Our HIPAA breach news section covers HIPAA breaches such as unauthorized disclosures of protected health information (PHI), improper disposal of PHI, unauthorized PHI access by cybercriminals and rogue healthcare employees, and other security and privacy breaches.

When known, we explain how the breach occurred, the consequences to patients that may have had their PHI compromised, and the actions being taken by the affected healthcare organization to improve safeguards to prevent further HIPAA breaches.

We also explain any actions being taken by the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) and state attorneys general in relation to those breaches.

OCR investigates all data breaches that impact more than 500 individuals to determine whether any HIPAA violations have occurred. When HIPAA Rules are discovered to have been violated, financial penalties may be deemed appropriate. It can take many months or years before any financial penalties for HIPAA breaches are decided. Financial penalties for HIPAA violations tend to be reserved for the most serious breaches of HIPAA Rules. OCR prefers to resolve cases with voluntary compliance and by issuing recommendations to bring policies in line with HIPAA Rules.

The HIPAA breach news section is particularly relevant to healthcare information security professionals, privacy officers, and other individuals who have some responsibility for HIPAA compliance.

The HIPAA breach news reports highlight common areas of non-compliance and new attack vectors used by cybercriminals to gain access to healthcare networks and PHI, the security failings that allowed them to happen, and the measures that have been implemented to prevent them from happening again.

No healthcare organization wants to experience a data breach, but when a breach does occur, lessons can be learned. HIPAA-covered entities can use these breach examples to help train their staff as well as to discover some of the methods other covered entities have adopted to improve data security.

As you will be able to see from the volume of posts in the HIPAA breach news category, healthcare data breaches occur frequently. In 2016 and 2017, healthcare data breaches have been reported on an almost daily basis.

Our HIPAA breach news section is an important source of information about potential security issues that covered entities should be identifying when conducting their own risk assessments. Many of the situations in our HIPAA breach news posts could have been avoided if a risk assessment had identified a vulnerability that was later exploited to gain access to PHI.

The main purpose for adding HIPAA breach news to this website is to highlight specific aspects of HIPAA compliance that are commonly overlooked, often with serious consequences for the covered entity and patients/health plan members.

By raising awareness of the volume of healthcare data breaches, the implications of those breaches, and the penalties that can result, it is hoped that healthcare providers will take decisive action to prevent their patients’ and members’ data from being exposed.

The most recent healthcare data breach reports are listed below. If you want to find out if a specific covered entity has experienced a data breach, please use the search function in the top right hand corner of this webpage.

2019 Healthcare Data Breach Report
Feb13

2019 Healthcare Data Breach Report

Figures from the Department of Health and Human Services’ Office for Civil Rights breach portal show a major increase in healthcare data breaches in 2019. Last year, 510 healthcare data breaches of 500 or more records were reported, which represents a 196% increase from 2018. As the graph below shows, aside from 2015, healthcare data breaches have increased every year since the HHS’ Office for Civil Rights first started publishing breach summaries in October 2009. 37.47% more records were breached in 2019 than 2018, increasing from 13,947,909 records in 2018 to 41,335,889 records in 2019. Last year saw more data breaches reported than any other year in history and 2019 was the second worst year in terms of the number of breached records. More healthcare records were breached in 2019 than in the six years from 2009 to 2014. In 2019, the healthcare records of 12.55% of the population of the United States were exposed, impermissibly disclosed, or stolen. Largest Healthcare Data Breaches of 2019 The table below shows the largest healthcare data breaches of 2019, based on the entity...

Read More
Hospital Sisters Health System Email Breach Impacts 16,167 Patients
Feb12

Hospital Sisters Health System Email Breach Impacts 16,167 Patients

Hospital Sisters Health System has recently discovered an email security breach in August 2019 potentially resulted in unauthorized individuals gaining access to access emails and email attachments containing the protected health information of 16,167 patients. Hospital Sisters Health System is a 15-hospital health system serving patients in Illinois and Wisconsin. Between August 6, 2019 and August 9, 2019, unauthorized individuals gained access to the email accounts of several employees. Prompt action was taken to secure the affected email accounts by changing passwords and a leading computer forensic firm was retained to investigate the breach and determine whether the compromised accounts contained patient information. On December 2, 2019, Hospital Sisters Health System was informed that patient information had potentially been accessed by the attackers. The compromised email accounts were found to contain patient names, birth dates, and a limited amount of clinical information. Some patients also had their health insurance information, Social Security number, and/or driver’s...

Read More
PHI Exposed Due to Sunshine Behavioral Health Group Amazon AWS S3 Bucket Misconfiguration
Feb11

PHI Exposed Due to Sunshine Behavioral Health Group Amazon AWS S3 Bucket Misconfiguration

Portland, OR-based Sunshine Behavioral Health Group, a network of drug an alcohol addiction treatment facilities in California, Colorado, and Texas, has experienced a breach of sensitive patient information. An Amazon AWS S3 bucket was misconfigured which allowed files containing patient billing information to be accessed over the internet. An individual discovered the breach and reported it to Dissent at Databreaches.net. Dissent verified the data and contacted Sunshine Behavioral Health on September 4, 2019 to report the breach and ensure the S3 bucket was secured. Dissent reports that the exposed S3 bucket contained approximately 93,000 files, although that did not correspond to 90,000 patients. A notification about the data breach was sent by ID Experts to the Vermont Attorney General which explains the error was identified on September 4, 2019. The report states that steps were taken to prevent the records from being accessed by unauthorized individuals and further actions were taken on November 14, 2019 to remove the records from general internet access. On December 23, 2019,...

Read More
Slew of Email Security Breaches Reported by Healthcare Organizations
Feb10

Slew of Email Security Breaches Reported by Healthcare Organizations

A further 5 healthcare data breaches of 500 or more records have recently been reported by HIPAA-covered entities and their business associates. Email Account Breach Reported by Shields Health Solutions Shields Health Solutions, a Stoughton, MA-based provider of specialty pharmacy services to hospitals and other covered entities, has discovered an unauthorized individual gained access to the email account of an employee and potentially viewed/copied protected health information. Suspicious activity was detected in the email account of an employee on October 24, 2019. Assisted by a cybersecurity firm, Shields Health Solutions determined an unauthorized individual accessed the account between October 22 and October 24, 2019. The breach was confined to a single email account. The email account contained messages and attachments that included patient names, dates of birth, medical record numbers, provider names, clinical information, prescription information, insurer names, and limited claims information. No evidence was uncovered that suggests patient information was accessed or...

Read More
Health Share of Oregon Notifies 654,000 Members About Business Associate Data Breach
Feb07

Health Share of Oregon Notifies 654,000 Members About Business Associate Data Breach

Oregon’s Medicaid coordinated-care organization, Health Share of Oregon, is notifying approximately 654,000 current and former members that some of their protected health information (PHI) was stored on a laptop computer stolen from its transportation vendor, GridWorks. GridWorks was contracted to manage Health Share’s Ride to Care program, through which Health Share provided non-emergent transportation for its members. Health Share’s policies require business associates to use encryption on all portable devices containing patient information but, for reasons unknown, the GridWorks laptop was not encrypted. PHI stored on the laptop computer included names, addresses, contact telephone numbers, birth dates, Health Share ID numbers, Medicaid numbers, and Social Security numbers. The laptop was stolen in a burglary at GridWorks’ office in November 2019. GridWorks notified Health Share about the laptop theft on January 2, 2020. Health Share started sending notification letters on February 5 to all individuals whose PHI was stored on the laptop. Affected individuals have been offered...

Read More
New York Nursing Center and Phoenix Children’s Hospital Affected by Phishing Attacks
Feb04

New York Nursing Center and Phoenix Children’s Hospital Affected by Phishing Attacks

Village Center for Care dba VillageCare Rehabilitative and Nursing Center (VRNC) and Village Senior Services Corporation dba VillageCareMAX (VCMAX) have fallen victim to a business email compromise (BEC) attack. BEC attacks involve the impersonation of an executive, either using the executive’s genuine email account compromised in a previous attack or by spoofing the executive’s email address. An unauthorized individual, pretending to be member of the executive team, requested sensitive information on VRNC patients and VCMAX members. Believing the request to be legitimate, the employee responded and provided the information as requested. VCMAX and VRNC were alerted to a potential BEC attack on or around December 30, 2019. The investigation confirmed the request was not genuine and sensitive information on VRNC patients and VCMAX members had been impermissibly disclosed. The information sent via email included the names and Medicaid ID numbers of 2,645 VCMAX members and first and last names, dates of birth, insurance provider names, and Insurance ID numbers of 674 VRNC patients....

Read More
Malware Attack Results in Corruption of Medical Records: 30,000 Patients Affected
Feb03

Malware Attack Results in Corruption of Medical Records: 30,000 Patients Affected

On November 21, 2019, Fondren Orthopedic Group, an association of private orthopedic surgery practitioners in Houston and the surrounding areas, experienced a cyberattack that affected certain parts of its IT system. In a substitute breach notice posted on its website, the incident was described as a malware attack that damaged the medical records of certain patients. Prompt action was taken to contain the infection and its systems were restored; however, the medical records corrupted by the malware could not be recovered and have been permanently lost. The corrupted records included patients’ names, addresses, telephone numbers, health insurance information, and diagnosis and treatment information. All patients affected by the incident were current or former patients of Dr. K. Matthew Warnock. Third party forensic investigators were engaged to assist with the investigation and found no evidence of unauthorized data access or exfiltration of data. Fondren Orthopedic Group is reviewing data security policies and procedures and will be enhancing its security protocols to improve...

Read More
Data Breaches Reported by Manchester Ophthalmology, UnitedHealthcare, and Cook County Health
Feb03

Data Breaches Reported by Manchester Ophthalmology, UnitedHealthcare, and Cook County Health

Manchester Ophthalmology in Connecticut has experienced a cyberattack in which the attackers may have gained access to patient information.  The eye care provider became aware of the cyberattack on November 25, 2019 when employees noticed unusual activity on the network. Assisted by a third-party technology firm, it was determined later that day that hackers had gained access to its systems and attempted to deploy ransomware. Access was first gained to the network on November 22, 2019 and continued until November 25. The investigation found no evidence to suggest any patient information was accessed or downloaded by the attackers, but during the investigation it was determined that certain patient information had not been backed up and could not be recovered. The types of data lost included names, patient-created medical histories, and details of the care those patients received at Manchester Ophthalmology. Patients have been advised to exercise caution and monitor their accounts and explanation of benefits statements for any sign of fraudulent use of their information. Manchester...

Read More
Website Error Exposed Personal and Health Data of LabCorp Patients
Jan30

Website Error Exposed Personal and Health Data of LabCorp Patients

Researchers at TechCrunch have identified a security flaw in a website hosting an internal customer relationship management system used by the clinical laboratory network LabCorp. While the system was password protected, the researchers found a flaw in the part of the system that pulled patient files from the back-end system. The flaw allowed patient data to be accessed without requiring a password and the web address was visible to search engines. Google had cached only one document containing the health data of a patient, but by changing the document number in the web address the researchers were able to open other documents containing patient health information. The researchers examined a small selection of files to see what types of data had been exposed. The documents mostly contained information about patients who had tests conducted by LabCorp’s Integrated Oncology specialty testing unit. The documents contained personal information such as names and dates of birth, lab test results and diagnostic data, and for some patients, Social Security numbers. TechCrunch researchers...

Read More
Iowa Department of Human Services Notifies 4,784 Patients About Improper Disposal Incident
Jan27

Iowa Department of Human Services Notifies 4,784 Patients About Improper Disposal Incident

The Iowa Department of Human Services has announced that the protected health information of 4,784 individuals has accidentally been exposed. On November 25, 2019, a member of staff disposed of documents containing the protected health information of Dallas County clients in a regular garbage dumpster, instead of sending the records for shredding. By the time the improper disposal incident was discovered, the dumpster had been emptied. An investigation was launched which revealed the custodial employee who disposed of the paperwork was unaware that the documents contained confidential information. It was not possible to determine exactly which patients were affected, so notification letters were sent to all individuals potentially impacted by the breach. The documents likely contained information such as names, dates of birth, mailing addresses, driver’s license numbers, Social Security numbers, disability information, medical information, banking and wage information, receipt of Medicaid, mental health information, provider names, prescriptions, and substance abuse and illegal...

Read More
Beaumont Health Discovers 20-Month Insider Breach
Jan27

Beaumont Health Discovers 20-Month Insider Breach

Beaumont Health, a not-for-profit 8-hospital health system based in Southfield, MI, has discovered a former employee has accessed the medical records of patients without authorization and is understood to have shared protected health information with another individual. An internal investigation was launched when it was discovered medical records had been accessed without authorization. A review of the former employee’s access logs revealed the unauthorized access first occurred on February 1, 2017 and continued until October 22, 2019. The breach was discovered in December 2018. Beaumont Health said its internal investigation determined on December 10, 2019 that the medical records of 1,182 patients were accessed over a period of 20 months. The information potentially obtained and disclosed included names, addresses, contact telephone numbers, dates of birth, email addresses, health insurance information, reason why medical care was sought, and Social Security numbers. The individual to whom the information was believed to have been disclosed was affiliated with a personal injury...

Read More
Nearly 200,000 Patients Impacted by PIH Health Phishing Attack
Jan24

Nearly 200,000 Patients Impacted by PIH Health Phishing Attack

PIH Health, a 2-hospital nonprofit healthcare network based in Whittier, CA, has started notifying nearly 200,000 patients about a potential breach of their personal and protected health information in June 2019. On June 18, 2019, PIH Health discovered the email accounts of certain employees had been accessed by unauthorized individuals as a result of a targeted phishing attack on its employees. The email accounts were immediately secured and an investigation was launched to determine the nature and extent of the breach. PIH Health engaged leading cybersecurity experts to assist with the investigation and was notified on October 2, 2019, that the email accounts were subject to unauthorized access between June 11, 2019 and June 18, 2019. The email accounts were then reviewed by the same cybersecurity experts to determine whether they contained any patient information. The review was completed on November 12, 2019. PIH Health then attempted to obtain up to date contact information for current and former patients affected by the breach. Notifications were sent by mail to those...

Read More
December 2019 Healthcare Data Breach Report
Jan21

December 2019 Healthcare Data Breach Report

There were 38 healthcare data breaches of 500 or more records reported to the Department of Health and Human Services’ Office for Civil Rights in December 2019, an increase of 8.57% from November 2019. While the number of breaches increased, there was a major reduction in the number of exposed healthcare records, falling from 607,728 records in November 2019 to 393,189 records in December 2019 – A drop of 35.30%. In December the mean breach size was 10,347 records and the median breach size was 3,650 records. It has been a particularly bad year for healthcare data breaches. 2019 was the second worst ever year for healthcare data breaches in terms of the number of patients impacted by breaches. 41,232,527 healthcare records were exposed, stolen, or impermissibly disclosed in 2019. That’s 195.61% more than 2018. More healthcare records were breached in 2019 than in the previous three years combined. The number of reported data breaches also increased 36.12% year-over-year, from 371 breaches in 2018 to 505 breaches in 2019. That makes 2019 the worst every year in terms of the number...

Read More
Phishing Attack Reported by Adventist Health Sonora
Jan20

Phishing Attack Reported by Adventist Health Sonora

Adventist Health Sonora in California has discovered an unauthorized individual has gained access to the email account of a hospital associate and potentially viewed patient information. The email account breach was detected by Adventist Health Sonora’s information security team on September 30, 2019. Immediate action was taken to secure the compromised Office 365 account and an investigation was launched to determine the extent of the breach. The investigation confirmed that access to the Office 365 account was gained following a response to a phishing email and that it was an isolated incident. No other email accounts or systems were affected. The purpose of the attack appears to have been to redirect invoice payments and defraud the hospital and its vendors, rather than to obtain sensitive patient information. According to Adventist Health Sonora, a comprehensive review of the affected account revealed on October 14, 2019 that the account contained the protected health information of 2,653 patients. The types of information exposed included names, dates of birth, medical record...

Read More
Quest Health Systems Discovers Additional Patients Impacted by 2018 Phishing Attack
Jan17

Quest Health Systems Discovers Additional Patients Impacted by 2018 Phishing Attack

Health Quest, now part of Nuvance Health, has discovered the phishing attack it experienced in July 2018 was more extensive than previously thought. Several employees were tricked into disclosing their email credentials by phishing emails, which allowed unauthorized individuals to access their accounts. A leading cybersecurity firm was engaged to assist with the investigation and determine whether any patient information had been compromised. In May 2019, Quest Health learned that the protected health information of 28,910 patients was contained in emails and attachments in the affected accounts and notification letters were sent to those individuals. The compromised accounts contained patient names, contact information, claims information, and some health data. A secondary investigation of the breach revealed on October 25, 2019 that another employee’s email account was compromised which contained protected health information. According to the substitute breach notification on the Quest Health website, the compromised information varied from patient to patient, but may have...

Read More
44,000 Patients Impacted by Phishing Attacks on InterMed and Spectrum Healthcare Partners
Jan17

44,000 Patients Impacted by Phishing Attacks on InterMed and Spectrum Healthcare Partners

The Portland, ME-based healthcare provider InterMed is notifying 33,000 patients that some of their protected health information has potentially been compromised as a result of a phishing attack. The attack was detected on September 6, 2019. An internal investigation confirmed that the account was compromised on September 4 and the attackers had access to the account until September 6, 2019. A leading national computer forensic firm was engaged to investigate the breach and discovered a further three email accounts had also been compromised between September 7 and September 10, 2019. A comprehensive review of the affected email accounts was conducted but it was not possible to determine what emails or attachments, if any, had been viewed by the attackers. The types of information in the compromised accounts varied from patient to patient and may have included patients’ names, dates of birth, health insurance information, and some clinical information. A “very limited” number of patients also had their Social Security number exposed. InterMed started mailing breach notification...

Read More
Phishing Attack on SouthEast Eye Specialist Group Impacts 13,000 Patients
Jan16

Phishing Attack on SouthEast Eye Specialist Group Impacts 13,000 Patients

SouthEast Eye Specialist (SEES) Group in Franklin, TN, is notifying 13,000 patients that some of their protected health information has been exposed as a result of a recent phishing attack. It is unclear from the SEES Group’s substitute breach notice when the phishing attack occurred, but on November 1, 2019, SEES Group determined patient information was contained in email accounts that were accessed by unknown individuals. The breach was discovered when the IT department identified suspicious activity in some employee email accounts. A third-party computer forensics company was retained to assist with the investigation and determine whether any emails or email attachments containing patient information had been viewed or copied by the attackers. The investigation uncovered no evidence to suggest that patient information was viewed or obtained by unauthorized individuals, but it was not possible to rule out the possibility that patient information had been compromised. A painstaking analysis of all emails in the affected accounts revealed they contained information on patients...

