Our HIPAA breach news section covers HIPAA breaches such as unauthorized disclosures of protected health information (PHI), improper disposal of PHI, unauthorized PHI access by cybercriminals and rogue healthcare employees, and other security and privacy breaches.

When known, we explain how the breach occurred, the consequences to patients that may have had their PHI compromised, and the actions being taken by the affected healthcare organization to improve safeguards to prevent further HIPAA breaches.

We also explain any actions being taken by the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) and state attorneys general in relation to those breaches.

OCR investigates all data breaches that impact more than 500 individuals to determine whether any HIPAA violations have occurred. When HIPAA Rules are discovered to have been violated, financial penalties may be deemed appropriate. It can take many months or years before any financial penalties for HIPAA breaches are decided. Financial penalties for HIPAA violations tend to be reserved for the most serious breaches of HIPAA Rules. OCR prefers to resolve cases with voluntary compliance and by issuing recommendations to bring policies in line with HIPAA Rules.

The HIPAA breach news section is particularly relevant to healthcare information security professionals, privacy officers, and other individuals who have some responsibility for HIPAA compliance.

The HIPAA breach news reports highlight common areas of non-compliance and new attack vectors used by cybercriminals to gain access to healthcare networks and PHI, the security failings that allowed them to happen, and the measures that have been implemented to prevent them from happening again.

No healthcare organization wants to experience a data breach, but when a breach does occur, lessons can be learned. HIPAA-covered entities can use these breach examples to help train their staff as well as to discover some of the methods other covered entities have adopted to improve data security.

As you will be able to see from the volume of posts in the HIPAA breach news category, healthcare data breaches occur frequently. In 2016 and 2017, healthcare data breaches have been reported on an almost daily basis.

Our HIPAA breach news section is an important source of information about potential security issues that covered entities should be identifying when conducting their own risk assessments. Many of the situations in our HIPAA breach news posts could have been avoided if a risk assessment had identified a vulnerability that was later exploited to gain access to PHI.

The main purpose for adding HIPAA breach news to this website is to highlight specific aspects of HIPAA compliance that are commonly overlooked, often with serious consequences for the covered entity and patients/health plan members.

By raising awareness of the volume of healthcare data breaches, the implications of those breaches, and the penalties that can result, it is hoped that healthcare providers will take decisive action to prevent their patients’ and members’ data from being exposed.

The most recent healthcare data breach reports are listed below. If you want to find out if a specific covered entity has experienced a data breach, please use the search function in the top right hand corner of this webpage.

350,000 Affected by Oregon Department of Human Services Phishing Attack
Mar22

350,000 Affected by Oregon Department of Human Services Phishing Attack

Oregon Department of Human Services (ODHS) has experienced a phishing attack that has potentially allowed unauthorized individuals to view or obtain the protected health information of more than 350,000 individuals. ODHS learned on January 28, 2019 that unauthorized individuals had gained access to email accounts containing clients’ personal information. Third-party forensics experts from IDExperts were called in to determine the number of individuals affected, the types of data that could have been accessed, and whether clients’ personal information had been extracted. The investigation conformed that nine employees had clicked links in phishing emails and divulged their login credentials, which allowed the attackers to gain access to their email accounts. The first account was compromised on January 8, 2019. The compromised email accounts contained almost 2 million emails. Checks are still being performed to find out which individuals have been affected. ODHS has confirmed that emails in the account contained information such as clients’ first and last names, addresses, birth...

Read More
UCLA Health Settles Class Action Data Breach Lawsuit for $7.5 Million
Mar22

UCLA Health Settles Class Action Data Breach Lawsuit for $7.5 Million

UCLA Health has settled a class action lawsuit filed on behalf of victims of data breach that was discovered in October 2014. UCLA Health has agreed to pay $7.5 million to settle the lawsuit. UCLA Health detected suspicious activity on its network in October 2014 and contacted the FBI to assist with the investigation. The forensic investigation confirmed that hackers had succeeded in gaining access to its network, although at the time it was thought that they did not access the parts of the network where patients’ medical information was stored. However, on May 5, 2015, UCLA confirmed that the hackers had gained access to parts of the network containing patients’ protected health information and may have viewed/copied names, addresses, dates of birth, Medicare IDs, health insurance information, and Social Security numbers. In total, 4.5 million patients were affected by the breach. The Department of Health and Human Services’ Office for Civil Rights investigated the breach and was satisfied with UCLA Health’s breach response and the technical and administrative safeguards that had...

Read More
Verity Health System Suffers Third Phishing Breach in 3 Months
Mar21

Verity Health System Suffers Third Phishing Breach in 3 Months

Verity Health System patients’ PHI was exposed in a phishing attack in 2016, in two further phishing attacks in November 2018, and the 6-hospital health system has now announced yet another attack occurred in January 2019. The latest phishing incident has impacted 14,894 patients. Three employees’ email accounts were compromised in the last three phishing attacks. Verity Health System explained in its breach notification letters that no evidence was uncovered to suggest any patients’ protected health information had been accessed by unauthorized individuals. The attacks are believed to have been conducted for use in further phishing attacks on other individuals in the organization, although PHI access could not be ruled out. The types of information exposed in the latest attack includes names, addresses, contact telephone numbers, dates of birth, diagnoses, treatment information, health insurance policy numbers, subscriber numbers, patient ID numbers, and billing codes. Some of the files attached to emails also included Social Security numbers and driver’s license numbers. Some...

Read More
Medical Device Manufacturer Notifies 277,319 Patients About PHI Exposure
Mar21

Medical Device Manufacturer Notifies 277,319 Patients About PHI Exposure

The Pennsylvania medical device manufacturer and software developer, ZOLL Medical Corporation, has started notifying 277,319 patients about the accidental exposure of some of their personal and medical information. The information was contained in emails that had been archived using a third-party email archiving solution. During a server migration, archived emails were exposed and could potentially have been accessed by unauthorized individuals. Upon discovery of the breach, ZOLL initiated an investigation and hired a third-party computer forensics company to determine whether any unauthorized individuals had accessed emails and viewed or downloaded patient information. The investigation revealed protections had been removed on November 8, 2018 and emails remained accessible until December 28, 2018. No evidence was uncovered to suggest any sensitive information was accessed by unauthorized individuals, but it was not possible to rule out the possibility that personal and medical information had been compromised. An analysis of the archived emails revealed they contained patient...

Read More
Northwestern Medicine Sued Over Medical Information Disclosure on Twitter
Mar20

Northwestern Medicine Sued Over Medical Information Disclosure on Twitter

Northwestern Medicine Regional Medical Group is being sued by a patient whose sensitive medial information was disclosed on Twitter and Facebook. Gina Graziano discovered some of her sensitive medical information had been disclosed on social media websites and contacted Northwestern Medicine to complain about the privacy investigation. Northwestern Medicine investigated the complaint and determined that Graziano’s medical records had been accessed on two separate occasions by a hospital employee who had no treatment relationship with Graziano. The records were accessed on March 5 and 6, 2019, using an employee’s login credentials. Graziano’s medical file contained a range of sensitive information, including her personal details, the reason for a recent visit to the emergency department, lab test results, medications, medical history, imaging results, and other information. Sensitive information which Graziano did not want to be placed in the public domain was disseminated on social media sites causing her to be publicly humiliated. While Northwestern Medicine did not disclose the...

Read More
Database of New Jersey Healthcare Provider Found to be Leaking Patient Data
Mar20

Database of New Jersey Healthcare Provider Found to be Leaking Patient Data

Another unsecured healthcare database has been discovered which contains an estimated 37,000 records. The discovery was made on March 1, 2019 by security researcher Jeremiah Fowler. A brief analysis of the database appeared to show the records belonged to the New Jersey healthcare provider, Home Health Radiology Services LLC. The database contained highly sensitive patient information such as names, addresses, phone numbers, and dates of birth along with medical notes, diagnoses, treatment information, insurance information, and in some cases, Social Security numbers. In a recent blog post on securitydiscovery.com, Fowler explained that 37,000 case files were found along with 1,540 doctor’s information records, chat logs, emails, support tickets, and many other sensitive files. The records were mostly contained in an Elastic database which could be accessed over the internet by anyone without the need for any authentication. The unsecured database was reported to Home Health Radiology Services, which promptly secured the database to prevent any further unauthorized access. It is...

Read More
Potentially Massive Breach of Protected Health Information Discovered
Mar19

Potentially Massive Breach of Protected Health Information Discovered

Sacramento, CA-based medical software provider Meditab Software Inc., and it’s San Juan, PR-based affiliate, MedPharm Services have suffered a massive breach of protected health information. Meditab provides electronic medical record (EMR) and practice management software to hospitals, physician’s offices, and pharmacies. According to the company website, its software is used by more than 2,200 healthcare clients. Meditab also provides a fax processing service and one of the servers used for processing faxes has been discovered to be leaking data and could be accessed over the internet without the need for any authentication. The unprotected fax server was discovered by the Dubai-based cybersecurity firm SpiderSilk. The fax server was hosted on a subdomain of MedPharm Services and housed an Elastisearch database containing fax communications. Those faxes could be accessed in real time. The database was created in March 2018 and housed more than 6 million records. It is currently unclear how many of those records contained protected health information. According to a recent report...

Read More
February 2019 Healthcare Data Breach Report
Mar18

February 2019 Healthcare Data Breach Report

Healthcare data breaches continued to be reported at a rate of more than one a day in February. February saw 32 healthcare data breaches reported, one fewer than January. The number of reported breaches may have fell by 3%, but February’s breaches were far more severe. More than 2.11 million healthcare records were compromised in February breaches – A 330% increase from the previous month. Causes of Healthcare Data Breaches in February 2019 Commonly there is a fairly even split between hacking/IT incidents and unauthorized access/disclosure incidents; however, in February, hacking and IT incidents such as malware infections and ransomware attacks dominated the healthcare data breach reports. 75% of all reported breaches in February (24 incidents) were hacking/IT incidents and those incidents resulted in the theft/exposure of 96.25% of all records that were breached. All but one of the top ten healthcare data breaches in February were due to hacks and IT incidents. There were four unauthorized access/disclosure incidents and 4 cases of theft of physical or electronic PHI. The...

Read More
Three Healthcare Ransomware Attacks Reported: 70,000 Individuals Affected
Mar13

Three Healthcare Ransomware Attacks Reported: 70,000 Individuals Affected

Three ransomware attacks have been reported by healthcare organizations and vendors in the past few days. The PHI of almost 70,000 patients has potentially been compromised in the attacks. 50,000 Individuals Affected by Ransomware Attack on Delaware Guidance Services for Children and Youth Delaware Guidance Services for Children and Youth (DGS) was forced to pay a ransom to recover files that had been encrypted in a Christmas Day ransomware attack. DGS has not publicly disclosed how much was paid for the decryption keys to unlock the files on its data servers. After recovering files, DGS engaged an IT firm to conduct a forensic analysis to determine whether the attackers had gained access to sensitive information prior to encrypting files. The firm found no evidence to suggest that any protected health information had been compromised or stolen. The attack appeared to have been conducted solely for the purpose of extorting money from DGS. DGS started sending notification letters to the parents and guardians on February 26, 2019 alerting them that sensitive information had been...

Read More
More Than 600,000 Michigan Residents Affected by Wolverine Solutions Breach, Warns AG Nessel
Mar13

More Than 600,000 Michigan Residents Affected by Wolverine Solutions Breach, Warns AG Nessel

Michigan Attorney General Dana Nessel has issued a warning to Michigan residents about the ransomware attack on Detroit-based Wolverine Solutions Group, which she says may have affected more than 600,000 Michigan residents. Nessel has advised all individuals who receive a breach notification letter to sign up for credit monitoring services, to monitor their accounts and EoB statements for signs of fraudulent use of their data, to place a fraud alert on their credit file and to consider freezing their credit file as a protection against fraud and identity theft. The cyberattack on Wolverine Solutions Group occurred on or around September 23, 2018. Critical systems were mostly restored within a month, but it has taken considerably longer to determine which clients had been affected. Some clients were only notified about the extent of the attack in March. While the types of information differ from company to company and individual to individual, the exposed information may include data elements such as names, addresses, dates of birth, social security numbers, insurance contract...

Read More
Business Associate Starts Issuing Notifications About August 2018 Laptop Theft
Mar12

Business Associate Starts Issuing Notifications About August 2018 Laptop Theft

A Massachusetts business associate has discovered the electronic protected health information (ePHI) of 2,088 individuals has potentially been viewed by unauthorized individuals. The ePHI was stored on an employee’s laptop computer that was stolen on August 23, 2018. RSC Insurance Brokerage, dba Re-Solutions, started notifying affected healthcare providers about the breach of their patients’ PHI on January 22, 2019, 5 months after the discovery of the theft of the laptop. According to the breach notice submitted to the California Attorney General, a third-party cyber security firm was called in to help determine what files had been stored on the laptop, the types of information that was accessible, and how many individuals had potentially been impacted. The theft was reported to law enforcement at the time and the employee’s credentials were changed to ensure that the laptop could not be used to access RSC systems. However, files were stored on the laptop and could potentially be accessed as while the device was protected with a password, it was not encrypted. No evidence of...

Read More
20K Patients of Pasquotank-Camden Emergency Medical Services Impacted by Server Hack
Mar11

20K Patients of Pasquotank-Camden Emergency Medical Services Impacted by Server Hack

Pasquotank-Camden Emergency Medical Services (PCEMS) has discovered hackers have infiltrated a server that housed its billing system, which contained the protected health information of 20,420 patients. As a result of the intrusion, the hackers potentially gained access to the highly sensitive information of individuals who had previously received medical services from PCEMS. The types of information stored on the server included names, birth dates, Social Security numbers, and some medical information that had been collected by PCEMS. The breach was reported immediately to the Sheriff of Pasquotank County and federal law enforcement agencies, who determined that the hackers were based outside the United States. No evidence was found to indicate patients’ protected health information was stolen and at the time of issuing notification letters to patients, no reports had been received to suggest patient information had been misused. Since data theft could not be ruled out, PCEMS has offered all affected patients 12 months of free credit monitoring and identity theft protection...

Read More
Emerson Hospital Alerts Patients to May 2018 Breach at Claims Processing Vendor
Mar11

Emerson Hospital Alerts Patients to May 2018 Breach at Claims Processing Vendor

Emerson Hospital in Concord, MA, is alerting 6,314 patients that some of their protected health information has been exposed due to a security breach at a third-party vendor in May 2018. The hospital explained that the breach occurred between May 9 and May 17, 2018 and was an unauthorized disclosure incident. A former employee of MiraMed Global Services, a company that helps the hospital collect payments, was discovered to have sent files containing protected health information to a third-party who was not authorized to receive the information. The files contained the types of information usually sought by identity thieves, including names, addresses, Social Security numbers, and insurance policy information. Financial information and health information were not compromised. The employee responsible was fired over the breach and the matter was reported to law enforcement. It is unclear whether the employee responsible has been charged over the theft. A forensic investigation confirmed that ePHI had been stolen, but a spokesperson for the hospital issued a statement saying, “A...

Read More
‘Dozens’ of Northwestern Memorial Hospital Employees Fired for Accessing Jussie Smollett’s Medical Records
Mar08

‘Dozens’ of Northwestern Memorial Hospital Employees Fired for Accessing Jussie Smollett’s Medical Records

A major case of snooping on celebrity medical records has been reported that has resulted in dozens of healthcare workers being fired from Chicago’s Northwestern Memorial Hospital for allegedly accessing the medical records of Jussie Smollett without authorization. Jussie Smollett reportedly attended the hospital’s emergency room for treatment for injuries sustained in an alleged racially motivated attack by two men on January 29, 2019. Following a police investigation into the alleged attack, Chicago Police Superintendent Eddie Johnson announced that the Empire actor had been arrested on February 21 and charged with disorderly conduct and filing a false police report. The police allege that the attack was a hoax and that it had been staged by Smollett as a publicity stunt. The charges against Smollett were dropped on Tuesday 26, March. After Smollett was treated at Northwestern Memorial Hospital, curiosity got the better of some employees who searched for Smollett on the hospital’s system, some of whom accessed his chart and viewed his medical records. Accessing the medical...

Read More
Covenant Care Email Account Breach Impacts 7,858 Patients
Mar08

Covenant Care Email Account Breach Impacts 7,858 Patients

The Aliso Viejo, CA-based provider of residential care and skilled nursing facilities, Covenant Care, has discovered an unauthorized individual gained access to an employee’s email account and may have viewed or obtained the protected health information of 7,858 patients. On January 29, 2019, suspicious activity was detected in relation to the employee’s email account. Third-party forensics investigators were called in to help determine the nature and scale of the breach. The investigation revealed the email account was compromised on January 22, 2019. Access remained possible until the account was secured on January 29. A review of the compromised email account was completed on February 13, 2019 and confirmed that during the time that the account was accessible, emails and email attachments could have been opened. An analysis of the messages revealed they contained patient information. The information on each patient varied from individual to individual and may have included full name, date of birth, Social Security number, health insurance claim number, medical record number,...

Read More
Beazley Report Reveals Major Increase in Healthcare Hacking and Malware Incidents
Mar07

Beazley Report Reveals Major Increase in Healthcare Hacking and Malware Incidents

The latest Beazley Breach Insights Report confirms healthcare is the most targeted industry sector, accounting for 41% of all breaches reported to Beazley Breach Response (BBR) Services. Across all industry sectors, hacking and malware attacks were the most common cause of breaches and accounted for 47% of all incidents, followed by accidental disclosures of sensitive data (20%), insider breaches (8%), portable device loss/theft (6%), and the loss of physical records (5%). Hacking/malware incidents have increased significantly since 2017, which BBR notes is largely due to a 133% increase in business email compromise (BEC) attacks. Accidental disclosure incidents fell across all industries and insider breaches remained at a similar level to 2017. While hacking/malware incidents were the main cause of breaches in all other industry sectors, in healthcare they were on a par with accidental disclosures of protected health information, each accounting for 31% of reported breaches. Insider data breaches were significantly higher than other industry sectors and accounted for 17% of all...

Read More
Ransomware Attack Impacts up to 400,000 Patients of Columbia Surgical Specialists of Spokane
Mar06

Ransomware Attack Impacts up to 400,000 Patients of Columbia Surgical Specialists of Spokane

A ransomware attack on Columbia Surgical Specialists of Spokane in Washington has potentially allowed unauthorized individuals to access the protected health information of up to 400,000 patients. Columbia Surgical Specialists learned of the ransomware attack on January 9, 2019. The security breach was immediately investigated and assistance was provided by IT security provider Intrinium. Files encrypted by the ransomware were found to contain patient information, which included names, driver’s license numbers, Social security numbers and other types of protected health information. Columbia Surgical Specialists told HIPAA Journal that the data security firm “went through our systems with a fine-tooth comb,” and concluded that patient data had not been stolen by the attackers. “but due to the nature of the ransomware and how the infection first began, there cannot be a guarantee.” Columbia Surgical Specialists believes the risk to patients is very low, and notifications were sent to patients out of an abundance of caution. The vulnerability that was exploited to gain access to the...

