Our HIPAA breach news section covers HIPAA breaches such as unauthorized disclosures of protected health information (PHI), improper disposal of PHI, unauthorized PHI access by cybercriminals and rogue healthcare employees, and other security and privacy breaches.

When known, we explain how the breach occurred, the consequences to patients that may have had their PHI compromised, and the actions being taken by the affected healthcare organization to improve safeguards to prevent further HIPAA breaches.

We also explain any actions being taken by the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) and state attorneys general in relation to those breaches.

OCR investigates all data breaches that impact more than 500 individuals to determine whether any HIPAA violations have occurred. When HIPAA Rules are discovered to have been violated, financial penalties may be deemed appropriate. It can take many months or years before any financial penalties for HIPAA breaches are decided. Financial penalties for HIPAA violations tend to be reserved for the most serious breaches of HIPAA Rules. OCR prefers to resolve cases with voluntary compliance and by issuing recommendations to bring policies in line with HIPAA Rules.

The HIPAA breach news section is particularly relevant to healthcare information security professionals, privacy officers, and other individuals who have some responsibility for HIPAA compliance.

The HIPAA breach news reports highlight common areas of non-compliance and new attack vectors used by cybercriminals to gain access to healthcare networks and PHI, the security failings that allowed them to happen, and the measures that have been implemented to prevent them from happening again.

No healthcare organization wants to experience a data breach, but when a breach does occur, lessons can be learned. HIPAA-covered entities can use these breach examples to help train their staff as well as to discover some of the methods other covered entities have adopted to improve data security.

As you will be able to see from the volume of posts in the HIPAA breach news category, healthcare data breaches occur frequently. In 2016 and 2017, healthcare data breaches have been reported on an almost daily basis.

Our HIPAA breach news section is an important source of information about potential security issues that covered entities should be identifying when conducting their own risk assessments. Many of the situations in our HIPAA breach news posts could have been avoided if a risk assessment had identified a vulnerability that was later exploited to gain access to PHI.

The main purpose for adding HIPAA breach news to this website is to highlight specific aspects of HIPAA compliance that are commonly overlooked, often with serious consequences for the covered entity and patients/health plan members.

By raising awareness of the volume of healthcare data breaches, the implications of those breaches, and the penalties that can result, it is hoped that healthcare providers will take decisive action to prevent their patients’ and members’ data from being exposed.

The most recent healthcare data breach reports are listed below. If you want to find out if a specific covered entity has experienced a data breach, please use the search function in the top right hand corner of this webpage.

Lawsuit Alleges Hospital Worker Disclosed Information about Woman’s Sexual Assault to her Attacker
May 13

A lawsuit has been filed against Atchison Hospital in Kansas by a rape victim who alleges an X-ray technician at the hospital contacted her attacker and disclosed sensitive information about the treatment she received at the hospital. According to the Kansas City Star, after being raped, the woman sought treatment at the hospital. She underwent a rape kit examination, and allegedly made it clear to the hospital that she did not want her health information to be disclosed to third parties. Despite being against the patient’s wishes and a violation of the HIPAA Privacy Rule, information about the examination was disclosed to her attacker by a female X-ray technician at the hospital. The X-ray technician also told the man that he had been accused of sexually assaulting the patient. Following the disclosure, the man repeatedly harassed and threatened the patient by phone and text message over the following weeks. In addition to receiving a barrage of abuse from her attacker, the lawsuit claims the woman was also harassed by hospital staff. A complaint was filed with the hospital over...

Phishing Attack Reported by Verity Health’s St. Vincent Medical Center
May 9

St. Vincent Medical Center, a part of Verity Health System, has discovered a web email account has been compromised as a result of a response to a phishing email. The breach occurred on March 15, 2016 and involved the email account of a hospital pathologist. The account compromise was detected on March 26 and the account was secured within hours. During the time that the unauthorized individual had access to the account, it was used to send phishing emails to internal and external email addresses. Those messages contained malicious attachments and hyperlinks. According to a substitute breach notice provided to the California Attorney General, no other employee accounts were breached as a result of misuse of the email account. While the intention of the attacker appears to have been to obtain login credentials to other email accounts, during the time that the account was accessible, full access to emails, folders, and email attachments was possible. The investigation into the breach could not confirm whether any patient information in emails and email attachments had been accessed...

Phishing Attack Impacts 1,100 Spectrum Health Lakeland Patients
May 9

For the second time in the space of two months, Spectrum Health Lakeland has announced that a breach has exposed the protected health information (PHI) of some of its patients. The previous breach occurred at Wolverine Services Group and impacted around 60,000 of its patients. The latest incident involved an unauthorized individual gaining access to an email account as the result of a response to a phishing email. As with the last breach, the incident occurred at a business associate. OC, Inc., a provider of billing services, discovered an unauthorized individual had gained access to an email account of one of its employees. The email account was discovered to contain the PHI of approximately 1,100 Spectrum Health Lakeland patients. OS Inc. discovered a potential breach on December 21, 2018 after suspicious activity was detected within an employee email account. A third-party computer forensics expert was hired to assist with the investigation and found no evidence to suggest that any PHI in emails and attachments had been accessed or stolen. However, it was not possible to rule...

Key Findings of the 2019 Verizon Data Breach Investigations Report
May 8

Today sees the release of the 2019 Verizon Data Breach Investigations Report. This is the 12th edition of the report, which contains a comprehensive summary of data breaches reported by public and private entities around the globe. The extensive report provides in-depth insights and perspectives on the tactics and techniques used in cyberattacks and detailed information on the current threat landscape. The 2019 Verizon Data Breach Investigations Report is the most comprehensive report released by Verizon to date and includes information from 41,686 reported security incidents and 2,013 data breaches from 86 countries. The report was compiled using data from 73 sources. The report highlights several data breach and cyberattack trends. Some of the key findings of the report are detailed below:

- C-Suite executives are 12 times more likely to be targeted in social engineering attacks than other employees
- Cyber-espionage related data breaches increased from 13% of breaches in 2017 to 25% in 2018
- Nation-state attacks increased from 12% of attacks in 2017 to 23% in 2018
- Financially motivated...

American Indian Health & Services and Madison Parish Hospital Discover Impermissible PHI Disclosures by Employees
May 8

American Indian Health & Services, the operator of a community health clinic in Santa Barbara, CA, has discovered a former employee forwarded emails containing the sensitive data of certain employees, patients, and vendors to a personal email account, in violation of HIPAA Rules. The incident was detected on March 7, 2019. An analysis of the email account revealed the former employee, who was employed at the clinic at the time, had forwarded emails to her personal email account between March 26 and February 6, 2019. The emails contained names, billing information, provider names and locations, dates of service, amounts paid/owed for services provided, health insurance and payor information, and Medicare/Medicaid and/or Medical numbers. The incident has been reported to law enforcement, state, and federal regulators and affected individuals have been notified by mail. No reports of misuse of patient information have been received to date, but as a precaution against identity theft and fraud, affected individuals have been offered 12 months of credit monitoring and identity theft...

Ransomware Attack Reported by American Baptist Homes of the Midwest
May 8

American Baptist Homes of the Midwest (ABHM), a provider of assisted living and assisted care facilities throughout the U.S. Midwest, has reported a security breach involving the use of ransomware on its network. The attack commenced on or around March 10, 2019. The attack was detected promptly, but only after the encryption routine had commenced. The attack was stopped and affected accounts were secured, but not in time to prevent widespread file encryption. The files encrypted by the ransomware contained the records of many ABHM clients. ABHM’s clinical and billing systems were not affected, only general file systems and email accounts. The attack is believed to have been conducted with the sole purpose of extorting money from ABHM, although due to the nature of the access gained to install the ransomware, unauthorized accessing of protected health information could not be ruled out. No evidence of data theft or misuse of PHI has been found to date. The types of information stored on the compromised servers and systems included individuals’ names and addresses in combination with the...

3,193 Employees and Dependents Affected by Bodybuilding.com Data Breach
May 7

The bodybuilding and personal fitness website Bodybuilding.com has announced it has experienced a security incident that may have resulted in the information of customers and employees being accessed by unauthorized individuals. While the breach affecting customers was not a reportable incident under HIPAA, HIPAA does cover group health plans. As such, bodybuilding.com was required to report the breach of group members’ PHI to the Office for Civil Rights. The breach was discovered in February 2019 when suspicious activity was detected on its network. A formal breach investigation was launched which revealed access to the network was gained as a result of an employee falling for a phishing scam. While the data of customers and employees is not believed to have been obtained by unauthorized individuals as a result of the phishing attack, the possibility could not be ruled out. The breach has now been resolved and its systems have been secured. A forced password reset was performed for all users of the website as a precaution. For customers, the information potentially obtained was...

Touchstone Medical Imaging Fined $3 Million by OCR for Extensive HIPAA Failures
May 6

The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced a settlement has been reached with the Franklin, TN-based diagnostic medical imaging services company, Touchstone Medical Imaging. The settlement resolves multiple violations of HIPAA Rules discovered by OCR during the investigation of a 2014 data breach. Touchstone Medical Imaging has agreed to a settlement of $3,000,000 to resolve the violations and will adopt a corrective action plan (CAP) to address its HIPAA compliance issues. The high settlement amount reflects widespread and prolonged noncompliance with HIPAA Rules. OCR alleged 8 separate violations across 10 HIPAA provisions. The settlement resolves the HIPAA case with no admission of liability. On May 9, 2014, Touchstone Medical Imaging was informed by the FBI that one of its FTP servers was accessible over the Internet and allowed anonymous connections to a shared directory. The directory contained files that included the protected health information (PHI) of 307,839 individuals. As a result of the lack of access controls, files had...

Mailing Error Sees Inmediata Breach Notification Letters Sent to Incorrect Addresses
May 3

Following a security incident that resulted in the exposure of PHI, Inmediata sent notification letters to affected individuals. However, several individuals have reported receiving notification letters in the mail addressed to other people. The incident that prompted the notifications involved a webpage used internally by Inmediata employees that had been accidentally configured to allow it to be indexed by search engines. Consequently, the webpage could be found using Internet searches and the PHI of its customers’ patients could be accessed. The forensic investigation did not find evidence to suggest the webpage was subjected to unauthorized access during the time it was accessible online; however, the possibility could not be ruled out. Through the webpage, unauthorized individuals could have accessed the following information: patients’ names, addresses, dates of birth, gender, doctors’ names, and medical claim information. A small number of individuals also had their Social Security number exposed. Inmediata started sending notification letters to affected individuals on April 22, 2019...

Class Action Lawsuit Filed Over Baystate Health Phishing Attack
May 1

In February 2019, Baystate Health experienced a phishing attack that resulted in the exposure of the protected health information (PHI) of 12,000 patients. On April 11, a class action lawsuit was filed on behalf of individuals affected by the breach. The lawsuit was filed by attorney Kevin Chrisanthopoulos in the U.S. District Court in Springfield, MA, three days after Baystate Health announced the breach. The lawsuit alleges plaintiffs now face an elevated risk of identity theft and fraud as a result of the phishing attack and seeks monetary damages for all patients whose PHI was exposed. Upon discovery of the breach, Baystate Health secured its email system and launched an investigation. The investigation revealed the email accounts of nine employees had been compromised as a result of employees responding to phishing emails. The email accounts were subjected to unauthorized access and, as a result, the attacker(s) potentially gained access to patients’ PHI. For most patients, the information exposed was limited to names, birth dates, diagnoses, treatment information, and...

24,000 Patients Impacted by New Jersey Ransomware Attack
Apr 30

Paramus, NJ-based orthopedic surgeon, Ronald Snyder, M.D., has learned that an office server containing patient billing information has been compromised and encrypted by ransomware. The attack took place on January 9, 2019 and prevented office staff from accessing patient files. The server was backed up regularly so it was possible to quickly restore almost all files that had been rendered inaccessible without having to pay any ransom demand. Third-party computer forensics consultants were brought in to assist with the investigation, but it was not possible to determine whether patient information had been accessed due to damage caused by the attack. No evidence was uncovered to suggest the attack was conducted as part of an attempt to gain access to patient information, although it was not possible to rule out data access. Consequently, all patients affected by the breach have been notified by mail. The following types of information were stored in files on the server: Names, addresses, dates of birth, genders, co-pay amounts, patient statuses, employment statuses, telephone...

Three Healthcare Phishing Incidents Result in Exposure of 10,000 Patient Records
Apr 30

National Seating and Mobility, Partners for Quality, and Alana Healthcare have all recently started notifying patients that their protected health information has been exposed as a result of phishing incidents.

3,673 Clients Impacted by Partners For Quality Phishing Attack

Partners For Quality, Inc., (PFQ), a provider of services and support for individuals with intellectual and developmental disabilities, discovered unusual activity within certain employee email accounts on February 19, 2019. Assisted by a third-party computer forensics company, PFQ determined that three email accounts had been accessed by an unauthorized individual between January 19 and February 27, 2019. Further analysis of the compromised email accounts revealed they contained the sensitive information of clients and employees. Clients affected by the breach had previously received services from PFQ, Allegheny Children’s Initiative Inc., Citizen Care Inc., Exceptional Adventures, or Milestone Centers Inc. A wide range of highly sensitive protected health information was stored in the compromised email accounts...

HHS Changes HITECH Act Penalties for HIPAA Violations
Apr 29

The Department of Health and Human Services has issued a notification of enforcement discretion regarding the civil monetary penalties that are applied when violations of HIPAA Rules are discovered. The HHS has reduced the maximum financial penalty for HIPAA violations in three of the four penalty tiers. The Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 increased the penalties for HIPAA violations. The new penalties were based on the level of knowledge a HIPAA covered entity or business associate had about the violation and whether action was voluntarily taken to correct any violations. The 1st penalty tier applies when a covered entity or business associate is unaware that HIPAA Rules were violated and, by exercising a reasonable level of due diligence, would not have known that HIPAA was being violated. The 2nd tier applies when a covered entity knew about the violation or would have known had a reasonable level of due diligence been exercised, but when the violation falls short of willful neglect of HIPAA Rules. The 3rd penalty tier applies...

The Most Common HIPAA Violations You Should Be Aware Of
Apr 26

The most common HIPAA violations that have resulted in financial penalties are the failure to perform an organization-wide risk analysis to identify risks to the confidentiality, integrity, and availability of protected health information (PHI); the failure to enter into a HIPAA-compliant business associate agreement; impermissible disclosures of PHI; delayed breach notifications; and the failure to safeguard PHI. The settlements pursued by the Department of Health and Human Services’ Office for Civil Rights (OCR) are for egregious violations of HIPAA Rules. Settlements are also pursued to highlight common HIPAA violations to raise awareness of the need to comply with specific aspects of HIPAA Rules. This article covers five of the most common HIPAA violations that have resulted in settlements with covered entities and their business associates over the past few years.

Are Data Breaches HIPAA Violations?

Data breaches are now a fact of life. Even with multi-layered cybersecurity defenses, data breaches are still likely to occur from time to time. OCR understands that healthcare...

Medical Billing Service Provider Suffers Ransomware Attack 7 Months After Computer Breach
Apr 26

Doctors’ Management Service Inc., a Massachusetts-based provider of medical billing services, discovered on December 24, 2018 that malicious software had been downloaded to its network which prevented files from being accessed. An investigation into the security incident was initiated which determined GandCrab ransomware had been deployed. Files were recovered from backups and no ransom was paid. The investigation also revealed that the individual responsible for installing the ransomware had first gained access to its systems on April 1, 2017, 7 months before the ransomware was deployed. Access to the network was gained via Remote Desktop Protocol (RDP) on one of its workstations. Parts of the network that were subjected to unauthorized access contained the protected health information of patients of its clients, which included names, addresses, dates of birth, Social Security numbers, insurance information, Medicare/Medicaid ID numbers, driver’s license numbers, and some diagnostic information. The attack appeared to have been timed to ensure the attack would not be immediately...

Email Hacking Incidents Result in Exposure of 8,600 Patients’ PHI
Apr 25

Three more healthcare organizations have discovered unauthorized individuals have gained access to the email accounts of employees and potentially accessed patients’ protected health information. In total, across the three incidents, the PHI of 8,635 patients has been exposed.

PHI of 5,319 Patients of Center for Sight and Hearing Exposed

Rockford, IL-based Center for Sight and Hearing discovered on January 23, 2019 that an unauthorized individual had gained access to the email account of an employee. The investigation revealed the account was compromised on January 18 and the account contained the PHI of 5,319 patients. A third-party computer forensics company confirmed on February 21, 2019 that names, addresses, and scheduling information were contained in the compromised account. To improve security, Center for Sight and Hearing has implemented a new password management system and multi-factor authentication.

2,290 Patients Notified About Harbor Behavioral Health Phishing Attack

Harbor Behavioral Health, a network of counselling and mental health treatment centers in Northwest...

