCR Head Expects Major HIPAA Settlement for a Big, Juicy, Egregious Breach in 2017
Sep06

OCR Head Expects Major HIPAA Settlement for a Big, Juicy, Egregious Breach in 2017

Roger Severino, the Director of the Department of Health and Human Services’ Office for Civil Rights (OCR) has stated his main enforcement priority for 2017 is to find a “big, juicy, egregious” HIPAA breach and to use it as an example for other healthcare organizations on the dangers of failing to follow HIPAA Rules. When deciding on which cases to pursue, OCR considers the opportunity to use the case as an educational tool to remind covered entities of the need to comply with specific aspects of HIPAA Rules. At the recent ‘Safeguarding Health Information’ conference run by OCR and NIST, Severino explained that “I have to balance that law enforcement instinct with the educational component that we do.” Severino went on to say, “I really want to make sure people come into compliance without us having to enforce. I want to underscore that.” Severino did not explain what aspect of noncompliance with HIPAA Rules OCR is hoping to highlight with its next big, juicy settlement, although no healthcare organization is immune to a HIPAA penalty if they are found to have violated HIPAA...

Read More
Alaska DHSS Discovers Malware Infection and Possible PHI Breach
Sep05

Alaska DHSS Discovers Malware Infection and Possible PHI Breach

A Trojan horse virus has been discovered on two computers used by the Alaska Department of Health and Social Services. The virus potentially allowed malicious actors to gain access to the data stored on the devices. Katie Marquette, Communications Director of the Alaska DHSS, issued a statement confirming there was “a potential HIPAA breach of more than 500 individuals.” At present, the exact number of individuals affected has not been disclosed. An analysis of the two malware-infected computers revealed the attackers, who are believed to be located in the Western region, may have been able to obtain sensitive information such as Office of Children’s Services (OCS) documents and reports. Those documents contained details of family case files, medical diagnoses and observations, personal information and other related information. The investigation into the breach is ongoing and the DHSS Information Technology and Security team is currently attempting to determine the exact nature of the breach and whether any sensitive data were accessed or exfiltrated. Individuals impacted by the...

Read More
Former Employee of The Neurology Foundation Discovered to Have Obtained Patient Data
Sep05

Former Employee of The Neurology Foundation Discovered to Have Obtained Patient Data

The Neurology Foundation in Providence, RI has investigated an employee who had been discovered to be using a company credit card to make unauthorized purchases. The investigation revealed that individual copied and removed a range of sensitive patient information from the organization. In breach of the Neurology Foundation’s policies, the former employee copied data relating to the Foundation’s patients onto an external hard drive which was stored in the employee’s home. The Neurology Foundation discovered the employee had copied data onto the hard drive during an exit interview on May 3, 2017. That revelation prompted the Foundation to retain a computer forensics firm to conduct an investigation into the employee’s activities and determine the types of data copied to the storage device and the number of patients impacted. That investigation also revealed the former employee had breached company policies by copying sensitive data onto his/her desktop computer and several zip drives. The information copied to the external storage device included patients’ names, addresses, phone...

Read More
19,000 Impacted by Medical Oncology Hematology Consultants Ransowmare Incident
Sep04

19,000 Impacted by Medical Oncology Hematology Consultants Ransowmare Incident

A server and several workstations used by Newark, Delaware-based Medical Oncology Hematology Consultants (MOHC) have had sensitive data encrypted by ransomware. The ransomware attack was discovered on July 7, 2017, although the attack first started around three weeks previously on June 17. The attack resulted in certain electronic files being encrypted, preventing access to data. Upon discovery of the attack, MOHC launched an investigation to determine the extent of the attack, the files affected, and whether any protected health information had been accessed or stolen. In addition to the Internal investigation, a third-party cybersecurity firm was contracted to assist with the recovery of encrypted data. MOHC determined that some of the encrypted files contained patients’ protected health information which could potentially have been accessed during the attack. The types of information potentially compromised were limited to patients’ names, phone numbers, dates of birth, health and treatment information. In total, 19,203 patients were potentially impacted by the incident. MOHC...