Read More
Rush University Medical Center Notifies 45,000 Patients of PHI Incident
Mar05

Rush University Medical Center Notifies 45,000 Patients of PHI Incident

Rush University Medical Center is notifying approximately 45,000 patients that their PHI has been exposed as a result of a data incident at a financial services vendor. Rush learned of the incident on January 22, 2019. An employee of the financial services vendor was discovered to have disclosed a file containing patients’ PHI to an unauthorized third party in May 2018. The types of information in the file varied from patient to patient and may have included names, home addresses, dates of birth, health insurance information, and Social Security numbers. No health information was contained in the file and financial data was not exposed. Rush conducted an investigation into the breach and while no evidence was found to suggest patient information had been misused, affected patients have been offered membership to the Experian IdentityWorks Credit 3B service to protect against identity theft and fraud as a precaution. Affected patients have been advised to monitor their financial accounts and explanation of benefits statements from their insurers for any sign of fraudulent activity....

Read More
St. Francis Physicians Services Notifies Patients of Milestone Family Medicine Data Breach
Mar04

St. Francis Physicians Services Notifies Patients of Milestone Family Medicine Data Breach

Bon Secours St. Francis Health System is notifying patients about a security breach that may have resulted in some of their protected health information (PHI) being viewed/obtained by unauthorized individuals who gained access to the systems of Milestone Family Medicine in Greenville, SC. Milestone Family Medicine was affiliated with St. Francis Physicians Services (SFPS) until February 24, 2019, and had previously employed physicians at the practice. SFPS learned of a security breach at the practice on January 4, 2019 and took steps to secure systems and prevent further unauthorized access. An investigation was launched and, assisted by a third-party computer forensics firm, SFPS determined that one of the servers that was accessed included the PHI of certain patients. The attack appears to have targeted EHR systems that were accessible over the Internet. Internet connections providing access to Milestone Family Medicine systems that are not actively being used have been shut down. The types of information that have been compromised include names, addresses, dates of birth, health...

Read More
January 2019 Healthcare Data Breach Report
Feb25

January 2019 Healthcare Data Breach Report

After a relatively quiet month for healthcare data breaches, breach numbers rose to more typical levels and were reported at a rate of more than one per day in January. There were 33 healthcare data breaches reported in January 2019. January was the second successive month where there was a fall in the number of individuals impacted by healthcare data breaches. January’s healthcare data breaches saw 490,937 healthcare records exposed, stolen or impermissibly disclosed. Largest Healthcare Data Breaches in January 2019   Rank Name of Covered Entity Covered Entity Type Individuals Affected Type of Breach 1 Centerstone Insurance and Financial Services (BenefitMall) Business Associate 111589 Hacking/IT Incident 2 Las Colinas Orthopedic Surgery & Sports Medicine, PA Healthcare Provider 76000 Theft 3 Valley Hope Association Healthcare Provider 70799 Hacking/IT Incident 4 Roper St. Francis Healthcare Healthcare Provider 35253 Hacking/IT Incident 5 Managed Health Services Health Plan 31300 Hacking/IT Incident 6 EyeSouth Partners Business Associate 24113 Hacking/IT Incident 7 Dr....

Read More
UConn Health Phishing Attack Sees PHI of 326,000 Patients Exposed
Feb25

UConn Health Phishing Attack Sees PHI of 326,000 Patients Exposed

UConn Health is notifying approximately 326,000 patients that some of their personal information has been exposed as a result of a phishing attack on some of its employees. UConn Health learned about the phishing attack on December 24, 2018. All email accounts were secured, and an internal investigation was launched. The investigation confirmed that multiple email accounts had been accessed by unauthorized individuals. A third-party computer forensics company was retained to investigate the attack and search for protected health information in emails and email attachments in the compromised accounts. While it was not possible to determine who was responsible for the attack nor whether emails and email attachments in the compromised accounts had been viewed by the attacker(s), PHI access could not be ruled out. UConn Health explained in its substitute breach notice that no reports have been received to indicate any patient information has been misused. The majority of individuals affected by the attack were patients. Some employees have also had personal information exposed....

Read More
Multiple Rutland Regional Medical Center Email Accounts Hacked
Feb25

Multiple Rutland Regional Medical Center Email Accounts Hacked

Rutland Regional Medical Center in Rutland City, the largest community hospital in the state of Vermont, has discovered hackers have gained access to the email accounts of nine employees and potentially viewed/obtained patients’ protected health information. On December 21, 2018, an employee of the medical center noticed that their email account had been used to send large quantities of spam emails and on December 28, 2018, a potential security breach was reported to the medical center’s IT department. The IT department determined, on December 31, that the employee’s email account had been remotely accessed by an unauthorized individual. The account was immediately secured and a third-party forensic expert was called in to conduct an investigation into the breach. While the investigation into the breach is ongoing, the forensics expert concluded on February 6, 2019, that nine email accounts had been compromised between November 2, 2018 and February 6, 2019. The types of sensitive information in the compromised email accounts included patients’ full names, dates of birth, contact...

Read More
Insider Wrongdoing Breach at Kentucky Counseling Center Impacts 16,440 Patients
Feb22

Insider Wrongdoing Breach at Kentucky Counseling Center Impacts 16,440 Patients

Kentucky Counseling Center (KCC) has discovered a list of 16,440 patients has been stolen and disclosed to another individual. A current employee is suspected of accessing and copying patient information without authorization, uploading the data to an anonymous file sharing service, and subsequently sending a hyperlink to the list to a former employee of KCC. The former employee received the link to the patient list on January 6, 2019 and reported the privacy breach to KCC. KCC launched an investigation into the insider breach to determine when the list was obtained and who was responsible. KCC believes the list was downloaded and stolen on December 6, 2018 by a then current employee of KCC. That person is no longer employed at the Counseling Center. The motivations behind the HIPAA violations are unclear – Both the unauthorized access/theft and the subsequent impermissible disclosure to a former employee. KCC explained in its breach notification letter that there is no reason to believe that the list was taken with the intent of causing harm to patients. However, due to the nature...

Read More
PHI of Almost 1 Million UW Medicine Patients Exposed Online
Feb21

PHI of Almost 1 Million UW Medicine Patients Exposed Online

Approximately 974,000 patients of UW Medicine have had their protected health information exposed online due to the accidental removal of protections on a website server. The error resulted in sensitive internal files being indexed by search engines. Internet searches allowed sensitive patient information to be accessed by unauthorized individuals without any need for authentication. Seattle-based UW Medicine discovered a vulnerability on a website server on December 26, 2018, following a tip-off from a patient who was performing a Google search of their own name. An investigation was launched to determine how information was exposed, for how long, and how many patients had potentially been affected. UW Medicine determined that an error had been made in the configuration of a database which resulted in internal files being temporarily available over the Internet. The server misconfiguration occurred on December 4, 2019. The incident was attributed to human error. Ironically, the exposed database was used by UW Medicine to keep track of patient health information disclosures. The...

Read More
Patients Receive Notifications of PHI Theft 8 Months After Business Associate Data Breach was Detected
Feb19

Patients Receive Notifications of PHI Theft 8 Months After Business Associate Data Breach was Detected

Sharecare Health Data Services (SHDS), a San Diego company that provides secure electronic exchange and medical records management services for healthcare organizations, has alerted some of its clients that hackers gained access to parts of its systems that contained sensitive patient information. SHDS detected abnormal network activity on June 26, 2018, prompting an in-depth investigation. The investigation revealed hackers gained access to systems containing protected health information as early as May 21, 2018. Access remained possible until June 26, 2018, during which time PHI was accessed and exfiltrated by the hackers to locations outside the U.S. SHDS engaged the services of cybersecurity firm Mandiant to assist with the forensic investigation of the breach. The breach was also reported to the FBI and SHDS has been assisting with its investigation. SHDS has since taken steps to enhance security and prevent further breaches. Data retention policies have been revised, maintenance communications and protocols have been improved to ensure continuity across its network, and SHDS...

Read More
30,000 Patients Notified of Phishing Incident at Memorial Hospital at Gulfport
Feb18

30,000 Patients Notified of Phishing Incident at Memorial Hospital at Gulfport

Memorial Hospital at Gulfport, MS, is notifying approximately 30,000 patients that some of their protected health information has potentially been accessed by an unauthorized individual as a result of a phishing incident. Memorial Hospital discovered a breach of an employee’s email account on December 17, 2018. The compromised account was immediately secured and an investigation was launched to determine the extent of the breach. The investigation revealed the employee responded to a phishing email on December 6, 2018, which gave the attacker access to patients’ protected health information stored in emails and email attachments. Memorial Hospital reports that the breach was limited to names, dates of birth, health insurance information, and information about medical services received at the hospital. A small number of Social Security numbers were also contained in the compromised email account. Patients affected by the incident were notified by mail on February 15, 2019. Complimentary credit monitoring services have been offered to all patients whose Social Security numbers were...

Read More
16-Month Malware Infection at Florida Pulmonary & Sleep Medicine Center Impacts 42,000 Patients
Feb15

16-Month Malware Infection at Florida Pulmonary & Sleep Medicine Center Impacts 42,000 Patients

AdventHealth Medical Group’s Pulmonary & Sleep Medicine in Tavares, FL, formerly known as Lake Pulmonary Critical Care, has discovered hackers gained access to its systems and may have viewed or obtained the protected health information of up to 42,161 patients. Hackers first gained access to the Pulmonary & Sleep Medicine center’s systems in August 2017 as a result of the installation of malware. The malware infection was not discovered until December 27, 2018. The malware was removed and its systems were secured and an investigation was launched to determine the extent of the breach and which patients had been affected. The investigation revealed the hackers gained access to parts of its system where patients’ protected health information was stored. The information that was potentially accessed included names, addresses, email addresses, telephone numbers, dates of birth, health insurance information, Social Security numbers, medical histories, and the race, gender, weight, and height of patients. It is unclear how the malware was installed and why it took 16 months to...

Read More
Anesthesia Associates of Kansas City Discovers Theft of Patient Schedules
Feb13

Anesthesia Associates of Kansas City Discovers Theft of Patient Schedules

Paperwork containing patient information has been stolen from an employee of Anesthesia Associates of Kansas City. The incident occurred on December 14, 2018. The employee had left a bag containing patient schedules in his vehicle. Thieves broke into the vehicle and stole the bag and paperwork. Anesthesia Associates of Kansas City learned of the incident on December 16, 2018 and launched an investigation to determine what paperwork had been stolen. It was not possible to determine with a high degree of certainty exactly which schedules were in the stolen bag. Consequently, the decision was taken to issue notification letters to all patients who had undergone surgical treatment between April 4, 2018 and December 14, 2018. The types of information listed in patient schedules includes names, birth dates, types of surgical procedures, dates of surgery, and the name of the surgeon. Schedules do not contain sensitive information such as addresses, Social Security numbers, insurance information, and financial information. The theft was reported to law enforcement but neither the bag nor...

Read More
United Hospital District Phishing Attack Impacts 2,143 Patients
Feb13

United Hospital District Phishing Attack Impacts 2,143 Patients

Blue Earth, MN-based United Hospital District has discovered patient information was exposed and potentially accessed by an unauthorized individual as a result of a June 2018 phishing attack. The phishing incident resulted in the compromise of a single email account, the credentials to which were obtained as a result of an employee responding to a phishing email. The substitute breach notice on the healthcare provider’s website indicates the account was compromised between June 10, 2018 and June 27, 2018. An in-depth analysis of the compromised account was conducted by third-party cybersecurity professionals who determined on December 12, 2018, that patient information had potentially been accessed. Emails and file attachments in the account were found to contain the protected health information of 2,143 patients. The types of information contained in the email account varied from patient to patient and may have included names, addresses, internal patient identification numbers, health insurance information and, for a limited number of affected patients, diagnoses, treatment...

Read More
2019 Data Breach Barometer Report Shows Massive Increase in Exposed Healthcare Records
Feb13

2019 Data Breach Barometer Report Shows Massive Increase in Exposed Healthcare Records

Protenus has released its 2019 Breach Barometer report: An analysis of healthcare data breaches reported in 2018. The data for the report came from Databreaches.net, which tracks data breaches reported in the media as well as breach notifications sent to the Department of Health and Human Services’ Office for Civil Rights and state attorneys general. The report shows there was a small annual increase in the number of healthcare data breaches but a tripling of the number of healthcare records exposed in data breaches. According to the report, there were 503 healthcare data breaches reported in 2018, up from 477 in 2017. 2017 was a relatively good year in terms of the number of healthcare records exposed – 5,579,438 – but the number rose to 15,085,302 exposed healthcare records in 2018. In 2017, March was the worst month of the year in terms of the number of records exposed and there was a general downward trend in exposed records throughout the rest of the year. In 2018, there was a general increase in exposed records as the year progressed. The number of exposed records increased...

Read More
7,000 Patients Notified About Pawnee County Memorial Hospital Malware Attack
Feb11

7,000 Patients Notified About Pawnee County Memorial Hospital Malware Attack

Pawnee County Memorial Hospital in Pawnee City, Nebraska, is alerting 7,038 patients that some of their protected health information has potentially been accessed by a hacker. On November 29, 2018, the hospital learned that malware had been installed which allowed an unauthorized individual to gain access to its email system. Malware was injected into the hospital’s email system when an employee opened a malicious email attachment. According to Pawnee County Memorial Hospital’s substitute breach notice, the email appeared to have been sent from a trusted source and the email attachment seemed genuine. Assisted by a third-party computer forensics expert, the hospital determined that the email attachment had been opened on November 16, 2018. The hacker was able to access employees’ email accounts from November 16 to November 24. The compromised email accounts contained a range of business reports, clinical reports, clinical summaries, and other internal documents. Those documents contained patients’ full names along with one or more of the following data elements: Date of birth,...

Read More
EyeSouth Partners Email Account Breach Impacts 24,000 Patients of Georgia Eye Associates
Feb08

EyeSouth Partners Email Account Breach Impacts 24,000 Patients of Georgia Eye Associates

EyeSouth Partners has announced that a hacker has gained access to an employee’s email account and has potentially viewed/obtained the electronic protected health information (ePHI) of as many as 24,000 patients. EyeSouth Partners is a business associate of Georgia Eye Associates, South Georgia Eye Partners, Cobb Eye Center, and Georgia Ophthalmology Associates. On October 25, 2018, EyeSouth Partners became aware that an unauthorized individual had gained access to the email account of one of its employees. Prompt action was taken to secure the email account and assess the security of its systems. Procedures were also implemented to enhance information security safeguards to prevent any further email account breaches. The breach investigation revealed the hacker first gained access to the email account on September 11, 2018. Access remained possible until October 25. Third-party computer forensics experts were hired to assist with the investigation and determine which patients had had their ePHI exposed. On December 19, 2018, EyeSouth Partners was informed that the hacker had...

Read More
OCR Settles Cottage Health HIPAA Violation Case for $3 Million
Feb08

OCR Settles Cottage Health HIPAA Violation Case for $3 Million

The Department of Health and Human Services’ Office for Civil Rights (OCR) has agreed to settle a HIPAA violation case with the Santa Barbara, CA-based healthcare provider Cottage Health for $3,000,000. Cottage Health operates four hospitals in California – Santa Barbara Cottage Hospital, Santa Ynez Cottage Hospital, Goleta Valley Cottage Hospital and Cottage Rehabilitation Hospital. In 2013 and 2015, Cottage Health experienced two security incidents that resulted in the exposure of the electronic protected health information (ePHI) of 62,500 patients. In 2013, Cottage Health discovered a server containing patients’ ePHI had not been properly secured. Files containing patients’ ePHI could be accessed over the internet without the need for a username or password. Files on the server contained patient names, addresses, dates of birth, diagnoses, conditions, lab test results and other treatment information. Another server misconfiguration was discovered in 2015. After responding to a troubleshooting ticket, the IT team removed protection on a server which similarly exposed...

Read More
Settlement Reached in Community Health Systems 4.5 Million-Record Data Breach Case
Feb05

Settlement Reached in Community Health Systems 4.5 Million-Record Data Breach Case

Community Health Systems’ (CHS) patients whose protected health information (PHI) was stolen in a cyberattack in 2014 have been offered compensation for the theft of their PHI. Tennessee-based Community Health Systems operates over 200 hospitals, making it one of the largest healthcare systems in the U.S. In 2014, CHS discovered malware had been installed on its network. The malware allowed unauthorized individuals to gain access to patient information between April and June 2014. The cyberattack is believed to have been conducted by threat actors based in China. An advanced malware variant was used in the attack, which had the sole purpose of obtaining sensitive information. An investigation into the breach confirmed that patient data including names, addresses, phone numbers, dates of birth, and Social Security numbers had been exfiltrated. The PHI of 4.5 million patients was stolen by the attackers. At the time it was the largest healthcare data breach to be reported to the Department of Health and Human Services’ Office for Civil Rights and still ranks as one of the top six...

Read More
Malware Attack Reported by Minnesota Infertility Clinic
Feb05

Malware Attack Reported by Minnesota Infertility Clinic

Malware has been installed on the network of Reproductive Medicine and Infertility Associates: A Woodbury, MN, infertility clinic. While no evidence was uncovered to suggest any patient information was accessed or exfiltrated by the malware, the possibility of a data breach could not be ruled out. The malware attack was detected by the clinic on December 5, 2018 and a third-party computer forensics firm was hired to investigate and clean the malware from its systems. While the malware was successfully removed, it was not possible to determine exactly how it was installed on the network. Information stored on systems potentially accessible by the malware included names, dates of birth, addresses, treatment information, health insurance information, and donors’ Social Security numbers. All individuals whose PHI was exposed were notified about the incident on February 1, 2019. As a precaution against fraud, all individuals affected by the breach have been offered complimentary identity theft monitoring services. Anti-malware defenses have now been improved, which include an additional...

Read More
23,500 Patients Impacted by Connecticut Eye Clinic Ransomware Attack
Feb05

23,500 Patients Impacted by Connecticut Eye Clinic Ransomware Attack

Dr. DeLuca Dr. Marciano & Associates, P.C., a primary eye care clinic in Prospect, CT, has experienced a ransomware attack that has resulted in the encryption of files containing patients’ protected health information. The attack occurred on November 29, 2018. Prompt action was taken to shut down the network to prevent the spread of the infection, but it was not possible to stop the encryption of files on two servers used to store patient-related files. A ransom demand was received but no payment was made. The encrypted files were successfully restored from backups. An investigation of the breach revealed that the two servers affected by the attack contained patient files that included information such as patient names, Social Security numbers, and some treatment information. Dr. DeLuca Dr. Marciano & Associates has taken steps to prevent further cyberattacks, which include closing remote access to the network, implementing technical solutions to protect against ransomware, and enhancing its anti-virus software. While there is no indication that patient information was...