Washington State University Settles Class Action Data Breach Lawsuit for $4.7 Million
Apr 23

A $4.7 million settlement has recently been approved by the King County Superior Court to reimburse individuals whose personal information was stolen from Washington State University in April 2017. Washington State University had backed up personal information on portable hard drives which were stored in a safe in a self-storage locker. On April 21, 2017, the university discovered a break-in had occurred at the storage facility and the safe had been stolen. The hard drives contained the sensitive personal information of 1,193,190 individuals. Most of the files on the hard drives were not encrypted. The drives contained the types of information sought by identity thieves: Names, contact information, and Social Security numbers, in addition to health data of patients, college admissions test scores, and other information. The information dated back around 15 years and had been collected by the WSU Social and Economic Sciences Research Center for a research project. While the hard drive was stolen, Washington State University maintains there are no indications any data stored on the...

Unsecured Database of Addiction Service Provider Potentially Contained Records of 145,000 Patients
Apr 23

A database containing highly sensitive information of patients who had previously sought treatment for addiction at rehabilitation centers has been discovered to be freely accessible over the internet. The database contained approximately 4.91 million records which related to an estimated 145,000 patients of the Levittown, PA-based addiction rehabilitation service provider Steps to Recovery. The unsecured database was discovered on March 24, 2019 by Justin Paine, Director of Trust and Safety at Cloudflare. Following the discovery, Paine notified Steps to Recovery and its hosting provider on March 24. No reply was received from Steps to Recovery, but its hosting company made contact and the database has now been secured and is no longer accessible online. Paine had performed a search on the Shodan search engine to identify unsecured databases and devices. According to Paine, the ElasticSearch database contained two indexes which included more than 1.45 GB of data. The information could be accessed by anyone over the internet without the need for any authentication. The database was...

60,000 Records Exposed in EmCare Phishing Attack
Apr 23

The Dallas, TX-based physician staffing company EmCare has announced that it has suffered a data breach that has impacted approximately 60,000 individuals, 31,000 of whom were patients. The exposed information was detailed in emails and email attachments in employee email accounts that were accessed by an unauthorized individual after several employees responded to phishing emails and disclosed their email credentials. It is unclear from EmCare’s breach notice when the breach occurred and how long the attackers had access to email accounts. The breach was discovered on February 19, 2019. An investigation was launched and, assisted by a third-party computer forensics company, it was discovered that the compromised email accounts contained information about patients, employees, and contractors. The following information was saved in email accounts and was potentially accessed or copied by the attackers: names, dates of birth, driver’s license numbers, Social Security numbers, demographic information, and clinical information. The investigation did not uncover evidence to suggest...

Klaussner Furniture Industries Discovers Health Plan Data of 9,352 Employees Has Potentially Been Compromised
Apr 19

The protected health information of 9,352 current and former employees of Klaussner Furniture Industries, Inc., and some dependents of those employees, has been exposed as a result of a security breach. In February 2019, Klaussner Furniture learned that computers had been accessed by unauthorized individuals. A leading cybersecurity firm was retained to conduct a forensic investigation, which confirmed that two computers had been accessed by an unauthorized third party. An analysis of the computers revealed they contained files that included first and last names, dates of birth, addresses, Social Security numbers, health benefit election(s), and some health information. No evidence was found that suggests employee information was accessed, copied, or misused, although it was not possible to rule out data access and exfiltration. Individuals whose information was exposed had either worked at the company in 1998 or were employed at some point between 2004 and February 25, 2019. The sensitive information of dependents of those employees was only exposed if they had been listed on...

Centrelake Medical Group Discovers Servers Compromised and Virus Deployed
Apr 18

Centrelake Medical Group, a network of 8 medical imaging and oncology centers in California, is notifying certain patients that some of their protected health information has been exposed as a result of a computer virus. The computer virus was discovered in February 2019 when it prevented the medical group from accessing its files. The virus appears to be a form of ransomware, although no mention of ransomware or a ransom demand was made in the media notice issued by Centrelake. Centrelake retained a computer forensics company to assist with the investigation to determine the scope of the attack and whether any files containing protected health information had been accessed or copied. The investigation revealed an unauthorized individual had gained access to its servers on January 9, 2019. Prior to deploying the virus on February 19, 2019, the unauthorized individual was able to access the servers undetected. It is not unusual for ransomware to be installed on systems after hackers have breached security defenses. In some cases, ransomware is deployed after the system has been...

11,639 Individuals Impacted by Riverplace Counseling Center Malware Attack
Apr 18

Riverplace Counseling Center in Anoka, MN, has discovered malware has been installed on its systems which may have allowed unauthorized individuals to gain access to patients’ protected health information. The malware infection was discovered on January 20, 2019. The counseling center engaged an IT firm to conduct a forensic analysis, remove the malware, and restore its systems from backups. The analysis was completed on February 18, 2019. The IT firm did not find evidence that suggested patient information had been subjected to unauthorized access or had been copied, but data access and PHI theft could not be totally ruled out. The types of information stored on the affected systems included names, addresses, dates of birth, health insurance information, Social Security numbers, and treatment information. Affected individuals were notified about the data breach on April 11, 2019 and have been offered identity theft monitoring services via Kroll for 12 months at no cost. No reports have been received to date to suggest any patients’ PHI has been misused. Riverplace Counseling...

Clearway Pain Solutions Institute Discovers Unauthorized EMR System Access
Apr 18

Gulf Coast Pain Consultants, dba Clearway Pain Solutions Institute, has discovered its EMR system has been accessed by an unauthorized individual. An investigation was launched following the discovery of the breach on February 20, 2019. The investigation revealed the individual accessed a range of patient information. The types of information that were accessed included patients’ names, telephone numbers, home addresses, email addresses, dates of birth, Social Security numbers, health insurance information, name of referring provider, and demographic information. Clinical information contained in medical records could not be accessed and no financial information was exposed. Unauthorized access to the system has now been blocked, a full review of all EMR accounts has been conducted, and access levels and EMR system activity have been validated for all user accounts. A review of policies and procedures is being conducted with regard to the accessing of patient information and updates will be made as appropriate. All patients affected by the breach are now being notified and are...

Read More
Blue Cross of Idaho Website Hacked and Attempts Made to Reroute Payments
Apr 17

Blue Cross of Idaho has discovered its website was hacked and an unauthorized individual gained access to its member portal and viewed the protected health information of some of its members. Blue Cross of Idaho is one of the largest health insurers in the state and serves approximately 560,000 Idahoans. Blue Cross of Idaho’s executive vice president Paul Zurlo said the breach affected around 1% of its members, around 5,600 individuals. (Update 05/03/2019: The HHS breach portal indicates 6,045 individuals have been affected.) The website security breach occurred on March 21, 2019 and was discovered the following day. During the time that portal access was possible, the hacker accessed provider remittance documents and attempted to reroute provider financial transactions. Upon discovery of the breach, Blue Cross of Idaho terminated the unauthorized access and secured its portal to prevent financial fraud and further access to documents. The incident was reported to the FBI and the investigation remains open. The health insurer is working with internal and external...

Metrocare Services Suffers Second Phishing Attack in Two Months
Apr 17

Metrocare Services, a provider of mental health services in North Texas, has experienced a phishing attack in which the email accounts of several employees were accessed by an unauthorized individual. The breach was detected on February 6, 2019 and the affected email accounts were rapidly blocked to prevent further access. The investigation revealed the accounts were first compromised in January 2019. An analysis of the affected accounts revealed they contained the protected health information of 5,290 patients. Patients were notified on April 5, 2019 that the following information could potentially have been accessed as a result of the attack: name, date of birth, driver’s license information, health insurance information, health information related to the services provided by Metrocare, and for certain patients, Social Security numbers. The breach investigation did not uncover any evidence to suggest emails containing ePHI had been accessed or copied, but ePHI access and theft could not be ruled out. Individuals whose Social Security number was exposed have been offered free access...

Health Recovery Services Notifies 20,485 Patients About Potential PHI Breach
Apr 16

Health Recovery Services, an Athens, OH-based provider of alcohol and drug addiction services, is notifying 20,485 patients that some of their protected health information may have been accessed by an unauthorized individual. On February 5, 2019, Health Recovery Services discovered that an unauthorized IP address had remotely accessed its computer network. Network and information systems were taken offline to prevent further access and a forensic expert was retained to conduct an investigation to determine the nature and scope of the breach. On March 15, 2019, the forensic investigator determined that the IP address first accessed the network on November 14, 2018 and access remained possible until February 5. No evidence was uncovered to suggest any patient information was accessed or copied, although the possibility of data access and theft could not be totally ruled out. Patients whose protected health information was exposed have been notified by mail ‘out of an abundance of caution’. The types of patient information contained in files on the compromised server included names,...

March 2019 Healthcare Data Breach Report
Apr 15

In March 2019, healthcare data breaches continued to be reported at a rate of one a day. 31 healthcare data breaches were reported to the HHS’ Office for Civil Rights by HIPAA-covered entities and their business associates. The March total is almost 14% higher than the average of the past 60 months. The number of reported breaches fell by 3.12% month over month and there was a 56.79% decrease in the number of breached healthcare records. March saw the healthcare records of 912,992 individuals exposed, impermissibly disclosed, or stolen as a result of healthcare data breaches.

Causes of March 2019 Healthcare Data Breaches

The HHS’ Office for Civil Rights groups hacking together with other IT incidents such as malware and ransomware attacks. This category dominated the breach reports in March with 19 incidents reported. Hacking/IT incidents accounted for 88.40% of all compromised records (807,128 records). There were 8 unauthorized access/disclosure incidents reported in March, in which 81,904 healthcare records were impermissibly accessed or disclosed. There were also four theft...

Minnesota DHS Suffers Another Phishing Attack: State IT Services Struggling to Cope with Barrage of Attacks
Apr 12

The Minnesota Department of Human Services (DHS) has discovered another employee email account was compromised as a result of a phishing attack. The latest incident has only just been reported, although the breach occurred on or before March 26, 2018.

Three Phishing Attacks: 31,800 Records Exposed

The breach is in addition to two other phishing attacks that saw email accounts compromised in June and July of 2018. Those attacks were announced in October 2018 and resulted in the exposure of 20,800 Minnesotans’ PHI. The March 26 email account compromise saw the PHI of 10,263 Minnesotans exposed. The March phishing attack allowed the attacker to gain access to the email account of an employee of the Direct Care and Treatment Administration. Emails were then sent from that account to co-workers requesting that wire transfers be made. The email requests were flagged as suspicious and were reported to MNIT, which secured the account. No wire transfers were made. During the time that the account was accessible, the attacker potentially accessed emails in the account which included...

PHI of 17,531 Patients Potentially Compromised in Business Associate Phishing Attack
Apr 10

Women’s Health USA Inc., an Avon, CT-based business associate that provides a range of practice management services to healthcare organizations, has experienced a phishing attack that resulted in the exposure of patients’ protected health information. An investigation was launched following the discovery of suspicious activity within certain employee email accounts. The affected email accounts were secured, and a leading cybersecurity firm was engaged to assist with the investigation and determine the nature and extent of the breach. The investigation confirmed that the email accounts of two employees had been accessed by unauthorized individuals as a result of the employees responding to phishing emails and disclosing their email credentials. The first email account breach occurred on April 5, 2018 and the second account was breached on August 13, 2018. A review of the emails and email attachments in the accounts revealed they contained a limited amount of protected health information. The exposed information varied from patient to patient but may have included name, date of...

PHI of 23,811 Palmetto Health Patients Exposed in Phishing Attack
Apr 10

Palmetto Health, now Prisma Health, has experienced a phishing attack that resulted in several email accounts being accessed by unauthorized individuals. Emails were sent to Palmetto Health employees which contained a malicious hyperlink. When the link in the emails was clicked, employees were directed to a realistic-looking web page where they were required to enter their email credentials. Doing so disclosed those credentials to the attackers, who used them to gain access to the email accounts. A third-party computer forensics firm was retained to conduct an investigation into the breach to determine the nature and extent of access and whether any patients’ protected health information had been accessed or obtained. The forensics firm determined that the first of the email accounts was compromised in November 2018. The review process took some time to complete as emails had to be manually checked to determine whether they contained any protected health information. The review process was completed on February 19, 2019 and revealed the protected health information of...

12,000 Patients of Baystate Health Notified of PHI Exposure Due to Phishing Attack
Apr 09

Massachusetts-based Baystate Health has experienced a phishing attack that resulted in the exposure of the protected health information of approximately 12,000 patients. Several employee email accounts were compromised between February 7 and March 7, 2019. The phishing attacks were identified during the same time frame and in each case, the compromised email accounts were immediately secured. A third-party computer forensics firm was engaged to assist with the investigation. An analysis of the compromised email accounts revealed they contained patients’ names, dates of birth, diagnoses, treatment information, medications and, in some cases, Social Security numbers, health insurance information, and Medicare numbers. All patients whose protected health information was potentially accessed as a result of the attack were notified by mail on April 5. Patients whose Social Security number was exposed have been offered one year of credit monitoring and identity theft protection services without charge. Those services have been offered as a precaution. No evidence has been uncovered...

Hardin Memorial Health Cyberattack Results in EHR Downtime
Apr 09

Hardin Memorial Health in Kentucky has experienced a cyberattack which caused disruption to its IT systems and EHR downtime. The cyberattack started on the evening of Friday April 5. A statement issued by a spokesperson for the health system confirmed that IT systems were disrupted as a result of a security breach. Details of the cyberattack have not yet been released, so it is unclear whether this was a hacking incident or a malware or ransomware attack. The health system has been working round the clock to restore affected systems and servers. Hardin Memorial Health’s IT team has already brought most IT systems back online and has restored access to its EHR system in some units. Despite the lack of access to its EHR system, business continued as usual and the hospital did not have to cancel appointments. All 50 of its locations remained open. “At no time during this event has the quality and safety of patient care been affected,” said HMH Vice President and Chief Marketing and Development Officer, Tracee Troutt. Upon discovery of the security breach, emergency procedures were...

Emotet Malware Potentially Exfiltrated PHI of Oregon Endodontic Group Patients
Apr 08

Oregon Endodontic Group has discovered malware was installed on an office computer which potentially exported data contained in the office’s email account. On November 13, 2018, Oregon Endodontic Group detected suspicious activity within an email account used at its offices. A third-party forensic firm was engaged to assist with the investigation and identify the nature and scope of the security breach. The firm confirmed that a malware variant called Emotet had been downloaded onto an office computer. Emotet is a banking Trojan that is capable of exfiltrating data contained in email accounts. The computer forensics firm could not confirm whether any email data had been exfiltrated, but the possibility could not be ruled out. The email account concerned was analyzed to determine whether it contained any protected health information. The analysis was completed on February 11, 2019. The types of information contained in the account were limited to names along with one or more of the following data elements: date of birth, diagnosis information, treatment information, and health...

1,600 Ohio Patients Notified of Impermissible PHI Disclosure
Apr 08

993 Ohioans who receive benefits from Medicaid or the Ohio Department of Job and Family Services (ODJFS) are being notified that some of their protected health information was disclosed to unauthorized individuals as a result of computer errors. Three separate incidents were identified. On February 16, 2019, a computer error caused a limited amount of protected health information (PHI) of 250 users of the Ohio Benefits Self-Service Portal to appear in another user’s account. The error was identified and corrected the same day. Two further incidents occurred on March 20, 2019. A computer error caused information entered into the Ohio Benefits portal to be saved to incorrect accounts. The computer error has been temporarily fixed and a permanent solution is being developed to prevent any recurrences. As many as 100 individuals were affected. 608 ODJFS benefit recipients, 34 recipients of Medicaid benefits, and one individual who received both types of benefits had some of their PHI mailed to 5 different people as a result of a computer error. The computer error was corrected on...

Phishing Attack Impacts 14,305 Patients of Main Line Endoscopy Centers
Apr 04

Main Line Endoscopy Centers, a network of outpatient endoscopy facilities in the Malvern, Bala Cynwyd, and Media regions of Pennsylvania, has discovered an unauthorized individual gained access to the email account of one of its employees after the employee responded to a phishing email. It is not clear exactly when the account was breached, but it was discovered by Main Line on January 30, 2019. A leading computer forensics firm was retained to assist with the investigation and determine which, if any, emails in the account had been opened and whether any patient information had been compromised. The investigation confirmed that the attackers potentially gained access to the protected health information of certain patients, which included names, dates of birth, and limited clinical information. Some patients also had their Social Security number, driver’s license number, and/or health insurance information exposed. All patients affected by the breach were sent breach notification letters on March 29, 2019 and individuals whose Social Security number or driver’s license number were...

Michigan Practice Forced to Close Following Ransomware Attack
Apr 02

A ransomware attack can prove costly to resolve, and one Michigan practice decided that cost was not worth paying: it has now permanently closed its doors. The ransomware encrypted the system at Brookside ENT and Hearing Center in Battle Creek which housed patient records, appointment schedules, and payment information, rendering the data inaccessible. The attackers claimed to be able to provide a key to unlock the encryption, but demanded a payment of $6,500 for it. The two owners of the practice, William Scalf, MD and John Bizon, MD, decided not to pay the ransom as there was no guarantee that a valid key would be supplied and, after paying, the attackers could simply demand another payment. Since no payment was made, the attackers deleted all files on the system, ensuring no information could be recovered. The partners decided to take early retirement rather than rebuild their practice from scratch. The FBI was alerted to the security incident and explained that this appeared to be an isolated attack. No patient data appeared to...