Read More
Enloe Medical Center Continues to Experience EMR Downtime Due to Ransomware Attack
Jan15

Enloe Medical Center Continues to Experience EMR Downtime Due to Ransomware Attack

A California healthcare provider was attacked with ransomware and two weeks on and its medical record system is still out of action. Enloe Medical Center in Chico, CA, discovered the attack on January 2, 2020. Its entire network was encrypted, including its electronic medical record (EMR) system, which prevented staff from accessing patient information. Emergency protocols were immediately implemented to ensure care could still be provided to patients and only a limited number of elective medical procedures had to be rescheduled. The attack also affected the telephone system which was taken out of action on the day of the attack. The telephone system was restored the following day but its EMR system is still out of action and employees are continuing to rely on pen and paper for recording patient data. While there were some cancelled appointments in the first week after the attack, Enloe Medical Center says care is being provided to patients without delay while work continues to restore its systems. No information has been released on the type of ransomware involved, but the...

Read More
Ransomware Attacks Reported by Florida and Texas Healthcare Providers
Jan10

Ransomware Attacks Reported by Florida and Texas Healthcare Providers

It is becoming increasingly common for threat actors to use ransomware to encrypt files to prevent data access, but also to steal data and threaten to publish or sell on the stolen data if the ransom is not paid. This new tactic is intended to increase the likelihood of victims paying the ransom. The Center for Facial Restoration in Miramar, FL, is one of the latest healthcare providers to experience such an attack. Richard E. Davis MD FACS of The Center for Facial Restoration received a ransom demand on November 8, 2019 informing him that his clinic’s server had been breached and data had been stolen. The attacker said the data could be publicly exposed or traded with third parties if the ransom was not paid. Dr. Davis filed a complaint with the FBI’s Cyber Crimes Center and met with the FBI agents investigating the attack. After the attack occurred, Dr. Davis was contacted by around 15-20 patients who had also been contacted by the attacker and issued with a ransom demand. The patients were told that their photographs and personal data would be published if the ransom demand was...

Read More
Alomere Health Phishing Attack Impacts 49,351 Patients
Jan09

Alomere Health Phishing Attack Impacts 49,351 Patients

Alomere Health in Alexandria, MN is notifying almost 50,000 patients that some of their protected health information was potentially accessed by unauthorized individuals as a result of a phishing attack. Alomere Health learned about the phishing attack on November 6, 2019 and launched an internal investigation which confirmed the account was accessed by an unauthorized individual between October 31 and November 1, 2019. A computer forensics company was engaged to assist with the investigation and discovered on November 10, 2019 that a second email account had been breached on November 6. A comprehensive review of the compromised accounts revealed some emails and email attachments contained protected health information. The types of information potentially compromised in the attack varied from patient to patient and may have included the following data elements: Names, addresses, dates of birth, medical record numbers, health insurance information, treatment information, and/or diagnosis information. A limited number of Social Security numbers and driver’s license numbers were also...

Read More
Up to 25K Patients of the Native American Rehabilitation Association of the Northwest Affected by Malware Attack
Jan09

Up to 25K Patients of the Native American Rehabilitation Association of the Northwest Affected by Malware Attack

Portland, OR-based Native American Rehabilitation Association of the Northwest, Inc., (NARA), a provider of education, physical and mental health services and substance abuse treatment services to native Americans, is alerting certain individuals about a malware infection that has potentially allowed unauthorized individuals to gain access to their protected health information. NARA reports that the attack occurred on November 4, 2019. The malware initially bypassed security systems but was detected later that afternoon. The threat was contained by November 5, 2019 and all passwords on email accounts were reset by November 6. The malware was determined to be the Emotet Trojan: A credential stealer that can also exfiltrate emails and email attachments. It is therefore possible that the attackers obtained emails and attachments in the compromised accounts, some of which included protected health information. According to a NARA press release issued on January 3, 2020, the forensic investigation confirmed that the protected health information of 344 individuals was either accessed by...

Read More
HIPAA Enforcement in 2019
Jan02

HIPAA Enforcement in 2019

It has been another year of heavy enforcement of HIPAA compliance. HIPAA enforcement in 2019 by the Department of Health and Human Services’ Office for Civil Right (OCR) has resulted in 10 financial penalties. $12,274,000 has been paid to OCR in 2019 to resolve HIPAA violation cases. 2019 saw two civil monetary penalties issued and settlements were reached with 8 entities, one fewer than 2018. In 2019, the average financial penalty was $1,227,400. Particularly egregious violations will attract financial penalties, but some of the HIPAA settlements in 2019 provide insights into OCRs preferred method of dealing with noncompliance. Even when HIPAA violations are discovered, OCR prefers to settle cases through voluntary compliance and by providing technical assistance. When technical assistance is provided and covered entities fail to act on OCR’s advice, financial penalties are likely to be issued. This was made clear in two of the most recent HIPAA enforcement actions. OCR launched compliance investigations into two covered entities after being notified about data breaches. OCR...

Read More
North Ottawa Community Health System Discovers 3-Year Insider Breach
Dec30

North Ottawa Community Health System Discovers 3-Year Insider Breach

North Ottawa Community Health System (NOCH) has discovered an employee at North Ottawa Community Hospital in Grand Haven, MI, accessed the medical records of patients without authorization over a period of 3 years. The matter was brought to the attention of the health system on October 15 by another employee. An investigation into the alleged inappropriate access was launched on October 17 and the employee was suspended pending the outcome of the investigation. NOCH confirmed on November 25, 2019 that the employee had accessed the medical records of 4,013 patients without any legitimate work reason for doing so between May 2016 and October 2019. There appeared to be no discernible pattern to the unauthorized access. Patient records appeared to have been accessed at random. No evidence was found to suggest that any patient information was stolen. NOCH believes the employee was accessing patient information out of curiosity. The types of information potentially accessed included names, dates of birth, Social Security numbers, Medicare and Medicaid numbers, health insurance...

Read More
Ann & Robert H. Lurie Children’s Hospital of Chicago Fires Worker for Unauthorized Medical Record Access
Dec30

Ann & Robert H. Lurie Children’s Hospital of Chicago Fires Worker for Unauthorized Medical Record Access

Ann & Robert H. Lurie Children’s Hospital of Chicago, a pediatric specialty hospital in Chicago, IL, has discovered a former employee accessed the medical records of certain patients without a legitimate work reason for doing so. The unauthorized access occurred between September 10, 2018 and September 22, 2019. The hospital learned of the HIPAA violation on November 15, 2019 and immediately terminated the employee’s access to all patient information while the incident was investigated. The employee was subsequently disciplined for the violation of HIPAA and hospital policies and was terminated. The employee was unable to view full Social Security numbers, financial information, or health insurance information. The only types of information that could have been viewed were names, addresses, dates of birth, diagnoses, appointment dates, medical procedures, and other limited medical information. The breach notice published on the hospital’s website makes no mention of the reason why the former employee was accessing patient information, but the hospital says there is no reason to...

Read More
New Mexico Hospital Discovers Malware on Imaging Server
Dec26

New Mexico Hospital Discovers Malware on Imaging Server

Roosevelt General Hospital in Portales, New Mexico has discovered malware on a digital imaging server used by its radiology department. The malware potentially allowed cybercriminals to gain access to the radiological images of around 500 patients. The malware infection was discovered on November 14, 2019 and prompt action was taken to isolate the server to prevent further unauthorized access and block communications with the attackers’ command and control server. The IT department was able to remove the malware and rebuild the server and all patient data was recovered. A scan was conducted to identify any vulnerabilities and the hospital is now satisfied that the server is secured and protected. The investigation into the breach did not uncover any evidence to suggest protected health information and medical images were viewed or stolen by the hackers, but the possibility of unauthorized data access and PHI theft could not be ruled out. The investigation into the security breach is continuing but the hospital’s IT department has confirmed that the breach was limited to the imaging...

Read More
Colorado Department of Human Services and Sinai Health System Alert Patients About HIPAA Breaches
Dec24

Colorado Department of Human Services and Sinai Health System Alert Patients About HIPAA Breaches

The State of Colorado is notifying 12,230 individuals about an impermissible disclosure of some of their protected health information as a result of a mailing error. The error occurred on a Colorado Department of Human Services mailing of Notices to Reapply for food and cash assistance programs. The error came to light on November 6, 2019. The investigation revealed 10,879 Notice to Reapply forms had been sent which contained the information of incorrect individuals. The information of 12, 230 individuals had been incorrectly included on the forms. The information included names, employers, whether the person had a vehicle, and a limited amount of other information related to household resources. No addresses, dates of birth, financial information, Social Security numbers, or other information required for identity theft and fraud were disclosed. Affected individuals were notified about the error on November 10, 2019 and have been advised to either shred the incorrect notices or take them to their local county human services’ office for secure disposal. The risk of misuse of PHI is...

Read More
November 2019 Healthcare Data Breach Report
Dec20

November 2019 Healthcare Data Breach Report

In November 2019, 33 healthcare data breaches of 500 or more records were reported to the Department of Health and Human Services’ Office for Civil Rights (OCR). That represents a 36.5% decrease in reported breaches from October – The worst ever month for healthcare data breaches since OCR started listing breaches on its website in October 2009. The fall in breaches is certainly good news, but data breaches are still occurring at a rate of more than one a day. 600,877 healthcare records were exposed, impermissibly disclosed, or stolen in November. That represents a 9.2% decrease in breached healthcare records from October, but the average breach size increased by 30.1% to 18,208 records in November.   Largest Healthcare Data Breaches in November 2019 Name of Covered Entity Covered Entity Type Individuals Affected Type of Breach Location of Breached PHI Ivy Rehab Network, Inc. and its affiliated companies Healthcare Provider 125000 Hacking/IT Incident Email Solara Medical Supplies, LLC Healthcare Provider 114007 Hacking/IT Incident Email Saint Francis Medical Center Healthcare...

Read More
CMS Blue Button 2.0 Coding Bug Exposed PHI of 10,000 Medicare Beneficiaries
Dec19

CMS Blue Button 2.0 Coding Bug Exposed PHI of 10,000 Medicare Beneficiaries

The Centers for Medicare and Medicaid Services (CMS) has discovered a bug in its Blue Button 2.0 API exposed the protected health information of around 10,000 Medicare beneficiaries. Access to the Blue Button API has been temporarily suspended while the CMS completes a comprehensive code review. The CMS has not produced a timeline for when the Blue Button 2.0 service will be resumed. On December 4, 2019, the CMS was alerted to a data anomaly with the Blue Button API by a third-party application partner. The CMS confirmed the data anomaly and immediately suspended access to the production environment while the matter was investigated. The CMS determined the anomaly was due to a coding bug. That bug potentially allowed data to be shared with incorrect Blue Button 2.0 applications and the wrong beneficiaries. The CMS determined 30 applications have been impacted by the bug. The Blue Button platform is used by Medicare beneficiaries to authorize third-party applications, services, and research programs to access their claims data. A CMS identity management system verifies user...

Read More
Email Security Breaches Reported by Conway Medical Center and Equinox Inc.
Dec19

Email Security Breaches Reported by Conway Medical Center and Equinox Inc.

The email accounts of several employees of Conway Medical Center in South Carolina have been accessed by unauthorized individuals. The phishing attack was detected on October 7, 2019 and affected email accounts were immediately secured to prevent further unauthorized access. External cybersecurity experts were engaged to investigate the breach and determine whether patient information had been viewed or acquired. The investigators determined that the first email accounts were compromised in or before July 2019. It took until November 20, 2019 for the investigators to confirm that the protected health information of patients had been exposed as each email had to be checked to determine whether it contained PHI and if it had been accessed. That was largely a manual process. The way the email accounts were accessed meant emails may have synchronized with the attacker’s computer and could have been automatically downloaded. Those emails contained names, addresses, Social Security numbers, dates of birth, phone numbers, dates of admission, discharge dates, CMC account numbers, amount...

Read More
Tidelands Health Recovering from Malware Attack
Dec19

Tidelands Health Recovering from Malware Attack

Tidelands Health in Georgetown, SC, is working round the clock to restore its computer systems after the discovery of malware on its network on December 12, 2019. The attack has forced the healthcare provider to shut down parts of its network and implement emergency protocols. Staff have been using paper records for patients while the malware is removed and systems are restored and brought back online. Patients are being seen and quality care is still being provided, although a limited number of non-emergency appointment have had to be rescheduled, according to Tidelands Health spokesperson, Dawn Bryant. The type of malware involved has not been disclosed, although Tidelands Health has said no data was lost and patient information was not compromised. Third-party cybersecurity experts have been engaged to investigate the attack, remove the malware, and restore its systems. That is a time-consuming, methodical process as the stability and integrity of every system must be thoroughly assessed before it is possible to bring each back online. Stolen Children’s Hope Alliance...

Read More
Truman Medical Centers Notifies 114,466 Patients of Potential PHI Exposure
Dec17

Truman Medical Centers Notifies 114,466 Patients of Potential PHI Exposure

Truman Medical Centers, the largest provider of inpatient and outpatient services in Kansas City, MO, has discovered the protected health information of 114,466 patients was stored on an unencrypted laptop computer that was stolen from the vehicle of one of its employees. The laptop was protected with a password, but it is possible that the password could be cracked and data on the device accessed. At the time of issuing the notifications, Truman Medical Centers has not uncovered any evidence to suggest that any patient information has been accessed by unauthorized individuals or has been misused. The types of information on the laptop varied from patient to patient and may have included patient names along with one or more of the following types of information: Dates of birth, patient account numbers, medical record numbers, Social Security numbers, health insurance information, and limited medical and treatment information, such as diagnoses, dates of service, and provider names. The theft occurred on July 18, 2019, but it took until October 29, 2019 to determine that patient...

Read More
Hackensack Meridian Health Recovering from Ransomware Attack
Dec16

Hackensack Meridian Health Recovering from Ransomware Attack

Hackensack Meridian Health, the largest health network in New Jersey, has announced it experienced a cyberattack last week that saw ransomware deployed on its network. The attack saw files encrypted and took its network offline for two days. Without access to computer systems and medical records, Hackensack Meridian Health was forced to cancel non-emergency medical procedures and doctors and nurses had to switch to pen and paper to allow care to continue to be provided to patients. The attack was detected quickly, law enforcement and regulators were immediately notified, and cybersecurity experts were consulted to determine the best course of action. The health network initially announced that it was experiencing external technical issues so as not to interfere with the investigation but confirmed later in the week that the incident was a ransomware attack. When ransomware is deployed, files need to be restored from backups and systems may need to be rebuilt. That process can take several weeks. In order to prevent continued disruption to patient services, the decision was taken to...

Read More
$85,000 Penalty for Korunda Medical for HIPAA Right of Access Failures
Dec13

$85,000 Penalty for Korunda Medical for HIPAA Right of Access Failures

The Department of Health and Human Services’ Office for Civil Rights has announced its second enforcement action under its HIPAA Right of Access Initiative. Florida-based Korunda Medical has agreed to settle potential violations of the HIPAA Right of Access and will adopt a corrective action plan and bring its policies and procedures in line with the requirements of the HIPAA Privacy Rule. In March 2019, OCR received a complaint from a patient who alleged she had not been provided with a copy of her medical records in the requested electronic format despite making repeated requests. The complainant alleged that Korunda Medical refused to send an electronic copy of her medical records to a third party and was overcharging patients for providing copies of their medical records. Under HIPAA, covered entities are only permitted to charge a reasonable, cost-based fee for providing access to patients’ protected health information. The initial complaint was filed with OCR on March 6, 2019. On March 18, 2019, OCR provided technical assistance to Korunda Medical on the HIPAA Right of Access...

Read More
Ransomware Attack on The Cancer Center of Hawaii Delayed Radiation Therapy for Patients
Dec13

Ransomware Attack on The Cancer Center of Hawaii Delayed Radiation Therapy for Patients

On November 5, 2019 The Cancer Center of Hawaii in Oahu was attacked with ransomware. The attack forced the Cancer Center to shut down its network servers, which meant it was temporarily prevented from providing radiation therapy to patients at Pali Momi Medical Center and St. Francis’ hospital in Liliha. While patient services experienced some disruption, no patient information is believed to have been accessed by the attackers. The forensic investigation into the breach is ongoing but all data stored on its radiology machines has been recovered and its network is now fully operational. It is unclear for how long its network was down and no information has been released so far on the types of patient information that may have been accessed. The Cancer Center has notified the FBI about the breach and will report the incident to appropriate authorities, if the forensic investigators confirm that patient data may have been accessed. The breach was confined to the Cancer Center’s systems. Pali Momi Medical Center and St. Francis’ hospital were unaffected by the attack as their patient...

Read More
Patients Notified of Phishing Attack at Cheyenne Regional Medical Center
Dec12

Patients Notified of Phishing Attack at Cheyenne Regional Medical Center

Cheyenne Regional Medical Center in Wyoming has recently learned that patient information may have been compromised as a result of a phishing attack discovered in April. The medical center was alerted to a potential security breach following the detection of suspicious activity related to employee payroll accounts on or around April 5, 2019. Around a week later, the medical center learned that employee email accounts had been compromised. The investigation revealed the attackers had gained access to employee email accounts between March 27, 2019 and April 8, 2019. The aim of the attack appears to have been to access employee payroll information, although patient information contained in email accounts may also have been accessed. The types of information potentially accessed varied from patient to patient and may have included names, dates of birth, Social Security numbers, driver’s license numbers, dates of service, provider names, medical record numbers, patient identification numbers, medical information, diagnoses, treatment information, and health insurance information. A very...

Read More
Phishing Attacks Reported by Sunrise Community Health and Katherine Shaw Bethea Hospital
Dec11

Phishing Attacks Reported by Sunrise Community Health and Katherine Shaw Bethea Hospital

Evans, CO-based Sunrise Community Health has discovered the email accounts of several employees were compromised as a result of employees responding to phishing emails. The email accounts were accessed by unauthorized individuals between September 11, 2019 and November 22, 2019. Assisted by third party computer forensics experts, Sunrise Community Health determined on November 5, 2019 that the compromised email accounts contained the protected health information of certain patients. The types of data present in the email accounts varied from patient to patient and may have included names, dates of birth, Sunrise patient ID numbers, Sunrise provider names, dates of service, types of clinical examinations performed, the results of those examinations, diagnoses, medication names, and names of health insurance carriers. Sunrise Community Health does not believe the aim of the attack was to obtain patient information, but the possibility of unauthorized data access and data theft could not be ruled out. The attackers appeared to be targeting invoice and payroll information. The...