Read More
12,000 Patients Impacted by Valley Professionals Community Health Center Phishing Attack
Feb04

12,000 Patients Impacted by Valley Professionals Community Health Center Phishing Attack

Valley Professionals Community Health Center in Indiana has experienced a phishing attack that has resulted an employee’s email account being accessed by an unauthorized individual. Phishing attacks often involve the impersonation of companies. In this case, the attacker impersonated a healthcare organization that had previously worked with Valley Professionals Community Health Center. The supposed sender of the email was known to staff at the health center and the email appeared genuine. On November 27, 2018, Valley Professionals Community Health Center detected suspicious activity relating to the employee’s email account. Prompt action was taken to secure the account and an investigation was launched to determine the cause of the activity. Assistance was provided by a third-party computer forensics company, which determined that the account had been accessed by an unauthorized individual between October 26 and November 27, 2018. The emails in the account contained information such as patient names, addresses, dates of birth, Social Security numbers, medical record numbers,...

Read More
13 Accounts Compromised in Roper St. Francis Healthcare Phishing Attack
Feb04

13 Accounts Compromised in Roper St. Francis Healthcare Phishing Attack

A large-scale phishing attack on Charleston, SC-based Roper St. Francis Healthcare has seen attackers gain access to the email accounts of 13 employees. The phishing attack was detected on November 30, 2018 and action was taken to block access to a corporate email account. The investigation into the breach revealed further email accounts had been compromised. The affected accounts were accessed by the attacker between November 15 and December 1, 2018. A third-party computer forensics firm was hired to investigate the breach, which revealed some of the compromised accounts contained patient information including names, medical record numbers, health insurance information, details about services received from Roper St. Francis Healthcare, and for a limited number of patients, Social Security numbers and financial information. All affected patients were notified by mail on January 25, 2019 and have been offered complimentary credit monitoring services. While PHI was potentially accessed, no reports have been received to suggest any PHI has been misused. The HHS’ Office for Civil...

Read More
Aetna Settles HIV Status Breach Case with California AG for $935,000
Feb01

Aetna Settles HIV Status Breach Case with California AG for $935,000

Hartford, CT-based health insurer Aetna has agreed to pay the California Attorney General $935,000 to resolve alleged violations of state laws related to a 2017 privacy breach that exposed state residents’ HIV status. On July 28, 2017, Aetna’s mailing vendor sent letters to plan members who were receiving HIV medications or pre-exposure prophylaxis to prevent them from contracting HIV. The letters contained instructions for their HIV medications; however, information about the HIV medications was clearly visible through the window of the envelopes, resulting in the impermissible disclosure of highly sensitive information to postal workers, friends, family members, and roommates.  Approximately 12,000 individuals were sent letter, 1,991 of whom lived in California. The privacy breach was a violation of HIPAA Rules, and according to California Attorney General Xavier Becerra, also a violation of several California laws including the Unfair Competition Law, the Confidentiality of Medical Information Act, the Health and Safety Code (section 120980), and the State Constitution. In...

Read More
FABEN Obstetrics and Gynecology Informs 6,092 Patients of Ransomware-Related Data Loss
Jan31

FABEN Obstetrics and Gynecology Informs 6,092 Patients of Ransomware-Related Data Loss

Jacksonville, FL-based FABEN Obstetrics and Gynecology has experienced a ransomware attack on a server that housed patients’ protected health information (PHI). The ransomware was detected on November 21, 2018 and resulted in widespread file encryption. An investigation was launched to determine the extent of the attack and whether any patients’ PHI was accessed or stolen by the attackers. An analysis of the files on the server confirmed that files containing patients’ PHI had been encrypted. FABEN determined that the attackers had not accessed the files and that no data had been exfiltrated from the server. The ransomware variant used in the attack was GandCrab. While free decryptors have been made available for some GandCrab ransomware variants, they do not work on the latest versions of the ransomware. A ransom demand was received by FABEN although the decision was taken not to pay the attackers for the key to decrypt the files. The files that had been encrypted were created between January 2007 and April 10, 2017, and included clinical electronic medical records containing...

Read More
Thieves Stole Devices Containing PHI of 7,200 Patients of Integrity House
Jan30

Thieves Stole Devices Containing PHI of 7,200 Patients of Integrity House

A burglary at the offices of the addiction treatment services provider Integrity House has resulted in the exposure of patients’ protected health information. Several electronic devices were stolen in the burglary, including desktop computers, laptop computers and tablets. An investigation by the Integrity House IT team confirmed that some patients’ protected health information was stored on the devices. The burglary was discovered by staff on November 25, 2018. Law enforcement was notified but the stolen devices have not been recovered. The IT department determined that one of the stolen devices contained information such as names, birth dates, Social Security numbers, health insurance information, and a limited amount of treatment information. While it is probable that the devices were stolen for their resale value rather than any sensitive information they contained, it is possible that patient information could be accessed and may be misused. Consequently, as a precaution, Integrity House has offered all affected individuals free identity theft protection and credit monitoring...

Read More
PHI Exposed in Verity Health System Phishing Attack
Jan29

PHI Exposed in Verity Health System Phishing Attack

Verity Health System, a Redwood City-based network of 6 hospitals in California, has announced that the protected health information of certain patients has potentially been compromised as a result of a November 27, 2018 phishing attack. The Office 365 credentials of a Verity Health employee were obtained by a hacker as a result of a response to a phishing email. For a period of approximately one and a half hours, an unauthorized individual gained access to the employee’s email account and sent further phishing emails to Verity Health employees and other individuals in the employee’s contact list. The emails contained a hyperlink that directed the recipients to a malicious website. An investigation into the breach confirmed that none of the recipients of the phishing emails had disclosed their login credentials. The aim of the attacker appeared to be to gain access to further account credentials rather than to obtain sensitive data contained in the compromised account; however, it is possible that some patients’ personal information was viewed or possibly obtained while account...

Read More
Analysis of 2018 Healthcare Data Breaches
Jan28

Analysis of 2018 Healthcare Data Breaches

Our 2018 healthcare data breach report reveals healthcare data breach trends, details the main causes of 2018 healthcare data breaches, the largest healthcare data breaches of the year, and 2018 healthcare data breach fines. The report was compiled using data from the Department of Health and Human Services’ Office for Civil Rights (OCR). 2018 Was a Record-Breaking Year for Healthcare Data Breaches Since October 2009, the Department of Health and Human Services’ Office for Civil Rights has been publishing summaries of U.S. healthcare data breaches. In that time frame, 2,545 healthcare data breaches have been reported. Those breaches have resulted in the theft, exposure, or impermissible disclosure of 194,853,404 healthcare records. That equates to the records of 59.8% of the population of the United States. The number of reported healthcare data breaches has been steadily increasing each year. Except for 2015, the number of reported healthcare data breaches has increased every year. In 2018, 365 healthcare data breaches of 500 or more records were reported, up almost 2% from the...

Read More
23,300 Patients Affected by Critical Care, Pulmonary & Sleep Associates Email Hack
Jan28

23,300 Patients Affected by Critical Care, Pulmonary & Sleep Associates Email Hack

Critical Care, Pulmonary & Sleep Associates (CCPSA) in Colorado has experienced a data breach that has impacted more than 23,300 patients. An email account breach was detected by CCPSA on November 23, 2018 when suspicious activity was detected related to an employee’s email account. The account appeared to have been used to send phishing emails to individuals in the employee’s contact list. Those emails attempted to convince the recipients to make fraudulent payments. Action was promptly taken to lock the hacker out of the account and the entire email environment was secured. All users were required to set new, complex passwords. A third-party computer forensics firm was hired to investigate the attack and determine the scale of the breach. That investigation was concluded on December 14, 2018. The investigation revealed the attacker had gained access to multiple email accounts between August 14 and November 23, 2018. The breach was determined to be limited to the email system. Its medical record system was unaffected. An analysis of the compromised email accounts revealed they...

Read More
Stolen Hard Drive Contained PHI of 76,000 Texas Patients
Jan25

Stolen Hard Drive Contained PHI of 76,000 Texas Patients

All-Star Orthopaedics is alerting patients of Irving, TX-based Las Colinas Orthopedic Surgery & Sports Medicine, PA, that some of their protected health information (PHI) was stored on a hard drive that has been stolen. The hard drive contained X-ray and other diagnostic images of 76,000 patients, along with patients’ names and dates of birth. The hard drive was not encrypted, but special software is required to access the images. The image files would need to be opened in order to see patients’ names and dates of birth. The hard drive was stolen on November 20, 2018 and the theft was reported to the Department of Health and Human Services’ Office for Civil Rights on January 18, 2019. Breach notification letters have now been sent to all affected patients. The theft has prompted All-Star Orthopaedics to implement new security protocols and all portable hard drives will now be encrypted prior to transport. Dermacare Brickell Data Breach Impacts 1,800 Patients On November 20, 2018, the Miami medical practice Dermacare Brickell discovered paperwork containing the PHI of around...

Read More
Alaska Department of Health and Social Services Revises 2018 Breach Victim Total from 501 to 500K-700K
Jan24

Alaska Department of Health and Social Services Revises 2018 Breach Victim Total from 501 to 500K-700K

A laptop computer malware infection discovered by the Alaska Department of Health and Social Services (ADHSS) in April 2018 was initially thought to have potentially allowed hackers to gain access to the electronic protected health information (ePHI) of 501 individuals; however, the breach has been determined to be far more extensive than was initially thought. On January 22, 2019, state officials said the malware potentially allowed the attackers to access and obtain the ePHI of between 500,000 and 700,000 individuals and that notification letters to the additional breach victims people had started to be sent. Two days later, the number of breach victims was revised to 87,000 individuals. The malware variant used in the attack was a variant of the Zeus/Zbot Trojan – An information stealer. The individuals whose ePHI was potentially obtained by the hackers had interacted at some point with the Department of Public Assistance (DPA) through the DPA Northern regional offices. Last year, ADHSS said the laptop had accessed sites in Russia, had unauthorized software installed, and other...

Read More
Valley Hope Association Notifies Patients of Email Account Breach
Jan22

Valley Hope Association Notifies Patients of Email Account Breach

Valley Hope Association has announced that an unauthorized individual has gained access to the email account of an employee. Valley Hope Association became aware of a potential account breach on October 10, 2018, when unusual account activity was detected. Prompt action was taken to prevent further account access and a third-party computer forensics firm was hired to determine the nature and scope of the breach. The investigation confirmed on November 23, 2018, that an unauthorized individual had accessed a single email account between October 9-10, 2018, and potentially viewed emails and attachments containing patients’ protected health information. After a thorough review of all emails and email attachments, the forensics firm confirmed that certain patients’ PHI may have been accessed. The types of information contained in the emails varied from patient to patient and may have included one or more of the following data elements: Name, address, date of birth, Social Security number, medication and prescription information, claims and billing information, medical record number,...

Read More
December 2018 Healthcare Data Breach Report
Jan22

December 2018 Healthcare Data Breach Report

November was a particularly bad month for healthcare data breaches, so it is no surprise that there was an improvement in December. November was the worst month of the year in terms of the number of healthcare records exposed (3,230,063) and the second worst for breaches (34). December was the second-best month for healthcare data breaches with 23 incidents reported, only one more than January. In total, 516,370 records were exposed, impermissibly disclosed, or stolen in breaches reported in December: A considerable improvement on November. Were it not for the late reporting of the Adams County breach, December would have been the best month of the year to date in terms of the records exposed. The Adams County breach was experienced in March 2018, confirmed on June 29, yet reporting to OCR was delayed until December 11. Largest Healthcare Data Breaches in December 2018 Rank Name of Covered Entity Covered Entity Type Individuals Affected Type of Breach 1 Adams County Healthcare Provider 258,120 Unauthorized Access/Disclosure 2 JAND Inc. d/b/a Warby Parker Healthcare Provider 177,890...

Read More
Physician Receives Probation for Criminal HIPAA Violation
Jan18

Physician Receives Probation for Criminal HIPAA Violation

A physician who pleaded guilty to a criminal violation of HIPAA Rules has received 6 months’ probation and has escaped a jail term and fine. The case concerned the wrongful disclosure of patients’ PHI to a pharmaceutical firm. The case was prosecuted by the Department of Justice in Massachusetts in conjunction with a case against Massachusetts-based pharma firm Aegerion. In September 2017, the Novelion Therapeutics subsidiary Aegerion agreed to plead guilty to mis-branding the prescription drug Juxtapid. The case also included deferred prosecution related to criminal liability under HIPAA for causing false claims to be submitted to federal healthcare programs for the drug. Aegerion admitted to conspiring to obtain the individually identifiable health information of patients without authorization for financial gain, in violation of 42 U.S.C. §§ 1320d-6(a) and 1320-6(b)(3) and HIPAA Rules. Aegerion agreed to pay more than $35 million in fines to resolve criminal and civil liability. The DOJ also charged a Georgia-based pediatric cardiologist with criminal violations of HIPAA Rules...

Read More
PHI of Almost 1,000 Lebanon VA Medical Center Patients Impermissibly Disclosed
Jan17

PHI of Almost 1,000 Lebanon VA Medical Center Patients Impermissibly Disclosed

Lebanon VA Medical Center in Pennsylvania has discovered the protected health information of hundreds of elderly patients has been impermissibly disclosed to a family member of a veteran. In November 2018, a member of staff at Lebanon VA Medical Center emailed a document to a family member of a veteran who was searching for nursing home facilities. The list should have contained nursing home facilities that work with the Department of Veteran Affairs; however, a historical list of residents of nursing homes was sent in error. The list contained veterans’ names, abbreviated Social Security numbers, the nursing home where the veteran had been admitted, diagnoses, and service-connection disability rating percentages. “Lebanon VA Medical Center and our employees take our responsibility to protect patient information very seriously,” explained Lebanon VA privacy officer Tonya Hromco. “Along with assistance from national offices, we immediately investigated this inadvertent, unauthorized release of information which occurred in late November.” The incident was an isolated error and steps...

Read More
New Massachusetts Data Breach Notification Law Enacted
Jan16

New Massachusetts Data Breach Notification Law Enacted

A new Massachusetts data breach notification law has been enacted. The new legislation was signed into law by Massachusetts governor Charlie Baker on January 10, 2019 and will come into effect on April 11, 2019. The new legislation updates existing Massachusetts data breach notification law and introduces new requirements for notifications. Under Massachusetts law, a breach is defined as the unauthorized acquisition or use of sensitive personal information that carries a substantial risk of identity theft or fraud. Notifications must be issued if one or more of the following data elements are obtained by an unauthorized individual along with an individual’s first name and last name or first initial and last name. Social Security number Driver’s license number State issued ID card number Financial account number, or credit/ debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account. As with the previous law, there is no set timescale for issuing breach...

Read More
111K Individuals Notified of 4-Month Email Account Compromise
Jan15

111K Individuals Notified of 4-Month Email Account Compromise

Centerstone Insurance and Financial Services, operating as BenefitMall, has started notifying more than 111,000 individuals that some of their protected health information has been exposed, and potentially stolen, in a recent email security incident. Dallas, TX-based BenefitMall is a provider of employee benefits, payroll, HR, and employer services and employs more than 20,000 advisors, brokers, and CPAs across the country. The company is a business associate of several HIPAA-covered entities. On October 11, 2018, the company became aware that email accounts used by its employees had been accessed by an unauthorized individual. A third-party computer forensics firm was retained and an internal investigation was conducted to assess the nature and scope of the breach. The investigation revealed the first email accounts had been compromised in June 2018 and further email accounts were breached and accessed up to October 11 when the attack was detected. Prompt action was taken to secure the compromised email accounts and prevent further remote email account access. The email accounts...

Read More
Sacred Heart Rehabilitation Center Notifies Patients of Phishing Incident
Jan11

Sacred Heart Rehabilitation Center Notifies Patients of Phishing Incident

Memphis, MI-based Sacred Heart Rehabilitation Center, a provider of substance abuse treatment and care services for patients diagnosed with HIV/AIDS, has discovered an unauthorized individual has gained access to the email account of an employee following a response to a phishing email. The email account was breached between April 5 and April 7, 2018. It is unclear when the phishing attack was detected by the rehabilitation center, but the investigation into the breach concluded in November and revealed the account contained some patients’ protected health information. Individuals whose PHI was exposed were sent notification letters on January 9, 2018. The types of information contained in the compromised account included patients’ names, home addresses, diagnoses, treatment information, health insurance information, and Social Security numbers. The number of patients affected by the breach has not been publicly disclosed at this point and the breach has not yet been listed on the Department of Health and Human Services’ Office for Civil Rights breach portal. Sacred Heart...

Read More
Solis Mammography Notifies 500 Patients of PHI Exposure
Jan09

Solis Mammography Notifies 500 Patients of PHI Exposure

An unencrypted laptop computer has been stolen from Ben-Ora, Hansen, Vanesian Imaging Ltd., dba Solis Mammography. Solis Mammography learned on October 17, 2018 that the laptop had been stolen from its Phoenix, AZ clinic and reported the theft to law enforcement. To date the device has not been recovered. Attempts were made to reconstruct the data stored assisted by a leading computer forensics firm. While the investigation confirmed that some patients’ protected health information had been downloaded to the device, it was not possible to ascertain the exact information that had been exposed. Solis Mammography believes information such as patients names, birth dates, health insurance information, lab test results, medical images, and other information could have been stored on the device and have potentially been accessed by the individual in possession of the computer. Solis Mammography does not believe any financial information was downloaded onto the laptop. Solis Mammography has taken steps to further secure patient information including strengthening access controls and...

Read More
Phishing Attack Impacts 2,200 Kent County Community Mental Health Authority Patients
Jan09

Phishing Attack Impacts 2,200 Kent County Community Mental Health Authority Patients

Starting on October 28, 2018, Kent County Community Mental Health Authority, dba Network180, experienced a targeted phishing attack. As is common in advanced phishing attacks, the emails appeared to have been sent from a trusted source. Between November 2 and November 13, three employees responded to the emails and disclosed their credentials, which allowed their encrypted email accounts to be accessed by an unauthorized individual. At least one of the compromised email accounts contained the protected health information (PHI) of patients. A wide range of PHI was included in the emails stored in the compromised account. The types of information that could potentially have been accessed by the attacker varied from patient to patient, but may have included names, addresses, dates of birth, Medicaid/Medicare ID numbers, Internal ID numbers, Waiver Support Application (WSA) numbers, names of healthcare providers, schools that were attended, names of relatives, ethnicity/race, and the Social Security numbers of 20 patients. No financial information is believed to have been exposed. The...