Lawsuit Alleges Sharp Grossmont Hospital Secretly Recorded Patients Having Gynecology Operations
Apr 01

A lawsuit has been filed against Sharp HealthCare and Sharp Grossmont Hospital which alleges the hospital secretly recorded video footage of female patients undressing and having gynecological examinations performed. According to the lawsuit, the hospital installed video cameras in three operating rooms as part of an internal investigation into the theft of the anesthesia drug propofol from drug carts. The cameras were actively recording between July 17, 2012 and June 30, 2013 at its facility on Grossmont Center Drive in El Cajon, San Diego. During the time that the cameras were recording, 1,800 patients were filmed undergoing procedures such as hysterectomies, Caesarean births, dilation and curettage for miscarriages, and other surgical procedures. The motion-activated cameras had been installed on drug carts and continued to record even after motion had stopped. A spokesperson for Sharp Grossmont Hospital confirmed that three cameras had been installed to ensure patient safety by determining the cause of missing drugs from the carts. The lawsuit states that, “At times,...

Security Breaches Reported by DePaul and Southern Hills Eye Care
Apr 01

DePaul, a provider of assisted living facilities and healthcare services in New York, North Carolina, and South Carolina, is alerting certain members of its behavioral health program that some of their protected health information was exposed as a result of a phishing attack. The breach was discovered on February 1, 2019 and the account was immediately secured. The investigation into the breach confirmed that a single email account had been compromised as a result of an employee being fooled by a phishing scam. The email account contained approximately 41,000 emails, which needed to be checked to determine whether they contained any sensitive information. The vast majority of the emails in the account did not contain any significant medical or psychiatric information; however, a small number of emails contained information such as first and last names, dates of birth, and/or Social Security numbers. The aim of the attack appeared to be to use the compromised email account to send further phishing emails. No evidence was found to suggest the attacker viewed or copied emails...

67,493 Patients of Burrell Behavioral Health Impacted by Business Associate Breach
Apr 01

Burrell Behavioral Health is notifying 67,493 patients that their medical records were accidentally exposed as a result of an error made by an unnamed business associate in August 2018. The error was introduced into the business associate’s internet-facing portal, which resulted in images of Burrell Behavioral Health patients’ protected health information being exposed. The images contained information such as: name, address, telephone number, birth date, gender, dates of service, types of service provided, health insurance information, driver’s license number, and Social Security number. The exposure of patient data was brought to the attention of Burrell Behavioral Health on January 30, 2019. Burrell Behavioral Health notified its business associate about the data exposure and the server was immediately secured. A forensic investigation was conducted to determine which information had been exposed and whether it was subjected to unauthorized access. The investigation revealed patient information was uploaded to the server in August 2018. No evidence was uncovered to suggest...

Texas Department of Aging and Disability Services Agrees to $1.6 Million Settlement Over 2015 Data Breach
Mar 27

The Department of Health and Human Services’ Office for Civil Rights has agreed to settle a HIPAA violation case with the Texas Department of Aging and Disability Services (DADS) to resolve HIPAA violations discovered during the investigation of a 2015 data breach that exposed the protected health information of 6,617 Medicaid recipients. The breach was caused by an error in a web application which made ePHI accessible over the internet for around 8 years. DADS submitted a breach report to OCR on June 11, 2015. OCR launched an investigation into the breach to determine whether there had been any violation of HIPAA Rules. In July 2015, OCR notified DADS that the investigation had revealed multiple violations of HIPAA Rules. DADS was deemed to have violated the risk analysis provision of the HIPAA Security Rule – 45 C.F.R. § 164.308(a)(1)(ii)(A) – by failing to conduct a comprehensive, organization-wide risk analysis to identify potential risks to the confidentiality, integrity, and availability of ePHI. There had also been a failure to implement appropriate...

Superior Dental Care Patients Informed of PHI Exposure Due to Email Account Breach
Mar 26

The Centerville, Ohio dental insurance carrier Superior Dental Care has discovered an unauthorized individual gained access to an employee’s email account and potentially viewed the protected health information of certain members. The email account breach was detected on January 23, 2019 following the identification of suspicious activity within the employee’s email account. The password for the account was immediately changed and further unauthorized access was prevented. A third-party computer forensics firm was called in to assist with the investigation and determine the nature and scope of the breach. On February 11, 2019, Superior Dental Care learned that the account had been accessed by an unidentified third party and that unauthorized access to the email account was first gained on December 21, 2018. The email account contained information such as names, addresses, Social Security numbers, medical information, and payment information related to dental services received. All individuals affected by the breach have now been notified by mail and the breach has been reported to...

D.C. Attorney General Proposes Tougher Breach Notification Laws
Mar 25

Washington D.C. Attorney General Karl A. Racine is looking to strengthen data breach notification laws to provide greater protection for D.C. residents when their personal information is exposed in a data breach. On March 21, 2019, Attorney General Racine introduced the Security Breach Protection Amendment Act, which expands the definition of personal information that warrants notifications being sent to consumers in the event of a data breach. Currently, laws in the District of Columbia require breach notifications to be sent if there has been a breach of Social Security numbers, driver’s license numbers, or financial information such as credit and debit card numbers. If passed, the Security Breach Protection Amendment Act will expand the definition of personal information to include taxpayer ID numbers, genetic information including DNA profiles, biometric information, passport numbers, military identification data, and health insurance information. Attorney General Racine said one of the main reasons why the update was required was to better protect residents from breaches...

PHI Exposed in Three Recent Email Security Incidents
Mar 25

Three email system breaches have been reported in the past few days that resulted in unauthorized individuals gaining access to email accounts containing protected health information.

Navicent Health Notifies Patients About July 2018 Phishing Attack

Macon, GA-based Navicent Health is notifying certain patients that some of their protected health information has potentially been compromised as a result of a cyberattack on its email system. Upon discovery of the breach in July 2018, law enforcement was notified and a leading computer forensics firm was hired to investigate the breach. Navicent Health explained in a substitute breach notice on its website that it only became clear on January 24 that email accounts containing patient information had been breached. No reason was given as to why it took 6 months from the discovery of the breach to determine that patients’ PHI had been compromised. The types of information potentially accessed by the attackers included names, addresses, dates of birth, and some medical information such as appointment dates and billing information....

350,000 Affected by Oregon Department of Human Services Phishing Attack
Mar 22

Oregon Department of Human Services (ODHS) has experienced a phishing attack that has potentially allowed unauthorized individuals to view or obtain the protected health information of more than 350,000 individuals. ODHS learned on January 28, 2019 that unauthorized individuals had gained access to email accounts containing clients’ personal information. Third-party forensics experts from ID Experts were called in to determine the number of individuals affected, the types of data that could have been accessed, and whether clients’ personal information had been extracted. The investigation confirmed that nine employees had clicked links in phishing emails and divulged their login credentials, which allowed the attackers to gain access to their email accounts. The first account was compromised on January 8, 2019. The compromised email accounts contained almost 2 million emails. Checks are still being performed to find out which individuals have been affected. ODHS has confirmed that emails in the accounts contained information such as clients’ first and last names, addresses, birth...

UCLA Health Settles Class Action Data Breach Lawsuit for $7.5 Million
Mar 22

UCLA Health has settled a class action lawsuit filed on behalf of victims of a data breach that was discovered in October 2014. UCLA Health has agreed to pay $7.5 million to settle the lawsuit. UCLA Health detected suspicious activity on its network in October 2014 and contacted the FBI to assist with the investigation. The forensic investigation confirmed that hackers had succeeded in gaining access to its network, although at the time it was thought that they did not access the parts of the network where patients’ medical information was stored. However, on May 5, 2015, UCLA confirmed that the hackers had gained access to parts of the network containing patients’ protected health information and may have viewed or copied names, addresses, dates of birth, Medicare IDs, health insurance information, and Social Security numbers. In total, 4.5 million patients were affected by the breach. The Department of Health and Human Services’ Office for Civil Rights investigated the breach and was satisfied with UCLA Health’s breach response and the technical and administrative safeguards that had...

Verity Health System Suffers Third Phishing Breach in 3 Months
Mar 21

Verity Health System patients’ PHI was exposed in a phishing attack in 2016, in two further phishing attacks in November 2018, and the 6-hospital health system has now announced yet another attack occurred in January 2019. The latest phishing incident has impacted 14,894 patients. Three employees’ email accounts were compromised in the last three phishing attacks. Verity Health System explained in its breach notification letters that no evidence was uncovered to suggest any patients’ protected health information had been accessed by unauthorized individuals. The attacks are believed to have been conducted for use in further phishing attacks on other individuals in the organization, although PHI access could not be ruled out. The types of information exposed in the latest attack include names, addresses, contact telephone numbers, dates of birth, diagnoses, treatment information, health insurance policy numbers, subscriber numbers, patient ID numbers, and billing codes. Some of the files attached to emails also included Social Security numbers and driver’s license numbers. Some...

Medical Device Manufacturer Notifies 277,319 Patients About PHI Exposure
Mar 21

The Pennsylvania medical device manufacturer and software developer ZOLL Medical Corporation has started notifying 277,319 patients about the accidental exposure of some of their personal and medical information. The information was contained in emails that had been archived using a third-party email archiving solution. During a server migration, archived emails were exposed and could potentially have been accessed by unauthorized individuals. Upon discovery of the breach, ZOLL initiated an investigation and hired a third-party computer forensics company to determine whether any unauthorized individuals had accessed emails and viewed or downloaded patient information. The investigation revealed protections had been removed on November 8, 2018 and emails remained accessible until December 28, 2018. No evidence was uncovered to suggest any sensitive information was accessed by unauthorized individuals, but it was not possible to rule out the possibility that personal and medical information had been compromised. An analysis of the archived emails revealed they contained patient...

Northwestern Medicine Sued Over Medical Information Disclosure on Twitter
Mar 20

Northwestern Medicine Regional Medical Group is being sued by a patient whose sensitive medical information was disclosed on Twitter and Facebook. Gina Graziano discovered some of her sensitive medical information had been disclosed on social media websites and contacted Northwestern Medicine to complain about the privacy violation. Northwestern Medicine investigated the complaint and determined that Graziano’s medical records had been accessed on two separate occasions by a hospital employee who had no treatment relationship with Graziano. The records were accessed on March 5 and 6, 2019, using an employee’s login credentials. Graziano’s medical file contained a range of sensitive information, including her personal details, the reason for a recent visit to the emergency department, lab test results, medications, medical history, imaging results, and other information. Sensitive information which Graziano did not want placed in the public domain was disseminated on social media sites, causing her to be publicly humiliated. While Northwestern Medicine did not disclose the...

Database of New Jersey Healthcare Provider Found to be Leaking Patient Data
Mar20

Database of New Jersey Healthcare Provider Found to be Leaking Patient Data

Another unsecured healthcare database has been discovered which contains an estimated 37,000 records. The discovery was made on March 1, 2019 by security researcher Jeremiah Fowler. A brief analysis of the database appeared to show the records belonged to the New Jersey healthcare provider, Home Health Radiology Services LLC. The database contained highly sensitive patient information such as names, addresses, phone numbers, and dates of birth along with medical notes, diagnoses, treatment information, insurance information, and in some cases, Social Security numbers. In a recent blog post on securitydiscovery.com, Fowler explained that 37,000 case files were found along with 1,540 doctor’s information records, chat logs, emails, support tickets, and many other sensitive files. The records were mostly contained in an Elastic database which could be accessed over the internet by anyone without the need for any authentication. The unsecured database was reported to Home Health Radiology Services, which promptly secured the database to prevent any further unauthorized access. It is...

Potentially Massive Breach of Protected Health Information Discovered
Mar19

Sacramento, CA-based medical software provider Meditab Software Inc., and its San Juan, PR-based affiliate, MedPharm Services, have suffered a massive breach of protected health information. Meditab provides electronic medical record (EMR) and practice management software to hospitals, physicians’ offices, and pharmacies. According to the company website, its software is used by more than 2,200 healthcare clients. Meditab also provides a fax processing service, and one of the servers used for processing faxes has been discovered to be leaking data: it could be accessed over the internet without the need for any authentication. The unprotected fax server was discovered by the Dubai-based cybersecurity firm SpiderSilk. The fax server was hosted on a subdomain of MedPharm Services and housed an Elasticsearch database containing fax communications. Those faxes could be accessed in real time. The database was created in March 2018 and housed more than 6 million records. It is currently unclear how many of those records contained protected health information. According to a recent report...

February 2019 Healthcare Data Breach Report
Mar18

Healthcare data breaches continued to be reported at a rate of more than one a day in February. February saw 32 healthcare data breaches reported, one fewer than January. The number of reported breaches may have fallen by 3%, but February’s breaches were far more severe. More than 2.11 million healthcare records were compromised in February breaches – a 330% increase from the previous month.

Causes of Healthcare Data Breaches in February 2019

Commonly there is a fairly even split between hacking/IT incidents and unauthorized access/disclosure incidents; however, in February, hacking and IT incidents such as malware infections and ransomware attacks dominated the healthcare data breach reports. 75% of all reported breaches in February (24 incidents) were hacking/IT incidents, and those incidents resulted in the theft/exposure of 96.25% of all records that were breached. All but one of the top ten healthcare data breaches in February were due to hacks and IT incidents. There were four unauthorized access/disclosure incidents and four cases of theft of physical or electronic PHI. The...

Three Healthcare Ransomware Attacks Reported: 70,000 Individuals Affected
Mar13

Three ransomware attacks have been reported by healthcare organizations and vendors in the past few days. The PHI of almost 70,000 patients has potentially been compromised in the attacks.

50,000 Individuals Affected by Ransomware Attack on Delaware Guidance Services for Children and Youth

Delaware Guidance Services for Children and Youth (DGS) was forced to pay a ransom to recover files that had been encrypted in a Christmas Day ransomware attack. DGS has not publicly disclosed how much was paid for the decryption keys to unlock the files on its data servers. After recovering files, DGS engaged an IT firm to conduct a forensic analysis to determine whether the attackers had gained access to sensitive information prior to encrypting files. The firm found no evidence to suggest that any protected health information had been compromised or stolen. The attack appeared to have been conducted solely for the purpose of extorting money from DGS. DGS started sending notification letters to the parents and guardians on February 26, 2019 alerting them that sensitive information had been...

More Than 600,000 Michigan Residents Affected by Wolverine Solutions Breach, Warns AG Nessel
Mar13

Michigan Attorney General Dana Nessel has issued a warning to Michigan residents about the ransomware attack on Detroit-based Wolverine Solutions Group, which she says may have affected more than 600,000 Michigan residents. Nessel has advised all individuals who receive a breach notification letter to sign up for credit monitoring services, to monitor their accounts and explanation of benefits (EOB) statements for signs of fraudulent use of their data, to place a fraud alert on their credit file, and to consider freezing their credit file as a protection against fraud and identity theft. The cyberattack on Wolverine Solutions Group occurred on or around September 23, 2018. Critical systems were mostly restored within a month, but it has taken considerably longer to determine which clients had been affected. Some clients were only notified about the extent of the attack in March. While the types of information differ from company to company and individual to individual, the exposed information may include data elements such as names, addresses, dates of birth, Social Security numbers, insurance contract...

Business Associate Starts Issuing Notifications About August 2018 Laptop Theft
Mar12

A Massachusetts business associate has discovered the electronic protected health information (ePHI) of 2,088 individuals has potentially been viewed by unauthorized individuals. The ePHI was stored on an employee’s laptop computer that was stolen on August 23, 2018. RSC Insurance Brokerage, dba Re-Solutions, started notifying affected healthcare providers about the breach of their patients’ PHI on January 22, 2019, 5 months after the discovery of the theft of the laptop. According to the breach notice submitted to the California Attorney General, a third-party cybersecurity firm was called in to help determine what files had been stored on the laptop, the types of information that were accessible, and how many individuals had potentially been impacted. The theft was reported to law enforcement at the time and the employee’s credentials were changed to ensure that the laptop could not be used to access RSC systems. However, files were stored locally on the laptop and could potentially be accessed because, while the device was protected with a password, it was not encrypted. No evidence of...

20K Patients of Pasquotank-Camden Emergency Medical Services Impacted by Server Hack
Mar11

Pasquotank-Camden Emergency Medical Services (PCEMS) has discovered hackers have infiltrated a server that housed its billing system, which contained the protected health information of 20,420 patients. As a result of the intrusion, the hackers potentially gained access to the highly sensitive information of individuals who had previously received medical services from PCEMS. The types of information stored on the server included names, birth dates, Social Security numbers, and some medical information that had been collected by PCEMS. The breach was reported immediately to the Sheriff of Pasquotank County and federal law enforcement agencies, who determined that the hackers were based outside the United States. No evidence was found to indicate patients’ protected health information was stolen and at the time of issuing notification letters to patients, no reports had been received to suggest patient information had been misused. Since data theft could not be ruled out, PCEMS has offered all affected patients 12 months of free credit monitoring and identity theft protection...

