Author Archives: HIPAA Journal

Centrelake Medical Group Discovers Servers Compromised and Virus Deployed

Centrelake Medical Group, a network of 8 medical imaging and oncology centers in California, is notifying certain patients that some of their protected health information has been exposed as a result of a computer virus.

The computer virus was discovered in February 2019 when it prevented the medical group from accessing its files. The virus appears to be a form of ransomware, although no mention of ransomware or a ransom demand was made in the media notice issued by Centrelake.

Centrelake retained a computer forensics company to assist with the investigation to determine the scope of the attack and whether any files containing protected health information had been accessed or copied.

The investigation revealed an unauthorized individual had gained access to its servers on January 9, 2019. That individual retained undetected access to the servers until the virus was deployed on February 19, 2019.

It is not unusual for ransomware to be installed on systems after hackers have breached security defenses. In some cases, ransomware is deployed after the system has been investigated and all valuable data has been exfiltrated. In this case, the computer forensics company did not uncover any evidence to suggest patient information was accessed or copied during the time that system access was possible, and no reports have been received to suggest any attempted or actual misuse of data has occurred.

The servers accessed by the unauthorized third party contained software applications and files that may have contained the following types of patient information: Names, phone numbers, addresses, Social Security numbers, health insurance information, diagnoses, services performed, dates of service, medical record numbers, referring provider information, and driver’s license numbers.

Centrelake Medical Group has told patients to be alert to the possibility of data misuse and suggests patients should monitor their financial accounts, credit reports, and explanation of benefits statements for any sign of fraudulent activity. A toll-free number has been set up for patients to obtain further information, but it does not appear that patients are being provided with credit monitoring and identity theft protection services.

The incident has yet to appear on the Department of Health and Human Services’ Office for Civil Rights breach portal, so it is currently unclear exactly how many patients have been affected.

The post Centrelake Medical Group Discovers Servers Compromised and Virus Deployed appeared first on HIPAA Journal.

11,639 Individuals Impacted by Riverplace Counseling Center Malware Attack

Riverplace Counseling Center in Anoka, MN, has discovered malware has been installed on its systems which may have allowed unauthorized individuals to gain access to patients’ protected health information.

The malware infection was discovered on January 20, 2019. The counseling center engaged an IT firm to conduct a forensic analysis, remove the malware, and restore its systems from backups. The analysis was completed on February 18, 2019.

The IT firm did not find evidence that suggested patient information had been subjected to unauthorized access or had been copied, but data access and PHI theft could not be totally ruled out.

The types of information stored on the affected systems included names, addresses, dates of birth, health insurance information, Social Security numbers, and treatment information.

Affected individuals were notified about the data breach on April 11, 2019 and have been offered identity theft monitoring services via Kroll for 12 months at no cost. No reports have been received to date to suggest any patients’ PHI has been misused.

Riverplace Counseling Center has not publicly disclosed what type of malware was involved, nor how the malware was installed on its systems.

To improve security and reduce the risk of further malware attacks, Riverplace Counseling Center has installed spam filters, upgraded its antivirus software and firewalls, and has provided further training to employees to help them identify unauthorized access.

The counseling center has also consulted with a cybersecurity firm which is providing recommendations on new system-wide policies and procedures to further enhance security.

According to the breach summary on the Department of Health and Human Services’ Office for Civil Rights website, up to 11,639 patients’ PHI was potentially compromised.


Clearway Pain Solutions Institute Discovers Unauthorized EMR System Access

Gulf Coast Pain Consultants, dba Clearway Pain Solutions Institute, has discovered its EMR system has been accessed by an unauthorized individual.

An investigation was launched following the discovery of the breach on February 20, 2019. The investigation revealed the individual accessed a range of patient information.

The types of information that were accessed included patients’ names, telephone numbers, home addresses, email addresses, dates of birth, Social Security numbers, health insurance information, name of referring provider, and demographic information. Clinical information contained in medical records could not be accessed and no financial information was exposed.

Unauthorized access to the system has now been blocked, a full review of all EMR accounts has been conducted, and access levels and EMR system activity have been validated for all user accounts. A review of policies and procedures covering access to patient information is being conducted, and updates will be made as appropriate.

All patients affected by the breach are now being notified and are being offered 12 months of membership to Experian IdentityWorks at no cost.