Read More
31,876 Managed Health Services of Indiana Health Plan Members Notified of Impermissible Disclosure of PHI
Jan08

31,876 Managed Health Services of Indiana Health Plan Members Notified of Impermissible Disclosure of PHI

Managed Health Services, the Indianapolis, IN-based managed care entity that runs the Hoosier Healthwise and Hoosier Care Connect Medicaid programs, has discovered the protected health information (PHI) of 31,876 plan members has potentially been disclosed in two separate breaches that were announced in December 2018. 31,300 Plan Members Notified of Phishing-Related PHI Breach A phishing attack on a business associate of Managed Health Services has potentially resulted in the disclosure of some plan members PHI. On or around July 30, 2018, employees of LCP Transportation responded to phishing emails and provided the attacker with credentials that allowed their email accounts to be remotely accessed. LCP Transportation disabled the affected email accounts on September 7, 2018. A third-party computer forensics firm was hired to assist with the investigation. While no evidence of PHI misuse has been detected, it is possible that emails in the accounts were accessed by the attacker. Some of the emails in the compromised accounts contained plan members’ PHI including names, addresses,...

Read More
1,080 Chaplaincy Health Care Patients Potentially Impacted by Phishing Attack
Jan07

1,080 Chaplaincy Health Care Patients Potentially Impacted by Phishing Attack

Chaplaincy Health Care, a not-for-profit healthcare provider based in Richland, WA, has experienced a phishing attack that has resulted in the exposure of 1,080 patients’ protected health information. The phishing attack occurred on November 20, 2018 and was discovered within 4 hours. Prompt action was taken to block unauthorized access and a third-party computer forensics firm was hired to assist with the breach investigation. The investigation confirmed that a single email account was accessed by the attacker. After gaining access to the email account, the attacker attempted to access further accounts. The breach was discovered when the employee was alerted that her account had been used to send a phishing email to an email contact. No evidence was uncovered to suggest any patient health information was viewed or copied but, out of an abundance of caution, all patients affected by the breach have been offered complimentary credit monitoring and identity theft protection services through LifeLock for 12 months. Patients were notified about the breach on January 3, 2019. The firm...

Read More
Ransomware Attack on Podiatric Offices of Bobby Yee Impacts 24,000 Patients
Jan07

Ransomware Attack on Podiatric Offices of Bobby Yee Impacts 24,000 Patients

A ransomware attack on the Podiatric Offices of Bobby Yee has resulted in the encryption of files containing the protected health information (PHI) of up to 24,000 patients and other individuals. The attack took place on October 29, 2018. Medical records were encrypted by the ransomware along with files containing information such as full name, address, contact telephone number(s), gender, birth date, Social Security number, and health insurance information. Prompt action was taken to protect patient data and an investigation into the breach did not uncover any evidence to suggest the attacker viewed or copied any patients’ PHI. The Podiatric Offices of Bobby Yee explained in a December 20, 2018, press release “We may need to reconfirm or reconstruct the information, including your medical information.” It is unclear whether the ransom was paid to obtain the key to decrypt patient data or whether files were recovered from backups. Humana Insurance Applicants Affected by Bankers Life Data Breach Humana has announced that certain insurance applicants have had some of their personal...

Read More
Advertising Expenditures Increase 64% Following a Healthcare Data Breach
Jan07

Advertising Expenditures Increase 64% Following a Healthcare Data Breach

A recent study has explored the relationship between advertising expenditures and healthcare data breaches. The study shows hospitals significantly increase advertising spending following a data breach. Healthcare Data Breaches Are the Costliest to Mitigate Healthcare data breaches are the most expensive to mitigate, far higher than breaches in other industry sectors. According to the Ponemon Institute/IBM Security’s 2018 cost of a data breach study, healthcare data breaches cost, on average, $408 per lost or stolen record. The costs are double, or in some cases almost triple, those in other industry sectors. Healthcare data breaches are the most expensive to mitigate, far higher than breaches in other industry sectors. Click To Tweet In addition to the high costs of mitigating the breaches, the same study confirmed that loss of patients to competitors is a very real threat. Data breaches cause damage to a brand and trust in an organization can be easily lost when confidential personal information is exposed or stolen. The Ponemon Institute study revealed healthcare organizations...

Read More
Blue Cross Blue Shield of Michigan Members Notified of Business Associate Ransomware Attack
Jan04

Blue Cross Blue Shield of Michigan Members Notified of Business Associate Ransomware Attack

A business associate of Blue Cross Blue Shield of Michigan has experienced a ransomware attack that has potentially resulted in the theft of plan members’ protected health information. This is the second data breach affecting Blue Cross Blue Shield of Michigan plan members to be reported in December. Some plan members’ PHI was stored on a laptop computer that was stolen from a different business associate. The latest breach was experienced by Austin, TX-based Wolverine Solutions Group, a vendor that provides business services to Blue Cross Blue Shield of Michigan and several other healthcare clients. On September 23, 2018, ransomware was installed on its network that resulted in the encryption of files on servers and workstations, including files containing protected health information. A third-party computer forensics firm conducted an investigation into the breach but found no evidence of data exfiltration; however, data theft could not be entirely ruled out. The types of information that was potentially accessed and copied included demographic data, health plan contract numbers,...

Read More
Email Account Breach Impacts Thousands of Choice Rehabilitation Residents
Jan03

Email Account Breach Impacts Thousands of Choice Rehabilitation Residents

Choice Rehabilitation of Creve Coeur, MO, has discovered an unauthorized individual hacked into a corporate email account of one of its employees and set up a mail forwarder to send emails to a personal email account. The breach occurred on July 1, 2018 and the mail forwarder remained active until September 30, 2018. A detailed analysis of the email account revealed the protected health information of certain residents was included in billing documents attached to emails that had been sent to its associated skilled nursing facilities. Highly sensitive information such as financial data, Social Security numbers, Medicare and Medicaid numbers, dates of birth and contact information remained secure at all times. The breach was limited to billing information related to physical, speech, and occupational therapy provided to patients such as names, payor information, medical record numbers, start and end dates of therapy, diagnoses, treatment information, billing codes, and the name of the facility where care was provided. Upon discovery of the breach, access to the compromised email...

Read More
Vendor of Dental Center of Northwest Ohio Suffers Ransomware Attack
Jan02

Vendor of Dental Center of Northwest Ohio Suffers Ransomware Attack

Current and former patients of the Dental Center of Northwest Ohio in Toledo, OH, are being notified that some of their protected health information has potentially been compromised as a result of a ransomware attack on one of its vendors. Arakyta, a managed IT service provider, notified the dental center on September 1, 2018, of a security breach on a server hosting certain dental center systems. Assisted by third-party computer experts, the dental center determined on November 7, 2018, that an unknown, unauthorized individual had gained access to the server and had potentially viewed or copied patient data. No evidence of data theft was detected and no reports have been received from patients to suggest any protected health information was stolen and misused. However, since it was not possible to rule out data theft with a high degree of certainty, the decision was taken to issue notifications to patients and to provide them with complimentary credit monitoring and identity theft restoration services. The types of data potentially viewed/copied by the attacker included full...

Read More
Orlando Family Physicians Group Phishing Attack Impacts 8,400 Patients
Jan02

Orlando Family Physicians Group Phishing Attack Impacts 8,400 Patients

8,400 patients of the Humana-owned Family Physicians Group in Orlando are being notified that some of their protected health information has potentially been compromised as a result of a phishing attack. Family Physicians Group is one of the largest providers of healthcare for Medicare and Medicaid beneficiaries in Central Florida and operates 22 clinics in the region. An investigation into the breach confirmed that an employee’s email account was accessed by an unauthorized individual on August 7, 2018. Unauthorized account access remained possible until August 21, 2018, when the breach was discovered and login credentials were changed. The login credentials were obtained by the attacker when the employee responded to a phishing email. Affected patients were notified about the incident on December 28, 2018. It is unclear why it took more than 4 months to issue notifications to patients. An analysis of the emails in the compromised account confirmed certain messages contained the protected health information of patients. No financial data or Social Security numbers were recorded in...

Read More
15,000 Customers Notified About Blue Cross Blue Shield of Michigan Data Breach
Dec31

15,000 Customers Notified About Blue Cross Blue Shield of Michigan Data Breach

Approximately 15,000 customers of Blue Cross Blue Shield of Michigan have been notified that some of their private information was stored on a laptop computer that was stolen from an employee of a business associate of one of its subsidiaries. The laptop computer was stolen on October 26, 2018, and Blue Cross Blue Shield of Michigan was alerted to the exposure of plan members’ protected health information (PHI) on November 12, 2018. The breach affects members of Blue Cross’ Medicare Advantage health insurance plans. Notifications are now being mailed to all plan members affected by the breach. The laptop computer was protected with a password and plan members’ data stored on the device had been encrypted; however, the employee’s credentials may also have been stolen. Consequently, there is a risk that PHI could have been accessed. The data stored on the stolen laptop was limited to names, addresses, members’ identification numbers, dates of birth, genders, provider information, diagnoses, and medications. The laptop did not contain Social Security numbers or financial data....

Read More
Largest Healthcare Data Breaches of 2018
Dec27

Largest Healthcare Data Breaches of 2018

This post summarizes the largest healthcare data breaches of 2018: Healthcare data breaches that have resulted in the loss, theft, unauthorized accessing, impermissible disclosure, or improper disposal of 100,000 or more healthcare records. 2018 has seen 18 data breaches that have exposed 100,000 or more healthcare records. 8 of those breaches saw more than half a million healthcare records exposed, and three of those breaches exposed more than 1 million healthcare records. A Bad Year for Healthcare Data Breaches As of December 27, 2018, the Department of Health and Human Services’ Office for Civil Rights (OCR) has received notifications of 351 data breaches of 500 or more healthcare records. Those breaches have resulted in the exposure of 13,020,821 healthcare records. It is likely that the year will finish on a par with 2017 in terms of the number of reported healthcare data breaches; however, more than twice as many healthcare records have been exposed in 2018 than in 2017. In 2017, there were 359 data breaches of 500 or more records reported to OCR. Those breaches resulted in...

Read More
Data of More Than 500,000 Staff and Students Compromised in San Diego School District Phishing Attack
Dec27

Data of More Than 500,000 Staff and Students Compromised in San Diego School District Phishing Attack

The San Diego School District has announced it has suffered a major phishing attack that has resulted in the exposure of the personal data, including health information, of more than 500,000 staff and students. The phishing attack was detected in October 2018; however, an investigation into the breach revealed the hacker had network access for almost a year. Access to the network was first gained in January 2018 and the attacker continued to access the network until November 2018. The decision was taken not to alert the hacker to the discovery of the breach immediately. Instead, the school district first investigated the breach to determine the nature of the attack and the extent to which its network had been compromised. Access was only terminated when the initial phase of the investigation was completed. San Diego School District conducted the investigation in conjunction with the San Diego Unified Police and has identified the hacker responsible for the attack. All compromised accounts have now been reset and unauthorized access to staff and student data is no longer possible....

Read More
Massachusetts Attorney General Issues $75,000 HIPAA Violation Fine to McLean Hospital
Dec21

Massachusetts Attorney General Issues $75,000 HIPAA Violation Fine to McLean Hospital

Massachusetts Attorney General Maura Healey has issued a $75,000 HIPAA violation fine to McLean Hospital over a 2015 data breach that exposed the protected health information (PHI) of approximately 1,500 patients. McLean Hospital, a psychiatric hospital in Belmont, MA, allowed an employee to regularly take 8 backup tapes home. When the employee was terminated in May 2015, McLean Hospital was only able to recover four of the backup tapes. The backup tapes were unencrypted and contained the PHI of approximately 1,500 patients, employees, and deceased donors of the Harvard Brain Tissue Resource Center. The lost backup tapes included clinical and demographic information such as names, Social Security numbers, medical diagnoses, and family histories. In addition to the exposure of PHI, the state AG’s investigation revealed there had been employee training failures and McLean Hospital had not identified, assessed, and planned for security risks. The loss of the tapes was also not reported in a timely manner and the hospital had failed to encrypt PHI stored on portable devices or use an...

Read More
November 2018 Healthcare Data Breach Report
Dec20

November 2018 Healthcare Data Breach Report

For the second consecutive month there has been an increase in both the number of reported healthcare data breaches and the number of records exposed, stolen, or impermissibly disclosed. November was the worst month of the year to date for healthcare data breaches in terms of the number of exposed healthcare records. 3,230,063 records were exposed, stolen, or impermissibly disclosed in the breaches reported in November. To put that figure into perspective, that’s more records than were exposed in all 180 data breaches reported to the HHS’ Office for Civil Rights (OCR) in the first half of 2018. There were 34 healthcare data breaches reported to OCR in November, making it the second worst month of the year to date for breaches, behind June when 41 breaches were reported. Largest Healthcare Data Breaches in November 2018 The largest healthcare data breach of 2018 was reported in November by Accudoc Solutions, a business associate of Atrium Health that provides healthcare billing services. That single breach resulted in the exposure of more than 2.65 million healthcare records....

Read More
Credit Card Numbers Exposed in BJC Healthcare Breach
Dec19

Credit Card Numbers Exposed in BJC Healthcare Breach

BJC HealthCare, one of the largest not-for-profit healthcare networks in the United States, has discovered hackers have gained access to the website hosting its patient portal and have uploaded malware that potentially intercepted credit/debit card numbers as they were entered in the payment portal. The breach was discovered on November 19, 2018. The internal investigation revealed malware had been uploaded to the payment portal on October 25, 2018 and payment information may have been intercepted until November 8, 2018. During that time, 5,850 credit/debit card payments had been processed. BJC HealthCare reports that no Social Security numbers or medical information was compromised. The breach was limited to patients’ names, addresses, and dates of birth, along with the name, billing address, and credit card information or bank information of the person making the payment. While the above information was potentially intercepted, BJC HealthCare has not received any reports to suggest the attackers obtained and misused patients’ or payors’ data. However, all affected individuals...

Read More
Up to 32,000 Patients Impacted by Elizabethtown Community Hospital Email Account Breach
Dec18

Up to 32,000 Patients Impacted by Elizabethtown Community Hospital Email Account Breach

Approximately 32,000 patients of the University of Vermont Health Network’s Elizabethtown Community Hospital are being notified that some of their protected health information (PHI) has been exposed as a result of email account breach. On October 18, 2018, Elizabethtown Community Hospital discovered an unauthorized individual had gained access to an employee’s email account. The password for the compromised email account was immediately changed and a leading forensic security firm was retained to conduct an investigation into the breach. The investigation, which lasted 60 days, confirmed that a single email account was compromised on October 9, 2018. The hospital’s information technology systems were not accessed and medical records remained secure at all times. An analysis of the breached email account revealed it contained the PHI of around 32,000 patients. The types of information that were exposed differed from patient to patient and may have included names, addresses, dates of birth, primary information such as medical record numbers, dates of service, summaries of services...

Read More
PHI Accessed by Contra Costa Health Plan Contractor Who Falsified Identity to Win Contracts
Dec17

PHI Accessed by Contra Costa Health Plan Contractor Who Falsified Identity to Win Contracts

Contra Costa Health Plan (CCHP) has started notifying certain patients that some of their protected health information may have been viewed by an unauthorized individual. That individual was a contractor who won a series of contracts related to utilization management. The contractor first started working with CCHP on December 1, 2014, and was given access to systems containing health plan records to complete her contracted duties. On May 22, 2018, CCHP learned that the contractor had falsified her identity in order to win the contracts. Upon discovery of the fraud, CCHP terminated the contract and blocked access to its systems. A full audit of the activities of the contractor was conducted to determine what systems had been accessed and whether plan members’ data had been viewed. The audit revealed that the contractor had accessed plan members’ health plan records while performing her utilization management duties, although no evidence was uncovered to suggest any of the information contained in those records has been further disclosed by the contractor or used inappropriately. The...

Read More
16,000 Mind & Motion Patients Impacted by Ransomware Attack
Dec14

16,000 Mind & Motion Patients Impacted by Ransomware Attack

Mind & Motion Developmental Centers of Georgia has announced that hackers have succeeded in installing ransomware and malware on a server, which has potentially allowed them to gain access to patients’ protected health information. The ransomware was downloaded and executed on a server housing Mind & Motion medical records. The types of data that were potentially compromised includes names, addresses, birth dates, patients’ gender, medical histories, medical diagnoses, health insurance information, and Social Security numbers. It is also possible that medical records were compromised as a result of the attack. Mind & Motion discovered the ransomware attack on September 30, 2018. An IT vendor, TeamLogic IT, was retained to investigate the breach, determine how the attack occurred, and help recover data that had been rendered inaccessible by the ransomware. In addition to the ransomware infection, TeamLogic IT discovered an inactive keylogger and a spam emailer on the server. All malware was successfully removed and associated accounts were deleted. TeamLogic IT did not...

Read More
EmblemHealth Pays $100,000 HIPAA Violation Penalty to New Jersey for 2016 Data Breach
Dec11

EmblemHealth Pays $100,000 HIPAA Violation Penalty to New Jersey for 2016 Data Breach

The health insurance provider EmblemHealth has been fined $100,000 by New Jersey for a 2016 data breach that exposed the protected health information (PHI) of more than 6,000 New Jersey plan members. On October 3, 2016, EmblemHealth sent Medicare Part D Prescription Drug Plan Evidence of Coverage documents to its members. The mailing labels included beneficiary identification codes and Medicare Health Insurance Claim Numbers (HCIN), which mirror Social Security numbers. The documents were sent to more than 81,000 policy members, 6,443 of whom were New Jersey residents. The New Jersey Division of Consumer Affairs investigated the breach and identified policy, procedural, and training failures. Previous mailings of Evidence of Coverage documents were handled by a trained employee, but when that individual left EmblemHealth, mailing duties were handed to a team manager who had only been given minimal task-specific training and worked unsupervised. That individual sent a data file to EmblemHealth’s mailing vendor without first removing HCINs, which resulted in the HCINs being printed...

Read More
48,000 Patients of Frisco Medical Center Notified of Breach of Payment Information
Dec11

48,000 Patients of Frisco Medical Center Notified of Breach of Payment Information

Baylor Scott & White Medical Center in Frisco, TX, has discovered the payment information of almost 48,000 patients and guarantors may have been compromised. The medical center, which is jointly managed by United Surgical Partners International (USPI) and Baylor Scott & White Health, discovered an issue with the credit card processing system of one of its vendors. The investigation revealed there had been a week-long computer intrusion between September 22 and September 29. Upon discovery of the issue, the medical center informed the vendor and stopped all credit card processing through the vendor’s system. Baylor Scott & White Health did not uncover evidence to suggest any patient/guarantor information had been further disclosed or misused; however, as a precaution, all individuals affected by the incident have been offered one year of complimentary credit monitoring services through TransUnion Interactive. The security breach was limited to the third-party vendor’s system. Hospital information and clinical systems remained secure at all times. No health information or...