Read More
Ransomware Attack on Managed Service Provider Impacts More than 100 Dental Practices
Dec09

Ransomware Attack on Managed Service Provider Impacts More than 100 Dental Practices

A Colorado IT firm that specializes in providing managed IT services to dental offices has been attacked with ransomware. Through the firm’s systems, more than 100 dental practices have also been attacked and have had ransomware deployed on their networks. The attack on Englewood, CO-based Complete Technology Solutions (CTS) commenced on November 25, 2019. According to a report on KrebsonSecurity, CTS was issued with a ransom demand of $700,000 for the keys to unlock the encryption. The decision was taken not to pay the ransom. In order to provide IT services to the dental practices, CTS is able to logon to their systems using a remote access tool. That tool appears to have been abused by the attackers, who used it to access the systems of all its clients and deploy Sodinokibi ransomware. Some of the dental practices impacted by the attack have been able to recover data from backups, specifically, dental practices that had a copy of their backup data stored securely offsite. Many dental practices are still without access to their data or systems and are turning patients away due to...

Read More
Southeastern Minnesota Oral & Maxillofacial Surgery Ransomware Attack Impacts 80,000 Patients
Dec06

Southeastern Minnesota Oral & Maxillofacial Surgery Ransomware Attack Impacts 80,000 Patients

Southeastern Minnesota Oral & Maxillofacial Surgery (SEMOMS) has announced it has been attacked with ransomware and that the protected health information of up to 80,000 patients was potentially compromised in the attack. The attack was detected on September 23, 2019. The IT team responded and isolated the affected server and took steps to restore the encrypted data. It is unclear whether the ransom was paid or if the IT team was able to restore the server from backups. Assisted by computer forensics experts, SEMOMS determined that the affected server contained names and X-ray images and that the server had been accessed by an unauthorized individual. No evidence was uncovered to suggest any patient information was accessed or exfiltrated by the attackers, but the possibility of unauthorized ePHI access and data theft could not be discounted. Consequently, notification letters have been sent to all individuals whose protected health information was potentially compromised. Healthcare Administrative Partners Phishing Attack Impacts 17,693 Patients Healthcare Administrative...

Read More
Kalispell Regional Healthcare Sued Over 130,000-Record Data Breach
Dec05

Kalispell Regional Healthcare Sued Over 130,000-Record Data Breach

Kalispell Regional Healthcare in Montana is being sued over a phishing attack in which hackers gained access to employee email accounts containing the protected health information of almost 130,000 patients. The compromised email accounts contained patient information such as names, contact information, medical bill account numbers, medical histories, and health insurance information. Approximately 250 individuals also had their Social Security number exposed. The phishing attack occurred in May 2019, but it was not initially clear which, if any, patients had been affected. It took until August for forensic investigators to determine that patient information had potentially been compromised. All affected patients were notified, and the health system offered 12 months of free credit monitoring and identity theft protection services to patients whose Social Security numbers had potentially been compromised. One of the patients whose personal and health information was compromised, William Henderson, has now taken legal action over the data breach. The lawsuit was filed in Cascade...

Read More
Nebraska Medicine Discovers Insider Data Breach
Dec04

Nebraska Medicine Discovers Insider Data Breach

Nebraska Medicine has discovered an employee has accessed the medical records of patients without any legitimate work reason for doing so over a period of almost three months. The privacy violation was discovered during a routine audit of its medical record system. The audit revealed the employee had first accessed patient records on July 11, 2019 and continued to do so until October 1, 2019 when the privacy violations were discovered. Upon discovery, steps were taken to prevent further unauthorized access while the matter was investigated. The employee in question was fired the day after the privacy violations were discovered. According to a statement released by Nebraska Medicine, affected individuals have been notified by mail and any individual whose Social Security number was potentially viewed has been offered complimentary credit monitoring services for 12 months as a precaution. Nebraska Medicine does not have any reason to believe that any sensitive information has been or will be misused, suggesting the employee was accessing the records out of curiosity. It is unclear...

Read More
Solara Medical Supplies Sued Over 114,000-Record Data Breach
Dec04

Solara Medical Supplies Sued Over 114,000-Record Data Breach

Solara Medical Supplies is facing legal action over a June 2019 data breach that saw the protected health information of more than 114,000 customers exposed and potentially stolen by an unauthorized individual who gained access to its email system. Solara Medical Supplies, a supplier of medical devices and disposable medical products, discovered the breach on June 28, 2019. While initially believed to involve one email account, an investigation revealed several Office 365 email accounts had been compromised for a period of around 6 weeks, starting on April 2, 2019. The types of information exposed as a result of the attack included names, addresses, birth dates, employee ID numbers, Social Security numbers, health insurance information, financial information, credit card/debit card numbers, passport details, state ID numbers, driver’s license numbers, password/PIN or account login information, claims data, billing information, and Medicare/Medicaid IDs. Customers affected by the breach were notified in November and were offered complimentary credit monitoring and identity theft...

Read More
Phishing Attacks Announced by Comprehensive Sleep Care Center, McLaren Health Plan, and Ivy Rehab Physical Therapy
Dec03

Phishing Attacks Announced by Comprehensive Sleep Care Center, McLaren Health Plan, and Ivy Rehab Physical Therapy

Loudoun Medical Group, dba Comprehensive Sleep Care Center (CSCC), has been affected by a phishing attack that occurred on or around June 19, 2019. The IT department was alerted to a potential email security breach when suspicious activity was detected in an employee’s email account. The password was immediately changed to prevent further unauthorized access and the incident was investigated. Forensic investigators confirmed the breach was confined to a single email account that was accessed by an unauthorized individual between June 15, 2019 and June 19, 2019. On October 17, 2019, the investigators confirmed which patient information had been accessed. The information in the email account varied for each patient and may have included the patient’s name along with one or more of the following data elements: Date of birth, Social Security number, passport number, driver’s license number, medical record number, payment card information, patient account number, financial account information, medical history, health insurance information, treatment information and/or date(s) of...

Read More
Great Plains Health Ransomware Attack Prevents Access to Patient Medical Records
Nov28

Great Plains Health Ransomware Attack Prevents Access to Patient Medical Records

North Platte, NE-based Great Plains Health has experienced a ransomware attack that has resulted in the encryption of patient medical records. The attack was detected at around 7pm on Tuesday, November 26. Prompt action was taken to minimize the impact on patients, and staff switched to pen and paper while computer systems were offline. IT staff have been working round the clock dealing with the attack. With access to medical records prevented, the decision was taken to cancel non-emergency patient appointments and some medical procedures, although surgeries and certain imaging procedures are continuing to be provided as normal. The hospital has not switched to emergency operations and is not diverting patients. The attack also impacted its phone and email system, although voicemail is unaffected. Staff have been checking voicemail messages regularly and have been calling patients back who have not been able to get through on the telephone. It is currently unclear whether the ransom demand was paid or if medical records and other encrypted files are being restored from backups....

Read More
$2.175 HIPAA Settlement Agreed with Sentara Hospitals for Breach Notification Rule and BAA Failures
Nov28

$2.175 HIPAA Settlement Agreed with Sentara Hospitals for Breach Notification Rule and BAA Failures

The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced its 8th HIPAA financial penalty of 2019. Sentara Hospitals has agreed to settle potential violations of the HIPAA Privacy and Breach Notification Rules and will pay a penalty of $2.175 million and will adopt a corrective action plan to address areas of noncompliance. Sentara operates 12 acute care hospitals in Virginia and North Carolina and has more than 300 care facilities in both states. OCR launched a compliance investigation in response to a complaint from a patient on April 17, 2017. The patient had reported receiving a bill from Sentara containing another patient’s protected health information. Sentara did report the breach to OCR, but the breach report stated that only 8 individuals had been affected, when the mailing had been misdirected and 577 individuals had had some of their PHI impermissibly disclosed. OCR determined that those 577 patients had their information merged with 16,342 different guarantor’s mailing labels. OCR advised Sentara that under the HIPAA Breach Notification...

Read More
Misconfigured Staff Calendars Exposed Information of Children’s Minnesota Patients for Up to 8 Years
Nov26

Misconfigured Staff Calendars Exposed Information of Children’s Minnesota Patients for Up to 8 Years

Children’s Minnesota has started notifying 37,942 patients that information related to their appointments has been exposed and could have been accessed by unauthorized individuals. The internal, electronic calendars used by certain staff members had been configured in a way that allowed them to be viewed by individuals outside of Children’s Minnesota’s system. The misconfiguration was detected on August 26, 2019 and was immediately corrected to prevent unauthorized access. A third-party computer forensics company was engaged to assist with the investigation and determine the extent of the privacy breach. The firm confirmed that in some cases, the calendars may have been misconfigured for several years, with the earliest case determined to be December 2011. The calendars contained a limited amount of patient information, such as patient names, medical record numbers, dates of birth, insurance information, account numbers, appointment times and locations, names of procedures, and healthcare provider names. It was not possible to determine whether the calendars had been accessed by...

Read More
October 2019 Healthcare Data Breach Report
Nov25

October 2019 Healthcare Data Breach Report

There was a 44.44% month-over-month increase in healthcare data breaches in October. 52 breaches were reported to the HHS’ Office for Civil Rights in October. 661,830 healthcare records were reported as exposed, impermissibly disclosed, or stolen in those breaches. This month takes the total number of breached healthcare records in 2019 past the 38 million mark. That equates to 11.64% of the population of the United States. Largest Healthcare Data Breaches in October 2019 Breached Entity Entity Type Individuals Affected Type of Breach Betty Jean Kerr People’s Health Centers Healthcare Provider 152,000 Hacking/IT Incident Kalispell Regional Healthcare Healthcare Provider 140,209 Hacking/IT Incident The Methodist Hospitals, Inc. Healthcare Provider 68,039 Hacking/IT Incident Children’s Minnesota Healthcare Provider 37,942 Unauthorized Access/Disclosure Tots & Teens Pediatrics Healthcare Provider 31,787 Hacking/IT Incident University of Alabama at Birmingham Healthcare Provider 19,557 Hacking/IT Incident Prisma Health – Midlands Healthcare Provider 19,060...

Read More
IT Firm Ransomware Attack Prevents Nursing Homes and Acute Care Facilities from Accessing Medical Records
Nov25

IT Firm Ransomware Attack Prevents Nursing Homes and Acute Care Facilities from Accessing Medical Records

Virtual Care Provider Inc. (VCP), a Wisconsin-based provider of internet and email services, data storage, cybersecurity, and other IT services, has experienced a ransomware attack that has resulted in the encryption of medical records and other data the firm hosts for its clients. Its clients include 110 nursing home operators and acute care facilities throughout the United States. Those entities have been prevented from accessing critical patient data, including medical records. The company provides support for 80,000 computers, in around 2,400 facilities in 45 states. The attack involved Ryuk ransomware, a ransomware strain that has been used to attack many healthcare organizations and managed IT service providers in the United States in recent months. The ransomware is typically deployed as a secondary payload following an initial Trojan download. The attacks often involve extensive encryption and cause major disruption and huge ransom demands are often issued. This attack is no different. A ransom demand of $14 million has reportedly been issued, which the company has said it...

Read More
107,000 Ferguson Medical Group Patients Impacted by Ransomware Attack
Nov22

107,000 Ferguson Medical Group Patients Impacted by Ransomware Attack

Saint Francis Healthcare System has announced that the computer network of Ferguson Medical Group has been attacked with ransomware. The attack occurred on September 21, 2019, before Saint Francis Medical Center acquired the Sikeston, MO-based medical group. Saint Francis Healthcare learned about the ransomware attack on September 21. According to a notice on the Saint Francis Healthcare website, the attackers succeeded in encrypting medical records of all patients who had received medical services at Ferguson Medical Group prior to January 1, 2019. The incident was reported to the Federal Bureau of Investigation and steps were immediately taken to isolate the affected systems. The attackers demanded payment of a ransom for the keys to decrypt files on the network. Since there was no guarantee that the attackers were able to supply working decryption keys and due to other uncertainties, the decision was taken not to pay and to instead recover files from backups. While many files were recovered, some information could not be restored and has been permanently lost. It was not...

Read More
Phishing Attacks Reported by Choice Cancer Care Treatment Center and CAH Holdings
Nov21

Phishing Attacks Reported by Choice Cancer Care Treatment Center and CAH Holdings

Choice Cancer Care Treatment Center (CCCT), a network of cancer care centers in Texas, has discovered the protected health information of 14,673 patients has potentially been accessed by unauthorized individuals as a result of a phishing attack in May 2019. Suspicious activity in the email account of an employee was detected on May 21, 2019. The subsequent investigation confirmed that the account had been accessed by an unauthorized individual between May 1st and May 21st, 2019. The email account was immediately secured, and a third-party digital forensic firm was engaged to conduct a thorough investigation. An analysis of CCCT systems confirmed that the breach was confined to the email system and only one email account had been subjected to unauthorized access. A programmatic and manual review of all emails and email attachments in the account revealed the protected health information of certain patients had been exposed. The review was completed on September 18, 2019. CCCT then reviewed all affected records and confirmed the contact information for all individuals affected....

Read More
Former Aegis Medical Group Employee Potentially Accessed 9,800 Records Without Authorization
Nov20

Former Aegis Medical Group Employee Potentially Accessed 9,800 Records Without Authorization

The Florida physician network, Aegis Medical Group, has started notifying 9,800 patients that their protected health information may have been accessed by a former employee. That individual is understood to have attempted to sell patient records to third parties suspected of being involved in identity theft and fraud. Aegis Medical Group was informed by law enforcement on September 11, 2019 about the employee. The law enforcement investigation determined that the employee attempted to sell the data of just two patients. Working with law enforcement, the physician network determined that the records of up to 9,800 patients were potentially accessed by the employee between July 24, 2019 and September 9, 2019. The information contained in the records was limited to first and last names, dates of birth, account numbers, postal addresses, diagnosis information, and Social Security numbers. Approximately 75% of the records that may have been accessed were physical records rather than electronic copies. Following notification by law enforcement, Aegis Medical Group immediately terminated...

Read More
Solara Medical Supplies and Select Health Network Report Phishing Attacks
Nov19

Solara Medical Supplies and Select Health Network Report Phishing Attacks

Solara Medical Supplies, LLC, a Chula Vista, CA-based provider of medical devices and disposable medical products, has announced that the protected health information of many of its customers has potentially been compromised as a result of a phishing attack. On June 28, 2019, Solara Medical identified suspicious activity in the email account of an employee and an investigation was launched to determine the nature and scope of the breach.  Assisted by third party computer forensics experts, Solara Medical learned that the breach was far more extensive, and several Office 365 email accounts had been compromised between April 2, 2019 and June 20, 2019. A programmatic and manual review of all compromised accounts was conducted to determine which patients’ protected health information had potentially been accessed. The information in the email accounts varied from patient to patient and included patients’ first and last names in combination with one or more of the following data elements: Address, birth date, employee ID number, Social Security number, health insurance information,...

Read More
Update Issued on Unsecured PACS as Exposed Medical Image Total Rises to 1.19 Billion
Nov18

Update Issued on Unsecured PACS as Exposed Medical Image Total Rises to 1.19 Billion

It has been 60 days since Greenbone Networks reported on the mass exposure of medical images on unsecured Picture Archiving and Communication Systems (PACS). In an updated report, the German vulnerability analysis and management platform provider has revealed the problem is getting worse, not better. Picture Archiving and Communication Systems (PACS) servers are extensively used by healthcare providers for archiving medical images and sharing those images with physicians for review, yet many healthcare providers are not ensuring their PACS servers have appropriate security. Consequently, medical images (X-Ray, MRI, CT Scans), along with personally identifiable patient information, is being exposed over the Internet. Anyone who knows where to look and how to search for the files can find them, view them and, in many cases, download the images without any authentication required. The images are not accessible due to software vulnerabilities. Data access is possible because of the misconfiguration of infrastructure and PACS servers. Between July and September 2019, Greenbone Networks...

Read More
93,000 Files Belonging to California Addiction Treatment Center Exposed Online
Nov15

93,000 Files Belonging to California Addiction Treatment Center Exposed Online

An AWS S3 storage bucket belonging to Sunshine Behavioral Health, LLC, a San Juan Capistrano, CA-based network of drug and alcohol addiction rehabilitation centers, has been misconfigured, resulting in the exposure of sensitive patient information. The misconfigured AWS S3 bucket was initially reported to databreaches.net in August 2019. Sunshine Behavioral Health was contacted and the bucket was secured; however, the data exposure does not appear to have been reported to the HHS’ Office for Civil Rights, there is no breach report on the California Attorney General’s website, and no mention of the breach on the Sunshine Behavioral Health website, even though it has been more than 60 days since Sunshine Behavioral Health was made aware of the breach. Dissent of databreaches.net followed up on the breach in November and discovered that files were still exposed. The URLs of the PDF files in the bucket were still accessible and could be viewed without the need for a password. If the URLs had been obtained while the bucket was exposed, the PDF files could have been accessed and...

Read More
Phishing Attacks Reported by UNC Chapel Hill School of Medicine and Starling Physicians
Nov14

Phishing Attacks Reported by UNC Chapel Hill School of Medicine and Starling Physicians

University of North Carolina Chapel Hill School of Medicine has experienced a phishing attack in which the protected health information of 3,716 patients has potentially been accessed by unauthorized individuals. An investigation by third-party forensics experts confirmed that several employee email accounts were compromised between May 17, 2018 and June 18, 2018. It is unclear when the security breach was first detected. The types of information in emails and email attachments in the compromised accounts varied from patient to patient and may have included names, birth dates, demographic information, Social Security numbers, health insurance details, financial account information, and credit card numbers. Affected individuals were notified about the breach on November 12, 2019. Patients whose Social Security numbers were potentially compromised have been offered complimentary credit monitoring and identity theft protection services. Multi-factor authentication has now been implemented and employees have been provided with further cybersecurity and phishing awareness training....

Read More
PHI Theft Incidents Reported by Loyola Medicine and Main Street Clinical Associates
Nov13

PHI Theft Incidents Reported by Loyola Medicine and Main Street Clinical Associates

Main Street Clinical Associates, PA., in Durham, NC has informed certain patients that some of their protected health information was stored on devices that were stolen from its offices. The theft occurred when the Main Street offices had been evacuated due to a severe gas explosion. Staff at the office were ordered to evacuate the building on April 10, 2019 following an explosion in an adjacent building. Files and equipment were left on desks due to the urgent evacuation, and the room containing patient records was left unlocked. The damage to the building was extensive. Staff were not permitted to re-enter the building until September 9, 2019. When the staff returned, it was discovered the offices had been looted and equipment had been stolen. Two laptop computers had been taken, along with the cell phone of a clinician, and a printer containing some patient information. Main Street explained in a recent press release that the laptop computers and cell phone were password-protected, as were files that contained patient information. Since they devices were not encrypted, it is...