The incident has yet to appear on the HHS’ Office for Civil Rights breach portal so it is unclear exactly how many patients have been affected.

Questcare Medical Services Discovers Email Account Breach

Questcare Medical Services, a Dallas, TX-based physician group, has announced the email account of an employee was compromised on February 13, 2019 as a result of a phishing attack. An investigation was immediately launched which revealed the compromised account contained protected health information. Affected patients were notified about the breach on April 12, 2019.

All individuals impacted by the breach had received medical services from Questcare in the Dallas, Fort Worth, or Arlington regions of Texas. The information potentially accessed by the attacker was limited to names, dates of birth and some clinical information. No sensitive financial information or Social Security numbers were exposed.

Questcare has provided further training to staff to improve security awareness and regular reminders about phishing will be sent to staff. Microsoft’s Advanced Threat Protection has also been implemented to provide enhanced protection against phishing attacks.

The number of individuals impacted by the breach has not yet been publicly disclosed.

RS Medical Experiences Phishing Attack

Vancouver, WA-based pain relief device manufacturer RS Medical has experienced a phishing attack that resulted in the email account of an employee being accessed by an unauthorized individual. The purpose of the attack appears to have been to gain access to a company account to send phishing emails rather than to obtain sensitive patient information.

After gaining access to the account, the attacker sent around 10,000 phishing emails which alerted the company to the account breach. The breach was detected within 2 hours of the account being accessed.

While PHI access is not suspected, it could not be ruled out with a high degree of certainty. Notification letters have been sent to approximately 250 individuals whose PHI was included in the account.

The exposed PHI was limited to names, dates of birth, phone numbers, home addresses, diagnosis codes, and details of the medical equipment and supplies that had been provided by RS Medical.


Blue Cross of Idaho Website Hacked and Attempts Made to Reroute Payments

Blue Cross of Idaho has discovered its website has been hacked and an unauthorized individual gained access to its member portal and viewed the protected health information of some of its members.

Blue Cross of Idaho is one of the largest health insurers in the state and serves approximately 560,000 Idahoans. Blue Cross of Idaho’s executive vice president Paul Zurlo said the breach affected around 1% of its members – around 5,600 individuals.

The website security breach occurred on March 21, 2019 and was discovered the following day. During the time that portal access was possible, the hacker accessed provider remittance documents and attempted to reroute provider financial transactions.

Upon discovery of the breach, Blue Cross of Idaho terminated the unauthorized access and secured its portal to prevent financial fraud and further accessing of documents. The incident was reported to the FBI and the investigation remains open. The health insurer is working with internal and external cybersecurity consultants and financial experts to assess the security of the patient portal and the financial transactions that have taken place. All transactions going through the system are being monitored to ensure they are legitimate.

The remittance documents that were accessed did not contain Social Security numbers, driver’s license numbers, bank account information or debit/credit card numbers. The compromised information was limited to names, enrollee numbers, patient account numbers, claims numbers, payment data, procedure codes, provider names, and dates of service.

Members impacted by the breach have been advised to carefully monitor their bank account, credit card, and other financial statements for any sign of fraudulent activity as a precaution, even though financial information was not exposed. Explanation of benefits statements should also be checked for any services listed that have not been provided.

Following the exposure of sensitive information, it is customary to offer free access to credit monitoring and identity theft protection services. If Social Security numbers, financial information, or driver’s license numbers are exposed in a data breach, those services are usually provided for 12 months at no cost.

Even though highly sensitive information was not exposed and there does not appear to have been any attempt to misuse PHI, Blue Cross of Idaho is offering credit monitoring and identity theft protection services to affected members for three years.

Blue Cross of Idaho will also be sending new ID cards with different membership ID numbers to all affected individuals in the next few weeks and will continue to monitor the security of its system to ensure that members’ personal information is safe and secure.


Metrocare Services Suffers Second Phishing Attack in Two Months

Metrocare Services, a provider of mental health services in North Texas, has experienced a phishing attack which saw the email accounts of several employees accessed by an unauthorized individual.

The breach was detected on February 6, 2019 and the affected email accounts were rapidly blocked to prevent further access. The investigation revealed the accounts were first compromised in January 2019.

An analysis of the affected accounts revealed they contained the protected health information of 5,290 patients. Patients were notified on April 5, 2019 that the following information could potentially have been accessed as a result of the attack: Name, date of birth, driver’s license information, health insurance information, health information related to the services provided by Metrocare, and for certain patients, Social Security numbers.