Read More
6,450 Prairie Fields Family Medicine Patients Notified About Email-Related Privacy Breach
Dec10

6,450 Prairie Fields Family Medicine Patients Notified About Email-Related Privacy Breach

Prairie Fields Family Medicine in Fremont, NE, is alerting 6,450 patients that some of their protected health information was contained in an unencrypted spreadsheet that was inadvertently sent to the wrong email recipient. The email was sent on October 1, 2018, and the error was discovered the same day. Prairie Fields Family Medicine has made multiple attempts to contact the owner of the email account to ensure the spreadsheet is securely deleted but, so far, no response has been received. The lack of contact has led Prairie Fields Family Medicine to believe the email account is no longer in use and has been abandoned, although the possibility remains that the spreadsheet has been opened and patient information has been compromised. The spreadsheet did not contain any financial data or health information typically contained in medical records. The breach was limited to patients’ first and last names, birth date, telephone number, first language spoken, sex, race, and, for certain patients, primary and secondary health insurer information, including providers’ names and account...

Read More
16,000 Redwood Eye Center Patients Impacted by MSP Breach
Dec07

16,000 Redwood Eye Center Patients Impacted by MSP Breach

A managed service provider that hosts the electronic health records of Redwood Eye Center in Vallejo, CA, has experienced a security breach that has resulted in the exposure of 16,000 patients’ protected health information. IT Lighthouse provides computer support and application hosting services, including the hosting of electronic health records. During the evening of September 19, 2018, hackers succeeded in installing ransomware on a server that was hosting the electronic health records of patients of Redwood Eye Center. Redwood Eye Center was notified about the security breach on September 20, 2018. A third-party computer forensics firm was hired by IT Lighthouse to assist with the investigation and a specialized medical software vendor was consulted and helped Redwood Eye Center recover the affected data. The types of data that were potentially accessed by the attackers included patients’ names, addresses, birth dates, health insurance information, and medical treatment information. The investigation did not uncover any evidence to suggest the attackers accessed the PHI of...

Read More
PHI of 41,000 Patients of Cancer Centers of America Potentially Compromised in Phishing Attack
Dec05

PHI of 41,000 Patients of Cancer Centers of America Potentially Compromised in Phishing Attack

Cancer Centers of America’s Western Regional Medical Center in Bullhead City, AZ, has discovered the email account of one of its employees has been compromised as a result of a response to a phishing email. The phishing email appeared to have been sent from the email account of a Cancer Treatment Centers of America executive and used social engineering techniques to fool the employee into disclosing login credentials to the account. The attacker was able to access the account, but only for a limited time as the account compromise was detected by IT staff and the user ‘s account password was reset. However, during the time that the email account was accessible it is possible that some messages containing patients’ protected health information (PHI) was accessed. Cancer Treatment Centers of America called in a nationally recognized computer forensics firm to assist with the investigation. While it was not possible to tell which, if any, emails were accessed, it was discovered that the compromised email account contained the PHI of 41,948 patients. The information in the emails varied...

Read More
Ransomware Attacks Reported by Healthcare Providers in Illinois and Rhode Island
Dec05

Ransomware Attacks Reported by Healthcare Providers in Illinois and Rhode Island

A roundup of recent healthcare ransomware attacks, privacy breaches, and security incidents that have been announced in the past few days. Center for Vitreo-Retinal Diseases Ransomware Attack Impacts 20,371 Patients The Center for Vitreo-Retinal Diseases in Libertyville, IL, experienced a ransomware attack that resulted in the encryption of data on its servers. The attack was detected on September 18, 2018. The investigation into the breach suggests the attacker may have gained access to the protected health information of 20,371 patients that was stored on the affected servers. The attack appeared to have been conducted with the intention of extorting money from the practice. While it is possible that patient information was accessed by the attacker, no evidence of unauthorized data access, data theft, or misuse of patient information has been discovered. The information that was potentially compromised included names, addresses, telephone numbers, birth dates, health insurance information, health data, and the Social Security numbers of Medicare patients. The Center for...

Read More
12 State Attorneys General File HIPAA Breach Lawsuit Against Medical Informatics Engineering
Dec05

12 State Attorneys General File HIPAA Breach Lawsuit Against Medical Informatics Engineering

A multi-state federal lawsuit has been filed against Medical Informatics Engineering and NoMoreClipboard over the 2015 data breach that exposed the data of 3.9 million individuals. Indiana Attorney General Curtis Hill is leading the lawsuit and 11 other states are participating – Arizona, Arkansas, Florida, Iowa, Kansas, Kentucky, Louisiana, Minnesota, Nebraska, North Carolina and Wisconsin. This is the first time that state attorneys general have joined forces in a federal lawsuit over a data breach caused by violations of the Health Insurance Portability and Accountability Act. The lawsuit seeks a financial judgement, civil penalties, and the adoption of a corrective action plan to address all compliance failures. A Failure to Implement Adequate Security Controls The lawsuit alleges Medical Informatics Engineering failed to implement appropriate security to protect its computer systems and sensitive patient data and, as a result of those failures, a preventable data breach occurred. According to the lawsuit, “Defendants failed to implement basic industry-accepted data...

Read More
7,000 Patients Affected by Georgia Spine and Orthopaedics of Atlanta Phishing Attack
Nov29

7,000 Patients Affected by Georgia Spine and Orthopaedics of Atlanta Phishing Attack

Georgia Spine and Orthopaedics of Atlanta (GSOA) is notifying thousands of patients that some of their protected health information has been exposed, and potentially stolen, as a result of a phishing attack. An investigation into the data breach revealed an unauthorized individual gained access to an email account as a result of the employee responding to a phishing email. That response allowed the attacker to obtain the employee’s email account password. Third-party computer forensics experts were contracted to conduct a detailed investigation into the attack to determine the extent of the breach and find out which patients had been affected. The investigation confirmed that a single email account had been compromised on July 11, 2018. An evaluation of GSOA’s technology systems was also conducted to ensure that they were secure. In order to determine which patients had been affected, a painstaking manual analysis of all emails in the compromised account was performed to determine which messages had been accessed by the attacker. GSOA reports that the way the email account was...

Read More
DOJ Indicts Two Iranian Hackers for Role in SamSam Ransomware Attacks
Nov29

DOJ Indicts Two Iranian Hackers for Role in SamSam Ransomware Attacks

The U.S. Department of Justice has announced significant progress has been made in the investigation of the threat actors behind the SamSam ransomware attacks that have plagued the healthcare industry over the past couple of years. The DOJ, assisted the Royal Canadian Mounted Police, Calgary Police Service, and the UK’s National Crime Agency and West Yorkshire Police, have identified two Iranians who are believed to be behind the SamSam ransomware attacks. Both individuals – Faramarz Shahi Savandi and Mohammad Mehdi Shah Mansouri – have been operating out of Iran since 2016 and have been indicted on four charges: Conspiracy to commit fraud and related computer activity Conspiracy to commit wire fraud Intentional damage to a protected computer Transmitting a demand in relation to damaging a protected computer The DOJ reports that this is the first ever U.S. indictment against criminals over a for-profit ransomware, hacking, and extortion scheme. In contrast to many threat actors who use ransomware for extortion, the SamSam ransomware group conducts targeted, manual attacks on...

Read More
2.65 Million Atrium Health Patients Impacted by Business Associate Data Breach
Nov28

2.65 Million Atrium Health Patients Impacted by Business Associate Data Breach

AccuDoc Solutions Inc., a provider of healthcare billing services, has experienced a major data breach in which the protected health information of 2,650,000 patients of Atrium Health was exposed. Morrisville, NC-based AccuDoc Solutions prepares bills for patients and operates the online payment system used by Atrium Health, a network of 44 hospitals throughout North Carolina, South Carolina and Georgia. On October 1, 2018, AccuDoc Solutions notified Atrium Health that some of its databases had been compromised. The breach investigation revealed hackers had gained access to AccuDoc Solutions databases between September 22 and September 29, 2018. An extensive forensic investigation into the attack confirmed that patient information had been compromised, but the information stored in its databases could only be viewed. No PHI was downloaded by the attackers nor distributed via other channels. AccuDoc Solutions reports that the breach was due to a security vulnerability at a third-party vendor. The business relationship with that vendor has now been terminated. AccuDoc Systems has...

Read More
Tandigm Health Website Vulnerability Exposed 7,000 Patients’ PHI
Nov27

Tandigm Health Website Vulnerability Exposed 7,000 Patients’ PHI

A vulnerability on a website used by the value-based healthcare company Tandigm Health could potentially have been exploited to gain access to patients’ protected health information. The website vulnerability was discovered by Tandigm Health on September 25, 2018. A leading computer forensics firm assisted with the investigation to determine whether the flaw could be exploited remotely, whether patients’ protected health information had been accessed, and the types of information that may have been exposed. The investigation confirmed that the flaw could have been exploited to gain access to sensitive patient information between April 24, 2017 and December 31, 2017. The information accessible through the website was limited to names, birth dates, medical information, and health insurance information. Approximately 7,000 patients’ protected health information was accessible through the website. The investigation did not uncover any evidence to suggest the flaw had been exploited and no reports been received to suggest patient information has been stolen or misused. Out of an...

Read More
Mercy Medical Center North Iowa Notifies 1,900 Patients About Potential PHI Exposure
Nov27

Mercy Medical Center North Iowa Notifies 1,900 Patients About Potential PHI Exposure

Mercy Medical Center North Iowa has discovered a former employee potentially accessed the medical records of patients without authorization over a period of 12 months. An internal investigation suggested a former employee had inappropriately accessed patient information between July 2017 and July 2018. The employee had been given access to patient information to complete work duties, but Mercy Medical Center North Iowa was unable to confirm whether all records had been accessed for appropriate job-related purposes. The types of information the former employee accessed was limited to names, addresses, birth dates, medications, and insurance information. Breach notification letters were mailed to affected patients on November 26, 2018 and all individuals whose personal information was exposed have been offered 12 months of complimentary identity theft protection services. The discovery of the unauthorized access has prompted Mercy Medical Center North Iowa to review its privacy practices and further training will be provided to employees to reinforce past training on hospital and...

Read More
OCR Fines Allergy Practice $125,000 for Impermissible PHI Disclosure
Nov26

OCR Fines Allergy Practice $125,000 for Impermissible PHI Disclosure

The Department of Health and Human Services’ Office for Civil Rights (OCR) has fined a Hartford allergy practice $125,000 over alleged violations of the HIPAA Privacy Rule. On October 6, 2015, OCR received a copy of a civil rights complaint that had been filed with the Department of Justice (DOJ). The complainant alleged Allergy Associates of Hartford – A Connecticut healthcare provider that specializes in treating patients with allergies – had impermissibly disclosed her protected health information to a TV reporter. The complainant had previously contacted a local TV station after she had been turned away from the allergy practice because of her service animal. The TV reporter subsequently contacted the practice seeking comment. A physician at the practice spoke to the reporter and impermissibly disclosed some of the patient’s protected health information. OCR’s investigation confirmed there had been an impermissible disclosure of PHI, in violation of the HIPAA Privacy Rule – 45 C.F.R. § 164.502(a). The physician in question had already been advised by the practice’s...

Read More
53% Of Healthcare Data Breaches Due to Insiders and Negligence
Nov22

53% Of Healthcare Data Breaches Due to Insiders and Negligence

The healthcare industry has had more than its fair share of hacking incidents, but the biggest threat comes from within. The actions of healthcare providers, health insurers, and their employees cause more breaches than hacking, malware, and ransomware attacks. Researchers at Michigan State University and Johns Hopkins University analyzed data breaches reported to the Department of Health and Human Services’ Office for Civil Rights (OCR) over the past 7 years and found that more than half of breaches were the result on internal negligence. The research study, which was recently published in the journal JAMA Internal Medicine, is a follow-on from a 2017 study that explored the risk of hospital data breaches and the types of hospitals that were most prone to data breaches. While the previous research cast light on which hospitals were most vulnerable, little information was available on the main causes of the breaches. The latest study addresses that gap in knowledge. The researchers performed a retrospective analysis of the 1,183 healthcare data breaches reported to OCR between...

Read More
October 2018 Healthcare Data Breach Report
Nov21

October 2018 Healthcare Data Breach Report

Our October 2018 healthcare data breach report shows there has been a month-over-month increase in healthcare data breaches with October seeing more than one healthcare data breach reported per day. 31 healthcare data breaches were reported by HIPAA-covered entities and their business associates in October – 6 incidents more than the previous month. It should be noted that one breach at a business associate was reported to OCR as three separate breaches. The number of breached records in September (134,006) was the lowest total for 6 months, but the downward trend did not continue in October. There was a massive increase in exposed protected health information (PHI) in October. 2,109,730 records were exposed, stolen or impermissibly disclosed – 1,474% more than the previous month. In October, the average breach size was 68,055 records and the median was 4,058 records. Largest Healthcare Data Breaches in October 2018 There were 11 healthcare data breaches of more than 10,000 records reported in October – A 120% increases from the five 10,000+ record breaches in September. The...

Read More
Key Dental Group Alerts Patients About Potential HIPAA Violation
Nov21

Key Dental Group Alerts Patients About Potential HIPAA Violation

Key Dental Group, a dental practice in Pembroke Pines, FL, is informing patients of an alleged HIPAA violation that could potentially result in the unauthorized accessing of patients’ protected health information (PHI). After changing its electronic medical record (EMR) database provider, Key Dental Group requested its former vendor, MOGO, the return its EMR database. Even though the end user license agreement (EULA) stated that all patient data must be returned on termination of the agreement, MOGO has refused to return the database. MOGO communicated to Key Dental Group, via its attorney, that the database would not be returned. The Pembroke Pines dental practice alleges that in addition to violating the EULA, MOGO, as a HIPAA business associate, is in violation of the Health Insurance Portability and Accountability Act. Any security breach, such as the unauthorized accessing of patients’ protected health information, requires notifications to be sent to affected patients. Key Dental Group cannot say whether the database has been accessed after the termination of the EULA,...

Read More
Stolen FHN Healthcare Laptop Contained the PHI of 4,458 Patients
Nov21

Stolen FHN Healthcare Laptop Contained the PHI of 4,458 Patients

FHN Healthcare, which operates FHN Memorial Hospital in Freeport, IL, and a network of family healthcare centers throughout northwest Illinois, has learned that a laptop computer containing the protected health information of 4,458 patients has been stolen from the vehicle of an employee. The theft was immediately reported to law enforcement, but the device has not been recovered. FHN Healthcare reconstructed the data stored on the device and discovered it contained names, addresses, birth dates, medical record numbers, health insurance information, medical information, Social Security numbers, and driver’s license numbers. FHN healthcare already encrypts all its laptop computers, although the investigation into the incident revealed that the stolen device had not been encrypted and was only protected with a password. FHN reports that the lack of encryption was due to a technical issue with its encryption software and that the missed device was an isolated incident. The discovery of the encryption failure has prompted FHN Healthcare to re-encrypt all its laptop computers. The...

Read More
128,400 Employees and Patients Impacted by Phishing Attack on Albany Cancer Treatment Center
Nov20

128,400 Employees and Patients Impacted by Phishing Attack on Albany Cancer Treatment Center

New York Oncology Hematology in Albany, NY, has announced that hackers have gained access to 15 employee email accounts which contained the sensitive information of as many as 128,400 current and former patients and employees. As is common in phishing attacks, the emails contained a hyperlink to a seemingly legitimate email login page which requested usernames and passwords. When the information was entered it was harvested by the attackers. According to the substitute breach notice on the New York Oncology Hematology website, each compromised email account only remained accessible for a short period of time before access was terminated. The email breaches were identified by New York Oncology Hematology’s IT vendor, which shut down access to the compromised accounts by resetting the passwords. Access to 14 email accounts was gained on April 20, and a second attack took place between April 21 and April 27, which resulted in a further email account being compromised. New York Oncology Hematology hired a third-party computer forensics firm to investigate the breach and, on October 1,...

Read More
Email Hacking Incident Reported by Episcopal Health Services
Nov20

Email Hacking Incident Reported by Episcopal Health Services

Certain current and former patients of St. John’s Episcopal Hospital and Episcopal Health Services in New York are being notified that some of their protected health information has potentially been compromised. On September 18, 2018, Episcopal Health Services became aware of suspicious activity in several employee email accounts. An investigation was immediately launched, and a third-party digital forensics firm was called in to determine the nature and scope of the breach. The investigation revealed multiple employee email accounts had been compromised between August 28, 2018 and October 5, 2018. A thorough review of the compromised email accounts was completed on November 1. The types of information exposed differed from patient to patient but may have included name, date of birth, Social Security number, medical history, prescription information, diagnoses, treatment information, medical record number, financial information, and health insurance information. “Episcopal Health Services is committed to, and takes very seriously, its responsibility to protect all data entrusted to...

Read More
HealthEquity Notifies 165,800 Individuals of Email Security Breach
Nov19

HealthEquity Notifies 165,800 Individuals of Email Security Breach

HealthEquity is notifying 165,800 individuals that some of their protected health information has been exposed as a result of a email security breach. HealthEquity is a Utah-based company that provides services to help individuals gain tax advantages to offset the cost of healthcare, either through employers or health plans. Those services include health savings accounts (HSAs), health flexible spending arrangements (FSAs), limited purpose FSAs, and dependent care reimbursement accounts (DCRAs). In order to provide those services, HealthEquity has access to protected health information, some of which is communicated via email for business purposes. On October 5, 2018, HealthEquity’s security team discovered two Office 365 email accounts had been accessed by an unauthorized individual. On October 20, 2018, following an analysis of the cyberattack, HealthEquity confirmed that two employee email accounts had been breached and that those accounts contained the sensitive personal information of employees and individuals who benefited from its services through their health plan or...

Read More
2,393 Patients of Southwest Washington Regional Surgery Center Impacted by Phishing Attack
Nov16

2,393 Patients of Southwest Washington Regional Surgery Center Impacted by Phishing Attack

Southwest Washington Regional Surgery Center in Vancouver, WA, has suffered a phishing attack that has resulted in the exposure of 2,393 patients’ protected health information. The breach was confined to a single email account and no evidence was uncovered to suggest any emails have been accessed or downloaded by the attacker. An extensive investigation was conducted with assistance provided by a third-party cybersecurity firm. The investigation concluded on September 25. The investigation included a manual review of all emails in the compromised account to identify patients affected and the types of information that may have been compromised. Southwest Washington Regional Surgery Center explained in its breach notice that the beach was limited to the following PHI elements: Names, driver’s license numbers, Social Security numbers, medical information, and for a limited number of patients, credit card numbers. The investigation revealed the email account was compromised on May 27, 2018 and access remained possible until August 13, 2018. Patients impacted by the breach were sent...