Read More
106,000 Mid-Michigan Physicians’ Patients Potentially Impacted by Breach
Aug31

106,000 Mid-Michigan Physicians’ Patients Potentially Impacted by Breach

The protected health information of 106,000 current and former patients of the radiology center of Mid-Michigan Physicians has potentially been compromised. McLaren Medical Group, which manages Mid-Michigan Physicians, has announced that the breach affected a system that stored scanned internal documents such as physician orders and scheduling information, which included protected health information such as names, addresses, telephone numbers, dates of birth, Social Security numbers, medical record numbers, and diagnoses. McLaren Medical Group discovered the breach in March this year, although the investigation into the security breach was protracted and notifications were delayed until the investigation was completed. That investigation confirmed the protected health information of seven individuals was definitely accessed, although potentially, the records of 106,000 patients could also have been viewed as a result of the radiology center’s system being compromised. McLaren Medical Group says its computer system has been reconstructed with additional security protections in place...

Read More
Lawsuit Filed Against Aetna for Disclosure of HIV Status of Patients
Aug31

Lawsuit Filed Against Aetna for Disclosure of HIV Status of Patients

A class action lawsuit has been filed against Aetna following a privacy breach that saw the HIV positive status of up to 12,000 individuals impermissibly disclosed. Details of prescribed HIV medications were visible through the clear plastic windows of envelopes, along with individuals’ names and addresses, in a recent mailing. The letters related to pharmacy benefits and information on how HIV medications could be received. As a result of an error, which has been attributed to letters slipping inside the envelopes, many individuals had had their HIV status disclosed to neighbors, family members and roommates. While breach notification letters have been sent to 12,000 individuals who received the mailing, it is unclear exactly how many individuals had details of their HIV medications disclosed. Last week, Aetna announced that “this type of mistake is unacceptable,” and confirmed action was being taken to ensure proper safeguards are put in place to prevent similar incidents from happening. However, for individuals affected by the error, serious and irreparable harm has been caused....

Read More
Website Update Exposes PHI of 8,800 Silver Cross Hospital Patients
Aug29

Website Update Exposes PHI of 8,800 Silver Cross Hospital Patients

Silver Cross Hospital in New Lenox, IL, has learned that the protected health information of 8,862 patients has been exposed as a result of a software update performed by a business associate that manages certain parts of its website. The software upgrade was performed on the website in November 2016, which resulted in security settings being inadvertently reconfigured. As a result, information entered by patients in webforms was made available over the Internet and could potentially have been accessed by unauthorized individuals. Silver Cross Hospital said change to the security settings was discovered internally on June 14, 2017. The vendor was immediately contacted and the site was rapidly secured. A computer forensics firm was contracted to perform an analysis of the website to establish whether any of the exposed information had been accessed by unauthorized individuals during the seven months that data were accessible. The investigation did not uncover any evidence to suggest unauthorized individuals navigated to the forms and viewed patient health information, although the...

Read More
Ransomware Attack on Salina Family Healthcare Impacts 77,000 Patients
Aug29

Ransomware Attack on Salina Family Healthcare Impacts 77,000 Patients

In June, ransomware was installed on servers and workstations at Salina Family Healthcare in Kansas resulting in the encryption and potential disclosure of patients’ protected health information. The attack occurred on June 18, 2017. Salina Family Healthcare was able to limit the extent of the attack by taking swift action to secure its systems. It was also possible to restore the encrypted data from recent backups so no ransom needed to be paid. A third-party computer forensics firm was contracted to analyze its systems to determine how the ransomware was installed and whether the attackers succeeded in gaining access to or stealing patient data. While evidence of data theft was not uncovered, the firm was unable to rule out the possibility that the actors behind the attack viewed or copied patient data. The protected health information potentially accessed includes names, addresses, dates of birth, Social Security numbers, medical treatment information, and health insurance details. While data access was possible, no reports have been received to suggest any information has...

