Highmark BCBS of Delaware Investigates Data Breach Affecting 19,000 Individuals

Highmark BlueCross BlueShield of Delaware is investigating a breach of 19,000 beneficiaries of employer-paid health plans. The data breach involves two subcontractors of Highmark BCBS – Summit Reinsurance Services and BCS Financial Corporation.

Karen Kane, Highmark BCBS director of privacy and information management, issued a statement saying 16 current and former Highmark self-insured customers have been impacted.

Affected individuals have now been notified of the breach by mail. The breach notification letters were sent by Summit Reinsurance Services (SummitRe). In the letters, consumers were informed that some of their highly sensitive protected health information had potentially been accessed by unauthorized individuals.

A ransomware infection was discovered by SummitRe on August 5, 2016, although a forensic analysis of the cyberattack revealed that access to Summit’s systems was first gained on March 12, 2016. SummitRe stated in the letters that the forensic investigation into the breach is ongoing, although no direct evidence has been uncovered to suggest that any ePHI stored on the affected server has been used inappropriately.

The types of data that could potentially have been accessed include names, Social Security numbers, details of health insurance, providers’ names, medical records relating to insurance claims – including medical diagnoses, and some clinical information.

Patients affected by the breach have been offered a year of credit monitoring and identity restoration services to protect them against identity theft and fraud.

Details of the nature of the cyberattack are being kept under wraps for the time being while the investigation continues. One of the questions that is likely to be asked is what happened during the five months between the initial intrusion and the ransomware infection.

Hackers are known to install ransomware once they no longer require access to infiltrated systems, often after all valuable information has been obtained. In this case, it is unclear whether any data were exfiltrated during those five months.

SummitRe has been criticized for the letter sent to affected individuals, as it was not abundantly clear who the company was. Affected individuals would have been unlikely to have any dealings with the company in the past as insurance plans were provided through their employers.

Trinidad Navarro, Insurance Commissioner for the State of Delaware, said the letter “appears as if it is A) an ad, or B) a scam.” Navarro also said, “Unfortunately, we fear that many may have misinterpreted or inadvertently discarded the letter.”

One of the data breach notification letters was provided to NBC 10 reporters by an affected patient. The letter was dated January 4, 2016. It is unclear why it took five months for patients to be notified of the breach – almost 10 months after the server was inappropriately accessed.

HIPAA Breach Notification Rule Requirements for Notifying Individuals of Data Breaches

The HIPAA Breach Notification Rule requires covered entities to notify individuals of a suspected ePHI breach within 60 days of discovery of the breach. Last week, the Department of Health and Human Services’ Office for Civil Rights sent a strong message to covered entities about the importance of issuing timely breach notifications. Presence Health of Illinois agreed to settle potential violations of the HIPAA Breach Notification Rule after OCR investigators became aware that it had delayed breach notifications for 3 months following a 2013 security incident affecting 836 individuals. Presence Health will pay OCR $475,000 as part of the settlement deal.

The post Highmark BCBS of Delaware Investigates Data Breach Affecting 19,000 Individuals appeared first on HIPAA Journal.

Foot-Dragging On HIPAA Breach Notice Costs Illinois Health System – Mondaq News Alerts (registration)

Failing to notify the OCR of a data breach in a timely fashion may not be among the most serious of HIPAA violations, but failing to notify affected individuals within 60 days can be a major problem, Eric Fader, a health-care attorney with Day Pitney ...

Brandywine Pediatrics Alerts 27,000 to Potential ePHI Breach

Wilmington, DE-based healthcare provider Brandywine Pediatrics, P.A. has informed tens of thousands of its patients that some of their protected health information has potentially been accessed by an unknown individual. The security breach involved a computer virus, which was discovered on one of the organization’s file servers.

While it has not been explicitly stated that the virus was ransomware, Brandywine Pediatrics has informed patients that the virus rendered ePHI inaccessible. In order to regain access to files it was necessary to restore files from data backups.

The virus infection was discovered on October 25, 2016, sparking a full investigation. A third-party computer forensics expert was contracted to conduct an investigation. That investigation revealed that a number of practice files containing ePHI had potentially been accessed. Sensitive data in the files included names, addresses, medical information, and health insurance details of patients. Brandywine Pediatrics has confirmed that Social Security numbers, credit card/debit card numbers and financial data were not accessed or exposed at any point.

While data access was possible, no evidence was uncovered to suggest that files had actually been copied by the attacker, and no reports of unauthorized use or misuse have been received as of December 23.

Breach notification letters were mailed to affected patients in late December. At the time, it was unclear exactly how many individuals had been impacted by the breach as this was not stated in the breach notice. The security incident has now been added to the Department of Health and Human Services’ Office for Civil Rights Breach portal. The breach summary indicates 26,873 patients were affected.

Brandywine Pediatrics has advised patients how they can minimize risk and action has been taken to prevent similar malware and ransomware infections in the future. Policies and procedures have been reviewed and updated, and Brandywine Pediatrics is reviewing the security of its systems and improvements will be made, as appropriate.

The post Brandywine Pediatrics Alerts 27,000 to Potential ePHI Breach appeared first on HIPAA Journal.

OCR Reminds CEs of HIPAA Audit Control Requirements to Identify Inappropriate ePHI Access

In the past few weeks, a number of HIPAA-covered entities have announced that employees have been discovered to have inappropriately accessed the medical records/protected health information of patients.

Two of the recent cases were discovered when covered entities performed routine audits of access logs. In both instances, the employees were discovered to have inappropriately accessed the electronic protected health information (ePHI) of patients over a period of more than 12 months. One case involved the viewing of a celebrity’s medical records by multiple staff members.

Late last week, OCR released its January Cyber Awareness Newsletter, which covered the importance of implementing audit controls and periodically reviewing application, user, and system-level audit trails. NIST defines audit logs as records of events based on applications, systems, or users, and audit trails as the audit logs of applications, systems, or users.

Most information systems include options for logging user activity, including access and failed access attempts, the devices that have been used to log on, the duration of login periods, and whether data have been viewed.

Audit trails are particularly useful when security incidents occur as they can be used to determine whether ePHI access has occurred and which individuals have been affected. Logs can be used to track unauthorized disclosures, potential intrusions, attempted intrusions, and in forensic analyses of data breaches and cyberattacks. Covered entities can also use logs and trails to review the performance of applications and to help identify potential flaws.

OCR confirmed that recording data such as these, and reviewing audit logs and audit trails, is a requirement of the HIPAA Security Rule (45 C.F.R. § 164.312(b)).

The HIPAA Security Rule requires covered entities to record audit logs and audit trails for review, although the types of data that should be collected are not specified by the legislation. The greater the range of information collected, the more thoroughly security incidents can be investigated. However, covered entities should carefully assess and decide on which data elements are stored in logs. It will be quicker and easier to review audit logs and trails if they only contain relevant information.

The HIPAA Security Rule does not specify how often covered entities should conduct reviews of user activities; instead, this is left to the discretion of the covered entity. Information gathered from audit logs and trails should be reviewed ‘regularly’.

A covered entity should determine the frequency of reviews based on the results of their risk analyses. Organizations should also consider organizational factors such as their technical infrastructure and hardware/software capabilities when determining the review period.

OCR also points out that a review of audit logs and trails should take place after any security incident, such as a suspected breach, although reviews should also be conducted during real-time operations. Due to the potential for audit log tampering, OCR reminds covered entities that “Access to audit trails should be strictly restricted, and should be provided only to authorized personnel.”
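As an added illustration, not code from OCR’s newsletter or from HIPAA Journal, the following Python runs two of the access-log reviews described above over a few constructed audit log lines: it flags users viewing records of patients they have no recorded treatment relationship with, and records viewed by many distinct users within a short window (the pattern behind the celebrity-record case). The log format and the `ASSIGNED` relationship table are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample EHR access-log lines (assumed format): timestamp, user, patient id, action.
SAMPLE_LOG = """\
2016-11-01T09:02:11 user=nurse01 patient=P1001 action=view
2016-11-01T09:05:40 user=nurse01 patient=P1002 action=view
2016-11-01T10:10:00 user=clerk07 patient=P9999 action=view
2016-11-01T10:11:30 user=nurse03 patient=P9999 action=view
2016-11-01T10:12:05 user=doc12 patient=P9999 action=view
2016-11-01T10:14:50 user=nurse01 patient=P9999 action=view
2016-11-02T08:00:00 user=clerk07 patient=P1003 action=view
"""

# Constructed treatment relationships (assumed; a real system derives these from scheduling/claims data).
ASSIGNED = {"nurse01": {"P1001", "P1002"}, "nurse03": {"P9999"}, "doc12": {"P9999"}, "clerk07": set()}


def parse_log(text):
    """Parse 'timestamp key=value ...' lines into event dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        events.append({"ts": datetime.fromisoformat(ts), "user": kv["user"],
                       "patient": kv["patient"], "action": kv["action"]})
    return events


def unassigned_access(events, assigned):
    """Map each user to the patient records they viewed without a recorded treatment relationship."""
    hits = defaultdict(set)
    for e in events:
        if e["patient"] not in assigned.get(e["user"], set()):
            hits[e["user"]].add(e["patient"])
    return dict(hits)


def crowded_records(events, window_minutes=60, min_users=3):
    """Map patient id -> set of users when >= min_users distinct users viewed it within one window."""
    by_patient = defaultdict(list)
    for e in events:
        by_patient[e["patient"]].append(e)
    flagged = {}
    for pid, evs in by_patient.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):  # slide a window starting at each access
            users = {x["user"] for x in evs[i:]
                     if (x["ts"] - start["ts"]).total_seconds() <= window_minutes * 60}
            if len(users) >= min_users:
                flagged[pid] = users
                break
    return flagged
```

Both checks only produce leads for a reviewer; the reviewing account itself should be one of the restricted, authorized users the section says audit trails must be limited to.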

The post OCR Reminds CEs of HIPAA Audit Control Requirements to Identify Inappropriate ePHI Access appeared first on HIPAA Journal.