Read More
HealthCare.gov Data Breach Exposed Personal Information of 94,000 Individuals
Nov15

HealthCare.gov Data Breach Exposed Personal Information of 94,000 Individuals

Last month, the Centers for Medicare & Medicaid Services (CMS) announced that the HealthCare.gov website had been hacked and the sensitive data of approximately 75,000 individuals had potentially been compromised. This week, the CMS issued an update on the breach confirming more people had been affected than was initially thought. The revised estimate has seen the number of breach victims increased to 93,689. The initial breach announcement was light on details about the exact nature of the breach and the types of information that had potentially been compromised. In the initial announcement the CMS explained that suspicious activity was detected on the site on October 13 and on October 16 a breach was confirmed. Steps were immediately taken to secure the site and prevent any further data access or data theft. The CMS started sending out breach notification letters on November 7 which explain the breach in more detail, including the types of information that were potentially accessed. CMS explained that the ‘suspicious activity’ it detected was certain agent and broker accounts...

Read More
30,000 Patients Impacted by May Eye Care Center Ransomware Attack
Nov14

30,000 Patients Impacted by May Eye Care Center Ransomware Attack

A July 2018 ransomware attack on May Eye Care Center in Hanover, PA saw a range of sensitive patient information encrypted, including data in its electronic medical record system. The ransomware attack was discovered by May Eye Care on July 29, 2018. The ransomware was downloaded on a server that contained patients’ names, addresses, dates of birth, insurance information, diagnoses, treatment information, clinical information, and a limited number of Social Security numbers. May Eye Care Center called in a leading computer forensics company to investigate the breach and an IT firms that specializes in data security was engaged to conduct a full review of security systems and protocols. Security has now been improved to prevent further attacks. A ransom demand was received, but no payment was made. May Eye Care Center was able to recover all of the files encrypted by the ransomware from backups without any loss of data. Al patients impacted by the incident have been notified and the breach was reported to the Department of Health and Human Services’ Office for Civil Rights on...

Read More
1,800 Patients’ PHI Compromised in Metrocare Services Phishing Attack
Nov14

1,800 Patients’ PHI Compromised in Metrocare Services Phishing Attack

Metrocare Services, the largest provider of mental health services in North Texas, has suffered a phishing attack that has resulted in the exposure of 1,804 patients’ protected health information. Several employee email accounts were compromised in the attack, with the first account breach occurring on August 2, 2018. Metrocare did not discover the phishing attacks until September 4. As soon as the breach was discovered, steps were taken to secure the accounts. Metrocare has also given its employees additional training on information security, additional measures are being introduced to improve the security of its information technology infrastructure, and email security has been strengthened. The investigation into the breach could not determine whether any emails containing patients’ protected health information were accessed by the attackers, but data access could not be ruled out. No reports have been received that suggest any PHI has been misused. The types of information that were exposed differed from patient to patient and included data such as names, dates of birth,...

Read More
Former Chilton Medical Center IT Worker Gets 5 Years’ Probation for Theft of Equipment Containing ePHI
Nov13

Former Chilton Medical Center IT Worker Gets 5 Years’ Probation for Theft of Equipment Containing ePHI

A former IT worker at Chilton Medical Center in New Jersey has been sentenced to 5 years’ probation for the theft of IT equipment that contained the protected health information of some of its patients. Sergiu Jitcu, of Saddle Brook, NJ, had previously been employed by Chilton Medical Center. On October 31, 2017, Chilton Medical Center learned that one of its hard drives had been sold on eBay. The purchaser discovered databases on the hard drive that appeared to include the protected health information (PHI) of some of its patients. The subsequent investigation revealed the hard drive contained the PHI of 4,600 patients who had received medical services at Chilton Medical Center between May 1, 2008 and October 15, 2017. The types of information on the hard drive included names, addresses, dates of birth, allergy information, medical record numbers, and medications. The theft was reported to the Morris County Prosecutor’s Office and was linked to Jitcu. The Morris County Prosecutor’s Office Specialized Crime Division obtained a search warrant for Jitcu’s home and vehicle and...

Read More
Health First Phishing Attack Impacts 42,000 Customers
Nov13

Health First Phishing Attack Impacts 42,000 Customers

Health First Inc., a four-hospital Florida-based health system, experienced a hacking/IT incident earlier this year that was reported to the Department of Health and Human Services’ Office for Civil Rights on October 5. According to the OCR breach summary, 42,000 customers were affected by the breach. Further information has now been released on the nature of the breach. According to Health First, the email accounts of multiple employees were compromised in the phishing attack. The exposed protected health information was contained in the compromised email accounts. The electronic medical record system was unaffected by the attack. An investigation into the breach revealed the attackers first gained access to employee email accounts in February 2018. Those email accounts were used to conduct further phishing attacks on other Health First employees until May 2018. According to Health First, the attackers gained access to “a small number” of employee email accounts. The compromised email accounts contained a limited amount of protected health information such as names, addresses, and...

Read More
1,216 Patient Records Impermissibly Accessed by Former Upstate University Hospital Employee
Nov12

1,216 Patient Records Impermissibly Accessed by Former Upstate University Hospital Employee

Upstate University Hospital in Syracuse, NY, is notifying 1,216 patients that some of their protected health information (PHI) has been impermissibly accessed by a former employee. Upstate University Hospital discovered the breach on September 12, 2018, which prompted a full investigation to determine which patients had had their privacy violated. The investigation revealed that the former employee first accessed patient health records without any legitimate work reason for doing so on November 3, 2016. Patient records continued to be accessed until October 23, 2017. The investigation did not uncover any evidence to suggest any information had been printed, copied, or forwarded outside the organization. It is unclear why the former employee accessed the records. No information on the motives behind the privacy violations has been made public. Highly sensitive information such as Social Security numbers, financial information, health insurance information and other information typically sought by identity thieves were not compromised and remained secure at all times. The breach was...

Read More
Billing Records of 12,331 Patients of Inova Health System Have Been Compromised
Nov09

Billing Records of 12,331 Patients of Inova Health System Have Been Compromised

Falls Church, VA-based Inova Health System has started notifying 12,331 patients that some of their protected health information has been accessed by an unauthorized individual. Inova Health System was contacted by law enforcement on September 5, 2018 over a suspected breach of patients’ billing information. A leading computer forensics firm was engaged to conduct an investigation into the breach to determine the nature of the attack and the extent of the breach. The investigation revealed its billing system was first accessed by an unauthorized individual in January 2017, and again between July and October 2017. Access was gained using the login credentials of an Inova employee. Peculiarly, Inova also reported that the same individual also gained access to paper billing records of a small number of patients in December 2016, which suggests that this may have been an insider breach involving a former employee, business associate or another individual with access to Inova facilities. However, no information about the individual responsible for the breach has been made public by...

Read More
Altus Hospital Baytown Suffers Dharma Ransomware Attack
Nov09

Altus Hospital Baytown Suffers Dharma Ransomware Attack

Altus Hospital in Baytown, TX, has experienced a ransomware attack that resulted in the encryption of many hospital records. The electronic medical record system was not affected, although some of the encrypted files contained patients’ protected health information including names, home addresses, contact telephone numbers, birth dates, Social Security numbers, credit card information, driver’s license numbers, and medical information. The attack was discovered on September 3, 2018. Altus Hospital received a ransom demand; however, assisted by a third-party security consultant, Altus Hospital was able to restore all affected files from backups. The investigator determined that the attacker gained access to the hospital’s servers before deploying a Dharma ransomware variant. Altus Hospital believes the aim of the attack was solely to extort money from the hospital. Data access and theft of patient information is not believed to have occurred. While the attack was limited to Baytown hospital servers, some of the information stored on those servers came from the following affiliated...

Read More
566,217 Customers of Chicago-Based Health Insurer Impacted by Data Breach
Nov07

566,217 Customers of Chicago-Based Health Insurer Impacted by Data Breach

The Chicago-based health insurer Bankers Life, a division of CNO Financial Group Inc., has discovered hackers gained access to its systems and potentially stole the personal information of more than half a million individuals. Bankers Life provides a range of insurance services to customers, including life insurance, long term care insurance, health insurance, and Medicare supplemental insurance and is the largest division of CNO Financial Group. Hackers gained access to its systems between May 30 and September 13, 2018. Bankers Life said it discovered the breach on August 7, 2018. The hackers gained access to a range of sensitive personal information of a ‘limited number’ of its employees. A ‘limited group’ of customers had names, Social Security numbers, driver’s license numbers, bank account numbers, state identification numbers, medication information, diagnoses, and treatment information exposed. The protected health information of a much larger group of customers was also potentially accessed by the hackers. For that group, names, addresses, dates of birth, insurance policy...

Read More
Q3 Healthcare Data Breach Report: 4.39 Million Records Exposed in 117 Breaches
Nov07

Q3 Healthcare Data Breach Report: 4.39 Million Records Exposed in 117 Breaches

The latest installment of the Breach Barometer Report from Protenus shows there was a quarterly fall in the number of healthcare data breaches compared to Q2, 2018; however, the number of healthcare records exposed, stolen, or impermissibly disclosed increased in Q3. In each quarter of 2018, the number of healthcare records exposed in data breaches has risen. Between January and March 1,129,744 healthcare records were exposed in 110 breaches. Between April and June, 3,143,642 records were exposed in 142 breaches, and 4,390,512 healthcare records were exposed, stolen, or impermissibly disclosed between July and September in 117 breaches. The largest healthcare data breach in Q3 was reported by the Iowa Health System UnityPoint Health. The breach was due to a phishing attack that saw multiple email accounts compromised. Those accounts contained the protected health information of more than 1.4 million patients. That breach was the second phishing attack experienced by UnityPoint Health. An earlier phishing attack resulted in the exposure of 16,400 healthcare records. In Q3, hacking...

Read More
Ransomware Attacks Increase: Healthcare Industry Most Heavily Targeted
Nov02

Ransomware Attacks Increase: Healthcare Industry Most Heavily Targeted

Ransomware attacks are on the rise once again and healthcare is the most targeted industry, according to the recently published Beazley’s Q3 Breach Insights Report. 37% of ransomware attacks managed by Beazley Breach Response (BBR) Services affected healthcare organizations – more than three times the number of attacks as the second most targeted industry: Professional services (11%). Kaspersky Lab, McAfee, and Malwarebytes have all released reports in 2018 that suggest ransomware attacks are in decline; however, Beazley’s figures show monthly increases in attacks in August and September, with twice the number of attacks in September compared to the previous month. It is too early to tell if this is just a blip or if attacks will continue to rise. The report highlights a growing trend in cyberattacks involving multiple malware variants. One example of which was a campaign over the summer that saw the Emotet banking Trojan downloaded as the primary payload with a secondary payload of ransomware. Emotet is used to steal bank credentials and has the capability to download further...

Read More
Missouri Department of Health and Senior Services Contractor Improperly Retained 10,400 Individuals’ PHI
Oct30

Missouri Department of Health and Senior Services Contractor Improperly Retained 10,400 Individuals’ PHI

The Missouri Department of Health and Senior Services (MHSS) is notifying 10,400 patients of a data privacy incident involving some of their protected health information (PHI). Under Health Insurance Portability and Accountability Act (HIPAA) Rules, HIPAA-covered entities are permitted to share patients’ PHI with contractors that perform certain duties on behalf of the covered entity. The contractors, who are classed as business associates, must enter into a business associate agreement with the covered entity and agree to comply with HIPAA Rules. When the association ends, the business associates must return all PHI to the covered entity or, under the direction of the covered entity, ensure that the PHI is permanently and securely erased. MHSS has discovered that an IT contractor has improperly retained the PHI of 10,400 patients after the contracted duties had been completed. Further, patients’ PHI was stored in an electronic file that was not password-protected. The IT contractor had worked on an information system used by the MHSS prior to September 30, 2016. On August 30,...

Read More
Stolen Raley’s Pharmacy Laptop May Have Contained PHI of 10,000 Patients
Oct30

Stolen Raley’s Pharmacy Laptop May Have Contained PHI of 10,000 Patients

Approximately 10,000 patients of Raley’s Pharmacy are being notified that some of their protected health information (PHI) has potentially been compromised. On September 24, 2018, a laptop computer was stolen from a Raley’s pharmacy that may have contained some patients’ PHI. Raley’s pharmacy immediately launched an investigation to determine what information was stored on the device. Interviews were conducted with staff members who had used the device in an attempt to understand the types of content that may have been exposed. The email accounts of employees were also checked for attachments and links to documents that contained ePHI, to determine which files had been downloaded or were stored in cache files in a temporary directory on the laptop. After careful analysis, Raley’s Pharmacy was able to determine that the only patients affected by the security incident were those that had visited a Raley’s, Bel Air, and Nob Hill Foods pharmacy between January 1, 2017 and September 24, 2018 to have prescriptions filled. An analysis of the files which had potentially been downloaded to...

Read More
PHI of 40,000 Patients of Sioux City Eye Clinic Potentially Compromised
Oct26

PHI of 40,000 Patients of Sioux City Eye Clinic Potentially Compromised

The protected health information of up to 40,000 patients of the Jones Eye Clinic and its affiliated surgery center, CJ Elmwood Partners, L.P, in Sioux City, IA has potentially been compromised. The breach is the result of a ransomware attack which affected data stored in an information system used for scheduling appointments and billing patients. Electronic medical records were unaffected as they were housed in a separate system which was not accessed by the attacker. Jones Eye Clinic discovered the ransomware attack on August 23, 2018, although an investigation by a third-party forensic investigator revealed that the attacker gained access to its system and installed the ransomware on the evening of August 22. A ransom was demanded for the keys to decrypt the files; however, no payment was made as it was possible to recover the files from backups. A full data restoration was completed on August 23. The investigation into the ransomware attack did not uncover any evidence to suggest that the attacker viewed or obtained patient data, although since data theft could not be ruled...

Read More
Catawba Valley Medical Center Phishing Attack Impacts 20,000 Patients
Oct25

Catawba Valley Medical Center Phishing Attack Impacts 20,000 Patients

On August 13, 2018, Catawba Valley Medical Center (CVMC) in Hickory, NC discovered an unauthorised individual accessed the email account of a CVMC employee. Upon discovery of the email breach, steps were taken to secure the account and prevent further access and a third-party computer forensics firm was called in to assist with the investigation and determine the extent of the breach. That investigation revealed that between July 4 and August 17, 2018, three employees’ email accounts had been compromised after the employees responded to phishing emails. Some of the emails in those accounts contained patients’ protected health information including names, dates of birth, details of medical services received at CVMC, health insurance details, and for certain patients, Social Security numbers. No evidence was found to suggest that any emails had been accessed or copied and no information has been received to suggest patient health information has been misused in any way. The phishing incidents have prompted CVMC to hire security experts to enhance employee education, more robust email...

Read More
Email Error Exposed the PHI of 8,000 Members of FirstCare Health Plans
Oct24

Email Error Exposed the PHI of 8,000 Members of FirstCare Health Plans

Texas-based First Care Health Plans is notifying more than 8,000 plan members that some of their personal information may have been impermissibly disclosed as a result of automated reports being accidentally emailed to an incorrect recipient. The daily reports were automatically generated and sent to an email distribution list. The reports contained medical requests which included members’ names, member ID numbers, procedure codes, descriptions of treatments, authorization numbers, and names of treating providers. On August 15, 2018, the FirstCare IT security team became aware that the reports had been sent to an external email address in error and the emails had not been encrypted. An investigation into the incident revealed the reports had been sent over a period of 17 months, starting on March 22, 2017. The reports contained the protected health information of 8,056 plan members. FirstCare explained in its breach notice that various security solutions had been deployed to monitor for unauthorized access, acquisition, and unauthorized use of ePHI, but they had failed to identify...

Read More
Phishing Attack on Children’s Hospital of Philadelphia Results in Double Account Breach
Oct24

Phishing Attack on Children’s Hospital of Philadelphia Results in Double Account Breach

Children’s Hospital of Philadelphia (CHOP) has discovered the email accounts of two employees have been compromised following successful phishing attacks on August 23 and August 29, 2018. On August 24, CHOP discovered an unauthorized individual had gained access to the email account of a one of its physicians. The investigation revealed the account was first accessed the previous day. Two weeks later, on September 6, CHOP discovered a second email account had also been compromised. In that case, access to the account was first gained on August 29. In both cases, prompt action was taken to secure the accounts and prevent further access. A leading computer forensics firm was also retained to assist with the investigation and assess the scope of the breach. An analysis of the email accounts revealed the individual(s) behind the phishing attacks may have been able to gain access to the protected health information (PHI) of a limited number of patients of CHOP’s neonatal and fetal programs. The information that was exposed differs from patient to patient and may have included a full...

Read More
September 2018 Healthcare Data Breach Report
Oct23

September 2018 Healthcare Data Breach Report

For the second consecutive month there has been a reduction in both the number of reported healthcare data breaches and the number of exposed healthcare records. In September, there were 25 breaches of 500 or more records reported to the Department of Health and Human Services’ Office for Civil Rights – the lowest breach tally since February. There was also a substantial reduction in the number of exposed/stolen healthcare records in September. Only 134,000 healthcare records were exposed/stolen in September – A 78.5% reduction in compared to August. Fewer records were exposed in September than in any other month in 2018. Causes of September 2018 Healthcare Data Breaches In August, hacking/IT incidents dominated the healthcare breach reports, but there was a major increase (55.55%) in unauthorized access/disclosure breaches in September, most of which involved paper records. There were no reported cases of lost paperwork or electronic devices containing ePHI, nor any improper disposal incidents. While there were fewer hacking/IT incidents than unauthorized access/disclosure...

Read More
OIG Publishes 2016 Medicaid Data Breach Report
Oct23

OIG Publishes 2016 Medicaid Data Breach Report

A new report released by the Department of Health and Human Services’ Office of Inspector General (OIG) has revealed the vast majority of Medicaid data breaches are relatively minor and only affect an extremely limited number of individuals. For the study, OIG assessed all breaches reported by Medicaid agencies and their contractors in 2016. According to the report, the records of 515,000 Medicaid beneficiaries were exposed in 2016, spread across 1,260 data breaches. Almost two thirds of Medicaid data breaches reported in 2016 affected a single person with a further 29% of breaches affecting between 1 and 9 individuals. Large-scale breaches, which resulted in the data of 500 or more beneficiaries being exposed, accounted for 1% of the annual total. While the breach causes were highly varied, the majority of incidents were the result of simple errors such as misaddressing a letter, fax, or email. Those breaches only resulted in a very limited amount of PHI being exposed, such as a beneficiary name and Medicaid or other ID number. Out of the 1,260 breaches only 303 resulted in the...