Read More
Tens of Thousands of TennCare and Florida Blue Members Impacted Business Associate Phishing Attack
Nov13

Tens of Thousands of TennCare and Florida Blue Members Impacted Business Associate Phishing Attack

Further healthcare organizations have confirmed they have been affected by a data breach at Magellan Health National Imaging Associates, a business associate of several HIPAA-covered entities that provides managed pharmacy and radiology benefits services. Danville, PA-based Geisinger Health Plan announced last month that 5,848 of its members had been affected by the breach and Albuquerque, NM-based Presbyterian Health Plan has confirmed that 56,226 of its members have been affected. In the past few days, health insurance company Florida Blue and the Tennessee state Medicaid program, TennCare, have made similar announcements. The phishing attack occurred on May 28, 2019. Magellan Health NIA learned of the breach on July 5, 2019 and took action to secure the affected email account. The breach was detected when the compromised account was used to send out large quantities of spam email. The internal investigation confirmed that the mailbox had been accessed on several occasions by an individual based outside the United States. The purpose of the attack appears to have been solely to...

Read More
Salem Health Hospitals & Clinics and Delta Dental of Arizona Notify Patients About Phishing Attacks
Nov11

Salem Health Hospitals & Clinics and Delta Dental of Arizona Notify Patients About Phishing Attacks

Salem Health Hospitals & Clinics in Oregon experienced a phishing attack on July 31, 2019 that resulted in an unauthorized individual gaining access to the email accounts of several employees. The breach was detected within a day of the accounts being accessed and the compromised accounts were secured. Patients were notified about the breach on September 27 and were told that a review of the affected accounts was underway. The compromised email accounts were expected to contain a limited amount of patient information such as names, dates of birth, and information related to the medical services patients had received. At the time of issuing the notice, the investigation into the breach was ongoing. On Thursday, November 7, 2019, Salem Health spokesperson, Elijah Penner, said “The incident was reviewed thoroughly, and Salem Health has no indication that any patient information has been misused.” No evidence was uncovered to suggest patient information in emails and email attachments was accessed. Salem Health has advised affected patients to exercise caution and monitor...

Read More
Two Maine Healthcare Providers Report Email Security Breaches Impacting 52,000 Patients
Nov07

Two Maine Healthcare Providers Report Email Security Breaches Impacting 52,000 Patients

InterMed, one of the largest healthcare providers in Southern Maine, has discovered the personal and health information of up to 30,000 patients has potentially been accessed by an unauthorized individual as a result of a recent email security breach. On September 6, 2019, InterMed discovered an employee’s email account had been accessed by a third-party without authorization. An independent investigation into the breach revealed the account was compromised on September 4 and a further three employee email accounts were also found to have been compromised between September 7 and September 10, 2019. Emails and attachments in the compromised accounts contained patient information such as names, dates of birth, clinical information, and health insurance information, and for 155 individuals, Social Security numbers. The breach was limited to email accounts. The electronic medical record system was not accessed. It was not possible to determine whether emails in the account were actually viewed. The compromised email accounts were immediately secured, and affected patients were notified...

Read More
Texas Health Resources Reports Data Breach Affecting 82,577 Patients
Nov06

Texas Health Resources Reports Data Breach Affecting 82,577 Patients

82,577 patients of Texas Health Resources have had some of their health information impermissibly disclosed as a result of a misconfiguration of its billing system. Texas Health Resources is one of the largest faith-based health systems in the United States and the largest in North Texas, with facilities in 16 counties serving more than 7 million patients. On August 23, 2019, Texas Health Resources learned that an error in its billing system had resulted in patient information being incorrectly matched with guarantors. The error caused mailings to be sent to incorrect patients or their guarantors. The error occurred on July 19, 2019 and affected mailings up to September 4, 2019. An investigation was launched to determine which individuals had been affected and the types of patient information that had been impermissibly disclosed. The investigation revealed the following types of information were included in the mailings and had been sent to incorrect individuals: Name, service date, account number, names of treating physicians, name of health insurer, amount owed, and in some...

Read More
Brooklyn Hospital Center Malware Attack Results in Loss of Patients’ Health Records
Nov04

Brooklyn Hospital Center Malware Attack Results in Loss of Patients’ Health Records

Brooklyn Hospital Center in New York has announced that a security breach occurred in late July 2019 that resulted in malware being installed on some of the hospital’s servers. The attack was discovered promptly, and steps were taken to limit the harm caused; however, it was not possible to prevent certain files from being encrypted. A third-party digital forensics firm was retained to assess the nature and extent of the malware attack and assist with the recovery of encrypted files. On September 4, following ‘exhaustive efforts’ to recover the encrypted files, it was determined that certain patient information was unrecoverable. Entire medical records have not been lost, but some patients’ dental and cardiac images could not be restored. The hospital is currently conducting a review to determine which patients have been affected and those individuals will be notified in due course. As is often the case with ransomware attacks such as this, the goal of the attackers appears to have been to extort money from the hospital rather than gain access to patient information. No reports of...

Read More
California Mental Health Services Provider Discovers Unauthorized Email Account Access and File Deletion
Nov04

California Mental Health Services Provider Discovers Unauthorized Email Account Access and File Deletion

The Guidance Center (TGC), a nonprofit provider of mental health care services to disadvantaged children and their families in Long Beach, Compton, San Pedro, and Avalon in California, has discovered a breach of its digital environment. In a breach notification letter to the California Attorney General, Xavier Becerra, TGC’s counsel explained that unusual activity was detected within TGC’s digital environment in late March 2019. Staff had reported that files and backups appeared to be missing. An internal investigation was launched which concluded the files had been deleted. Further investigation also showed that a TGC computer had been reconfigured to allow it to be remotely accessed. TGC believes the change to the computer and deletion of files was most likely the work of a former employee. The matter was reported to both the Long Beach Police Department and the FBI, and the individual suspected of the illegal access was sent a cease and desist letter by TGC’s attorney on March 30, 2019. Following that letter, all further unauthorized access stopped. On April 19, 2019, TGC...

Read More
Utah Valley Eye Center Hacking Incident Leads to Phishing Attack on Patients
Nov01

Utah Valley Eye Center Hacking Incident Leads to Phishing Attack on Patients

Utah Valley Eye Center in Provo, UT is warning patients that some of their personal information may have been accessed by an unauthorized individual following a security breach involving its scheduling reminder portal on June 28, 2018. The hacker obtained the email addresses of 5,764 patients and sent each a phishing email in an attempt to gain access to PayPal credentials. The emails spoofed PayPal and advised the recipients that they had received a payment. Upon discovery of the security breach, Utah Valley Eye Center contacted all individuals who had been emailed to warn them about the security breach. No evidence has been uncovered to suggest any other information was accessed or misused, although the hacker would have had access to patient names, addresses, phone numbers, and dates of birth. No personal health or financial information is believed to have been accessed. Only 5,764 phishing emails were sent, but Utah Valley Eye Center could not determine exactly how many patients’ protected health information was viewed or obtained by the hacker. The decision was therefore...

Read More
Prisma Health Website Breach Potentially Impacts 22,000 Individuals
Oct30

Prisma Health Website Breach Potentially Impacts 22,000 Individuals

Prisma Health Midlands is notifying approximately 19,000 patients and 3,000 employees about a data breach involving the Palmetto Health website. Prisma Health – formerly Palmetto Health – learned on August 29, 2019 that an unauthorized individual had obtained the login credentials of a Prisma Health employee. Those credentials allowed the attacker to access the Palmetto Health website, which contained volunteer registration information and patient pre-registration forms that had been completed online. Those forms related to 6 Midlands hospitals and contained information such as names, addresses, dates of birth, limited health information and, for certain individuals, their Social Security number. No medical records or financial information were exposed. Prisma Health was not able to determine for how long the credentials were accessible. Upon discovery of the incident, the employee’s password was changed to prevent any further unauthorized access and policies and procedures are being updated to prevent similar breaches in the future. Affected individuals have been notified by mail...

Read More
Quest Diagnostics $195,000 Class Action Settlement Approved by Federal Judge
Oct30

Quest Diagnostics $195,000 Class Action Settlement Approved by Federal Judge

Following a November 2016 cyberattack at Quest Diagnostics that resulted in an unauthorized individual accessing and stealing the personal information and medical test results of 34,000 individuals, a class action lawsuit was filed by the breach victims. Quest Diagnostics proposed a $195,000 settlement to resolve the case. The settlement has recently been approved by a New Jersey district court judge. The types of information obtained by the hacker included names, phone numbers, dates of birth, and the results of medical tests, including HIV test results. The lawsuit alleged Quest Diagnostics had violated New Jersey laws and had been negligent for failing to safeguard the sensitive health information of its clients, Quest Diagnostics had breached its contract with clients, and that the company failed to provide timely notifications to patients informing them about the hacking incident and theft of their data. Quest Diagnostics maintains the claims are meritless, but the decision was taken to settle the lawsuit to avoid ongoing litigation and further legal costs. Under the terms of...

Read More
Improper Disposal Incident at Smith’s Food & Drug Affects Almost 58,000 Patients
Oct29

Improper Disposal Incident at Smith’s Food & Drug Affects Almost 58,000 Patients

Salt Lake City, OH-based Smith’s Food & Drug has announced that the pharmacy records of around 58,000 patients have been disposed of in an improper manner. The improper disposal incident was discovered by the grocery and drug store chain on August 29, 2019 and affected customers of its store at 4600 East Sunset Road in Henderson, NV. 12 boxes of files containing physical pharmacy records, including prescriptions, were disposed of by a former associate in an improper manner. The records were not shredded, pulped, burned, or pulverized to render them unreadable, indecipherable, and ensure they could not otherwise be reconstructed, as is required by HIPAA. The boxes of files were put in the store’s trash compactor along with regular trash. Since the records are no longer accessible, it was not possible to determine which patients were impacted and the exact types of information that had been exposed. Smith’s Food & Drug has estimated the sensitive information of approximately 57,600 patients was likely contained in the pharmacy records. The types of HIPAA-covered information...

Read More
Report Suggests Augmented Security Following a Data Breach Contributes to Increase in Patient Mortality Rate
Oct28

Report Suggests Augmented Security Following a Data Breach Contributes to Increase in Patient Mortality Rate

Healthcare data breaches lead to a reduction in the quality of care provided to patients, according to a study recently published in Health Services Research. Researchers analyzed data from Medicare Compare which details quality measures at hospitals. Data from 2012-2016 was analyzed and compared with data from the HHS’ Office for Civil Rights on data breaches of more than 500 records over the same period. The researchers analyzed data on 3,025 Medicare-certified hospitals, 311 of which had experienced a data breach. According to the study, the time it took from a patient arriving at the hospital to an electrocardiogram being performed increased by up to 2.7 minutes at hospitals that had experienced a data breach. A ransomware attack that prevents clinicians from accessing patient data will limit their ability to provide essential medical services to patients, so a delay in conducting tests and obtaining the results is to be expected. However, the delays were found to continue for months and years after an cyberattack was experienced. The study showed that 3-4 years after a breach...

Read More
Betty Jean Kerr People’s Health Centers Ransomware Attack Impacts 152,000 Patients
Oct28

Betty Jean Kerr People’s Health Centers Ransomware Attack Impacts 152,000 Patients

St Louis, MO-based Betty Jean Kerr People’s Health Centers experienced a ransomware attack on September 2, 2019 that prevented staff at its health centers from accessing certain types of patient, provider, and employee information. The security incident was detected on September 3 and law enforcement was notified. A ransom demand was received, but the decision was taken not to pay. A third-party IT firm was engaged to assist with recovery, but it has not been possible to recover the encrypted data. The encrypted data is considered to have been permanently lost, unless a decryptor is developed by security researchers that allows files to be recovered. No mention has been made about the type of ransomware used in the attack and if backup files were also encrypted in the attack. The investigation revealed the following types of information had been encrypted in the attack: Patient names, addresses, dates of birth, Social Security numbers, pharmacy data, health insurance information, dental x-rays, and a limited amount of clinical data. Affected patients had received medical services...

Read More
Geisinger Health Plan Notifies Members About Business Associate Phishing Attack
Oct24

Geisinger Health Plan Notifies Members About Business Associate Phishing Attack

Danville, PA-based Geisinger Health Plan has discovered the protected health information (PHI) of some of its members has been exposed as a result of a suspected phishing attack on one of its business associates, Magellan NIA. Magellan NIA provides radiology benefits management services to the health plan, which requires access to plan members’ PHI. Magellan NIA discovered the breach on July 5, 2019 when suspicious activity was detected in the email account of one of its employees. The account was immediately secured to prevent further unauthorized access and misuse and an investigation was launched to determine the extent of the breach. The investigation revealed the account was breached on May 28, and there had been several connections to the account between up until July 5. Those connections were made from a location outside the United States. Geisinger Health Plan believes the sole purpose of the attack was to gain access to email accounts for the purpose of spamming, rather than to steal sensitive plan member data. However, it was not possible to rule out unauthorized data...

Read More
Slew of HIPAA Violations Leads to $2.15 Million Civil Monetary Penalty for Jackson Health System
Oct23

Slew of HIPAA Violations Leads to $2.15 Million Civil Monetary Penalty for Jackson Health System

The Department of Health and Human Services’ Office for Civil Rights has imposed a $2.15 million civil monetary penalty against the Miami, FL-based nonprofit academic medical system, Jackson Health System (JHS), for a slew of violations of HIPAA Privacy Rule, Security Rule, and Breach Notification Rule. In July 2015, OCR became aware of several media reports in which the PHI of a patient was impermissibly disclosed. The individual was a well-known NFL football player. Photographs of an operating room display board and schedule had also been shared on social media by a reporter. OCR launched an investigation in October 2015 and opened a compliance review in relation to the impermissible disclosure. JHS investigated and submitted a report confirming a photograph was taken in which two patients PHI was visible, including the PHI of a well-known person in the community. The internal investigation revealed an employee had been accessing patient information without authorization since 2011. During that time, the employee had accessed the records of 24,188 patients without any legitimate...

Read More
140,209 Patients Notified of Kalispell Regional Healthcare Phishing Attack
Oct23

140,209 Patients Notified of Kalispell Regional Healthcare Phishing Attack

Kalispell Regional Healthcare in Montana is in the process of notifying approximately 140,000 patients that some of their protected health information (PHI) was potentially compromised in a security breach over the summer. Kalispell Regional Healthcare operates Kalispell Regional Medical Center, a 138-bed hospital in Kalispell, MT. The breach has affected most of its patients. The breach affected Kalispell Regional’s email system and was the result of multiple employees being fooled by a “highly sophisticated” phishing scam. Employees responding to the phishing email inadvertently disclosed their login credentials to the attacker who used the credentials to remotely access their email accounts. Kalispell Regional learned of the breach on August 28. Upon discovery of the breach, all affected email accounts were disabled to prevent further unauthorized access, the security breach was reported to law enforcement, and an internal investigation was launched to determine the extent of the breach. The investigation revealed the email account was breached on May 24, 2019 and the...

Read More
Sensitive Data of Millions of Patients Discovered to Be Freely Accessible Over the Internet
Oct22

Sensitive Data of Millions of Patients Discovered to Be Freely Accessible Over the Internet

The sensitive health information of millions of patients has been exposed over the internet as a result of the failure of nine companies to secure their medical databases. The exposed patient data was discovered by security researchers at WizeCase. The research team, led by Avishai Efrat, used publicly available tools to search for exposed data that could be accessed without the need for any usernames or passwords. The firm then offers to help those organizations fix their data leaks and better secure their data. In all cases, the researchers attempted to contact the healthcare organizations concerned to advise them about the misconfigured databases to allow steps to be taken to secure the data and prevent unauthorized access, but in several cases no response was received. The researchers contacted databreaches.net and received assistance in contacting the companies concerned. When no response was received, the researchers contacted local authorities and hosting companies for assistance. Several attempts were made to get the data secured over the space of a month before the...

Read More
South Texas Dermatopathology Notifies 15,982 Patients About AMCA Data Breach
Oct22

South Texas Dermatopathology Notifies 15,982 Patients About AMCA Data Breach

South Texas Dermatopathology is the last known victim of the data breach at American Medical Collection Agency (AMCA) to report the breach to the Department of Health and Human Services Office for Civil Rights (OCR) and notify affected patients. The breach appeared on the OCR breach portal on October 7, 2019 and indicates 15,982 patients have been affected. AMCA was a business associate of the San Antonio, TX-based medical testing laboratory and provided billings and collection services. South Texas Dermatopathology was informed about the security breach at AMCA in May 2019 and was told that some of its patients’ information was potentially compromised as a result of the hacking of AMCA systems. An unauthorized individual first gained access to AMCA systems on August 1, 2018. Access remained possible up to March 30, 2019 when the breach was detected and its systems were secured. During that time, the unauthorized individual had access to parts of AMCA systems that contained information such as names, addresses, phone numbers, dates of birth, balance information, dates of service,...

Read More
September 2019 Healthcare Data Breach Report
Oct21

September 2019 Healthcare Data Breach Report

September saw 36 healthcare data breaches of more than 500 records reported to the Department of Health and Human Services’ Office for Civil Rights, which represents a 26.53% decrease in breaches from the previous month. 1,957,168 healthcare records were compromised in those breaches, an increase of 168.11% from August. The large number of breached records is largely down to four reported incidents, each of which involved hundreds of thousands of healthcare records. Three of those incidents have been confirmed as ransomware attacks. Largest Healthcare Data Breaches in September 2019 The largest breach of the month was due to a ransomware attack on Jacksonville, FL-based North Florida OB-GYN, part of Women’s Care of Florida. 528,188 healthcare records were potentially compromised as a result of the attack. Sarrell Dental also experienced a ransomware attack in which the records of 391,472 patients of its Alabama clinics were encrypted. 320,000 records of patients of Premier Family Medical in Utah were also potentially compromised in a ransomware attack. The University of Puerto Rico...

Read More
VA OIG: Records of Thousands of Veterans Exposed to 25,000 VA Employees via Shared Network Drives
Oct21

VA OIG: Records of Thousands of Veterans Exposed to 25,000 VA Employees via Shared Network Drives

Internal Department of Veteran Affairs (VA) communications, disability claims, and the health information of thousands of veterans have been exposed and could be accessed by VA employees authorized to view the information, according to the findings of a Department of Veteran Affairs’ Office of Inspector General (VA OIG) audit. VA OIG conducted an audit of the VA’s Milwaukee Regional Office following a tipoff by a whistleblower in September 2018 about the exposure of sensitive information on shared network drives, which the whistleblower claimed could be accessed by employees unauthorized to view the information. VA OIG audit visited the Milwaukee offices in January 2019 and confirmed that sensitive information had been stored on two shared network drives on the VA Enterprise network, which could be accessed by veterans service organization (VSO) officers, even if those officers did not represent those veterans. The auditors determined that any Veterans Benefits Administration employee who had permission to access the VA network remotely could have accessed the files stored on the...

