Dedicated to providing the latest HIPAA compliance news

Our HIPAA breach news section covers HIPAA breaches such as unauthorized disclosures of protected health information (PHI), improper disposal of PHI, unauthorized PHI access by cybercriminals and rogue healthcare employees, and other security and privacy breaches.

When known, we explain how the breach occurred, the consequences to patients that may have had their PHI compromised, and the actions being taken by the affected healthcare organization to improve safeguards to prevent further HIPAA breaches.

We also explain any actions being taken by the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) and state attorneys general in relation to those breaches.

OCR investigates all data breaches that impact 500 or more individuals to determine whether any HIPAA violations have occurred. When HIPAA Rules are found to have been violated, financial penalties may be deemed appropriate, although it can take many months or years before any penalty is decided. Financial penalties for HIPAA violations tend to be reserved for the most serious breaches of HIPAA Rules; OCR prefers to resolve cases through voluntary compliance and by issuing recommendations to bring policies in line with HIPAA Rules.

The HIPAA breach news section is particularly relevant to healthcare information security professionals, privacy officers, and other individuals who have some responsibility for HIPAA compliance.

The HIPAA breach news reports highlight common areas of non-compliance and new attack vectors used by cybercriminals to gain access to healthcare networks and PHI, the security failings that allowed them to happen, and the measures that have been implemented to prevent them from happening again.

No healthcare organization wants to experience a data breach, but when a breach does occur, lessons can be learned. HIPAA-covered entities can use these breach examples to help train their staff as well as to discover some of the methods other covered entities have adopted to improve data security.

As you will be able to see from the volume of posts in the HIPAA breach news category, healthcare data breaches occur frequently. In 2016 and 2017, healthcare data breaches have been reported on an almost daily basis.

Our HIPAA breach news section is an important source of information about potential security issues that covered entities should be identifying when conducting their own risk assessments. Many of the situations in our HIPAA breach news posts could have been avoided if a risk assessment had identified a vulnerability that was later exploited to gain access to PHI.

The main purpose for adding HIPAA breach news to this website is to highlight specific aspects of HIPAA compliance that are commonly overlooked, often with serious consequences for the covered entity and patients/health plan members.

By raising awareness of the volume of healthcare data breaches, the implications of those breaches, and the penalties that can result, it is hoped that healthcare providers will take decisive action to prevent their patients’ and members’ data from being exposed.

The most recent healthcare data breach reports are listed below.

Plastic Surgery Clinic Employee Suspected of Stealing 15,000 Patient Records
Jun 02

A former employee of a Californian plastic surgery clinic is suspected of stealing the medical records of around 15,000 patients. The employee worked at the Rodeo Drive clinic in Beverly Hills run by Dr. Zain Kadri. The employee had been employed as a driver and translator since September 2016, but had subsequently been given other duties such as data entry. Allegedly, she quit the practice on May 13 after being accused of embezzlement. The employee was later discovered to have taken photographs of patients before and during surgical procedures and uploaded those pictures to the image sharing site Snapchat. Further data theft was uncovered in May while the clinic was transferring paper records to digital files. As part of that process, the clinic checked a company phone used by the former employee. Images were discovered on the device including photographs of patients, but also photographs of patient IDs, usernames and passwords, copies of checks and credit and debit card information. Conversations were also reportedly recorded by the employee. It is unclear how much of that...

Trios Health Discovers Employee Accessed EHR Without Authorization for 41 Months
Jun 02

The medical records of 570 Trios Health patients were accessed by an employee, without authorization, over a period of 41 months. In March, Trios Health noticed irregularities in its EHR access logs suggesting that patient records were being viewed without any legitimate work purpose. An investigation was launched and the employee was placed on leave. The investigation revealed the employee had accessed hospital patient records without authorization between October 2013 and March 2017. The types of information viewed included names, contact information, driver’s license numbers, Social Security numbers, dates of service, demographic information and limited medical information such as diagnoses. Interviews were conducted, and a spokesperson for Trios Health said, “We don’t know the motivation,” although it would appear that no harm was intended by the employee. Trios Health says the risk of information being used inappropriately is low, although credit monitoring and identity theft protection services are being offered to affected...

Molina Healthcare Patient Portal Discovered to Have Exposed Patient Data
May 31

Earlier this month, security researcher Brian Krebs was alerted to a flaw in a patient portal used by True Health Group that allowed patients’ test results to be viewed by other patients. While patients were required to log in to the patient portal before viewing their test results, the flaw allowed them to also view other patients’ results. Now the Medicaid and Affordable Care Act insurer Molina Healthcare is investigating a similar flaw in its patient portal that allowed the sensitive medical information of patients to be accessed by unauthorized individuals. In the case of Molina Healthcare, patients’ medical claims could be accessed without authentication. Brian Krebs contacted Molina Healthcare to alert the company to the flaw. An investigation was conducted and the patient portal was shut down while the issue was resolved. It is unclear how long the flaw existed, whether medical claims were viewed by unauthorized individuals, and if so, how many patients had their privacy violated. Potentially, the flaw resulted in the exposure of all customers’ medical...

Children’s Mercy Hospital Discovers Unauthorized Website Exposed 5,500 Patients’ PHI
May 31

A website created by a physician at Children’s Mercy Hospital in Kansas City, MO has recently been discovered to lack appropriate security protections, potentially allowing the protected health information of 5,511 patients to be viewed by unauthorized individuals. The physician created the website with good intentions and used the site as an educational resource. Data uploaded to the website was protected with a password to prevent unauthorized access. However, the protections in place to prevent unauthorized ePHI access did not meet the hospital’s security standards. The lack of security controls on the website meant information uploaded to the website could have been accessed by unauthorized individuals. Contact information (addresses and telephone numbers), Social Security numbers, financial information, health insurance details, photos and other images were not uploaded to the site. However, the website did contain information such as patients’ first and last names, gender, age, medical record number, encounter number, dates of service, admission and discharge dates,...

Beacon Health Employee Improperly Accessed 1,200 Patient Records Over 3 Year Period
May 30

A former Beacon Health System employee has been discovered to have accessed the medical records of approximately 1,200 patients without authorization over a period of three years. The privacy breach was uncovered during a routine audit of ePHI access logs, with the unauthorized access discovered on March 30, 2017. The employee in question was permitted to access patient records to perform work duties, although access rights were abused and the records of other patients were viewed even though there was no legitimate work reason for doing so. Upon discovery of the unauthorized access, Beacon Health conducted a full review with assistance from an external computer forensics firm and determined the inappropriate access started in March 2014. The employee was interviewed and claimed the records were accessed out of curiosity only and confirmed no information was copied or disclosed to other individuals. The medical records were accessed after patients visited the Emergency Room for treatment. The types of information in the records included patients’ names, ages, room numbers, chief...
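
Both the Trios Health case (41 months of unauthorized views, noticed from EHR log irregularities) and the Beacon Health case above (three years, caught in a routine audit of ePHI access logs) were found in the access logs that every certified EHR already keeps. The following is an added example, not code from this site or from either health system, of the kind of audit a privacy monitoring tool performs: each record view is checked against a table of treatment relationships (care-team assignments, extended by a short documentation grace period), and any user with unexplained views across several patients is surfaced together with the span of the activity. The log format, the CARE_TEAM table, the grace period and the threshold are constructed assumptions, not any vendor’s schema.

```python
"""Flag EHR record views that lack a treatment relationship (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access log (assumed format: timestamp user MRN action).
# The long-running pattern for "jdoe" is modelled on the cases in the text.
ACCESS_LOG = """\
2013-10-02T09:14:00 jdoe MRN1001 view
2013-10-02T09:20:00 jdoe MRN1002 view
2014-01-15T13:05:00 jdoe MRN1003 view
2015-06-11T08:40:00 jdoe MRN1004 view
2017-03-09T17:55:00 jdoe MRN1005 view
2017-03-09T10:00:00 asmith MRN1001 view
2017-03-09T10:30:00 asmith MRN1006 view
2017-03-10T11:00:00 asmith MRN1001 update
"""

# Constructed treatment relationships: (user, MRN, start, end) windows in
# which the user was on the patient's care team.
CARE_TEAM = [
    ("jdoe",   "MRN1001", "2013-10-01", "2013-10-05"),
    ("asmith", "MRN1001", "2017-03-08", "2017-03-12"),
    ("asmith", "MRN1006", "2017-03-01", "2017-03-31"),
]


def parse_log(text):
    """Parse whitespace-separated access lines into dicts with a datetime."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, mrn, action = line.split()
        rows.append({"ts": datetime.fromisoformat(ts), "user": user,
                     "mrn": mrn, "action": action})
    return rows


def build_windows(care_team, grace_days=7):
    """Map (user, MRN) -> list of (start, end); the end is extended by a
    documentation grace period so late charting is not flagged."""
    windows = defaultdict(list)
    for user, mrn, start, end in care_team:
        s = datetime.fromisoformat(start)
        e = datetime.fromisoformat(end) + timedelta(days=grace_days)
        windows[(user, mrn)].append((s, e))
    return windows


def has_relationship(row, windows):
    """True if the access falls inside one of the user's windows for that MRN."""
    return any(s <= row["ts"] <= e
               for s, e in windows.get((row["user"], row["mrn"]), ()))


def months_between(a, b):
    """Whole calendar months from a to b (Oct 2013 -> Mar 2017 is 41)."""
    return (b.year - a.year) * 12 + (b.month - a.month)


def audit(log_text, care_team, min_patients=3):
    """Return per-user summaries for users with unexplained accesses to at
    least min_patients distinct patients. Users below the threshold are
    omitted so the output is a short review queue, not the whole log."""
    windows = build_windows(care_team)
    per_user = defaultdict(list)
    for row in parse_log(log_text):
        if not has_relationship(row, windows):
            per_user[row["user"]].append(row)
    findings = {}
    for user, rows in per_user.items():
        patients = {r["mrn"] for r in rows}
        if len(patients) < min_patients:
            continue
        first = min(r["ts"] for r in rows)
        last = max(r["ts"] for r in rows)
        findings[user] = {
            "accesses": len(rows),
            "patients": len(patients),
            "first": first.date().isoformat(),
            "last": last.date().isoformat(),
            "span_months": months_between(first, last),
        }
    return findings


if __name__ == "__main__":
    for user, summary in audit(ACCESS_LOG, CARE_TEAM).items():
        print(user, summary)
```

In a real EHR the relationship table has to be derived from encounter, scheduling, referral and role data, and legitimate patterns (break-the-glass access, consults, coding and billing staff) will appear as exceptions, so the output is a review queue for the privacy officer rather than a verdict. The property the two cases above lacked is that the check runs on a schedule over the whole log, rather than waiting for someone to notice something odd.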

Arizona Department of Health Services Notifies 2,500 Patients of Potential Loss of PHI
May 30

Data collected as part of a newborn screening program run by the Arizona Department of Health Services (ADHS) has been lost in the mail. The information, which was to be used for billing purposes, contained the personal information, financial data and sensitive health information of approximately 2,500 patients. Names, addresses, phone numbers, Social Security numbers, health insurance information, birth dates, and health information relating to mothers and newborns have all potentially been exposed. While state officials have said no evidence has been found to suggest any of the information has been accessed by unauthorized individuals or misused, ADHS does not know where the records are. The information was sent via the U.S. Postal Service to billing contractor Midwest Medical Practice Management of Carbondale, Illinois in two boxes; however, only one of the boxes arrived. The last known location of the missing box was a Postal Service facility in Phoenix, AZ. The U.S. Postal Service has been contacted and a search for the missing box has been conducted. Postal Service...

Stolen Electromyography Device Contained 836 Patients’ PHI, says SSM Health
May 25

SSM Health has started notifying patients that some of their protected health information was exposed when a portable device was stolen from DePaul Hospital St. Louis in Bridgeton, MO. The device contained the protected health information of 836 patients, including names, medical record numbers, dates of birth and brief details of patients’ chief health complaint. No insurance details, financial information, Social Security numbers or contact information were stored on the device. Due to the limited data stored on the device, patients are not believed to be at risk of identity theft or fraud. The portable device was stolen from DePaul Hospital overnight between April 12 and the morning of April 13, 2017. The theft has been reported to the local police department and an investigation into the incident is ongoing. The device, which resembles a laptop computer, was part of an electromyography (EMG) medical device. Officials at DePaul Hospital believe the device was stolen because it resembles a laptop computer, not for the information stored on it. No evidence has...

Impermissible Disclosure of HIV Status to Employer Results in $387,000 HIPAA Penalty
May 24

The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced a new HIPAA settlement to resolve violations of the HIPAA Privacy Rule. St. Luke’s-Roosevelt Hospital Center Inc. has paid OCR $387,200 to resolve potential HIPAA violations discovered during an OCR investigation of a complaint about an impermissible disclosure of PHI. In September 2014, OCR received a complaint about a potential privacy violation involving a patient of St. Luke’s Spencer Cox Center for Health. The complaint alleged that a member of St. Luke’s staff violated the privacy of a patient by faxing protected health information to the individual’s employer. The information in the fax was highly sensitive, including the patient’s sexual orientation, HIV status, sexually transmitted diseases, mental health diagnosis, details of physical abuse suffered, medical care and medications. Instead of being faxed, the information should have been sent to a personal post office box as the patient had requested. The investigation revealed that the incident was not the only time that the HIPAA Privacy Rule...

Leading Cause of Healthcare Data Breaches in April was Hacking
May 23

The monthly Breach Barometer Report from Protenus shows a significant reduction in the number of exposed healthcare records in April, with 232,060 records exposed compared to more than 1.5 million in March. The number of reported data breaches also fell from 39 to 34. The report offers some further good news. The time taken by healthcare organizations to report security incidents also fell last month. 66% of breaches were reported within the 60-day time period allowed by the Health Insurance Portability and Accountability Act Breach Notification Rule. While it is good news that the trend for reporting data breaches more promptly is continuing, there is still plenty of room for improvement. Protenus reports that in April, it took an average of 51 days from the date of the breach to discovery, and an average of 59 days from the discovery of a breach to the submission of a breach report to the HHS’ Office for Civil Rights. The data for the Protenus Breach Barometer report was supplied by Databreaches.net, which uncovered one of the worst breaches of the year to date. The theft of...

HIPAA and Ransomware: Healthcare Organizations Reminded of HIPAA Rules Relating to Ransomware
May 19

Following the recent WannaCry ransomware attacks, the Department of Health and Human Services has been issuing cybersecurity alerts and warnings to healthcare organizations on the threat of attack and the steps that can be taken to reduce risk. The email alerts were sent soon after news of the attacks on the UK’s NHS first started to emerge on Friday May 12, and continued over the course of the week. The alerts provided timely and pertinent information for U.S. healthcare organizations, allowing them to take rapid action to counter the threat. While the Office for Civil Rights has previously sent monthly emails to healthcare organizations warning of new threats in its cybersecurity newsletters, the recent alerts were sent much more rapidly and frequently, with four email alerts and conference calls with industry stakeholders alerting them to the imminent threat. Whether this was a one-off in response to a specific and imminent major threat, or the HHS plans to issue more timely alerts, remains to be seen. However, the rapid communication of the ransomware threat almost certainly...

Patients’ Email Addresses Accidentally Disclosed by Rutland Regional Medical Center
May 18

An electronic survey can provide healthcare organizations with valuable information to improve patient services; however, in the case of Rutland Regional Medical Center, it has resulted in a privacy breach. According to the Burlington Free Press, Rutland Regional Medical Center sent emails to more than 700 patients asking for opinions on discharge paperwork in an effort to improve patient discharges. Rather than using an email group or the BCC field to mask patients’ email addresses, the addresses were added to the ‘to’ field. Consequently, the email addresses of more than 700 patients were revealed to everyone who received the mailshot. The error only revealed patients’ email addresses, and many patients would not be easily identifiable from their address alone. However, any patient who was identifiable from their email address also had their status as a patient of Rutland Regional Medical Center disclosed to other individuals. The email also suggests that the recipient had recently been discharged from hospital; something patients may have...

Coney Island Hospital Supervisor Allowed Unvetted Volunteer to Access PHI
May 17

NYC Health + Hospitals has discovered a volunteer accessed the protected health information of almost 3,500 patients without official authorization. The unauthorized disclosure of PHI was discovered by NYC Health + Hospitals on March 10, 2017. The volunteer had worked in the phlebotomy department of Coney Island Hospital for a period of three months under the direction of a supervisor. The supervisor arranged for the volunteer to perform a number of tasks, some of which involved accessing certain patients’ PHI. While volunteers are permitted access to PHI once they have been vetted by Coney Island Hospital’s Human Resources department, in this case that process had not been completed. When the supervisor instructed the volunteer to perform duties that required access to patients’ PHI, the supervisor violated NYC Health + Hospitals policies and Health Insurance Portability and Accountability Act Rules. The activities performed by the volunteer that involved accessing PHI included logging the names of patients in a log book and transporting specimens within the...

Ransomware Attack Reported by Dallas Senior Living Community
May 16

A ransomware attack on Walnut Place, a Dallas senior living community, resulted in highly sensitive data being encrypted, including Social Security numbers, driver’s license numbers, birth dates, banking and credit card numbers, health insurance information, clinical information and patients’ and residents’ contact information. The ransomware was installed on its systems on January 25, 2017, and the issue was remediated 8 days later on February 2, 2017. Third-party security experts were called in to assist with the forensic investigation of the breach and conducted a security scan of its systems to ensure all traces of malware had been removed. The incident report has yet to appear on the Department of Health and Human Services’ Office for Civil Rights breach portal, so it is currently unclear exactly how many individuals have been impacted.
Ransomware Attacks and HIPAA Rules
Ransomware attacks are not always reportable under HIPAA Rules. If an organization can demonstrate there was a low probability of PHI being acquired, accessed, used or disclosed (see OCR ransomware...

PHI of Thousands of Patients of Bronx Lebanon Hospital Center Exposed Online
May 12

Highly sensitive medical records of thousands of patients of New York’s Bronx Lebanon Hospital Center have been exposed online. Those records were reportedly accessible for three years as a result of a misconfigured backup server. The exposed records were uncovered by researchers at the Kromtech Security Research Center after conducting a “regular security audit of exposed rsync protocols on Shodan,” a search engine that can be used to find networked devices. Rsync backup servers are used for transferring files between computer systems and for file syncing. The records were not encrypted nor protected with a password and could have been downloaded by any individual who knew where to look. It is currently unclear exactly how many patient records were exposed, with initial reports indicating tens of thousands of patients may have been affected. NBC’s Mary Emily O’Hara recently reported that the breach has impacted at least 7,000 individuals. The misconfiguration allowed the researchers to view highly sensitive information including names, addresses, medical diagnoses, health...

Security Breach Highlights Need for Patient Portals to be Pen Tested
May 11

A range of safeguards must be implemented to ensure networks and EHRs are protected, and encryption should be considered so that the loss or theft of a device does not expose patients’ ePHI. However, it is also important for healthcare organizations to check their patient portals for vulnerabilities and implement safeguards to prevent unauthorized disclosures of sensitive information. The failure to implement appropriate safeguards on web-based applications can easily result in unauthorized disclosures of patients’ PHI, as was recently demonstrated at True Health Diagnostics. The Frisco, TX-based healthcare services company offers testing for a wide range of diseases and genetic abnormalities, with test information available to patients via a web portal. The web portal allows patients to obtain their test results quickly. Patients are required to register and can only access their records after logging in to the portal. However, a flaw in the web portal allowed patients to access not only their own test results, but also the test results and PHI of other patients. The website...
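
The True Health Diagnostics flaw above and the Molina Healthcare claims exposure reported on May 31 share the pattern described in both reports: a record could be retrieved without the server confirming that the requester was entitled to it (and in Molina’s case, according to the report, without a login at all). The following is an added example, not code from either company or from this site, showing a vulnerable result lookup beside a hardened one, together with the enumeration probe a pen test of a patient portal runs against both. The record store, the session table, the id range and the status codes are constructed assumptions, not any vendor’s schema or API.

```python
"""Patient-portal result lookup: IDOR-vulnerable handler beside a hardened
one, plus the id-enumeration probe a pen test runs against both (added example)."""

# Constructed sample data. Result ids are sequential on purpose, since that
# is what makes the vulnerable handler trivially enumerable.
RESULTS = {
    1001: {"patient_id": "P-100", "test": "lipid panel", "value": "LDL 131 mg/dL"},
    1002: {"patient_id": "P-200", "test": "HbA1c", "value": "6.8%"},
    1003: {"patient_id": "P-100", "test": "TSH", "value": "2.1 mIU/L"},
    1004: {"patient_id": "P-300", "test": "HIV-1 Ag/Ab", "value": "negative"},
}
# Constructed session store: token -> authenticated patient.
SESSIONS = {"sess-abc": "P-100", "sess-def": "P-200"}


class PortalError(Exception):
    """Carries the HTTP-style status the handler would return."""
    def __init__(self, status):
        super().__init__(status)
        self.status = status


def vulnerable_get_result(result_id, session_token=None):
    """Looks the record up by the client-supplied id only. Whoever can guess
    or increment an id reads the record, logged in or not."""
    if result_id not in RESULTS:
        raise PortalError(404)
    return RESULTS[result_id]


def hardened_get_result(result_id, session_token):
    """Authenticate first, then authorize against the record's owner on the
    server side. The owner comes from the stored record, never from the request."""
    patient_id = SESSIONS.get(session_token)
    if patient_id is None:
        raise PortalError(401)
    record = RESULTS.get(result_id)
    # Same 404 for "no such record" and "not your record", so a caller walking
    # the id space cannot use the response to learn which ids exist.
    if record is None or record["patient_id"] != patient_id:
        raise PortalError(404)
    return record


def status_of(handler, result_id, session_token):
    """Return the status a handler produces for one request (200 on success)."""
    try:
        handler(result_id, session_token)
        return 200
    except PortalError as err:
        return err.status


def probe(handler, session_token, id_range):
    """Pen-test check: using one session (or none), walk a range of ids and
    return the ids whose records came back but belong to someone else."""
    own = SESSIONS.get(session_token)
    leaked = []
    for rid in id_range:
        try:
            record = handler(rid, session_token)
        except PortalError:
            continue
        if record["patient_id"] != own:
            leaked.append(rid)
    return leaked


if __name__ == "__main__":
    ids = range(1000, 1010)
    print("vulnerable, logged in as P-100:", probe(vulnerable_get_result, "sess-abc", ids))
    print("vulnerable, no session:       ", probe(vulnerable_get_result, None, ids))
    print("hardened, logged in as P-100: ", probe(hardened_get_result, "sess-abc", ids))
```

Two design points matter here. Authorization is decided by comparing the record’s stored owner to the authenticated principal, not by anything the client sent, and the hardened handler gives the same 404 for a record that does not exist and one that belongs to another patient, so the probe learns nothing from the difference. Long or random ids are not a substitute for the ownership check; they only make the same probe slower.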

Memorial Hermann Health System Hit with $2.4 Million HIPAA Fine
May 11

Memorial Hermann Health System has agreed to settle potential HIPAA Privacy Rule violations with the Department of Health and Human Services’ Office for Civil Rights (OCR) for $2.4 million. The settlement stems from an impermissible disclosure in a press release issued by MHHS in September 2015. Memorial Hermann Health System (MHHS) is a 16-hospital health system based in Southeast Texas, serving patients in the Greater Houston area. In September 2015, a patient visited an MHHS clinic and presented a fraudulent identification card to hospital staff. Staff identified the ID card as fraudulent, law enforcement was notified and the patient was arrested. The hospital disclosed the name of the patient to law enforcement, which is permitted under HIPAA Rules. However, the action the hospital took next violated the HIPAA Privacy Rule. MHHS issued a press release about the incident and included the patient’s name in its title. That press release was approved by MHHS senior management before release, even though naming the patient...

New Jersey IVF Clinic Hack Sees PHI of 14,000 Patients Potentially Compromised
May 10

A third-party server hosting the electronic health record database of the New Jersey Diamond Institute for Infertility and Menopause has been hacked and access gained by an unauthorized individual. The Diamond Institute says its database and EHR system was encrypted, so the attackers were unable to access patient health records, although many unencrypted supporting documents were also stored on the server and may have been accessed. It is unclear when the attack took place, although the Diamond Institute learned of the cyberattack on February 27, 2017. A full investigation was rapidly initiated and steps taken to secure the server to prevent further unauthorized activity. The investigation involved checking all documents to determine the patients impacted and the types of data that could potentially have been viewed or copied. The documents were found to contain a limited amount of protected health information relating to more than 14,000 patients. Those data included patients’ names, addresses, birth dates, Social Security numbers, sonograms and lab test results. The breach has...

Unencrypted Hard Drive Stolen from LSU Health New Orleans: 2,200 Individuals Impacted
May 09

Another healthcare provider has announced that an unencrypted device used to store electronic protected health information of patients has been stolen. The medical data of 2,200 patients of Louisiana State University Health New Orleans were stored on a portable hard drive that was stolen from the Department of Neurology Research in March. The theft occurred on or around March 6 and was immediately reported to law enforcement. A suspect was arrested the following day, although the hard drive has not been recovered. Officials do not believe any data on the drive have been misused, although the possibility that ePHI has been viewed cannot be ruled out. LSU Health New Orleans has reconstructed the data on the drive and is notifying affected individuals. The drive contained research data relating to individuals who participated in studies between 1998 and 2009. No Social Security numbers or financial information have been compromised, with the data breach limited to names, dates of birth, diagnosis codes and treatment codes. This is not the first time that an incident such as this has...

Bitglass Publishes 2017 Healthcare Data Security Report
May 04

Bitglass has recently published its 2017 Healthcare Data Breach Report, the third annual report on healthcare data security issued by the data protection firm. For the report, Bitglass analyzed the healthcare data breach reports submitted to the Department of Health and Human Services’ Office for Civil Rights. The report confirms 2016 was a particularly bad year for healthcare industry data breaches. Last year saw a record number of healthcare data breaches reported, although the number of healthcare records exposed in 2016 was lower than in 2015. In 2016, 328 healthcare data breaches were reported, up from 268 incidents in 2015. Last year’s healthcare data breaches impacted around 16.6 million Americans. The good news is that while incidents are up, breaches are exposing fewer healthcare records. If the colossal data breach at Anthem Inc., which exposed 78.8 million healthcare records, is treated as an anomaly and excluded from the 2015 figures, the number of individuals impacted by healthcare data breaches has fallen for two years in a row. That trend looks set...

Survey Explores Trust in Healthcare Organizations’ Ability to Keep Data Secure
May 04

A recent survey by Accenture has explored consumers’ attitudes about healthcare data security and revealed the impact healthcare data breaches have had on consumers. The survey showed the extent to which individuals had suffered losses as a result of a data breach, how consumers felt their organization handled data breaches, and the effect those breaches had on trust.
Trust in Healthcare Providers and Insurers is High
In the United States, trust in healthcare providers’ and health insurers’ ability to keep sensitive data secure is high. 88% of respondents said they trusted their physician or other healthcare providers ‘somewhat’ (53%) or ‘a great deal’ (36%). Trust in hospitals was slightly lower at 84% (54% somewhat / 30% a great deal). Health insurers and laboratories that process medical tests fared slightly worse, both somewhat trusted by 54% of respondents and trusted a great deal by 28% of respondents. Distrust (not at all trusted or not trusted very much) was highest in urgent care clinics (25%), non-medical staff at physicians’ and healthcare providers’ offices (36%)...

Two Harrisburg Practices Report Potential ePHI Breach
May 03

Two Harrisburg practices have discovered their systems have been accessed by an unauthorized individual who may have gained access to the electronic protected health information of their patients. Harrisburg Endoscopy and Surgery Center and Harrisburg Gastroenterology in Dauphin County, PA were alerted to a potential intrusion when suspicious system activity was detected on March 17, 2017. While the investigation revealed the system had been accessed, no evidence was uncovered to suggest any ePHI was accessed or stolen by the attacker; however, the possibility of data access could not be ruled out. Out of an abundance of caution, patients were sent breach notification letters on April 28 providing them with information about the breach to allow them to take precautions to protect their identities. It would appear that credit monitoring and identity theft protection services are not being offered to affected patients. The types of information stored on the compromised system included names, demographic information, health insurance details, Social Security numbers, clinical data and...

Greenway Health Ransomware Attack Stops 400 Clients from Accessing EHRs
May 02

Tampa, Florida-based practice management software and EHR vendor Greenway Health has experienced a ransomware attack that affected around 5% of its client base, approximately 400 healthcare organizations. It is unclear whether the ransomware infection resulted in EHR data being encrypted, although clients were temporarily prevented from accessing the cloud-based Intergy EHR/medical management platform. Those clients were forced to resort to pen and paper while Greenway Health worked to restore its system. Fortunately, all client data were backed up and could be recovered, although that process took time. On April 22, 2017, third-party rapid response security firms were brought in to remove the infection and restore data. A spokesperson for Greenway Health said the teams were “working around the clock to restore access to affected Intergy hosted customers.” As of yesterday, around half of affected clients had access to the Intergy system restored. While the cloud-based platform was taken out of action, Greenway Health has not uncovered any evidence to...

Hill Country Memorial Hospital Discovers Email Account Compromise
May 01

An unauthorized individual gained access to the email account of a Hill Country Memorial Hospital employee and used it to send a number of fraudulent invoices, but potentially also accessed the protected health information of certain patients. The Fredericksburg, TX hospital discovered on February 21, 2017 that the email account of an emergency room employee had been accessed. The attack is believed to have been conducted solely for the purpose of sending fraudulent invoices to the hospital’s accounts payable department. However, the email account contained a range of ePHI which could potentially have been accessed and stolen by the attacker. The investigation into the security breach did not reveal whether any emails had been opened, or whether the ePHI of patients had been viewed or copied, but the possibility could not be ruled out. The email account contained patients’ names, addresses, ID numbers, dates of birth, prescription and treatment information, medical diagnoses, procedure information and Social Security numbers. It is unclear at this stage how the criminal gained access to the...

PHI Potentially Compromised in Atlantic Digestive Specialists Ransomware Attack
Apr 25

Somersworth, New Hampshire-based Atlantic Digestive Specialists is one of the latest healthcare organizations to report a ransomware attack that has potentially resulted in the protected health information of patients being accessed. The ransomware attack was discovered on February 20, 2017 although a subsequent investigation revealed that the ransomware was installed on February 18. The infection took two days to resolve, during which time access to certain computer systems was limited. All traces of the ransomware were removed from its systems by February 22, 2017. Atlantic Digestive Specialists hired a third-party cybersecurity firm to conduct a thorough investigation of the attack to determine how the infection occurred, the extent of the attack, and which files were potentially accessed by the attackers. The investigation revealed files containing patients’ names, addresses, telephone numbers, medical record numbers, clinical and diagnostic information, health insurance details, and in some cases, Social Security numbers were encrypted. The investigation uncovered no evidence...

Unencrypted Portable Devices are a HIPAA Breach Waiting to Happen
Apr 25

This week, OCR announced a new settlement with a covered entity to resolve HIPAA violations discovered during the investigation of an impermissible disclosure of ePHI. The incident that sparked the investigation was the theft of an unencrypted laptop computer from the vehicle of a CardioNet employee. This week has also seen two data breaches reported that have similarly involved the theft of portable devices. Earlier this week, Lifespan announced that a MacBook had been left in an employee’s vehicle from where it was stolen. The device was neither encrypted nor protected with a password. ePHI was accessible via the employee’s email account. More than 20,000 patients’ ePHI was potentially compromised. The second incident involved a flash drive rather than a laptop. Western Health Screening (WHS), a Billings, MT-based provider of on-site blood screening services, announced that patients’ names, phone numbers, addresses and some Social Security numbers have been exposed. The data on the drive related to individuals who had undergone blood screening tests between 2008 and 2012. A...

Lifespan Laptop Theft Exposes ePHI of 20,000 Patients
Apr 25

Lifespan has announced a laptop computer has been stolen from the vehicle of one of its employees. A thief stole a number of items from the employee’s car on February 25, 2017, including a MacBook laptop that contained the electronic protected health information of certain Lifespan patients. An investigation into the incident revealed the laptop was not encrypted, nor was a password required to gain access to the device. Consequently, ePHI contained in the employee’s email account could potentially have been accessed and viewed. An analysis of the email account confirmed that no financial information, Social Security numbers, medical records, nor medical diagnoses were exposed, although emails did contain patients’ names, partial addresses, medical record numbers, demographic information and details of prescriptions. Lifespan took prompt action to secure the email account by changing the employee’s login credentials. While the data stored on the device could have been accessed, the investigation into the incident has not uncovered any evidence to suggest that any...

Wireless Health Services Provider Settles HIPAA Violations with OCR for $2.5 Million
Apr 24

2016 was a record year for HIPAA settlements, but 2017 is looking like it will see last year’s record smashed. There have already been six HIPAA settlements announced so far this year, and hot on the heels of the $31,000 settlement announced last week comes another major HIPAA fine. A $2.5 million settlement has been agreed with CardioNet to resolve potential HIPAA violations. CardioNet is a Pennsylvania-based provider of remote mobile monitoring and rapid response services to patients at risk for cardiac arrhythmias. Settlements have previously been agreed with healthcare providers, health plans, and business associates of covered entities, but this is the first time OCR has settled potential HIPAA violations with a wireless health services provider. While OCR has not previously fined a wireless health services provider for violating HIPAA Rules, the same cannot be said of the violations discovered. Numerous settlements have previously been agreed with covered entities after OCR discovered risk analysis and risk management failures. In this case, the settlement relates to a data...

OCR Settlement Highlights Importance of Obtaining Signed Business Associate Agreements
Apr 21

The Department of Health and Human Services’ Office for Civil Rights has sent another warning to HIPAA-covered entities about the need to obtain signed, HIPAA-compliant business associate agreements with all vendors prior to disclosing any protected health information. Yesterday, OCR announced it has agreed to settle potential violations of the Health Insurance Portability and Accountability Act with The Center for Children’s Digestive Health (CCDH), a small 7-center pediatric subspecialty practice based in Park Ridge, Illinois. On August 13, 2015, OCR conducted a HIPAA compliance review of CCDH following an investigation of FileFax Inc., which was contracted by CCDH to store inactive patient records. The FileFax investigation revealed the company had not signed a business associate agreement prior to being provided with patients’ PHI. The subsequent compliance review of CCDH similarly revealed that no signed business associate agreement existed. CCDH had therefore impermissibly disclosed patients’ PHI to FileFax in violation of HIPAA Rules. CCDH had provided paper records relating...

Cardiology Center of Acadiana Ransomware Attack Impacts 9,700 Patients
Apr 21

A recent Cardiology Center of Acadiana ransomware attack has resulted in the exposure of almost 9,700 patients’ protected health information. The ransomware attack occurred on February 7, 2017 and was discovered the following day. The attackers targeted a server used by the Lafayette, LA-based cardiology practice and deployed ransomware, which encrypted a range of files containing patients’ names, dates of birth, addresses, billing information, clinical data, medical images and Social Security numbers. Cardiology Center of Acadiana has not disclosed exactly how the attack occurred, nor the variant of ransomware used in the attack, although the breach report suggests the attackers utilized open external ports on the server. All external ports have now been closed to prevent future attacks and the cardiology center’s antivirus protections have been upgraded. Cardiology Center of Acadiana has not received any reports suggesting patients’ PHI has been copied or misused, although all patients impacted by the incident have been advised to exercise caution in case the attackers were able...

Employee Terminated for Improperly Dumping PHI
Apr 21

An employee of New Jersey-based BioReference Laboratories has been terminated for failing to follow company protocols – and HIPAA Rules – regarding the secure disposal of documents containing the protected health information of patients. BioReference Laboratories is the third largest full service clinical diagnostic laboratory in the United States, with locations in New York, New Jersey, Maryland, Massachusetts, Rhode Island, Ohio, Florida, Texas and California. The incident occurred at its facilities in Florida. Company policies require all sensitive paperwork to be securely shredded prior to disposal, in accordance with HIPAA Rules. However, on March 14, 2017, BioReference Laboratories discovered that documents provided to the employee had been disposed of in a dumpster in Davenport, Florida. Upon discovery of the incident, BioReference Laboratories launched an investigation and identified the individual responsible. The decision was taken to terminate the employee for the HIPAA breach. BioReference Laboratories promptly arranged for the documents to be collected and securely...

Amedisys Notifies Patients of Improper Disposal Incident
Apr 18

The medical information of certain patients of Amedisys Home Health of Fayetteville, NC has been disposed of improperly, although all information is believed to have been retrieved. Amedisys ensures all paper copies of patients’ protected health information are shredded and rendered unreadable, indecipherable, and otherwise unable to be reconstructed, in accordance with HIPAA Rules. However, Baton Rouge, LA-based Amedisys was recently informed that two shredding bins had been found behind a Fayetteville business and their contents had not been shredded in accordance with company policies. The bins should have been taken to a recycling center where the documents could be securely shredded. After being notified of the HIPAA breach, Amedisys arranged for the bins to be retrieved. A full inventory of the documents was then performed to determine whether patients’ protected health information was present in the documents and which patients had PHI exposed. The documents were discovered to contain patients’ names, demographic information and some medical information related to the services provided by Amedisys....

21 Employees Found to Have Accessed PHI Without Authorization
Apr 17

A routine audit conducted by Virginia Mason Memorial has revealed employees have been accessing the protected health information of patients without authorization. Audits of PHI access logs occasionally reveal rogue employees have been improperly accessing the medical records of patients, but what makes this incident stand out is the number of employees that were discovered to have improperly viewed PHI. The audit revealed 21 employees had deliberately accessed PHI without authorization. Virginia Mason Memorial conducted the audit in January and immediately terminated access to PHI to prevent further privacy breaches. The investigation revealed those 21 employees had accessed the PHI of 419 patients. All of the patients had visited the hospital’s emergency room. The investigation was conducted internally, although the hospital also brought in a third-party cybersecurity firm to conduct a forensic analysis of its systems. That firm has also been searching the darknet to find out if any of the accessed records have made it onto darknet marketplaces. To date, no patient information...

Protenus Publishes Healthcare Data Breach Report for March 2017
Apr 14

Protenus has released its Breach Barometer report for March 2017, which shows a significant increase in healthcare data breaches and a major jump in the number of individuals who have had their sensitive data exposed or stolen. In both January and February there were 31 reported healthcare data breaches, although March saw the figure jump to 39 incidents. February saw relatively few individuals affected by healthcare data breaches. 206,151 patients and health plan members had some of their protected health information exposed last month. However, in March the figure jumped to 1,519,521 – more than 2.5 times the number of individuals impacted by healthcare data breaches in January and February combined. Almost half of those individuals had their ePHI exposed in the same incident – a 697,800-record theft incident reported by Commonwealth Health Corporation. The Protenus report shows insiders were the biggest cause of the healthcare data breaches reported in March, accounting for 44% of the total. There were 10 insider incidents reported in March that involved insider error and seven...

Ashland Women’s Health Reports Ransomware Attack
Apr 13

Since the start of 2016, cybercriminals have been increasingly turning to ransomware to attack healthcare organizations. Rather than attempting to steal the electronic protected health information of patients, malicious actors are blocking access to ePHI and are issuing ransom demands to restore access. While large healthcare organizations such as MedStar Health are major targets for cybercriminals, healthcare organizations of all sizes are at risk of experiencing ransomware attacks, even small one-practitioner medical centers. This week, one such practice has announced a ransomware attack has resulted in patients’ ePHI being encrypted. Ashland Women’s Health (AWH) is a small obstetrics and gynecology practice in Ashland, Kentucky. Earlier this month, AWH submitted a report of a hacking/IT incident to the Department of Health and Human Services’ Office for Civil Rights. The breach report indicates 19,727 patients were impacted. This week, further information on the security breach has been released. The security breach was caused by a malicious actor who gained access to the...

Virus Infection at Erie County Medical Center Forces Computer System Shutdown
Apr 12

A computer virus sent via email to staff at Erie County Medical Center in Buffalo, New York – the main teaching hospital used by the University of Buffalo – has forced the hospital to shut down its entire computer system, parts of which remain out of action three days later. The incident occurred in the early hours of Sunday morning. IT staff reacted promptly and shut down email and took the entire computer system offline as a precaution to prevent the spread of the virus. The IT team, assisted by external security experts, is working to systematically restore its systems. That process is expected to take several days, although most computer systems at the hospital have now been brought back online. The hospital’s email system is still not operational and its website is still inaccessible. The hospital has a backup of all data, including patients’ health information. A full recovery is therefore expected. Staff at the hospital have been forced to temporarily work with pen and paper while the IT security incident is resolved. Communication between care teams has continued...

2017 Shaping Up to Be Another Record-Breaking Year for Healthcare Data Breaches
Apr 07

2016 was a particularly bad year for healthcare data breaches. More data breaches were reported than in any other year since the Department of Health and Human Services’ Office for Civil Rights started publishing healthcare data breach summaries in 2009. In 2016, 329 breaches of more than 500 records were reported to the Office for Civil Rights and 16,655,952 healthcare records were exposed or stolen. 2017 looks set to be another record-breaking year for healthcare data breaches. Figures for the first quarter of 2017 show data breaches have increased, with rises in theft incidents, hacks and unauthorized disclosures. By the end of Q1 2016, 64 breaches of more than 500 records had been reported to OCR and 3,529,759 records had been exposed or stolen. Between January 1, 2017 and March 31, 2017, OCR received 79 data breach reports from HIPAA covered entities and business associates. Those breaches have resulted in the theft or exposure of 1,713,591 healthcare records. While fewer individuals have been impacted by healthcare data breaches than in the equivalent period last year, the number of...

3,365 Patients’ Billing Records Potentially Stolen by Hacker
Apr 07

Atlanta-based Skin Cancer Specialists, P.C., has announced a data security incident has been discovered that has resulted in the exposure of the billing records of 3,365 patients. An unauthorized individual was discovered to have gained access to the healthcare provider’s system on October 15, 2016, with the intrusion detected on February 2, 2017. The system contained the billing records of 3,365 patients. Those records included patients’ names, addresses, telephone numbers, dates of birth, medical record numbers, physician information and health insurance details. Financial information and Social Security numbers were not viewed or obtained by the attacker. Skin Cancer Specialists hired a cybersecurity firm to conduct a thorough investigation into the breach to determine how access was gained. Action has now been taken to secure its systems to prevent further cyberattacks. No evidence of inappropriate use of the billing records was uncovered during the investigation, although patients have been advised to check their explanation of benefits statements for any sign of fraudulent...

Mental Health Histories and Therapy Session Notes of 3,000+ Patients Sold On Darknet
Apr 07

Databreaches.net has discovered a healthcare data breach of more than 3,000 records. Those records appear to have been sold by the hacker responsible for the attack via a darknet marketplace. The records contained health and mental health histories and therapy session notes from 2007 to present. In total, more than 4,500 patient records were obtained by the hacker, which related to ‘3,000-3,500’ unique individuals. The records included names, addresses, phone numbers and employer details along with SSNs, dates of birth and the names of patients’ physicians. Worse still, the records contained complete family histories, details of substance abuse, legal histories, health and mental health histories, and detailed ‘complete’ notes of therapy sessions spanning several years. The individual responsible for stealing the information listed the records for sale on a darknet marketplace advising potential buyers that the records contained “Everything confessed/discussed in complete privacy is in here for thousands of patients.” The complete set of data was listed for sale for a minimum price...

Large Hospitals and Teaching-Focused Hospitals Face Greater Risk of Data Breaches
Apr 06

A study recently published in JAMA Internal Medicine examined recent healthcare data breach trends to determine which types of hospitals are the most susceptible to data breaches. The researchers analyzed breach reports submitted to the Department of Health and Human Services’ Office for Civil Rights between October 21, 2009 and December 31, 2016. During that time, 216 hospitals reported 257 breaches of more than 500 patient records. 33 hospitals experienced more than one data breach during that time frame. Four hospitals – Brigham and Women’s Hospital, Cook County Health & Hospitals System, Mount Sinai Medical Center and St. Vincent Hospital and Healthcare Inc – experienced three data breaches. Two hospitals – Montefiore Medical Center and University of Rochester Medical Center & Affiliates – experienced four data breaches. The researchers determined the size of the acute care hospitals by linking the facilities to their Medicare cost reports submitted to the Centers for Medicare and Medicaid Services in the 2014 fiscal year. 141 acute care hospitals were linked to CMS...

More than 55,000 Patients Impacted by ABCD Pediatrics Ransomware Attack
Apr 04

San Antonio, TX-based ABCD Pediatrics has discovered cybercriminals gained access to its servers and used ransomware to encrypt data, including the protected health information of its patients. The individuals behind the attack may also have gained access to data stored on the healthcare provider’s servers prior to ransomware being deployed. The breach report submitted to the Department of Health and Human Services’ Office for Civil Rights indicates 55,447 patients have been impacted. The attack involved a variant of CrySiS ransomware called Dharma, which started encrypting data on February 6, 2017. Dharma ransomware is not known to exfiltrate data; however, an analysis of the attack revealed a number of suspicious user accounts on the servers, suggesting access had been gained prior to the ransomware being installed. User logs were also discovered that indicated programs or users may have been on the servers for a limited period of time prior to the ransomware being installed. Fortunately, the encryption process was hampered by the anti-virus solution used by ABCD Pediatrics. ABCD...

Phishing Attack Potentially Impacts 80,000 Patients of Washington University School of Medicine
Mar 31

A phishing attack on the Washington University School of Medicine has resulted in a number of staff members’ email accounts being compromised. Washington University School of Medicine learned of the phishing attack on January 24, 2017, more than seven weeks after the attack occurred. An investigation into the incident revealed the attack occurred on December 2, 2016. Phishing emails use a variety of social engineering techniques to fool end users into revealing sensitive information such as usernames, passwords, or bank details. In this case, the phishing emails were used to obtain login credentials to staff members’ email accounts. Email accounts contain a treasure trove of information. An investigation revealed the compromised accounts contained the protected health information of 80,270 patients. Data in the accounts included patients’ names, dates of birth, medical record numbers, clinical information, medical diagnoses and treatment information. Some patients’ Social Security numbers were also exposed as a result of the attack. The investigation did not uncover any evidence to...

Patients’ PHI Accidentally Sent to Media Outlets by Mecklenburg County
Mar 29

A spreadsheet containing the protected health information of more than 1,200 patients has been accidentally sent to two media outlets by a worker at Mecklenburg County, NC. The spreadsheet was emailed to the media outlets in response to a freedom of information request. That request was made following the discovery that 185 female patients had not been notified of abnormal Pap smear results. The spreadsheet had been created for state officials who were conducting an audit. County officials discovered the HIPAA breach on Monday and immediately launched an investigation to determine how such an error could have been made. County officials are furious about the privacy breach. Commissioner Vilma Leake said she wanted “to fire everybody on the health department.” County Manager Dena Diorio said “I am absolutely speechless with anger about how something like this could happen.” This is the second HIPAA breach in a month to be discovered by Mecklenburg County. WSOCTV said it had previously been sent information that contained the name of an individual that should not have been released. A...

Estill County Chiropractic Patients Impacted by Ransomware Attack
Mar 29

On January 17, 2017, Irvine, KY-based Estill County Chiropractic discovered its computer system had been breached by an unauthorized individual who encrypted files with ransomware. An external computer consultant was hired to conduct a thorough investigation of the incident to determine how the ransomware was installed and the extent of the attack. While many ransomware infections occur as a result of an employee responding to a malicious spam email message, in this case, the attacker was discovered to have previously gained access to Estill County Chiropractic’s computer system. Access to the system was first gained on January 6, 2017, although the ransomware was not installed until January 17. Due to the nature of the attack, it is possible the attacker gained access to the protected health information of patients and stole patient data. The information potentially accessed included patients’ names, addresses, phone numbers, email addresses, dates of birth, clinical information, Social Security numbers, medical diagnoses, provider notes, claims information and health plan...

Former Employee Accused of Stealing PHI of up to 160,000 Med Center Health Patients
Mar 28

The Kentucky-based 6-hospital health system Med Center Health has reported a data breach affecting approximately 160,000 patients. Med Center Health believes a former employee may have stolen patients’ protected health information (PHI) prior to leaving employment. The former employee has been accused of stealing PHI including names, addresses, health insurance information, Social Security numbers, procedure codes and billing information. Medical records were not compromised at any point. The FBI has been notified and is also investigating along with other federal agencies. Med Center Health is in the process of notifying patients of the breach, although the process is expected to take a couple of weeks due to the number of individuals that have been impacted. While the breach has only recently been announced, the data theft incidents date back to 2014 and 2015. The former employee is understood to have taken an encrypted CD and encrypted portable storage device in August 2014 and February 2015. There was no legitimate work reason for ePHI to have been taken, although on both...

Flowers Hospital Data Breach Lawsuit Awarded Class-Action Status
Mar 24

A lawsuit filed by five plaintiffs following a breach of protected health information at Flowers Hospital in 2013 has finally been awarded class-action status. The lawsuit was filed against Triad of Alabama, the parent company of Flowers Hospital, in 2014. Triad of Alabama submitted motions to dismiss the lawsuit in 2014 and 2015, but the lawsuit survived. In contrast to many healthcare data breach lawsuits that are filed following cyberattacks by hackers, this incident involved an insider. A phlebotomist employed at Flowers Hospital – Kamarian Millender – stole non-hospital records stored at the hospital. The information in those records was used to file fraudulent tax returns in the names of 124 individuals over two years. Millender was arrested in 2014 and was found to be in possession of 54 patient records. Millender was subsequently charged with trafficking stolen identities and aggravated identity theft and pled guilty to stealing 73 identities for the purpose of filing fraudulent tax returns. In total, prosecutors alleged tax returns totaling around $536,000 were submitted...

Urology Austin Ransomware Attack Announced
Mar 23

Urology Austin has started notifying 279,663 patients that some of their protected health information may have been impacted in a recent ransomware attack. Potentially, the attackers gained access to names, addresses, dates of birth, medical information and the Social Security numbers of patients. The attack occurred on January 22, 2017, although rapid detection of the incident limited the damage caused. Within minutes of the attack, the computer network was shut down to prevent the spread of the infection and potential access/exfiltration of PHI. However, even with the fast response, data stored on the organization’s servers were encrypted. Ransomware often blindly encrypts data. The attacks are intended to cause major disruption to patient services to force an organization into paying a ransom demand to obtain a key to unlock the encryption. Data are not accessed or stolen by the attackers. The risk of patients’ protected health information being accessed and misused after this type of attack is often low. In this case, the decision was taken to provide identity theft monitoring...

UNC Health Care Reports Exposure of 1300 Prenatal Patients’ PHI
Mar 21

Prenatal patients who visited certain obstetric clinics operated by UNC Health Care are being notified that some of their protected health information has been disclosed to local health departments by mistake. Pregnancy Home Risk Screening Forms of Medicaid-eligible patients are sent to local health departments to ensure those individuals are connected with appropriate support services. However, UNC Health Care has discovered that in addition to Medicaid-eligible patients, forms relating to patients who were not eligible for Medicaid were also sent to local health departments. In total, around 1,300 patients have been affected. The privacy breach affects women who had prenatal appointments at the UNC Maternal-Fetal Medicine at Rex Hospital or the Women’s Clinic at the North Carolina Women’s Hospital between April 2014 and February 2017. Pregnancy Home Risk Screening Forms contain patients’ names and addresses, race and ethnicity, Social Security numbers, health and mental health histories, details of patients’ HIV status, any sexually transmitted diseases contracted, medical...

Snapshot of Healthcare Data Breaches in February 2017
Mar 21

The Protenus Breach Barometer healthcare data breach report for February includes some good news. Healthcare data breaches have not risen month on month, with both January and February seeing 31 data breaches reported. The report offers some further good news. Healthcare hacking incidents fell in February, accounting for just 12% of the total number of breaches reported during the month. There was also a major fall in the number of healthcare records exposed or stolen. In January, 388,207 healthcare records were reported as being exposed or stolen. In February, the number fell to 206,151 – a 47% drop in exposed and stolen records. However, February was far from a good month for the healthcare industry. IT security professionals have long been concerned about the threat from within, and last month clearly showed those fears are grounded in reality. February saw a major increase in the number of incidents caused by insiders. Insider breaches in February accounted for 58% of the total number of incidents reported for which the cause was known; double the number reported the previous...

Back Up Drive Stolen: PHI of 1,291 Patients Exposed
Mar 20

The failure to encrypt backup data on a portable electronic device has resulted in the protected health information of 1,291 individuals being exposed. The device was stolen from Local 693 Plumbers, Pipefitters & HVACR Technicians, a member of the United Association of Journeyman and Apprentices of the Plumbing and Pipefitting Industry of the United States and Canada. The backup device was discovered to be missing on January 23, 2017 following a break-in at Local 693 offices the day before. An investigation revealed the device contained names, telephone numbers, addresses and Social Security numbers of current and former Plumbers & Pipefitters Local 693 Benefit Funds recipients and members of the Plumbers & Pipefitters Local 693 union. The theft has been reported to law enforcement, the Vermont attorney general and the Department of Health and Human Services Office for Civil Rights. While the data on the device could potentially be accessed by unauthorized individuals, an independent information technology consultant who was retained to conduct an investigation believes...

Almost 18,000 Metropolitan Urology Patients Impacted by Ransomware Attack
Mar 17

Wauwatosa, WI-based Metropolitan Urology Group has recently discovered that a ransomware attack that affected two computer servers potentially resulted in the attackers gaining access to the protected health information of 17,634 patients. The ransomware attack occurred on November 28, 2016, although it was initially unclear whether the attackers had gained access to patients’ PHI. Metropolitan Urology Group contracted an international information technology company to perform a thorough analysis of the affected servers and its systems to determine the nature and extent of the attack. On January 10, 2017, Metropolitan Urology Group was informed that patient data may have been accessed as a result of the infection. The firm was able to successfully remove the ransomware infection and restore the medical group’s systems. Current patients are unaffected by the security breach. The data stored on the servers related to patients who had received medical services at the medical group’s facilities between 2003 and 2010. The types of data that were potentially accessed include patients’...

Snooping St. Charles Health System Employee Accessed Almost 2,500 Patient Records
Mar 17

The four-hospital St. Charles Health System in central Oregon has discovered an employee accessed the medical records of almost 2,500 patients without authorization over a period of 27 months from October 2014 to January 2017. On January 16, 2017, the unnamed caregiver was discovered to have improperly accessed the medical records of a single patient, prompting a review of her ePHI access logs. That investigation revealed that this was far from a one-off incident. The improper access dated back to October 8, 2014. During that time, the caregiver was found to have accessed 2,459 patient files with no legitimate work reason for doing so. When confronted about the improper access, the female employee said she had accessed the records out of curiosity with no malicious intent. The health system said it took ‘swift and appropriate action’ and the employee was disciplined, although it is unclear what the disciplinary action involved and whether the employee was terminated as a result of her actions. The health system does not consider the employee’s actions to have been criminal in nature, and a...

Zest Dental Solutions Alerts Customers to Payment Card Information Breach
Mar 16

Carlsbad, CA-based Zest Dental Solutions has discovered that an unauthorized individual gained access to its e-commerce system and potentially stole the credit card details of some of its customers. A number of customers reported receiving unusual emails containing information related to past Zest Dental Solutions purchases. The complaints prompted an investigation and an external cybersecurity firm was brought in to conduct a thorough analysis of the company’s systems. On February 16, 2017, it was confirmed that the company’s e-commerce system had been breached. That system contained credit card numbers, CVV codes, expiry dates, customers’ names, addresses, and phone numbers. Individuals affected by the security incident had previously made purchases through the website between December 13, 2013 and September 21, 2014 or between November 2, 2016 and February 4, 2017. The breach also impacts customers who purchased items prior to the company changing its name from Zest Anchors. Since credit card details may have been stolen, affected individuals are at risk of experiencing credit...

Lack of Email Encryption Exposes PHI of 644 Raising St. Louis Participants
Mar 14

644 participants of the Raising St. Louis program run by BJC HealthCare have been notified that some of their personally identifiable information has been exposed after it was discovered that protocols for sending sensitive information securely had not been followed. No Social Security numbers, financial information, or test results/treatment data were communicated via unencrypted email, although names, addresses, telephone numbers, dates of birth, visit dates, nursing notes, medication and vaccination information could potentially have been intercepted and viewed by unauthorized individuals. BJC HealthCare has established protocols for communicating sensitive information, although in January it was discovered that those protocols had not been used for communicating personally identifiable information of Raising St. Louis participants to program partners for a period of three years between January 17, 2014 and January 9, 2017. The correct protocol for emailing sensitive data has now been adopted and staff members have been re-educated and instructed to only send sensitive data via...

Unencrypted Backup Drive Containing 7 Years of PHI Stolen from Denton Heart Group
Mar 14

The danger of storing unencrypted protected health information has been highlighted by a recent security incident reported by Texas-based Denton Heart Group – a member of the Health Texas Provider Network. A hard drive containing 7 years of EHR backup data was recently discovered to have been stolen. While the device was stored in a locked closet, the data on the device were not encrypted. The breach report submitted to the Department of Health and Human Services’ Office for Civil Rights indicates 21,665 individuals were impacted by the breach. The backup files contained a treasure trove of patient data including names, addresses, phone numbers, dates of birth, Social Security numbers, driver’s license numbers, medical record numbers, insurance provider names and policy numbers, physicians’ names, clinic account numbers, medical diagnoses, lab test results, medications and other clinical data. The backups were made between 2009 and 2016. The theft was discovered by the medical group on January 11, 2017, although the device was believed to have been stolen on or around December...

Server Compromise at Tarleton Medical: PHI Potentially Accessed
Mar 14

Hacking continues to be a leading cause of healthcare data breaches. There have been 55 data breaches reported to the Department of Health and Human Services’ Office for Civil Rights (OCR) as of March 13, 2017, a quarter of which were attributed to hacking. While unauthorized access/disclosure is the leading cause of healthcare data breaches in 2017 with 44% of the total number of reported breaches, hacking incidents have exposed more records. 260,277 patient and health plan member records have been compromised in hacking incidents – 60% of the total number of healthcare records exposed in 2017. The two largest healthcare data breaches of the year to date and seven of the top ten healthcare data breaches of 2017 were due to hacking. A network server was compromised in all of those incidents. The largest hacking incident of 2017 impacted 85,995 patients of VisionQuest Eyecare of Indiana. The second largest incident, which impacted 79,930 individuals, was reported by Emory Healthcare and involved a hacked MongoDB database. Hacked Network Server Discovered by CA-Based Tarleton Medical...

Virginia Commonwealth University Health System Discovers 3-Year HIPAA Breach
Mar 13

For the past three years, the electronic medical records of patients of Virginia Commonwealth University Health System have been inappropriately accessed by employees of physician groups. In total, around 2,700 individuals, many of whom were children, have had their medical records viewed and their privacy violated. VCU Health System provides access to patients’ medical records to community physician groups and contracted vendors. Community physicians are able to share patients’ medical records with the VCU Health System to ensure continuity of care when referring patients. Contractors that provide medical equipment to patients are similarly given access to medical records. However, VCU Health System discovered ‘an unusual pattern of accessing medical records’ in January. Further investigation revealed individuals were accessing patients’ medical records without any legitimate business reason for doing so and that records had been accessed for a period of more than three years. The first privacy breach occurred on January 3, 2014 and inappropriate access continued until January 10,...

Email Error Impacts 6,500 Saliba’s Extended Care Pharmacy Patients
Mar 10

Saliba’s Extended Care Pharmacy in Phoenix, Arizona is alerting more than 6,500 patients to an accidental disclosure of some of their protected health information (PHI). Copies of invoices for December 2016 were sent via Saliba’s Pharmacy’s encrypted email platform to the wrong patients in January. While there is no chance that the emails could have been intercepted by unauthorized individuals, the emails were opened by three patients or their representatives. The incident occurred on January 12, 2017, and Saliba’s Pharmacy discovered the error four days later on January 16. Since HIPAA Rules and patient privacy were accidentally violated, breach notification letters were sent to patients on March 3 to alert them to the incident. Patients have been advised to exercise caution and check their explanation of benefits statements and Saliba’s Pharmacy statements for signs of misuse. However, no reports of any misuse of the information have been received by Saliba’s Pharmacy and the risk of PHI misuse as a result of this impermissible disclosure is believed to be very low. Patients...

Sharp Healthcare Says Stolen Devices Contained PHI of Patients
Mar 06

A computer and an external storage drive have been discovered to have been stolen from San Diego-based healthcare provider Sharp Healthcare. The devices were taken from a locked cabinet in an access-controlled patient treatment area of the Sharp Memorial Outpatient Pavilion in Kearny Mesa in San Diego, CA. It is not known when the devices were taken, although they were discovered to be missing on February 6, 2017. The devices were used to store the data of patients who had undergone wellness screening as part of blood pressure and cardiac health studies performed at the outpatient center. The types of data stored on the devices include patients’ full names, ages, dates of birth, medications currently being taken, a summary of the studies that were being performed and family health histories. The devices were not encrypted, so it is possible that the patient health information stored on both devices could be accessed by unauthorized individuals. An internal investigation was conducted when the devices were discovered to be missing and efforts were made to locate the devices,...

Improper Disposal of PHI Discovered by Minneapolis Heart Institute
Mar 06

A member of a cleaning crew at the Minneapolis Heart Institute at Abbott Northwestern Hospital accidentally disposed of documents containing PHI with regular trash. Minneapolis Heart Institute has policies and procedures in place that require all documents containing sensitive patient health information to be securely destroyed in accordance with HIPAA Rules. However, a member of the cleaning team was discovered to have emptied a trash container from a physician’s private office before documents could be securely shredded. The incident was discovered on January 20, 2017, although not in time for the documents to be recovered and securely destroyed. The documents had been emptied into a bin bag which was placed in a regular recycling dumpster at the hospital. It is unclear at this stage how many individuals have been impacted, although as a precaution, the Minneapolis Heart Institute is notifying all patients who were part of the physician’s service group between April 17, 2016 and January 17, 2017. Those individuals have been offered credit monitoring and identity theft protection...

Healthcare Employee Accessed ePHI Without Authorization for 5 Years
Mar 06

Healthcare professionals must have access to the protected health information of patients in order to provide medical care and perform healthcare operations. Since access to data can be abused by rogue employees, it is essential that controls are put in place to alert healthcare organizations rapidly when improper access occurs. Rapid identification of improper access can greatly reduce the harm caused. In many cases, improper access is discovered during routine audits of access and application logs. When those audits are conducted on an annual basis, employees may be found to have been improperly accessing patient data for many months. Last month, Chadron Community Hospital and Health Services in Nevada discovered that a rogue employee had been accessing ePHI without any legitimate work reason for doing so. What makes this incident stand out is how long access had been allowed to continue before it was discovered. An investigation conducted by the healthcare provider revealed that the improper access had gone unnoticed for more than 5 years. During that time, the records of more...

Vendor Configuration Error Results in Exposure of 14,000 Individuals’ ePHI
Mar 06

A major breach of electronic protected health information has been discovered by Universal Care, dba Brand New Day – a Medicare-approved health plan. On December 28, 2016, Brand New Day became aware that an unauthorized individual had gained access to ePHI provided to one of its HIPAA business associates. Access to ePHI was gained via a third-party vendor system used by Brand New Day’s contracting provider six days previously, on December 22, 2016. The breach notification submitted to the California attorney general does not indicate whether the ePHI of plan members was stolen, although the data were accessed and a criminal investigation into the breach has been launched by law enforcement. The types of data accessed include plan members’ names, addresses, phone numbers, dates of birth and Medicare ID numbers. Upon discovery of the incident, Brand New Day immediately launched an investigation and contacted its vendor to ensure that access to ePHI was immediately terminated. The vendor was informed that someone had improperly accessed plan members’ data and rapid action was taken to...

North Carolina Department of Health and Human Services Email Breach Impacts 12,700
Feb 28

The North Carolina Department of Health and Human Services has announced that the names, addresses, and Medicaid numbers of 12,731 patients were exposed as a result of an email error. The data were sent via email to adult care homes last year, but the emails were not encrypted. Potentially, the emails could have been intercepted and the data obtained by individuals unauthorized to view the information. The emails were sent on November 30, 2016 and the Department of Health and Human Services’ Office for Civil Rights has now been notified of the incident. No mention has been made of when the incident was discovered. This is the third such incident of this nature to have affected the NC Department of Health and Human Services in the past 38 months. On December 30, 2013, 49,000 Medicaid cards of minors were accidentally mailed to incorrect recipients, exposing Medicaid numbers, names and birth dates. The privacy breach was attributed to human error. Two years later, 1,615 patients were impacted when an unencrypted email containing was sent to the Granville County Health Department. The...

Vanderbilt University Medical Center Employees Inappropriately Accessed 3,000 Patients’ PHI
Feb 27

Two employees of Vanderbilt University Medical Center have been discovered to have inappropriately accessed the medical records of more than 3,000 patients. The inappropriate ePHI access was discovered during a routine audit of access logs, a requirement of the Health Insurance Portability and Accountability Act (HIPAA). While the HIPAA Security Rule requires audit logs to be regularly reviewed by HIPAA-covered entities, in this case the inappropriate accessing of ePHI continued for 19 months before it was detected. Vanderbilt University Medical Center first became aware of inappropriate ePHI access on December 27, 2016, prompting a full audit of access logs. That audit revealed that two patient transporters at the medical center had viewed more information than was necessary in order for them to perform their work duties. The employees were required to move patients between treatment rooms and hospital floors. The pair were discovered to have first started viewing patients’ protected health information in May 2015. Medical records of patients continued to be accessed until December...

Berkeley Medical Center Employee Inappropriately Accessed 7,445 Patients’ Records
Feb 27

A Berkeley Medical Center employee has been discovered to have inappropriately accessed the electronic protected health information of more than 7,400 patients over a period of 10 months. WVU Medicine University Healthcare discovered the inappropriate accessing of ePHI by an employee of the Berkeley Medical Center on January 17, 2017 after being alerted to potential data theft by law enforcement. A joint investigation into the employee had been conducted by the FBI and the Berkeley County Sheriff’s Department. As soon as WVU Medicine University Healthcare became aware of the incident, an internal investigation was launched. Two days later, the employee was suspended pending the outcome of the investigation. Information provided to the healthcare provider from law enforcement linked the employee with 113 former patients who had suffered identity theft. The healthcare worker had been employed by WVU Medicine University Healthcare since March 2004 and was required to schedule appointments for patients at both the Berkeley Medical Center in Martinsburg, WV and Jefferson Medical Center...

Theft, Hacking, Ransomware and Improper Accessing of ePHI – Attacks Coming from All Angles
Feb 23

Theft, hacking, ransomware, and improper ePHI access by employees – the past few days have seen a diverse range of healthcare data breaches reported. St. Joseph’s Hospital and Medical Center in Arizona, Family Service Rochester of Minnesota, and the University of North Carolina have all reported potential breaches of patients’ ePHI, while Lexington Medical Center in South Carolina has announced that the sensitive data of its employees have been viewed.

University of North Carolina Reports Theft of Dental Patients’ ePHI

A laptop computer and an SD memory card from a digital camera have been stolen from the car of a postgrad dental resident of the University of North Carolina School of Dentistry. While the devices should have had a number of security measures installed to prevent improper data access, UNC has been unable to confirm whether that was the case. The breach may have resulted in the exposure of around 200 patients’ personal information including full face photographs (without any other PHI), names, dates of birth, dental record numbers, treatment plans, dental and health...

Horizon BCBS of New Jersey Pays $1.1 Million for HIPAA Violation
Feb 21

The New Jersey Division of Consumer Affairs recently announced that Horizon Blue Cross Blue Shield of New Jersey (Horizon BCBSNJ) has agreed to pay a $1.1 million fine for failing to protect the electronic protected health information of almost 690,000 plan members. The Health Insurance Portability and Accountability Act (HIPAA) requires covered entities to implement administrative, technical and physical safeguards to protect the ePHI of patients and health plan members. While data encryption is not a mandatory technical safeguard, it is an addressable specification. Covered entities must therefore consider the use of encryption technologies to protect ePHI at rest and in motion. If data encryption is not chosen, alternative security measures must be implemented that offer an equivalent level of protection. Covered entities are required to conduct a comprehensive risk analysis to identify potential risks to the confidentiality, integrity and availability of PHI. If laptop computers are used to store the ePHI of patients or plan members, a risk assessment should show that there is a risk of...

Three Breaches of Physical Medical Records Impact at Least 4,100 Individuals
Feb 20

Three healthcare organizations have recently reported security breaches involving the theft/exposure of physical protected health information. While it is currently unclear exactly how many healthcare patients have been impacted, at least 4,100 individuals are known to have been affected. According to police reports, the total could be as high as 8,000 individuals. The largest confirmed breach has impacted 2,953 employees and residents of Catalina Post-Acute and Rehabilitation of Tucson, AZ. The nursing home and rehabilitation center discovered that documents containing the sensitive information of residents and employees had been left unattended and unprotected in a location accessible by the public. A range of sensitive information was detailed in the documents including names, demographic information, Social Security numbers and medical diagnoses. An internal investigation of the incident was conducted to determine how the information was exposed and the potential for that information to have been inappropriately accessed. No evidence was uncovered to suggest any information had...

Faxing Error Sees PHI Sent to Local Media Outlet
Feb 16

Seven doctors’ offices in the Fort Worth area of Texas accidentally faxed patients’ protected health information to the wrong fax number. The faxes contained a range of highly sensitive patient information including names, dates of birth, Social Security numbers, medical histories and much more. While such a mistake could potentially see patients’ health information fall into the hands of criminals, in this case the errors saw the faxes sent to local media outlet WFAA. The faxes received by WFAA related to at least 28 separate patients and should have been sent to Baylor Surgicare of Oakmont. The fax number used by the Fort Worth medical facility was identical to WFAA’s except for a single digit. In this case, the seven doctors’ offices were contacted and informed of the error and the faxes were securely destroyed, although the incident shows how easy it is for sensitive patient data to be sent to incorrect recipients by fax. While an incident such as this is unlikely to result in a HIPAA violation penalty from the Department of Health and Human Services’ Office for Civil Rights,...

South Fulton Mental Health Center Discovers Dumped Medical Records
Feb 15

Late last week, South Fulton Mental Health Center in Georgia discovered highly sensitive patient health records had been improperly disposed of in a dumpster that was accessible by the public. A statement released by the clinic shortly after the records were discovered confirmed that an investigation had been launched into the HIPAA breach. “A preliminary review suggests that a staff member did not secure the files properly” during the move from the South Fulton Mental Health Center. The files have now been retrieved and secured, although they were accessed by at least one individual. CBS46 was tipped off about the dumped records and a reporter was able to retrieve some documents from the dumpster before they were secured. The documents viewed by the CBS46 reporter contained patients’ names, Social Security numbers and other sensitive information. An internal investigation into the incident is ongoing. While it is possible that an employee made an error and either left the records unsecured or accidentally dumped the records, this is now being viewed as a deliberate act. Fulton...

Covered Entities Flirting with Fines for Late Data Breach Reports
Feb 14

Last month, the Department of Health and Human Services’ Office for Civil Rights sent a message to covered entities regarding the late reporting of data breaches with the announcement of a settlement with Chicago-based healthcare network Presence Health. The settlement was the first reached with a covered entity purely to resolve HIPAA Breach Notification Rule violations. Presence Health had delayed the issuing of breach notification letters to patients. Presence Health agreed to settle with OCR for $475,000 to resolve the potential HIPAA violations. However, since the announcement was made, there have been a number of instances where covered entities have unnecessarily delayed the issuing of breach notification letters to patients and data breach reports to OCR. The January Breach Barometer – released by Protenus yesterday – indicates 40% of data breaches reported in January 2017 had notifications sent outside of the timescale required by the Health Insurance Portability and Accountability Act’s Breach Notification Rule. The loss, theft, or exposure of patients’...

Summary of January 2017 Healthcare Data Breaches Released
Feb 14

Protenus, in conjunction with databreaches.net, has released a summary of January 2017 healthcare data breaches. The report shows that 2017 started where 2016 left off, with similarly high numbers of healthcare data breaches reported. January 2016 saw the lowest number of data breaches of any month in 2016 (21) and also the lowest number of records exposed of any month in the year (104,056 records). 2017 did not start nearly as well. While lower than the average monthly breaches for 2016 (37.5), January saw 31 healthcare data breaches disclosed. Those breaches resulted in the exposure of 388,307 patient and health plan member records. The largest healthcare data breach of January 2017 affected CoPilot Provider Support Services, Inc. The breach impacted 220,000 individuals. However, the breach actually occurred in October 2015, with CoPilot discovering the incident two months later in December 2015. The Department of Health and Human Services’ Office for Civil Rights was only notified of the incident last month, well outside the 60-day deadline for reporting breaches. That was a...

Automatic Email Forwarding Rule Sent 1,700 Patients’ PHI to Employee’s Personal Account
Feb 09

Health Department officials in Multnomah County, OR, have discovered that an employee set up an automatic mail forwarder on an email account that sent all email correspondence to a personal Google email account for a period of around three months. The emails were forwarded to an account outside the control of Multnomah County, in violation of the Health Insurance Portability and Accountability Act. Since the employee works in the Health Department, emails sent to that individual’s official email account contained a range of patients’ electronic protected health information (ePHI). The ePHI included first and last names, ages, medical record numbers, medical diagnoses, dates of service, medication names and prescription numbers. The email forwarder was discovered during a random audit that was conducted on November 22, 2016. An internal investigation into the incident revealed that the ePHI of 1,700 patients was exposed. The investigation did not uncover any evidence to suggest that any of the forwarded emails had been opened or read, but the possibility that ePHI was...

Singh and Arora Oncology Hematology Breach Notifications Sent After 5 Months
Feb 09

A Singh and Arora Oncology Hematology breach is finally being communicated to individuals who had their electronic protected health information exposed, although it has taken 5 months for those letters to be sent. The Health Insurance Portability and Accountability Act’s (HIPAA) Breach Notification Rule requires covered entities – healthcare providers, health plans, healthcare clearinghouses, and business associates of covered entities – to send breach notification letters to patients within 60 days of the discovery of an ePHI breach. The Department of Health and Human Services’ Office for Civil Rights (OCR) must also be notified of a breach in the same timeframe. However, in the case of the Singh and Arora Oncology Hematology breach, the Flint, MI-based cancer treatment center discovered that its systems had been breached on August 22, 2016. While OCR was notified of the breach on October 21, 2016, patients have only just started receiving their letters. The Singh and Arora Oncology Hematology breach actually occurred between February 27, 2016 and July 14, 2016. An...

Hacker Gains Access to Records of 4,668 Princeton Pain Management Patients
Feb 08

Princeton Pain Management, a healthcare provider specializing in the management of chronic pain, has reported that a hacking incident impacted 4,668 of its patients. The breach affects individuals who visited its medical centers in New Jersey, Pennsylvania, and New York for treatment. It is not known for how long the hacker had access to Princeton Pain Management’s systems, although the breach was discovered on November 28, 2016. Upon discovery of the breach, a cybersecurity firm was retained to conduct a thorough forensic investigation to determine how access to its systems had been gained, the types of information that were potentially accessed, and which patients were impacted. An internal investigation into the breach was also launched. The investigation revealed that a wide range of sensitive electronic protected health information (ePHI) had potentially been accessed, including names, telephone numbers, addresses, birth dates, Social Security numbers, driver’s license numbers, Medicare numbers, government identification numbers, diagnostic information, treatment information,...

WellCare Health Reports Security Breach Affecting 24,800 Patients
Feb 08

In August 2016, Summit Reinsurance Services experienced a data breach affecting a number of its healthcare clients. Highmark Blue Cross Blue Shield of Delaware was informed in early January that 19,000 of its members were impacted by the breach. Now, WellCare Health Plans has announced that 24,809 of its members have also been impacted by that security incident. Summit Reinsurance Services had previously been contracted by WellCare to provide reinsurance services. WellCare no longer uses SummitRe as its reinsurance service provider, although the breach dates back to before WellCare’s association with the company was terminated. WellCare was informed on December 27, 2016 that a ransomware infection had occurred at SummitRe on August 8, 2016 and that its members’ electronic protected health information had potentially been accessed by the attacker. The ransomware encrypted a range of sensitive data including names, member IDs, home addresses, dates of birth, Social Security numbers, medical diagnoses and provider names and locations. While many ransomware infections occur randomly as...

Read More
Verity Health System Announces Details of 10K-Record Data Breach
Feb07

Verity Health System – a Redwood City-based Californian health system comprising six hospitals, the Verity Medical Foundation, and the Verity Physician Network – has discovered that one of its websites was breached by a hacker who gained access to the electronic protected health information (ePHI) of thousands of its former patients. The unauthorized individual accessed a Verity Medical Foundation (San Jose) Medical Group website that contained a wide range of protected health information on “more than 9,000 patients”. Verity Health System discovered that its systems had been breached on January 6, 2017. An investigation into the breach was immediately launched and a third-party cybersecurity firm was brought in to conduct a full forensic analysis. That analysis determined that access to the website was first gained in October 2015 and continued until early January 2017. Verity Health System reports that Social Security numbers were not stored on the website and that no financial information was viewed apart from the last four digits of credit/debit card numbers. The website...

Read More
Family Medicine East, Chartered Alerts 6,800 Patients to ePHI Exposure
Feb06

Family Medicine East, Chartered of Wichita, KS, has reported the theft of a computer from its Rock Road facilities. Thieves broke into the locked clinic on December 8, 2016 and stole a desktop computer and a printer. The computer, which was unencrypted, contained the protected health information of almost 7,000 patients. Law enforcement was notified of the break-in and theft, although the individual(s) responsible have not been apprehended and the stolen computer has not been recovered. The data on the computer were backed up so the theft has not resulted in the loss of any ePHI although an investigation of data backups did reveal that a considerable number of images and office notes were stored on the device. The medical notes were mostly transcriptions of dictated physicians’ notes and related to patients that had visited Family Medicine East, Chartered for medical services between 2003 and 2004. The notes contain details of what was discussed during patients’ appointments and included patients’ names, birth dates, appointment dates, physician’s names, symptoms, details of...

Read More
$3.2 Million HIPAA Civil Monetary Penalty for Children’s Medical Center of Dallas
Feb02

The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced that Children’s Medical Center of Dallas has paid a civil monetary penalty of $3.2 million to resolve multiple HIPAA violations spanning several years. It is relatively rare for a HIPAA-covered entity to pay a civil monetary penalty to resolve HIPAA violations discovered during OCR data breach investigations. In the vast majority of cases when serious violations of the Health Insurance Portability and Accountability Act are discovered by OCR investigators, the covered entity in question enters into a voluntary settlement with OCR. Typically, this sees the covered entity pay a lower amount to OCR to resolve the HIPAA violations. OCR attempted to resolve the matter via informal means between November 6, 2015 and August 30, 2016, before issuing a Notice of Proposed Determination on September 30, 2016. In the Notice of Proposed Determination, OCR explained that Children’s Medical Center of Dallas could file a request for a hearing, although no request was received. Consequently,...

Read More
Email Account Compromised: 1,200 MultiCare Patients’ ePHI Exposed
Jan27

The Tacoma, WA-based MultiCare Health System has announced that the email account of one of its employees has been compromised by a hacker following a successful phishing attack. The five-hospital health system issued a statement yesterday about the email security breach confirming patients’ protected health information had been compromised. It is unclear when access to the email account was first gained, although the email security breach was discovered by MultiCare Health on November 27, 2016. An investigation into the breach was immediately launched and rapid action was taken to secure the health system’s email accounts, including resetting passwords on all email accounts. However, the investigation revealed that only one email account had been compromised. An analysis of the email account revealed that emails contained the ePHI of 1,200 former and current patients. Data potentially accessed by the attacker included patients’ names, addresses, dates of birth, genders, dates of service, account balances, and diagnosis and treatment information. MultiCare has confirmed that the...

Read More
Hospital Employee Discovered to Have Improperly Accessed 6,200 Patient Records
Jan26

Covenant HealthCare has notified more than 6,000 patients that their electronic medical records were inappropriately accessed by one of its employees. The improper access was discovered during a November 2016 audit of EMR access logs. The audit revealed an unusual pattern of medical record access by a single employee. Covenant HealthCare immediately ordered a full review of ePHI access by the employee to determine which medical records had been accessed and whether there was any legitimate reason for those records to have been viewed. The review revealed that the Covenant HealthCare employee first started improperly accessing its electronic medical record system on February 1, 2016. The improper access continued for nine months until November 21, 2016 and involved 6,197 patients. A range of data were potentially viewed including patients’ names, dates of birth, home addresses, health insurance information, diagnostic and treatment information, medical record numbers, Social Security numbers and driver’s license numbers. Covenant HealthCare spokesperson Kristin Knoll said in a...

Read More
Mailing Error Sees 1,126 Letters Sent to Patients’ Previous Addresses
Jan26

A ‘software glitch’ has resulted in billing statements and other communications sent by TriHealth of Cincinnati being mailed to patients’ former addresses. The privacy breach was discovered in November 2016, and impacts 1,126 TriHealth patients. The glitch caused current addresses to be substituted with former addresses. In some cases, mail may have been forwarded on to the correct address, although TriHealth was unable to determine whether this was the case.  Letters have now been mailed to the correct addresses and affected patients have been notified of the error by mail. The error affected mailings of billing statements, appointment reminder letters, and other correspondence between November 15, 2015 and January 12, 2017 when the error was discovered. Individuals affected by the error had all mailings directed to wrong addresses between those dates. The types of protected health information contained in the mailings varied from patient to patient. PHI that was potentially exposed was limited to patients’ names, visit dates, descriptions of medical service provided, places of...

Read More
South Carolina Hospital Reports Loss of Camera Containing Babies’ PHI
Jan25

Roper St. Francis Mount Pleasant Hospital in South Carolina has discovered that a digital camera used to take photographs of newborn babies has been lost and potentially stolen. As is recommended by the National Center for Missing and Exploited Children, photographs of newborn babies are taken by hospital staff for security reasons. In the event that a baby goes missing, the digital images can be used for identification purposes. According to hospital spokesperson Andy Lyons, the camera was stored in a secure location in the hospital not accessible by the general public. Following the discovery that the camera was missing, an extensive search of the hospital was conducted, although the missing camera has not yet been located. The camera stored images on a memory card which was in the device when it went missing. The memory card is believed to contain the images of approximately 500 babies born at the hospital between November 2015 and November 2016. The photos also contained physicians’ names, the birthdate of each baby, and the babies’ names. Parents of the babies are being...

Read More
ePHI Improperly Accessed, Copied, and Lost by Employee
Jan25

The protected health information of 600 individuals who received treatment for mental health disorders and/or substance abuse at a Baltimore treatment center has been compromised. On November 28, 2016, Complete Wellness discovered that highly confidential information had been accessed and copied onto a flash drive without authorization. Even though the treatment center was able to identify the individual responsible, it was not possible to recover the drive as the device was allegedly lost by the employee. While no reports of misuse of the information contained on the device have been received by Complete Wellness, the possibility remains that the drive has been found and patient data accessed. Data stored on the device included patients’ names, phone numbers, home addresses, email addresses, ages and dates of birth, languages spoken, ethnicity, race, marital statuses, the names of primary care physicians, emergency contact information, level of education, employer information, hurricane victim status, living situation, arrest history, military service information, and whether...

Read More
Theft of Unencrypted Laptop Exposes Wonderful Health & Wellness Patients’ ePHI
Jan24

Los Angeles-based Wonderful Health and Wellness has notified patients that their electronic protected health information (ePHI) was exposed in early December 2016 when an unencrypted laptop computer was stolen from the company’s Wonderful Center for Health Innovation. Staff at the Center discovered the laptop computer was missing on December 12 when they returned to work after the weekend, with the theft having occurred at some point between December 9 and 12. The theft was immediately reported to law enforcement, although the device has not been recovered. The laptop contained a range of protected health information including patients’ names along with their home addresses, telephone numbers, dates of birth, email addresses, clinical account numbers, medical conditions, treatment information, treatment dates, and test results. No Social Security numbers or financial information were stored on the device. While the laptop computer was not encrypted, software had been installed which allows data on the device to be remotely deleted, although only if the laptop is used to connect to...

Read More
Court of Appeals Rules Horizon BCBS Class Action Has Standing Without Evidence of ID Theft
Jan24

The United States Court of Appeals for the Third Circuit has ruled that a class action lawsuit filed by customers of Horizon Blue Cross Blue Shield whose protected health information was exposed when two laptop computers were stolen from its New Jersey offices does have standing, even without proof of harm. The case had previously been dismissed by U.S. District Judge Claire Cecchi. The incident which led to the lawsuit occurred between November 1 and 3, 2013. Two unencrypted laptop computers containing the personal information of 839,000 plan members were stolen from Horizon BCBS’s headquarters in Newark, NJ. Stored on the laptops were names, addresses, birth dates, Social Security numbers, medical histories, demographic data, lab test results, insurance information, and other care-related data. Four plaintiffs – Courtney Diana, Karen Pekelney, Mark Meisel, and Mitchell Rindner – are named on the lawsuit, which was filed on behalf of themselves and other customers whose personal information was exposed. The complainants maintain that the laptop computers were targeted...

Read More
CoPilot Provider Support Services Alerts 220,000 Patients to Historic ePHI Incident
Jan23

An unauthorized individual has accessed and downloaded the highly sensitive information of approximately 220,000 osteoarthritis patients from a website database maintained by CoPilot Provider Support Services. The website is used by physicians to determine whether ORTHOVISC® and MONOVISC® injections are covered by patients’ health insurance. The information entered via the website is added to a database maintained by CoPilot. That database was downloaded by an unauthorized individual, although according to a breach notice issued by CoPilot, the database was not accessible to the general public at any point. While not explicitly stated in the breach notice, the wording suggests that the individual responsible for the breach was a former employee. CoPilot believes it identified the person responsible and details of its investigation were passed to law enforcement.  CoPilot reports that the law enforcement investigation confirmed CoPilot’s conclusions to be correct. While it is possible that data were accessed and downloaded with malicious intent, CoPilot does not believe the...

Read More
Hacking Group Attempts to Extort Funds from Cancer Services Provider
Jan20

TheDarkOverlord has struck again; this time the victim was a small Indiana cancer charity. The attack occurred on January 11 and was accompanied by a 50 Bitcoin ($43,000) ransom demand. Little Red Door Cancer Services of East Central Indiana was threatened with the publication of confidential data if the ransom was not paid. The charitable organization provides a range of services to help victims of cancer live normal lives during treatment, recovery, and at end of life. Little Red Door provides an invaluable service to cancer patients in East Central Indiana, with its limited funds carefully spent to provide the maximum benefit to cancer patients and their families. The payment of a $43,000 ransom would have had a significant impact on the good work the organization does, and would have taken funding away from the people who need it most. Little Red Door followed the advice of the FBI and refused to pay. Little Red Door spokesperson, Aimee Fant, issued a statement saying the organization “will not pay a ransom when all funds raised must instead go to serving families, all stage...

Read More
Protenus Releases 2016 Healthcare Data Breach Report
Jan20

Protenus, in conjunction with Databreaches.net, has published its 2016 healthcare data breach report, summarizing the hacks and mishaps that have resulted in patient and health plan members’ protected health information being exposed or stolen. Fortunately, 2016 has not seen the mega data breaches of 2015, although it has been far from a good year. More than 27 million healthcare records were stolen in 2016 across 450 reported data breaches. The total number of breached records may be down year on year, but the total number of incidents has increased. 2016 has been the worst year for healthcare industry breaches since records first started being kept. The Protenus 2016 healthcare data breach report includes data breaches that have already been reported to the Department of Health and Human Services’ Office for Civil Rights, in addition to those that have been disclosed to the media but not yet uploaded to the OCR breach portal. In total, there were 27,314,647 individuals affected by healthcare data breaches in 2016, with detailed information available for 380 of the 450 incidents....

Read More
$2.2 Million Settlement for Impermissible Disclosure of ePHI
Jan19

The U.S. Department of Health and Human Services’ Office for Civil Rights has agreed to a $2.2 million settlement with MAPFRE Life Assurance Company of Puerto Rico – a subsidiary of MAPFRE S.A., of Spain – to resolve potential noncompliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The settlement relates to the impermissible disclosure of the electronic protected health information of 2,209 patients in 2011. On September 29, 2011, a portable USB storage device (pen drive) was left overnight in the IT Department, from where it was stolen. The device contained a range of patients’ ePHI, including full names, Social Security numbers and dates of birth. The device was not protected by a password and data on the device were not encrypted. MAPFRE Life reported the device theft to OCR, which launched an investigation to determine whether HIPAA Rules had been violated, as is customary with all breaches of ePHI that impact more than 500 individuals.

Multiple Areas of Noncompliance with HIPAA Rules Discovered

During the course of the investigation,...

Read More
Potential ePHI Breach Impacts 3,600 Children’s Hospital Los Angeles Patients
Jan18

3,594 patients of Children’s Hospital Los Angeles (CHLA) and Children’s Hospital Los Angeles Medical Group (CHLAMG) are being notified of a potential breach of their electronic protected health information following the theft of an unencrypted, password-protected laptop computer. The laptop was stolen from the locked vehicle of a CHLAMG employee who practices at CHLA. The theft is understood to have occurred on October 18, 2016. CHLAMG encrypts its laptop computers, and while the investigation into the breach initially indicated the laptop had been encrypted to institutional standards, on December 21, 2016, CHLA determined that there was a possibility that the device had not been encrypted. Typically, laptops are stolen by thieves for the value of the device, not for data stored on the devices. Laptops are wiped, have software reinstalled, and are sold on. While it cannot be confirmed that this was the case in this instance, CHLA investigators were able to determine that the laptop computer has not been used to connect to the Internet since it was stolen, suggesting the device was...

Read More
Sentara Healthcare Informs 5,454 Patients of ePHI Breach
Jan18

Sentara Healthcare is notifying 5,454 patients that some of their electronic protected health information has been accessed by an unauthorized individual. It is unclear when the cybersecurity incident occurred, although law enforcement informed Sentara Healthcare of the security breach on November 17, 2016. Sentara Healthcare launched an investigation into the potential data breach in November and determined that the cybersecurity incident was experienced by one of its third party vendors. Sentara has not disclosed which vendor was attacked, nor whether the incident was an internal breach involving one of the vendor’s employees or if patient data were accessed by a hacker. The data breach affects vascular and thoracic patients who received medical services at Sentara Healthcare’s Virginia hospitals between 2012 and 2015. Patients have been notified of the data breach by mail and have been told that highly sensitive protected health information was inappropriately accessed. The information viewed – and potentially copied – by an unauthorized third party includes patients’ names,...

Read More
Highmark BCBS of Delaware Investigates Data Breach Affecting 19,000 Individuals
Jan17

Highmark BlueCross BlueShield of Delaware is investigating a data breach that has impacted 19,000 beneficiaries of employer-paid health plans. The data breach involves two subcontractors of Highmark BCBS – Summit Reinsurance Services and BCS Financial Corporation. Karen Kane, Highmark BCBS director of privacy and information management, issued a statement saying 16 current and former Highmark self-insured customers have been impacted. Affected individuals have now been notified of the breach by mail. The breach notification letters were sent by Summit Reinsurance Services (SummitRe). In the letters, consumers were informed that some of their highly sensitive protected health information had potentially been accessed by unauthorized individuals. A ransomware infection was discovered by SummitRe on August 5, 2016, although a forensic analysis of the cyberattack revealed that access to Summit’s systems was first gained on March 12, 2016. SummitRe stated in the letters that the forensic investigation into the breach is ongoing, although no direct evidence has been uncovered to suggest...

Read More
Brandywine Pediatrics Alerts 27,000 to Potential ePHI Breach
Jan17

Wilmington, DE-based healthcare provider Brandywine Pediatrics, P.A. has informed tens of thousands of its patients that some of their protected health information has potentially been accessed by an unknown individual. The security breach involved a computer virus, which was discovered on one of the organization’s file servers. While it has not been explicitly stated that the virus was ransomware, Brandywine Pediatrics has informed patients that the virus rendered ePHI inaccessible. In order to regain access to files it was necessary to restore files from data backups. The virus infection was discovered on October 25, 2016, sparking a full investigation. A third-party computer forensics expert was contracted to conduct an investigation. That investigation revealed that a number of practice files containing ePHI had potentially been accessed. Sensitive data in the files included names, addresses, medical information, and health insurance details of patients. Brandywine Pediatrics has confirmed that Social Security numbers, credit card/debit card numbers and financial data were not...

Read More
OCR HIPAA Enforcement: Summary of 2016 HIPAA Settlements
Jan12

The Department of Health and Human Services’ Office for Civil Rights has stepped up its enforcement activities in recent years, and 2016 HIPAA settlements were at record levels. In total, payments of $22,855,300 were made to OCR in 2016 to resolve alleged HIPAA violations. Seven settlements were in excess of $1,500,000. In 2016, OCR settled alleged HIPAA violations with 12 healthcare organizations. Last year also saw an Administrative Law Judge rule that civil monetary penalties previously imposed on a covered entity – Lincare Inc. – by OCR were lawful, bringing the total to thirteen for 2016. Lincare was only the second healthcare organization required to pay a civil monetary penalty for violations of the Health Insurance Portability and Accountability Act. All other organizations opted to settle with OCR voluntarily. Financial penalties are not always appropriate. OCR prefers to settle potential HIPAA violations using non-punitive measures. Financial penalties are reserved for the most severe violations of HIPAA Rules, when widespread non-compliance is discovered, or in cases...

Read More
Atmore Community Hospital Employee Inappropriately Accessed 1,000 Patient Records
Jan12

A routine audit of PHI access logs has revealed that a former employee of Atmore Community Hospital in Alabama accessed the electronic health information of approximately 1,000 patients without authorization over a period of 13 months. The audit was conducted by Infirmary Management Services, Inc, which manages the hospital. The privacy violations were discovered to have occurred between October 3, 2015 and November 11, 2016. Fortunately, the information accessed was limited and no financial information, Social Security numbers or medical records were viewed, although the individual did view names of patients, their admission dates, and hospital flowsheets. Data access was permitted in order for the employee to complete work duties, but despite having received training on HIPAA Rules and hospital policies covering patient privacy, the individual viewed patients’ protected health information when there was no legitimate work reason for doing so. The access is believed to have occurred out of curiosity and no information is thought to have been copied or distributed to any other...

Read More
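Both the Covenant HealthCare and the Atmore Community Hospital cases above were caught by audits of EMR access logs that looked for access with no legitimate work reason. The following is an added example, not code from HIPAA Journal or from either hospital, of the two checks such an audit commonly runs: a user viewing far more distinct patients in a day than peers in the same role, and views of patients on units the user is not assigned to. The log format, the user-to-unit assignments, the thresholds and the sample log itself are all constructed for illustration.

```python
"""
Added example, not code from HIPAA Journal, Covenant HealthCare or Atmore
Community Hospital: a minimal audit of EMR access logs that surfaces the two
patterns those audits caught. The log format, the user-to-unit assignments
and the thresholds are assumptions.
"""
import csv
import io
import statistics
from collections import defaultdict

# Constructed sample log (not real data): timestamp,user,role,patient,patient_unit,action
SAMPLE_LOG = """\
timestamp,user,role,patient,patient_unit,action
2016-11-15T08:02:00,U100,nurse,MRN001,3W,view
2016-11-15T08:10:00,U100,nurse,MRN002,3W,view
2016-11-15T08:15:00,U101,nurse,MRN002,3W,view
2016-11-15T08:40:00,U101,nurse,MRN003,3W,view
2016-11-15T09:00:00,U102,nurse,MRN010,ICU,view
2016-11-15T09:05:00,U102,nurse,MRN011,ICU,view
2016-11-15T12:01:00,U103,nurse,MRN001,3W,view
2016-11-15T12:02:00,U103,nurse,MRN003,3W,view
2016-11-15T12:03:00,U103,nurse,MRN010,ICU,view
2016-11-15T12:04:00,U103,nurse,MRN011,ICU,view
2016-11-15T12:05:00,U103,nurse,MRN020,OB,view
2016-11-15T12:06:00,U103,nurse,MRN021,OB,view
2016-11-15T12:07:00,U103,nurse,MRN022,OB,view
2016-11-16T08:05:00,U100,nurse,MRN004,3W,view
2016-11-16T08:30:00,U103,nurse,MRN004,3W,view
"""

# Assumed unit assignments; a real audit pulls these from HR or scheduling.
USER_UNITS = {"U100": "3W", "U101": "3W", "U102": "ICU", "U103": "3W"}


def parse_log(text):
    """Read the CSV log into a list of dicts keyed by the header row."""
    return list(csv.DictReader(io.StringIO(text)))


def unit_mismatches(rows, user_units):
    """Rule 1: every view of a patient on a unit the user is not assigned to.
    This is a proxy for 'no treatment relationship'; each hit needs review."""
    return [r for r in rows if user_units.get(r["user"]) != r["patient_unit"]]


def volume_outliers(rows, multiplier=3.0, minimum=5):
    """Rule 2: per day and role, users whose count of distinct patients viewed
    is at least `minimum` and more than `multiplier` times the peer median.
    Both knobs are assumed tuning values, not figures from the article."""
    distinct = defaultdict(set)                 # (day, role, user) -> {patients}
    for r in rows:
        day = r["timestamp"][:10]
        distinct[(day, r["role"], r["user"])].add(r["patient"])
    peers = defaultdict(dict)                   # (day, role) -> {user: count}
    for (day, role, user), patients in distinct.items():
        peers[(day, role)][user] = len(patients)
    findings = []
    for (day, role), counts in peers.items():
        median = statistics.median(counts.values())
        for user, n in counts.items():
            if n >= minimum and n > multiplier * median:
                findings.append({"day": day, "role": role, "user": user,
                                 "distinct_patients": n, "peer_median": median})
    return findings


def audit(text, user_units):
    """Run both rules over a log and return the findings per rule."""
    rows = parse_log(text)
    return {"unit_mismatches": unit_mismatches(rows, user_units),
            "volume_outliers": volume_outliers(rows)}


if __name__ == "__main__":
    for rule, hits in audit(SAMPLE_LOG, USER_UNITS).items():
        print(rule, len(hits))
        for h in hits:
            print("  ", h)
```

On the constructed log, U103 is flagged by both rules on 2016-11-15 (seven distinct patients against a peer median of two, five of them on units the user is not assigned to) and by neither on the following day, which is the point of comparing against peers per day rather than using a fixed count. Either rule alone produces false positives (float nurses, code teams), so a hit is a reason to pull the full access history for manual review, as both hospitals did, not a verdict.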
Cosmetic Surgery Center Reports Ransomware Infection: 11,400 Patients Impacted
Jan10

Another healthcare provider has announced that a ransomware infection has resulted in patients’ protected health information being encrypted, and potentially accessed, by cybercriminals. The Susan M. Hughes Center, a provider of aesthetic medicine and cosmetic surgery services in New Jersey and Philadelphia, discovered ransomware had been installed on its computer system on August 30, 2016. A computer server was attacked and infected which resulted in files containing patients’ names, telephone numbers, dates of service, payment amounts, and details of services provided being encrypted. The breach report submitted to the Department of Health and Human Services’ Office for Civil Rights indicates 11,400 patients have been impacted. Upon discovery of the incident, passwords were reset and action was taken to isolate the affected server. Fortunately, the center was able to switch to a backup system while the infection was resolved. According to the substitute breach notice posted on the company website, an investigation into the attack was immediately launched and an external...

Read More
Emory Healthcare Joins 28,000 Other Victims of MongoDB Ransom Attacks
Jan09

A hacker by the name of Harak1r1 has taken advantage of a misconfigured MongoDB healthcare database containing 200,000 records of Emory Healthcare patients. The hacker stole the database and issued a 0.2 Bitcoin ransom demand for its safe return. Emory Healthcare is the largest healthcare provider in Georgia, with headquarters in Atlanta. The database contained the protected health information of patients of the Emory Brain Health Center. Information in the database includes patients’ names, addresses, email addresses, dates of birth, medical ID numbers, and phone numbers. However, while the attack involves a ransom demand, Harak1r1 is not using ransomware. The Emory Healthcare database was accessed and copied, and its data tables were wiped. Emory Healthcare is far from the only victim. More than 4,000 companies have been attacked by Harak1r1. The attacks on misconfigured MongoDB databases were discovered by the ethical hacker Victor Gevers of GDI Foundation on December 27, 2016. Gevers found a MongoDB database that had been left unsecured. When the database was...

Read More
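The misconfiguration behind these MongoDB ransom attacks is a listener reachable from the internet with no authorization enabled, so anyone who can connect can read, drop and replace collections without a password. MongoDB releases before 3.6 listened on all interfaces by default, and authorization has always been off unless switched on. The following is an added example, not from the article and not MongoDB's own tooling, that checks a mongod.conf for exactly that combination. `net.bindIp`, `net.bindIpAll` and `security.authorization` are real mongod.conf options; the two sample configurations are constructed for illustration.

```python
"""
Added example, not from the article and not MongoDB's own tooling: a check for
the two mongod.conf settings whose combination made the wiped-and-ransomed
databases possible, a listener bound to every interface and authorization
left off. net.bindIp, net.bindIpAll and security.authorization are real
mongod.conf options; the sample configurations are constructed.
"""

# Constructed: the shape of a pre-3.6 default install on an internet-facing host.
WEAK_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0      # reachable from anywhere that can route to the host
"""

# Constructed: the same server with a loopback-only listener and auth required.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""


def parse_conf(text):
    """Parse the 'section:' / '  key: value' subset of YAML that these
    mongod.conf fragments use. Not a general YAML parser."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if not line.startswith(" "):
            section = line.strip().rstrip(":")
            conf[section] = {}
        elif section is not None and ":" in line:
            key, value = line.strip().split(":", 1)
            conf[section][key.strip()] = value.strip()
    return conf


def audit_mongod_conf(text):
    """Return a list of findings; an empty list means both checks passed."""
    conf = parse_conf(text)
    net, security = conf.get("net", {}), conf.get("security", {})
    findings = []

    bind_ip = net.get("bindIp")
    if net.get("bindIpAll", "").lower() == "true":
        exposed = True
        findings.append("net.bindIpAll=true: listener reachable from every interface")
    elif bind_ip is None:
        # Before MongoDB 3.6 the default was to listen on all interfaces.
        exposed = True
        findings.append("net.bindIp unset: pre-3.6 builds listen on all interfaces by default")
    else:
        addrs = {a.strip() for a in bind_ip.split(",")}
        exposed = bool(addrs & {"0.0.0.0", "::"})
        if exposed:
            findings.append(f"net.bindIp={bind_ip}: listener reachable from every interface")

    no_auth = security.get("authorization") != "enabled"
    if no_auth:
        findings.append("security.authorization not enabled: no credentials required")

    if exposed and no_auth:
        findings.append("CRITICAL: anyone who can reach the port can read, drop "
                        "and replace every collection")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_mongod_conf(conf) or ["ok"])
```

Binding to loopback is the right default for a single-host deployment; a replica set that must listen on a routable address still needs `security.authorization: enabled` plus a host firewall or security group that admits only the application tier, because enabling authorization on its own leaves the port discoverable by the same internet-wide scans that found the databases in this story.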
Foreign Government-Backed Hacker Was Behind 2015 Anthem Breach
Jan08

The massive 2015 data breach at Anthem Inc., which resulted in the theft of more than 78.8 million health plan members’ records, was likely the work of a foreign government-backed hacker, according to a recent report issued by the California Department of Insurance. Anthem Inc., the second largest health insurer in the United States, announced the massive cyberattack in February 2015, almost a month after the breach was discovered. However, the cyberattack occurred almost a year earlier, with Anthem’s database discovered to have been infiltrated on February 18, 2014. Data stolen in the attack included members’ Social Security numbers, birth dates, employment details, addresses, email addresses, and medical identification numbers. The attackers were able to bypass multiple layers of cybersecurity defenses with a single phishing email sent to an employee of one of Anthem’s subsidiaries. The response to the email allowed the attacker to download malware onto Anthem’s network, which in turn allowed access to Anthem’s database of members. The attackers also managed to infiltrate 90 other...

Read More
Fetal Tissue Firms Guilty of Systemic HIPAA Violations
Jan06

The U.S. House of Representatives Select Investigative Panel has published the findings from its investigation into the sale of fetal tissue by abortion clinics, revealing systemic HIPAA violations by both abortion clinics and tissue procurement businesses. An investigation was requested by the Energy and Commerce Subcommittee on Oversight and Investigations following revelations made by undercover journalist David Daleiden. In 2015, Daleiden arranged a series of meetings with businesses involved in the fetal tissue procurement industry via the not-for-profit group Center for Medical Progress (CMP). Daleiden secretly recorded abortion providers – and companies involved in the fetal tissue business – detailing the nature of the business of buying and selling tissues from aborted fetuses. Daleiden’s meetings uncovered some dark truths about the practices employed by abortion clinics to obtain fetal tissue, including how termination procedures were often changed in order to obtain more intact specimens, including the use of illegal abortion procedures. The investigation...

Read More
Massachusetts Data Breach Notification Archive Now Available Online
Jan05

The Office of Consumer Affairs and Business Regulation of the state of Massachusetts has taken a major step toward improving transparency by making its data breach notification archive available to the public. Previously, members of the public were permitted to view the breach reports, but only by submitting a public records request. Now all breach notifications made to the state’s Office of Consumer Affairs and Business Regulation can be viewed online. The Massachusetts Data Breach Notification Archive can be viewed and downloaded in PDF form, with the identity theft report detailing the date the incident was reported, the organization affected, breach type, number of residents impacted, types of sensitive data exposed (SSNs, driver’s license numbers, financial information, credit/debit card numbers), and whether credit monitoring services have been offered to breach victims. The reports include breaches of both physical records and electronic personal information dating back to 2007. The report for 2016 currently includes 1,865 breach summaries. State law (Chapter 93H) requires all...

Read More
Largest Healthcare Data Breaches of 2016
Jan04

2016 was a particularly bad year for healthcare data breaches. The largest healthcare data breaches of 2016 were nowhere near the scale of those seen in 2015 – 16,471,765 records were exposed compared to 113,267,174 records in 2015 – but more covered entities reported breaches than in any other year since OCR started publishing breach summaries on its ‘Wall of Shame’ in 2009. 2016 ranks as the second worst year in terms of the number of patient and health plan members’ records that have been exposed in a single year. As of February 6, 2017 there have been 329 reported breaches of more than 500 records that have been uploaded to the OCR breach portal. 2017 looks set to be another particularly bad year for data breaches.

Healthcare Data Breaches of 500 or More Records, by Year

Year    Number of Breaches (500+)    Number of Records Exposed
2016    329                           16,471,765
2015    270                          113,267,174
2014    307                           12,737,973
2013    274                            6,950,118
2012    209                            2,808,042
2011    196                           13,150,298
2010    198                            5,534,276
2009     18                              134,773
Total  1801                          171,054,419

Largest Healthcare Data Breaches of 2016

While the above...

108 L.A. County Employees Fall for Phishing Attack: 756,000 Impacted
Jan03

It has taken some time for the County of Los Angeles to announce it was the victim of a major phishing attack, especially considering the attack was discovered within 24 hours of the May 2016 breach. However, notification had to be delayed so as not to interfere with an “extensive” criminal investigation. The investigation into the phishing attack was conducted by county district attorney Jackie Lacey’s cyber investigation response team. In many cases, cybercriminals are able to effectively mask their identities and it is relatively rare for the individuals responsible for phishing attacks to be identified. Bringing individuals to justice is harder still. All too often the perpetrators are based overseas. In this case, the investigation has resulted in the identification of a suspect: Austin Kelvin Onaghinor, 37, of Nigeria. On December 15, 2016, a criminal arrest warrant for Onaghinor was issued. Onaghinor faces nine charges related to the phishing attack, including theft and misuse of L.A. County confidential information, unauthorized computer access, and identity theft....

Healthcare Pages Intercepted and Posted Online
Dec30

Providence Health & Services, a not-for-profit health system operating in Alaska, California, Montana, Oregon, and Washington, has discovered its paging system has been breached by an unauthorized individual. Pages were intercepted and posted online exposing a limited amount of patients’ protected health information. The individual responsible for the pager attack posted pager transmissions that included patients’ names, room numbers, medication data, birth dates, medical record numbers, symptoms, diagnoses, and details of medical procedures. Providence Health & Services reports that the information sent via its pager network was limited to the minimum necessary information, in accordance with HIPAA Rules. Pages were accessed and disclosed publicly between October 25 and October 28, 2016. The breach was discovered on October 27. The breach notification letters sent to patients explain that PHI was only accessible on the website for a “couple of minutes at most.” The incident was not limited to Providence Health & Services. Other healthcare organizations were also...

Regular PHI Access Log Audits Can Prevent Major PHI Breaches
Dec30

Infirmary Health has announced that an employee has been fired after being discovered to have accessed the health records of approximately 1,000 patients without authorization. The individual was required to access patients’ protected health information (PHI) for legitimate work reasons, yet those data access rights were abused. The employee worked at Atmore Community Hospital, a 49-bed facility serving patients in Escambia and Monroe counties in Alabama. A routine audit of PHI access logs on November 18, 2016 revealed that the individual first started inappropriately accessing patient records on October 3, 2015. Records continued to be inappropriately accessed until November 11, 2016. According to a press release issued by Infirmary Health, the information accessed was limited to patient names, admission dates, and flowsheets. It is unclear why the information was accessed, although it is not believed that any data have been disclosed to any other individual nor copied and removed from the hospital. PHI appears to have been accessed purely out of curiosity. In accordance with...

Ransomware Encrypts Health Data for Three Months; PHI Still Inaccessible
Dec29

Casa Grande, AZ-based Desert Care Family and Sports Medicine has alerted 500 patients to a potential breach of their protected health information (PHI) as a result of a ransomware infection. The ransomware was installed on a server used to store PHI in August this year; however, despite attempts to unlock the encryption, patient data have still not been decrypted and have remained inaccessible for more than three months. The information stored on the server includes patients’ names, addresses, birthdates, account numbers, diagnoses, treatment information, and disability codes. The healthcare provider took the affected server to a number of IT specialists in an attempt to unlock the encryption but to no avail. Free decryptors are available for certain ransomware variants via the No More Ransom Project; however, many of the most commonly used ransomware variants have yet to be cracked. The only options for recovering locked data are to pay the ransom demand or to restore the encrypted files from backups. Unfortunately, there is no guarantee that payment of a ransom will result in the...

Patient Posts PHI of New Hampshire State Psychiatric Hospital Patients Online
Dec28

New Hampshire Department of Health and Human Services has alerted approximately 15,000 patients to a breach of some of their personal and highly sensitive information. Patient data were accessed by a former patient in October 2015 and were posted on a social media website. The data accessed and posted online by the former patient included names and addresses along with Medicaid ID numbers and Social Security numbers. The patient gained access to the data on a laptop computer located in the hospital library. Patients are permitted to use the library and the computers, although access to patients’ protected health information should not have been possible. At the time of the breach the patient was observed accessing ‘non-confidential’ hospital data by a staff member. The incident was reported to a supervisor and steps were taken to restrict access to the library computers. At the time, it was not known that sensitive data were accessed. While a supervisor was alerted to the incident, the matter was not escalated and neither the New Hampshire Hospital nor the New Hampshire Department...

UCLA Medical Center Investigates Potential Breach of Kanye West’s Medical Records
Dec26

UCLA Health Medical Center in Los Angeles is conducting an internal investigation into a potential HIPAA breach that occurred around Thanksgiving weekend. On November 21, 2016, Kanye West checked in to the hospital and stayed for 8 days. During his stay at the hospital, a number of nurses and other medical staff allegedly accessed his medical records without authorization. It would appear that the employees could not resist the temptation to snoop on his medical records. The unauthorized viewing of celebrities’ medical records is a problem for hospitals, in particular medical facilities in Los Angeles and New York. In recent years, there have been a number of incidents of the privacy of celebrities being violated by curious hospital employees. Numerous employees have been found to have accessed the records of celebrities out of personal curiosity, although in many cases, inside information has been sold to gossip websites and tabloids. A former employee of UCLA Medical Center pleaded guilty to accessing and selling the medical records of Farrah Fawcett and Britney Spears to the...

Increase in Ransomware and Cyberattacks Linked to Fall in Price of Health Data
Dec23

The value of health records on the black market dropped substantially in 2016. A set of health records is now reportedly attracting a price of between $1.50 and $10, according to a recent report from TrapX. Back in 2012, the value of a complete set of health records was around $50 to $60. The fall in price is easy to explain. Last year saw more than 113 million healthcare records breached, according to figures from the Department of Health and Human Services’ Office for Civil Rights. The vast majority of those records are in the hands of cybercriminals. Supply is now outstripping demand and just like any commodity, that results in a dramatic fall in prices. Stealing medical records is now much less profitable which means cybercriminals have to recoup their losses from somewhere. That does not mean the healthcare industry is likely to be attacked less. Instead the fall in price is likely to lead to even more attacks. In order to make the same level of profit, more records need to be stolen and sold on. The fall in the price of healthcare records has also prompted cybercriminals to...

Fairbanks Hospital Alerts Patients to Potential 3-Year Internal HIPAA Breach
Dec22

Fairbanks Hospital in Indianapolis, IN, has discovered that the electronic health information of its patients could have been accessed by all of its employees for a period of at least three years. Protections had been put in place to prevent unauthorized access to electronic health records by staff members, but on October 18, 2016, the hospital became aware that some files had been stored on an internal network that lacked those protections and could be accessed by all employees, even those who were not authorized to view patients’ electronic information. Following the discovery, an independent forensics expert was called in to determine the nature and scope of the problem. That individual was able to determine that the files had been accessible since November 2013, and potentially longer. It was not possible to say whether the files were accessible before that date. Attempts were made to determine whether the files had been accessed by employees during the time that they were unprotected, but access logs were not kept so it was not possible to determine whether any unauthorized...

Website Glitch Exposes Personal Information of KP Members
Dec22

Kaiser Permanente is alerting certain members to the potential disclosure of a limited amount of their personal information to other KP members after a glitch was discovered in the company’s online ‘Estimates’ tool. On November 16, 2016, Kaiser Permanente updated the Estimates tool on the kp.org website; however, an error occurred during the update that potentially resulted in members’ names, addresses, ages, copay information, deductible payments from 2016, and out-of-pocket expenses from 2016 being displayed to another user of the tool. Individuals potentially affected by the error visited the website and used the tool between the date that the update was applied and November 28, 2016, when the error was discovered and corrected. Kaiser Permanente has informed affected patients that there was only a small chance that their information was viewed by another person. At no point were Social Security numbers, claims information, or banking details exposed. The error did not result in the mass disclosure of PHI to other members. In each case, an individual who used the tool may have had...

Community Health Plan of Washington Announces 400,000-Record Data Breach
Dec21

An unplugged security vulnerability at a business associate of Community Health Plan of Washington has resulted in the exposure of the protected health information (PHI) of almost 400,000 plan members. Community Health Plan of Washington is now in the process of notifying all affected members that highly sensitive information including names, addresses, dates of birth, Social Security numbers, and health insurance information have been exposed and compromised. The data breach was confirmed on November 30, 2016, although Community Health Plan of Washington first became aware of a potential breach on November 7 after a tip-off was received. Staff at the health plan picked up a voicemail message from an individual who reported a vulnerability that had been discovered in the network of one of the health plan’s business associates. That vulnerability could be exploited to gain access to members’ data. Community Health Plan of Washington followed up on the tip-off and contacted the firm in question, which is a subsidiary of NTT Data. The firm provides technical services to the health...

Identity Thief Sentenced to 4 Years for Selling Stolen Rotech Healthcare Data
Dec19

A Florida man has been sentenced to serve four years in federal jail for selling medical records obtained from the medical device firm, Rotech Healthcare. Vickie Lorenzo Bryant, 39, from Plant City, FL made contact with a government informant in May 2016 and offered to sell personally identifiable information of 957 individuals who had received medical devices from Rotech Healthcare. This was not the first time Bryant had attempted to sell stolen data to identity thieves and fraudsters. The confidential informant had previously purchased other individuals’ data from Bryant and had used the information to obtain Florida driver’s licenses, make counterfeit credit cards, and purchase mobile phones in the victims’ names. Bryant met with the informant on two occasions in June 2016 and sold the data of 957 different individuals. Bryant asked to be paid $15,000 for the batch of data or $15 per identity. Around 1,000 documents were handed over to law enforcement and were found to contain a range of personal and medical information about the victims, including names, addresses, Social...

Oak Cliff Orthopaedic Associates Alerts Patients to Potential PHI Breach
Dec19

More than 1,000 current and former patients of Oak Cliff Orthopaedic Associates have been notified that unauthorized individuals may have viewed some of their protected health information. Boxes of paper business records and other items were stolen from an off-site storage facility used by the Dallas orthopedic firm. It is currently unclear when the theft occurred and how long the thieves had access to the information, although the theft was discovered on October 17, 2016. The documents contained patients’ names, addresses, and medical record numbers, although an investigation revealed that some of the documents also contained certain patients’ credit card numbers, Social Security numbers, and banking information. Patients affected by the incident had received medical services from Oak Cliff Orthopaedic Associates between 2006 and 2007. The Lewisville Police Department did manage to recover the stolen files and they have now been returned to Oak Cliff Orthopaedic Associates and are now secured. The stolen items were found in a hotel room, but it is unclear whether the thieves have...

November 2016 Worst Month for Healthcare Data Breaches: 57 Incidents Reported
Dec16

Many people will be glad to see the back of 2016. It has been a difficult year, especially for healthcare organizations. Ransomware attacks have increased, hacking incidents are up, and more data breaches have been reported this year than in any other year since records started to be kept by the Department of Health and Human Services’ Office for Civil Rights (OCR). The year is certainly not ending well. November saw the highest number of healthcare data breaches of any month in 2016, including August, a particularly bad month for the healthcare industry when 42 protected health information (PHI) breaches were reported by covered entities. November’s total was 35% higher than August’s and 60% higher than October’s, according to the November Breach Barometer Report from Protenus. Last month, 57 healthcare data breaches were reported, which is almost two incidents per day. Fortunately, the breaches that were reported were relatively small and the downward trend in the number of exposed/stolen records continued for the second month in a row. In total, 458,639 healthcare records were...

Princeton Medicine Ransomware Attack Reported
Dec14

Princeton Medicine physician Dr. Melissa D. Selke has alerted 4,200 patients to a potential breach of their electronic protected health information. An unauthorized individual gained access to a server containing ePHI and on October 6, 2016, ransomware was installed. The ransomware encrypted a range of files on the server including an information system containing patients’ names, phone numbers, addresses, Social Security numbers, driver’s license numbers, health insurance details, medical record numbers, diagnoses, treatment information, treating physician information, and treatment dates. Upon discovery of the ransomware infection, a computer forensics expert was brought in to conduct a thorough investigation. It was possible to rapidly restore the encrypted files; however, the investigation revealed that the person behind the attack could potentially have viewed and copied patient data. No evidence was uncovered to suggest that this was the case, although it was not possible to rule out the possibility that ePHI had been accessed. The Hillsborough, NJ-based physician has now...

Quest Diagnostics Announces 34,000-Record ePHI Breach
Dec13

Madison, New Jersey-based clinical laboratory service provider Quest Diagnostics is alerting 34,000 patients that some of their electronic protected health information (ePHI) has been stolen. Quest Diagnostics is a business associate of many healthcare providers across the United States. Consequently, patients across the United States have been impacted by the breach. On November 26, 2016, an unknown individual gained access to the MyQuest by Care360® Internet application and successfully exfiltrated a range of patient data. The intrusion was detected two days later when staff returned to work on Monday. Upon discovery of the breach, access to the Internet application was blocked to prevent any further data from being accessed or copied and a leading cybersecurity firm was contracted to conduct a thorough investigation of the breach. The investigation revealed that patients’ test results were copied along with names, dates of birth, and some telephone numbers, although no highly sensitive data such as Social Security numbers, health insurance information, or financial data were...

Further 4,100 Cardiac Patients Notified of Breach of ePHI
Dec13

A further 4,100 cardiac patients have been notified that some of their protected health information was exposed due to a security breach at Wilmington, DE-based Ambucor Health Solutions (AHS). The patients had previously had cardiac devices fitted at the New Mexico Heart Institute in Albuquerque. The Heart Institute contracted Ambucor Health Solutions to provide a cardiac monitoring service for its patients. AHS had implemented appropriate technical, physical, and administrative safeguards to prevent the unauthorized disclosure of patients’ electronic protected health information in accordance with HIPAA Rules; however, a former AHS employee breached company policies and accessed and copied patients’ ePHI to two flash drives prior to leaving employment. The data copied to the devices included patients’ names, birthdates, phone numbers, addresses, medication information, testing data, information about patients’ medical devices, where the patient had the device fitted, the name of the technician who fitted the device, and the name of patients’ physicians. It is unclear why the data...

Lost CD Contained Social Security Numbers of 18,854 Health Plan Members
Dec08

18,854 health plan members have been notified of a potential breach of their protected health information following the loss of a compact disc in the mail. An employee at Aetna Signature Administrators (ASA), a provider of network and management services to group health plans, mailed a CD containing sensitive health plan members’ information to another ASA employee. The CD was mailed on September 6 and the envelope was delivered on September 9; however, the CD was missing from the envelope. The CD contained reports that had been provided to ASA by health plans or health plan administrators. The reports were used by ASA to evaluate and select programs and services for health plan members. The reports contained the dates of birth of health plan members along with their Social Security numbers, and in some instances, names and addresses. Individuals impacted by the incident were notified of the potential ePHI breach last month. Since Social Security numbers were exposed, ASA has offered all affected individuals a year of identity theft protection services through Equifax (Equifax...

Ransomware Attack Reported by East Valley Community Health Center
Dec08

West Covina, CA-based East Valley Community Health Center (EVCHC) has started notifying patients that some of their electronic protected health information was compromised when ransomware was installed on one of its servers. The ransomware attack occurred on October 18, 2016 and involved a ransomware variant called Troldesh/Shade. As with other forms of ransomware, Troldesh scans its local environment and encrypts a wide range of file types with an asymmetric encryption algorithm, preventing the files from being accessed. Troldesh is supplied by the ransomware author as a development kit, which allows affiliates to run their own ransomware campaigns. The ransomware is usually distributed via spam email campaigns using file attachments containing malicious JavaScript code. However, in this case, an unauthorized individual logged onto an EVCHC server and installed the ransomware. Many different files were encrypted, one of which contained the electronic health information of EVCHC patients. The file was used by EVCHC for logging claims that had been submitted to health...

Tampa General Hospital Settles Class Action Data Breach Lawsuit
Dec07

According to figures from the Federal Trade Commission, Florida is one of the top three states for fraud and identity theft. Criminals in the state use stolen consumer data to steal identities and file fraudulent tax returns, with the data often coming from healthcare organizations. Fraudsters often target the lowest paid healthcare workers and pay them to steal patients’ personal information and Social Security numbers. Many Florida hospitals have fired employees who have been discovered to have abused their access to patient health information and passed stolen information on to identity thieves. Victims of fraud can suffer considerable losses which can prove difficult to recover. Legal action can be taken against the healthcare organizations that experience internal data breaches, although the lawsuits very rarely succeed. One such lawsuit was filed against Tampa General Hospital. The class action lawsuit – John Doe v. Florida Health Sciences Center Inc. d/b/a Tampa General Hospital – alleged the hospital had been negligent for failing to protect patient data;...

Glendale Adventist Medical Center Fires Nurse for Inappropriately Accessing ePHI
Dec05

A nurse employed by Glendale Adventist Medical Center in Glendale, CA has been fired for inappropriately accessing the medical records of 528 patients of the medical center and White Memorial Medical Center in Boyle Heights, CA. The privacy breach was discovered in June 2016, although it is unclear when the nurse first started inappropriately accessing patient data. Glendale Adventist Medical Center discovered patient data were being accessed during a routine security review. An investigation into the privacy violations was launched after access logs showed that the employee had been abusing data access privileges. The nurse had been provided with access to ePHI in order to perform work duties. The former employee worked as a per-diem nurse, according to a report in the Los Angeles Times. The investigation into the privacy breaches is ongoing, and as such, only a limited amount of information has been released. A spokesperson for Glendale Adventist Medical Center did confirm to the L.A. Times that sensitive patient information that was potentially accessed included names,...

Sagewood Retirement Community Attacked with Ransomware
Dec02

Sagewood, a retirement community in Phoenix, AZ, has notified 800 current and former residents about a ransomware attack that has potentially resulted in some of their electronic protected health information (ePHI) being accessed by the attackers. Sagewood enlisted the services of a computer forensics firm to investigate the attack. According to the substitute breach notice on the Sagewood website, the attack was short-lived. It was possible to isolate and contain the infection within an hour of it being discovered. Since it is possible that access to ePHI was gained, the incident has been reported to the Department of Health and Human Services’ Office for Civil Rights in accordance with HIPAA Rules. Patients have also been notified of the incident by mail if they have been affected. Ransomware locks files with powerful encryption which prevents the victims from gaining access to their data. After files are locked, the victims are presented with a ransom demand. Payment must be made in order to receive the key to unlock the encryption. Ransomware could also potentially give the...

OptumHealth New Mexico Announces 2000-Record Data Breach
Dec02

OptumHealth New Mexico has notified 2,006 patients of a privacy breach that was caused by one of its vendors. The vendor had downloaded some electronic protected health information to a flash drive, which was then sent to an undisclosed recipient by mail using the U.S. Postal Service. The flash drive did not arrive at its destination. Upon discovery of the loss, the U.S. Postal Service was notified but attempts to locate the device have so far failed, although according to the substitute breach notice issued by OptumHealth, the matter is still being investigated. It is unclear why, with many secure methods of sending sensitive data available, the vendor chose to post the flash drive, or why the contents of the drive were not encrypted. OptumHealth was notified of the potential privacy breach on September 26, 2016 and breach notification letters were mailed to all affected individuals on November 17. A substitute breach notice was recently uploaded to the OptumHealth website as it was not possible to contact all affected individuals by mail. Patients have been informed that the data stored on...

1,745 Berkshire Medical Center Patients Impacted by Ambucor Health Solutions Breach
Nov30

Berkshire Medical Center (BMC) in Pittsfield, Massachusetts has been informed that 1,745 patients of its cardiology department have been impacted by the security breach at Ambucor Health Solutions (AHS). The Wilmington, DE-based business associate provides a remote monitoring service for BMC patients who have been fitted with cardiac devices. In July, AHS discovered an employee had emailed the protected health information of 41 patients to a personal email account prior to leaving the company. However, an investigation into the incident revealed that more patients had been affected than was initially thought. The employee had also copied some protected health information onto two thumb drives. Those devices were recovered via law enforcement and were found to contain the sensitive data of thousands of patients. AHS has now contacted all healthcare providers whose patients have been impacted by the breach and is notifying all affected individuals by mail, although it is the responsibility of each impacted healthcare provider to notify the Department of Health and Human Services’...

CHI Franciscan Health Alerts Patients to ePHI Exposure
Nov28

CHI Franciscan Health has started notifying patients about the potential exposure of some of their electronic protected health information after a laptop computer was stolen from an employee. According to The News Tribune, a CHI Franciscan Health employee had a backpack stolen on October 18. The backpack contained documents that included some patient health information, a work laptop computer, and a mobile phone. The backpack also contained a day planner, in which the login credentials for the laptop were recorded. The information in the documents could potentially have been viewed and the login credentials could have been used to gain access to the electronic protected health information stored on the laptop. CHI Franciscan Health has not received any reports to suggest any information has been accessed or used inappropriately, although patients have been informed to take precautions against identity theft. All affected individuals have been offered a year of credit monitoring services without charge. The exposed ePHI/PHI includes the names, phone numbers, Social Security numbers,...

Vascular Surgical Associates Hacking Incident Reported
Nov25

Vascular Surgical Associates – a group of specialty-trained vascular surgeons in Atlanta – has announced that it has been the victim of a hacking incident that has potentially resulted in certain protected health information being viewed by unauthorized individuals. IT staff noticed unusual activity on one of the company’s servers on or around September 13, 2016. An investigation into the anomaly was launched, which revealed the server had been improperly accessed using login credentials supplied to some of the group’s vendors. Access to patient data was first gained on March 25, 2016, when a software application upgrade was performed. The investigation did not confirm whether patient health information had been obtained by the hackers, although for more than five months it would have been possible for the login credentials to have been used to view patient data. As soon as IT staff determined the server had been compromised, access was immediately terminated. The server is now secure and Vascular Surgical Associates is confident that no further unauthorized access is possible....

Privacy Breach Reported by Wentworth-Douglass Hospital
Nov25

Wentworth-Douglass Hospital in Dover, New Hampshire has started alerting patients to a privacy breach experienced by one of its vendors, Ambucor Health Solutions. Ambucor Health Solutions provides a remote-monitoring service for cardiac devices for hospitals throughout the United States. Earlier this month, the company started notifying its clients of a privacy breach caused by one of its former employees. Prior to leaving employment, the employee downloaded sensitive company data onto two flash drives. The data breach was discovered by Ambucor Health Solutions over the summer and an investigation was launched. The incident was reported to law enforcement, and the subsequent investigation resulted in the flash drives being recovered in July. An analysis of the contents of the drives, which was completed in September, revealed the downloaded data included a range of electronic health information of cardiac patients from a number of the company’s clients, and included the protected health information of 775 patients of Wentworth-Douglass Hospital. Social Security numbers, financial...

Chiropractic Clinics Alert Patients to Billing Vendor Breach
Nov23

Two providers of chiropractic services in California have started notifying their patients of a security breach affecting their billing software company. Luque Chiropractic, Inc., and Watsonville Chiropractic, Inc., were alerted to a cloud storage account breach on November 18, 2016, following a data security incident that saw patient data accessed by an unauthorized individual. The breach was experienced by EMR4all, Inc., and affected clients that used the company’s associated billing service. EMR4all, Inc. provides free EMR software for physical therapy, occupational therapy, and chiropractic practices throughout the United States, while billing services are provided by Rehab Billing Solutions. In early September, security researcher Chris Vickery discovered a cloud storage account used by EMR4all/Rehab Billing Solutions could be freely accessed via the Internet. The cloud storage account contained the health records and personal information of many thousands of patients from more than 30 providers of physical therapy and chiropractic services. Vickery was able to access and...

Briar Hill Management Notifies 2,000 Individuals of February Laptop Loss
Nov22

Briar Hill Management, a Ridgeland, MS-based provider of management services for skilled nursing facilities in Mississippi, has lost a laptop computer containing the sensitive data of 2,000 nursing facility residents. The laptop was discovered to be missing on February 26, 2016, although at the time it was not believed that the laptop contained any resident health information. However, according to the breach notice recently uploaded to the company website, an investigation into the incident revealed that the employee who had been assigned the laptop computer had breached company policies and had downloaded sensitive information onto the device. The data stored on the unencrypted laptop included residents’ names, addresses, birth dates, dates of service, Social Security numbers, prescription information, and medical records. Briar Hill Management says “the laptop did not contain all of these types of information for every affected resident.” The breach notice does not state when Briar Hill Management discovered sensitive information had been exposed. Briar Hill Management conducted...

Eye Institute of Marin Notifies Patients of Ransomware Data Loss
Nov20

The San Rafael, CA-based Eye Institute of Marin has informed some of its patients that a ransomware attack on its electronic medical record provider has potentially resulted in some of their electronic protected health information being accessed by the attackers. The EMR system contained a considerable amount of sensitive patient data including names, telephone numbers, addresses, birth dates, race, gender, Social Security numbers, medical histories, medical diagnoses, prescription information, health insurance details, health visit information, charges and payment details, and emergency contact information. No financial information or credit/debit card numbers were exposed as these were stored separately in a different system. The incident was investigated at the time by a third party computer forensics company. The firm’s analysis of the attack did not uncover any evidence to suggest that patient data were accessed or copied by the attackers, although the possibility of data access could not be ruled out entirely. The ransomware attack took place on July 26, 2016. The electronic...

Patients Notified of KinetoRehab Physical Therapy Laptop Theft
Nov18

New York-based KinetoRehab Physical Therapy has started sending HIPAA breach notification letters to patients alerting them to the potential exposure of some of their protected health information. On September 16, 2016, KinetoRehab discovered a laptop computer was missing from its facilities. A review of security camera footage revealed the laptop computer had been stolen. While the laptop bag has now been found, the laptop computer had been removed and has not been recovered. The incident was reported to law enforcement and efforts are currently being made to locate the individual identified from the CCTV camera footage. The laptop contained data on a limited number of patients, although those affected by the breach have had highly sensitive information exposed. The laptop contained patients’ names, birthdates, Social Security numbers, insurance information, and notes relating to the physical therapy provided by the clinic. Patients affected by the incident had visited KinetoRehab Physical Therapy for treatment between November 2011 and March 2013. While the data stored on the...

Healthcare Data Breaches Fell in October
Nov17

There was a fall in the number of data breaches reported by healthcare organizations in the United States in October, according to the latest Breach Barometer report from Protenus. This is the second month in a row in which the number of data breaches has fallen. The number of reported breaches dropped from an annual high of 42 incidents in August to 35 breaches in October; two fewer breaches than were reported last month. However, the number of exposed records increased from 246,876 in September to 776,533 records in October. The final victim count for the month could be considerably higher because, while 35 breaches were reported, the number of individuals impacted by four of those incidents is not yet known. There were some notable IT security incidents reported last month: Four healthcare organizations reported being attacked with ransomware in October. Three of those incidents resulted in a permanent loss of healthcare data. Two organizations attempted to recover data from backups, only for the backup recovery process to fail, while one healthcare organization reported data loss as a...

Emblem Health Mailing Error Exposes Members’ Social Security Numbers
Nov16

Emblem Health, one of the largest health plans in the United States, has discovered a printing error has resulted in some members’ Social Security numbers being printed on the outside of envelopes during a recent mailing. The New York-based health insurer says the privacy breach affects members of its subsidiary company, Group Health Inc. (GHI). The error was made while mailing Medicare Prescription Drug Plan Evidence of Coverage documents to health plan members. Normally, all mailings include a unique mailing identifier which is printed on the envelope. These ID numbers are randomly generated and are included on the envelopes to help keep track of mailings. However, for the latest mailing, an error was made that resulted in members’ Health Insurance Claim Number (HICN) being included in the electronic file that was sent to the health plan’s mailing vendor. That number was then printed on the envelopes instead of the mailing identifier. HICNs are formed from members’ 9-digit Social Security numbers. Affected members therefore had their Social Security numbers printed on...

Horizon BCBS of New Jersey Privacy Breach Impacts 170,000 Members
Nov16

Horizon Blue Cross Blue Shield of New Jersey has been alerted to a printing error that resulted in a limited amount of members’ protected health information being disclosed to other plan members. According to a statement issued by Horizon BCBSNJ, the error was made by its printing vendor, Command Marketing Innovations of Garfield. Between October 31 and November 2, Horizon BCBSNJ’s vendor printed and mailed Explanation of Benefit letters to members; however, an error resulted in some members’ names, claim numbers, Member ID numbers, dates of service, service codes, provider and facility names, and a limited description of services being printed on EOB letters that were sent to other members. Horizon BCBSNJ says the error was identified on November 2 and the printing run was halted, but not before letters had been mailed to around 170,000 members. Not all of those members will have received letters containing the PHI of other members, but Horizon BCBSNJ has been unable to determine exactly how many of the letters included other members’ PHI. According to Horizon spokesman Kevin...

Best Health Physical Therapy Fires Billing Service Provider for PHI Breach
Nov15

Best Health Physical Therapy LLC has notified 1,100 patients that some of their electronic protected health information has potentially been accessed and downloaded by a third party. The data breach occurred at Best Health Physical Therapy’s billing service provider, Rehab Billing Solutions (RBS). Best Health Physical Therapy was notified of the breach on September 23, 2016 after RBS was contacted by MacKeeper security researcher Chris Vickery and advised that client data had been exposed and was freely accessible online. Patient records were stored on Amazon’s Simple Storage Service (S3) by RBS; however, Vickery discovered the records had not been secured. Without controls to prevent access, Vickery was able to gain access to more than 260,000 files. Those files contained 61GB of confidential data. The breach affected approximately 30 clients of RBS including Best Health Physical Therapy. Vickery notified Databreaches.net of the data exposure in September and assistance was provided notifying affected parties. After learning of the lack of protections, RBS acted quickly and...

Austin Pulmonary Consultants Reports Improper Disposal of PHI
Nov15

Austin Pulmonary Consultants PA has reported a HIPAA breach to the Department of Health and Human Services’ Office for Civil Rights that has impacted 889 patients. On September 8, 2016 Austin Pulmonary Consultants discovered that a third party vendor that had been contracted to provide cleaning services at its recently opened offices at 5920 W. William Cannon, Building 1, Suite 150 in Austin, Texas had improperly disposed of documents containing the protected health information of patients. The documents had been designated for secure disposal and should have been shredded and rendered unreadable and unusable in accordance with HIPAA Rules, but were accidentally disposed of with regular trash. The documents contained highly sensitive patient information including names, home addresses, dates of birth, Social Security numbers, medical information, the names of payment guarantors, their addresses and Social Security numbers, and medical payment information. Breach notification letters were mailed to all affected patients on November 7, 2016 and steps have been taken to reduce the...

Seguin Dermatology Announces Ransomware Attack: ePHI Access Likely
Nov14

Texas-based Seguin Dermatology has started informing patients of a ransomware attack that has likely resulted in electronic protected health information (ePHI) being inappropriately accessed. The attack occurred on or around September 12, 2016 and involved a server used by the office of Robert J. Magnon, M.D. The ransomware encrypted numerous file types preventing data access. While the server was not used to store electronic medical records, some ePHI was in the encrypted files. Upon discovery of the ransomware attack, Seguin Dermatology contacted an external IT firm which was able to remove the ransomware and restore data from backups. A thorough forensic analysis of the affected server was performed to determine the extent of the attack and whether patient data had been compromised. The IT firm concluded that there was a high likelihood that the attackers accessed the ePHI of patients. The firm was unable to confirm whether patient data had been stolen, although the possibility could not be ruled out. Financial data including credit and debit cards were not encrypted and...

Ambucor Health Solutions Breach Impacts 2,500 Greenville Health System Patients
Nov10

Approximately 2,500 patients of Greenville Health System in South Carolina have been affected by a privacy incident involving one of the health system’s vendors: Delaware-based Ambucor Health Solutions. Ambucor Health Solutions provides a remote-monitoring labor service for cardiac devices. According to the substitute breach notice on the Greenville Health System website, a former Ambucor Health Solutions employee downloaded some electronic protected health information from the company prior to leaving employment. The data were downloaded without authorization, although two flash drives containing patient data were subsequently turned over to law enforcement, which notified Ambucor Health Solutions in July this year. The data on the storage devices were discovered to contain a range of ePHI of patients of GHS’ Carolina Cardiology Consultants. Approximately one fifth of cardiac-monitored patients were affected by the privacy breach. The data on the devices included the names of patients, their dates of birth, phone numbers, home addresses, race, prescribed medications, medical...

Broward Health Discovers Breach ‘Linked’ to Florida Identity Theft Gang
Nov10

Two breaches of protected health information involving healthcare employees have come to light this month, the first of which is understood to have occurred in 2011/2012, although it has only just been made public. Earlier this year, law enforcement officers visited the home of an individual as part of a routine investigation and discovered documents containing the personal information of patients of Broward Health Imperial Point in Fort Lauderdale, Florida. According to the Florida Bulldog, the documents were hospital facesheets which contained patients’ names, addresses, phone numbers, dates of birth, Social Security numbers, insurers’ names, insurance guarantor details, emergency contact information, and reasons for visits. Data are understood to have been removed from Broward Health Imperial Point facilities between November 2011 and March 2012, according to the substitute breach notice on the Broward Health website. It is unclear whether the individual in possession of the data was a current or former employee of Broward Health. Broward Health’s senior vice president and chief...

Kaiser Permanente Notifies Members of ePHI Exposure
Nov08

Kaiser Permanente is notifying some of its members of a website configuration error that resulted in the exposure of some of their protected health information. Fortunately, the error was rapidly identified and ePHI was only exposed for around two hours. An upgrade to the kp.org website was performed on October 12, 2016 to improve webpage loading speed; however, a misconfiguration resulted in some members’ ePHI being exposed to other members and site visitors. Individuals affected by the incident had logged into the kp.org website between 11:26 p.m. (PT) on October 12 and 01:46 a.m. (PT) on October 13. The extent of ePHI exposed depends on the webpages members visited after logging in, although the exposed information was limited in nature and did not include any highly sensitive data such as Social Security numbers or financial information. While data could have been viewed by other members and site visitors, the number of individuals who could potentially have viewed other individuals’ ePHI was limited due to the timing of the website update and the rapid identification of the error....

Theft of Unencrypted Laptop Results in Exposure of 3,100 Patients’ ePHI
Nov04

MGA Home Healthcare has notified 3,119 patients that some of their electronic protected health information (ePHI) has been exposed after an unencrypted laptop computer was stolen from the vehicle of an employee. The theft occurred at some point between August 19 and August 20, 2016 and was discovered on August 20. The incident was reported to law enforcement immediately, while the Department of Health and Human Services’ Office for Civil Rights was notified of the breach on October 19. The delay in notifying patients and OCR was due to the time it took to conduct a thorough review of the exposed data and to determine which patients had been impacted. The information stored on the laptop includes patients’ names, home addresses, demographic data, and information relating to the medical services provided to patients. MGA Home Healthcare determined that only 32 patients had their driver’s license or Social Security number exposed. All affected patients have been offered identity theft protection services for a period of one year in case any exposed data are used inappropriately....

Subpoena Issued Demanding Release of OPM’s Anthem Audit
Nov01

Shortly after the announcement of a massive cyberattack on Anthem Inc. – the nation’s second largest insurance company – several class-action lawsuits were filed by victims of the breach. The cyberattack exposed members’ sensitive data including names, birthdates, and Social Security numbers. In total, around 78.8 million members were affected by the breach. The lawsuits, which have since been consolidated by the Judicial Panel on Multidistrict Litigation, claim Anthem failed to secure and protect members’ sensitive data, which has left the plaintiffs facing an increased risk of fraud that will last a lifetime. At the time of filing the lawsuits, financial harm had not been suffered, yet now, more than a year later, many of the members of the class action have discovered their data have been used for fraud. Identities have been stolen, credit cards have been applied for, notices of fraudulent financial activity have been received, and credit scores have been damaged. Anthem notified members of the breach of sensitive data and offered credit monitoring and identity theft...

Seattle Indian Health Board and Florida Hospital Announce Privacy Breaches
Oct26

On August 10, 2016, Seattle Indian Health Board discovered the email account of an employee had been hacked, potentially giving the attacker access to sensitive patient data including names, dates of birth, patient ID numbers, Social Security numbers and other PHI stored in the account. It would appear that the email account was not hacked for the purpose of stealing patient health information, although it is possible that patient data were viewed during the time the account was compromised. The breach was rapidly identified and the email system was shut down within four hours of the account being compromised. During that time the attacker had managed to send emails from the account to unknown individuals, although no emails containing patient health information were forwarded from the account. Security controls were in place to ensure that any account compromise was rapidly identified, although additional security measures are now being implemented to reduce the risk of future email account breaches. All employees were required to reset their passwords and have received training...

Health Access Network Employee Fired for Improperly Accessing Patient Files
Oct26

Health Access Network has notified “less than 500” patients of its Lincoln Medical Center that their protected health information was improperly accessed by an employee. On August 18, Health Access discovered the employee had accessed patient health records without any legitimate reason for doing so. After proof of improper access was obtained, the employee was interviewed but she did not give hospital officials any reason as to why she had viewed patient records. The woman had been provided with access to files in order to complete her work duties. Health Access Network did not disclose the exact nature of the data accessed by the employee, although the woman was authorized to view patient names, financial information, and Social Security numbers. A review of data access logs revealed no information had been downloaded by the woman, although it was not possible to tell if any patient information had been manually copied. An investigation of the employee’s computer activities was launched to determine the extent of the privacy breach. The investigation revealed employee records had...

Physical Therapy Provider Discovers Cloud Storage Account Breach
Oct26

California-based Silver Creek Fitness and Physical Therapy has been alerted to a potential privacy breach by its billing and software vendors. A cloud storage account containing the protected health information of some of its patients had been left unprotected and could be freely accessed via the Internet. An unnamed security researcher discovered an Amazon S3 storage account used by the healthcare provider’s billing and software vendors had been improperly secured. The storage account was accessed by the researcher, who succeeded in downloading information from the account. An investigation into the security breach was launched that showed security protections were not present for a period of four months between May 2016 and September 11, 2016, when the breach was discovered. The storage account contained highly sensitive patient information including names, prescription details, dates of birth, Social Security numbers, driver’s license numbers, progress notes, Medicare numbers, treatment locations and treatment dates. Information was downloaded by the security researcher on...

BayState Health Discovers 13,000 Patients Impacted by Phishing Attack
Oct24

Springfield, MA-based Baystate Health has announced that five employees have fallen victim to a phishing scam that has potentially resulted in the exposure of the protected health information of as many as 13,000 patients. Scam emails were sent to a number of Baystate Health employees in August this year. The emails were well-written and realistic and appeared to have been sent internally from the human resources office. The emails appeared to have been sent to advise employees of some important changes to salaries and other important HR information. However, by following the instructions in the email to view the information, employees inadvertently gave the attackers access to their email accounts and also a Baystate Health database which contained sensitive patient data. An investigation was launched into the phishing attack which revealed that names, demographic information, patient ID numbers, and dates of birth may all have been accessed by the attackers. Certain patients’ treatments and diagnoses were also exposed as a result of the scam. The investigation did not...

2016 Set to be A Record Breaking Year for Healthcare Data Breaches
Oct21

Healthcare security breaches have been increasing steadily throughout the year and the trend has continued throughout quarter 3. More healthcare data breaches have been reported in July, August and September than in any other month of the year. In fact, more healthcare data breaches have been reported to the Department of Health and Human Services’ Office for Civil Rights (OCR) so far in 2016 than in all of 2009, 2010, 2011, 2012, and 2013. So far this year OCR has been informed of 243 healthcare data breaches. The breach count for 2016 to date has almost reached the count for all of 2015 – when 269 protected health information breaches were reported to OCR. There are still just over two months left of the year, although 2016 is well on track to be the worst year for healthcare data breaches. On the positive side, the massive data breaches of 2015 have not been repeated in 2016. To date, the health records of 14,310,091 individuals have been exposed or stolen. By this time last year, the victim count stood at 112,784,979 individuals spread across 226 security breaches. Only 2014 –...

CalOptima Discovers Breach That Impacts 56,000 Members
Oct18

CalOptima is alerting members to a privacy breach for the second time in a month. This time it was not a printing error that resulted in PHI being exposed, but the actions of a departing employee. Prior to leaving employment, the former employee downloaded the protected health information of individuals who were enrolled in the county’s health plan for low-income and disabled Californians. The first HIPAA breach, which occurred between July 29 and August 2, impacted 1,000 individuals and resulted in a limited amount of PHI being disclosed to other members. The latest breach involved more data elements and appears to have impacted tens of thousands of members. The Orange County Register has reported that 56,000 breach notification letters were dispatched on October 14 advising members of the breach. That equates to 7% of CalOptima’s members. The exact number of breach victims will not be known until the incident appears on the Department of Health and Human Services’ Office for Civil Rights’ breach portal. CalOptima discovered PHI had been downloaded onto an unencrypted flash drive and...

Rainbow Children’s Clinic Ransomware Attack Resulted in Data Loss
Oct18

Another day, another healthcare ransomware attack. This time it was the Rainbow Children’s Clinic – a team of dedicated pediatricians providing medical services to children in the Grand Prairie/Arlington area of Texas. On August 3, 2016, a hacker gained access to the clinic’s computer system and encrypted a range of data stored on its servers including the protected health information of patients. The ransomware prevented critical patient files from being accessed, which naturally had a direct impact on patients. However, in addition to encrypting records, an investigation of the security breach by an independent computer forensics expert revealed that some patient data were deleted and have been irrevocably lost. The data that were encrypted or deleted include names, dates of birth, addresses, Social Security numbers, medical information, medical payment information, and guarantors’ names, addresses, and Social Security numbers. Patients affected by the security incident have been notified of the breach by mail. All have been offered credit monitoring and identity theft...

Integrity Transitional Hospital Learns of Data Breach
Oct17

Integrity Transitional Hospital of Denton, TX has discovered an unauthorized individual gained access to its computer system and potentially viewed lab test results and other sensitive patient data. The security breach affects patients of a number of different healthcare providers. The security breach was discovered when suspicious activity was detected on its network on August 15, 2016. Access to the system was rapidly shut down and a third party computer forensics firm was hired to conduct a thorough analysis of its systems to determine whether any protected health information had been accessed or copied. Integrity Transitional Hospital receives laboratory specimens from a number of companies working on behalf of healthcare providers and submits those specimens to laboratories for testing. The investigation revealed a system used to store data relating to those services and billing was compromised and the protected health information of patients could potentially have been viewed. While data access was possible, no reports of data misuse have been received by the hospital in the...
