Our HIPAA breach news section covers HIPAA breaches such as unauthorized disclosures of protected health information (PHI), improper disposal of PHI, unauthorized PHI access by cybercriminals and rogue healthcare employees, and other security and privacy breaches.

When known, we explain how the breach occurred, the consequences to patients that may have had their PHI compromised, and the actions being taken by the affected healthcare organization to improve safeguards to prevent further HIPAA breaches.

We also explain any actions being taken by the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) and state attorneys general in relation to those breaches.

OCR investigates all data breaches that impact more than 500 individuals to determine whether any HIPAA violations have occurred. When HIPAA Rules are discovered to have been violated, financial penalties may be deemed appropriate. It can take many months or years before any financial penalties for HIPAA breaches are decided. Financial penalties for HIPAA violations tend to be reserved for the most serious breaches of HIPAA Rules. OCR prefers to resolve cases with voluntary compliance and by issuing recommendations to bring policies in line with HIPAA Rules.

The HIPAA breach news section is particularly relevant to healthcare information security professionals, privacy officers, and other individuals who have some responsibility for HIPAA compliance.

The HIPAA breach news reports highlight common areas of non-compliance and new attack vectors used by cybercriminals to gain access to healthcare networks and PHI, the security failings that allowed them to happen, and the measures that have been implemented to prevent them from happening again.

No healthcare organization wants to experience a data breach, but when a breach does occur, lessons can be learned. HIPAA-covered entities can use these breach examples to help train their staff as well as to discover some of the methods other covered entities have adopted to improve data security.

As you will be able to see from the volume of posts in the HIPAA breach news category, healthcare data breaches occur frequently. In 2016 and 2017, healthcare data breaches have been reported on an almost daily basis.

Our HIPAA breach news section is an important source of information about potential security issues that covered entities should be identifying when conducting their own risk assessments. Many of the situations in our HIPAA breach news posts could have been avoided if a risk assessment had identified a vulnerability that was later exploited to gain access to PHI.

The main purpose for adding HIPAA breach news to this website is to highlight specific aspects of HIPAA compliance that are commonly overlooked, often with serious consequences for the covered entity and patients/health plan members.

By raising awareness of the volume of healthcare data breaches, the implications of those breaches, and the penalties that can result, it is hoped that healthcare providers will take decisive action to prevent their patients’ and members’ data from being exposed.

The most recent healthcare data breach reports are listed below.

Farmington Medical Group Confirms Cyberattack
Jul 28

Last month, a series of cyberattacks were discovered to have occurred when healthcare databases were put up for sale on the Darknet marketplace TheRealDeal. The attacks were conducted by a hacker operating under the name TheDarkOverlord (TDO). The names of the organizations that had been attacked were not initially disclosed, although the locations of the organizations were included in the darknet listings. Initially, three healthcare organizations were believed to have been attacked, although the data from a much larger attack on a health insurer was posted a few days later. The initial listings on TheRealDeal included 48,000 records from a healthcare organization in Farmington, Missouri; 210,000 records from a healthcare organization in the Central/Midwest region of the U.S.; and 397,000 records from a healthcare organization in Georgia. The fourth posting contained 9.3 million records from an unnamed U.S. health insurer. The healthcare organization in Georgia, Athens Orthopedic Clinic, has already announced that it was recently attacked. Now the Farmington healthcare group...

Details Emerge on Laser Dermatologic Surgery Center Data Breach
Jul 28

Laser & Dermatologic Surgery Center reported a data breach to the Office for Civil Rights (OCR) on June 14, 2016 that impacted 31,000 patients. The nature of the breach was initially unclear, although further details have now emerged. Laser & Dermatologic Surgery Center has recently changed ownership. Prior to the new owners taking over the company, the healthcare provider experienced a ransomware infection. All data were backed up and it was possible to restore all affected files from backups without paying the ransom demand. However, the new owners’ IT department discovered that while the ransomware infection had been addressed, malware was still present on its system. It is not clear whether the malware was installed by the same individuals responsible for the ransomware attack. On March 21, 2016, after a review of access logs was conducted, it was also discovered that an unauthorized individual had gained access to the healthcare provider’s network. The first intrusion was determined to have taken place on March 1, 2016. While no evidence was discovered to suggest...

Athens Orthopedic Clinic Confirms Cyberattack: TDO Dumps More Data
Jul 26

Athens Orthopedic Clinic has confirmed that its patients have been impacted by a cyberattack which was conducted using the login credentials of one of its software vendors. Electronic medical records of current and former patients were breached, according to the notice on the healthcare provider’s website. While the substitute breach notice did not explain the exact nature of the attack nor the number of patients affected by the breach, the incident to which the breach notice refers is the cyberattack conducted by TheDarkOverlord. Athens Orthopedic Clinic is the Georgia healthcare provider from which 397,000 records were stolen. In addition to patient data being offered for sale on the darknet marketplace TheRealDeal, more data have recently been dumped on the data sharing website Pastebin. The records of 500 patients were initially disclosed by TDO for verification purposes. A further 509 records have recently been uploaded to Pastebin. The posting, which is still accessible, includes names, genders, ages, dates of birth, client type, social security numbers, addresses, and other raw...

Midland Healthcare Providers Inform Patients of Privacy Breach
Jul 26

Earlier this month, we covered a privacy incident reported by Midland Memorial Hospital that resulted in the exposure of 1,468 patient records. The paper files were left unattended at a private residence by Mario M. Gross, M.D., a physician who had previously worked at the hospital. Now two further healthcare providers in Midland, Texas have announced that their patients’ PHI was exposed and potentially compromised in the same incident. Dr. Gross had worked for multiple healthcare organizations in the Midland area. The records of at least 3,511 patients were left unattended and unprotected.

Midland Women’s Clinic Notifies 717 Patients of PHI Exposure

On April 26, 2016, Midland Women’s Clinic discovered that Gross had left information relating to 717 patients at his former residence, according to a press release issued by the clinic. Patients affected by the breach had received medical services prior to 2006, when Gross had last worked at the clinic. The records have now been retrieved and secured and the internal investigation has been completed. The documents contained names, home...

2.75 Million Dollar HIPAA Settlement Reached with UMMC
Jul 22

Hot on the heels of the $2.7 million HIPAA breach settlement with Oregon Health & Science University comes news of another multi-million-dollar settlement with a university. The Department of Health and Human Services’ Office for Civil Rights announced yesterday that the University of Mississippi Medical Center (UMMC) has agreed to settle alleged HIPAA violations and will pay a financial penalty of $2.75 million. UMMC has also agreed to adopt a corrective action plan (CAP) to bring privacy and security standards up to the level required by HIPAA.

UMMC Investigated After Theft of Unencrypted Laptop Computer

The settlement stems from a breach of patients’ protected health information (PHI) in 2013. A laptop computer issued to UMMC’s Medical Intensive Care Unit (MICU) was discovered to be missing. The laptop computer contained the PHI of 500 patients. The data were not encrypted, although the laptop computer was password protected. The laptop is believed to have been stolen by a visitor who had asked about borrowing one of MICU’s laptops. OCR conducted an investigation into the...

Sunbury Plaza Dental Discovers Theft of Patient Files
Jul 22

Thieves have broken into a storage facility used by Sunbury Plaza Dental of Westerville, Ohio and have stolen files containing patients’ full names, along with addresses, dates of birth, and Social Security numbers. Break-ins at storage facilities are not uncommon; however, it is relatively rare for paper files to be taken by thieves. In this case, some patients’ files were removed from the facility. Sunbury Plaza Dental believes the files were taken with intent to use patients’ data to commit identity theft and fraud. The break-in occurred at some point between March 10 and March 20, 2016, although the theft was not discovered by Sunbury Plaza Dental until May 25, almost two months after the incident occurred. Local law enforcement officers were alerted to the theft and break-in and notified Sunbury Plaza Dental of the incident. The majority of files in the storage unit were undisturbed, although some files had been removed, according to the healthcare provider’s substitute HIPAA breach notice. All of the files have now been recovered from the thieves and patients’ files are all now...

Medical Office Documents Discovered in Rock Springs Dumpster
Jul 21

Medical documents containing information about former patients of the College Hill Health Center in Rock Springs, WY, have been discovered in a dumpster. A statement issued by the Wyoming Board of Medicine says the documents have now been retrieved, but an inventory has yet to be conducted. It is unclear exactly how many patients have been affected, the type of documents that were discovered, or the extent of patient information that has been exposed. College Hill Health Center has recently been acquired by Memorial Hospital as part of a settlement with the former owner, Dr. Amr Etman. Dr. Etman and the medical center staff were required to vacate the property by July 8 this year, although patients of the health center were allegedly informed that they could collect their medical records in person prior to June 30, 2016, according to the Rock Springs Rocket Miner. Any medical records which remained became the property of Memorial Hospital. Electronic records were turned over to the hospital, and Dr. Etman arranged for the paper medical records to be collected and destroyed, in...

Lasair Aesthetic Health Notifies Patients of Privacy Breach
Jul 20

Denver, CO-based Lasair Aesthetic Health, P.C., has alerted 1,835 patients that their privacy was violated by a former employee who secretly emailed a limited amount of their protected health information to a personal email account. The former Lasair manager used her mobile phone to log in to her work email account on May 11, 2016 and sent documents and a list of patients to her personal email account. The patient list contained a limited amount of patients’ protected health information, including full names and details of the amounts that each patient had spent on medical services at Lasair in 2015. No highly sensitive data such as insurance information, Social Security numbers, credit card details or other financial information were compromised, although a couple of patients had photographic images (not including face shots) and treatment results emailed to the former manager’s personal email address. Lasair discovered the privacy incident a day later, on May 12, 2016, and launched an internal investigation. The employee was contacted and instructed to delete all patient...

CareFirst Inc. Data Breach Lawsuit Dismissed for Lack of Standing
Jul 15

A class-action data breach lawsuit filed against CareFirst Inc., and CareFirst of Maryland Inc., following the 1.1 million-record data breach of 2015 – and a second breach in 2014 – has been dismissed by a Maryland federal court for lack of standing. The lawsuit, which was filed by two plaintiffs – Scott Adamson and Pamela Chambliss – was dismissed by Judge Richard Bennett after the pair were unable to allege facts sufficient to support the case. The pair alleged CareFirst had been negligent for failing to protect its computer hardware, resulting in the exposure of plan members’ names, ID numbers, and dates of birth. While any health insurer data breach could potentially place plan members at risk of harm or loss, in this case no Social Security numbers, credit card numbers, or financial information were exposed. The plaintiffs did not allege that their personal information had actually been used, but claimed their personal information had value and its exposure placed them at an increased risk of harm or loss. However, there was some doubt as to the amount of...

Arkansas Spine & Pain Informs Patients About Bizmatics Security Breach
Jul 15

Little Rock, AR-based Arkansas Pain and Spine is the latest healthcare provider to alert its patients that their protected health information was potentially viewed and copied during the Bizmatics data breach in 2015. In May, healthcare organizations that used the PrognoCIS EMR management tool were notified that patient data had potentially been accessed as a result of a malware infection on a Bizmatics server. The malware was understood to have been loaded on the server in January 2015, but the infection was not discovered until late 2015. Healthcare organizations have up to 60 days to notify patients who have had their PHI exposed. Over the past couple of months, affected healthcare organizations have been sending out breach notifications. Arkansas Pain and Spine was informed on May 12, 2016 that some of its patients had been affected by the security breach. Patients potentially had their names, dates of birth, addresses, health insurance information, Social Security numbers, and other clinical information exposed. Bizmatics contracted an external cybersecurity firm to assist...

Pennsylvania Ambulatory Surgery Center Alerts 13K Patients to Ransomware Attack
Jul 15

Langhorne, PA-based Ambulatory Surgery Center at St. Mary has announced that it was the victim of a ransomware attack on June 1, 2016, according to the Bucks County Courier Times. The IT department was alerted to the ransomware infection by staff members who were prevented from accessing files stored on the computer network. While other ransomware victims have been forced to give in to attackers’ demands in order to recover encrypted files, the Ambulatory Surgery Center was able to restore all affected files from a backup and did not have to resort to paying the ransom demand. As was confirmed this week by the Department of Health and Human Services’ Office for Civil Rights, a ransomware attack on a healthcare organization requires notifications to be sent to patients to alert them to the possible disclosure of their protected health information. The Ambulatory Surgery Center sent breach notification letters to almost 13,000 patients last week to advise them that their PHI may have been accessed. All individuals affected by the security breach have been offered credit monitoring...

Stolen Ultrasound Machines Contained PHI, says Kaiser Permanente
Jul 14

Kaiser Permanente discovered that some of its ultrasound machines and other medical equipment had been stolen by two company employees. Kaiser Permanente was alerted to the theft of equipment on June 10 and immediately launched an investigation. Efforts were then made to recover the missing equipment. Kaiser Permanente has now recovered the stolen equipment and has performed an analysis to determine whether any patient data were stored on the devices. Kaiser Permanente determined that some of the machines contained a limited amount of patients’ protected health information, including MRNs, patients’ first and last names, and ultrasound images. The equipment had been taken from a number of different Kaiser Permanente facilities and had been temporarily moved to a storage unit. The Kaiser Permanente investigation is ongoing, but it is believed that the ultrasound machines and medical equipment were only taken by the employees to sell on for profit, and not for any data stored on the devices. The theft of equipment has been reported to law enforcement and a criminal investigation has...

Major 2016 Healthcare Data Breaches: Mid Year Summary
Jul 11

Cyberattacks on healthcare organizations are now a fact of life. As long as it remains profitable for hackers to conduct attacks on healthcare organizations, the cyberattacks will continue. Given the volume of healthcare data breaches now being reported, it is clear that the healthcare industry must do more to strengthen defenses against cyberattacks and insider threats. To do that, healthcare organizations need to look beyond HIPAA compliance. Healthcare organizations had a torrid time in 2015. In 2015, more healthcare records were stolen than in any other year since records of breaches started being published by the Office for Civil Rights. Some of the cyberattacks on healthcare providers and health insurers resulted in staggering amounts of data being stolen.

Major 2016 Healthcare Data Breaches

Until the last week in June it looked like the healthcare industry had avoided mega data breaches on the scale of the cyberattacks on Anthem, Premera BlueCross, and Excellus BlueCross BlueShield in 2015. However, as the first half of the year came to an end, a hacker offered a 9.3-million...

Another Hacked Healthcare Database Listed for Sale: Some Victims Confirmed
Jul 11

The listing of three healthcare databases containing 655,000 healthcare records in late June was followed by a posting of a much larger health insurer database containing 9.3 million records. Now, a fifth database has been offered for sale. The latest batch of healthcare data contains 23,565 patient records. The latest database was obtained by the hacker TheDarkOverlord “through the token impersonation of an employee.” The organizations whose data have been listed for sale have not come forward and confirmed that they are the victims, although further information has emerged linking two organizations to the latest breaches. After performing some investigative work on the samples provided by the hacker to confirm the authenticity of the stolen data, Databreaches.net was able to determine that the database containing 48,000 records most likely came from Midwest Orthopedic Pain & Spine. This batch of data was initially claimed to have come from a healthcare organization in Farmington, Missouri. TheDarkOverlord has since confirmed that the data came from the Scott A. Vanness-owned...

North Ottawa Medical Group Notifies 22,000 of Bizmatics Breach
Jul 08

North Ottawa Medical Group (NOMG) has notified 22,000 of its patients that they have been impacted by a malware infection that was discovered by its EMR management company, Bizmatics. NOMG joins a long list of organizations that have been impacted by the breach. The latest announcement takes the total number of patients affected by the security breach to over 265,000 individuals. The data potentially exposed as a result of the malware infection on Bizmatics’ server include patients’ names, addresses, health visit data, treatment information, health insurance information, and in some cases, Social Security numbers. The last four digits of payment cards could potentially also have been exposed. Patients affected by the breach had previously sought medical services at NOMG’s Internal Medicine, Family Practice, or Women’s Health physician practices. The investigation into the security incident conducted by Bizmatics did not uncover evidence to suggest that patient data had in fact been accessed by unauthorized individuals. The company also could not confirm whether the malware was...

Midland Memorial Hospital Announces Potential PHI Breach
Jul 08

Midland Memorial Hospital has announced that some of its patients’ protected health information has potentially been viewed by unauthorized individuals. On April 8, 2016, the Midland, Texas-based hospital was alerted to a privacy breach that exposed patients’ names, addresses, dates of birth, medical diagnoses, medications, medical procedures, physician’s notes, medical record unit numbers, medical account numbers, and health information. In some cases, patients also had their Social Security numbers exposed. Patients’ PHI was left unprotected at a private residence by Mario M. Gross, M.D., a physician who had previously worked at the hospital. The paper files were left in an area where they could potentially have been accessed by members of the public. Once alerted to the security breach, staff from the hospital visited the residence and retrieved and secured the records. The hospital was unable to determine whether the records had actually been viewed by unauthorized individuals during the time that they were accessible; however, no evidence has been uncovered to suggest that any...

California Dept. of Corrections and Rehabilitation Reports Health Care Facility Privacy Breach
Jul 07

The California Department of Corrections and Rehabilitation has announced that an employee of the Division of Adult Institutions’ California Health Care Facility emailed a document containing patients’ names and Social Security numbers to an individual who was not authorized to view the data. The disclosure of patients’ data occurred on May 2, 2016 and was not believed to have been conducted with malicious intent. The email was simply sent to the wrong person. To reduce the risk of similar incidents occurring in the future, the California Health Care Facility has revised its policies and procedures. The email has also been deleted from the email system, although it is possible that the data were viewed by at least one unauthorized individual. All individuals affected by the privacy incident have been advised to place a fraud alert on their credit files and have been told to read the California Attorney General’s consumer tips for victims of privacy breaches and to take the appropriate steps they feel are necessary to mitigate risk. The incident has not yet appeared on the Department of...

Colorado Allergy Clinic Reports Ransomware Attack
Jul 06

Allergy, Asthma & Immunology of the Rockies, P.C. (AAIR) has experienced a ransomware infection on computers used to store the electronic protected health information (ePHI) of patients. The computers that were locked with the malicious file-encrypting malware contained the health records of 6,851 patients. The ePHI stored on the computers included patients’ names, medical test results, and Social Security numbers. The ransomware attack was discovered on May 16, 2016 and affected AAIR’s Glenwood Springs medical office. Staff at the office were unable to access files on computers and IT staff were alerted to a potential cyberattack. The IT department immediately shut down the company’s servers to prevent data exfiltration and to contain the infection. A third party cybersecurity firm was called in to conduct a forensic analysis of the allergy clinic’s network. According to a statement issued by AAIR’s attorney, Kari Hershey, “They weren’t able to track exactly what the hackers did, but what they did find was a draft of the ransom letter on the system.” It is unclear exactly...

Potential Privacy Breach at Planned Parenthood Dubuque Health Center
Jul 05

On July 1, 2016, Planned Parenthood of the Heartland announced that the protected health information (PHI) of certain patients of its Dubuque health center in Iowa may have been accessed by unauthorized individuals. The health center permanently closed its doors to patients in April this year, and the premises were listed for sale and sold. However, hard copies of patient files were left in the Dubuque health center. In April 2016, individuals entered the medical center and could potentially have viewed and/or copied patient files. The potential breach was discovered by Planned Parenthood on May 6, 2016. The files have now been removed from the premises and have been secured. Planned Parenthood said this was an isolated incident and is not representative of the stringent privacy standards usually maintained by the healthcare organization. Patients affected by the potential privacy breach had sought treatment at the Dubuque health center between August 1, 2008 and April 30, 2014. In total, the PHI of 2,506 patients may have been compromised. Patients have now been notified of the...

Philadelphia Business Associate Agrees to $650,000 OCR Settlement
Jun 30

On June 24, 2016, the Department of Health and Human Services’ Office for Civil Rights (OCR) published details of a resolution agreement that was reached with Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS). CHCS has agreed to settle alleged HIPAA violations with the OCR and has agreed to implement a Corrective Action Plan (CAP). CHCS will also pay a financial penalty of $650,000. CHCS is the sole corporate parent of six nursing facilities – St. Francis Country House, Immaculate Mary Home, St. John Neumann Home, St. Mary’s Manor, St. Martha’s Manor, and St. Monica’s Manor – and provides management services to the nursing facilities. In its capacity as a HIPAA business associate, CHCS is required to comply with HIPAA Rules. In February 2014, each of the six nursing facilities submitted a breach notice to the OCR regarding a breach of ePHI. On April 17, 2014, the OCR launched an investigation into the breach. A large number of OCR investigations into ePHI breaches have revealed failures to comply with HIPAA administrative safeguards – specifically 45...

Massachusetts General Hospital Reports PHI Incident
Jun 30

Massachusetts General Hospital (MGH) has announced that some patients of its dental group had their protected health information exposed earlier this year. The security breach occurred at one of the healthcare provider’s business associates, Patterson Dental Supply Inc. (PDSI). MGH first became aware of the security breach on February 8, 2016. Under normal circumstances, patients would have been notified of the breach within 60 days of discovery – the time frame stipulated in the HIPAA Breach Notification Rule. However, the intrusion was reported to law enforcement, which requested that MGH delay the issuing of breach notification letters so as not to interfere with the investigation. The investigation continued, but on May 26, 2016, MGH was given permission by law enforcement to start notifying patients of the breach. A substitute breach notice was uploaded to the MGH website on June 29, 2016, just over a month later. According to that notice, “we began notification as quickly as possible once we completed our investigation. The investigation revealed that some patient files that...

Pruitt Health Alerts Patients to Potential Privacy Breaches after Two Break-ins
Jun 29

PruittHealth, a provider of home health and hospice services in the southeast United States, has started notifying 1,437 patients of a potential breach of protected health information following two break-ins at its offices in South Carolina. In both cases, it would appear that the thieves were not interested in patient health information, although patients’ files could potentially have been viewed. The first break-in occurred on March 2, 2016. Thieves smashed the glass in the front door and entered the PruittHealth Home Health – Low Country office. No electronic devices were stolen by the thieves and only petty cash was believed to have been taken. However, patient files were stored in the office and could potentially have been accessed. On discovery of the break-in on March 3, PruittHealth staff alerted law enforcement and checked to determine whether any patient files had been accessed or stolen. The files did not appear to have been disturbed and no paper files appeared to have been removed by the thieves. Patients have now been notified that if the files were accessed, their...

Criminal HIPAA Case: Conviction for Respiratory Therapist
Jun 28

A former respiratory therapist has been convicted of criminal HIPAA violations by a federal jury in Ohio. The jury agreed with prosecutors that the protected health information of patients was wrongly obtained and that the PHI was used to seek and obtain intravenous prescription drugs. Jamie Knapp was employed as a respiratory therapist at the ProMedica Bay Park Hospital in Oregon, Ohio. Over a period of 10 months, Knapp improperly accessed the medical records of 596 patients. Knapp was permitted access to patient records in order to conduct her work duties; however, she was only permitted access to the records of patients she was treating. Knapp abused her access rights and viewed the PHI of other patients without authorization, according to the prosecution. Sentencing has been tentatively scheduled for October and Knapp could be jailed for up to a year. It is relatively rare for individuals to be tried for HIPAA violations, even when violations of the Health Insurance Portability and Accountability Act clearly appear to have taken place. Criminal convictions are even rarer. In order...

Three Hospitals’ Medical Devices Hacked Using Ancient XP Exploits
Jun 28

Cybercriminals are using increasingly sophisticated methods to gain access to healthcare networks, although according to a recent report – MEDJACK.2 Hospitals Under Siege – from Trap X Research Labs, old school malware and ancient exploits can still be effective. Three hospitals have been discovered to have been infected with malware via medical devices running on legacy systems. The researchers discovered “a multitude of backdoors and botnet connections,” that had been installed using ancient exploits of the unsupported Windows XP platform. Hackers had succeeded in compromising the machines even though the hospitals had modern, sophisticated cybersecurity defenses in place. The initial attacks used old malware which was not detected by advanced security software. The malware was not deemed to pose a threat as the vulnerabilities that the malware exploited had been addressed in Windows 7 and did not exist in later Windows versions.

Sophisticated Cybersecurity Defenses Failed to Identify Windows XP Malware Infections

One of the hospitals tested by TrapX researchers had a...

655,000 Health Records from Unreported Data Breaches For Sale on Darknet
Jun 27

Over the course of the past few weeks there have been huge data dumps from historic cyberattacks on LinkedIn, MySpace, and Tumblr. More recently, over 33 million hacked Twitter accounts were listed for sale online. These accounts are believed to have been hacked using the credentials obtained in the LinkedIn breach. Given the number of healthcare data breaches that have occurred over the past few years, it is to be expected that some of these data will be listed for sale on underground forums as hackers look to turn data into cash. However, three large healthcare databases have just been listed for sale online which do not appear to have come from historic healthcare data breaches.

655,000 Healthcare Records Listed for Sale from Recent Unreported Data Breaches

The data appear to have come from three separate breaches. The hacker who listed the data for sale has indicated there will be more to come. The batches of data currently being offered for sale total 655,000 patient records. The data have been listed for sale by the hacker “TheDarkOverlord” who claims the data have been...

Case Manager Duped naviHealth; Dignity Health Alerts Patients to Privacy Breach
Jun 27

Dignity Health is notifying 520 patients that their privacy was violated by a naviHealth employee who gained employment as a case worker using a false name and nursing license. Dignity Health is a not-for-profit public benefit corporation operating in 17 states. The San Francisco-based health system is the fifth largest hospital system in the United States, and is the largest non-profit hospital provider in the state of California. Dignity Health works with a large number of hospitals and provides in-home health services to patients after they have been discharged from hospital. Dignity Health outsources some of its services to the Nashville, Tennessee-based post-acute care management company naviHealth. naviHealth provides PAC management services to over 1.5 million beneficiaries throughout the United States. On June 6, 2016, Dignity Health was informed by naviHealth that an individual had gained employment under false pretenses. The individual was employed by naviHealth as a case worker between June 2015 and May 2016. The case worker was provided with access to the protected...

Bizmatics Data Breach Victim Count Rises to Almost 177,000
Jun 24

Two further healthcare providers have reported security breaches that have potentially exposed patients’ protected health information, both of which have links to the Bizmatics data breach discovered in December 2015. The Vein Doctor, a Liberty, MO-based provider of treatment services for varicose and spider veins, recently submitted a breach report to the Department of Health and Human Services’ Office for Civil Rights indicating 3,000 patients had been affected by a network server and EMR hack. A breach notice has not appeared on the healthcare provider’s website at the time of posting, and it is unclear how much protected health information was exposed in the cyberattack. However, the breach does appear to be linked to Bizmatics. The Vein Doctor uses the PrognoCIS EMR tool developed and maintained by Bizmatics. Other healthcare providers impacted by the Bizmatics breach also used the PrognoCIS tool. Grace Primary Care P.C. also reported a data breach to the OCR which was similarly caused by the hacking of a network server. The breach report, submitted to the OCR on June 7,...

Nurse Charged with Bank Fraud: HIPAA Breach Trial for Respiratory Therapist
Jun 23

Healthcare workers can face lengthy jail terms and heavy fines for improperly accessing patient health information. This week, a nurse has been charged with fraud and identity theft and the trial of a respiratory therapist has commenced in Toledo. If found guilty, both could spend time behind bars.

Virginia Nurse Charged with Bank Fraud and Identity Theft

A nurse formerly employed at Commonwealth Primary Care in Richmond, VA, has been charged with bank fraud and identity theft and is expected to plead guilty to the charges at a plea agreement hearing scheduled for Friday morning. Capri Williams worked at the West End branch of Commonwealth Primary Care for almost a year. During that time, she is believed to have accessed and copied the protected health information of hundreds of patients. Williams is alleged to have used patient information to fraudulently open bank and credit accounts in patients’ names. Williams has also been accused of making a fraudulent transfer of over $4,000 from one of the patients’ credit cards. According to WTVR, Commonwealth Primary Care received a...

Texas Health and Human Services Commission Notifies 600 of PHI Exposure
Jun 23

A storage contractor has informed the Texas Health and Human Services Commission (HHSC) that 15 storage boxes have been discovered to be missing. The boxes were stored at three Iron Mountain facilities in Dallas, Fort Worth, and Irving. The boxes contained files relating to individuals who had applied to HHSC for medical assistance between January 1, 2008 and August 31, 2009. The files contained names, addresses, dates of birth, Social Security numbers, Social Security claim numbers, bank account numbers, Medicaid/individual numbers, and medical record numbers. The breach report submitted to the Department of Health and Human Services’ Office for Civil Rights indicates 600 individuals were affected. Iron Mountain was contracted by HHSC to store boxes of client files prior to the records being permanently destroyed. HHSC is now conducting an investigation into Iron Mountain’s handling of the files and to determine how the boxes were lost. Once the investigation has concluded, HHSC will revise its policies and procedures to reduce the probability of similar incidents occurring in the...

Indiana Attorney General’s Office Investigates Dumping of Medical Records
Jun 18

Earlier this week, an officer from the Indianapolis Metropolitan Police Department (IMPD) discovered a number of medical records in a public recycling dumpster in Broad Ripple Park, Indianapolis. A number of confidential documents were found in file folders in the dumpster which had been mixed up with newspapers and other paper and cardboard. IMPD recovered the files and folders from the recycling dumpster, although there is no way of telling whether any documents had been removed by members of the public. It is also unclear whether files had been dumped on a single occasion, or whether material had been disposed of over an extended period of time. The Indiana Attorney General’s Office is now involved and efforts have been made to contact recycling and waste disposal companies who potentially may have come into contact with dumped medical records. If any further files and folders are recovered the attorney general’s office will arrange for the files to be collected and secured. According to the police report, the files contain highly sensitive data including patient names,...

16K ENT and Allergy Center Patients Affected by Bizmatics Breach
Jun 18

ENT and Allergy Care, P.A. has announced that its patients have been affected by the data breach at Bizmatics. In early 2015, the server used to host the Bizmatics PrognoCIS tool was hacked. Access to the server was gained and data stored on the server were potentially accessed. In December 2015, the intrusion was detected and access to the server was rapidly shut down. Bizmatics started investigating the cyberattack and enlisted the services of an external computer forensics company. Law enforcement was also notified of the security breach. Bizmatics notified ENT and Allergy Care of the security breach by mail in January 2016; however, at the time it was not possible to tell whether ENT and Allergy Care patients had been affected. The Bizmatics investigation continued, and in April 2016 ENT and Allergy Care was notified that “at least some” data stored in the PrognoCIS tool had been accessed and possibly copied. Bizmatics was unable to determine exactly which patients’ data were accessed. The data stored in the PrognoCIS tool included patients’ names, addresses, and information...

BA Printing Error Exposed PHI of Walmart Pharmacy Patients
Jun 17

An error by a vendor of Walmart has resulted in a limited amount of protected health information being disclosed to other pharmacy customers. An error was made when one of Walmart’s vendors printed letters accompanying patient refund checks. That error resulted in patients’ protected health information being printed on letters intended for other individuals. Only a limited amount of information was disclosed, although this was sufficient to warrant the issuing of breach notification letters. The incident has now been reported to the Department of Health and Human Services’ Office for Civil Rights. The breach report indicates 27,393 patients were impacted by the privacy breach. The breach has not been posted on Walmart’s website at the time of writing, although an explanation of the breach was provided to databreaches.net. Walmart explained that the error occurred on or around May 13, 2016. The letters were mailed to patients on May 15, 2016, and Walmart was made aware of the error 5 days later. Affected patients had their name, pharmacy prescription number or optical order...

Aspen Hospital Sued for HIPAA Breach by Former Employee
Jun 16

A healthcare IT worker formerly employed by Aspen Hospital is suing the hospital and five of its employees for an alleged HIPAA breach after it was disclosed he had contracted HIV. The former employee, only identified as John Doe in the suit, was also a patient at the hospital. His attorneys, Mari Newman, Darold Killmer and Eudoxie Dickey, filed the suit on his behalf and are seeking compensatory and punitive damages, legal fees, and an apology from the hospital for the violation of his privacy. Doe also wants the hospital to change its policies to prohibit the disclosure of sensitive medical information to members of the hospital staff. John Doe had worked in the IT department of Aspen Hospital for 11 years prior to losing his job. Doe was an excellent employee and was well respected in the department according to the suit. He was regularly told he had exceeded expected standards and had often been rated as ‘outstanding’ in his performance evaluations. After filing complaints against the hospital for the disclosure of his HIV status and subsequent retaliatory acts by hospital...

Ponemon Institute Publishes 2016 Cost of Data Breach Study
Jun 16

For the past 11 years, the Ponemon Institute has conducted an annual benchmark study on the cost of data breaches. This week, the Ponemon Institute published the results of its 2016 Cost of Data Breach Study, which shows the cost of breach resolution continues to rise. The IBM-sponsored study indicates the average total cost of the breach response and resolution has increased to $7.01 million from $6.53 million last year, a rise of 7% year on year. Ponemon puts the average cost per compromised record at $221, a rise of 2% on last year’s figure, or $4 per record. The 2016 cost of data breach study was conducted on organizations around the world, including companies based in Australia, Brazil, Canada, France, Germany, India, Italy, Japan, Saudi Arabia, the United Arab Emirates, and the United Kingdom. The global average data breach cost increased from $154 per record to $158 per record, with the total cost increasing from $3.8 million to $4 million per data breach. 383 companies took part in the global study. 64 U.S. companies took part in this year’s benchmark study and 16...

Kern County Mental Health Department Announces Privacy Breach
Jun 14

Kern County Mental Health Department, CA (KCMH) has reported a breach of protected health information which occurred during the relocation of its administrative department in April 2016. The breach involved the exposure of a limited amount of protected health information of patients who had previously received care from KCMH between September 1 and September 30, 2006. When the administrative department relocated, the former offices were renovated. A single document was left behind in the offices and could potentially have been viewed by construction workers. The document was discovered by a KCMH staff member upon return to the offices. During the time that the report was left unprotected, staff members did not have access to the area. The report contained patients’ full names, internal record numbers, service codes, and the unit where treatment was provided. While patients could have been identified as having previously received treatment from KCMH and/or its contractors, the mental health services received were only identifiable by their codes. KCMH confirmed that highly...

Two More Healthcare Organizations Inform Patients of Bizmatics Breach
Jun 13

Two more healthcare organizations have started notifying patients that their protected health information was exposed when a hacker infiltrated the PrognoCIS application of third party vendor, Bizmatics Inc. Earlier this year, Bizmatics started notifying some of its clients that its systems had been infiltrated by a hacker, who may have accessed and copied clients’ data from its PrognoCIS electronic medical record (EMR) database. An attacker had succeeded in installing malware on its systems in January 2015, although the malicious software was discovered almost a year later toward the end of 2015. Many of the healthcare organizations affected by the breach were notified in March 2016. The latest two U.S. healthcare providers to announce that their patients had been affected by the Bizmatics breach are the California Health & Longevity Institute, based in Westlake Village near Los Angeles, and the Grand Junction, CO-based Vincent Vein Center. California Health & Longevity Institute submitted a breach report to the Department of Health and Human Services’ Office for Civil...

12,500 Drug and Alcohol Abuse Program Patients Impacted by San Juan County Hack
Jun 10

Last month, San Juan County, NM, announced that a hacker had gained access to its computer systems and potentially viewed the highly confidential data of patients enrolled in its drug and alcohol abuse program. Patients affected by the breach had previously been ordered by the courts to undergo treatment for drug and alcohol abuse after being caught using methamphetamine or driving while under the influence of alcohol. Patients’ names and participation in the drug and alcohol program were potentially revealed to the hacker, along with their addresses, health assessment data, details of prescription medication, and the treatment methods they had been prescribed. San Juan County was alerted to the intrusion within 30 minutes of access being gained, limiting the potential for data to be viewed or copied. Upon discovery of the hack, access to its system and data was terminated. During this short window of opportunity data may have been viewed or copied. San Juan County hired an external cybersecurity firm to conduct a thorough forensic investigation of the security breach. The...

Washington DC VA Medical Center Breach Exposes PHI of 1,062 Veterans
Jun 09

Washington DC Veterans Affairs Medical Center has reported a security incident that has exposed the protected health information of 1,062 veterans. On March 31, 2016, the privacy office of the Washington DC Veterans Affairs Medical Center was notified that a controlled substance monthly report had been discovered to be missing. The report included veterans’ full names along with their full or partial Social Security numbers. An investigation into the incident was launched and attempts were made to locate the missing document, but it has not been recovered. In response to the incident, the medical center has updated its procedures and has now implemented new controls to prevent future privacy breaches of this nature from occurring. All veterans affected by the privacy breach are being sent breach notification letters and will be offered a year of credit monitoring and identity theft protection services without charge. Details of the steps that veterans can take to protect their privacy have also been included in the breach notification letters. Berkeley Endocrine Clinic Informs...

Two Healthcare Providers Announce Billing-Related PHI Breaches
Jun 07

Loyola University Medical Center and University of New Mexico Hospital have discovered separate mailing-related privacy breaches and have started notifying patients of the exposure of a limited amount of their protected health information.

Loyola University Medical Center Privacy Breach

On April 5, 2016, Loyola University Medical Center discovered billing statements had been sent to incorrect addresses in February 2016. The University had undertaken a project to acquire accurate addresses; however, some billing statements ended up being released to addresses that had not been verified. A limited amount of protected health information was inadvertently disclosed to unauthorized individuals including patients’ names, along with their account number, dates of service, procedure codes, general descriptions of the medical services provided, and the balances due to be paid. No Social Security numbers, credit card details, or insurance information were disclosed. In an effort to minimize the probability of similar privacy breaches occurring, Loyola University Medical Center will also be...

Up to 400,000 Prisoners’ PHI and SSNs Exposed
Jun 07

Up to 400,000 current and former prisoners incarcerated by the California Department of Corrections and Rehabilitation between 1996 and 2014 have potentially had their Social Security numbers, medical data, and personally identifiable information exposed. The data breach was reported last month by California Correctional Healthcare Services (CCHCS) and a substitute breach notice was posted on the CCHCS website on May 13; however, at the time it was unclear exactly how many prisoners had been affected. While this is still uncertain, the Office for Civil Rights breach report indicates as many as 400,000 individuals may have been affected. An exact figure is not known as the investigation conducted by CCHCS has not determined which individuals’ data were stored on the device. The figure of 400,000 is the total number of patients who had received healthcare services from CCHCS between 1996 and 2014. That makes this the third largest healthcare data breach so far reported in 2016, behind only the 483,000-record breach at Radiology Regional Center, and the 2.2 million-record data breach...

Anthem Data Breach Lawsuit Heading for Trial
Jun 06

Following the mammoth 2015 data breach at Anthem Inc., around 100 lawsuits were filed by plan members seeking damages for the exposure of their protected health information. In June last year, the lawsuits were consolidated and moved to the Northern District of California and are being presided over by the Honorable Lucy H. Koh. The cyberattack on Anthem was the largest healthcare data breach ever reported, involving approximately 37 million records and affecting close to 78.8 million individuals. The persons responsible for the cyberattack have not been identified, although the security breach is widely believed to have been a state-sponsored attack by Chinese hackers. Class-action lawsuits are often filed by data breach victims following the exposure of personally identifiable information, although the cases are usually dismissed unless there is concrete evidence of actual harm or losses being suffered by the victims. However, the huge data breach case has survived motions to dismiss and looks set to be heading to trial. Last week, Koh indicated the latest motion by the defense...

Head of House Select Investigative Panel Calls for HIPAA Investigation into Abortion Clinic PHI Disclosures
Jun 06

Last week, the head of the House Select Investigative Panel tasked with investigating the trade of baby body parts by abortion clinics wrote to the director of the Department of Health and Human Services’ Office for Civil Rights requesting an investigation into violations of the Health Insurance Portability and Accountability Act (HIPAA). It is alleged that Planned Parenthood – Planned Parenthood Mar Monte (PPMM) and Planned Parenthood Shasta Pacific (PPSP) – and Family Planning Specialists Medical Group (FPS) improperly disclosed the protected health information (PHI) and personally identifiable information (PII) of female patients to StemExpress. In her June 1 letter to Jocelyn Samuels, Rep. Marsha Blackburn explains that employees of StemExpress were provided with details of the abortions that were scheduled to take place on each day and were also given access to the medical files of patients who would be likely to provide fetal tissue donations. Blackburn claims that StemExpress employees were allowed inside of clinics and were given permission to interview patients in...

ProMedica Uncovers Unauthorized Accessing of PHI by 7 Employees
Jun 03

ProMedica has recently discovered that seven of its employees had been improperly accessing the protected health information of patients for almost two years. The employees in question had been granted access to patient files in order to perform their work duties, but had accessed the medical records of patients who they were not required to treat, nor was there any legitimate business reason for patient data being accessed. ProMedica was alerted to the privacy breaches on April 7, 2016, and a thorough internal investigation was launched. That investigation revealed that the records of 3,500 patients had been improperly accessed over a period of two years, from May 1, 2014, to April 26, 2016. Affected patients had received medical services at either ProMedica’s Bixby Hospital in Adrian, MI, or Herrick Hospital in Tecumseh, MI. The types of data viewed by the employees include patients’ names, addresses, dates of birth, contact telephone numbers, insurance information, medical diagnoses, details of medications that had been prescribed, and other clinical data. ProMedica’s...

Integrated Health Solutions Notifies 20K Patients of EHR Breach
Jun 02

Easton, Pennsylvania-based healthcare provider Integrated Health Solutions P.C. has notified 19,776 of its patients that their protected health information may have been accessed by a hacker. The sleep medicine specialists were informed of a security breach by EHR vendor Bizmatics on March 30, 2016. Bizmatics was unable to confirm whether Integrated Health Solutions patient data had been viewed or copied by the unauthorized individual who gained access to its servers, but the company was unable to rule out the possibility. Patients’ names, addresses, health information, and Social Security numbers were stored on the compromised server. Bizmatics provides EHR/EMR software solutions to approximately 15,000 healthcare providers in the United States. The company has not disclosed exactly how many of its clients were affected by the breach, although a number of healthcare providers have now issued breach notifications to patients and have informed the Department of Health and Human Services’ Office for Civil Rights of the breach. Florida-based Eye Associates of Pinellas appears to be...

40K Podiatry Patients Warned of PHI Exposure
Jun 02

Stamford Podiatry Group P.C. has discovered an unauthorized third party gained access to its computer systems for a period of almost two months earlier this year. The intruder was able to view company data and potentially also accessed the electronic medical record (EMR) database. 40,491 patients have now been notified of the privacy breach and potential accessing/theft of their protected health information. EMR data potentially accessed/copied include names, addresses, dates of birth, email addresses, telephone numbers, Social Security numbers, health insurance information, names of treating and referring physicians, and patients’ gender and marital status. Diagnoses, details of treatments, and medical histories were also stored in the EMR and may have been accessed. An investigation into the breach revealed that access was first gained to the company’s systems on February 22, 2016 and continued until the data breach was discovered on April 14, 2016. While the investigation determined that data access was possible, no evidence was uncovered to suggest that data were actually...

Class-Action Lawsuit Filed Against Sharp Grossmont Hospital for Video Privacy Breach
May 30

A class-action lawsuit has been filed against San Diego’s Sharp Grossmont Hospital for breaching the privacy of thousands of patients during and after a covert surveillance operation into drug theft at the hospital. Sharp Grossmont Hospital had installed hidden cameras in monitors in all three emergency rooms in the hospital in an attempt to obtain video evidence against a physician who was under investigation for the alleged theft of the sedative drug Propofol from operating room drug carts. While it was not the intention of the hospital to film patients, video clips were recorded of patients giving birth and undergoing other medical procedures. According to the lawsuit, approximately 15,000 videos were captured in total, of which 6,966 have been retained by the hospital. The hospital first installed the cameras in July 2012 as part of a year-long investigation into drug theft. The hidden cameras contained motion sensors which were triggered when individuals entered the operating rooms. The investigation ended in June 2013 and the cameras were removed. According to the lawsuit,...

Tucson Emergency Room Patients’ PHI Stolen from Physician’s Vehicle
May 30

Approximately 1,000 patients in Southern Arizona have been notified of a breach of protected health information following the theft of a physician’s logbook. The logbook had been left in the vehicle of a physician who worked for Emergency Medicine Associates, which provided ER staff for Carondelet Health Network hospitals in Tucson, Arizona. A thief broke into the physician’s vehicle on or around March 25, 2016 and took the logbook. The physician had used the logbook to record brief notes relating to emergency room patients she had treated at Carondelet St. Joseph’s and Carondelet St. Mary’s hospitals in Tucson, AZ, between October 12, 2015 and March 25, 2016. The types of data recorded in the logbook include names, ages, genders, dates of birth, and medical record numbers along with the name of the hospital visited, hospital ID numbers, and dates of emergency room visits. Social Security numbers and health insurance information were not exposed, although some patients’ medical conditions had been noted in the logbook. Dr. Lori Levine, privacy officer for Emergency Medicine...

Medical Colleagues of Texas Hacking Incident Impacts 68K Patients
May 26

Medical Colleagues of Texas, a physicians’ group in Katy, TX, has discovered an unauthorized individual gained access to its system containing the records of more than 68,000 patients. The exact nature of the incident has not been disclosed and an investigation into the security breach is ongoing. The physicians’ group was unaware how access was gained to its systems at the time of posting the breach notice; however, the investigation into the breach has determined that personnel files and patient medical records have potentially been accessed. Data stored on the compromised system include patients’ names, addresses, Social Security numbers, and health insurance information. The intrusion was first detected on March 8, 2016 when an office employee noticed unusual activity on the computer network of the obstetrics group. The activity was determined to be caused by an unauthorized individual who had gained remote access to the network. A computer forensics firm was called in to investigate the security breach. An attorney for the Medical Colleagues of Texas, Lindsay Nickle, issued a...

95K More Patients Discovered to Have Been Impacted by Bizmatics Data Breach
May 25

The Office for Civil Rights has received two further breach reports from healthcare providers impacted by the Bizmatics data breach. Almost 95,000 patients of the two healthcare facilities have potentially had their data accessed by hackers. Southeast Eye Institute P.A., doing business as Eye Associates of Pinellas, has notified 87,314 patients of the breach, while Lafayette Pain Care, PC, has potentially had the data of 7,500 individuals scanned by hackers. Eye Associates of Pinellas was notified by Bizmatics on March 30, 2016, that some of its patients’ data were accessed by unauthorized third parties. The data potentially viewed include patients’ names, telephone numbers, home addresses, dates of birth, health insurance information, and Social Security numbers. Patients affected by the breach had visited Eye Associates of Pinellas prior to November 15, 2015. According to the breach notice posted by Eye Associates of Pinellas, Bizmatics had segregated data to improve security, but the company was unable to determine if the separated data fields had been matched by the...

ACLU Claims Myriad Genetics Violated HIPAA Rules by Withholding Genetic Data
May 24

Late last week, a complaint was filed with the Department of Health and Human Services’ Office for Civil Rights by the American Civil Liberties Union after Myriad Genetics refused to provide four patients with copies of their full genetic records – an alleged breach of the HIPAA Privacy Rule. The patients in question had undergone genetic tests to assess hereditary risk for bladder, breast, and ovarian cancer. Myriad provided the patients with details of the genetic factors which were deemed to be significant and useful for healthcare providers. However, the data provided to the patients did not include information about all of the genetic variants Myriad’s testing had uncovered. The patients requested copies of all of their genetic data that was held by Myriad Genetics, including the genetic variants that Myriad deemed not to pose a risk to the patients. Myriad refused to provide copies saying the patients were not entitled to copies of the withheld data. It was claimed that the withheld data was not part of the designated record set which Myriad is required to provide to patients...

Apology Issued by Sharp Grossmont Hospital for Filming and Sharing Videos of Obstetrics Patients
May 19

An apology has been issued by Sharp Grossmont Hospital for violating the privacy of patients by filming them undergoing surgical procedures and subsequently sharing those videos with a third party. Videos were recorded using hidden surveillance cameras as part of a sting operation to catch a thief who was believed to be stealing narcotic drugs from anesthesia carts in the operating theater of the Women’s Health Center. The hospital set up surveillance cameras hidden inside moveable monitors in three operating rooms at the Women’s Health Center at Sharp Grossmont Hospital to obtain evidence of drug thefts from anesthesia carts. Some of the recorded clips show an anesthesiologist taking bottles of the anesthetic propofol from the carts and placing them in his top pocket. Over the course of the surveillance operation – which took place between July 2012 and July 2013 – 12 bottles of propofol were allegedly stolen from the cart by the anesthesiologist. The video footage of the thefts was submitted to the California Medical Board as evidence. The accused anesthesiologist’s...

4000 Michigan Chiropractic Patients Notified of Potential Data Breach
May 19

4,082 patients of Complete Chiropractic & Bodywork Therapies (CCBT) of Ann Arbor, MI, have been notified of a potential breach of protected health information after malware was discovered on one of the company’s servers. The malware was discovered on March 19, 2016, after the server malfunctioned. The malfunctioning of the server triggered CCBT’s security protocols, which included isolating the server, blocking Internet access, and changing all workstation and third party passwords. CCBT also installed an additional firewall as an extra precaution. External forensics experts were brought in to investigate the security incident. Their investigation revealed malware had been installed which scanned the network for passwords and login information and transmitted sensitive data to the hackers’ command and control server. The server stored patient data including treatment and billing information, in addition to encrypted medical record data. Encrypted information included patient names, addresses, dates of birth, health and diagnosis information, and Social Security numbers. The...

Zocdoc Notifies Patients of Breach Discovered in June 2015
May 18

This week, Zocdoc – an online medical booking system – notified the California Attorney General’s office of a breach of personal information that was first identified almost a year ago. Programming errors were discovered in June 2015 that allowed past and present practice staff members to gain access to their Provider Dashboards after their usernames had been removed from the system or their access had otherwise been limited. The usernames had been provided to medical and dental practices that had signed up to use the Zocdoc appointment system. Patients affected by the data breach have now been sent notification letters advising them that their name, phone number, email address, appointment history, and in some cases Social Security number, could have been accessed by staff members at each practice who were not authorized to view the information. Health insurance information and medical histories could also have potentially been accessed if patients had provided that information via Zocdoc when making appointments. According to the breach notice, “Access may have...

2,100 Veterans Had Their PHI Exposed in April
May 17

Each month the Department of Veterans Affairs issues a report to Congress on the information security incidents experienced by VA facilities over the course of the month. Protected health information (PHI) exposures increased considerably in April, with 2,105 veterans’ PHI being accidentally disclosed or exposed. In total, 2,556 veterans were affected by information security incidents in April, resulting in the VA sending 1,690 breach notification letters. Due to the relatively high risk of misuse of data, 866 veterans were offered credit protection services. While the number of veterans affected by these security incidents was considerably higher than in March – when 522 veterans were affected by information security incidents and 417 had their PHI exposed – fewer incidents were reported by VA facilities. In April there were 39 lost and stolen device incidents compared to 54 in March, lost PIV cards fell from 172 to 128, mishandling incidents dropped from 89 to 87, and 146 mis-mailed incidents were reported compared to 147 incidents last month. Major VA Data Breaches Reported in...

Laptop Thefts Expose the PHI of California Healthcare Patients
May 16

Three potential healthcare data breaches have been recently reported, two of which occurred as a result of the theft of laptop computers and exposed the protected health information (PHI) of healthcare patients in California.

California Correctional Health Care Services Reports Theft of Laptop Computer

On February 25, 2016, an unencrypted, password-protected laptop computer was stolen from the vehicle of an employee of California Correctional Health Care Services (CCHCS). The laptop may have been used to store the PHI of patients of the California Department of Corrections and Rehabilitation. According to a May 14 substitute breach notice submitted to the California Office of the Attorney General, CCHCS identified the breach on April 25. CCHCS conducted an investigation into the incident but was not able to determine whether sensitive data were actually stored on the device. CCHCS believes that if sensitive data were exposed, affected individuals would be those who had been imprisoned between 1996 and 2014. Data potentially stored on the laptop include custodial information,...

Ponemon: 89 Percent of Healthcare Organizations Have Experienced a Data Breach
May 13

This week saw the publication of the Ponemon Institute’s Sixth Annual Benchmark Study on Privacy and Security of Healthcare Data. This year’s study shows 89% of healthcare organizations have now experienced a data breach, while 60% of business associates of healthcare organizations have experienced a breach of healthcare data. All of these healthcare data breaches are taking their toll and are costing the industry dearly. An estimated $6.2 billion is being spent on resolving healthcare data breaches. This year’s report shows that cybercriminals caused 50% of the healthcare data breaches reported over the course of the last 12 months, an increase of 5% year on year. The remaining data breaches were caused by mistakes made by healthcare employees and their vendors.

Frequency and Severity of Cyberattacks Continue to Rise

The healthcare industry is uniquely vulnerable to cyberattacks. Healthcare organizations store vast quantities of valuable data, yet many organizations do not have sufficiently robust defenses to keep those data secured. Security infrastructure is often found to be...

Florida Medical Clinic Notifies 1,000 Patients of Privacy Breach
May 13

Florida Medical Clinic, PA, has notified 1,000 patients that their due balance statements were exposed online as a result of a misconfiguration of its Patient Portal. Between November 18 and January 6, 2016, due balance statements of some patients were viewed by industrial account patients when they logged onto the Patient Portal. Only a limited amount of patient data was viewable, so there is not believed to be a high risk of patients coming to harm or suffering losses as a result of the breach. Patients’ names, mailing addresses, provider names, dates of service, descriptions of procedures, and charges due were viewable by individuals unauthorized to view the information. At no point were Social Security numbers, dates of birth, credit card numbers, financial information, or other highly sensitive data accessed. Upon discovery of the privacy breach, Florida Medical Clinic launched an investigation which revealed that the vendor of its Patient Portal – Greenway Health – had turned on a setting on the Portal by accident, which resulted in due balance statements being viewable...

UnityPoint Health’s Allen Hospital Discovers 7-Year Privacy Breach
May 12

An employee of UnityPoint Health’s Allen Hospital in Waterloo, Iowa, was recently discovered to have abused her access rights to patient health information over a period of seven years. During that time, the employee is understood to have improperly accessed the protected health information of 1,620 patients. The inappropriate accessing of PHI was discovered by Allen Hospital on March 14, 2016. The discovery triggered a full review, which revealed the employee had first started inappropriately accessing patient records in September 2009. The data potentially accessed by the employee include patients’ names, dates of birth, home addresses, health insurance information, medical record numbers, and treatment information. Some patients’ Social Security numbers may also have been viewed. Many employees are discovered to have accessed patient records without authorization, although what makes this case stand out is how long it took Allen Hospital to discover the HIPAA breach. Jim Waterbury, Allen Hospital’s vice president for institutional advancement, said the reason it took so long for...

Transcription Service Provider Exposes PHI of Children’s National Health System Patients
May 11

Washington D.C.-based Children’s National Health System (CNHS) has alerted patients to a breach of their protected health information following an error by a transcription service provider which allowed patients’ data to be indexed by search engines. CNHS is one of a number of healthcare clients affected by the data breach. Ascend Healthcare Systems was contracted by CNHS to transcribe physicians’ notes and was supplied with transcription documents in 2014; however, those documents could potentially have been accessed via search engines due to a misconfiguration of a File Transfer Protocol (FTP) site. Transcription services were provided to CNHS by Ascend between May 1, 2014 and June 23, 2014; however, on February 25, 2016, CNHS discovered that some of its patients’ data had been exposed online. An investigation into the privacy breach was immediately launched and CNHS determined that for a period of one week in February, data were accessible via Google. The breach is understood to have lasted between February 19 and February 25, 2016. The data stored in the transcription...

Are You Prepared for A Business Associate Data Breach?
May 09

HIPAA-covered entities may be prepared to execute their breach response procedures for a security breach that exposes patients’ Protected Health Information (PHI), but what about business associate data breaches? Have policies and procedures been developed to ensure a rapid breach response can be executed if a business associate suffers a data breach? The Department of Health and Human Services’ Office for Civil Rights has recently warned HIPAA-covered entities that they must take steps to ensure they can deal with a business associate data breach should one occur.

OCR: HIPAA-Covered Entities Find Business Associate Data Breach Management Difficult

The recent OCR cyber-awareness bulletin confirmed the need for action to be taken by HIPAA-covered entities to prepare for data breaches experienced by their vendors. The bulletin indicates a large percentage of covered entities are concerned that business associate data breaches may not be reported to them. OCR also suggests that when a business associate data breach does occur, covered entities are often unsure whether their vendors’...

Bay Area Children’s Association Notifies Patients of PHI Theft
May 09

On April 1, 2016, Bay Area Children’s Association (BACA) was notified that the electronic health records of its patients may have been stolen by hackers. The notice was received from BACA’s electronic health record (EHR) provider, which had discovered that unauthorized individuals had gained access to its systems and installed malware. The EHR provider, which was not named in the breach notice, believes the malware was first installed on its systems in January 2015. Consequently, patients’ health data and personal information could conceivably have been in the hands of criminals for over 15 months. After being notified of the potential theft of protected health information, BACA contacted its EHR provider to find out more about the extent of the breach and the data that could have been accessed. BACA was informed on April 22, 2016 that there was no way of telling which patients had been affected, or whether data had actually been obtained by the attackers. Consequently, all patients whose data were stored in the EHR have had to be notified of the security breach. The data...

Ohio MHAS Exposes PHI of 59K Patients by Mailing Surveys on Postcards
May 09

This week, patients of the Ohio Department of Mental Health and Addiction Services (OMHAS) were notified of a privacy incident that occurred on February 3, 2016. Patients were sent a satisfaction survey by mail; however, the survey request was sent on postcards rather than in sealed envelopes. Consequently, the fact that each patient had received services related to mental health and addiction was inadvertently exposed along with patients’ names and addresses. This was not the first time that these mailings were sent to patients. Each year, OMHAS sends customer satisfaction surveys to patients to obtain feedback about the services they received. The aim of the mailings is to obtain data from patients that can be used to improve the services OMHAS provides and to meet the reporting requirements of the federal Mental Health Block Grant. On February 25, 2016, OMHAS became aware that the mailing breached Health Insurance Portability and Accountability Act Rules. An investigation into the privacy breach revealed that similar mailings had been sent in the past. In total,...

Saint Agnes Medical Center Victim of BEC Attack
May 06

Saint Agnes Medical Center of Fresno, CA, is in the process of notifying 2,812 employees of a cyberattack that occurred on May 2, 2016. On Monday this week, an employee of Saint Agnes responded to a phishing email and sent copies of employees’ W-2 data to an attacker. The disclosed data included the names of employees along with their home addresses, salary details, withholding information, and Social Security numbers. The email request appeared to have come from the Chief Executive Officer of Saint Agnes. The phishing attack was rapidly identified, although not before data were disclosed to the attacker. All employees affected by the data breach have been provided with a year of credit monitoring and identity restoration services through Experian without charge. Affected employees have also been advised to contact the IRS to find out if a fraudulent tax refund has been claimed in their name. The email scam is referred to as a Business Email Compromise (BEC) attack. This year has seen a number of BEC attacks on healthcare providers. The phishing scam is convincing as the emails...

Data Breach Class-Action Lawsuit Denied by Penn. Superior Court
May 05

A proposed class-action lawsuit filed against two health plans for the exposure of members’ protected health information has been rejected by the Pennsylvania Supreme Court. Avrum Baum filed a lawsuit against Keystone Mercy Health Plan and AmeriHealth Mercy Health Plan in 2010 following the loss of a flash drive containing the data of approximately 286,000 patients. One of the patients affected by the data breach was Baum’s special needs daughter. Baum claimed in the suit that the loss of the device violated the privacy rights of patients. He also claimed the health plans had been negligent by failing to protect the data of patients, and that the health plans had inaccurately told patients that their protected health information (PHI) was secured. Baum claimed that deceptive practices were used, which violated the Unfair Trade Practices and Consumer Protection Law (UTPCPL). In July 2013, the class-action lawsuit was denied by a trial judge, as Baum could not show that his daughter’s PHI was stored on the device, and the case was found to lack standing because Baum had not purchased his...

Buffalo Medical Group Says Alleged HIPAA Violations Are Unfounded
May 04

Last month, a breach notification letter was received by media outlets and at least one patient of the Buffalo Medical Group (BMG) warning that the protected health information (PHI) of certain patients had been impermissibly disclosed to an unauthorized individual. The letters were sent on BMG headed paper, and the letter indicated that it had been authored by three members of the BMG staff who chose to remain anonymous. The letter claims that the PHI of certain patients had been impermissibly disclosed and that the privacy violations had been brought to the attention of a dermatologist at BMG, yet nothing had been done. The letter claimed that the privacy of patients was violated by a licensed practical nurse who had been disclosing patients’ PHI to a boyfriend. The offenses, which if true would have violated the Health Insurance Portability and Accountability Act (HIPAA), had allegedly taken place some years previously. According to the letter, when the nurse broke off the relationship in August 2015 the ex-boyfriend notified a dermatologist of the privacy violations. No action...

HIPAA Business Associate Notifies Patients of Data Breach
May 03

EqualizeRCM Services, an Austin, TX-based vendor of billing services, is in the process of sending breach notification letters to patients to alert them to the potential exposure of their Protected Health Information after an employee’s laptop computer was stolen. At this stage it is unclear how many individuals have been impacted, as the security breach has not yet been added to the Department of Health and Human Services’ Office for Civil Rights breach portal. Patients of the following healthcare facilities have been impacted by the data breach: Central Dallas Surgery Center; Hermann Drive Surgical Hospital; Kirby Surgical Center; Microsurgery Institute (Houston, Dallas); Northstar Healthcare Surgery Center (Scottsdale, Houston, Dallas); Plano Surgical Hospital; Southwest Freeway Surgery Center; and Victory Medical Center Houston. The laptop computer contained a number of unencrypted documents which could potentially be accessed by unauthorized individuals. The documents did not contain any Social Security numbers or financial account numbers, although personally identifiable information and...

Verizon: Human Error the Main Cause of Security Incidents
Apr 29

The Verizon 2016 Data Breach Investigations Report was released this week. The biggest cause of security incidents over the past 12 months has been what Verizon calls “miscellaneous errors,” a category which includes misconfigured IT systems, improper disposal of company data, lost and stolen devices, and email errors. In the case of the latter, 26% of breaches were caused by individuals emailing data to the wrong recipients. Weak passwords continue to cause organizations problems: 63% of confirmed data breaches were attributed to either poor passwords, default login credentials that had not been changed, or the use of stolen login credentials. Cyberattacks are often made possible by the failure to install patches promptly. In the majority of cases, hackers exploit vulnerabilities that have existed for months, even though patches have been made available. Verizon reports that 85% of successful exploits took advantage of the top 10 known vulnerabilities. The biggest cause of data breaches this year is web application attacks, which have increased by 33% since the 2015 report....

Edwin Shaw Rehabilitation Hospital Patients’ PHI Exposed
Apr 28

Akron General Health System is notifying 975 patients of the Akron General Edwin Shaw Rehabilitation hospital that some of their protected health information has been exposed after an employee lost an unencrypted flash drive. The flash drive contained “generic” data on patients that had visited the hospital for treatment between 2010 and 2011. No Social Security numbers, financial information, dates of birth, addresses, or phone numbers were exposed. Patients therefore face a low risk of the information being used inappropriately, should the device have been recovered by a third party. Data stored on the device include patient names, medical record numbers, treatment provided, name of the insurance carrier, and referring provider. The flash drive was believed to have been lost on February 19, 2015. An Edwin Shaw employee who worked at the Cuyahoga Falls rehab center had taken the portable storage device off-site while attending a business meeting. The employee discovered the drive to be missing five days later. The loss was reported to the hospital and an investigation was...

Vail Valley Medical Center Notifies 3,118 Patients of Unauthorized PHI Disclosure
Apr 27

Vail Valley Medical Center (VVMC) is in the process of notifying 3,118 patients of the inappropriate disclosure of some of their protected health information (PHI). A physical therapist formerly employed at Howard Head Sports Medicine was discovered to have copied the PHI of patients and taken the data to his new employer. Prior to leaving employment, the physical therapist downloaded patient PHI onto a USB drive on two separate occasions. VVMC discovered the former employee’s HIPAA violations on February 16, 2016. An internal investigation revealed that the physical therapist had inappropriately accessed patient PHI and copied data on December 1, and December 30, 2015. No Social Security numbers, credit card numbers, bank account details, dates of birth, or addresses were taken, although the former employee did obtain patient names, patient ages, dates of service, amounts paid for medical services, and details of medical diagnoses, conditions, treatments, functional test outcomes, and progress information. Patients affected by the breach had previously attended the Vail Valley...

Mail Delivery Truck Stolen: 2400 Inland Empire Health Plan Members’ PHI Exposed
Apr 25

Kaiser Permanente is in the process of notifying 2,400 members of the Inland Empire Health Plan of the theft of Evidence of Coverage handbooks from a mail delivery truck. The names and addresses of plan members were also exposed. The data, which are classed as Protected Health Information under the Health Insurance Portability and Accountability Act, were stolen from a mail delivery truck at some point between March 12 and March 14, 2016. In a breach of Kaiser Permanente’s vendor mail delivery policies, the truck containing the handbooks was left unattended in a non-secure area. It would appear that the delivery truck had been left in a parking lot in the city of Santa Clarita, CA, over the weekend. Thieves gained entry to the vehicle and drove it to an unspecified location where they robbed the vehicle of its contents. The theft was reported to law enforcement in Santa Clarita and the vehicle was subsequently recovered, but not the Evidence of Coverage handbooks. The handbooks were for California Medi-Cal members in Southern California. Kaiser Permanente does not believe the...

Flash Drive Theft Exposes PHI of 2700 Oneida Health Center Dental Clinic Patients
Apr 22

An unencrypted flash drive containing the protected health information of 2,700 patients of the Oneida Health Center Dental Clinic has been discovered to be missing. The portable storage device is believed to have been stolen internally and an investigation into the theft is still being conducted by the dental clinic. Local law enforcement was also notified and an investigation was conducted, although the flash drive has not been recovered. The drive was stolen from the Oneida Health Center on the Oneida Reservation at 525 Airport Drive on February 17, 2016. The device contained a limited amount of patient data including patient names, patient identification numbers, and dental insurance identification numbers. Patients affected by the breach had visited the dental clinic between February 2, 2015 and February 17, 2016. No Social Security numbers, dates of birth, or financial information were stored on the device. Patients have now been notified of the breach by mail in accordance with Health Insurance Portability and Accountability Act Rules. Oneida Health Center has no reason to...

Wyoming Medical Center Phishing Attack Exposes PHI of 3,184 Patients
Apr 22

A phishing attack on Wyoming Medical Center of Casper in February has resulted in the exposure of 3,184 patients’ protected health information. Two employees clicked on links contained in phishing emails and compromised their accounts. The first employee to fall for the phishing scam clicked on the link on February 22, 2016, with the second employee falling for the scam three days later. Wyoming Medical Center quickly became aware that email accounts had been compromised because the accounts were used by the attackers to send spam emails to other hospital employees. According to a statement released by hospital spokeswoman Kristy Bleizeffer, access to the email accounts was gained for 15 minutes only. As soon as the intrusion was discovered, IT staff started updating passwords to lock out the attackers. An investigation into the breach did not uncover any evidence to suggest emails were accessed by the attacker. Due to the limited time that the email accounts were compromised it is unlikely that the attackers succeeded in gaining access to the PHI of patients. An investigation into...

New York Hospital Fined $2.2 Million for Unauthorized Filming of Patients
Apr 22

The Department of Health and Human Services’ Office for Civil Rights (OCR) has fined New York Presbyterian Hospital (NYP) $2.2 million for allowing patients to be filmed for a TV show without obtaining prior permission from the patients. In 2011, an ABC crew was permitted to film inside NYP facilities for the show “NY Med” featuring Dr. Mehmet Oz. A number of patients were filmed, including a dying man and another patient who was seriously distressed. The footage was aired in 2012. Authorization to film had been given by NYP, although not all patients gave their consent to be filmed. One of the patients was Mark Chanko. He had been rushed to hospital after being hit by a sanitation truck. He was filmed receiving treatment from chief surgery resident Sebastian Schubl. Despite the best efforts of Schubl, Chanko died from the injuries sustained in the accident. Chanko had not given NYP permission to film him. To hide his identity, ABC used blurring and voice alteration software. This did not prevent the crew from viewing Chanko’s PHI, and it was not sufficient to hide his identity from...

Patient Treatment Centers of America Notifies Patients of Hacking Incident
Apr 21

Patient Treatment Centers of America (PTCOA) and Interventional Surgery Institute (ISI) are notifying patients of a security breach suffered by third party vendor Bizmatics. Bizmatics operates PrognoCIS, an electronic health record and practice management tool used by a large number of healthcare organizations including PTCOA. PTCOA uses PrognoCIS to store and organize patient medical files. Earlier this year PTCOA/ISI were notified by Bizmatics of a cyberattack that resulted in hackers gaining access to the company’s data servers. Data stored by PrognoCIS EHR software were potentially compromised in the attack. The information potentially accessed includes patients’ medical records (visit information, diagnoses, treatment data, etc.), personal information such as names and addresses, health insurance information, driver’s license numbers, other ID numbers, and in some cases, Social Security numbers. According to the breach notice submitted to the Department of Health and Human Services’ Office for Civil Rights, 19,397 PTCOA patients have been affected by the Bizmatics...

A Decade of Data Breaches: Healthcare Industry Data Breaches Have Exposed 176.5 Million Records
Apr 19

For more than a decade the Identity Theft Resource Center (ITRC) has been keeping track of data breaches in the United States. The ITRC data breach list has been growing steadily over the years, although in recent years the number of data breaches has grown substantially. This week a new milestone was reached. The total number of data breaches recorded by ITRC has exceeded 6,000. More than 851 million records have been exposed since ITRC first started keeping records in 2005, and the last 10 years have seen a 397% increase in data breaches. ITRC’s analysis of data breaches covers all industry sectors. The organization’s analysts determined that 32.7 percent of data breaches resulted in the exposure of Social Security numbers – or 245.2 million records. Since 2010, 142 million Social Security numbers have been exposed in data breaches. Healthcare industry data breaches accounted for 16.6% of Social Security number exposures. ITRC figures show that healthcare industry breaches have resulted in the exposure of over 176.5 million records since the organization first started tracking...

PHI of Alabama CVS Pharmacy Patients Exposed
Apr 19

The theft of a laptop computer from a business associate of CVS pharmacy has resulted in the exposure of customers’ protected health information. The privacy breach affects certain patients who have previously filled prescriptions at a single CVS pharmacy in Alabama – the CVS pharmacy at 8370 Highway 31 in Calera. Data stored on the laptop computer include the names of patients along with contact telephone numbers, home addresses, and details of the prescriptions provided, including prescription numbers and dispensing dates. No Social Security numbers or financial information were exposed. The theft occurred on March 16, 2016, and CVS was notified of the data breach on March 22. All affected patients have now been notified of the privacy breach by mail. The laptop theft was reported to the Indianapolis Police Department, although the laptop computer has not been recovered. CVS requires its vendors to encrypt all patient information, although in this case encryption was not used. This was a breach of the vendor’s contractual obligations, although the incident was not deemed to be severe enough to...

VA Monthly Information Security Report Shows Fall in Breach Victims in March
Apr 18

The Department of Veterans Affairs has sent its monthly report to Congress detailing the information security incidents affecting VA facilities in March 2016. 522 veterans were impacted by security incidents in March, 417 of whom had their protected health information compromised. This month’s report shows a substantial reduction in breach victims. In February, 707 veterans had their PHI exposed and 817 security incidents were reported. While the breach victim count was considerably lower in March, the VA report shows an increase in the number of lost PIV cards, lost and stolen device incidents, and mis-mailed incidents. Only mishandled incidents and pharmacy mis-mailings fell in March. The VA had 54 lost/stolen device incidents compared to 43 in February. There were 172 lost PIV cards compared to 154 in February, and 147 mis-mailed incidents: 16 more than the previous month. Mishandled incidents fell from 106 to 89 in March, and only 3 pharmacy mis-mailings occurred, 5 fewer than in February. There was only one major security incident reported in March, which impacted 211 veterans...

Atique Orthodontics Reports Potential Breach of Patient PHI
Apr 18

San Antonio-based Atique Orthodontics, P.A., has discovered that an unauthorized person gained access to an office computer for a period of just over a month earlier this year. The unauthorized access to the computer first occurred on February 29, 2016, with remote access possible until March 30, 2016, when the security breach was discovered. During the time that remote access was possible, a server containing the protected health information of orthodontics patients could potentially have been accessed. Atique Orthodontics has not discovered any evidence to suggest that the protected health information of patients was actually compromised, although the possibility exists that data may have been improperly accessed. Atique Orthodontics took action to block remote access as soon as the security breach was discovered, and there is no further risk of data being accessed by the individual. Atique is in the process of enhancing security and will be implementing further technical controls to prevent similar incidents from occurring in the future. The server contained highly sensitive...

Federal Court Rules Data Breach Covered by CGL Insurance Policy
Apr 14

A federal appeals court ruled this week that Travelers Insurance has a duty to defend Portal Healthcare Solutions in a class-action lawsuit filed by patients whose medical records were exposed on the Internet in 2013. The lawsuit was filed following the exposure of 2,300 patients’ medical records in 2012/2013. The records were stored on a computer server that could be accessed over the Internet, and the data of some patients had been indexed by search engines. Two patients filed a class-action lawsuit after discovering their data could be accessed via Google. The patients claimed they both searched for their own names on Google and the first links that appeared were for their medical records. Both were patients of Glens Falls Hospital in New York. The lawsuit was filed against Portal Healthcare Solutions, which was contracted by Glens Falls Hospital to store patients’ medical records. The server on which doctors’ notes were stored should have been secured; however, a configuration error resulted in data being left unprotected. The files were accessible due to a misconfigured...

1,400 Healthcare Organizations Notified of American College of Cardiology Privacy Breach
Apr 14

1,400 organizations have been notified that patient data supplied to the American College of Cardiology (ACC) via the national cardiovascular data registry has been inadvertently disclosed to a third party vendor. While the total number of affected patients has not yet been disclosed, almost 100,000 individuals are understood to have been affected. Participating healthcare organizations enter patient data into the ACC-maintained registry and use the database to measure and improve the cardiovascular care provided to patients. The ACC employed a software development company to redesign the registry and supplied 250 tables of fabricated patient data to populate the database for testing purposes. However, one of the tables supplied to the vendor contained real patient data including names, dates of birth, internal patient ID numbers, and Social Security numbers. The data were supplied to the vendor at some point between 2009 and 2010, although the improper disclosure was not discovered until December 2015. The ACC notified all affected institutions in February and supplied them with...

Buffalo Medical Group Patients Notified of Alleged HIPAA Violation
Apr 13

When a HIPAA violation occurs, the covered entity is required to notify patients that their protected health information has been exposed. However, in a bizarre turn of events, a number of patients of the Buffalo Medical Group have received breach notification letters that were sent without Buffalo Medical Group’s knowledge. The letters have been printed on the Buffalo Medical Group’s letterhead, and details of the physicians employed in the Department of Dermatology have also been included in the letter. Patients have been advised that a member of staff disclosed their names and details of their medical conditions to a new boyfriend. The member of staff concerned is named in the letter, and it is claimed that the HIPAA violations took place in the office, starting around August 2015. Confidential data was allegedly disclosed over the staff member’s cell phone within earshot of other workers. After the relationship ended, the ex-boyfriend is alleged to have contacted Buffalo Medical Group by letter explaining that HIPAA violations had occurred. No response was allegedly received,...

Anthem’s Request to Access Breach Victims’ Computers Denied
Apr 13

Following any significant breach of protected health information, HIPAA covered entities can expect breach victims to file lawsuits to recover damages. Last year’s 78.8 million-record data breach at Anthem Inc. is no exception. Over 100 lawsuits have been filed by plaintiffs to recover damages. Some of the suits are speculative, with plaintiffs attempting to recover damages for the increased risk of harm they now face, although some breach victims are claiming to have suffered actual losses as a result of the Anthem data breach. It is not surprising that the insurer’s legal team has attempted to determine whether the victims have actually suffered losses as a direct result of the Anthem breach. In 2015, over 113 million healthcare records were exposed or stolen. The majority of those records were stolen in the Anthem data breach, but it is conceivable that identity theft could have resulted from another healthcare – or non-healthcare – data breach, from a lack of basic security measures applied by the victims, or from the inadvertent installation of malware on victims’...

Florida Department of Health Notifies Palm Beach County Patients of PHI Breach
Apr 12

The Florida Department of Health in Palm Beach County has discovered approximately 1,000 patients have had their protected health information inappropriately disclosed, although at this stage little information has been released on the exact nature of the data breach. In February, the DOH was informed by law enforcement officers that there had been a potential breach of patients’ protected health information. A list containing the names, dates of birth, phone numbers, Social Security numbers, Medicaid numbers, and medical record numbers had been recovered. Florida DOH was asked to verify that the individuals on the list were DOH patients. The patients were identified as having visited DOH facilities in Palm Beach County. At this stage no information has been released to indicate how the list was obtained by law enforcement. No employees have been implicated at this point in time and an investigation into the breach is ongoing. All affected patients have been contacted by mail and informed that their PHI has been exposed. They have been advised to obtain a free credit report, review...

OptumRx and Einstein Health Network Inform Patients of Recent PHI Breaches
Apr 11

OptumRx is in the process of notifying patients about a breach of their Protected Health Information after an unencrypted laptop computer was stolen from one of its vendors. An employee of an unnamed company which provides prescription delivery services on behalf of OptumRx left a laptop computer in a vehicle from where it was stolen. The theft occurred on March 16, 2016 and OptumRx was notified of the theft by its vendor on March 22, 2016. The laptop contained patient data including names, addresses, drug prescription information, prescription providers, and health plan names. No Social Security numbers or financial information were stored on the laptop, although some patients had their date of birth exposed. The breach notice submitted to the California Attorney General does not mention whether the laptop was password protected. Additional security measures have now been implemented on laptop computers used by OptumRx’s vendor. Further staff training will be conducted to reinforce policies and procedures already put in place by the vendor. All affected patients have been offered...

Rogue Employee Steals PHI of 2,000 Pointe Medical Services Patients
Apr 6

A former employee of Pointe Medical Services has been accused of stealing the protected health information of patients and disclosing the data to her new employer. The data theft came to light when a patient complained to Pointe Medical Services that contact had been made by another healthcare service provider in an attempt to solicit business. The patient was concerned that PHI had been compromised and contacted Pointe Medical Services around February 11, 2016. An internal investigation was launched and Pointe Medical Services discovered patient information had been downloaded and copied by Kimberly Hunt, ARNP, who was previously employed by the company. That information was subsequently shared with L.A. Quinn M.D., P.A. and Carter’s Ortega Pharmacy, Inc. Hunt is alleged to have downloaded the PHI of 2,000 patients and copied their names, phone numbers, dates of birth, appointment status, reason for appointments, insurer’s name, health plan name, and insurance account type. To prevent further harm, Pointe Medical Services took legal action and obtained an injunction from the...

7,500 Patients Notified of Indian Health Service PHI Theft
Apr 5

The medical records of approximately 7,500 patients of an Indian Health Service medical center have been recovered from storage units in Waterflow, New Mexico, at least 5 months after they were stolen by a former employee. Back in October, the records of 470 patients of the Northern Navajo Medical Center in Shiprock were found in a public storage facility by a community member. The matter was reported to the Navajo Area Indian Health Service on October 5, 2015, and staff were sent to recover the documents. According to the IHS breach notice, an investigator from the Department of Health and Human Services Office of Inspector General investigated the breach and discovered that the files had been taken by a former employee. Some of the employee’s personal items were also located in the storage facility. The investigation revealed that the data breach was much more extensive than initially thought. A further 7,000 documents were also recovered from storage facilities and have now been returned to the medical center. Now that the files have been recovered, patients are being notified of the...

Phishing Attack Reported by Metropolitan Jewish Health System Inc.
Apr 5

Metropolitan Jewish Health System, Inc. (MJHS) is the latest healthcare organization to announce it has fallen victim to a phishing attack. The incident appears to have resulted in one email account being compromised, although an investigation is still ongoing to determine whether any other email accounts were also affected. An employee of MJHS responded to a phishing email on January 18, 2016, but the breach was not discovered until January 22, giving the attacker access to the email account for four days. As soon as MJHS learned of the incident, the email account was shut down and an investigation was launched. An analysis of the data contained in the employee’s email account revealed that 2,483 patients’ protected health information had potentially been compromised. MJHS did not disclose whether emails had been accessed by the attacker, but no reports have been received to suggest any PHI has been used inappropriately. Patients affected by the data breach had previously received medical services from Menorah Center for Rehabilitation and Nursing Care; MJHS Home Care; MJHS Hospice and...

Ransomware and HIPAA: Are Attacks Reportable?
Apr 1

Following a number of high-profile ransomware attacks on hospitals, the issue of whether ransomware attacks are reportable under HIPAA has been raised by a number of privacy experts. So far attacks on hospitals, including the Hollywood Presbyterian Medical Center attack in February, have not been added to the HHS breach portal and are unlikely to appear. The healthcare organizations that have announced they have been hit with ransomware infections claim that while files were encrypted, patient data were unaffected. But what about situations when malicious file-encrypting software does lock files containing the PHI of patients? Would those ransomware attacks be reportable under HIPAA? The Department of Health and Human Services’ Office for Civil Rights must be informed of malware attacks that result in hackers gaining access to PHI, but with ransomware the situation is less clear. If ransomware encrypts the Protected Health Information of patients, the attackers are the only individuals with a security key to unlock the data. That does not mean that PHI has been viewed or acquired...

Vendor Error Places Mind Springs Health Patients’ PHI in Search Engines
Mar 30

Earlier this month, Virtua Medical Group announced a data breach that resulted from an error made by a transcription service vendor. The protected health information (PHI) of 1,654 patients could be accessed via the Internet and data had been indexed by search engines. It would appear that Virtua was not the only company to be affected by the server configuration error made by its business associate. Mind Springs Health, a Colorado-based provider of mental health and substance abuse services, appears to also have been affected. 2,147 patients have now been notified that their PHI has been exposed as a result of a server misconfiguration error made by an unnamed transcription service provider. As was the case with the Virtua Medical Group data breach, the incident occurred in early January. The substitute breach notice placed on the Mind Springs Health website does not mention when the error occurred, only that it was discovered on January 8, 2016. Highly sensitive data such as Social Security numbers, financial information, credit card numbers, and insurance details were not...

2,200 Michigan Dental Patients Notified of PHI Breach
Mar 29

2,200 Blue Chip Dental patients have been notified that a backup system installed to safeguard patients’ protected health information (PHI) has played a part in its exposure. The Social Security numbers, medical insurance information, names, and addresses of patients have potentially been compromised as a result of the loss of a portable storage device used to store data backups. Late last year, Blue Chip Dental implemented a backup system to better protect patient data. The backup system was installed “to store our digital information offsite in case of fire or other disaster to our building,” according to the substitute breach notice placed on the company website. The backup system was part of a $25,000 digital security overhaul. On January 26, 2016, a portable storage device used for the backup system was discovered to have gone missing. No evidence has been uncovered to suggest data have been obtained or accessed inappropriately although the missing backup drive has now been declared lost. Blue Chip Dental contacted the firm used to install the digital security system and...

Data-Capturing Virus Discovered by Mercy Hospital in Iowa City
Mar 29

A computer virus may have allowed hackers to obtain the data of approximately 15,000 patients of Mercy Iowa City, according to a statement released by the hospital late last week. Patients started to be notified of the security breach by mail on Friday March 25, 2016, and have been informed that their name, address, date of birth, medical diagnoses, treatment information, and health insurance details – including their policy number and provider name – may have been compromised. Some Social Security numbers could also have been improperly accessed as a result of the infection. Only a small percentage of Mercy patients have been affected by the breach, all of whom had previously visited either Iowa City’s Mercy Hospital or Mercy Clinic for treatment. Mercy enlisted the services of a leading computer forensics firm to conduct a full analysis of its computer systems after a tip-off was received from law enforcement on January 29, 2015, about a potential computer virus infection. The forensic analysis revealed that a number of the hospital’s computers had been infected with a virus...

February Information Security Report Released by VA
Mar 25

The Department of Veterans Affairs (VA) may have suffered fewer security incidents in February; however, the number of veterans affected was significantly higher than in January. There was also a major increase in the number of veterans who had their PHI exposed. In January, the VA reported that 568 individuals had been affected by security incidents, with 236 having their protected health information exposed. In February, the breach victim count increased to 817 – an increase of 44% – with 707 having had their PHI exposed – an increase of almost 200% month on month. As a result of those data breaches, the VA provided credit monitoring services to 245 veterans – 57 fewer than in January. The number of incidents involving lost and stolen devices fell slightly from 46 incidents in January to 43 incidents in February. The number of lost PIV cards was unchanged, with 46 reported in both January and February. The VA reported a reduction in mishandled incidents and mis-mailed incidents. In January there were 121 reported mishandled incidents, with 106 reported in February. Mis-mailed...

JASACare Email System Breach Impacts 1,154 Patients
Mar 24

JASACare, a New York-based home care services provider, has reported that it was attacked by hackers who managed to gain access to its email system. The attack is believed to have been conducted in order to steal money from corporate accounts by making fraudulent bank transfers. However, as a consequence of the breach of an employee’s email account, patient and employee data were potentially compromised. The attack took place on January 29, 2016, with the breach lasting for under two hours. Rapid identification of the attack is believed to have severely limited the opportunity for any harm to be caused to employees and patients. However, the possibility exists that data were viewed or copied by the attackers during the time they had access to the email account. JASACare has reported that no evidence has been uncovered to suggest that was the case, or that any data were actually downloaded by the attackers. As soon as the email system compromise was discovered, access was blocked by changing the password of the compromised account. An analysis of the compromised email account...

Virtua Medical Group Vendor Error Puts Patient Data in Search Engines
Mar 21

Virtua Medical Group has notified 1,654 patients that some of their protected health information had been accidentally indexed by search engines and was accessible over the Internet. An error was made by a transcription vendor during a server upgrade that resulted in patients’ names, birthdates, physicians’ names, and treatment information being indexed by search engines for up to three weeks. The server error occurred in early January and the error was identified on January 21, 2016. No financial data, insurance information, or Social Security numbers were exposed. Upon discovery of the error, Virtua Medical Group contacted its vendor to secure the data and efforts were made to remove the records from the search engines. The information is no longer accessible. It is unclear whether data were accessed by unauthorized individuals during the period they were accessible, although no reports of inappropriate data use have been reported. As a result of the breach of patient data, Virtua Medical Group has terminated its relationship with the transcription vendor. According to a...

OCR Announces $3.9 Million Settlement with Feinstein Institute for Medical Research
Mar 17

The Department of Health and Human Services’ Office for Civil Rights has announced it has settled potential HIPAA violations with Feinstein Institute for Medical Research for $3.9 million. This is the second largest settlement amount agreed with OCR, behind the $4.8 million settlement with New York and Presbyterian Hospital and Columbia University in 2014. However, this is the largest amount paid by a single covered entity, beating last year’s $3.5 million settlement with Triple S Management Corporation. The news comes a day after OCR announced another large settlement – the $1.55 million paid by North Memorial Health Care. Feinstein Institute for Medical Research is a not-for-profit biomedical research institute based in New York. Feinstein is sponsored by Northwell Health, Inc., the new name for North Shore Long Island Jewish Health System, a large 21-hospital and 450-practice health system based in Manhasset, NY. The settlement stems from an investigation into a breach of 13,000 research participants’ data in 2012. As was the case with North Memorial Health Care, the breach...

6,893 Patient Records Exposed Due to Centers Plan for Healthy Living Laptop Theft
Mar 17

Centers Plan for Healthy Living, a Staten Island, NY-based managed care organization, has announced that a laptop computer containing the protected health information of Medicare/Medicaid recipients has been stolen from its corporate offices. The laptop theft was discovered on January 4, 2016, with the device believed to have been taken on or around January 1. Following the discovery of the theft, Centers Plan conducted an investigation and determined that the laptop may have contained a file containing data relating to 6,893 Medicare and Medicaid recipients. No Social Security numbers, financial information, credit card numbers, health data, or other highly sensitive information were contained in the file, although some individuals have had their Medicare and/or Medicaid numbers exposed. Other data believed to have been contained in the file include full names, dates of birth, and home addresses. The theft was immediately reported to law enforcement, although the laptop computer has not been recovered. Centers Plan does not believe the laptop was stolen for the data stored on the...

EHR of Geauga Medical Center Improperly Accessed by Employee
Mar 17

A former employee of University Hospitals Geauga Medical Center in Chardon, OH, has been discovered to have improperly accessed the protected health information of 677 patients. An internal review of access logs was conducted after UH discovered a pattern of “unusual access” of its electronic health record system. The investigation, completed on January 13, 2016, revealed that an employee had accessed patient health records without any legitimate reason for doing so. The information accessed included patient names, medical record numbers, dates of birth, details of prescribed medications, and other data recorded during patient visits to Geauga Medical Center. The employee first started inappropriately accessing patient health records on August 15, 2015, with periodic access continuing until January 3, 2016. No reason was given as to why the individual had accessed the data, although UH does not believe the records were accessed with a view to committing identity theft. UH has not received any reports of inappropriate use of the data or of patients coming to harm as a result of...

$1.55 Million HIPAA Settlement for Lack of BAA and Risk Analysis Failures
Mar 17

The Department of Health and Human Services’ Office for Civil Rights has announced it has reached a settlement with North Memorial Health Care of Minnesota over alleged HIPAA violations from a 2011 data breach. North Memorial has agreed to pay $1,550,000 to OCR to settle the HIPAA violation charges. Following a PHI breach reported on September 27, 2011, OCR conducted an investigation and discovered HIPAA violations that contributed to the cause of a breach of 9,497 patient health records. The investigation revealed that North Memorial had overlooked “Two major cornerstones of the HIPAA Rules,” according to OCR Director Jocelyn Samuels. The data breach involved the theft of a laptop computer from a business associate of North Memorial. The laptop was stolen from the employee’s vehicle, and while the device was password-protected, the ePHI stored on the device had not been encrypted. The business associate, Accretive Health, Inc., had been contracted to perform a number of payment and healthcare operations on behalf of North Memorial. Those operations required Accretive Health to be...

Stolen Premier Healthcare Laptop Returned: No PHI Accessed Says Pondurance
Mar 16

When a healthcare laptop is stolen, it is exceptionally rare for the device to be recovered. However, Premier Healthcare LLC has reported that the laptop computer stolen from its billing department on December 31, 2015 has now been recovered. Initially, it was unclear how many patients had been affected by the breach, although an analysis revealed that the laptop computer contained the records of 205,748 individuals. The laptop computer was protected with a password, but the data stored on the device were not encrypted. PDF files, spreadsheets, and screenshots containing the protected health information of patients were all potentially accessible. The laptop computer was last seen in the billing department and was believed to have been stolen on December 31; however, more than two months after the device went missing it arrived in the mail. Premier Healthcare reported the device was received in the mail on or before March 7, 2016. It would appear that the individual who took the laptop had second thoughts and returned the device anonymously. However, a data breach may still have...

Laborers Funds Administrative Office of Northern California Reports HIPAA Breach
Mar 16

The Laborers Funds Administrative Office of Northern California has announced it has experienced a HIPAA security incident that has resulted in the protected health information of participants being disclosed to other individuals. The Laborers Funds Administrative Office of Northern California, which manages Northern California Laborers Trust Funds, conducted a mailing on February 17, 2016 to alert participants that they were not responsible for tax or penalty under the Patient Protection and Affordable Care Act as they had the required minimum level of coverage from the fund. However, a computer error occurred when mailing IRS 1095-B forms to participants which resulted in some individuals receiving correspondence containing data relating to other fund participants and their dependents. The data detailed on the 1095-B forms included Social Security numbers and health plan coverage information along with the full names of other participants and their dependents. In accordance with HIPAA and state regulations, all affected individuals have been sent breach notification letters to...

St. Joseph Health Settles Class Action Data Breach Lawsuit
Mar 15

St. Joseph Health System has settled a class action lawsuit filed by two plaintiffs for the breach of 31,800 patient health records that took place in 2012. A settlement of $15 million will be split between patients and attorneys, with $7.5 million going to patients and $7.5 million covering attorneys’ fees and legal costs. All patients affected by the breach will receive a check for $242. A $3 million fund has also been set up to cover identity theft losses that resulted from the exposure of patient health data. Each patient can potentially claim up to $25,000 if they can demonstrate they have suffered losses as a result of the data breach. The data breach in question lasted almost a year and affected patients from a number of hospitals and medical centers run by St. Joseph Health, including Queen of the Valley Medical Center in Napa, Santa Rosa Memorial Hospital, Petaluma Valley Hospital, St. Jude Medical Center in Fullerton, the Auxiliary of Mission Hospital in Mission Viejo and Laguna Beach, Redwood Memorial Hospital of Fortuna, and Saint Joseph Hospital of Orange and Eureka. Full...

Lost Flash Drive Exposes Data of Karmanos Cancer Center Patients
Mar14

An unencrypted flash drive containing the protected health information of 2,808 patients of the Barbara Ann Karmanos Cancer Center has been declared lost. The flash drive had been mailed to Barbara Ann Karmanos Cancer Center but when the package arrived, the flash drive was discovered to be missing. The portable storage device was placed in an envelope and was mailed, which was the last time the device was seen. The hospital has reported that efforts are being made to try to locate the flash drive although the device appears to have been lost in the mail. The flash drive was used to store data as part of a system upgrade. An investigation into the potential privacy breach was launched when the device was discovered to be missing to determine which patients had been affected, and the nature of the data stored on the device. The portable storage device was found to only contain a limited amount of administrative data which included the names of patients, their treating physicians, the name of the hospital where treatment was provided, and unique patient identifiers. No financial...

Almost 13000 Affected by Recent Pharmacy Data Breaches
Mar09

Three data breaches have been reported by pharmacy stores in the past two months, resulting in the PHI of almost 13,000 pharmacy customers being exposed or disclosed to unauthorized individuals.

Walmart Reports Breach of 4,800 Patients’ Data

Walmart stores recently announced that some of its online pharmacy customers may have had their names, addresses, dates of birth, and prescription histories exposed as a result of a coding error made while the company was migrating data between servers. Between February 15 and February 18, 2015, customers who logged into the company’s online pharmacy may have been able to view the data of other customers who logged in at exactly the same time. No Social Security numbers or financial data were exposed as a result of the coding error. Dan Toporek, a spokesperson for Walmart, said a few thousand individuals had been affected, although this is a small percentage of the number of individuals who used the company’s online pharmacy during the four-day stretch. The data breach has now been reported to the Department of Health and...
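
The symptom Walmart describes, one customer seeing another customer’s data when both log in at the same instant, is what a request handler that keeps the caller’s identity in process-wide state produces under concurrency. The following is an added illustration of that bug class and its fix; it is not Walmart’s code, the page does not say what the real defect was, and the shared-slot bug pattern, the two customers and their prescription lists are all constructed for the demo.

```python
# Added illustration of how a "coding error" can show one customer another
# customer's data when two logins overlap. Not Walmart's code; the assumed bug
# pattern (request identity kept in process-wide state), the customers and
# their prescription histories are constructed for the demo.
import threading

# Constructed backing store: each customer's prescription history.
PRESCRIPTIONS = {
    "alice": ["lisinopril 10mg"],
    "bob": ["metformin 500mg"],
}

# Assumed bug: a single process-wide slot that every request overwrites.
_shared = {"user": None}


def buggy_handler(user: str, gate: threading.Barrier) -> list[str]:
    """Records the caller in the shared slot, then reads it back to load data.

    The barrier forces a second request to run between the write and the
    read, reproducing two customers logging in at the same instant."""
    _shared["user"] = user
    gate.wait()  # another request overwrites _shared["user"] while we wait
    return PRESCRIPTIONS[_shared["user"]]


# Fix: keep the identity in request-scoped (thread-local) storage, or pass it
# through explicitly, so a concurrent request cannot clobber it.
_local = threading.local()


def fixed_handler(user: str, gate: threading.Barrier) -> list[str]:
    """Same flow as buggy_handler, but the identity lives in thread-local state."""
    _local.user = user
    gate.wait()
    return PRESCRIPTIONS[_local.user]


def run_concurrently(handler) -> dict[str, list[str]]:
    """Run two 'logins' at once and return what each customer was shown."""
    gate = threading.Barrier(2)
    results: dict[str, list[str]] = {}

    def work(user: str) -> None:
        results[user] = handler(user, gate)

    threads = [threading.Thread(target=work, args=(u,)) for u in ("alice", "bob")]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results


def leaks(results: dict[str, list[str]]) -> bool:
    """True if any customer was shown another customer's prescriptions."""
    return any(results[u] != PRESCRIPTIONS[u] for u in results)


if __name__ == "__main__":
    print("buggy handler leaks:", leaks(run_concurrently(buggy_handler)))  # True
    print("fixed handler leaks:", leaks(run_concurrently(fixed_handler)))  # False
```

The barrier is only there to make the race reproducible; in production the same interleaving happens whenever two requests share a worker process, and the leak shows up intermittently, which is why a migration that changed threading or caching behaviour can surface it. The check that catches it before release is a concurrency test that logs two distinct users in parallel and asserts each response belongs to its own session.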

Ponemon: 48% of Healthcare Organizations Suffered a PHI Breach in the Past Year
Mar09

A study recently published by the Ponemon Institute has revealed that almost half of healthcare organizations (48%) have experienced a data breach in the past 12 months that resulted in the loss or exposure of patients’ protected health information. The survey, conducted on behalf of security software firm ESET, asked 535 IT security professionals about cyberattacks on their organizations, the consequences of those data breaches, and their cybersecurity concerns. The survey provides an insight into the current state of healthcare cybersecurity, the effect data breaches are having on healthcare organizations, and the seriousness of the current threat level. Cyberattacks on healthcare organizations are now taking place at a rate of one every month. Hackers were able to evade intrusion prevention systems (IPS) at 49% of the organizations surveyed, while 37% of respondents said attackers had evaded detection by their antivirus software and other traditional security measures. A quarter said they were unsure whether that was the case. Protections against advanced persistent...

Patients Warned of PHI Exposure After Premier Healthcare Laptop Theft
Mar08

More than 200,000 patients have been warned that their protected health information may have been accessed after an unencrypted laptop computer was stolen from Premier Healthcare in Bloomington, Indiana. The laptop computer was protected with a password and is not believed to have been stolen for the data stored on the device. Those data include the names of patients, Social Security numbers, and “other confidential information,” including demographic data, dates of birth, addresses, financial information, insurance details, medical record numbers, and clinical information. Documents stored on the device included PDF files, spreadsheets, and screenshot images used by the billing department. In total, 205,748 patients have potentially been affected. A login password offers a degree of protection, but it can be cracked or simply bypassed: it gates the operating system, not the data, and the drive can be removed and read on another machine. Only encryption consistent with HHS guidance renders stored PHI “secured” and exempt from breach notification, so there is a real possibility that the data stored on the device could be accessed. Consequently, Premier Healthcare has sent breach notification letters to all affected patients. Under HIPAA Rules, covered entities must issue breach notification letters to...

21st Century Oncology Advises 2.2M Patients of Hacking Incident
Mar07

In October, a hacker gained access to a patient database at 21st Century Oncology containing patients’ insurance data and Social Security numbers. The incident is not of the order of the breaches at Anthem, Excellus BCBS, or Premera Blue Cross, but it does rank as one of the largest healthcare data breaches of 2015. On March 4, 2016, a regulatory filing was submitted to the United States Securities and Exchange Commission indicating that 2.2 million current and former patients were affected and may have had their data copied and stolen. 21st Century Oncology, which operates 145 cancer treatment centers in the United States, was alerted to the hacking incident on November 13, 2015, by the Federal Bureau of Investigation. An internal investigation into the data breach was launched immediately; however, the FBI requested that patient notification letters be delayed so as not to interfere with its investigation. The investigation is ongoing, although the requested period of delay has now expired. Patients are now being sent notification letters to advise them of...

Nursing Home Residents’ PHI Accidentally Disclosed by Iowa DHS
Mar07

Protected health information of 425 nursing home patients has been accidentally mailed to 12 nursing home facilities by the Iowa Department of Human Services. The HIPAA breach occurred in December 2015, although it was not discovered by Iowa DHS until January 22, 2016. Last month, all affected patients were sent a breach notification letter alerting them to the accidental disclosure of their data. According to Iowa DHS, it is unlikely that any patient data have been used inappropriately as they were sent to another HIPAA covered entity. The privacy breach occurred when Iowa DHS’ Medicaid Enterprise Medical Services department sent roster reports to the nursing homes. Those reports contained the names, Medicaid identification numbers, insurance or government program information, and the facility where each patient currently resides. Upon discovery of the breach, Iowa DHS contacted all 12 nursing facilities and instructed them to shred the data they had received. All facilities have now confirmed that the data have been securely destroyed. Medicaid Director Mikki Stier issued a...

Staff Email Accounts Compromised in City of Hope Hospital Phishing Attack
Mar07

A phishing attack on California’s City of Hope Hospital has resulted in four staff email accounts being compromised. Three of the four compromised email accounts contained a limited amount of protected health information, although the hospital does not believe the attack was conducted to obtain patient data. A press release from the Duarte hospital indicates the attack was most probably conducted to harvest contact information for use in spam campaigns. A forensic analysis arranged by the hospital revealed that, in the majority of cases, patients only had their name and medical record number exposed. Some patients had more data exposed, including their date of birth, email address, telephone number, home address, dates of service, test results, and medical diagnoses. Only one Social Security number was exposed. The City of Hope Hospital phishing attack took place between January 18 and January 24, 2016. It is not clear how long it took security staff at the hospital to discover the attack, although prompt action was taken once the intrusion was...

Data Breach Discovered by the Eye Institute of Corpus Christi
Mar03

The Eye Institute of Corpus Christi, a full service eye care, diagnosis, and treatment clinic in Texas, has discovered that individuals gained access to the records of all of its patients, downloaded their protected health information from the EHR, copied those data, and provided them to two physicians formerly employed by the eye clinic. The disclosed data include the names of patients, their addresses, contact telephone numbers, Social Security numbers, dates of birth, medical diagnoses, details of treatment, and health insurance details. The Eye Institute became aware of the patient privacy breach on January 6, 2016, and has since discovered that data provided to the physicians have been used to contact patients in an attempt to solicit business. The physicians in question had been employed at The Eye Institute of Corpus Christi until recently. The Eye Institute of Corpus Christi has been in touch with the physicians concerned and has instructed them to return the stolen data. It is not clear from the breach report whether the data have been returned and are now secured. While...

FHN Memorial Hospital Announces Hard Drive Theft and PHI Exposure
Mar03

FHN Memorial Hospital in Freeport, IL, has announced that a computer hard drive was stolen from the hospital in December 2015. Spreadsheets and internal reports stored on the drive contained the protected health information of many of its patients. No medical records were stored on the drive, although a considerable amount of PHI was detailed in the reports and spreadsheets. Those data include patients’ names, addresses, telephone numbers, ethnicity, dates of birth, medical record numbers, patient encounter numbers, patient ID numbers, dates of service, medical diagnoses, details of procedures and examinations performed at the hospital, prescription information, referring physician names, insurance details, and discharge dates. Patients are in the process of being notified of the exposure of their PHI and are being advised of the steps they can take to reduce the risk of harm or loss as a result of the exposure. It is not clear at this stage how many patients have been affected or whether credit monitoring and identity theft protection services are to be offered to...

Cost of the Excellus BlueCross BlueShield Data Breach Reaches $17.3M
Mar03

The cost of the Excellus BlueCross BlueShield data breach has reached $17.3 million, according to its latest financial filings. The Rochester-based health insurer suffered the third largest healthcare data breach of last year, more than twice the size of the largest healthcare data breach reported before the Anthem cyberattack was discovered. More than 10 million plan member and vendor records were exposed in the cyberattack, which was discovered on September 9, 2015. The bulk of the initial cost has gone on providing all affected members with credit monitoring and protection services, which cost the insurer $13.5 million in the final quarter of 2015. All affected individuals were offered two years of complimentary credit monitoring and identity theft protection services following the exposure of their PHI. The data breach exposed highly sensitive data including Social Security numbers, medical data, and financial information. It has now been over five months since the discovery of the cyberattack, although Excellus has yet to uncover any evidence to suggest that the hackers responsible for the attack...

HIPAA-Breaching Email Exposed BJC HealthCare Patients’ Data
Mar01

BJC HealthCare, a not-for-profit health system based in St. Louis, MO, has started notifying 2,393 of its patients that some of their protected health information was exposed as a result of an email error that occurred on December 30, 2015. An email containing data covered by HIPAA was sent to another medical group. While HIPAA permits the sharing of healthcare data for certain healthcare operations, the Security Rule requires ePHI to be protected in transit. If ePHI is shared electronically with another covered entity or business associate, it must be adequately protected against unauthorized access and against undetected modification. Integrity controls and encryption for transmitted ePHI are addressable implementation specifications under 45 CFR § 164.312(e)(2); “addressable” does not mean optional, but that a covered entity must implement the measure where reasonable and appropriate, or document why it is not and adopt an equivalent alternative. In this case, the data were not encrypted in transit, and consequently could potentially have been intercepted. HIPAA requires covered entities to notify individuals when their PHI has been exposed or viewed by a third party to allow them to take precautions...

Privacy Breach Reported by Bay Area Chiropractic Center
Feb28

In December, Bay Area Chiropractic Center LLC was advised that a substitute doctor who had worked at its Coos Bay facility had used a patient list he compiled while employed by the company to drum up business for his own private practice. The physician was employed by Bay Area Chiropractic Center between June 1 and August 31, 2015. While employed there, the physician compiled a patient list that included patient names, addresses, and contact telephone numbers. The data were taken from patients’ charts supplied to him so that he could treat those patients. The physician was not given permission to store the data, remove them from the company’s facilities, or contact patients. The data were apparently stored in a Word document on a zip drive and were also stored on a mobile phone used by the physician. According to a breach notice sent to the Oregon Department of Justice, the physician is no longer in possession of the phone. It is unclear whether the data stored on the phone were securely erased before the device was disposed of. Bay Area Chiropractic...

Valley Hope Association Notifies Patients of Unencrypted Laptop Theft
Feb27

Valley Hope Association, a Kansas-based provider of drug and alcohol treatment services, has started notifying patients about the theft of an unencrypted laptop computer which resulted in the exposure of patients’ protected health information. The laptop computer was stolen from an employee’s vehicle on December 30, 2015. The highly sensitive data stored on the laptop include full names of patients along with some of the following data elements: Home addresses, phone numbers, Social Security numbers, driver’s license numbers, health insurance information, financial information, state identification numbers, medical record numbers, patient record numbers, disability codes, details of medication, clinical data, medical diagnoses, treatment location, types of treatment received, referring physician names, and usernames and passwords. The device was being used to store the protected health information of patients, but those data were not encrypted. The laptop was protected with a password, so there is a possibility that the data have not been viewed. However, since passwords can be...

Mississippi’s Magnolia Health Fires Employee for PHI Disclosure
Feb24

Magnolia Health, a health insurance company serving Mississippi’s Medicaid population, has announced it has fired an employee for inappropriately accessing the protected health information (PHI) of “numerous Magnolia Health members” and disclosing those data to a relative. The disclosure of PHI was against company policy, and the now former employee had not received authorization from the company or from members to share their data. The disclosure happened on two occasions: October 28, 2015, and November 8, 2015. The data were emailed from the employee’s work email account to a personal account and to the email account of a relative. Upon discovery of the privacy breaches, the Centene Corporation subsidiary conducted an investigation that resulted in the termination of the employee in question. Written statements were obtained from the employee and the recipient of the PHI stating they had not disclosed the data to any other individuals. Magnolia Health also viewed the personal email accounts of both individuals to confirm that all copies of the data had been...

480,000 Patients Notified of Radiology Regional Center PHI Exposure
Feb19

In December, Radiology Regional Center, PA, was alerted to a privacy breach by the Lee County Solid Waste Division following the accidental release of medical documents onto the street. The privacy breach occurred on December 19, 2015. Medical documents were being transported by the Lee County Solid Waste Division for secure disposal. The paper files were due to be incinerated in accordance with Health Insurance Portability and Accountability Act Rules, but were accidentally released during transportation. The failure to secure the records resulted in them falling off the vehicle used to transport them. The documents, containing highly sensitive medical data, were strewn across the street and found their way into doorways, driveways, and canals, and were blown all over the sidewalk.

Patients Have Now Been Notified of the Privacy Breach

Patients were notified of the breach of their private and confidential medical data on February 12, 2016, the same date that the Office for Civil Rights received a HIPAA data breach report. Initially it was unclear exactly how many patients had been affected....

Man Indicted for 5 Year Identity Theft Spree Used Memphis Neurology Data
Feb18

A Memphis man has been indicted on identity theft charges and is alleged to have defrauded banks of close to $1.7 million over a period of five years. According to a statement issued by a spokesperson for Edward L. Stanton III, U.S. Attorney for the Western District of Tennessee, Jeremy Jones, 37, of Memphis is alleged to have stolen the identities of 146 patients and employees of Memphis Neurology, as well as of car dealers and his acquaintances. The fraud first occurred in 2011 and continued in 2012, and identities were also stolen in 2015. The majority of the identities used to defraud banks came from patients of Memphis Neurology. Jones obtained the personal information of Memphis Neurology patients through a contact who was employed by the healthcare provider in 2012. Patient information was reportedly stolen on request by this co-conspirator, who accessed the patient database and recorded patients’ personal information. The stolen data were used to open bank accounts in the names of the victims and to apply for loans and credit. Jones allegedly...

Healthcare Ransomware Infection Removed After $17K Ransom Paid
Feb18

Healthcare ransomware infections can cause major disruption and can have a negative impact on patient health. This week, Hollywood Presbyterian Medical Center took the decision to give in to a ransom demand and paid cybercriminals nearly $17,000 for a decryption key to unlock its EHR.

What is Ransomware?

Just as healthcare providers use data encryption to prevent criminals from gaining access to patient data on laptop computers and portable storage media, encryption can also be used against healthcare providers. Ransomware locks computer files with strong encryption. To unlock the data, the decryption key must be used; however, that key is held by the cybercriminals behind the attack. Unlike a weak password, a properly generated key cannot be brute-forced. Barring an implementation flaw in the ransomware that a free decryptor can exploit, the only ways to recover from a healthcare ransomware infection are to pay the ransom or to restore all encrypted data from a backup, and the latter is not always straightforward. Backups are not taken every second, so some data loss is inevitable, and restoring data from backup files is also not always successful...
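
Because ransomware replaces a file’s contents with ciphertext, the encrypted file is statistically indistinguishable from random bytes, and that property is what a scanner on a file share can key on to raise an alarm while there is still an intact backup to fail over to. The block below is an added example of that detection logic; it is not code from the article or from Hollywood Presbyterian. The sample “files” are constructed inline, and toy_encrypt is a stand-in keystream cipher (SHA-256 in counter mode, XORed into the plaintext) used only so the demo runs offline and deterministically; it is not any real ransomware family’s scheme.

```python
# Added example of entropy-based detection of ransomware-encrypted files.
# Not code from the page or from any affected hospital. The sample "files"
# are constructed here; toy_encrypt is an assumed stand-in cipher (SHA-256
# counter-mode keystream XOR), not secure and not any real family's scheme,
# used only to make the demo deterministic and offline.
import hashlib
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant file, 8.0 for uniform random."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def toy_encrypt(plaintext: bytes, key: bytes) -> bytes:
    """Toy keystream cipher (assumption for the demo, not secure)."""
    out = bytearray()
    for offset in range(0, len(plaintext), 32):
        keystream = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(a ^ b for a, b in zip(plaintext[offset:offset + 32], keystream))
    return bytes(out)


# Expected leading bytes for a few formats (assumed list for the demo).
MAGIC = {".pdf": b"%PDF", ".docx": b"PK\x03\x04"}


def looks_encrypted(name: str, data: bytes, threshold: float = 7.5) -> bool:
    """Flag a file whose bytes are near-uniform and whose format header is gone.

    Compressed or natively encrypted formats (PDF streams, Office zips) are
    high-entropy by design, so entropy alone would false-positive on them;
    an intact magic number for the claimed extension is taken as benign."""
    ext = name[name.rfind("."):] if "." in name else ""
    magic = MAGIC.get(ext)
    header_intact = magic is not None and data.startswith(magic)
    return shannon_entropy(data) > threshold and not header_intact


# Constructed samples: a clinical note, a PDF-like file with a random-looking
# body, and both after a toy ransomware pass that also renames the file.
NOTE = b"Patient seen for follow-up; vitals stable; continue current meds.\n" * 64
PDF_LIKE = b"%PDF-1.4\n" + toy_encrypt(b"\x00" * 4096, b"stream-filler")
ATTACKER_KEY = b"key-held-only-by-the-attacker"
SAMPLES = {
    "note.txt": NOTE,
    "report.pdf": PDF_LIKE,
    "note.txt.locked": toy_encrypt(NOTE, ATTACKER_KEY),
    "report.pdf.locked": toy_encrypt(PDF_LIKE, ATTACKER_KEY),
}


def scan(samples: dict[str, bytes]) -> list[str]:
    """Names of the samples that look encrypted, in input order."""
    return [name for name, data in samples.items() if looks_encrypted(name, data)]


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:18s} entropy={shannon_entropy(data):.2f} "
              f"flagged={looks_encrypted(name, data)}")
    print(scan(SAMPLES))  # ['note.txt.locked', 'report.pdf.locked']
```

This is a heuristic, not proof: archives, media and already-encrypted files are high-entropy by nature, so in practice the entropy check is paired with format validation (as above), a sudden burst of renames or writes from one process, and canary files that nothing legitimate should touch. Its value is time, since an alert during the first minutes of encryption is what lets an organization isolate the host and restore from the most recent backup rather than negotiate for a key.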

California Attorney General Publishes 4-Year Data Breach Report
Feb17

California Attorney General Kamala D. Harris has released a new data breach report on the security incidents reported to her office over the past four years. She criticizes organizations that have allowed the privacy of Californians to be violated. She points out that in almost all cases the data breaches reported to her office since 2012 occurred as a result of tardiness in applying patches for known security vulnerabilities. She also said that in the majority of cases patches for the exploited vulnerabilities had been available for more than a year.

The Majority of Data Breaches Could Easily Have Been Prevented

Harris is under no illusions: the threat of attack from skilled cybercriminals and foreign-government backed hacking groups is greater than ever before, and security risk cannot be reduced to zero. However, she points out that companies doing business in California must do more to protect the privacy of state residents. She wrote, “It is clear that many organizations need to sharpen their security skills, trainings, practices, and procedures to...

Alliance Health Reports 30-Month Health Data Exposure
Feb17

Alliance Health has discovered that one of its patient databases had been misconfigured and left accessible via the Internet, resulting in the protected health information of 40,000 patients being exposed for a period of 30 months. The database configuration error was discovered on December 17, 2015; it had left the database unsecured and potentially accessible to the public, although an investigation did not uncover any evidence to suggest that patient data were accessed during that time. Upon discovery of the error the database was taken offline and secured, and unauthorized access is no longer possible. The investigation revealed that patient data were accessible between July 2013 and December 17, 2015. No Social Security numbers or financial data were stored in the database, although patient names, telephone numbers, addresses, and email addresses could potentially have been accessed. A limited amount of clinical information, including the medications that had been prescribed to patients, was also stored in the database. The only patients affected are those who...
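
A database that is reachable from the Internet for 30 months is the kind of misconfiguration a routine listening-socket check catches on day one. The block below is an added example of such a check, not Alliance Health’s configuration or tooling; the page does not say which database was involved or how it was exposed, so the port-to-service map and the `ss -ltn`-style listing it parses are constructed for the demo.

```python
# Added check for datastores not confined to loopback. Not Alliance Health's
# configuration (the page does not name the database or the exposure path);
# the port map and the `ss -ltn`-style listing are constructed for the demo.
import ipaddress

# Default ports of common datastores (assumed list; extend for your estate).
DB_PORTS = {
    3306: "mysql",
    5432: "postgresql",
    6379: "redis",
    9200: "elasticsearch",
    27017: "mongodb",
}

# Constructed listening-socket listing in the column layout `ss -ltn` prints.
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     127.0.0.1:5432       0.0.0.0:*
LISTEN  0       128     0.0.0.0:27017        0.0.0.0:*
LISTEN  0       128     [::]:6379            [::]:*
LISTEN  0       128     10.0.0.5:3306        0.0.0.0:*
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
"""


def split_local(local: str) -> tuple[str, int]:
    """Split 'host:port' or '[v6]:port' into (host, port)."""
    host, _, port = local.rpartition(":")
    return host.strip("[]"), int(port)


def exposed_datastores(ss_output: str) -> list[tuple[str, str, str]]:
    """Return (service, local address, reason) for datastores not bound to loopback.

    A wildcard bind (0.0.0.0 or ::) answers on every interface, including any
    public one. A bind to a specific non-loopback address is reported too, since
    whether it is Internet-facing depends on routing and firewall rules that this
    socket listing cannot see."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # header line or a non-listening row
        host, port = split_local(fields[3])
        service = DB_PORTS.get(port)
        if service is None:
            continue  # not a datastore port we track
        addr = ipaddress.ip_address(host)
        if addr.is_loopback:
            continue  # only reachable from the host itself
        reason = "wildcard bind" if addr.is_unspecified else "bound to network interface"
        findings.append((service, fields[3], reason))
    return findings


if __name__ == "__main__":
    for service, local, reason in exposed_datastores(SAMPLE_SS):
        print(f"{service:14s} {local:22s} {reason}")
```

Run against real output (`ss -ltn` on Linux), the check is only the first gate: a datastore legitimately bound to a LAN address still needs authentication enabled and a firewall or security group that limits who can reach the port, and the same check belongs in the deployment pipeline so a config change that flips a bind address cannot sit unnoticed for months.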

Magnolia Health Victim of Spoofed Email Scam
Feb15

Magnolia Health Corporation is the latest healthcare provider to report a data breach caused by an employee responding to a spoofed email that appeared to have been sent by the CEO. The data breach affects employees of Magnolia Health Corporation as well as those employed at facilities managed by MHC subsidiaries Kaweah Manor, Inc., Merritt Manor, Inc., Porterville Convalescent Inc., Twin Oaks Assisted Living, Inc., and Twin Oaks Rehabilitation and Nursing Center Inc. No patients have reportedly been affected, although all active employees have had their personal information compromised. The exposed data include the full names of employees, their address, employee number, date of birth, gender, hire date, seniority date, Social Security number, salary and hourly rate, job title, department, and last date.

Employee Falls for Email Request for Employee Data

An employee responded to an email that appeared to have been sent by Magnolia Health CEO Kenny Moyle and, as requested, sent a spreadsheet containing the details of active employees on February 3, 2015. However, a week...

911 Dispatcher Fired for Privacy Violation
Feb14

The unauthorized sharing of private health information on Facebook has resulted in a 911 dispatcher losing her job, but that may not be the end of it. The patient whose privacy was violated believes loss of employment is not punishment enough for the privacy violation, and wants criminal charges to be filed. Any information provided over the telephone by a patient to a 911 dispatcher should be treated as confidential. The information must be entered into the dispatch database, and while that information may be shared for the purpose of providing treatment or for other healthcare functions, the privacy of patients must be respected. The incident in question involved a 60-year-old Catoosa County resident who called 911 to report a blood clot that had come loose. The 911 dispatcher recorded the caller’s name, address, and details of the medical problem, as the job required. However, 911 dispatcher Holly Dowis took a photograph of the dispatch screen with her mobile phone and sent the image to family members via a private chat on Facebook. The...

OHSU Hard Drive Stolen: PHI of Neonatal Patients Exposed
Feb13

Oregon Health & Science University (OHSU) has reported the theft of a computer hard drive containing the protected health information of neonatal intensive care unit patients. The hard drive was stolen from the vehicle of a research student on December 6, 2015. Contact information was not stored on the hard drive, only patients’ names, dates of birth, medical record identification numbers, physicians’ names, medical diagnoses, and clinical data relating to the research study in which the patients were participating. The data were being used for a study on the potential effect of aminoglycoside antibiotics on hearing. The patients affected were those who enrolled in the study in 2013. Since no Social Security numbers, insurance information, or financial data were stored on the hard drive, OHSU does not believe there is a risk of financial harm to either the patients or their families. OHSU has not announced how many individuals have been affected by the theft, and the incident has yet to be posted on the Office for Civil Rights breach portal. A substitute breach...

Rogue Employee Steals 24000 Jackson Health System Patient Records
Feb11

A Jackson Health System employee stands accused of stealing around 24,000 patient records over a period of 5 years. The hospital unit secretary has been placed on administrative leave pending the conclusion of an internal investigation into the extended HIPAA breach. The suspected theft of patient information has also been reported to law enforcement. Interestingly, the employee has been named but not yet fired. This suggests that the evidence already collected against the individual is substantial. The employee in question is Evelina Reid. She has been employed by Jackson Health since 2005 as a hospital unit secretary for the main operating room in the Miami-Dade public hospital network. An initial review of the privacy breaches indicates Reid accessed 24,188 patient health records over a period of 5 years without a legitimate reason for doing so. Reid is understood to have inappropriately accessed and viewed patient data including names, dates of birth, addresses, and Social Security numbers. South Florida is well known for identity theft and has had more than double the number...

HIPAA Business Associate Reports 31K Record Data Breach
Feb10

Omaha-based Seim Johnson, a business associate of a number of healthcare providers in Nebraska and beyond, has announced that one of its laptop computers was stolen in Nashville, Tennessee, exposing nearly 31,000 healthcare patient records. The laptop computer contained the protected health information (PHI) of 30,972 healthcare patients, 4,200 of whom were patients of Community Hospital in McCook, Nebraska. It is not clear which other healthcare providers were working with Seim Johnson and have been impacted by the data breach. The types of PHI exposed varied from patient to patient, although many had their name, patient identification number, medical record number, or a visit number exposed. In a limited number of cases, Social Security numbers were compromised, although no financial information was stored on the laptop. Patients are in the process of being informed of the privacy breach. If a Social Security number was stored on the laptop, patients will have been specifically informed of this in their breach notification letter. It is company policy at Seim Johnson to encrypt...

Apple Health HIPAA Breach Affects 91K Medicaid Recipients
Feb10

The protected health information of 91,000 Apple Health Medicaid program clients has been compromised by a Washington State Health Care Authority (HCA) employee over a period of almost 3 years, according to a statement issued by HCA risk manager, Steve Dotson. All affected individuals are in the process of being notified that their name, date of birth, Apple Health ID number, Social Security number, and private health information were improperly disclosed between early 2013 and late 2015. The repeated privacy breaches involved two state department employees who exchanged emails containing the highly sensitive data. A woman working as a medical assistance specialist for the HCA regularly sent spreadsheets containing patient health information and Social Security numbers to her brother, who worked as an Internet technician for the Department of Social and Health Services (DSHS). The unauthorized sharing of patient data is a breach of Health Insurance Portability and Accountability Act rules and warrants the sending of breach notification letters. Those letters were dispatched on...

Oceans Acquisitions Announces Laptop Theft and Data Breach
Feb09

The theft of a laptop computer from the vehicle of an Oceans Acquisitions employee has resulted in the protected health information of 659 patients from the Abilene region of Texas being exposed. In May 2015, Oceans Acquisitions confirmed that all portable devices, including laptop computers, had sensitive data encrypted. In the event of theft or loss of a device, all PHI stored on that device would be protected. The encryption would prevent any unauthorized individual from being able to access stored data. However, the laptop theft occurred on April 9, 2015, a month before Oceans Acquisitions ascertained that all devices were protected. While the healthcare provider believed the laptop computer theft did not place any data at risk of exposure, this has turned out not to be the case. According to a substitute breach notice issued on February 2, 2016, Oceans Acquisitions determined that the laptop in question did contain the PHI of 659 individuals, and that those patients potentially had their PHI exposed. This came to light during an unrelated systems review, which was not linked...

Two Employees Fired for Jason Pierre-Paul HIPAA Breach
Feb 09

Back in July 2015, New York Giants football player Jason Pierre-Paul visited Miami’s Jackson Memorial Hospital for treatment after a fireworks accident. News reports emerged soon after confirming Pierre-Paul had suffered a major hand injury. At the time of the accident, the football player was negotiating a new $60 million contract with the Giants. ESPN’s Adam Schefter managed to get hold of Pierre-Paul’s medical records and posted details of the injury on Twitter, confirming Pierre-Paul had had the middle finger of his right hand amputated. There was much debate at the time about the legality of Schefter’s disclosure, with many claiming HIPAA had been violated. Of course, journalists and news reporters are not HIPAA-covered entities, and as such are not obliged to abide by HIPAA rules. While Schefter could not have violated HIPAA, the medical information could only have come from the hospital where Pierre-Paul was being treated. HIPAA Rules did appear to have been violated, just not by Schefter. Jackson Memorial Hospital conducted an internal investigation into the potential...

OIG Publishes Findings of Utah Department of Health Security Audit
Feb 08

The Department of Health and Human Services’ Office of Inspector General has published the findings of a security audit of the Utah Department of Health. OIG discovered 39 “high-impact” security vulnerabilities and “a pattern of inadequate security management.” The Utah Department of Health suffered two data breaches between 2012 and 2013. The first occurred in March 2012 and resulted in the protected health information (PHI) of 780,000 Medicaid recipients and Children’s Health Insurance Plan recipients being obtained by hackers. The data was stored on a server maintained by the Utah Department of Technology Services (DTS), which was accessed by Eastern European hackers. The second data breach occurred in January 2013 and was the result of the loss of an unencrypted USB drive by an employee of a business associate of the Dept. of Health. The USB drive contained the PHI of 6,000 individuals. The security breaches prompted OIG to conduct a review of information systems general controls at the Utah DOH, which took place in March 2013. The initial review was...

Borgess Rheumatology Informs 700 Patients of Mailing Error
Feb 08

Borgess Rheumatology has announced that 700 of its patients have been impacted by a mailing error that occurred on December 9, 2015, and exposed their PHI. While no Social Security numbers or other highly sensitive data have been disclosed, affected patients have had their name and the fact that they receive medical services at Borgess Rheumatology disclosed to another patient. In each case, a single patient will have been made aware of the name of another patient who receives treatment at Borgess Rheumatology and that prescription medications were used by that individual. No health information or sensitive data such as Social Security numbers or insurance details were detailed in the letters. While affected patients have had their privacy violated, due to the very limited data that was inadvertently disclosed, patients are unlikely to face any risk of identity theft as a result of the mailing mistake. In a statement issued to West Michigan News Channel 3, Borgess Rheumatology said the error occurred on December 9, 2015, and that the mistake was discovered the following day....

Louisiana Healthcare Connections Breach Affects 13K Medicaid Recipients
Feb 05

Louisiana Healthcare Connections (LHCC) is notifying approximately 13,000 Medicaid recipients that some of their protected health information has been stolen by a former employee and disclosed to a third party. The data breach affects individuals who have enrolled in LHCC in the Acadiana Region of Louisiana. LHCC became aware of the data breach on December 3, 2015, after being notified of a potential security breach by the Louisiana Attorney General’s Medicaid Fraud Control Unit. The fraud control unit was conducting an investigation into Medicaid fraud that involved data taken from LHCC. LHCC was informed that an individual had fraudulently gained access to LHCC’s provider website and had downloaded a list of patients. The individual in question worked at a physician’s office, and had used the login credentials of another person to gain access to patient data and had downloaded a list of approximately 13,000 patients. That list was subsequently provided to another individual who was not authorized to view the data. The patient list was unlawfully downloaded on March 3, 2015. The...

Another Tampa General Hospital Employee Indicted for PHI Theft and Fraud
Feb 05

This week, another former employee of Tampa General Hospital has been indicted on charges of tax refund fraud, aggravated identity theft, and wrongful disclosure of health information. This is the second former employee of the hospital who has been accused of stealing patient data with a view to committing tax fraud. The first case concerned a former records clerk, Tigi Moore, who stole the protected health information of patients in 2012 and used the information to file false tax returns. Moore and her co-conspirators managed to obtain $671,022.99 in fraudulent tax refunds before being apprehended. The trio had actually filed tax returns requesting around $1.8 million. In 2014, Moore pleaded guilty to charges of aggravated identity theft, theft of government property, and conspiracy and was sentenced to serve 4 years in jail. The latest case concerns Shakania Benton, 37, who worked as a unit coordinator at Tampa General Hospital between February 2007 and August 2014, when she was fired for stealing patient data from the hospital. The data theft was not discovered by the hospital,...

Medicap Pharmacy Warns Des Moines Customers of Potential Data Breach
Feb 05

The Medicap Pharmacy, a franchise of pharmacy stores operating in 28 U.S. states, has announced a data breach that impacts customers who visited one of its pharmacies in Des Moines. Customers who filled prescriptions between June 2014 and November 3, 2015, at the Medicap Pharmacy located at 2804 Beaver Ave, Des Moines, Iowa, may have had some of their protected health information exposed. Affected individuals are being notified by mail of the data breach, which exposed customer names, home addresses, contact telephone numbers, dates of birth, Social Security numbers, insurance information, prescribed medications, cost of those medications, and prescriber information. The data were stored on a portable external hard drive which was accidentally disposed of on November 5, 2015. While it was known that the hard drive contained sensitive information of some of its customers, the pharmacy initially thought that those data had been encrypted. While that appears to have been the case for some customers, not all data stored on the drive were protected with encryption. Medicap Pharmacy...

Lincare Inc to Pay $239,800 CMP for HIPAA Violation
Feb 03

For only the second time in its history, OCR has ordered a HIPAA-covered entity to pay civil monetary penalties for HIPAA violations. Lincare Inc. is required to pay $239,800 for violations of the HIPAA Privacy Rule which were discovered during the investigation of a complaint about a breach of 278 patient records. The Privacy Rule violation – 45 C.F.R. § 164.530(i) – was recently confirmed by a U.S. Department of Health and Human Services Administrative Law Judge: the motion for summary judgement was granted and the decision to issue civil monetary penalties was sustained.

HIPAA Privacy Rule Violation Uncovered by OCR

Lincare Inc., doing business as United Medical, operates more than 850 medical centers throughout the United States, providing respiratory care and medical equipment to patients at its facilities, and via medical services delivered in-home. A complaint was filed with OCR about a Lincare employee who left documents containing the PHI of 278 patients at one of the locations where medical services were provided. The investigation by OCR confirmed that PHI had...

Prime Healthcare Services Hit with Privacy Breach Lawsuit
Feb 03

Prime Healthcare Services has been hit with a lawsuit for repeatedly violating the privacy of a former patient of the Shasta Regional Medical Center. The lawsuit was filed in the Shasta County Superior Court last month by Medicare patient Darlene Courtois, 64. The plaintiff claims that her confidential medical files were shared with 785 employees of the Shasta Regional Medical Center in 2011 without her authorization. The medical information was allegedly emailed to medical center employees by the CEO of the medical center in what is believed by Courtois to be an attempt to discredit a news story published by California Watch. The story covered the healthcare chain’s “unusual and lucrative billing practices.” Reporters from California Watch investigated the unusually high number of Kwashiorkor cases dealt with by the hospital in 2009 and 2010. Kwashiorkor is a relatively rare form of protein malnutrition. Each year, fewer than 20,000 individuals are diagnosed with the condition in the United States. Kwashiorkor is more commonly associated with areas hit by famine, and is associated...

Hawai‘i Medical Service Association Privacy Breach Affects 10,800
Feb 03

Independent Blue Cross Blue Shield licensee Hawai‘i Medical Service Association (HMSA) has started sending breach notification letters to 10,800 members alerting them to a privacy breach that resulted in one member’s medical condition being disclosed to another HMSA member. The privacy breach was caused by an error made with the mailing of care management letters to members, which resulted in letters being sent to incorrect individuals. The incorrectly routed care management letters contained the name of an HMSA member along with information to help that individual manage a specific health condition, such as asthma, diabetes, or heart and lung disease. According to a substitute breach notice placed on the HMSA website, no financial information, membership ID numbers, Social Security numbers, or other sensitive personal information were included in the letters. Individuals affected by the privacy breach do not therefore face a risk of identity theft as a result of the accidental disclosure of PHI. As well as notifying affected individuals by mail, HMSA is contacting all recipients...

How to Retain Patients After a Data Breach
Feb 02

Last year, 1 in 3 Americans had their healthcare data exposed. Many Americans will have had their personal information exposed more than once. While no one wants to have their personal or healthcare information exposed in a data breach, these days it is inevitable that an individual will be affected by a data breach if they allow their data to be stored by a third party such as a healthcare provider or retailer. Sooner or later someone employed by that company will make a mistake that results in data being exposed, or a determined cybercriminal will break through security defenses and steal their sensitive information. According to a survey recently conducted by data privacy and security firm Morrison and Foerster, American consumers are becoming used to their data being exposed. While they are still very concerned about their privacy, many now understand that no company is perfect. Fewer people are now changing company after a data breach has been suffered, but a significant percentage of individuals will do just that.

What is the Likelihood of Losing Patients/Customers after a...

Wayne Memorial Hospital Fires Nurse Aide for Inappropriate PHI Access
Feb 01

390 patients of Wayne Memorial Hospital, Honesdale, Penn., are in the process of being notified of a breach of their protected health information after it was discovered a nurse aide had accessed patient health records without authorization. The information accessed included personally identifiable information along with Social Security numbers, insurance information, and medical diagnoses. The incident was brought to the attention of hospital managers on December 8, 2015, when a member of staff came forward and reported patient health information may have been accessed by the nurse aide. An investigation was immediately launched, which involved a forensic review of file access attempts, to determine whether data had been inappropriately viewed. After determining restricted data had been inappropriately viewed, the nurse aide was fired and the incident was reported to law enforcement. The former employee had received training on the HIPAA Privacy and Security Rules, and was fully aware that data access was not permitted unless necessary as part of the provision of patient care....

98 Percent of Compromised Healthcare Records Due to Hacking
Jan 29

2015 was the worst ever year for healthcare data breaches. The three largest healthcare data breaches were all discovered in 2015, including the massive cyberattack on Anthem Inc. that exposed a staggering 78.8 million healthcare records. The mega data breach at Anthem made the breaches at Premera Blue Cross and Excellus look small by comparison, yet they too were larger than any healthcare data breach previously reported to the Office for Civil Rights. Just those three data breaches alone exposed almost 100 million healthcare records. Add in the 4.5 million-record data breach at UCLA Health, the 3.9 million-record breach at Medical Informatics Engineering and the one suffered by CareFirst BlueCross BlueShield and the total number of breached records rises to 110 million. Something all the major healthcare data breaches of 2015 had in common was that they were the result of the actions of hackers. Human error may have played a part in the exposure of data, and the majority of breaches reported to OCR last year involved errors of judgement or negligence (loss of devices, theft of...

Community Mercy Health Partners Notifies Patients of November Data Breach
Jan 27

In late November, a member of the public discovered a number of documents at a recycling center that appeared to have come from hospitals run by Community Mercy Health Partners. The documents contained detailed information about patients who had received medical services between 2005 and 2013. The information in the documents included patient names, accession numbers, guarantor information, types of study they were involved in, medical diagnoses, health insurance details, physician names, as well as driver’s license details, Social Security numbers, and some clinical information. LeRoy Clouser discovered the files in a number of dumpsters and alerted the Springfield Police of his find. Community Mercy Health Partners was subsequently advised by law enforcement officers about the dumped records and sent staff to retrieve the documents. The matter was reported in the media at the time, although it has taken some time for an investigation to be conducted and for all patients to be identified. That investigation is now complete and patients started being notified of the data breach on...

St. Luke’s Cornwall Hospital Notifies 29K Patients of Data Exposure
Jan 27

St. Luke’s Cornwall Hospital has issued a media announcement providing further information on the 29,156-record data breach that occurred on October 31, 2015. The hospital has explained that the breach occurred when an unidentified individual entered a restricted area of the hospital and stole a thumb drive containing a limited amount of patient data. The device was unencrypted and contained patient names, medical record numbers, details of imaging services provided, and the dates of patient visits. Some administration information was also stored on the thumb drive, although no financial information, insurance details, health information, or Social Security numbers were compromised. While the incident was discovered quickly, the hospital had to conduct an investigation to determine the exact data that were stored on the thumb drive and which patients were affected. The investigation has now been completed and patients have been notified by mail of the breach of their protected health information. The Department of Health and Human Services’ Office for Civil Rights was informed of...

Six Missing Hard Drives Reported by Centene: 950,000 Members Affected
Jan 26

Wisconsin-based health insurer, Centene Corporation, has announced the loss of six unencrypted computer hard drives containing the protected health information of approximately 950,000 of its members. The hard drives were being used for a project to improve the health outcomes of plan members. The individuals impacted by the security breach had all received laboratory services between 2009 and 2015. The data stored on the devices included names, addresses, dates of birth, member ID numbers, Social Security numbers, and laboratory test results. An initial search was conducted after it was discovered that the devices were missing, although a more comprehensive search of Centene facilities is now being conducted. That search is ongoing according to the company’s breach notice. It is possible that the hard drives will be found, although Centene has now taken the step of alerting its members to the potential exposure of their PHI out of an abundance of caution. Also out of an abundance of caution, all 950,000 members have been offered a year of credit monitoring services without charge....

Patients of Alaska Orthopedic Specialists Advised of PHI Breach
Jan 25

Anchorage-based healthcare provider, Alaska Orthopedic Specialists, has alerted 553 patients about a breach of their protected health information. The healthcare provider is no longer in business, having closed its doors in March 2015. While closing the business, it was discovered that a former non-physician member of staff had emailed the data of 553 patients to a personal email account, against company policy and without authorization. According to the defunct company’s breach notice, efforts have been made to secure the stolen data. It is not clear whether those data have now been securely and permanently deleted. The theft of data was reported to the Department of Health and Human Services’ Office for Civil Rights on November 19, 2015, although it has not been made public exactly what data were stolen or when the email was sent. The data were presumably emailed to the personal email account prior to the closure of the business. The breach notice states that no evidence of disclosure of the data has been found, nor any evidence that those data have been used...

Californian Oncologist Announces PHI Theft
Jan 25

In November 2015, the offices of Californian oncologist/hematologist Michael S. Benjamin, M.D., were burgled. The thieves stole a number of paper charts which contained a limited amount of protected health information of his patients. Patients have now been notified of the data breach by mail, and the Department of Health and Human Services’ Office for Civil Rights (OCR) was alerted to the security breach on December 28, 2015. The breach report listed on the OCR breach portal indicates 1,300 individuals were impacted by the breach. When a data breach is suffered that impacts more than 500 individuals, in addition to issuing individual breach notification letters to the victims, HIPAA-covered entities are obliged to provide a notice to “prominent media outlets serving the State or jurisdiction.” As with the issuing of the individual notices, covered entities have up to 60 days following the discovery of a breach in order to do this. According to the media notice, a number of data were contained in the charts, which included names of patients, dates of birth, addresses, phone...

Snapchat Video Posting Gets Nursing Assistant Fired
Jan 20

A nursing assistant from the Parkside Manor assisted-living facility in Kenosha, WI., has been fired for taking a video of a virtually naked 93-year-old Alzheimer’s patient and sharing the file on Snapchat. In recent months an unsavory trend has emerged involving nurses taking photographs and videos of elderly patients and sharing the files on social media networks. The images and videos show patients in various states of undress, performing degrading acts, or posing in compromising positions. An investigation conducted last year by ProPublica revealed the extent to which this is happening across the United States. Reporters discovered 35 separate cases had been reported, although numerous others have more than likely taken place. Snapchat was found to be the most popular site for image and video sharing, although it is far from the only social media network used for sharing degrading and demeaning images and videos of patients. The latest case involved a video of an Alzheimer’s patient who was recorded sitting on her bed wearing only a bra. Grace Riedlinger, 21, admitted taking...

Phishing Attack Suffered by Brigham and Women’s Hospital
Jan 20

Boston’s Brigham and Women’s Hospital has alerted patients to a security breach after a phishing attack compromised the email account of a hospital employee. 1,009 patients have been affected by the cyberattack.

Phishing Attack Suffered by Brigham and Women’s and Brigham and Women’s Faulkner Hospitals

Late last year, a Brigham and Women’s Hospital employee fell victim to a phishing attack that resulted in the login credentials of an email account being divulged to the attacker. The email account contained a limited amount of PHI of a small percentage of patients of both the Brigham and Women’s and Brigham and Women’s Faulkner Hospitals in Boston. According to a breach notice posted on the Brigham and Women’s Hospital website, only one email account was compromised and the electronic health record system was unaffected. Financial account information, Social Security numbers and health insurance numbers were not compromised in the attack, although affected patients have potentially had the following information disclosed: Name, medical record number, date of birth, date of service,...

Department of Veteran Affairs 2015 Privacy Violations
Jan 18

The U.S. Department of Veteran Affairs (VA) is the largest integrated health system in the United States, operating 1,700 hospitals, clinics, domiciliaries, counselling centers, and community living centers. Those facilities include 1,203 outpatient sites, 300 Vet Centers, and 144 hospitals, with the VA serving approximately 5.8 million patients each year. Each month, the VA submits a report to Congress containing a summary of privacy and security violations that have been suffered by VA hospitals and clinics. The VA has come under increasing criticism in recent months for the number of privacy violations and security incidents it suffers. In 2015, an average of 833 veterans had their privacy violated each month. The privacy and security incidents were often serious enough to warrant the provision of credit monitoring services to address risk. On average, 452 veterans are offered these services each month to protect their identities and credit after errors have been made by VA staff. 2015 has been a bad year for privacy violations, with almost 10,000 veterans affected by security...

VA Reports Fall in Privacy Breach Victims in December
Jan 17

The Department of Veteran Affairs has released its monthly report to Congress summarizing the information security incidents suffered by VA hospitals and clinics in December 2015.

December 2015 VA Information Security Report

September 2015 was a bad month for the Department of Veteran Affairs (VA), with 1,135 veterans affected by privacy breaches. The total fell substantially in October 2015, with 648 affected veterans, although that figure rose to 693 in November. The figures for December 2015 show a marked improvement month on month with only 394 veterans affected. That makes December the best month for the VA since March 2015, and the fourth best month of the year for privacy violations in terms of the number of individuals affected. While the victim count improved last month, the number of privacy and security incidents suffered actually increased.

Fewer Lost PIV Cards but More Mishandled and Mis-mailed Incidents

The number of lost and stolen device incidents was unchanged month on month, with 47 incidents reported in both November and December. December saw the number of lost...

MaineGeneral Discovers Additional PHI Was Exposed in November Data Breach
Jan 16

Last month, MaineGeneral announced it had suffered a cyberattack in which a limited amount of patient data had been exfiltrated and placed on an external website by an unknown individual. The data was not accessible to the public, but had been viewed by an unauthorized party. In accordance with HIPAA Rules, MaineGeneral immediately started an investigation and shortly thereafter issued breach notification letters to affected patients to alert them to the exposure of their PHI. An external security firm was also brought in to assist with a forensic investigation. The FBI was also investigating the data breach, and advised MaineGeneral about the data it had discovered on the third party website. The FBI determined that only patients’ dates of birth, emergency contact numbers, telephone numbers, addresses, and referring physician names had been copied. This was confirmed by MaineGeneral’s initial investigation findings. The investigation has been ongoing and is now almost at an end; however, it has since come to light that other Protected Health Information was exposed in the data...

25K Affected by New West Health Services Data Breach
Jan 16

New West Health Services has started notifying 25,000 patients about the loss of an unencrypted, password-protected laptop containing extensive Protected Health Information.

New West Health Services Data Breach Affects 25,000 Patients

New West Health Services, a Helena, MT-based not-for-profit provider of sponsored health plans, including Medicare Advantage and Medicare Supplement plans, has reported the theft of one of its laptop computers. New West, doing business as New West Medicare, announced on January 15, 2016, that the laptop computer contained the records of approximately 25,000 plan members. The device was password protected, but this is not sufficient protection to prevent PHI from being accessed, as passwords can all too easily be cracked. Had the laptop computer been encrypted, no patient health information would have been exposed and it would not have been necessary for breach notices to have been issued. However, since there is a possibility that the PHI of patients could be accessed and used inappropriately, HIPAA requires a breach notice to be issued to all...