Read More
Ransomware Attacks Reported by Monterey Health Center and Magnolia Pediatrics
Oct18

Ransomware Attacks Reported by Monterey Health Center and Magnolia Pediatrics

Monterey Health Center in Milwaukie, OR, has experienced a ransomware attack that encrypted its electronic medical records system. The attack commenced on August 12, 2019 and prevented patient data from being accessed. Assisted by a third-party vendor, the health center successfully restored all patient data quickly and was able to continue providing care to its patients. It is unclear whether the medical records were restored from backups or if the ransom demand was paid. Third party forensic investigators were retained to investigate the attack and determine whether patient data had been copied by the attackers. The investigation found no evidence of data exfiltration, although unauthorized data access could not be totally ruled out. To date, no reports have been received about any misuse of patient information. The following information was potentially compromised: Names, addresses, dates of birth, Social Security numbers, driver’s license numbers, medical histories, diagnoses, lab test results, treatment information, medications, health insurance information, claims...

Read More
Malicious Code on Mission Health E-Commerce Websites Enabled Data Theft for 3 Years
Oct18

Malicious Code on Mission Health E-Commerce Websites Enabled Data Theft for 3 Years

Mission Health in Western North Carolina has discovered malicious code has been installed on its e-commerce websites that were used by patients to purchase health products. The malicious code was capable of capturing payment information as it was entered on the websites. That information was then sent to an unauthorized third party. The breach was discovered by Mission Health in June 2019. The breach investigation revealed the malicious code had been inserted into the genuine code of the website three years previously in March 2016. The affected websites were taken offline and are being rebuilt. At the time of writing, those websites are not operational. Only limited information about the breach has been released and there is currently no substitute breach notification letter on the Mission Health website. It is unclear how the breach was discovered. Typically, when credit card information is stolen, credit card firms trace fraudulent activity back to a specific retailer or website and advise the company that their systems have been compromised. In such cases, the fraudulent...

Read More
Roger Severino Gives Update on OCR HIPAA Enforcement Priorities
Oct17

Roger Severino Gives Update on OCR HIPAA Enforcement Priorities

Roger Severino, Director of the HHS’ Office for Civil Rights, has given an update on OCR’s HIPAA enforcement priorities at the OCR/NIST 11th Annual HIPAA Conference in Washington D.C. Severino confirmed that one of OCR’s top policy initiatives is still enforcing the rights of patients under the HIPAA Privacy Rule and ensuring they are given timely access to their health information at a reasonable cost. Under HIPAA, patients have the right to view and check their medical records and obtain a copy of their health data, yet there are still healthcare organizations that are making this difficult. OCR has already agreed to settle one case this year with a HIPAA-covered entity that failed to provide a patient with a copy of her health information. OCR had to intervene before those records were provided to the patient. The entity in question, Bayfront Health St Petersburg, paid a financial penalty of $85,000 to resolve the HIPAA violation. More financial penalties will be issued to covered entities that fail to comply with this important provision of HIPAA. Severino confirmed that...

Read More
Hunt Regional Healthcare Revises May 2018 Data Breach Total
Oct15

Hunt Regional Healthcare Revises May 2018 Data Breach Total

Texas-based Hunt Regional Healthcare has discovered a May 2018 cyberattack was much more extensive than previously thought. On May 14, 2019, Hunt Regional was informed by the FBI that its systems had been the subject of a sophisticated, targeted cyberattack in May 2018 and that a small subset of its patients had had their protected health information (PHI) exposed. Those individuals had previously received medical services at Hunt Regional Medical Center. The PHI was stored in a limited area of the network to which the hackers had gained access and those individuals were notified about the breach in July 2019. A more detailed investigation was then conducted with assistance provided by third-party computer forensics experts, who discovered the hackers had gained access to other parts of the network that were not initially thought to have been compromised. These additional parts of the network contained the PHI of patients of other facilities in the network: Hunt Regional Medical Center in Greenville, Hunt Regional Emergency Medical Center – Commerce, Hunt Regional Emergency Medical...

Read More
Philadelphia Department of Public Health Data Breach Exposed Data of Hepatitis Patients
Oct14

Philadelphia Department of Public Health Data Breach Exposed Data of Hepatitis Patients

The Philadelphia Department of Public Health (PDPH) has discovered sensitive information of patients with hepatitis B and hepatitis C has been exposed over the internet and could be accessed by anyone without the need for authentication. The breach came to light on Friday October 12, 2019 following notification from a reporter from The Philadelphia Inquirer. The issue was corrected within minutes of the hospital being notified of the breach. An investigation has now been launched to determine the nature, cause, and extent of the breach. New cases of hepatitis B and hepatitis C must be reported to PDPH by medical providers to enable tracking and monitoring of the disease. Both diseases can be transmitted through contact with bodily fluids of an infected person. New cases are often the result of sharing of needles by intravenous drug users. New cases of both forms of hepatitis are monitored as part of the PDPH opioids initiative. The data supplied by healthcare providers had been uploaded to a website tool that allows aggregated data to be visualized through charts using Tableau...

Read More
68,000 Patients of Methodist Hospitals Impacted by Phishing Attack
Oct09

68,000 Patients of Methodist Hospitals Impacted by Phishing Attack

In June 2019, Gary, Indiana-based Methodist Hospitals discovered an unauthorized individual had gained access to the email account of one of its employees following the detection of suspicious activity in the employee’s email account. An investigation was immediately launched and third-party computer forensics experts were called in to determine the extent of the breach and whether any patient information had been accessed or copied by the attacker. The investigation revealed two email accounts had been compromised as a result of employees responding to phishing emails. It took until August 7, 2019 for the forensic investigators to determine that a breach had occurred and patient information had been compromised. One of the compromised email accounts was discovered to have been accessed by an unauthorized individual from March 13, 2019 to June 12, 2019, and the second account was subjected to unauthorized access on June 12, 2019 and from July 1 to July 8. As is typical in forensic investigations, it was not possible to determine whether the attacker viewed or copied patient...

Read More
CHI Health Ransomware Attack Impacts 48,000 Lakeside Patients
Oct08

CHI Health Ransomware Attack Impacts 48,000 Lakeside Patients

The Omaha, NE-based 14-hospital health system, CHI Health, has experienced a ransomware attack in which the protected health information of approximately 48,000 patients has potentially been compromised. The attack was discovered on August 1, 2019 and affected an old electronic health record system that contained the medical records patients who had received medical services at CHI Health’s Lakeside Orthopedic Clinic prior to April 2016. The investigation confirmed that a database used by the medical record system had been encrypted in the attack. A full investigation into the attack was launched and while it is possible that patient information was accessed or copied by the attackers, no evidence of unauthorized data access or data exfiltration was discovered and there have been no reports of misuse of patient information. The attack appears to have been conduced solely with the aim of extorting money from CHI Health. The types of information contained in the database included patient names, addresses, contact telephone numbers, dates of birth, Social Security numbers, diagnoses,...

Read More
Cancer Treatment Centers of America Experiences Another Phishing Attack
Oct07

Cancer Treatment Centers of America Experiences Another Phishing Attack

Cancer Treatment Centers of America (CTCA) is notifying certain patients that some of their protected health information (PHI) has been exposed as a result of a phishing-related email security breach that occurred in July 2019 at its Southeastern Regional Medical Center. The attack was identified on July 29, 2019 when suspicious activity was detected in the email account of a CTCA staff member. The breach investigation revealed the attacker had gained access to the account for a period of around 7 days from July 22. Upon detection of the breach, the user’s email account was secured to prevent further unauthorized access. The investigation did not uncover any evidence to suggest patient information in emails and email attachments were accessed or copied by the attacker, but the possibility could not be ruled out. The types of information potentially accessed included names along with addresses, phone numbers, dates of birth, health insurance information, medical information, and medical record numbers, and other patient identifiers. No Social Security numbers were exposed in the...

Read More
UAB Medicine Phishing Attack Impacts 19,000 Patients
Oct07

UAB Medicine Phishing Attack Impacts 19,000 Patients

UAB Medicine is alerting patients about an August 7, 2019 phishing attack that resulted in the email accounts of several employees of UAB Medical Center in Birmingham, AL being accessed by the attackers. Upon discovery of the breach, the passwords on affected email accounts were changed to prevent further unauthorized access and UAB Medicine engaged a leading cybersecurity firm to investigate the breach. An analysis of the compromised email accounts revealed they contained the protected health information (PHI) of 19,557 patients, including names and one or more of the following data elements: Medical record number, date of birth, dates of service, location of service, diagnoses, and treatment information. A limited number of patients also had their Social Security number exposed. UAB Medicine provides security awareness training to its workforce and has taught employees how to identify phishing emails. In this instance, despite that training, several employees responded to the emails and disclosed their email account credentials. Those credentials were used to gain access to email...

Read More
Goshen Health Notifies 9,160 Patients of Historic PHI Breach
Oct03

Goshen Health Notifies 9,160 Patients of Historic PHI Breach

Goshen Health in Indiana has started notifying 9,160 patients that some of their protected health information (PHI) may have been compromised in a phishing-related email breach in August 2018. Upon discovery of the breach the compromised email accounts were secured and the breach was investigated. At the time, the security breach was determined not to require notifications to patients as PHI did not appear to have been compromised. However, on August 1, 2019, Goshen Health became aware that the compromised email accounts did contain the PHI of certain patients and notification letters were necessary. The breach occurred between August 2, 2018 and August 13, 2018. An unidentified, unauthorized individual gained access to the email accounts of two Goshen colleagues. Following the breach, Goshen Health enhanced its email security protections and as part of that process used additional forensic tools and technology to re-evaluate the breach. Third-party forensics experts were retained in November 2018 to reassess the incident, but no evidence of unauthorized PHI access or PHI theft was...

Read More
DCH Health System Ransomware Attack Temporarily Cripples 3 Alabama Hospitals
Oct02

DCH Health System Ransomware Attack Temporarily Cripples 3 Alabama Hospitals

DCH Health System has been forced to close all three of its Alabama hospitals for all but critical new patients following a ransomware attack. The attack prevented staff at DCH Regional Medical Center in Tuscaloosa, Northport Medical Center, and Fayette Medical Center from accessing computer systems, which were taken out of action as a result of the attack which commenced in the early hours of Tuesday, October 1, 2019. Emergency procedures were implemented at all three hospitals to ensure day to day healthcare operations could continue and care is continuing to be provided to patients currently at the hospital. Critical patients are being accepted, but individuals scheduled for outpatient procedures or tests have been advised to call before attending. Ambulance services have been advised to take patients to alternate facilities if possible. The health system started using backup files to restore certain system components which allowed those systems to be brought back online. DCH Health System also purchased the decryption keys from the attacker. “We worked with law enforcement and...

Read More
391,472 Patients Impacted by Sarrell Dental Ransomware Attack
Oct02

391,472 Patients Impacted by Sarrell Dental Ransomware Attack

Sarrell Dental, an Alabama-based not-for-profit provider of Children’s dental and optical services, has experienced a ransomware attack in which the protected health information of its patients may have been compromised. Sarrell Dental is the largest provider of dental services in the state of Alabama and operates 17 clinics in the state. In July 2019, ransomware was deployed on its network which resulted in widespread file encryption. Upon discovery of the attack, the network was deactivated, and an investigation was launched. Affected clinics were closed for two weeks while the breach was investigated and systems were restored. A ransom demand was received but it was not paid. Patient information was restored from backups. A third-party computer forensics team was engaged to assist with the investigation to determine the extent of the breach. That investigation revealed that the attackers may have first gained access to Sarrell Dental systems as early as January 2019. No evidence was found to suggest patient information was accessed or copied by the attackers, but the possibility...

Read More
PHI Potentially Compromised in Cybersecurity Breach at North Florida OB-GYN
Oct01

PHI Potentially Compromised in Cybersecurity Breach at North Florida OB-GYN

Jacksonville, FL-based North Florida OB-GYN has discovered hackers gained access to certain parts of its computer system containing patients’ personal and health information and deployed a virus that caused widespread file encryption. Upon discovery of the breach on July 27, 2019, networked computer systems were shut down and breach response and recovery procedures were initiated. Third party IT consultants assisted with the investigation and confirmed that parts of its networked computer systems had been subjected to unauthorized access and a virus had been used to encrypted certain files. The investigation revealed its systems had most likely been compromised on or before April 29, 2019. While system access was confirmed, no evidence of unauthorized data access or theft of personal or medical information was found; however, unauthorized data access and data exfiltration could not be ruled out. Protected health information potentially compromised in the attack varied from patient to patient and may have include name, demographic information, birth date, driver’s license number, ID...

Read More
Wood Ranch Medical Announces Permanent Closure Due to Ransomware Attack
Sep30

Wood Ranch Medical Announces Permanent Closure Due to Ransomware Attack

Another healthcare provider has announced it will be permanently closing its doors as a direct result of a ransomware attack. The devastating attack occurred at Wood Ranch Medical in Simi Valley, CA, which recently announced that the practice will permanently close on December 17, 2019. The attack occurred on August 10, 2019 and resulted in its servers being infected with ransomware. The attack caused widespread file encryption and prevented medical records from being accessed. The extent of the attack was such that computer systems were permanently damaged making file recovery impossible. The practice had created backups of patient records, but those backups were also encrypted and could not be used to restore patient data. Ransomware attacks are usually conducted with the sole purpose of extorting money. Files are encrypted and a ransom demand is issued. If the ransom is not paid, files remain permanently encrypted. Payment of the ransom comes with no guarantee that file recovery will be possible and encourages further attacks. For these reasons the FBI recommends ransom payments...

Read More
Senator Demands Answers Over Exposure of Medical Images in Unsecured PACS
Sep27

Senator Demands Answers Over Exposure of Medical Images in Unsecured PACS

Sen. Mark Warner (D-Virginia) has written to TridentUSA Health Services demanding answers about a breach of sensitive medical images at one of its affiliates, MobileXUSA. Sen. Warner is the co-founder of the Senate Cybersecurity Caucus, which was set up as bipartisan educational resource to help the Senate engage more effectively on cybersecurity policy issues. As part of the SCC’s efforts to improve cybersecurity in healthcare, in June Sen. Warner asked NIST to develop a secure file sharing framework and wrote to healthcare stakeholder groups in February requesting they share best practices and the methods they used to reduce cybersecurity risk and improve healthcare data security. The latest letter was sent a few days after ProPublica published a report of an investigation into unsecured Picture Archiving and Communications Systems (PACS). PACS are used by hospitals and other healthcare organizations for viewing, storing, processing, and transmitting medical images such as MRIs, CT scans, and X-Rays. The report revealed more than 303 medical images of approximately 5 million...

Read More
Ransomware Attacks Reported by People’s Injury Network Northwest and Berry Family Services
Sep27

Ransomware Attacks Reported by People’s Injury Network Northwest and Berry Family Services

Kent, WA-based People’s Injury Network Northwest (PINN), a physical rehabilitation company for industrial rehabilitation patients, has experienced a ransomware attack in which patient information may have been accessed by the attackers. The attack occurred on April 22, 2019 and saw three servers infected with ransomware. The attack was discovered the following day and the servers were taken offline. The decision was taken not to pay the ransom demand and encrypted files were restored from backups. PINN reports that it was possible to recover most of the data on the servers. A computer forensics firm was retained to conduct an investigation to determine whether the attackers gained access to or stole information on the servers. No evidence of unauthorized data access or data theft were discovered; however, it was not possible to rule out to possibility of unauthorized data access or exfiltration. Consequently, the decision was taken to notify patients whose personal and protected health information was potentially compromised. Affected individuals had received services from PINN up...

Read More
Study Reveals Types of Protected Health Information Most Commonly Exposed in Healthcare Data Breaches
Sep24

Study Reveals Types of Protected Health Information Most Commonly Exposed in Healthcare Data Breaches

Researchers from Michigan State University and Johns Hopkins University have conducted a study of healthcare data breaches over the past 10 years to examine what types of information are most commonly exposed in healthcare data breaches. The study, published in the journal Annals of Internal Medicine on Monday September 23, 2019, confirms that the health information of approximately 169 million Americans was exposed, compromised, or impermissibly disclosed in 1,461 data breaches at 1,388 entities between October 2009 and July 2019. Those breaches each impacted 500 or more individuals and were reportable incidents under HIPAA and the HITECH Act. The researchers explain that information about the types of information exposed in data breaches is not widely available to the public, since it is not a requirement to share the types of data that have been compromised in the breaches. It is therefore difficult for researchers to classify the amount and types of healthcare information exposed and gain an accurate picture of the consequences of the breaches. “When the media reports...

Read More
August 2019 Healthcare Data Breach Report
Sep23

August 2019 Healthcare Data Breach Report

In August, healthcare data breaches continued to be reported at a rate of more than 1.5 per day, which is around twice the monthly average in 2018 (29.5 breaches per month). This is the second successive month when breaches have been reported at such an elevated level. While the number of breaches has not changed much since last month (49 compared to 50), there has been a substantial reduction in the number of exposed records.   August saw 729,975 healthcare records breached compared to 25,375,729 records in July, 3,452,442 records in June, and 1,988,376 records in May. The exceptionally high breach total for July was mostly due to the massive data breach at American Medical Collection Agency (See below for an update on the AMCA breach total). Causes of August 2019 Healthcare Data Breaches Hacking and other IT incidents dominated the breach reports in August. 32 breaches were attributed to hacking/IT incidents, which is almost double the number of breaches from all other causes. Hacking/IT incidents breached 602,663 healthcare records – 82.56% of all records breached in...

Read More
Campbell County Health Ransomware Attack Causes Major Disruption to Patient Services
Sep23

Campbell County Health Ransomware Attack Causes Major Disruption to Patient Services

Campbell County Health in Gillette, WY, has experienced a ransomware attack that has disabled hospital systems and is preventing access to patient information. The attack started in the early hours of Friday September 20, 2019 according to the Department of Health. An investigation into the attack has been launched and efforts are continuing to remove the ransomware, restore encrypted files, and bring systems back online; however, at the time of writing, Campbell County Health is continuing to experience major disruption to medical services. Campbell County Health reports that all of its systems have been affected. At this stage, no evidence has been uncovered to suggest patient information has been subjected to unauthorized access or misused. The Emergency Department, Maternal Child (OB) department, and the Walk-In Clinic remain open and staff are on hand to triage and treat patients. Transfers to alternate facilities will be arranged, if appropriate, and the County’s Emergency Medical Services (EMS) has additional ambulances to meet demand. Patients already receiving care are...