Emerson Hospital Alerts Patients to May 2018 Breach at Claims Processing Vendor
Mar11

Emerson Hospital in Concord, MA, is alerting 6,314 patients that some of their protected health information has been exposed due to a security breach at a third-party vendor in May 2018. The hospital explained that the breach occurred between May 9 and May 17, 2018 and was an unauthorized disclosure incident. A former employee of MiraMed Global Services, a company that helps the hospital collect payments, was discovered to have sent files containing protected health information to a third party who was not authorized to receive the information. The files contained the types of information usually sought by identity thieves, including names, addresses, Social Security numbers, and insurance policy information. Financial information and health information were not compromised. The employee responsible was fired over the breach and the matter was reported to law enforcement. It is unclear whether the employee responsible has been charged over the theft. A forensic investigation confirmed that ePHI had been stolen, but a spokesperson for the hospital issued a statement saying, “A...

‘Dozens’ of Northwestern Memorial Hospital Employees Fired for Accessing Jussie Smollett’s Medical Records
Mar08

A major case of snooping on celebrity medical records has been reported that has resulted in dozens of healthcare workers being fired from Chicago’s Northwestern Memorial Hospital for allegedly accessing the medical records of Jussie Smollett without authorization. Jussie Smollett reportedly attended the hospital’s emergency room for treatment for injuries sustained in an alleged racially motivated attack by two men on January 29, 2019. Following a police investigation into the alleged attack, Chicago Police Superintendent Eddie Johnson announced that the Empire actor had been arrested on February 21 and charged with disorderly conduct and filing a false police report. The police allege that the attack was a hoax and that it had been staged by Smollett as a publicity stunt. The charges against Smollett were dropped on Tuesday, March 26. After Smollett was treated at Northwestern Memorial Hospital, curiosity got the better of some employees who searched for Smollett on the hospital’s system, some of whom accessed his chart and viewed his medical records. Accessing the medical...

Covenant Care Email Account Breach Impacts 7,858 Patients
Mar08

The Aliso Viejo, CA-based provider of residential care and skilled nursing facilities, Covenant Care, has discovered an unauthorized individual gained access to an employee’s email account and may have viewed or obtained the protected health information of 7,858 patients. On January 29, 2019, suspicious activity was detected in relation to the employee’s email account. Third-party forensics investigators were called in to help determine the nature and scale of the breach. The investigation revealed the email account was compromised on January 22, 2019. Access remained possible until the account was secured on January 29. A review of the compromised email account was completed on February 13, 2019 and confirmed that during the time that the account was accessible, emails and email attachments could have been opened. An analysis of the messages revealed they contained patient information. The information on each patient varied from individual to individual and may have included full name, date of birth, Social Security number, health insurance claim number, medical record number,...

Beazley Report Reveals Major Increase in Healthcare Hacking and Malware Incidents
Mar07

The latest Beazley Breach Insights Report confirms healthcare is the most targeted industry sector, accounting for 41% of all breaches reported to Beazley Breach Response (BBR) Services. Across all industry sectors, hacking and malware attacks were the most common cause of breaches and accounted for 47% of all incidents, followed by accidental disclosures of sensitive data (20%), insider breaches (8%), portable device loss/theft (6%), and the loss of physical records (5%). Hacking/malware incidents have increased significantly since 2017, which BBR notes is largely due to a 133% increase in business email compromise (BEC) attacks. Accidental disclosure incidents fell across all industries and insider breaches remained at a similar level to 2017. While hacking/malware incidents were the main cause of breaches in all other industry sectors, in healthcare they were on a par with accidental disclosures of protected health information, each accounting for 31% of reported breaches. Insider data breaches were significantly higher than other industry sectors and accounted for 17% of all...

Ransomware Attack Impacts up to 400,000 Patients of Columbia Surgical Specialists of Spokane
Mar06

A ransomware attack on Columbia Surgical Specialists of Spokane in Washington has potentially allowed unauthorized individuals to access the protected health information of up to 400,000 patients. Columbia Surgical Specialists learned of the ransomware attack on January 9, 2019. The security breach was immediately investigated and assistance was provided by IT security provider Intrinium. Files encrypted by the ransomware were found to contain patient information, which included names, driver’s license numbers, Social Security numbers and other types of protected health information. Columbia Surgical Specialists told HIPAA Journal that the data security firm “went through our systems with a fine-tooth comb” and concluded that patient data had not been stolen by the attackers, “but due to the nature of the ransomware and how the infection first began, there cannot be a guarantee.” Columbia Surgical Specialists believes the risk to patients is very low, and notifications were sent to patients out of an abundance of caution. The vulnerability that was exploited to gain access to the...

Rush University Medical Center Notifies 45,000 Patients of PHI Incident
Mar05

Rush University Medical Center is notifying approximately 45,000 patients that their PHI has been exposed as a result of a data incident at a financial services vendor. Rush learned of the incident on January 22, 2019. An employee of the financial services vendor was discovered to have disclosed a file containing patients’ PHI to an unauthorized third party in May 2018. The types of information in the file varied from patient to patient and may have included names, home addresses, dates of birth, health insurance information, and Social Security numbers. No health information was contained in the file and financial data was not exposed. Rush conducted an investigation into the breach and while no evidence was found to suggest patient information had been misused, affected patients have been offered membership to the Experian IdentityWorks Credit 3B service to protect against identity theft and fraud as a precaution. Affected patients have been advised to monitor their financial accounts and explanation of benefits statements from their insurers for any sign of fraudulent activity....

St. Francis Physicians Services Notifies Patients of Milestone Family Medicine Data Breach
Mar04

Bon Secours St. Francis Health System is notifying patients about a security breach that may have resulted in some of their protected health information (PHI) being viewed/obtained by unauthorized individuals who gained access to the systems of Milestone Family Medicine in Greenville, SC. Milestone Family Medicine was affiliated with St. Francis Physicians Services (SFPS) until February 24, 2019, and had previously employed physicians at the practice. SFPS learned of a security breach at the practice on January 4, 2019 and took steps to secure systems and prevent further unauthorized access. An investigation was launched and, assisted by a third-party computer forensics firm, SFPS determined that one of the servers that was accessed included the PHI of certain patients. The attack appears to have targeted EHR systems that were accessible over the Internet. Internet connections providing access to Milestone Family Medicine systems that are not actively being used have been shut down. The types of information that have been compromised include names, addresses, dates of birth, health...

January 2019 Healthcare Data Breach Report
Feb25

After a relatively quiet month for healthcare data breaches, breach numbers rose to more typical levels and were reported at a rate of more than one per day in January. There were 33 healthcare data breaches reported in January 2019. January was the second successive month where there was a fall in the number of individuals impacted by healthcare data breaches. January’s healthcare data breaches saw 490,937 healthcare records exposed, stolen or impermissibly disclosed.

Largest Healthcare Data Breaches in January 2019

Rank | Name of Covered Entity | Covered Entity Type | Individuals Affected | Type of Breach
1 | Centerstone Insurance and Financial Services (BenefitMall) | Business Associate | 111589 | Hacking/IT Incident
2 | Las Colinas Orthopedic Surgery & Sports Medicine, PA | Healthcare Provider | 76000 | Theft
3 | Valley Hope Association | Healthcare Provider | 70799 | Hacking/IT Incident
4 | Roper St. Francis Healthcare | Healthcare Provider | 35253 | Hacking/IT Incident
5 | Managed Health Services | Health Plan | 31300 | Hacking/IT Incident
6 | EyeSouth Partners | Business Associate | 24113 | Hacking/IT Incident
7 | Dr....

UConn Health Phishing Attack Sees PHI of 326,000 Patients Exposed
Feb25

UConn Health is notifying approximately 326,000 patients that some of their personal information has been exposed as a result of a phishing attack on some of its employees. UConn Health learned about the phishing attack on December 24, 2018. All email accounts were secured, and an internal investigation was launched. The investigation confirmed that multiple email accounts had been accessed by unauthorized individuals. A third-party computer forensics company was retained to investigate the attack and search for protected health information in emails and email attachments in the compromised accounts. While it was not possible to determine who was responsible for the attack nor whether emails and email attachments in the compromised accounts had been viewed by the attacker(s), PHI access could not be ruled out. UConn Health explained in its substitute breach notice that no reports have been received to indicate any patient information has been misused. The majority of individuals affected by the attack were patients. Some employees have also had personal information exposed....

Multiple Rutland Regional Medical Center Email Accounts Hacked
Feb25

Rutland Regional Medical Center in Rutland City, the largest community hospital in the state of Vermont, has discovered hackers have gained access to the email accounts of nine employees and potentially viewed/obtained patients’ protected health information. On December 21, 2018, an employee of the medical center noticed that their email account had been used to send large quantities of spam emails and on December 28, 2018, a potential security breach was reported to the medical center’s IT department. The IT department determined, on December 31, that the employee’s email account had been remotely accessed by an unauthorized individual. The account was immediately secured and a third-party forensic expert was called in to conduct an investigation into the breach. While the investigation into the breach is ongoing, the forensics expert concluded on February 6, 2019, that nine email accounts had been compromised between November 2, 2018 and February 6, 2019. The types of sensitive information in the compromised email accounts included patients’ full names, dates of birth, contact...

Insider Wrongdoing Breach at Kentucky Counseling Center Impacts 16,440 Patients
Feb22

Kentucky Counseling Center (KCC) has discovered a list of 16,440 patients has been stolen and disclosed to another individual. A current employee is suspected of accessing and copying patient information without authorization, uploading the data to an anonymous file sharing service, and subsequently sending a hyperlink to the list to a former employee of KCC. The former employee received the link to the patient list on January 6, 2019 and reported the privacy breach to KCC. KCC launched an investigation into the insider breach to determine when the list was obtained and who was responsible. KCC believes the list was downloaded and stolen on December 6, 2018 by a then-current employee of KCC. That person is no longer employed at the Counseling Center. The motivations behind the HIPAA violations are unclear – both the unauthorized access/theft and the subsequent impermissible disclosure to a former employee. KCC explained in its breach notification letter that there is no reason to believe that the list was taken with the intent of causing harm to patients. However, due to the nature...

PHI of Almost 1 Million UW Medicine Patients Exposed Online
Feb21

Approximately 974,000 patients of UW Medicine have had their protected health information exposed online due to the accidental removal of protections on a website server. The error resulted in sensitive internal files being indexed by search engines. Internet searches allowed sensitive patient information to be accessed by unauthorized individuals without any need for authentication. Seattle-based UW Medicine discovered a vulnerability on a website server on December 26, 2018, following a tip-off from a patient who was performing a Google search of their own name. An investigation was launched to determine how information was exposed, for how long, and how many patients had potentially been affected. UW Medicine determined that an error had been made in the configuration of a database which resulted in internal files being temporarily available over the Internet. The server misconfiguration occurred on December 4, 2019. The incident was attributed to human error. Ironically, the exposed database was used by UW Medicine to keep track of patient health information disclosures. The...

Patients Receive Notifications of PHI Theft 8 Months After Business Associate Data Breach was Detected
Feb19

Sharecare Health Data Services (SHDS), a San Diego company that provides secure electronic exchange and medical records management services for healthcare organizations, has alerted some of its clients that hackers gained access to parts of its systems that contained sensitive patient information. SHDS detected abnormal network activity on June 26, 2018, prompting an in-depth investigation. The investigation revealed hackers gained access to systems containing protected health information as early as May 21, 2018. Access remained possible until June 26, 2018, during which time PHI was accessed and exfiltrated by the hackers to locations outside the U.S. SHDS engaged the services of cybersecurity firm Mandiant to assist with the forensic investigation of the breach. The breach was also reported to the FBI and SHDS has been assisting with its investigation. SHDS has since taken steps to enhance security and prevent further breaches. Data retention policies have been revised, maintenance communications and protocols have been improved to ensure continuity across its network, and SHDS...

30,000 Patients Notified of Phishing Incident at Memorial Hospital at Gulfport
Feb18

Memorial Hospital at Gulfport, MS, is notifying approximately 30,000 patients that some of their protected health information has potentially been accessed by an unauthorized individual as a result of a phishing incident. Memorial Hospital discovered a breach of an employee’s email account on December 17, 2018. The compromised account was immediately secured and an investigation was launched to determine the extent of the breach. The investigation revealed the employee responded to a phishing email on December 6, 2018, which gave the attacker access to patients’ protected health information stored in emails and email attachments. Memorial Hospital reports that the breach was limited to names, dates of birth, health insurance information, and information about medical services received at the hospital. A small number of Social Security numbers were also contained in the compromised email account. Patients affected by the incident were notified by mail on February 15, 2019. Complimentary credit monitoring services have been offered to all patients whose Social Security numbers were...

16-Month Malware Infection at Florida Pulmonary & Sleep Medicine Center Impacts 42,000 Patients
Feb15

AdventHealth Medical Group’s Pulmonary & Sleep Medicine in Tavares, FL, formerly known as Lake Pulmonary Critical Care, has discovered hackers gained access to its systems and may have viewed or obtained the protected health information of up to 42,161 patients. Hackers first gained access to the Pulmonary & Sleep Medicine center’s systems in August 2017 as a result of the installation of malware. The malware infection was not discovered until December 27, 2018. The malware was removed, systems were secured, and an investigation was launched to determine the extent of the breach and which patients had been affected. The investigation revealed the hackers gained access to parts of its system where patients’ protected health information was stored. The information that was potentially accessed included names, addresses, email addresses, telephone numbers, dates of birth, health insurance information, Social Security numbers, medical histories, and the race, gender, weight, and height of patients. It is unclear how the malware was installed and why it took 16 months to...

Anesthesia Associates of Kansas City Discovers Theft of Patient Schedules
Feb13

Paperwork containing patient information has been stolen from an employee of Anesthesia Associates of Kansas City. The incident occurred on December 14, 2018. The employee had left a bag containing patient schedules in his vehicle. Thieves broke into the vehicle and stole the bag and paperwork. Anesthesia Associates of Kansas City learned of the incident on December 16, 2018 and launched an investigation to determine what paperwork had been stolen. It was not possible to determine with a high degree of certainty exactly which schedules were in the stolen bag. Consequently, the decision was taken to issue notification letters to all patients who had undergone surgical treatment between April 4, 2018 and December 14, 2018. The types of information listed in patient schedules include names, birth dates, types of surgical procedures, dates of surgery, and the name of the surgeon. Schedules do not contain sensitive information such as addresses, Social Security numbers, insurance information, or financial information. The theft was reported to law enforcement but neither the bag nor...

United Hospital District Phishing Attack Impacts 2,143 Patients
Feb13

Blue Earth, MN-based United Hospital District has discovered patient information was exposed and potentially accessed by an unauthorized individual as a result of a June 2018 phishing attack. The phishing incident resulted in the compromise of a single email account, the credentials to which were obtained as a result of an employee responding to a phishing email. The substitute breach notice on the healthcare provider’s website indicates the account was compromised between June 10, 2018 and June 27, 2018. An in-depth analysis of the compromised account was conducted by third-party cybersecurity professionals who determined on December 12, 2018, that patient information had potentially been accessed. Emails and file attachments in the account were found to contain the protected health information of 2,143 patients. The types of information contained in the email account varied from patient to patient and may have included names, addresses, internal patient identification numbers, health insurance information and, for a limited number of affected patients, diagnoses, treatment...

2019 Data Breach Barometer Report Shows Massive Increase in Exposed Healthcare Records
Feb13

Protenus has released its 2019 Breach Barometer report, an analysis of healthcare data breaches reported in 2018. The data for the report came from Databreaches.net, which tracks data breaches reported in the media as well as breach notifications sent to the Department of Health and Human Services’ Office for Civil Rights and state attorneys general. The report shows there was a small annual increase in the number of healthcare data breaches but a tripling of the number of healthcare records exposed in data breaches. According to the report, there were 503 healthcare data breaches reported in 2018, up from 477 in 2017. 2017 was a relatively good year in terms of the number of healthcare records exposed – 5,579,438 – but the number rose to 15,085,302 exposed healthcare records in 2018. In 2017, March was the worst month of the year in terms of the number of records exposed, and there was a general downward trend in exposed records throughout the rest of the year. In 2018, there was a general increase in exposed records as the year progressed. The number of exposed records increased...

7,000 Patients Notified About Pawnee County Memorial Hospital Malware Attack
Feb11

Pawnee County Memorial Hospital in Pawnee City, Nebraska, is alerting 7,038 patients that some of their protected health information has potentially been accessed by a hacker. On November 29, 2018, the hospital learned that malware had been installed which allowed an unauthorized individual to gain access to its email system. Malware was injected into the hospital’s email system when an employee opened a malicious email attachment. According to Pawnee County Memorial Hospital’s substitute breach notice, the email appeared to have been sent from a trusted source and the email attachment seemed genuine. Assisted by a third-party computer forensics expert, the hospital determined that the email attachment had been opened on November 16, 2018. The hacker was able to access employees’ email accounts from November 16 to November 24. The compromised email accounts contained a range of business reports, clinical reports, clinical summaries, and other internal documents. Those documents contained patients’ full names along with one or more of the following data elements: Date of birth,...