Read More
1.25 Million Records Exposed in Employees Retirement System of Texas Data Breach
Oct23

1.25 Million Records Exposed in Employees Retirement System of Texas Data Breach

The Employees Retirement System of Texas (ERS) has discovered a flaw in its ERS OnLine portal allowed certain individuals to view information of other members after logging into the portal. ERS explained that a coding error, introduced on January 1, 2018, affected the “Annual Out-of-Pocket Premium” function of its ERS OnLine system. The function is used by some retirees, direct-pay members, employees on leave without pay and COBRA participants. The function “allows participants who pay their Texas Employees Group Benefits Program (GBP) premiums with after-tax dollars to see their own premium payment information.” However, the flaw meant that certain ERS members were displayed information about other members and in some cases, certain beneficiaries – if those beneficiaries had received some form of payment from ERS and had information in the ERS OnLine system. ERS notes that the coding error only returned other members’ information when individuals performed a modified search via the affected function and therefore it is “very unlikely” than most members information was...

Read More
Ransomware Attack Impacts 16,000 National Ambulatory Hernia Institute Patients
Oct22

Ransomware Attack Impacts 16,000 National Ambulatory Hernia Institute Patients

On September 13, 2018, the National Ambulatory Hernia Institute in California experienced a ransomware attack that resulted in certain files on its network being encrypted. According to the breach notice uploaded to the healthcare provider’s website, the attackers were potentially able to gain access to demographic data of patients recorded prior to July 19, 2018. In total, 15,974 patients have had some of their protected health information exposed as a result of the attack. The information potentially accessed by the attackers was limited to names, addresses, birth dates, diagnoses, appointment dates and times, and Social Security numbers. Patients who visited National Ambulatory Hernia Institute facilities for the first time after July 19, 2018 were unaffected by the breach. Due to the sensitive nature of the exposed information, the National Ambulatory Hernia Institute has advised affected patients to obtain identity monitoring services for a period of at least one year. The breach notice does not state whether those services are being provided to patients free of charge. The...

Read More
$16 Million Anthem HIPAA Breach Settlement Takes OCR HIPAA Penalties Past $100 Million Mark
Oct16

$16 Million Anthem HIPAA Breach Settlement Takes OCR HIPAA Penalties Past $100 Million Mark

OCR has announced that an Anthem HIPAA breach settlement has been reached to resolve potential HIPAA violations discovered during the investigation of its colossal 2015 data breach that saw the records of 78.8 million of its members stolen by cybercriminals. Anthem has agreed to pay OCR $16 million and will undertake a robust corrective action plan to address the compliance issues discovered by OCR during the investigation. The previous largest ever HIPAA breach settlement was $5.55 million, which was agreed with Advocate Health Care in 2016. “The largest health data breach in U.S. history fully merits the largest HIPAA settlement in history,” said OCR Director Roger Severino. Anthem Inc., an independent licensee of the Blue Cross and Blue Shield Association, is America’s second largest health insurer. In January 2015, Anthem discovered cybercriminals had breached its defenses and had gained access to its systems and members’ sensitive data. With assistance from cybersecurity firm Mandiant, Anthem determined this was an advanced persistent threat attack – a continuous and targeted...

Read More
Email Accounts Compromised at Biomarin Pharmaceutical and Envision Healthcare Corporation
Oct12

Email Accounts Compromised at Biomarin Pharmaceutical and Envision Healthcare Corporation

Novato, CA-based Biomarin Pharmaceutical has discovered two employee email accounts have been compromised as a result of a phishing attack in which a temporary employee’s login credentials were obtained by the attacker. The attack was discovered on June 21, 2018 and immediate action was taken to prevent further unauthorized account access. The investigation into the breach determined that the email accounts had been accessed by an unauthorized individual, but it was not possible to tell whether any emails were opened or copied by the attacker. An analysis of the compromised accounts suggests a document containing names, health insurance information and Social Security numbers may have been in one or both email accounts at the time the breach. Due to the nature of exposed data, affected individuals have been advised to place a fraud alert on their credit files as a precaution against identity theft and fraud and urged to monitor explanation of benefits statements from insurers for medical services which have not been received. Biomarin Pharmaceutical has now secured its network and...

Read More
Minnesota DHS Notifies 21,000 Patients That Their PHI Has Potentially Been Compromised
Oct12

Minnesota DHS Notifies 21,000 Patients That Their PHI Has Potentially Been Compromised

The Minnesota Department of Human Services has mailed letters to approximately 21,000 individuals on medical assistance to alert them to a possible breach of their protected health information (PHI) due to two recent phishing attacks. Two DHS employees’ email accounts have been confirmed as having been compromised as a result of the employees clicking on links in phishing emails. The investigation into the breach determined that the attackers accessed both email accounts although it was not possible to determine which, if any, emails in the account had been accessed or copied by the attackers. Minnesota DHS has reason to believe that other employees may also have been targeted and could also have clicked on links in phishing emails, but it has not yet been confirmed whether their accounts have been breached. The investigation into the phishing attacks is ongoing. The two email account breaches occurred on June 28 and July 9, 2018, although the IT department only determined that the accounts had been breached in August. Upon discovery of the phishing attack, both accounts were...

Read More
Michigan Medicine Notifies 3,600 Patients of PHI Disclosure Due to Mailing Error
Oct09

Michigan Medicine Notifies 3,600 Patients of PHI Disclosure Due to Mailing Error

Michigan Medicine is notifying more than 3,600 patients of an impermissible disclosure of a limited amount of their protected health information. In early September 2018, the Michigan Medicine Development Office launched a fundraising campaign that involved sending letters to a large number of its patients. A third-party vendor was contracted to print the letters for the mailing and while many of the letters were printed correctly, an error was made by the printing company that resulted in an impermissible disclosure of certain patients’ personal information. According to Michigan Medicine, the error was introduced when the printing company installed new software. As a result of the error, a proportion of the letters contained information that was intended for other Michigan Medicine patients and did not match the name and address on the outside of the envelope. Since this was a fundraising mailing, the letters did not contain any medical information, Social Security numbers, financial data, or other highly sensitive information. Patients affected by the error has their name,...

Read More
California HIV Patient PHI Breach Lawsuit Allowed to Move Forward
Oct08

California HIV Patient PHI Breach Lawsuit Allowed to Move Forward

A lawsuit filed by Lambda Legal on behalf of a victim of a data breach that saw the highly sensitive protected health information of 93 lower-income HIV positive individuals stolen by unauthorized individuals has survived a motion to dismiss. The former administrator of the California AIDS Drug Assistance Program (ADAP), A.J. Boggs & Company, submitted a motion to dismiss but it was recently rejected by the Superior Court of California in San Francisco. In the lawsuit, Lambda Legal alleges A.J. Boggs & Company violated the California AIDS Public Health Records Confidentiality Act, the California Confidentiality of Medical Information Act, and other state medical privacy laws by failing to ensure an online system was secure prior to implementing that system and allowing patients to enter sensitive information. A.J. Boggs & Company made its new online enrollment system live on July 1, 2016, even though it had previously received several warnings from nonprofits and the LA County Department of Health that the system had not been tested for vulnerabilities. It was alleged...

Read More
PHI of 37,000 Gold Coast Health Plan Members Potentially Compromised
Oct08

PHI of 37,000 Gold Coast Health Plan Members Potentially Compromised

Camarillo, CA-based Gold Coast Health Plan is informing approximately 37,000 plan members that some of their protected health information has potentially been obtained by hackers who succeeded in compromising the email account of one of its employees. The employee was fooled by a phishing email and the attackers gained access to the email account on June 18, 2018. Access remained possible until August 1, 2018. Gold Coast Health Plan discovered the security breach on August 8 and took steps to secure the account and prevent any further remote access. A leading third-party cybersecurity firm was engaged to conduct an investigation into the breach and assess the scope of the incident and determine whether any patients’ health information was accessed. It was not possible to rule out PHI access and data theft with 100% certainty, although no reports have been received to date that suggest any PHI in the account has been misused. Gold Coast Health Plan believes the attack was financially motivated and the purpose of the attackers was to gain access to banking information in order to...

Read More
Summary of Recent Healthcare Data Breaches
Oct05

Summary of Recent Healthcare Data Breaches

A round up of healthcare data breaches recently announced by healthcare providers and business associates of HIPAA covered entities. Tillamook Chiropractic Clinic Discovers 26-Month Malware Infection The medical records of 4,058 patients of the Tillamook Chiropractic Clinic in Tillamook, OR have been stolen as a result of a malware infection. On August 3, 2018, the clinic conducted an internal security audit which showed that malware had been installed on its network, even though a firewall was in place, antivirus and antimalware software were installed and up to date, and its software was fully patched. An investigation into the security breach revealed the malware had been installed on May 24, 2016 and had remained undetected for 26 months. The malware had been installed on the primary insurance billing system, which the clinic reports was used as a staging area by the attackers to collect patient records before exfiltrating the data. The information believed to have been stolen includes full names, home addresses, work addresses, dates of birth, phone numbers, diagnoses, lab...

Read More
PHI of 1,800 Patients Found Abandoned in Houston Street
Oct03

PHI of 1,800 Patients Found Abandoned in Houston Street

Paperwork containing the protected health information of approximately 1,800 patients has been discovered abandoned in a Midtown, Houston street by an employee of the CBS-affiliated television station KBOU 11. The paperwork contained information such as patients’ names, birth dates, diagnoses, treatment information, medications, vital signs, and admission dates. KBOU launched an investigation into the breach and determined the paperwork related to patients from five Houston hospitals – MD Anderson Cancer Center, LBJ Hospital, Children’s Memorial Hermann, Memorial Hermann Hospital, and TIRR Memorial Hermann. The investigation led to UT Health. According to the report, the records were stolen from the locked trunk of a vehicle belonging of a medical resident who, while studying at UT Health’s McGovern Medical School, had worked at the above hospitals. The records were stolen from his vehicle in July. Officials at UT Health confirmed to KBOU that they are aware of the breach. Reporters spoke to the medical graduate and confirmed that the incident had not been reported to the...

Read More
Study Reveals 70% Increase in Healthcare Data Breaches Between 2010 and 2017
Sep28

Study Reveals 70% Increase in Healthcare Data Breaches Between 2010 and 2017

There has been a 70% increase in healthcare data breaches between 2010 and 2017, according to a study conducted by two physicians at the Massachusetts General Hospital Center for Quantitative Health. The study, published in the Journal of the American Medical Association on September 25, involved a review of 2,149 healthcare data breaches reported to the Department of Health and Human Services’ Office for Civil Rights between 2010 and 2017. “While we conduct scientific programs designed to recognize the enormous research potential of large, centralized electronic health record databases, we designed this study to better understand the potential downsides for our patients – in this case the risk of data disclosure,” said Dr. Thomas McCoy Jr, director of research at Massachusetts General Hospital’s Center for Quantitative Health in Boston and lead author of the study. Every year, with the exception of 2015, the number of healthcare data breaches has increased, rising from 199 breaches in 2010 to 344 breaches in 2017. Those breaches have resulted in the loss, theft, exposure, or...

Read More
Claxton-Hepburn Medical Center Fires Several Employees for Inappropriate PHI Access
Sep27

Claxton-Hepburn Medical Center Fires Several Employees for Inappropriate PHI Access

Claxton-Hepburn Medical Center, a not-for-profit 115-bed community hospital in Ogdensburg, NY, has fired several employees for accessing patient health records without authorization. The PHI breaches were discovered during an internal investigation. It is unclear whether that investigation was launched following a complaint that had been received or if the patient privacy violations were uncovered during a routine audit of PHI access logs – A requirement of HIPAA. Claxton-Hepburn Medical Center has not publicly disclosed how many employees were terminated over the violations, only reporting that all employees who purposely committed the acts were terminated. It is also currently unclear exactly how many patients’ PHI was breached. Claxton-Hepburn Medical Center has confirmed that training is given to all employees on the first day of employment detailing the requirements of HIPAA and the importance of protecting the privacy of patients. All employees are made aware that accessing patient health information is only permitted when PHI needs to be viewed to complete work duties or...

Read More
Protected Health Information Stolen in Aspire Health Phishing Attack
Sep27

Protected Health Information Stolen in Aspire Health Phishing Attack

Aspire Health, a Nashville, TN-based provider of in-home services for patients diagnosed with serious illnesses, has experienced a phishing attack that resulted in the email account of an employee being accessed by an unauthorized individual. Once access to the email account was gained, the attacker forwarded 124 emails to an external email account. Several of the forwarded email messages contained the protected health information of patients and “confidential and proprietary information and files”. According to a statement issued by a spokesperson for Aspire Health, breach notification letters have already been sent to a “small handful” of its patients, although the exact number affected by the breach has not been disclosed. The data breach has yet to appear on the Department of Health and Human Services’ Office for Civil Rights’ breach portal. As is the case with many phishing scams, an email was sent to the employee which contained a hyperlink to a website which requested login credentials. The website, created on August 28, 2018, is hosted in the Russian Federation and was...

Read More
UMass Memorial Health Care Pays $230,000 to Resolve Alleged HIPAA Violations
Sep24

UMass Memorial Health Care Pays $230,000 to Resolve Alleged HIPAA Violations

Mass Memorial Health Care has been fined $230,000 by the Massachusetts attorney general for HIPAA failures related to two data breaches that exposed the protected health information (PHI) of more than 15,000 state residents. A lawsuit was filed against UMass Memorial Health Care in which attorney general Maura Healey claimed UMass Memorial Medical Group Inc., and UMass Memorial Medical Center Inc., failed to implement sufficient measures to protect patients’ sensitive health information. In two separate incidents, employees accessed and copied patient health information without authorization and used that information to open cell phone and credit card accounts in the victims’ names. It was also alleged that UMass Memorial Medical Group Inc., and UMass Memorial Medical Center Inc., were both aware of employee misconduct, yet failed to properly investigate complaints related to data breaches and discipline the employees concerned in a timely manner. Both entities also failed to ensure that patients’ PHI was properly safeguarded. These failures violated Massachusetts data security...

Read More
August 2018 Healthcare Data Breach Report
Sep21

August 2018 Healthcare Data Breach Report

August was a much better month for the healthcare industry with fewer data breaches reported than in July. In August, 28 healthcare data breaches were reported to the HHS’ Office for Civil Rights, a 17.86% month-over-month reduction in data breaches. There was also a major reduction in the number of healthcare records that were exposed or stolen. In August, 623,688 healthcare records were exposed or stolen – A 267.56% reduction from August, when 2,292,522 healthcare records were breached. Causes of Healthcare Data Breaches in August 2018 Hacking incidents dominated the breach reports in August, accounting for 53.57% of all reported data breaches and 95.73% of all records exposed or disclosed in August. Eight of the top ten breaches were the result of hacks, malware, or ransomware attacks. Insider breaches are a major problem in the healthcare industry, more so than other verticals. In August there were nine insider breaches – 32.14% of the healthcare data breaches in August. Those breaches involved the unauthorized access or impermissible disclosure of 18,488 healthcare...

Read More
$999,000 in HIPAA Penalties for Three Hospitals for Boston Med HIPAA Violations
Sep20

$999,000 in HIPAA Penalties for Three Hospitals for Boston Med HIPAA Violations

Three hospitals that allowed an ABC film crew to record footage of patients as part of the Boston Med TV series have been fined $999,000 by the Department of Health and Human Services’ Office for Civil Rights (OCR) for violating Health Insurance Portability and Accountability Act (HIPAA) Rules. This is the second HIPAA violation case investigated by OCR related to the Boston Med TV series. On April 16, 2016, New York Presbyterian Hospital settled its HIPAA violation case with OCR for $2.2 million to resolve the impermissible disclosure of PHI to the ABC film crew during the recording of the series and for failing to obtain consent from patients. Fines for Boston Medical Center, Brigham and Women’s Hospital, & Massachusetts General Hospital Boston Medical Center (BMC) settled its HIPAA violations with OCR for $100,000. OCR investigators determined that BMC had impermissibly disclosed the PHI of patients to ABC employees during production and filming of the TV series, violating 45 C.F.R. § 164.502(a). Brigham and Women’s Hospital (BWH) settled its HIPAA violations...

Read More
Phishing Attack on Ohio Living Exposed PHI of 6,500 Individuals
Sep20

Phishing Attack on Ohio Living Exposed PHI of 6,500 Individuals

Ohio Living, a provider of life plan communities and home health services in Ohio, has discovered an unauthorized individual has gained access to the email accounts of some of its employees. Ohio Living detected suspicious activity related to an employee’s email account on July 10, 2018. An investigation was immediately launched, and a third-party computer forensics expert was hired to investigate the breach and determine how access to the account was gained. On July 19, 2018, Ohio Living was informed that several email accounts had been compromised on July 10 and that those accounts had been accessed by an unauthorized individual. It was not possible to determine whether any emails were opened or if any emails were downloaded by the attacker. A review of the compromised accounts revealed they contained the protected health information of 6,510 individuals. Upon discovery of the breach, passwords were reset on all accounts known to have been compromised and a full password reset was performed on all other employees’ email accounts. Ohio Living has also provided further training to...

Read More
Brooklyn Emergency Room Worker Accused of Stealing and Selling Patients’ PHI
Sep20

Brooklyn Emergency Room Worker Accused of Stealing and Selling Patients’ PHI

A former employee of the emergency department of Brooklyn’s Kings County Hospital is alleged to have stolen the protected health information of at least 100 individuals while working at the hospital and disclosed that information to another individual using an encrypted smartphone app. Orlando Jemmott, 52, was employed at the hospital for 12 years between March 2006 and April 2018 and was given access to patient health records in order to complete his work duties. Jemmott was required to enter patient information into the hospital’s system such as demographic data and information on patients’ symptoms and health complaints. In June 2017, the FBI received a tip that Jemmott was stealing patient information and selling the data to another individual. The woman claimed the information was being sent via the WhatsApp encrypted messaging app. The woman took Jemmott’s mobile phone from his house and handed it over to the FBI along with a photo from his WhatsApp profile. A warrant was then obtained by the FBI to search the phone. The search revealed hundreds of communications between...