Read More
56,226 Presbyterian Health Plan Members Affected by Phishing Attacks at Magellan Health Subsidiaries
Sep20

56,226 Presbyterian Health Plan Members Affected by Phishing Attacks at Magellan Health Subsidiaries

The Scottsdale, AZ-based managed care company, Magellan Health, has discovered two of its subsidiaries have experienced phishing attacks that exposed the protected health information of members of Albuquerque, NM-based Presbyterian Health Plan. The phishing attacks were experienced by National Imaging Associates and Magellan Healthcare, which both provide services to Presbyterian Health Plan. Both incidents were reported to the Department of Health and Human Services’ Office for Civil Rights on September 17, 2019. The National Imaging Associates incident was discovered on July 5 and affected 589 individuals and the Magellan Healthcare breach was discovered on July 12 and affected 55,637 individuals. Both incidents occurred within a few days but they are not believed to be related. The email accounts of two employees were breached on May 28 and June 6, 2019. Both of those individuals handled data related to members of the health plan. The investigation determined the aim of the attack was to compromise email accounts to use them to distribute spam email. No evidence was uncovered to...

Read More
Ramsey County Expands 2018 Phishing Attack Victim Count from 599 to 117,905
Sep19

Ramsey County Expands 2018 Phishing Attack Victim Count from 599 to 117,905

Ramsey County has discovered an August 2018 phishing attack has impacted far more individuals than initially thought. The victim count has been increased from 599 to 117,905. The initial breach report stated the email accounts of 26 employees were compromised in a phishing attack on or around August 9. The attack was identified promptly and the affected accounts were secured. The individuals responsible conducted the attack in order to re-route employees’ paychecks. The initial investigation, conducted with assistance from a data security firm, concluded on October 12, 2018 that the attackers would have been able to access sensitive information contained in the compromised accounts. The accounts were discovered to contain clients’ names, addresses, dates of birth, Social Security numbers, and limited medical information. Ramsey County reported the breach to the HHS’ Office for Civil Rights on December 11, 2018 and notified affected clients. The initial breach report indicated 599 clients had been affected. 9 months on and Ramsey County has announced that 117,905 individuals have...

Read More
Shore Specialty Consultants Pulmonology Group Breach Impacts 9,700 Patients
Sep16

Shore Specialty Consultants Pulmonology Group Breach Impacts 9,700 Patients

New Jersey-based Shore Specialty Consultants Pulmonology Group (SSCPG) is notifying 9,700 patients that some of their protected health information (PHI) has potentially been subjected to unauthorized access as a result of a recent security breach. On July 8, 2019, SSCPG discovered a hacker gained access to a network server containing patient information. The breach was detected within a day and the server was secured. A forensic investigation of the breach did not uncover any evidence to suggest patient information was accessed or stolen, but the possibility could not be ruled out. The compromised server contained the PHI of patients who had previously participated in sleep studies at SSCPG. Highly sensitive information such as Social Security numbers, health insurance information and financial information were not exposed. The breach was limited to patients’ names, dates of birth, details of the care received at SSCPG, and some information relating to the sleep study. The breach prompted SSCPG to conduct a review of its policies and procedures and additional security measures are...

Read More
Phishing Incidents Reported by Fraser and East Central Indiana School Trust
Sep16

Phishing Incidents Reported by Fraser and East Central Indiana School Trust

East Central Indiana School Trust (ECIST) has started notifying more than 3,200 individuals that some of their protected health information (PHI) has been exposed as a result of a recent phishing attack. On May 19, 2019, an employee was fooled into disclosing email account credentials which were used by the attacker to gain access to that individual’s email account. The breach was detected on May 22, 2019 and the account was secured. A third-party computer forensics company was retained to investigate the breach and determine whether patient information was compromised or stolen in the attack. The forensics firm did not uncover any evidence to suggest emails in the account were opened or downloaded by the attacker, but the possibility of unauthorized data access and theft could not be ruled out. The compromised email account contained information such as employees’ and dependents’ names, dates of birth, Social Security numbers, driver’s license numbers, prescription details, health insurance information, and some medical information. The breach has been reported to the HHS’ Office...

Read More
Utah Ransomware Attack Impacts 320,000 Patients
Sep10

Utah Ransomware Attack Impacts 320,000 Patients

The Utah physician group, Premier Family Medicine, is notifying 320,000 patients that some of their protected health information has potentially been compromised as a result of a recent ransomware attack. The attack occurred on July 8, 2019 and temporarily prevented access to patient data and certain systems. According to the August 30, 2019 breach notice on its website, the physician group notified law enforcement and engaged the services of technical consultants to investigate the breach and regain access to its systems and patient data. It is unclear whether the ransom demand was paid. The breach affected all ten of its Utah County locations. “Even though our investigation has found no reason to believe patient information was accessed or taken, we are very concerned that this event even occurred and have taken steps to further enhance the security of our systems,” said Premier Family Medicine chief administrator, Robert Edwards. Community Psychiatric Clinic Breaches Impact 15,537 Patients Community Psychiatric Clinic, a provider of mental health services in Seattle, WA, has...

Read More
OCR Settles First HIPAA Violation Case Under 2019 Right of Access Initiative
Sep10

OCR Settles First HIPAA Violation Case Under 2019 Right of Access Initiative

Earlier this year, the Department of Health and Human Services’ Office for Civil Rights (OCR) announced that one of the main areas of HIPAA enforcement in 2019 would be HIPAA right of access failures, including untimely responses to access requests and overcharging for copies of medical records. The HIPAA right of access allows patients to obtain copies of their medical records on request. HIPAA-covered entities are required to honor those requests and provide patients with access to PHI or copies of health data contained in a ‘designated record set’ within 30 days of the request being received. A covered entity is permitted to charge a reasonable, cost-based fee for providing a copy of the individual’s PHI, which can include the cost of certain labor, supplies and postage. HIPAA-covered entities that fail to provide copies of records in a reasonable time frame or charge excessive amounts for providing a copy of a patient’s PHI are in violation of the HIPAA Privacy Rule – See 45 CFR 164.501. Such violations can attract a sizable financial penalty. This week, OCR has announced...

Read More
Study Confirms Why Prompt Data Breach Notifications Are So Important
Sep05

Study Confirms Why Prompt Data Breach Notifications Are So Important

When healthcare organizations experience a data breach it is understandable that breach victims will be upset and angry. Information is provided to healthcare organizations in the understanding that safeguards have been implemented to keep that information private and confidential. When patients and health plan members learn that their sensitive, private information has been exposed or stolen, many choose to take their business elsewhere. According to a new study* by the credit reporting agency Experian, if the breach response is properly managed and the breached entity is transparent and issues notifications promptly, customer churn rate can be kept to an absolute minimum. The Health Insurance Portability and Accountability Act’s (HIPAA) Breach Notification Rule requires notifications to be issued to breach victims ‘without unreasonable delay’ and no later than 60 days from the discovery of the breach. However, a majority of patients expect to be notified much more quickly. The study showed 73% of patients/plan members expect to be notified about a breach within 24 hours of the...

Read More
Multiple Email Accounts Compromised in UC Health Phishing Attack
Sep05

Multiple Email Accounts Compromised in UC Health Phishing Attack

University of Cincinnati Health (UC Health) is investigating a security breach that saw the email accounts of multiple employees accessed by an unauthorized individual. The attack occurred between July 6 and July 12, 2019 and involved ‘a limited number’ of employee email accounts. An analysis of the compromised email accounts revealed they contained patients’ names, birth dates, medical record numbers, and some clinical information. A forensic analysis of UC Health email system was unable to establish whether the attackers opened or copied any emails or email attachments.  UC Health is attempting to determine exactly which patients have been affected and notification letters will be sent “in the coming weeks.” UC Health announced the breach on its website on September 4, 2019. UC Health will be enhancing email security and re-educating employees to help them identify phishing and other malicious emails. The incident has not yet appeared on the HHS’ Office for Civil Rights website, so it is unknown how many patients have been affected. Conway Regional Medical Center Phishing Attack...

Read More
Artesia General Hospital Phishing Attack Impacts 13,905 Patients
Sep05

Artesia General Hospital Phishing Attack Impacts 13,905 Patients

Artesia General Hospital in Artesia, NM, has discovered the protected health information (PHI) of 13,905 patients has been compromised in a phishing attack. The breach was detected when an employee’s email account was discovered to have been used to send unauthorized emails. The breach was detected on June 18, 2019 and the forensic analysis revealed the account had been accessed by an unauthorized individual between June 11 to June 18. A leading computer forensics company was engaged to investigate the breach, but no evidence of data theft was discovered. To date, no reports have been received to suggest PHI has been stolen or misused. The email accounts contained patients’ names, birth dates, patient account numbers, medical record numbers, health insurance information, and some treatment and/or clinical information, such as diagnoses, dates of service, and provider names. A small subset of affected patients also had Social Security numbers exposed. The hospital has re-enforced security awareness training and additional measures are being implemented to improve email security....

Read More
122,000 Providence Health Plan Members Impacted by Dominion National Data Breach
Sep04

122,000 Providence Health Plan Members Impacted by Dominion National Data Breach

In July 2019, Dominion National, an insurer and administrator of dental and vision benefits, announced the discovery of a major data breach that impacted around 2.9 million health plan members. Hackers had gained access to Dominion National servers in 2010. The breach was detected on April 24, 2019. Providence Health Plan has recently announced the breach at Dominion National affected 122,000 of its plan members. Virginia-based Dominion National administers Providence Health Plan’s dental program in Oregon, and as such, had access to plan members’ protected health information (PHI), including names, addresses, dates of birth, insurance information, and Social Security numbers. Dominion National started administering the health plan’s dental program in 2015. The breach was therefore limited to customers who participated in the dental program between 2015 and 2019. Affected Providence Health Plan members were notified by Dominion National in August and have been offered two years of complimentary credit monitoring and identity theft protection services. Laptop Theft from Business...

Read More
82% of Healthcare Organizations Have Experienced a Cyberattack on Their IoT Devices
Sep03

82% of Healthcare Organizations Have Experienced a Cyberattack on Their IoT Devices

82% of healthcare providers that have implemented Internet-of-Things (IoT) devices have experienced a cyberattack on at least one of those devices over the course of the past 12 months, according to the Global Connected Industries Cybersecurity Survey from Swedish software company Irdeto. For the report, Irdeto surveyed 700 security leaders from healthcare organizations and firms in the transportation, manufacturing, and IT industries in the United States, United Kingdom, Germany, China, and Japan. Attacks on IoT devices were common across all those industry sectors, but healthcare organizations experienced the most cyberattacks out of all industries under study. The biggest threat from these IoT cyberattacks is theft of patient data. The attacks also have potential to compromise end user safety, result in the loss of intellectual property, operational downtime and damage to the organization’s reputation. The failure to effectively secure the devices could also potentially result in a regulatory fine. When asked about the consequences of a cyberattack on IoT devices, the biggest...

Read More
73 Email Accounts Compromised in Major Phishing Attack on NCH Healthcare System
Sep02

73 Email Accounts Compromised in Major Phishing Attack on NCH Healthcare System

The importance of security awareness training for healthcare employees has been highlighted by a recent phishing attack on Bonita Springs, FL-based NCH Healthcare System. The attack was detected on June 14, 2019 when suspicious email activity was identified in relation to its payroll system. The investigation revealed a staggering 73 employees had responded to phishing emails and disclosed their account credentials to the scammers. It is common for healthcare organizations to identify an email account breach and later discover the attack was more extensive than originally thought. Oftentimes, several emails accounts are discovered to have been compromised, often as a result of lateral phishing – The use of one compromised email account to send phishing emails to other individuals in the organization. However, a breach as extensive as this is fortunately rare. NCH Healthcare system is still investigating the attack and is being assisted by a third-party computer forensics firm. The initial findings of the investigation suggest the attackers were not concerned with obtaining PHI,...

Read More
Ransomware Attack Impacts More Than 400 U.S. Dental Practices
Aug30

Ransomware Attack Impacts More Than 400 U.S. Dental Practices

A ransomware attack on a medical record backup service has prevented hundreds of dental practices in the United States from accessing their patients’ records. The attack occurred on August 26, 2019 and affected the DDS Safe backup solution developed by Wisconsin-based software company, Digital Dental Record (DDS). The DDS system was accessed via an attack on its cloud management provider, West Allis, WI-based PerCSoft. Ironically, the DDS website states DDS Safe helps to protect dental practices against ransomware attacks. The attack did not affect all dental practices using the DDS Safe solution. Initial reports suggest between 400 and 500 of the 900 dental practices using the solution have been affected by the REvil/Sodinokibi ransomware attack. PerCSoft, assisted by a third-party software company, has obtained a decryptor and is in the process of recovering the encrypted files. According to a statement from DDS, recovery of files is estimated to take between 30 minutes to 4 hours per client. Some dental practices have reported file loss as a result of the attack and others have...

Read More
33,370 Mount Sinai Hospital Patients Impacted by AMCA Breach
Aug29

33,370 Mount Sinai Hospital Patients Impacted by AMCA Breach

Mount Sinai Hospital has discovered the protected health information (PHI) of 33,730 patients was compromised in the cyberattack on American Medical Collection Agency (AMCA).  The hospital is the 24th known victim of the massive AMCA breach, which has affected almost 25 million patients. AMCA notified Mount Sinai Hospital on June 4, 2019 that an unauthorized individual had gained access to a web payment page, through which the PHI of its clients’ patients could be accessed. The webpage was compromised on August 1, 2018 and unauthorized access continued until March 30, 2019 when the breach was discovered and the web page was secured. The breach only affected patients with outstanding medical bills that had been passed to AMCA for collection. The breach involved names, name of lab or medical service provider, dates of service, referring physician’s name, health insurance information, and other medical information related to the services provided by Mount Sinai. Some patients also had financial information exposed. Those individuals were notified directly by AMCA and offered credit...

Read More
Georgia Court of Appeals to Decide Whether Athens Orthopedic Data Breach Victims Are Entitled to Damages
Aug28

Georgia Court of Appeals to Decide Whether Athens Orthopedic Data Breach Victims Are Entitled to Damages

A class action lawsuit filed by victims of a June 2016 cyberattack on Athens Orthopedic in Georgia has gone before the Georgia Supreme Court to determine whether breach victims are entitled to recover damages. The cyberattack in question saw the personal information, Social Security numbers, and health insurance information of approximately 200,000 individuals stolen by the hacking group, Dark Overlord. The Dark Overlord has conducted numerous attacks on healthcare organizations in the United States over the past three years. Initially, attacks were conducted to steal sensitive data, which was subsequently sold on dark web marketplaces. More recently, attacks have involved data theft and extortion. A ransom demand is issued to breached entities that must be paid in order to prevent publication of the stolen data.  Athens Orthopedic did not pay the ransom demand. The Dark Overlord gained access to Athens Orthopedic’s systems via an attack on a “nationally-known health care information management contractor,” the login credentials of which were used to steal patient data. Athens...

Read More
AMCA Data Breach Total Nears 25M as Wisconsin Diagnostic Laboratories Confirms 115K Record Breach
Aug28

AMCA Data Breach Total Nears 25M as Wisconsin Diagnostic Laboratories Confirms 115K Record Breach

The victim count from the American Medical Collection Agency (AMCA) data breach has risen to almost 25 million as yet another healthcare organization has announced it has been impacted by the breach. Wisconsin Diagnostic Laboratories (WDL), a network of 13 medical testing facilities in and around Milwaukee, is notifying 114,985 patients that some of their protected health information was compromised in the AMCA data breach. On June 3, 2019, AMCA informed WDL that some of its patients’ data had been compromised as a result of the hacking of a web payment portal. The hacker gained access to the payment page on August 1, 2018. The breach was detected on March 30, 2019 and unauthorized access was terminated. The types of information in AMCA systems was limited to patients’ names, dates of birth, dates of service, names of lab or medical service providers, referring physician’s name, balances owed to WDL, and other medical information related the services provided by WDL. No Social Security numbers or lab test results were compromised in the breach. A limited number of individuals also...

Read More
July 2019 Healthcare Data Breach Report
Aug26

July 2019 Healthcare Data Breach Report

May 2019 was the worst ever month for healthcare data breaches with 46 reported breaches of more than 500 records. More breaches were reported in May than any other month since the HHS’ Office for Civil Rights started publishing breach summaries on its website in 2009. That record of 44 breaches was broken in July. July saw 50 healthcare data breaches of more than 500 records reported to the Department of Health and Human Services’ Office for Civil Rights, which is 13 more breaches than the monthly average for 2019 and 20.5 more breaches than the monthly average for 2018. July 2019 was the second worst month in terms of the number of healthcare records exposed. 25,375,729 records are known to have been exposed in July. There are still 5 months left of 2019, yet more healthcare records have been breached this year than in all of 2016, 2017, and 2018 combined. More than 35 million individuals are known to have had their healthcare records compromised, exposed, or impermissibly disclosed this year. Causes of July 2019 Healthcare Data Breaches   The main reason for the increase in...

Read More
Phishing Attack on Presbyterian Healthcare Services Exposed PHI of 183,000 Patients
Aug26

Phishing Attack on Presbyterian Healthcare Services Exposed PHI of 183,000 Patients

The Albuquerque, NM-based not-for-profit health system, Presbyterian Healthcare Services, has experienced a phishing attack that saw the email accounts of several employees subjected to unauthorized access. The phishing attack was discovered by Presbyterian Healthcare Services on June 6, 2019. The breach investigation revealed the email accounts were compromised a month previously, on or around May 9, 2019. Upon discovery of the breach, all affected email accounts were secured to prevent further access. An analysis of the compromised email accounts revealed they contained the protected health information (PHI) of 183,370 individuals. Compromised PHI was limited to names, dates of birth, Social Security numbers, and clinical and health plan information. Affected individuals have been advised to check their statements from their providers and health plans for signs of misuse of their personal information. Presbyterian Healthcare Services has implemented additional safeguards to protect its email system and all employees will be required to undergo annual cybersecurity training....