EyeSouth Partners Email Account Breach Impacts 24,000 Patients of Georgia Eye Associates
Feb08

EyeSouth Partners has announced that a hacker has gained access to an employee’s email account and has potentially viewed/obtained the electronic protected health information (ePHI) of as many as 24,000 patients. EyeSouth Partners is a business associate of Georgia Eye Associates, South Georgia Eye Partners, Cobb Eye Center, and Georgia Ophthalmology Associates. On October 25, 2018, EyeSouth Partners became aware that an unauthorized individual had gained access to the email account of one of its employees. Prompt action was taken to secure the email account and assess the security of its systems. Procedures were also implemented to enhance information security safeguards to prevent any further email account breaches. The breach investigation revealed the hacker first gained access to the email account on September 11, 2018. Access remained possible until October 25. Third-party computer forensics experts were hired to assist with the investigation and determine which patients had had their ePHI exposed. On December 19, 2018, EyeSouth Partners was informed that the hacker had...

OCR Settles Cottage Health HIPAA Violation Case for $3 Million
Feb08

The Department of Health and Human Services’ Office for Civil Rights (OCR) has agreed to settle a HIPAA violation case with the Santa Barbara, CA-based healthcare provider Cottage Health for $3,000,000. Cottage Health operates four hospitals in California – Santa Barbara Cottage Hospital, Santa Ynez Cottage Hospital, Goleta Valley Cottage Hospital and Cottage Rehabilitation Hospital. In 2013 and 2015, Cottage Health experienced two security incidents that resulted in the exposure of the electronic protected health information (ePHI) of 62,500 patients. In 2013, Cottage Health discovered a server containing patients’ ePHI had not been properly secured. Files containing patients’ ePHI could be accessed over the internet without the need for a username or password. Files on the server contained patient names, addresses, dates of birth, diagnoses, conditions, lab test results and other treatment information. Another server misconfiguration was discovered in 2015. After responding to a troubleshooting ticket, the IT team removed protection on a server which similarly exposed...

Settlement Reached in Community Health Systems 4.5 Million-Record Data Breach Case
Feb05

Community Health Systems’ (CHS) patients whose protected health information (PHI) was stolen in a cyberattack in 2014 have been offered compensation for the theft of their PHI. Tennessee-based Community Health Systems operates over 200 hospitals, making it one of the largest healthcare systems in the U.S. In 2014, CHS discovered malware had been installed on its network. The malware allowed unauthorized individuals to gain access to patient information between April and June 2014. The cyberattack is believed to have been conducted by threat actors based in China. An advanced malware variant was used in the attack, which had the sole purpose of obtaining sensitive information. An investigation into the breach confirmed that patient data including names, addresses, phone numbers, dates of birth, and Social Security numbers had been exfiltrated. The PHI of 4.5 million patients was stolen by the attackers. At the time it was the largest healthcare data breach to be reported to the Department of Health and Human Services’ Office for Civil Rights and still ranks as one of the top six...

Malware Attack Reported by Minnesota Infertility Clinic
Feb05

Malware has been installed on the network of Reproductive Medicine and Infertility Associates, a Woodbury, MN, infertility clinic. While no evidence was uncovered to suggest any patient information was accessed or exfiltrated by the malware, the possibility of a data breach could not be ruled out. The malware attack was detected by the clinic on December 5, 2018 and a third-party computer forensics firm was hired to investigate and clean the malware from its systems. While the malware was successfully removed, it was not possible to determine exactly how it was installed on the network. Information stored on systems potentially accessible by the malware included names, dates of birth, addresses, treatment information, health insurance information, and donors’ Social Security numbers. All individuals whose PHI was exposed were notified about the incident on February 1, 2019. As a precaution against fraud, all individuals affected by the breach have been offered complimentary identity theft monitoring services. Anti-malware defenses have now been improved, which include an additional...

23,500 Patients Impacted by Connecticut Eye Clinic Ransomware Attack
Feb05

Dr. DeLuca Dr. Marciano & Associates, P.C., a primary eye care clinic in Prospect, CT, has experienced a ransomware attack that has resulted in the encryption of files containing patients’ protected health information. The attack occurred on November 29, 2018. Prompt action was taken to shut down the network to prevent the spread of the infection, but it was not possible to stop the encryption of files on two servers used to store patient-related files. A ransom demand was received but no payment was made. The encrypted files were successfully restored from backups. An investigation of the breach revealed that the two servers affected by the attack contained patient files that included information such as patient names, Social Security numbers, and some treatment information. Dr. DeLuca Dr. Marciano & Associates has taken steps to prevent further cyberattacks, which include closing remote access to the network, implementing technical solutions to protect against ransomware, and enhancing its anti-virus software. While there is no indication that patient information was...

12,000 Patients Impacted by Valley Professionals Community Health Center Phishing Attack
Feb04

Valley Professionals Community Health Center in Indiana has experienced a phishing attack that has resulted in an employee’s email account being accessed by an unauthorized individual. Phishing attacks often involve the impersonation of companies. In this case, the attacker impersonated a healthcare organization that had previously worked with Valley Professionals Community Health Center. The supposed sender of the email was known to staff at the health center and the email appeared genuine. On November 27, 2018, Valley Professionals Community Health Center detected suspicious activity relating to the employee’s email account. Prompt action was taken to secure the account and an investigation was launched to determine the cause of the activity. Assistance was provided by a third-party computer forensics company, which determined that the account had been accessed by an unauthorized individual between October 26 and November 27, 2018. The emails in the account contained information such as patient names, addresses, dates of birth, Social Security numbers, medical record numbers,...

13 Accounts Compromised in Roper St. Francis Healthcare Phishing Attack
Feb04

A large-scale phishing attack on Charleston, SC-based Roper St. Francis Healthcare has seen attackers gain access to the email accounts of 13 employees. The phishing attack was detected on November 30, 2018 and action was taken to block access to a corporate email account. The investigation into the breach revealed further email accounts had been compromised. The affected accounts were accessed by the attacker between November 15 and December 1, 2018. A third-party computer forensics firm was hired to investigate the breach, which revealed some of the compromised accounts contained patient information including names, medical record numbers, health insurance information, details about services received from Roper St. Francis Healthcare, and for a limited number of patients, Social Security numbers and financial information. All affected patients were notified by mail on January 25, 2019 and have been offered complimentary credit monitoring services. While PHI was potentially accessed, no reports have been received to suggest any PHI has been misused. The HHS’ Office for Civil...

Aetna Settles HIV Status Breach Case with California AG for $935,000
Feb01

Hartford, CT-based health insurer Aetna has agreed to pay the California Attorney General $935,000 to resolve alleged violations of state laws related to a 2017 privacy breach that exposed state residents’ HIV status. On July 28, 2017, Aetna’s mailing vendor sent letters to plan members who were receiving HIV medications or pre-exposure prophylaxis to prevent them from contracting HIV. The letters contained instructions for their HIV medications; however, information about the HIV medications was clearly visible through the window of the envelopes, resulting in the impermissible disclosure of highly sensitive information to postal workers, friends, family members, and roommates. Approximately 12,000 individuals were sent letters, 1,991 of whom lived in California. The privacy breach was a violation of HIPAA Rules, and according to California Attorney General Xavier Becerra, also a violation of several California laws including the Unfair Competition Law, the Confidentiality of Medical Information Act, the Health and Safety Code (section 120980), and the State Constitution. In...

FABEN Obstetrics and Gynecology Informs 6,092 Patients of Ransomware-Related Data Loss
Jan31

Jacksonville, FL-based FABEN Obstetrics and Gynecology has experienced a ransomware attack on a server that housed patients’ protected health information (PHI). The ransomware was detected on November 21, 2018 and resulted in widespread file encryption. An investigation was launched to determine the extent of the attack and whether any patients’ PHI was accessed or stolen by the attackers. An analysis of the files on the server confirmed that files containing patients’ PHI had been encrypted. FABEN determined that the attackers had not accessed the files and that no data had been exfiltrated from the server. The ransomware variant used in the attack was GandCrab. While free decryptors have been made available for some GandCrab ransomware variants, they do not work on the latest versions of the ransomware. A ransom demand was received by FABEN although the decision was taken not to pay the attackers for the key to decrypt the files. The files that had been encrypted were created between January 2007 and April 10, 2017, and included clinical electronic medical records containing...

Thieves Stole Devices Containing PHI of 7,200 Patients of Integrity House
Jan30

A burglary at the offices of the addiction treatment services provider Integrity House has resulted in the exposure of patients’ protected health information. Several electronic devices were stolen in the burglary, including desktop computers, laptop computers and tablets. An investigation by the Integrity House IT team confirmed that some patients’ protected health information was stored on the devices. The burglary was discovered by staff on November 25, 2018. Law enforcement was notified but the stolen devices have not been recovered. The IT department determined that one of the stolen devices contained information such as names, birth dates, Social Security numbers, health insurance information, and a limited amount of treatment information. While it is probable that the devices were stolen for their resale value rather than any sensitive information they contained, it is possible that patient information could be accessed and may be misused. Consequently, as a precaution, Integrity House has offered all affected individuals free identity theft protection and credit monitoring...

PHI Exposed in Verity Health System Phishing Attack
Jan29

Verity Health System, a Redwood City-based network of 6 hospitals in California, has announced that the protected health information of certain patients has potentially been compromised as a result of a November 27, 2018 phishing attack. The Office 365 credentials of a Verity Health employee were obtained by a hacker as a result of a response to a phishing email. For a period of approximately one and a half hours, an unauthorized individual gained access to the employee’s email account and sent further phishing emails to Verity Health employees and other individuals in the employee’s contact list. The emails contained a hyperlink that directed the recipients to a malicious website. An investigation into the breach confirmed that none of the recipients of the phishing emails had disclosed their login credentials. The aim of the attacker appeared to be to gain access to further account credentials rather than to obtain sensitive data contained in the compromised account; however, it is possible that some patients’ personal information was viewed or possibly obtained while account...

Analysis of 2018 Healthcare Data Breaches
Jan28

Our 2018 healthcare data breach report reveals healthcare data breach trends, details the main causes of 2018 healthcare data breaches, the largest healthcare data breaches of the year, and 2018 healthcare data breach fines. The report was compiled using data from the Department of Health and Human Services’ Office for Civil Rights (OCR).

2018 Was a Record-Breaking Year for Healthcare Data Breaches

Since October 2009, the Department of Health and Human Services’ Office for Civil Rights has been publishing summaries of U.S. healthcare data breaches. In that time frame, 2,545 healthcare data breaches have been reported. Those breaches have resulted in the theft, exposure, or impermissible disclosure of 194,853,404 healthcare records. That equates to the records of 59.8% of the population of the United States. The number of reported healthcare data breaches has been steadily increasing; except for 2015, the number of reported healthcare data breaches has risen every year. In 2018, 365 healthcare data breaches of 500 or more records were reported, up almost 2% from the...

23,300 Patients Affected by Critical Care, Pulmonary & Sleep Associates Email Hack
Jan28

Critical Care, Pulmonary & Sleep Associates (CCPSA) in Colorado has experienced a data breach that has impacted more than 23,300 patients. An email account breach was detected by CCPSA on November 23, 2018 when suspicious activity was detected related to an employee’s email account. The account appeared to have been used to send phishing emails to individuals in the employee’s contact list. Those emails attempted to convince the recipients to make fraudulent payments. Action was promptly taken to lock the hacker out of the account and the entire email environment was secured. All users were required to set new, complex passwords. A third-party computer forensics firm was hired to investigate the attack and determine the scale of the breach. That investigation was concluded on December 14, 2018. The investigation revealed the attacker had gained access to multiple email accounts between August 14 and November 23, 2018. The breach was determined to be limited to the email system. Its medical record system was unaffected. An analysis of the compromised email accounts revealed they...

Stolen Hard Drive Contained PHI of 76,000 Texas Patients
Jan25

All-Star Orthopaedics is alerting patients of Irving, TX-based Las Colinas Orthopedic Surgery & Sports Medicine, PA, that some of their protected health information (PHI) was stored on a hard drive that has been stolen. The hard drive contained X-ray and other diagnostic images of 76,000 patients, along with patients’ names and dates of birth. The hard drive was not encrypted, but special software is required to access the images. The image files would need to be opened in order to see patients’ names and dates of birth. The hard drive was stolen on November 20, 2018 and the theft was reported to the Department of Health and Human Services’ Office for Civil Rights on January 18, 2019. Breach notification letters have now been sent to all affected patients. The theft has prompted All-Star Orthopaedics to implement new security protocols and all portable hard drives will now be encrypted prior to transport.

Dermacare Brickell Data Breach Impacts 1,800 Patients

On November 20, 2018, the Miami medical practice Dermacare Brickell discovered paperwork containing the PHI of around...

Alaska Department of Health and Social Services Revises 2018 Breach Victim Total from 501 to 500K-700K
Jan24

A laptop computer malware infection discovered by the Alaska Department of Health and Social Services (ADHSS) in April 2018 was initially thought to have potentially allowed hackers to gain access to the electronic protected health information (ePHI) of 501 individuals; however, the breach has been determined to be far more extensive than was initially thought. On January 22, 2019, state officials said the malware potentially allowed the attackers to access and obtain the ePHI of between 500,000 and 700,000 individuals and that notification letters to the additional breach victims had started to be sent. Two days later, the number of breach victims was revised to 87,000 individuals. The malware used in the attack was a variant of the Zeus/Zbot Trojan, an information stealer. The individuals whose ePHI was potentially obtained by the hackers had interacted at some point with the Department of Public Assistance (DPA) through the DPA Northern regional offices. Last year, ADHSS said the laptop had accessed sites in Russia, had unauthorized software installed, and other...

Valley Hope Association Notifies Patients of Email Account Breach
Jan22

Valley Hope Association has announced that an unauthorized individual has gained access to the email account of an employee. Valley Hope Association became aware of a potential account breach on October 10, 2018, when unusual account activity was detected. Prompt action was taken to prevent further account access and a third-party computer forensics firm was hired to determine the nature and scope of the breach. The investigation confirmed on November 23, 2018, that an unauthorized individual had accessed a single email account between October 9 and October 10, 2018, and potentially viewed emails and attachments containing patients’ protected health information. After a thorough review of all emails and email attachments, the forensics firm confirmed that certain patients’ PHI may have been accessed. The types of information contained in the emails varied from patient to patient and may have included one or more of the following data elements: Name, address, date of birth, Social Security number, medication and prescription information, claims and billing information, medical record number,...

December 2018 Healthcare Data Breach Report
Jan22

November was a particularly bad month for healthcare data breaches, so it is no surprise that there was an improvement in December. November was the worst month of the year in terms of the number of healthcare records exposed (3,230,063) and the second worst for breaches (34). December was the second-best month for healthcare data breaches with 23 incidents reported, only one more than January. In total, 516,370 records were exposed, impermissibly disclosed, or stolen in breaches reported in December: a considerable improvement on November. Were it not for the late reporting of the Adams County breach, December would have been the best month of the year to date in terms of the records exposed. The Adams County breach was experienced in March 2018, confirmed on June 29, yet reporting to OCR was delayed until December 11.

Largest Healthcare Data Breaches in December 2018

Rank; Name of Covered Entity; Covered Entity Type; Individuals Affected; Type of Breach
1; Adams County; Healthcare Provider; 258,120; Unauthorized Access/Disclosure
2; JAND Inc. d/b/a Warby Parker; Healthcare Provider; 177,890...

Physician Receives Probation for Criminal HIPAA Violation
Jan18

A physician who pleaded guilty to a criminal violation of HIPAA Rules has received 6 months’ probation and has escaped a jail term and fine. The case concerned the wrongful disclosure of patients’ PHI to a pharmaceutical firm. The case was prosecuted by the Department of Justice in Massachusetts in conjunction with a case against Massachusetts-based pharma firm Aegerion. In September 2017, the Novelion Therapeutics subsidiary Aegerion agreed to plead guilty to mis-branding the prescription drug Juxtapid. The case also included deferred prosecution related to criminal liability under HIPAA for causing false claims to be submitted to federal healthcare programs for the drug. Aegerion admitted to conspiring to obtain the individually identifiable health information of patients without authorization for financial gain, in violation of 42 U.S.C. §§ 1320d-6(a) and 1320-6(b)(3) and HIPAA Rules. Aegerion agreed to pay more than $35 million in fines to resolve criminal and civil liability. The DOJ also charged a Georgia-based pediatric cardiologist with criminal violations of HIPAA Rules...

PHI of Almost 1,000 Lebanon VA Medical Center Patients Impermissibly Disclosed
Jan17

Lebanon VA Medical Center in Pennsylvania has discovered the protected health information of hundreds of elderly patients has been impermissibly disclosed to a family member of a veteran. In November 2018, a member of staff at Lebanon VA Medical Center emailed a document to a family member of a veteran who was searching for nursing home facilities. The list should have contained nursing home facilities that work with the Department of Veteran Affairs; however, a historical list of residents of nursing homes was sent in error. The list contained veterans’ names, abbreviated Social Security numbers, the nursing home where the veteran had been admitted, diagnoses, and service-connection disability rating percentages. “Lebanon VA Medical Center and our employees take our responsibility to protect patient information very seriously,” explained Lebanon VA privacy officer Tonya Hromco. “Along with assistance from national offices, we immediately investigated this inadvertent, unauthorized release of information which occurred in late November.” The incident was an isolated error and steps...