Read More
Mailing Vendor Blamed for Blue Cross and Blue Shield of Rhode Island Privacy Breach
Sep19

Mailing Vendor Blamed for Blue Cross and Blue Shield of Rhode Island Privacy Breach

Blue Cross and Blue Shield of Rhode Island (BCBSRI) is alerting 1,567 plan members that some of their protected health information has been impermissibly disclosed by one of its business associates. A BCBSRI vendor was contracted to send explanation of benefits statements to plan members which contain summaries of the healthcare services members have received under their health plan. However, an error was made which resulted in statements being sent to incorrect individuals. The explanation of benefits statements included members’ BCBSRI ID number, their service provider(s), the service(s) provided, and the cost of the claims. The impermissible disclosure of PHI was attributed to an error made by the vendor when combining the explanation of benefits statements for certain individuals who are covered under the same policy. Combining the statements was intended to reduce the number of summaries received by some members. The error resulted in some explanation of benefits statements being incorrectly combined in the mid-July mailings, which resulted in the summaries being sent to...

Read More
Independence Blue Cross Notifies 17,000 Members of Online Exposure of Their PHI
Sep18

Independence Blue Cross Notifies 17,000 Members of Online Exposure of Their PHI

Independence Blue Cross is notifying thousands of plan members that some of their protected health information has been exposed online and has potentially been accessed by unauthorized individuals. The Independence Blue Cross privacy office was informed about the exposed information on July 19 and immediately launched an investigation. A leading forensics investigation firm was hired to investigate the incident and establish whether any plan members’ information was accessed during the time it was exposed. Independence Blue Cross said an employee had uploaded a file containing plan members’ protected health information to a public facing website on April 23, 2018. The file remained accessible until July 20 when it was removed from the website. The information contained in the file was limited. No financial information or Social Security numbers were exposed. Affected plan members only had their name, diagnosis codes, provider information, date of birth, and information used for processing claims exposed. Despite a thorough investigation, it was not possible to determine whether any...

Read More
CMS: Fairview Southdale Hospital Videotaped Patients Without Knowledge or Consent
Sep17

CMS: Fairview Southdale Hospital Videotaped Patients Without Knowledge or Consent

The HHS’ Centers for Medicare and Medicaid Services (CMS) has investigated Fairview Southdale Hospital in Edina, MN over an alleged violation of patient privacy. The CMS confirmed that patients were videotaped during psychiatric evaluations in the emergency department without their knowledge or consent.  The hospital was cited for violating patient privacy. According to the Star Tribune, the CMS launched an investigation following a complaint from a patient who had been taken to the hospital for a psychiatric evaluation against her will in May 2017. The patient was escorted to the hospital as police officers were concerned about her state of mental health and feared she may cause harm to herself or others. After being released, the patient took legal action over her admission to the hospital and how she was treated by the police. As part of that lawsuit, the patient requested a copy of the security camera footage from the hospital. While the patient expected to receive a copy of the videotape from the front of the hospital showing her entering the facility, the videotape showed her...

Read More
Fetal Diagnostic Institute of the Pacific Experiences Ransomware Attack
Sep17

Fetal Diagnostic Institute of the Pacific Experiences Ransomware Attack

The Fetal Diagnostic Institute of the Pacific (FDIP) in Honolulu, HI, experienced a ransomware attack on June 30, 2018. File-encrypting software was installed on an FDIP server and encrypted a wide range of file types, including patient medical records. FDIP engaged the services of a leading cybersecurity company to conduct a full investigation into the breach to determine whether patient data was accessed by the attackers and also to assist with breach remediation. The investigation did not uncover any evidence to suggest that patients’ protected health information was accessed, viewed, or stolen by the individuals behind the attack, although it was not possible to rule out data access and data theft with a high level of confidence. Consequently, the incident is being treated as a HIPAA breach, patients are being notified, and the Department of Health and Human Services’ Office for Civil Rights (OCR) has been informed. An analysis of the files encrypted by the ransomware revealed they contained a range of protected health information. Patients affected by the security breach may...

Read More
Email Security Breaches Reported by Hopebridge (IN) and United Methodist Homes (NY)
Sep14

Email Security Breaches Reported by Hopebridge (IN) and United Methodist Homes (NY)

Hopebridge, an Indiana-based network of 28 autism treatment centers throughout the Midwest, has discovered it has been the victim of a phishing attack that has potentially resulted in an unauthorized individual gaining access to the protected health information (PHI) of its patients. A security breach was detected on July 19, 2018 prompting a thorough investigation. A leading third-party computer forensics firm was engaged to assess the nature and scope of the breach and all accounts and systems were immediately secured to lock out the attacker. The investigation revealed several employees had been fooled by phishing emails that had been sent between March and July 2018. Several email accounts were compromised as a result of employees’ responses to those emails. An analysis of the compromised email accounts revealed they contained a limited amount of patients’ PHI – Their names, the services they received from Hopebridge, and an inferred autism diagnosis. The results of the forensic investigation suggest that it was not the intention of the attacker to gain access to PHI, instead...

Read More
Texas Nurse Fired for Social Media HIPAA Violation
Sep13

Texas Nurse Fired for Social Media HIPAA Violation

A nurse at a Texas children’s hospital has been fired for violating Health Insurance Portability and Accountability Act (HIPAA) Rules by posting protected health information on a social media website. The pediatric ICU/ER nurse worked at Texas Children’s Hospital and posted a series of comments on Facebook about a rare case of measles at the hospital. The nurse was an anti-vaxxer and posted about the experience of seeing a boy at the hospital suffering from the disease – a disease that could have been prevented through vaccination. Her comments explained how the disease was much worse that she expected it to be, having not encountered anyone with the measles in the past.  She explained that it was a “rough” experience seeing the boy suffering from the disease. She also explained in her posts, “I think it’s easy for us non-vaxxers to make assumptions, but most of us have never and will never see one of these diseases,” and “By no means have I changed my vax stance, and I never will. But this poor kid was bad off and as a parent, I could see vaccinating out of fear,” as reported by...

Read More
Phishing Attack on Acadiana Computer Systems Exposed the PHI of 31,000 Individuals
Sep12

Phishing Attack on Acadiana Computer Systems Exposed the PHI of 31,000 Individuals

Acadiana Computer Services Inc., a Lafayette, LA-based provider of software and business solutions for the healthcare industry, has discovered an unauthorized individual has gained access to the email account of one of its employees. The security breach was detected on July 6, 2018 and external access to the account was immediately disabled. An independent cybersecurity expert was retained to conduct a forensic analysis of the breach and determine the nature and scope of the attack. An analysis of the emails in the compromised account revealed they contained the personal information of several of its clients’ patients. The information potentially accessed was limited to names, addresses, treatment information, billing information, and for a limited number of individuals, Social Security numbers. The breach report submitted to the Department of Health and Human Services’ Office for Civil Rights indicates 31,151 individuals have had their protected health information exposed as a result of the email account breach. Those individuals had previously received medical services from the...

Read More
Reliable Respiratory Phishing Attack Impacts 21,000 Patients
Sep10

Reliable Respiratory Phishing Attack Impacts 21,000 Patients

The Norwood, MA-based respiratory care provider Reliable Respiratory has experienced a phishing attack that has affected several thousand of its patients. A cyberattack was suspected on July 3, 2018, following the detection of unusual activity in an employee’s email account. An investigation was launched to determine the cause of that activity, which revealed the employee had been targeted with a phishing campaign. The response to a phishing email resulted in the disclosure of that individual’s login credentials. The unusual account activity was detected on July 3 and the account was immediately secured. Computer forensic specialists were retained to determine the nature and extent of the breach. The breach investigation confirmed that the account had been accessed by an unauthorized individual between June 28 and July 2. An analysis of the emails contained in the account showed a wide range of protected health information could potentially have been accessed by the attacker. Patients are now being notified of the breach by mail and have been advised to monitor their account...

Read More
Medical Records from New Mexico Hospital Found Scattered in Street
Sep07

Medical Records from New Mexico Hospital Found Scattered in Street

The New Mexico Department of Health is currently investigating how the private medical records of some of its patients came to fall from a truck during transportation from the hospital to a secure storage facility. The records came from Turquoise Lodge Hospital, a rehabilitation center run by the New Mexico Department of Health that specializes in the treatment of parents and pregnant women who are recovering from substance abuse. The hospital had arranged for patients’ medical records to be collected and transported to a new location for storage. The paperwork was collected from the hospital on Thursday August 30; however, during transit some of those records fell out of the delivery truck onto a busy Albuquerque street. KRQE News 13 sent reporters to the scene who discovered medical records strewn along Avenida Cesar Chavez at I-25. Some of the paperwork had been collected by members of the public. The paperwork contained highly sensitive personally identifiable information (PII) and protected health information (PHI), including patients’ names, their medical histories, billing...

Read More
NY Attorney General Fines Arc of Erie County $200,000 for Security Breach
Sep04

NY Attorney General Fines Arc of Erie County $200,000 for Security Breach

The Arc of Erie County has been fined $200,000 by the New York Attorney General for violating HIPAA Rules by failing to secure the electronic protected health information (ePHI) of its clients. In February 2018, The Arc of Erie County, a nonprofit social services agency and chapter of the The Arc Of New York, was notified by a member of the public that some of its clients’ sensitive personal information was accessible through its website. The information could also be found through search engines. The investigation into the security breach revealed sensitive information had been accessible online for two and a half years, from July 2015 to February 2018 when the error was corrected. The forensic investigation into the security incident revealed multiple individuals from outside the United States had accessed the information on several occasions. The webpage should only have been accessible internally by staff authorized to view ePHI and should have required a username and password to be entered before access to the data could be gained. In total, 3,751 clients in New York had...

Read More
Mailing Error Resulted in Impermissible Disclosure of 19,570 Missouri Care Members’ PHI
Aug30

Mailing Error Resulted in Impermissible Disclosure of 19,570 Missouri Care Members’ PHI

An error in a mailing to Missouri Care members reminding them to book well-child visits has resulted in the accidental disclosure of the personal information of almost 20,000 children to other Missouri Care members. The personal information detailed in the letters was limited to children’s names, ages, and the names of their provider’s. Health information and other sensitive data was not exposed, so the potential for the information to be misused is low. However, out of an abundance of caution, parents and legal guardians of affected children have been advised to monitor their credit card bills and account statements for any suspicious activity and told not to respond to any email requests asking for further personal information. Free credit monitoring services have been offered to all individuals affected by the breach. WellCare Health Plans Inc., discovered the error on July 25, 2018 and launched an investigation to determine how the error occurred and the individuals that were impacted. The mailing had been sent to 19,570 individuals, although it is unclear how many of those...

Read More
1,790 Patients Impacted by Phishing Attack on Los Angeles Drug and Alcohol Treatment Center
Aug29

1,790 Patients Impacted by Phishing Attack on Los Angeles Drug and Alcohol Treatment Center

The West Los Angeles-based drug and alcohol treatment center, Authentic Recovery Center, is alerting 1,790 individuals that some of their personally identifiable information (PII) and protected health information (PHI) has potentially been obtained by an unauthorized individual as a result of a phishing attack. The phishing attack was discovered on June 21, 2018 prompting a full investigation. The investigation confirmed that the breach was limited to a single email account. All other email accounts and systems remained secure at all times. Access was first gained the email account on June 7, 2018 and continued until the breach was detected on June 21 and the account was secured. An email-by-email analysis of the compromised account revealed it contained the PII and PHI of clients and employees. Employee information accessible through the account was limited to name and driver’s license number, with the exception of two individuals who also had their address, contact telephone number, date of birth, and Social Security number exposed. Clients impacted by the incident had their name...

Read More
July 2018 Healthcare Data Breach Report
Aug24

July 2018 Healthcare Data Breach Report

July 2018 was the worst month of 2018 for healthcare data breaches by a considerable distance. There were 33 breaches reported in July – the same number of breaches as in June – although 543.6% more records were exposed in July than the previous month. The breaches reported in July 2018 impacted 2,292,552 patients and health plan members, which is 202,859 more records than were exposed in April, May, and June combined. A Bad Year for Patient Privacy So far in 2018 there have been 221 data breaches of more than 500 records reported to the Department of Health and Human Services’ Office for Civil Rights. Those breaches have resulted in the protected health information of 6,112,867 individuals being exposed, stolen, or impermissibly disclosed. To put that figure into perspective, it is 974,688 more records than were exposed in healthcare data breaches in all of 2017 and there are still five months left of 2018. Largest Healthcare Data Breaches of 2018 (Jan-July) Entity Name Entity Type Records Exposed Breach Type UnityPoint Health Business Associate 1,421,107 Hacking/IT Incident CA...

Read More
Central Colorado Dermatology Ransomware Attack Potentially Resulted in PHI Access
Aug21

Central Colorado Dermatology Ransomware Attack Potentially Resulted in PHI Access

Central Colorado Dermatology (CCD) has notified more than 4,000 patients that some of their protected health information (PHI) has potentially been accessed by hackers during a ransomware attack on its computer network. An unauthorized individual gained access to CCD’s computer network and deployed ransomware on a server. Medical records and patients’ medical charts were not accessed, although certain files and scanned fax communications were encrypted. Some of those files contained PHI. An investigation was launched to determine whether protected health information was accessed or stolen although it was not possible to determine with a high degree of certainty whether any PHI was viewed or copied. CCD did not uncover any evidence to suggest that PHI had been accessed or stolen, although some of the software that had been installed on its network could have allowed files to be downloaded. The files that could have been accessed including the following information: Names, addresses, contact telephone numbers, dates of birth, email addresses, Insurance information, Social Security...

Read More
Phishing Attack on Legacy Health Results In Exposure of 38,000 Patients’ PHI
Aug21

Phishing Attack on Legacy Health Results In Exposure of 38,000 Patients’ PHI

Legacy Health has discovered an unauthorized individual has gained access to its email system and the protected health information (PHI) of approximately 38,000 patients. The Portland, OR-based health system operates two regional hospitals, four community hospitals, and 70 clinics in Oregon, Southwest Washington, and the and the Mid-Willamette Valley and is the second largest health system in the Portland Metro Area. The data breach was discovered on June 21, 2018, although the email accounts were first accessed by an unauthorized individual in May. Legacy Health determined that access was gained to the email accounts as a result of employees being duped by phishing emails. Email breaches can take a considerable amount of time to investigate. While tools are available to scan email accounts for protected health information, many of the emails in compromised accounts need to be individually checked, which can involve manual checks of hundreds of thousands of messages.  According to Legacy Health Spokesperson Kelly Love, “We’ve been moving at as fast a pace as we can to...

Read More
9,350 Patients of Gordon Schanzlin New Vision Institute Notified of Data Breach
Aug20

9,350 Patients of Gordon Schanzlin New Vision Institute Notified of Data Breach

The Gordon Schanzlin New Vision Institute in La Jolla, CA, is alerting thousands of patients that their medical records may have been stolen after files containing protected health information were discovered in the possession of an individual unauthorized to hold the information. The data breach came to light following an investigation conducted by the U.S. Postal Inspection Service. A raid was conducted on a property in Southern California and a box of medical records was discovered in the property. The files contained information such as names, dates of service, addresses, health insurance information, Social Security numbers, and health and clinical information. Gordon Schanzlin was notified of the discovery on June 15, 2018, and an internal investigation was immediately launched to determine the nature and scope of the breach and how the medical records had been stolen. While it could not be confirmed with 100% certainty, Gordon Schanzlin believes the medical records were part of a batch of files that were stolen from a storage unit that was broken into in October 2017. The...

Read More
Court Approves Anthem $115 Million Data Breach Settlement
Aug20

Court Approves Anthem $115 Million Data Breach Settlement

The $115 million settlement proposed by Anthem Inc., in 2017 to resolve the class action lawsuits filed by victims of its 78.8 million-record data breach in 2015 received final approval on Thursday, August 16. The Anthem cyberattack resulted in plan members’ names, dates of birth, health insurance information, Social Security numbers and other data elements stolen by cybercriminals. Several class-action lawsuits were filed in the wake of the breach, which were consolidated into a single lawsuit by the Judicial Panel for Multidistrict Litigation in June 2015. The case was assigned to the U.S District Court for the Northern District of California, where a large proportion of the class members reside. While 78.8 million individuals had protected health information (PHI) exposed when Anthem’s network was hacked, there are only 19.1 million members of the class action lawsuit, all of whom were able to demonstrate that their personal information was stored in the data center that was attacked by hackers. Following the data breach, Anthem offered breach victims 24 months of credit...

Read More
InterAct of Michigan Discovers Email Account Compromise
Aug17

InterAct of Michigan Discovers Email Account Compromise

InterAct of Michigan, a provider of mental health and substance abuse treatments through clinics in Kalamazoo and Grand Rapids, has discovered an unauthorized individual has gained access to the email account of an employee and potentially viewed and copied the protected health information of 1,290 patients. The attack was discovered on June 8, 2018 prompting a thorough investigation to determine the nature and scope of the breach. Immediate action was taken to terminate access to the compromised account and an internal investigation was launched. A leading computer forensics company was retained to provide assistance with the investigation. On July 30, 2018, InterAct of Michigan determined that the protected health information of certain patients had potentially been accessed. The information was present in emails and email attachments in the compromised account. The exposed PHI included clients’ names and Social Security numbers. For some patients, date of birth, prescription details, and treatment history may also have been accessed. Due to the sensitive nature of the...

Read More
258,000 Wisconsin Residents Notified of Adams County Government Data Breach
Aug17

258,000 Wisconsin Residents Notified of Adams County Government Data Breach

More than 258,000 people have had their personal health information, personal identification information and/or tax information exposed as a result of a data security incident in Adams County, Wisconsin. A potential security breach was detected on March 28, 2018 after questionable activity was identified on the Adams County computer system and network. An investigation was launched to determine whether any sensitive data had been accessed and on June 29, a data breach was confirmed to have occurred. Some evidence has been found that suggests PHI and PII has been accessed and potentially obtained by an unauthorized individual. 258,102 individuals have potentially been affected. The exposed data was collected between January 1, 2013 and March 28, 2018 and were stored on the systems used by the departments of Health and Human Services, Child Support, Veteran Service Office, Extension Office, Adams County Employees, Solid Waste, and the Sheriff’s Office. A criminal investigation has been launched into the breach and the suspect(s) have been prevented from accessing the entire...

Read More
417,000 Individuals Affected by Augusta University Health Phishing Attack
Aug17

417,000 Individuals Affected by Augusta University Health Phishing Attack

A serious data breach has been reported by Augusta University Health that has impacted an estimated 417,000 individuals including patients, faculty members and a limited number of students. Most of the patients affected by the breach had previously received medical services at Augusta University Medical Center or Children’s Hospital of Georgia, although patients from over 80 outpatient clinics in Georgia have also been affected and had their personally identifiable information (PII) and protected health information (PHI) exposed. A wide range of PII and PHI was exposed, including names, addresses, dates of birth, lab test results, diagnoses, medications, treatment information, dates of service, medical record numbers, surgical information, and health insurance details. Augusta University Health said only a small percentage of individuals had a driver’s license number or Social Security number exposed. The PII and PHI were saved in emails and email attachments. Augusta University Health said a data security incident was discovered on September 11, 2017 following a phishing attack on...

Read More