Read More
Massachusetts General Hospital Data Breach Impacts 10,000 Patients
Aug23

Massachusetts General Hospital Data Breach Impacts 10,000 Patients

Massachusetts General Hospital (MGH) has discovered computer applications used by researchers in its Department of Neurology have been subjected to unauthorized access. The individual responsible would have been able to access the protected health information of approximately 10,000 patients. MGH discovered the breach on June 24, 2019 and immediately terminated access to the applications and databases. An investigation was launched, and a forensic investigator was engaged to help determine the nature and scope of the breach. The investigation confirmed that two applications had been subjected to unauthorized access between June 10 and June 16, 2019. Via the applications, the unauthorized individual would have been able to view information in databases related to specific neurology research studies. The types of information in the databases varied from patient to patient and may have included: Name, marital status, age, date of birth, sex, race, ethnicity, dates of visits and tests, medical record number, diagnoses, treatment information, biomarkers, genetic information, assessments...

Read More
Rhode Island Healthcare Provider Hacked: 3,000 Records Potentially Compromised
Aug22

Rhode Island Healthcare Provider Hacked: 3,000 Records Potentially Compromised

Rhode Island Ear, Nose and Throat Physicians Inc. (RIENT) is notifying 2,943 patients that some of their health information was stored on a server which was subjected to unauthorized access on June 19, 2019 when a hacker gained access to its network. The breach was detected the same day and the network was secured. A third-party computer forensics firm was hired to assist with the investigation and help determine the nature and extent of the breach. The compromised servers did not contain the medical records of all patients, only records of patients who received medical services between May 1, 2019 and June 12, 2019.  The forensic investigation did not uncover any evidence to suggest patient information was viewed or copied and no reports have been received to suggest patient information has been misused. For the majority of affected patients, the breach was limited to names, dates of birth, and clinical information. A small subset of patients also had their Social Security number exposed. Patients whose Social Security number was exposed have been offered complimentary credit...

Read More
Medical Records of Western Connecticut Health Network Patients Exposed
Aug22

Medical Records of Western Connecticut Health Network Patients Exposed

Nuvance Health has started notifying certain Western Connecticut Health Network (WCHN) patients that some of their protected health information has been exposed. On June 11, 2019, WCHN sent a box of medical records to the Connecticut State Department of Public Health. The package was sent via the U.S. Postal Service (USPS), but the package was damaged in transit, exposing the contents of the package. WCHN was notified and retrieved the damaged package from the USPS. A spokesperson for WCHN said there was no indication that any information had been removed and misused and that the package did not appear to have left the custody of the USPS until it was collected by WCHN personnel. WCHN has now changed its procedures for sending protected health information to ensure similar incidents are prevented in the future. Patients were notified on August 19, 2019. The types of information in the records was limited to names, addresses, dates of birth, provider names, medical record numbers, diagnosis dates, diagnoses, and medical test results. The HHS’ Office for Civil Rights breach...

Read More
30K Integrated Regional Laboratories Patients Impacted by AMCA Breach
Aug20

30K Integrated Regional Laboratories Patients Impacted by AMCA Breach

Integrated Regional Laboratories (IRL) in Florida is notifying approximately 30,000 patients that their protected health information (PHI) was potentially compromised in the American Medical Collection Agency (AMCA) data breach discovered on March 20, 2019. On June 3, 2019, AMCA notified IRL about its security breach and confirmed on June 13, 2019 that the PHI of IRL patients had been exposed. IRL posted a breach notice on its website on July 30, and patients are being notified. IRL stopped sending patient information to AMCA when the breach was discovered, and the company is no longer using AMCA’s services. AMCA has been instructed to securely destroy all copies any IRL patients’ PHI. According to the breach summary on the HHS’ Office for Civil Rights website, 29,644 patients were affected by the breach. Over the past few days, the breach summaries of several victims of the AMCA breach have been added to the OCR’s breach portal. HIPAA Journal has been tracking breach reports and has identified 22 HIPAA-covered entities that have been affected by the breach. So far, 24,739,540...

Read More
PHI Exposed in Phishing Attacks on Michigan Medicine and Virginia Gay Hospital
Aug19

PHI Exposed in Phishing Attacks on Michigan Medicine and Virginia Gay Hospital

5,466 patients of Michigan Medicine are being notified that some of their protected health information has been exposed in a recent phishing attack. In July, Michigan Medicine employees were targeted in large scale phishing campaign. 3,200 Michigan Medicine employees received phishing emails containing a hyperlink to a legitimate looking web page that requested the user’s email login credentials. Three employees responded to the emails and disclosed their credentials. Those accounts were subjected to unauthorized access and were used to send further phishing emails. Michigan Medicine detected suspicious activity in the email accounts on July 8, 9 and 12, 2019 and performed a password reset to prevent any further unauthorized access. As a precaution, the passwords were also resent on the email accounts of all employees who received one of the phishing emails. Two of the accounts were discovered to contain patient information. In addition to a patient’s name, one or more of the following may have been compromised: Address, date of birth, medical record number, diagnostic information,...

Read More
Ohio Eye Care Provider Suffers Ransomware Attack
Aug15

Ohio Eye Care Provider Suffers Ransomware Attack

Eye Care Associates, a fully integrated regional eye care provider in northeast Ohio, experienced a ransomware attack in late July which took its computer systems out of action. Two weeks after the attack occurred, its computer systems remain locked. According to Director of Operations, Mary Jo Silva, the attack occurred in the early hours of July 28, 2019. The Beaver Township Police Department was notified about the attack and the board was informed. A ransom demand was received, but no amount was stated on the demand. Contact with the attackers was required in order to discover how needed to be paid. Silva said no contact was made with the attackers and no payment was made. Eye Care Associates has been working with its backup and file storage service provider to recover all encrypted files. Silva expects systems to be brought back online in the next couple of days. An investigation into the attack has uncovered no evidence to suggest patient information was stolen. The Business Journal reports that the ransomware was delivered via email. The attack has caused considerable...

Read More
Hackers Demand $1 Million Ransom from Washington Hospital
Aug15

Hackers Demand $1 Million Ransom from Washington Hospital

A ransomware attack on an Aberdeen, WA-hospital and associated clinics is still causing problems two months after the attack occurred. The attackers have demanded $1 million for the keys to unlock the encryption. On June 15, 2019, Grays Harbor Community Hospital started experiencing IT problems. The attack occurred on a Saturday when staffing was limited so initially the problem was attributed to an IT issue. On Monday it became apparent that ransomware was involved and steps were taken to isolate the infection and secure the network; however, the attackers had already moved laterally and had gained access to servers and the systems used by Harbor Medical Group clinics. The initial point of attack appears to have been a response to a phishing email by a single employee. Harbor Medical Group operates 8 clinics in the Aberdeen and Hoquiam region, and those clinics were the worst affected by the attack. Grays Harbor Community Hospital used older software, which prevented the ransomware from being installed on the hospital’s main computer system. The clinics used more recent software,...

Read More
Renown Health Discovers PHI was Stored on Lost Thumb Drive
Aug14

Renown Health Discovers PHI was Stored on Lost Thumb Drive

Renown Health, the largest healthcare provider in Northern Nevada, has started notifying certain patients that some of their protected health information (PHI) may have been compromised. Patient information was present in files on a portable storage device (thumb drive) discovered to be missing on June 30, 2019. An extensive search of the facility was conducted but the thumb drive could not be located. An investigation was conducted to determine what files had been saved to the device and which patients had their PHI exposed. Files on the storage device related to patients who had received inpatient services at Renown South Meadows Medical Center between January 1, 2012 and June 14, 2019. The types of information in the files included names, diagnoses, medical record numbers, clinical information, admission dates, and physicians’ names.  No Social Security numbers or financial information were stored on the device. Patients have been advised to exercise caution and monitor their accounts and explanation of benefits statements for any signs of fraudulent activity. Renown Health will...

Read More
More than 10,000 FDNY EMS Patients Notified of PHI Exposure
Aug12

More than 10,000 FDNY EMS Patients Notified of PHI Exposure

10,292 EMS patients who were taken to hospital by a New York Fire Department (FDNY) ambulance between 2011 and 2018 have had some of their protected health information exposed. According to FDNY spokesperson Myles Miller, there was “a loss of data caused by one employee’s failure to follow the department’s data security policies.” The fire department learned on March 4, 2019 that an employee’s personal hard drive was missing. The hard drive had been used by the employee to store files containing patient information such as patient care reports. A patient care report is created when a 911 call is received that requires an ambulance to respond. The reports contained information on 10,253 patients such as name, address, telephone number, date of birth, insurance details, health condition, and for approximately 3,000 patients, their Social Security number. All affected individuals are now being notified of the breach and individuals whose Social Security number was exposed have been offered complimentary credit monitoring services. “The FDNY is treating the incident as if the...

Read More
Email Security Breaches Expose PHI of Seattle Community Psychiatric Clinic Patients
Aug09

Email Security Breaches Expose PHI of Seattle Community Psychiatric Clinic Patients

Community Psychiatric Clinic in Seattle, WA, a provider of accredited outpatient, mental health treatment, and counselling services, has experienced two security breaches in which patient information may have been compromised. In both cases, an unauthorized individual gained access to an employee’s Microsoft Office 365 account. The first security breach was detected on March 12, 2019 when an employee’s account was subjected to unauthorized access. The affected account was immediately secured, passwords were changed, and the employee’s hard drive was restored.  The email account also had additional protections added to prevent similar breaches from occurring in the future. The investigation did not uncover any evidence to suggest that patient data had been stolen. Around two months later on May 8, 2019, a second email account was discovered to have been compromised in a separate attack. The attacker used the email account to send a fraudulent wire transfer request to another member of staff. The transfer was executed, but due to the fast response of the clinic, it was possible to...

Read More
PHI of Tens of Thousands of Patients Exposed Online Due to Database Misconfiguration
Aug08

PHI of Tens of Thousands of Patients Exposed Online Due to Database Misconfiguration

A database containing the personal information of individuals who had expressed an interest in Amarin Pharma’s cholesterol drug Vascepa® has been exposed online. The database was maintained by third party vendor and contained information such as full names, addresses, telephone numbers, email addresses, medications, and interest in a copay card for Vascepa®. Amarin learned of the breach via media reports of an exposed database containing information of Amarin customers and immediately launched an investigation. The company quickly determined which database had been exposed and took steps to suspend active data feeds and the database was secured the same day. The vendor’s investigation revealed a database misconfiguration had occurred which rendered the database accessible online between May 2, 2018 and June 20, 2019. An investigation by the vendor confirmed that the database had been subjected to unauthorized access by a third party between May 29, 2019 and June 20, 2019, and during that time data had been copied. Amarin and its vendor are continuing to investigate the breach and...

Read More
Further 185,000 Individuals Affected by AMCA Data Breach
Aug08

Further 185,000 Individuals Affected by AMCA Data Breach

Three more healthcare organizations have announced they have been affected by the data breach at American Medical Collection Agency (AMCA): West Hills Hospital & Medical Center in California, Inform Diagnostics, and CompuNet Clinical Laboratories. The AMCA data breach was first announced more than two months ago. Most of the companies impacted by the breach were notified by AMCA in May/June that some of their patients’ data had potentially been compromised, but it has taken several weeks for those companies to be provided with sufficient information to make announcements and sent notification letters. The breach at AMCA occurred between August 1, 2018 and March 30, 2019. During that period, an unauthorized individual had access to a web payment page, through which it was possible to obtain personal and financial information. Affected individuals had had their information passed to AMCA to collect outstanding bills for medical services. The latest announcements bring the total number of companies known to have been affected to 21. It is not yet known how many patients of West...

Read More
Presbyterian Healthcare Services Data Breach Impacts 183,000 Patients
Aug05

Presbyterian Healthcare Services Data Breach Impacts 183,000 Patients

New Mexico-based Presbyterian Healthcare Services is notifying approximately 183,000 patients and health plan members that some of their protected health information (PHI) has been exposed in a recent security breach. On or around May 6, 2019, several Presbyterian Healthcare Services employees received phishing emails. Certain employees responded to the emails and inadvertently disclosed their credentials to the attackers. Those credentials were used to gain access to accounts containing sensitive information such as names, dates of birth, and Social Security numbers. Presbyterian Healthcare Services became aware of the breach on June 9 and immediately secured the affected accounts. The breach investigation uncovered no evidence to suggest any personal information was accessed or stolen by the attacker and no reports been received to suggest any PHI has been misused. Affected individuals have been offered complimentary credit monitoring and identity theft protection services for 12 months and have been advised to monitor their accounts and explanation of benefits statements...

Read More
Imperial Health Ransomware Attack Impacts More Than 111,000 Patients
Aug02

Imperial Health Ransomware Attack Impacts More Than 111,000 Patients

Imperial Health, a physicians’ network serving patients in Southwest Louisiana, is alerting more than 111,000 patients that some of their protected health information has potentially been compromised in a recent ransomware attack. An unauthorized party had succeeded in downloading ransomware onto the network, which encrypted files and a database used by the Imperial Health’s Center for Orthopaedics (CFO). The attack was detected on May 19, 2019. The database contained the protected health information of 116,262 patients. While no evidence of data access or data theft was uncovered during the investigation, it was not possible to rule out a breach of PHI. The decision was therefore taken to issue notifications to affected patients to allow them to take step to eliminate any risk of harm. The information stored in the database related to patients who had previously received medical services at CFO. The information varied from patient to patient and may have included name, address, telephone number, birth date, Social Security number, medical record number, diagnoses, treatment...

Read More
First Half of 2019 Sees 31.6 Million Healthcare Records Breached
Aug02

First Half of 2019 Sees 31.6 Million Healthcare Records Breached

It has been a particularly bad six months for the healthcare industry. Data breaches have been reported in record numbers and the number of healthcare records exposed on a daily basis is extremely concerning. The trend of more than one healthcare data breach a day has continued throughout 2019, even reaching a rate of 2 per day in May. According to the 2019 Mid-Year Data Breach Barometer Report from Protenus and Databreaches.net, 31,611,235 healthcare records were breached between January 2019 and June 2019. To put that figure into perspective, it is double the number of records exposed in healthcare data breaches in the entirety of 2018 (14,217,811 records). One breach stands out from the 285 incidents reported in the first half of the year: The data breach at American Medical Collection Agency (AMCA). A batch of stolen credentials on a dark net marketplace was traced back to AMCA, which discovered its payment web page had been compromised for months. It is not yet known exactly how many healthcare records were exposed in the incident, but 18 clients are known to have been...

Read More
More than 522,000 Puerto Rico Patients Impacted by Ransomware Attack
Jul30

More than 522,000 Puerto Rico Patients Impacted by Ransomware Attack

More than half a million patients in Bayamón, Puerto Rico have been affected by a ransomware attack on a medical center and its associated hospital. Bayamón Medical Center and Puerto Rico Women and Children’s Hospital discovered on May 21, 2019 that their computer systems had been infected with ransomware. The ransomware encrypted a wide range of files and prevented hospital staff from accessing patient information ‘for a short period of time,’ according to a July 19, 2019 press release announcing the attack. Approximately 522,000 current and former patients are being notified about the ransomware attack as a precautionary measure. The internal investigation into the attack confirmed that patient information was affected, but no evidence of unauthorized data access or theft was identified. The information potentially compromised was limited to names, demographic information, clinical information, financial information, and in some cases, diagnosis information, dates of birth, and Social Security numbers. The ransomware attack only rendered data temporarily inaccessible and...

Read More
Kentucky Community Health Center Pays $70,000 Ransom to Recover PHI
Jul29

Kentucky Community Health Center Pays $70,000 Ransom to Recover PHI

On June 7, 2019, Louisville, KY-based Park DuValle Community Health Center suffered a ransomware attack. Hackers succeeded in gaining access to its network and installed ransomware which rendered its medical record system and appointment scheduling platform inaccessible. The not-for-profit health center provides medical services to the uninsured and low-income patients in the western Louisville area. For seven weeks, employees at the health center have been recording patient information on pen and paper and have had to rely on patients’ accounts of past treatments and medications. With its systems out of action, no patient data could be viewed, and appointments could not be scheduled. The clinic had to operate on a walk-in basis. The medical record system contained the records of around 20,000 current and former patients who had previously received treatment at one of its medical centers in Louisville, Russell, Newburg, or Taylorsville. This is not the first ransomware attack suffered by the health center this year.  A prior attack occurred on April 2, 2019, which similarly took...

Read More
2019 Cost of A Data Breach Study Reveals Increase in U.S. Healthcare Data Breach Costs
Jul24

2019 Cost of A Data Breach Study Reveals Increase in U.S. Healthcare Data Breach Costs

The Ponemon Institute/IBM Security has published its 2019 Cost of a Data Breach Report – A comprehensive analysis of data breaches reported in 2018. The report shows data breach costs have continue to rise and the costliest breaches are experienced by healthcare organizations, as has been the case for the past 9 years. Average Data Breach Costs $3.92 Million Over the past five years, the average cost of a data breach has increased by 12%. The global average cost of a data breach has increased to $3.92 million. The average breach size is 25,575 records and the cost per breached record is now $150; up from $148 last year. Globally, the healthcare industry has the highest breach costs with an average mitigation cost of $6.45 million. Healthcare data breaches typically cost 65% more than data breaches experienced in other industry sectors. Data breach costs are the highest in the United States, where the average cost of a data breach is $8.19 million – or $242 per record. The average cost of a healthcare data breach in the United States is $15 million. Healthcare Data Breaches Cost...

Read More
June 2019 Healthcare Data Breach Report
Jul24

June 2019 Healthcare Data Breach Report

For the past two months, healthcare data breaches have been reported at a rate of 1.5 per day – Well above the typical rate of one per day. In June, data breaches returned to more normal levels with 30 breaches of more than 500 healthcare records reported in June – 31.8% fewer than May 2019.   While the number of reported data breaches fell,  June saw a 73.6% increase in the number of health records exposed in data breaches. 3,452,442 healthcare records were exposed in the 30 healthcare data breaches reported in June. Largest Healthcare Data Breaches in June 2019 The increase in exposed records is due to a major breach at the dental health plan provider Dominion Dental Services (Dominion National Insurance Company). Dominion discovered an unauthorized individual had access to its systems and patient data for 9 years. During that time, the protected health information of 2,964,778 individuals may have been stolen. That makes it the largest healthcare data breach to be reported to the Office for Civil Rights so far in 2019 – At least for a month until entities affected by...

Read More
15,000 Patient Records Exposed in Phishing Attack on HIPAA Business Associate
Jul23

15,000 Patient Records Exposed in Phishing Attack on HIPAA Business Associate

Northwood Inc., a Madison Heights, MI-based HIPAA business associate, has announced that a hacker has gained access to the email account of one of its employees and potentially viewed or obtained sensitive patient information. The breach was discovered on May 6, 2019 while investigating suspicious activity related to an employee’s email account. When a breach was confirmed, a leading computer forensics expert was hired to assist with the investigation and determine the nature and full extent of the attack. The forensic investigation revealed the employee’s email account was accessed by an unauthorized individual(s) from May 3 to May 6. No evidence was found to suggest any emails had been viewed or copied, but data access and data theft could not be ruled out. All emails and email attachments in the account had to be checked to determine whether they contained any patient information. On June 19, Northwood determined patients’ protected health information had been exposed and may have included a patient’s name along with one or more of the following data elements: Address, date of...