New Massachusetts Data Breach Notification Law Enacted
Jan16

A new Massachusetts data breach notification law has been enacted. The new legislation was signed into law by Massachusetts governor Charlie Baker on January 10, 2019 and will come into effect on April 11, 2019. The new legislation updates existing Massachusetts data breach notification law and introduces new requirements for notifications. Under Massachusetts law, a breach is defined as the unauthorized acquisition or use of sensitive personal information that carries a substantial risk of identity theft or fraud. Notifications must be issued if one or more of the following data elements are obtained by an unauthorized individual along with an individual’s first name and last name or first initial and last name:

Social Security number
Driver’s license number
State issued ID card number
Financial account number, or credit/debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account.

As with the previous law, there is no set timescale for issuing breach...

111K Individuals Notified of 4-Month Email Account Compromise
Jan15

Centerstone Insurance and Financial Services, operating as BenefitMall, has started notifying more than 111,000 individuals that some of their protected health information has been exposed, and potentially stolen, in a recent email security incident. Dallas, TX-based BenefitMall is a provider of employee benefits, payroll, HR, and employer services and employs more than 20,000 advisors, brokers, and CPAs across the country. The company is a business associate of several HIPAA-covered entities. On October 11, 2018, the company became aware that email accounts used by its employees had been accessed by an unauthorized individual. A third-party computer forensics firm was retained and an internal investigation was conducted to assess the nature and scope of the breach. The investigation revealed the first email accounts had been compromised in June 2018 and further email accounts were breached and accessed up to October 11 when the attack was detected. Prompt action was taken to secure the compromised email accounts and prevent further remote email account access. The email accounts...

Sacred Heart Rehabilitation Center Notifies Patients of Phishing Incident
Jan11

Memphis, MI-based Sacred Heart Rehabilitation Center, a provider of substance abuse treatment and care services for patients diagnosed with HIV/AIDS, has discovered an unauthorized individual has gained access to the email account of an employee following a response to a phishing email. The email account was breached between April 5 and April 7, 2018. It is unclear when the phishing attack was detected by the rehabilitation center, but the investigation into the breach concluded in November and revealed the account contained some patients’ protected health information. Individuals whose PHI was exposed were sent notification letters on January 9, 2018. The types of information contained in the compromised account included patients’ names, home addresses, diagnoses, treatment information, health insurance information, and Social Security numbers. The number of patients affected by the breach has not been publicly disclosed at this point and the breach has not yet been listed on the Department of Health and Human Services’ Office for Civil Rights breach portal. Sacred Heart...

Solis Mammography Notifies 500 Patients of PHI Exposure
Jan09

An unencrypted laptop computer has been stolen from Ben-Ora, Hansen, Vanesian Imaging Ltd., dba Solis Mammography. Solis Mammography learned on October 17, 2018 that the laptop had been stolen from its Phoenix, AZ clinic and reported the theft to law enforcement. To date the device has not been recovered. Attempts were made, with the assistance of a leading computer forensics firm, to reconstruct the data that had been stored on the device. While the investigation confirmed that some patients’ protected health information had been downloaded to the device, it was not possible to ascertain the exact information that had been exposed. Solis Mammography believes information such as patients’ names, birth dates, health insurance information, lab test results, medical images, and other information could have been stored on the device and have potentially been accessed by the individual in possession of the computer. Solis Mammography does not believe any financial information was downloaded onto the laptop. Solis Mammography has taken steps to further secure patient information including strengthening access controls and...

Phishing Attack Impacts 2,200 Kent County Community Mental Health Authority Patients
Jan09

Starting on October 28, 2018, Kent County Community Mental Health Authority, dba Network180, experienced a targeted phishing attack. As is common in advanced phishing attacks, the emails appeared to have been sent from a trusted source. Between November 2 and November 13, three employees responded to the emails and disclosed their credentials, which allowed their encrypted email accounts to be accessed by an unauthorized individual. At least one of the compromised email accounts contained the protected health information (PHI) of patients. A wide range of PHI was included in the emails stored in the compromised account. The types of information that could potentially have been accessed by the attacker varied from patient to patient, but may have included names, addresses, dates of birth, Medicaid/Medicare ID numbers, Internal ID numbers, Waiver Support Application (WSA) numbers, names of healthcare providers, schools that were attended, names of relatives, ethnicity/race, and the Social Security numbers of 20 patients. No financial information is believed to have been exposed. The...

31,876 Managed Health Services of Indiana Health Plan Members Notified of Impermissible Disclosure of PHI
Jan08

Managed Health Services, the Indianapolis, IN-based managed care entity that runs the Hoosier Healthwise and Hoosier Care Connect Medicaid programs, has discovered the protected health information (PHI) of 31,876 plan members has potentially been disclosed in two separate breaches that were announced in December 2018.

31,300 Plan Members Notified of Phishing-Related PHI Breach

A phishing attack on a business associate of Managed Health Services has potentially resulted in the disclosure of some plan members’ PHI. On or around July 30, 2018, employees of LCP Transportation responded to phishing emails and provided the attacker with credentials that allowed their email accounts to be remotely accessed. LCP Transportation disabled the affected email accounts on September 7, 2018. A third-party computer forensics firm was hired to assist with the investigation. While no evidence of PHI misuse has been detected, it is possible that emails in the accounts were accessed by the attacker. Some of the emails in the compromised accounts contained plan members’ PHI including names, addresses,...

1,080 Chaplaincy Health Care Patients Potentially Impacted by Phishing Attack
Jan07

Chaplaincy Health Care, a not-for-profit healthcare provider based in Richland, WA, has experienced a phishing attack that has resulted in the exposure of 1,080 patients’ protected health information. The phishing attack occurred on November 20, 2018 and was discovered within 4 hours. Prompt action was taken to block unauthorized access and a third-party computer forensics firm was hired to assist with the breach investigation. The investigation confirmed that a single email account was accessed by the attacker. After gaining access to the email account, the attacker attempted to access further accounts. The breach was discovered when the employee was alerted that her account had been used to send a phishing email to an email contact. No evidence was uncovered to suggest any patient health information was viewed or copied but, out of an abundance of caution, all patients affected by the breach have been offered complimentary credit monitoring and identity theft protection services through LifeLock for 12 months. Patients were notified about the breach on January 3, 2019. The firm...

Ransomware Attack on Podiatric Offices of Bobby Yee Impacts 24,000 Patients
Jan07

A ransomware attack on the Podiatric Offices of Bobby Yee has resulted in the encryption of files containing the protected health information (PHI) of up to 24,000 patients and other individuals. The attack took place on October 29, 2018. Medical records were encrypted by the ransomware along with files containing information such as full name, address, contact telephone number(s), gender, birth date, Social Security number, and health insurance information. Prompt action was taken to protect patient data and an investigation into the breach did not uncover any evidence to suggest the attacker viewed or copied any patients’ PHI. The Podiatric Offices of Bobby Yee explained in a December 20, 2018, press release “We may need to reconfirm or reconstruct the information, including your medical information.” It is unclear whether the ransom was paid to obtain the key to decrypt patient data or whether files were recovered from backups.

Humana Insurance Applicants Affected by Bankers Life Data Breach

Humana has announced that certain insurance applicants have had some of their personal...

Advertising Expenditures Increase 64% Following a Healthcare Data Breach
Jan07

A recent study has explored the relationship between advertising expenditures and healthcare data breaches. The study shows hospitals significantly increase advertising spending following a data breach.

Healthcare Data Breaches Are the Costliest to Mitigate

Healthcare data breaches are the most expensive to mitigate, far higher than breaches in other industry sectors. According to the Ponemon Institute/IBM Security’s 2018 cost of a data breach study, healthcare data breaches cost, on average, $408 per lost or stolen record. The costs are double, or in some cases almost triple, those in other industry sectors. In addition to the high costs of mitigating the breaches, the same study confirmed that loss of patients to competitors is a very real threat. Data breaches cause damage to a brand and trust in an organization can be easily lost when confidential personal information is exposed or stolen. The Ponemon Institute study revealed healthcare organizations...

Blue Cross Blue Shield of Michigan Members Notified of Business Associate Ransomware Attack
Jan04

A business associate of Blue Cross Blue Shield of Michigan has experienced a ransomware attack that has potentially resulted in the theft of plan members’ protected health information. This is the second data breach affecting Blue Cross Blue Shield of Michigan plan members to be reported in December. Some plan members’ PHI was stored on a laptop computer that was stolen from a different business associate. The latest breach was experienced by Austin, TX-based Wolverine Solutions Group, a vendor that provides business services to Blue Cross Blue Shield of Michigan and several other healthcare clients. On September 23, 2018, ransomware was installed on its network that resulted in the encryption of files on servers and workstations, including files containing protected health information. A third-party computer forensics firm conducted an investigation into the breach but found no evidence of data exfiltration; however, data theft could not be entirely ruled out. The types of information that were potentially accessed and copied included demographic data, health plan contract numbers,...

Email Account Breach Impacts Thousands of Choice Rehabilitation Residents
Jan03

Choice Rehabilitation of Creve Coeur, MO, has discovered an unauthorized individual hacked into a corporate email account of one of its employees and set up a mail forwarder to send emails to a personal email account. The breach occurred on July 1, 2018 and the mail forwarder remained active until September 30, 2018. A detailed analysis of the email account revealed the protected health information of certain residents was included in billing documents attached to emails that had been sent to its associated skilled nursing facilities. Highly sensitive information such as financial data, Social Security numbers, Medicare and Medicaid numbers, dates of birth and contact information remained secure at all times. The breach was limited to billing information related to physical, speech, and occupational therapy provided to patients such as names, payor information, medical record numbers, start and end dates of therapy, diagnoses, treatment information, billing codes, and the name of the facility where care was provided. Upon discovery of the breach, access to the compromised email...

Vendor of Dental Center of Northwest Ohio Suffers Ransomware Attack
Jan02

Current and former patients of the Dental Center of Northwest Ohio in Toledo, OH, are being notified that some of their protected health information has potentially been compromised as a result of a ransomware attack on one of its vendors. Arakyta, a managed IT service provider, notified the dental center on September 1, 2018, of a security breach on a server hosting certain dental center systems. Assisted by third-party computer experts, the dental center determined on November 7, 2018, that an unknown, unauthorized individual had gained access to the server and had potentially viewed or copied patient data. No evidence of data theft was detected and no reports have been received from patients to suggest any protected health information was stolen and misused. However, since it was not possible to rule out data theft with a high degree of certainty, the decision was taken to issue notifications to patients and to provide them with complimentary credit monitoring and identity theft restoration services. The types of data potentially viewed/copied by the attacker included full...

Orlando Family Physicians Group Phishing Attack Impacts 8,400 Patients
Jan02

8,400 patients of the Humana-owned Family Physicians Group in Orlando are being notified that some of their protected health information has potentially been compromised as a result of a phishing attack. Family Physicians Group is one of the largest providers of healthcare for Medicare and Medicaid beneficiaries in Central Florida and operates 22 clinics in the region. An investigation into the breach confirmed that an employee’s email account was accessed by an unauthorized individual on August 7, 2018. Unauthorized account access remained possible until August 21, 2018, when the breach was discovered and login credentials were changed. The login credentials were obtained by the attacker when the employee responded to a phishing email. Affected patients were notified about the incident on December 28, 2018. It is unclear why it took more than 4 months to issue notifications to patients. An analysis of the emails in the compromised account confirmed certain messages contained the protected health information of patients. No financial data or Social Security numbers were recorded in...

15,000 Customers Notified About Blue Cross Blue Shield of Michigan Data Breach
Dec31

Approximately 15,000 customers of Blue Cross Blue Shield of Michigan have been notified that some of their private information was stored on a laptop computer that was stolen from an employee of a business associate of one of its subsidiaries. The laptop computer was stolen on October 26, 2018, and Blue Cross Blue Shield of Michigan was alerted to the exposure of plan members’ protected health information (PHI) on November 12, 2018. The breach affects members of Blue Cross’ Medicare Advantage health insurance plans. Notifications are now being mailed to all plan members affected by the breach. The laptop computer was protected with a password and plan members’ data stored on the device had been encrypted; however, the employee’s credentials may also have been stolen. Consequently, there is a risk that PHI could have been accessed. The data stored on the stolen laptop was limited to names, addresses, members’ identification numbers, dates of birth, genders, provider information, diagnoses, and medications. The laptop did not contain Social Security numbers or financial data....

Largest Healthcare Data Breaches of 2018
Dec27

This post summarizes the largest healthcare data breaches of 2018: healthcare data breaches that have resulted in the loss, theft, unauthorized accessing, impermissible disclosure, or improper disposal of 100,000 or more healthcare records. 2018 has seen 18 data breaches that have exposed 100,000 or more healthcare records. 8 of those breaches saw more than half a million healthcare records exposed, and three of those breaches exposed more than 1 million healthcare records.

A Bad Year for Healthcare Data Breaches

As of December 27, 2018, the Department of Health and Human Services’ Office for Civil Rights (OCR) has received notifications of 351 data breaches of 500 or more healthcare records. Those breaches have resulted in the exposure of 13,020,821 healthcare records. It is likely that the year will finish on a par with 2017 in terms of the number of reported healthcare data breaches; however, more than twice as many healthcare records have been exposed in 2018 as in 2017. In 2017, there were 359 data breaches of 500 or more records reported to OCR. Those breaches resulted in...

Data of More Than 500,000 Staff and Students Compromised in San Diego School District Phishing Attack
Dec27

The San Diego School District has announced it has suffered a major phishing attack that has resulted in the exposure of the personal data, including health information, of more than 500,000 staff and students. The phishing attack was detected in October 2018; however, an investigation into the breach revealed the hacker had network access for almost a year. Access to the network was first gained in January 2018 and the attacker continued to access the network until November 2018. The decision was taken not to alert the hacker to the discovery of the breach immediately. Instead, the school district first investigated the breach to determine the nature of the attack and the extent to which its network had been compromised. Access was only terminated when the initial phase of the investigation was completed. San Diego School District conducted the investigation in conjunction with the San Diego Unified Police and has identified the hacker responsible for the attack. All compromised accounts have now been reset and unauthorized access to staff and student data is no longer possible....

Massachusetts Attorney General Issues $75,000 HIPAA Violation Fine to McLean Hospital
Dec21

Massachusetts Attorney General Maura Healey has issued a $75,000 HIPAA violation fine to McLean Hospital over a 2015 data breach that exposed the protected health information (PHI) of approximately 1,500 patients. McLean Hospital, a psychiatric hospital in Belmont, MA, allowed an employee to regularly take 8 backup tapes home. When the employee was terminated in May 2015, McLean Hospital was only able to recover four of the backup tapes. The backup tapes were unencrypted and contained the PHI of approximately 1,500 patients, employees, and deceased donors of the Harvard Brain Tissue Resource Center. The lost backup tapes included clinical and demographic information such as names, Social Security numbers, medical diagnoses, and family histories. In addition to the exposure of PHI, the state AG’s investigation revealed there had been employee training failures and McLean Hospital had not identified, assessed, and planned for security risks. The loss of the tapes was also not reported in a timely manner and the hospital had failed to encrypt PHI stored on portable devices or use an...

November 2018 Healthcare Data Breach Report
Dec20

For the second consecutive month there has been an increase in both the number of reported healthcare data breaches and the number of records exposed, stolen, or impermissibly disclosed. November was the worst month of the year to date for healthcare data breaches in terms of the number of exposed healthcare records. 3,230,063 records were exposed, stolen, or impermissibly disclosed in the breaches reported in November. To put that figure into perspective, that’s more records than were exposed in all 180 data breaches reported to the HHS’ Office for Civil Rights (OCR) in the first half of 2018. There were 34 healthcare data breaches reported to OCR in November, making it the second worst month of the year to date for breaches, behind June when 41 breaches were reported.

Largest Healthcare Data Breaches in November 2018

The largest healthcare data breach of 2018 was reported in November by Accudoc Solutions, a business associate of Atrium Health that provides healthcare billing services. That single breach resulted in the exposure of more than 2.65 million healthcare records....

Credit Card Numbers Exposed in BJC Healthcare Breach
Dec19

BJC HealthCare, one of the largest not-for-profit healthcare networks in the United States, has discovered hackers have gained access to the website hosting its patient portal and have uploaded malware that potentially intercepted credit/debit card numbers as they were entered in the payment portal. The breach was discovered on November 19, 2018. The internal investigation revealed malware had been uploaded to the payment portal on October 25, 2018 and payment information may have been intercepted until November 8, 2018. During that time, 5,850 credit/debit card payments had been processed. BJC HealthCare reports that no Social Security numbers or medical information was compromised. The breach was limited to patients’ names, addresses, and dates of birth, along with the name, billing address, and credit card information or bank information of the person making the payment. While the above information was potentially intercepted, BJC HealthCare has not received any reports to suggest the attackers obtained and misused patients’ or payors’ data. However, all affected individuals...