Read More
Third-Party Mailing Error Sees Aetna Plan Members’ HIV Status Disclosed
Aug25

Third-Party Mailing Error Sees Aetna Plan Members’ HIV Status Disclosed

Aetna is in the news again for the wrong reasons, having experienced another protected health information breach. The latest incident impacts approximately 12,000 Aetna plan members and resulted in highly sensitive information being disclosed to unauthorized individuals. An error was made in a recent mailing to plan members. That error resulted in the HIV positive status of members being disclosed to other individuals. The letters advised plan members about their options for filling in their HIV prescriptions. However, some of that information was visible through the transparent plastic window in the envelope along with names and addresses. The mailing was sent by a third-party vendor on July 28, 2017. Aetna was notified of the error by the Legal Action Center and the AIDS Law Project of Pennsylvania, which in turn were notified of the error by some individuals whose HIV status had been disclosed. Those individuals said that in addition to the information being visible to the mailman, the letters had been viewed by roommates, neighbors and family members. The potential harm caused...

Read More
Credit Monitoring Services Must Now Be Offered to Breach Victims in Delaware
Aug24

Credit Monitoring Services Must Now Be Offered to Breach Victims in Delaware

For the first time in 10 years, Delaware has amended its data breach notification law and has now introduced some of the strictest requirements of any state. Any ‘person’ operating in the state of Delaware must now notify individuals of the exposure or theft of their sensitive information and must offer breach victims complimentary credit monitoring services for 12 months. Connecticut was the first state to introduce similar laws, with California also requiring the provision of credit monitoring services to breach victims. Breach victims must also be advised of security incidents involving their sensitive information ‘as soon as possible’ and no later than 60 days following the discovery of a breach. The new law also requires companies operating in the state to implement “reasonable” security measures to safeguard personal information – Delaware is the 14th state to require companies to adopt security measures to ensure sensitive information is protected. The definition of ‘personal information’ has also been expanded and now includes usernames/email addresses in combination with a...

Read More
MJHS Phishing Attack Result in the Exposure of 28,000 Individuals’ PHI
Aug24

MJHS Phishing Attack Result in the Exposure of 28,000 Individuals’ PHI

There has been a spate of phishing attacks on healthcare organizations in the past few weeks. The increased threat of attacks prompted the Department of Health and Human Services’ Office for Civil Rights to issue a warning to healthcare organizations, urging them to improve their defenses by conducting regular security awareness training sessions for employees. Phishing is the number one attack vector for delivering malware and successful attacks can result in the theft of considerable amounts of sensitive data. Email accounts contain a wide range of sensitive data on patients – information that can be used to commit identity theft and medical fraud, although oftentimes attacks are conducted to gain access to emails accounts for the purposes of spamming. In the case of the phishing attack on MJHS, the motive of the malicious actor is unknown. Fortunately, rapid identification and mitigation of the attack limited the attacker’s window of opportunity. The compromised email accounts were secured before the accounts could be used to send any emails, although it is possible that the...

Read More
34,000 Impacted by Ransomware Attack at St. Mark’s Surgical Center
Aug23

34,000 Impacted by Ransomware Attack at St. Mark’s Surgical Center

Another healthcare organization has been attacked with ransomware, resulting in the protected health information of almost 34,000 patients being encrypted and made inaccessible. St. Mark’s Surgical Center in Fort Myers, FL experienced the ransomware attack on April 13, 2017, which prevented patient data from being accessed until April 17, 2017. The ransomware was installed on the center’s server which contained patient’s names, dates of birth, Social Security numbers and treatment information. An investigation into the breach was immediately conducted to determine the extent of the attack and to find out which data had been encrypted and the number of patients impacted. That investigation revealed the protected health information of 33,877 patients was potentially accessed by the attackers. A third-party cybersecurity firm was called in to assist with the removal of the ransomware and to conduct a thorough forensic investigation. The firm was able to confirm that all traces of the malware were removed and further access to the server was blocked. The firm also investigated whether...

Read More