Read More
AMCA Victim Count Swells to Almost 25 Million Records
Jul23

AMCA Victim Count Swells to Almost 25 Million Records

The number of healthcare providers confirmed to have been affected by the data breach at American Medical Collection Agency (AMCA) has grown considerably over the past few days. The victim count is now nearing 25 million and 18 healthcare providers are now known to have been affected. The AMCA breach was discovered by its parent company, Retrieval Masters Credit Bureau (RMCB), on March 21, 2019. An investigation was launched to determine the extent of the attack, which revealed the hacker had access to the AMCA payment web page for around 8 months. During that time, the hacker had access to vast quantities of sensitive patient information, including financial information and Social Security numbers. AMCA notified all entities that had been affected by the breach in May 2019; however, only limited information was released. Most of the covered entities affected by the breach were not given sufficient information to allow the affected patients to be identified. Quest Diagnostics was the first to announce that it has been impacted by the breach, closely followed by LabCorp and...

Read More
Thousands of Patients Impacted by Breaches at Cancer Treatment Centers of America and Edgepark Medical Supplies
Jul22

Thousands of Patients Impacted by Breaches at Cancer Treatment Centers of America and Edgepark Medical Supplies

Edgepark Medical Supplies (EMS) has discovered an unauthorized individual has gained access to certain customer accounts and changed addresses and had their orders redirected to other addresses. On May 13, 2019, EMS discovered the potential breach and disabled the affected online accounts. The investigation revealed an unauthorized individual gained access to the accounts by using brute force tactics, often referred to as a password spraying attack. This is an automated, sustained attempt to gain access to accounts by using commonly used passwords and dictionary words until the correct password is guessed. Once account passwords had been guessed, shipping addresses were changed to redirect orders. It is possible that orders have been placed by the attacker unbeknown to Edgepark.com account holders. EMS is still investigating the breach and will be issuing refunds to any customers who have been charged for fraudulent orders. In addition to fraudulent use of their accounts, the following information may have been viewed/obtained by the hacker: Customer name, address, date of birth,...

Read More
21,400 Patients Impacted by St. Croix Hospice Phishing Attack
Jul19

21,400 Patients Impacted by St. Croix Hospice Phishing Attack

St. Croix Hospice, a provider of hospice care throughout the Midwest, has discovered an unauthorized individual gained access to the email account of an employee and potentially viewed patient information. The breach was detected on May 10, 2019 when suspicious email activity was detected in the account. A third-party computer forensics firm was hired to assist with the investigation and discovered several employees’ email accounts were compromised between April 23, 2019 and May 11, 2019. It was not possible to determine whether any patient information had been accessed or copied, but the forensics firm did confirm that the accounts had been subjected to unauthorised access. An extensive systemic review of the compromised email accounts was conducted to identify which patients had had their protected health information exposed. On June 21, 2019, it was confirmed that protected health information had been exposed. The review has now been completed and patients are being notified that their name, address, financial information, Social Security number, health insurance information,...

Read More
Wise Health System Phishing Attack impacts 35,899 Patients
Jul19

Wise Health System Phishing Attack impacts 35,899 Patients

Wise Health System in Decatur, TX, has started sending notifications to patients to inform them that some of their protected health information (PHI) has been exposed as a result of a phishing attack. 35,899 patients have potentially been affected. The attack occurred on March 14, 2019. Several employees received phishing emails and some responded and disclosed their account credentials. The credentials were then used to gain access to the Employee Kiosk, where the attacker(s) attempted to reroute payroll direct deposits.  Attempts were made to redirect approximately 100 direct deposit payments. Wise Health had policies in place that require a paper check to be printed for two successive payrolls following a change to direct deposit information. The checks were printed in the payroll on April 5 and the unusually high number of checks raised the alarm. Thanks to the two-check policy, the fraud was prevented and no payments were redirected.  A system wide password change was immediately performed to lock out the attackers and two third-party forensic firms were hired to investigate...

Read More
2.2 Million Clinical Pathology Laboratories Patients Affected by AMCA Breach
Jul18

2.2 Million Clinical Pathology Laboratories Patients Affected by AMCA Breach

Clinical Pathology Laboratories in Texas has recently discovered the protected health information (PHI) of approximately 2.2 million of its patients has potentially been compromised in the data breach at American Medical Collection Agency (AMCA). AMCA provides debt collection services to many healthcare companies, which requires access to the PHI of patients with outstanding bills. A cyberattack on the AMCA payment website allowed hackers to can access to the site, and through it, the PHI of patients. Hackers had access to the payment website for 8 months before the breach was detected. As of today, July 18, 2019, five AMCA clients have confirmed they have been affected by the breach. First came Quest Diagnostics, which announced through an SEC filing that 11.9 million of its patients had been affected. That was closely followed by LabCorp’s announcement that 7.7 million records had been exposed.  BioReference Laboratories also confirmed that around 422,000 of its patients had been affected, and recently 13,000 patients of Penobscot Community Health Center in Maine have been...

Read More
Penobscot Community Health Center Victim of AMCA Breach
Jul16

Penobscot Community Health Center Victim of AMCA Breach

Another healthcare provider has discovered it has been affected by the security breach at American Medical Collection Agency (AMCA). AMCA recently discovered an unauthorized individual had gained access to systems containing protected health information (PHI) provided by its clients. Its systems were first subjected to unauthorized access on August 1, 2018 and the breach persisted until March 30, 2019. Penobscot Community Health Center (PCHC), a not for profit health center in Bangor, ME, contracted with AMCA for billing collection services. AMCA notified PCHC on May 15, 2019 that the PHI of approximately 13,000 of its patients had potentially been compromised. In order to provide billing collection services, AMCA was provided with a limited amount of PHI. The only PHI provided to AMCA was for patients whose accounts had been sent to AMCA for debt collection and in each case the information disclosed was limited to the minimum necessary amount. During the 8 months that AMCA systems were subjected to unauthorized access the following types of information were potentially viewed or...

Read More
Email Account Hack Affects 25,000 Adirondack Health Patients
Jul15

Email Account Hack Affects 25,000 Adirondack Health Patients

Vermont-based Adirondack Health is notifying approximately 25,000 patients that some of their protected health information has potentially been obtained by a hacker. The information may have included patients’ names, dates of birth, Medicare ID numbers or health insurance member numbers, and limited treatment and/or clinical information. A subset of patients also had their Social Security number exposed. Adirondack Health is part of Adirondacks Accountable Care Organization (ACO), which includes various different healthcare providers. For monitoring purposes and to help improve the quality of services provided to patients, ACO receives and analyzes certain patient information. ACO recently discovered an unauthorized individual had gained access to the email account of an employee. The breach was detected on March 4, 2019 and the account was immediately secured. The hacker had access to the account for a period of two days. ACO checked every email and attachment in the compromised account to determine whether any PHI had been exposed. There was only one item in the compromised...

Read More
Premera Blue Cross Settles Multi-State Action for $10 Million
Jul12

Premera Blue Cross Settles Multi-State Action for $10 Million

Premera Blue Cross has agreed to a $10 million settlement to resolve a multi-state data breach lawsuit involving 30 state attorneys general. The settlement resolves alleged violations of state and federal laws that contributed to its 10.4 million record data breach in 2014. A hacker gained access to Premera Health’s network on May 5, 2014 and remained undetected until March 6, 2015. For almost a year the hacker had access to highly sensitive plan member information such as names, contact information, dates of birth, member ID numbers, and Social Security numbers. Alabama, Alaska, Arizona, Arkansas, California, Connecticut, Florida, Hawaii, Idaho, Indiana, Iowa, Kansas, Kentucky, Louisiana, Massachusetts, Minnesota, Mississippi, Montana, Nebraska, Nevada, New Jersey, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Rhode Island, Utah, Vermont and Washington all participated in the lawsuit. Washington State Attorney General Bob Ferguson led the investigation and looked at the security vulnerabilities that had been exploited by the hacker to gain access to such a large amount of...

Read More
More than 1,000 Essential Health Patients Impacted by Nemadji Research Corporation Breach
Jul11

More than 1,000 Essential Health Patients Impacted by Nemadji Research Corporation Breach

Essentia Health, an integrated health system serving Minnesota, Wisconsin, North Dakota, and Idaho, is sending notifications to more than 1,000 patients alerting them to the exposure of some of their protected health information (PHI). Like many healthcare providers, Essentia Health works with a third-party vendor that provides billing services to help recover lost revenue. Those services were provided by a Bruno, MN-based billing services firm called Nemadji Research Corporation. Essentia Health provided Nemadji with certain types of PHI to allow the company to perform its contracted services. Essentia Health did not disclose exactly what types of information were exposed in the substitute breach notice posted on its website. On March 28, 2019, Nemadji discovered unusual activity in an employee’s email account. The investigation revealed the employee had fallen for a phishing scam and had disclosed login credentials to the attacker. The account was subjected to unauthorized access for a period of several hours before the account was deactivated. The subsequent investigation...

Read More
Phishing Attack on California Business Associate Impacts 14,591 DHS Patients
Jul10

Phishing Attack on California Business Associate Impacts 14,591 DHS Patients

Nemadji Research Corporation, doing business as California Reimbursement Enterprises, has announced an unauthorized individual has gained access to the email account of an employee and may have viewed or copied the protected health information (PHI) of its clients’ patients. California Reimbursement Enterprises is a business associate of several healthcare facilities and hospitals in California and provides patient eligibility and billing services. The company also provides services to the Los Angeles County Department of Health Services (DHS). A potential email account breach was detected on March 28, 2019 when IT staff identified unusual activity in an employee’s email account. Assisted by a third-party computer forensics expert, Nemadji determined the employee responded to a phishing email the same day and the attacker accessed the account for several hours. All emails in the account were checked and on June 5, 2019, Nemadji confirmed that patient information had been exposed and notifications were issued to affected business partners. The breached email account contained...

Read More
Sensitive Data Potentially Compromised in Tennessee Hospice Phishing Attack
Jul05

Sensitive Data Potentially Compromised in Tennessee Hospice Phishing Attack

Alive Hospice in Nashville, TN, a provider of end-of-life care, palliative care, bereavement support and community education in middle Tennessee, has announced that the email account of an employee was subjected to unauthorized access in May 2019. Around May 6, 2019, suspicious activity was detected in an employee’s email account. The password for the account was immediately changed and an investigation was launched into the cause of the breach. The investigation revealed the email account was compromised on May 4, 2019 and hackers had access to the email account for a period of two days. Only one email account was compromised. Unauthorized account access was confirmed, but no evidence was found to suggest any patient information was accessed or stolen. The types of information in emails and email attachments varied from patient to patient and may have included the following types of PHI in addition to a patient’s name: Date of birth, Social Security number, driver’s license number, financial account number, medical history, treatment information, prescription information, treating...

Read More
PHI of 10,893 Summa Health Patients Potentially Compromised in Phishing Attack
Jul04

PHI of 10,893 Summa Health Patients Potentially Compromised in Phishing Attack

Akron, Ohio-based Summa Health has discovered an unauthorized individual has gained access to four employee email accounts containing patients’ protected health information (PHI). Summa Health became aware of the breach on May 1, 2019 and launched an investigation that revealed 2 email accounts had been breached in August 2018, and a further two accounts between March 11, 2019 and March 29, 2019. All four accounts were immediately secured and a third-party computer forensics firm was hired to determine whether any patient information had been accessed or stolen. The firm found no evidence of data theft or PHI access, although it was not possible to rule out the possibility that patient information was compromised in the breach. An analysis of the compromised accounts revealed they contained the following types of PHI: Patient names, dates of birth, medical record numbers, patient account numbers, clinical information, and treatment information. In total, 10,893 patients were affected. A small subset of those patients also had their Social Security numbers and/or driver’s license...

Read More
Student Sues Hospital for Unauthorized Use of PHI as Teaching Tool
Jul04

Student Sues Hospital for Unauthorized Use of PHI as Teaching Tool

A medical student is suing Marshall University and Cabell Huntington Hospital over the impermissible disclosure of some of his protected health information (PHI) to a class of students. The student, who is identified as J.M.A in the lawsuit, claims his x-rays were used as a teaching tool by a professor at Marshall University Joan C. Edwards School of Medicine, but information identifying J.M.A. as the patient had not been removed or redacted from the images. The matter had been brought to the attention of the university by another faculty member. On April 15, 2018, the dean of the medical school wrote to J.M.A to inform him of the privacy violation. The university was unaware that the professor was using the image as a teaching tool. J.M.A. claims he has suffered shame, embarrassment, humiliation, and severe anxiety as a direct result of the disclosure of his identity. It is unclear how many people viewed J.M.A’s x-rays and how many of those individuals disclosed what they saw to others. J.M.A is represented by Troy N. Giatras, Matthew W. Stonestreet, and Phillip A. Childs of The...

Read More
2.9 Million Members Affected by Dominion National 9-Year PHI Breach
Jul03

2.9 Million Members Affected by Dominion National 9-Year PHI Breach

Dominion National, a Virginia-based insurer, health plan administrator, and administrator of dental and vision benefits, has experienced a data security incident involving the personal information of individuals connected to the services it provides. Hackers first gained access to its servers in 2010. Following an internal alert, Dominion National launched an internal investigation and determined on April 24, 2019 that its systems had been breached. A leading cybersecurity company performed a comprehensive forensic analysis and review of affected data and confirmed the sensitive information of current and former members of Dominion National and Avalon Vision plans may have been compromised along with the PHI of individuals who are members of health plans for which the company provides administration services for. Data relating to individuals affiliated with the organizations that the company administers dental and vision benefits for, plan producers, and participating healthcare providers were also potentially compromised. Unauthorized access to its systems first occurred on August...

Read More
UChicago Accused of Illegally Sharing Patient Data with Google
Jul01

UChicago Accused of Illegally Sharing Patient Data with Google

A lawsuit has been filed by a former patient of UChicago Medicine who claims his medical records – and those of hundreds of thousands of other patients – have been shared with Google without authorization. UChicago Medicine, UChicago Medical Center, and Google have been named in the lawsuit. The suit claims patient information was shared with Google as part of study aimed to advance the use of artificial intelligence, but patient authorization was not obtained in advance and data were not properly deidentified. In 2017, UChicago Medicine started sending patient data to Google as part of a project to look at how historical health record data could be used to predict future medical events. Patient data were fed into a machine learning system which attempted to make health predictions about patients. The HIPAA Privacy Rule does not prohibit such disclosures, but prior to patient health information being disclosed, patients must either give their consent or protected health information must first be de-identified – Stripped of the 18 identifiers that allow protected health information...

Read More
5 Million Records Exposed Due to Unsecured MongoDB Marketing Database
Jul01

5 Million Records Exposed Due to Unsecured MongoDB Marketing Database

A MongoDB database containing the personal records of around 5 million individuals has been left exposed on the internet. The database contained personal information and health data and belonged to MedicareSupplement.com, a website run by TZ Insurance Solutions which helps individuals find a Medigap insurance plan. Individuals looking for coverage can visit the website to find out more about suitable health plans and can obtain quotes by filling out an online form and entering their personal information. Researchers from Compariteh and security researcher Bob Diachenko discovered the database on May 13, 2019. The marketing database contains information such as name, address, telephone number, email address, IP address, date of birth, gender, and information relating to health, life, auto, and supplemental insurance.  Around 239,000 records included the area of insurance interest. It is unclear for how long the database was exposed, but it was indexed by the search engine BinaryEdge on May 10, 2019. The researchers reported the breach to MedicareSupplement.com but no response was...

Read More
2,200 Franciscan Health Patients Notified of Unauthorized PHI Access by Employee
Jun26

2,200 Franciscan Health Patients Notified of Unauthorized PHI Access by Employee

Mishawaka, IN-based Franciscan Health has discovered the protected health information of approximately 2,200 patients has been accessed by a former employee without authorization. The privacy violation was discovered during a routine privacy audit. Franciscan Health announced that it was confirmed on May 24, 2019 that an employee in the quality research department had accessed the electronic medical records of patients without authorization and with no legitimate work reason for doing so. The individual concerned is no longer employed by Franciscan Health and the matter has been reported to law enforcement. While unauthorized PHI access was confirmed, Franciscan Health found no evidence to suggest that the employee copied, transmitted, or disclosed any patient information. Patient information was stored in Franciscan Health’s medical record system, which has been in use since 2012. Through that system, the former employee accessed patient records containing information such as names, addresses, email addresses, dates of birth, phone numbers, gender information, race/ethnicity, last...

Read More
Ransomware Attacks Reported by California and Illinois Clinics
Jun24

Ransomware Attacks Reported by California and Illinois Clinics

Patients of Quantum Vision Centers and Eye Surgery Center in Illinois are being notified that some of their protected health information may have been compromised in an April 2019 ransomware attack. An unauthorized individual gained access to certain Quantum systems and deployed ransomware on April 18, 2019. The ransomware encrypted files, some of which contained information such as names, dates of birth, addresses, health insurance information, and Social Security numbers. A third-party computer forensics firm has been hired to help determine the nature and scope of the attack. The investigation is ongoing, but it is believed that the malware was not used to steal any patient information. The sole purpose of the attack appears to have been to extort money from the business. Encrypted files are now being recovered and backup measures have been implemented to ensure services can continue to be provided to patients, albeit with some disruption. It is currently unclear exactly how many patients have been affected. Affected individuals have been offered one year of credit monitoring...

Read More
Phishing Attacks Reported by Broome County, NY and UMassMemorial Community Healthlink
Jun21

Phishing Attacks Reported by Broome County, NY and UMassMemorial Community Healthlink

Broome County in New York has started notifying 7,048 individuals that some of their protected health information (PHI) was compromised in a phishing attack on county employees. Broome County officials learned about the attack on January 2, 2019 when it was discovered that an employee’s direct deposit account information had been changed. An investigation was immediately launched which revealed ‘numerous’ Broome County email accounts had been compromised as a result of responses to phishing emails. Further, an unauthorized individual had also gained access to employees’ PeopleSoft accounts. A computer forensics expert was hired to assist with the investigation and determine how and when access to the accounts was first gained. That investigation revealed the first accounts were compromised on November 20, 2018 and further accounts were compromised up to January 2, 2019. Employee direct deposit information has been checked and all emails and email attachments in the compromised accounts have been analyzed. Broome County says multiple county departments were affected, including the...

Read More