Up to 32,000 Patients Impacted by Elizabethtown Community Hospital Email Account Breach
Dec18

Approximately 32,000 patients of the University of Vermont Health Network’s Elizabethtown Community Hospital are being notified that some of their protected health information (PHI) has been exposed as a result of an email account breach. On October 18, 2018, Elizabethtown Community Hospital discovered an unauthorized individual had gained access to an employee’s email account. The password for the compromised email account was immediately changed and a leading forensic security firm was retained to conduct an investigation into the breach. The investigation, which lasted 60 days, confirmed that a single email account was compromised on October 9, 2018. The hospital’s information technology systems were not accessed and medical records remained secure at all times. An analysis of the breached email account revealed it contained the PHI of around 32,000 patients. The types of information that were exposed differed from patient to patient and may have included names, addresses, dates of birth, primary information such as medical record numbers, dates of service, summaries of services...

PHI Accessed by Contra Costa Health Plan Contractor Who Falsified Identity to Win Contracts
Dec17

Contra Costa Health Plan (CCHP) has started notifying certain patients that some of their protected health information may have been viewed by an unauthorized individual. That individual was a contractor who won a series of contracts related to utilization management. The contractor first started working with CCHP on December 1, 2014, and was given access to systems containing health plan records to complete her contracted duties. On May 22, 2018, CCHP learned that the contractor had falsified her identity in order to win the contracts. Upon discovery of the fraud, CCHP terminated the contract and blocked access to its systems. A full audit of the activities of the contractor was conducted to determine what systems had been accessed and whether plan members’ data had been viewed. The audit revealed that the contractor had accessed plan members’ health plan records while performing her utilization management duties, although no evidence was uncovered to suggest any of the information contained in those records has been further disclosed by the contractor or used inappropriately. The...

16,000 Mind & Motion Patients Impacted by Ransomware Attack
Dec14

Mind & Motion Developmental Centers of Georgia has announced that hackers have succeeded in installing ransomware and malware on a server, which has potentially allowed them to gain access to patients’ protected health information. The ransomware was downloaded and executed on a server housing Mind & Motion medical records. The types of data that were potentially compromised include names, addresses, birth dates, patients’ gender, medical histories, medical diagnoses, health insurance information, and Social Security numbers. It is also possible that medical records were compromised as a result of the attack. Mind & Motion discovered the ransomware attack on September 30, 2018. An IT vendor, TeamLogic IT, was retained to investigate the breach, determine how the attack occurred, and help recover data that had been rendered inaccessible by the ransomware. In addition to the ransomware infection, TeamLogic IT discovered an inactive keylogger and a spam emailer on the server. All malware was successfully removed and associated accounts were deleted. TeamLogic IT did not...

EmblemHealth Pays $100,000 HIPAA Violation Penalty to New Jersey for 2016 Data Breach
Dec11

The health insurance provider EmblemHealth has been fined $100,000 by New Jersey for a 2016 data breach that exposed the protected health information (PHI) of more than 6,000 New Jersey plan members. On October 3, 2016, EmblemHealth sent Medicare Part D Prescription Drug Plan Evidence of Coverage documents to its members. The mailing labels included beneficiary identification codes and Medicare Health Insurance Claim Numbers (HCIN), which mirror Social Security numbers. The documents were sent to more than 81,000 policy members, 6,443 of whom were New Jersey residents. The New Jersey Division of Consumer Affairs investigated the breach and identified policy, procedural, and training failures. Previous mailings of Evidence of Coverage documents were handled by a trained employee, but when that individual left EmblemHealth, mailing duties were handed to a team manager who had only been given minimal task-specific training and worked unsupervised. That individual sent a data file to EmblemHealth’s mailing vendor without first removing HCINs, which resulted in the HCINs being printed...

48,000 Patients of Frisco Medical Center Notified of Breach of Payment Information
Dec11

Baylor Scott & White Medical Center in Frisco, TX, has discovered the payment information of almost 48,000 patients and guarantors may have been compromised. The medical center, which is jointly managed by United Surgical Partners International (USPI) and Baylor Scott & White Health, discovered an issue with the credit card processing system of one of its vendors. The investigation revealed there had been a week-long computer intrusion between September 22 and September 29. Upon discovery of the issue, the medical center informed the vendor and stopped all credit card processing through the vendor’s system. Baylor Scott & White Health did not uncover evidence to suggest any patient/guarantor information had been further disclosed or misused; however, as a precaution, all individuals affected by the incident have been offered one year of complimentary credit monitoring services through TransUnion Interactive. The security breach was limited to the third-party vendor’s system. Hospital information and clinical systems remained secure at all times. No health information or...

6,450 Prairie Fields Family Medicine Patients Notified About Email-Related Privacy Breach
Dec10

Prairie Fields Family Medicine in Fremont, NE, is alerting 6,450 patients that some of their protected health information was contained in an unencrypted spreadsheet that was inadvertently sent to the wrong email recipient. The email was sent on October 1, 2018, and the error was discovered the same day. Prairie Fields Family Medicine has made multiple attempts to contact the owner of the email account to ensure the spreadsheet is securely deleted but, so far, no response has been received. The lack of contact has led Prairie Fields Family Medicine to believe the email account is no longer in use and has been abandoned, although the possibility remains that the spreadsheet has been opened and patient information has been compromised. The spreadsheet did not contain any financial data or health information typically contained in medical records. The breach was limited to patients’ first and last names, birth date, telephone number, first language spoken, sex, race, and, for certain patients, primary and secondary health insurer information, including providers’ names and account...

16,000 Redwood Eye Center Patients Impacted by MSP Breach
Dec07

A managed service provider that hosts the electronic health records of Redwood Eye Center in Vallejo, CA, has experienced a security breach that has resulted in the exposure of 16,000 patients’ protected health information. IT Lighthouse provides computer support and application hosting services, including the hosting of electronic health records. During the evening of September 19, 2018, hackers succeeded in installing ransomware on a server that was hosting the electronic health records of patients of Redwood Eye Center. Redwood Eye Center was notified about the security breach on September 20, 2018. A third-party computer forensics firm was hired by IT Lighthouse to assist with the investigation and a specialized medical software vendor was consulted and helped Redwood Eye Center recover the affected data. The types of data that were potentially accessed by the attackers included patients’ names, addresses, birth dates, health insurance information, and medical treatment information. The investigation did not uncover any evidence to suggest the attackers accessed the PHI of...

PHI of 41,000 Patients of Cancer Centers of America Potentially Compromised in Phishing Attack
Dec05

Cancer Centers of America’s Western Regional Medical Center in Bullhead City, AZ, has discovered the email account of one of its employees has been compromised as a result of a response to a phishing email. The phishing email appeared to have been sent from the email account of a Cancer Treatment Centers of America executive and used social engineering techniques to fool the employee into disclosing login credentials to the account. The attacker was able to access the account, but only for a limited time as the account compromise was detected by IT staff and the user’s account password was reset. However, during the time that the email account was accessible it is possible that some messages containing patients’ protected health information (PHI) were accessed. Cancer Treatment Centers of America called in a nationally recognized computer forensics firm to assist with the investigation. While it was not possible to tell which, if any, emails were accessed, it was discovered that the compromised email account contained the PHI of 41,948 patients. The information in the emails varied...

Ransomware Attacks Reported by Healthcare Providers in Illinois and Rhode Island
Dec05

A roundup of recent healthcare ransomware attacks, privacy breaches, and security incidents that have been announced in the past few days.

Center for Vitreo-Retinal Diseases Ransomware Attack Impacts 20,371 Patients

The Center for Vitreo-Retinal Diseases in Libertyville, IL, experienced a ransomware attack that resulted in the encryption of data on its servers. The attack was detected on September 18, 2018. The investigation into the breach suggests the attacker may have gained access to the protected health information of 20,371 patients that was stored on the affected servers. The attack appeared to have been conducted with the intention of extorting money from the practice. While it is possible that patient information was accessed by the attacker, no evidence of unauthorized data access, data theft, or misuse of patient information has been discovered. The information that was potentially compromised included names, addresses, telephone numbers, birth dates, health insurance information, health data, and the Social Security numbers of Medicare patients. The Center for...

12 State Attorneys General File HIPAA Breach Lawsuit Against Medical Informatics Engineering
Dec05

A multi-state federal lawsuit has been filed against Medical Informatics Engineering and NoMoreClipboard over the 2015 data breach that exposed the data of 3.9 million individuals. Indiana Attorney General Curtis Hill is leading the lawsuit and 11 other states are participating – Arizona, Arkansas, Florida, Iowa, Kansas, Kentucky, Louisiana, Minnesota, Nebraska, North Carolina and Wisconsin. This is the first time that state attorneys general have joined forces in a federal lawsuit over a data breach caused by violations of the Health Insurance Portability and Accountability Act. The lawsuit seeks a financial judgement, civil penalties, and the adoption of a corrective action plan to address all compliance failures.

A Failure to Implement Adequate Security Controls

The lawsuit alleges Medical Informatics Engineering failed to implement appropriate security to protect its computer systems and sensitive patient data and, as a result of those failures, a preventable data breach occurred. According to the lawsuit, “Defendants failed to implement basic industry-accepted data...

7,000 Patients Affected by Georgia Spine and Orthopaedics of Atlanta Phishing Attack
Nov29

Georgia Spine and Orthopaedics of Atlanta (GSOA) is notifying thousands of patients that some of their protected health information has been exposed, and potentially stolen, as a result of a phishing attack. An investigation into the data breach revealed an unauthorized individual gained access to an email account as a result of the employee responding to a phishing email. That response allowed the attacker to obtain the employee’s email account password. Third-party computer forensics experts were contracted to conduct a detailed investigation into the attack to determine the extent of the breach and find out which patients had been affected. The investigation confirmed that a single email account had been compromised on July 11, 2018. An evaluation of GSOA’s technology systems was also conducted to ensure that they were secure. In order to determine which patients had been affected, a painstaking manual analysis of all emails in the compromised account was performed to determine which messages had been accessed by the attacker. GSOA reports that the way the email account was...

DOJ Indicts Two Iranian Hackers for Role in SamSam Ransomware Attacks
Nov29

The U.S. Department of Justice has announced significant progress has been made in the investigation of the threat actors behind the SamSam ransomware attacks that have plagued the healthcare industry over the past couple of years. The DOJ, assisted by the Royal Canadian Mounted Police, Calgary Police Service, and the UK’s National Crime Agency and West Yorkshire Police, has identified two Iranians who are believed to be behind the SamSam ransomware attacks. Both individuals – Faramarz Shahi Savandi and Mohammad Mehdi Shah Mansouri – have been operating out of Iran since 2016 and have been indicted on four charges:

Conspiracy to commit fraud and related computer activity
Conspiracy to commit wire fraud
Intentional damage to a protected computer
Transmitting a demand in relation to damaging a protected computer

The DOJ reports that this is the first ever U.S. indictment against criminals over a for-profit ransomware, hacking, and extortion scheme. In contrast to many threat actors who use ransomware for extortion, the SamSam ransomware group conducts targeted, manual attacks on...

2.65 Million Atrium Health Patients Impacted by Business Associate Data Breach
Nov28

AccuDoc Solutions Inc., a provider of healthcare billing services, has experienced a major data breach in which the protected health information of 2,650,000 patients of Atrium Health was exposed. Morrisville, NC-based AccuDoc Solutions prepares bills for patients and operates the online payment system used by Atrium Health, a network of 44 hospitals throughout North Carolina, South Carolina and Georgia. On October 1, 2018, AccuDoc Solutions notified Atrium Health that some of its databases had been compromised. The breach investigation revealed hackers had gained access to AccuDoc Solutions databases between September 22 and September 29, 2018. An extensive forensic investigation into the attack confirmed that patient information had been compromised, but the information stored in its databases could only be viewed. No PHI was downloaded by the attackers nor distributed via other channels. AccuDoc Solutions reports that the breach was due to a security vulnerability at a third-party vendor. The business relationship with that vendor has now been terminated. AccuDoc Systems has...

Tandigm Health Website Vulnerability Exposed 7,000 Patients’ PHI
Nov27

A vulnerability on a website used by the value-based healthcare company Tandigm Health could potentially have been exploited to gain access to patients’ protected health information. The website vulnerability was discovered by Tandigm Health on September 25, 2018. A leading computer forensics firm assisted with the investigation to determine whether the flaw could be exploited remotely, whether patients’ protected health information had been accessed, and the types of information that may have been exposed. The investigation confirmed that the flaw could have been exploited to gain access to sensitive patient information between April 24, 2017 and December 31, 2017. The information accessible through the website was limited to names, birth dates, medical information, and health insurance information. Approximately 7,000 patients’ protected health information was accessible through the website. The investigation did not uncover any evidence to suggest the flaw had been exploited and no reports have been received to suggest patient information has been stolen or misused. Out of an...

Mercy Medical Center North Iowa Notifies 1,900 Patients About Potential PHI Exposure
Nov27

Mercy Medical Center North Iowa has discovered a former employee potentially accessed the medical records of patients without authorization over a period of 12 months. An internal investigation suggested a former employee had inappropriately accessed patient information between July 2017 and July 2018. The employee had been given access to patient information to complete work duties, but Mercy Medical Center North Iowa was unable to confirm whether all records had been accessed for appropriate job-related purposes. The types of information the former employee accessed were limited to names, addresses, birth dates, medications, and insurance information. Breach notification letters were mailed to affected patients on November 26, 2018 and all individuals whose personal information was exposed have been offered 12 months of complimentary identity theft protection services. The discovery of the unauthorized access has prompted Mercy Medical Center North Iowa to review its privacy practices and further training will be provided to employees to reinforce past training on hospital and...

OCR Fines Allergy Practice $125,000 for Impermissible PHI Disclosure
Nov26

The Department of Health and Human Services’ Office for Civil Rights (OCR) has fined a Hartford allergy practice $125,000 over alleged violations of the HIPAA Privacy Rule. On October 6, 2015, OCR received a copy of a civil rights complaint that had been filed with the Department of Justice (DOJ). The complainant alleged Allergy Associates of Hartford – a Connecticut healthcare provider that specializes in treating patients with allergies – had impermissibly disclosed her protected health information to a TV reporter. The complainant had previously contacted a local TV station after she had been turned away from the allergy practice because of her service animal. The TV reporter subsequently contacted the practice seeking comment. A physician at the practice spoke to the reporter and impermissibly disclosed some of the patient’s protected health information. OCR’s investigation confirmed there had been an impermissible disclosure of PHI, in violation of the HIPAA Privacy Rule – 45 C.F.R. § 164.502(a). The physician in question had already been advised by the practice’s...

53% Of Healthcare Data Breaches Due to Insiders and Negligence
Nov22

The healthcare industry has had more than its fair share of hacking incidents, but the biggest threat comes from within. The actions of healthcare providers, health insurers, and their employees cause more breaches than hacking, malware, and ransomware attacks. Researchers at Michigan State University and Johns Hopkins University analyzed data breaches reported to the Department of Health and Human Services’ Office for Civil Rights (OCR) over the past 7 years and found that more than half of breaches were the result of internal negligence. The research study, which was recently published in the journal JAMA Internal Medicine, is a follow-on from a 2017 study that explored the risk of hospital data breaches and the types of hospitals that were most prone to data breaches. While the previous research cast light on which hospitals were most vulnerable, little information was available on the main causes of the breaches. The latest study addresses that gap in knowledge. The researchers performed a retrospective analysis of the 1,183 healthcare data breaches reported to OCR between...

October 2018 Healthcare Data Breach Report
Nov21

Our October 2018 healthcare data breach report shows there has been a month-over-month increase in healthcare data breaches, with October seeing more than one healthcare data breach reported per day. 31 healthcare data breaches were reported by HIPAA-covered entities and their business associates in October – 6 incidents more than the previous month. It should be noted that one breach at a business associate was reported to OCR as three separate breaches. The number of breached records in September (134,006) was the lowest total for 6 months, but the downward trend did not continue in October. There was a massive increase in exposed protected health information (PHI) in October. 2,109,730 records were exposed, stolen or impermissibly disclosed – 1,474% more than the previous month. In October, the average breach size was 68,055 records and the median was 4,058 records.

Largest Healthcare Data Breaches in October 2018

There were 11 healthcare data breaches of more than 10,000 records reported in October – a 120% increase from the five 10,000+ record breaches in September. The...

Key Dental Group Alerts Patients About Potential HIPAA Violation
Nov21

Key Dental Group, a dental practice in Pembroke Pines, FL, is informing patients of an alleged HIPAA violation that could potentially result in the unauthorized accessing of patients’ protected health information (PHI). After changing its electronic medical record (EMR) database provider, Key Dental Group requested its former vendor, MOGO, to return its EMR database. Even though the end user license agreement (EULA) stated that all patient data must be returned on termination of the agreement, MOGO has refused to return the database. MOGO communicated to Key Dental Group, via its attorney, that the database would not be returned. The Pembroke Pines dental practice alleges that in addition to violating the EULA, MOGO, as a HIPAA business associate, is in violation of the Health Insurance Portability and Accountability Act. Any security breach, such as the unauthorized accessing of patients’ protected health information, requires notifications to be sent to affected patients. Key Dental Group cannot say whether the database has been accessed after the termination of the EULA,...

Stolen FHN Healthcare Laptop Contained the PHI of 4,458 Patients
Nov21

FHN Healthcare, which operates FHN Memorial Hospital in Freeport, IL, and a network of family healthcare centers throughout northwest Illinois, has learned that a laptop computer containing the protected health information of 4,458 patients has been stolen from the vehicle of an employee. The theft was immediately reported to law enforcement, but the device has not been recovered. FHN Healthcare reconstructed the data stored on the device and discovered it contained names, addresses, birth dates, medical record numbers, health insurance information, medical information, Social Security numbers, and driver’s license numbers. FHN Healthcare already encrypts all its laptop computers, although the investigation into the incident revealed that the stolen device had not been encrypted and was only protected with a password. FHN reports that the lack of encryption was due to a technical issue with its encryption software and that the missed device was an isolated incident. The discovery of the encryption failure has prompted FHN Healthcare to re-encrypt all its laptop computers. The...

128,400 Employees and Patients Impacted by Phishing Attack on Albany Cancer Treatment Center
Nov20

New York Oncology Hematology in Albany, NY, has announced that hackers have gained access to 15 employee email accounts which contained the sensitive information of as many as 128,400 current and former patients and employees. As is common in phishing attacks, the emails contained a hyperlink to a seemingly legitimate email login page which requested usernames and passwords. When the information was entered it was harvested by the attackers. According to the substitute breach notice on the New York Oncology Hematology website, each compromised email account only remained accessible for a short period of time before access was terminated. The email breaches were identified by New York Oncology Hematology’s IT vendor, which shut down access to the compromised accounts by resetting the passwords. Access to 14 email accounts was gained on April 20, and a second attack took place between April 21 and April 27, which resulted in a further email account being compromised. New York Oncology Hematology hired a third-party computer forensics firm to investigate the breach and, on October 1,...

Email Hacking Incident Reported by Episcopal Health Services
Nov20

Certain current and former patients of St. John’s Episcopal Hospital and Episcopal Health Services in New York are being notified that some of their protected health information has potentially been compromised. On September 18, 2018, Episcopal Health Services became aware of suspicious activity in several employee email accounts. An investigation was immediately launched, and a third-party digital forensics firm was called in to determine the nature and scope of the breach. The investigation revealed multiple employee email accounts had been compromised between August 28, 2018 and October 5, 2018. A thorough review of the compromised email accounts was completed on November 1. The types of information exposed differed from patient to patient but may have included name, date of birth, Social Security number, medical history, prescription information, diagnoses, treatment information, medical record number, financial information, and health insurance information. “Episcopal Health Services is committed to, and takes very seriously, its responsibility to protect all data entrusted to...

HealthEquity Notifies 165,800 Individuals of Email Security Breach
Nov19

HealthEquity is notifying 165,800 individuals that some of their protected health information has been exposed as a result of an email security breach. HealthEquity is a Utah-based company that provides services to help individuals gain tax advantages to offset the cost of healthcare, either through employers or health plans. Those services include health savings accounts (HSAs), health flexible spending arrangements (FSAs), limited purpose FSAs, and dependent care reimbursement accounts (DCRAs). In order to provide those services, HealthEquity has access to protected health information, some of which is communicated via email for business purposes. On October 5, 2018, HealthEquity’s security team discovered two Office 365 email accounts had been accessed by an unauthorized individual. On October 20, 2018, following an analysis of the cyberattack, HealthEquity confirmed that two employee email accounts had been breached and that those accounts contained the sensitive personal information of employees and individuals who benefited from its services through their health plan or...

2,393 Patients of Southwest Washington Regional Surgery Center Impacted by Phishing Attack
Nov16

Southwest Washington Regional Surgery Center in Vancouver, WA, has suffered a phishing attack that has resulted in the exposure of 2,393 patients’ protected health information. The breach was confined to a single email account, and no evidence was uncovered to suggest any emails have been accessed or downloaded by the attacker. An extensive investigation was conducted with assistance provided by a third-party cybersecurity firm. The investigation concluded on September 25. The investigation included a manual review of all emails in the compromised account to identify patients affected and the types of information that may have been compromised. Southwest Washington Regional Surgery Center explained in its breach notice that the breach was limited to the following PHI elements: names, driver’s license numbers, Social Security numbers, medical information, and for a limited number of patients, credit card numbers. The investigation revealed the email account was compromised on May 27, 2018, and access remained possible until August 13, 2018. Patients impacted by the breach were sent...

HealthCare.gov Data Breach Exposed Personal Information of 94,000 Individuals
Nov15

Last month, the Centers for Medicare & Medicaid Services (CMS) announced that the HealthCare.gov website had been hacked and the sensitive data of approximately 75,000 individuals had potentially been compromised. This week, the CMS issued an update on the breach confirming more people had been affected than was initially thought. The revised estimate has seen the number of breach victims increase to 93,689. The initial breach announcement was light on details about the exact nature of the breach and the types of information that had potentially been compromised. In the initial announcement the CMS explained that suspicious activity was detected on the site on October 13 and on October 16 a breach was confirmed. Steps were immediately taken to secure the site and prevent any further data access or data theft. The CMS started sending out breach notification letters on November 7 which explain the breach in more detail, including the types of information that were potentially accessed. CMS explained that the ‘suspicious activity’ it detected was certain agent and broker accounts...

30,000 Patients Impacted by May Eye Care Center Ransomware Attack
Nov14

A July 2018 ransomware attack on May Eye Care Center in Hanover, PA saw a range of sensitive patient information encrypted, including data in its electronic medical record system. The ransomware attack was discovered by May Eye Care on July 29, 2018. The ransomware was downloaded on a server that contained patients’ names, addresses, dates of birth, insurance information, diagnoses, treatment information, clinical information, and a limited number of Social Security numbers. May Eye Care Center called in a leading computer forensics company to investigate the breach, and an IT firm that specializes in data security was engaged to conduct a full review of security systems and protocols. Security has now been improved to prevent further attacks. A ransom demand was received, but no payment was made. May Eye Care Center was able to recover all of the files encrypted by the ransomware from backups without any loss of data. All patients impacted by the incident have been notified and the breach was reported to the Department of Health and Human Services’ Office for Civil Rights on...

1,800 Patients’ PHI Compromised in Metrocare Services Phishing Attack
Nov14

Metrocare Services, the largest provider of mental health services in North Texas, has suffered a phishing attack that has resulted in the exposure of 1,804 patients’ protected health information. Several employee email accounts were compromised in the attack, with the first account breach occurring on August 2, 2018. Metrocare did not discover the phishing attacks until September 4. As soon as the breach was discovered, steps were taken to secure the accounts. Metrocare has also given its employees additional training on information security, additional measures are being introduced to improve the security of its information technology infrastructure, and email security has been strengthened. The investigation into the breach could not determine whether any emails containing patients’ protected health information were accessed by the attackers, but data access could not be ruled out. No reports have been received that suggest any PHI has been misused. The types of information that were exposed differed from patient to patient and included data such as names, dates of birth,...

Former Chilton Medical Center IT Worker Gets 5 Years’ Probation for Theft of Equipment Containing ePHI
Nov13

A former IT worker at Chilton Medical Center in New Jersey has been sentenced to 5 years’ probation for the theft of IT equipment that contained the protected health information of some of its patients. Sergiu Jitcu, of Saddle Brook, NJ, had previously been employed by Chilton Medical Center. On October 31, 2017, Chilton Medical Center learned that one of its hard drives had been sold on eBay. The purchaser discovered databases on the hard drive that appeared to include the protected health information (PHI) of some of its patients. The subsequent investigation revealed the hard drive contained the PHI of 4,600 patients who had received medical services at Chilton Medical Center between May 1, 2008 and October 15, 2017. The types of information on the hard drive included names, addresses, dates of birth, allergy information, medical record numbers, and medications. The theft was reported to the Morris County Prosecutor’s Office and was linked to Jitcu. The Morris County Prosecutor’s Office Specialized Crime Division obtained a search warrant for Jitcu’s home and vehicle and...

Health First Phishing Attack Impacts 42,000 Customers
Nov13

Health First Inc., a four-hospital Florida-based health system, experienced a hacking/IT incident earlier this year that was reported to the Department of Health and Human Services’ Office for Civil Rights on October 5. According to the OCR breach summary, 42,000 customers were affected by the breach. Further information has now been released on the nature of the breach. According to Health First, the email accounts of multiple employees were compromised in the phishing attack. The exposed protected health information was contained in the compromised email accounts. The electronic medical record system was unaffected by the attack. An investigation into the breach revealed the attackers first gained access to employee email accounts in February 2018. Those email accounts were used to conduct further phishing attacks on other Health First employees until May 2018. According to Health First, the attackers gained access to “a small number” of employee email accounts. The compromised email accounts contained a limited amount of protected health information such as names, addresses, and...

1,216 Patient Records Impermissibly Accessed by Former Upstate University Hospital Employee
Nov12

Upstate University Hospital in Syracuse, NY, is notifying 1,216 patients that some of their protected health information (PHI) has been impermissibly accessed by a former employee. Upstate University Hospital discovered the breach on September 12, 2018, which prompted a full investigation to determine which patients had had their privacy violated. The investigation revealed that the former employee first accessed patient health records without any legitimate work reason for doing so on November 3, 2016. Patient records continued to be accessed until October 23, 2017. The investigation did not uncover any evidence to suggest any information had been printed, copied, or forwarded outside the organization. It is unclear why the former employee accessed the records. No information on the motives behind the privacy violations has been made public. Highly sensitive information such as Social Security numbers, financial information, health insurance information and other information typically sought by identity thieves were not compromised and remained secure at all times. The breach was...

Billing Records of 12,331 Patients of Inova Health System Have Been Compromised
Nov09

Falls Church, VA-based Inova Health System has started notifying 12,331 patients that some of their protected health information has been accessed by an unauthorized individual. Inova Health System was contacted by law enforcement on September 5, 2018 over a suspected breach of patients’ billing information. A leading computer forensics firm was engaged to conduct an investigation into the breach to determine the nature of the attack and the extent of the breach. The investigation revealed its billing system was first accessed by an unauthorized individual in January 2017, and again between July and October 2017. Access was gained using the login credentials of an Inova employee. Peculiarly, Inova also reported that the same individual gained access to paper billing records of a small number of patients in December 2016, which suggests that this may have been an insider breach involving a former employee, business associate or another individual with access to Inova facilities. However, no information about the individual responsible for the breach has been made public by...

Altus Hospital Baytown Suffers Dharma Ransomware Attack
Nov09

Altus Hospital in Baytown, TX, has experienced a ransomware attack that resulted in the encryption of many hospital records. The electronic medical record system was not affected, although some of the encrypted files contained patients’ protected health information including names, home addresses, contact telephone numbers, birth dates, Social Security numbers, credit card information, driver’s license numbers, and medical information. The attack was discovered on September 3, 2018. Altus Hospital received a ransom demand; however, assisted by a third-party security consultant, Altus Hospital was able to restore all affected files from backups. The investigator determined that the attacker gained access to the hospital’s servers before deploying a Dharma ransomware variant. Altus Hospital believes the aim of the attack was solely to extort money from the hospital. Data access and theft of patient information are not believed to have occurred. While the attack was limited to Baytown hospital servers, some of the information stored on those servers came from the following affiliated...

566,217 Customers of Chicago-Based Health Insurer Impacted by Data Breach
Nov07

The Chicago-based health insurer Bankers Life, a division of CNO Financial Group Inc., has discovered hackers gained access to its systems and potentially stole the personal information of more than half a million individuals. Bankers Life provides a range of insurance services to customers, including life insurance, long term care insurance, health insurance, and Medicare supplemental insurance and is the largest division of CNO Financial Group. Hackers gained access to its systems between May 30 and September 13, 2018. Bankers Life said it discovered the breach on August 7, 2018. The hackers gained access to a range of sensitive personal information of a ‘limited number’ of its employees. A ‘limited group’ of customers had names, Social Security numbers, driver’s license numbers, bank account numbers, state identification numbers, medication information, diagnoses, and treatment information exposed. The protected health information of a much larger group of customers was also potentially accessed by the hackers. For that group, names, addresses, dates of birth, insurance policy...

Q3 Healthcare Data Breach Report: 4.39 Million Records Exposed in 117 Breaches
Nov07

The latest installment of the Breach Barometer Report from Protenus shows there was a quarterly fall in the number of healthcare data breaches compared to Q2, 2018; however, the number of healthcare records exposed, stolen, or impermissibly disclosed increased in Q3. In each quarter of 2018, the number of healthcare records exposed in data breaches has risen. Between January and March, 1,129,744 healthcare records were exposed in 110 breaches. Between April and June, 3,143,642 records were exposed in 142 breaches, and 4,390,512 healthcare records were exposed, stolen, or impermissibly disclosed between July and September in 117 breaches. The largest healthcare data breach in Q3 was reported by the Iowa health system UnityPoint Health. The breach was due to a phishing attack that saw multiple email accounts compromised. Those accounts contained the protected health information of more than 1.4 million patients. That breach was the second phishing attack experienced by UnityPoint Health. An earlier phishing attack resulted in the exposure of 16,400 healthcare records. In Q3, hacking...

Ransomware Attacks Increase: Healthcare Industry Most Heavily Targeted
Nov02

Ransomware attacks are on the rise once again and healthcare is the most targeted industry, according to the recently published Beazley Q3 Breach Insights Report. 37% of ransomware attacks managed by Beazley Breach Response (BBR) Services affected healthcare organizations – more than three times the number of attacks as the second most targeted industry: professional services (11%). Kaspersky Lab, McAfee, and Malwarebytes have all released reports in 2018 that suggest ransomware attacks are in decline; however, Beazley’s figures show monthly increases in attacks in August and September, with twice the number of attacks in September compared to the previous month. It is too early to tell if this is just a blip or if attacks will continue to rise. The report highlights a growing trend in cyberattacks involving multiple malware variants. One example was a campaign over the summer that saw the Emotet banking Trojan downloaded as the primary payload with a secondary payload of ransomware. Emotet is used to steal bank credentials and has the capability to download further...

Missouri Department of Health and Senior Services Contractor Improperly Retained 10,400 Individuals’ PHI
Oct30

The Missouri Department of Health and Senior Services (MHSS) is notifying 10,400 patients of a data privacy incident involving some of their protected health information (PHI). Under Health Insurance Portability and Accountability Act (HIPAA) Rules, HIPAA-covered entities are permitted to share patients’ PHI with contractors that perform certain duties on behalf of the covered entity. The contractors, who are classed as business associates, must enter into a business associate agreement with the covered entity and agree to comply with HIPAA Rules. When the association ends, the business associates must return all PHI to the covered entity or, under the direction of the covered entity, ensure that the PHI is permanently and securely erased. MHSS has discovered that an IT contractor has improperly retained the PHI of 10,400 patients after the contracted duties had been completed. Further, patients’ PHI was stored in an electronic file that was not password-protected. The IT contractor had worked on an information system used by the MHSS prior to September 30, 2016. On August 30,...

Stolen Raley’s Pharmacy Laptop May Have Contained PHI of 10,000 Patients
Oct30

Approximately 10,000 patients of Raley’s Pharmacy are being notified that some of their protected health information (PHI) has potentially been compromised. On September 24, 2018, a laptop computer that may have contained some patients’ PHI was stolen from a Raley’s pharmacy. Raley’s Pharmacy immediately launched an investigation to determine what information was stored on the device. Interviews were conducted with staff members who had used the device in an attempt to understand the types of content that may have been exposed. The email accounts of employees were also checked for attachments and links to documents that contained ePHI, to determine which files had been downloaded or were stored in cache files in a temporary directory on the laptop. After careful analysis, Raley’s Pharmacy was able to determine that the only patients affected by the security incident were those that had visited a Raley’s, Bel Air, or Nob Hill Foods pharmacy between January 1, 2017 and September 24, 2018 to have prescriptions filled. An analysis of the files which had potentially been downloaded to...

PHI of 40,000 Patients of Sioux City Eye Clinic Potentially Compromised
Oct26

The protected health information of up to 40,000 patients of the Jones Eye Clinic and its affiliated surgery center, CJ Elmwood Partners, L.P., in Sioux City, IA has potentially been compromised. The breach is the result of a ransomware attack which affected data stored in an information system used for scheduling appointments and billing patients. Electronic medical records were unaffected as they were housed in a separate system which was not accessed by the attacker. Jones Eye Clinic discovered the ransomware attack on August 23, 2018, although an investigation by a third-party forensic investigator revealed that the attacker gained access to its system and installed the ransomware on the evening of August 22. A ransom was demanded for the keys to decrypt the files; however, no payment was made as it was possible to recover the files from backups. A full data restoration was completed on August 23. The investigation into the ransomware attack did not uncover any evidence to suggest that the attacker viewed or obtained patient data, although since data theft could not be ruled...