The breach investigation did not uncover any evidence to suggest emails containing ePHI had been accessed or copied, but ePHI access and theft could not be ruled out. Individuals whose Social Security number was exposed have been offered free access to identity theft protection and credit monitoring services for 12 months.

In response to the breach, Metrocare Services will be implementing additional security measures and will be strengthening the security of its email system. Multifactor authentication will also be implemented to prevent accounts from being accessed in the event that credentials are compromised in future attacks.

This is not the first phishing attack that Metrocare Services has experienced. Two months previously, in November 2018, the PHI of 1,800 patients was compromised in a similar attack. After that attack Metrocare Services said it was strengthening the security of its email system and had provided additional training to employees to help them identify potential phishing attacks.

Those measures were clearly not sufficient to prevent further attacks. Had multifactor authentication been implemented after the first phishing attack, the second, larger breach could potentially have been prevented.



Healthcare Organizations Found Not to be In Conformance with NIST CSF and HIPAA Rules

A recent study conducted by the consultancy firm CynergisTek has revealed healthcare organizations are not in conformance with NIST Cybersecurity Framework (CSF) controls and the HIPAA Privacy and Security Rules.

For the study, CynergisTek analyzed the results of assessments at almost 600 healthcare organizations against NIST CSF and the HIPAA Privacy and Security Rules.

The NIST CSF is a voluntary framework, but the standards and best practices help organizations manage cyber risks. Healthcare organizations that are not in conformance with CSF controls face a higher risk of experiencing a cyberattack or data breach. On average, healthcare organizations were only in conformance with 47% of NIST CSF controls. Conformance has only increased by 2% in the past year.

Assisted living organizations had the highest level of conformance with NIST CSF (95%), followed by payers (86%), and accountable care organizations (73%). Business associates of HIPAA covered entities only had an average conformance level of 48%. Physician groups had the lowest level of conformance (36%).

Out of the five core functions of the NIST CSF – Identify, Protect, Detect, Respond, and Recover – conformance was lowest for Detect.

Even though conformance with the HIPAA Security Rule has been mandatory for the past 14 years, many healthcare organizations were found to be falling short. On average, healthcare organizations were found to be in conformance with 72% of HIPAA Security Rule requirements, which was 2% lower than last year. Critical access hospitals fared the worst with an average of 67% conformance.

Even when organizations were complying with HIPAA Rules, significant security gaps were identified, which clearly demonstrated compliance does not necessarily equate to security.

Compliance with the requirements of the HIPAA Privacy Rule was better, but there is still significant room for improvement. On average, healthcare organizations were complying with 77% of HIPAA Privacy Rule provisions. Many organizations had missing policies and procedures and improper postings. More than 60% of assessments revealed gaps in the maintenance of written policies and procedures related to the use and release of protected health information.

Conformance with the HIPAA Privacy Rule increased year over year for payers and physician groups, but declined for hospitals and health systems, falling from 94% in 2017 to 72% in 2018. CynergisTek explained this fall as most likely being due to higher numbers of assessments being performed on hospitals and health systems in 2018.

CynergisTek also found that insider breaches continue to be a major challenge for healthcare organizations. Insiders were responsible for 28% of healthcare data breaches in 2018 and, on average, those breaches took 255 days to detect. 74% of cases involved employees accessing the health records of household members, 10% involved accessing the records of VIPs that were treated at the hospital. 8% of cases involved accessing the health records of co-workers and 8% involved accessing neighbors’ health records.

Business associates were found to be a major security risk. They were involved in 20% of healthcare data breaches in 2018. CynergisTek found that in many cases, healthcare organizations were not proactively assessing their vendors, even those that are medium to high risk. The most common business associate failures were related to risk assessments, governance, and access management.


Health Recovery Services Notifies 20,485 Patients About Potential PHI Breach

Health Recovery Services, an Athens, OH-based provider of alcohol and drug addiction services, is notifying 20,485 patients that some of their protected health information may have been accessed by an unauthorized individual.

On February 5, 2019, Health Recovery Services discovered an unauthorized IP address had remotely accessed its computer network. Network and information systems were taken offline to prevent further access and a forensic expert was retained to conduct an investigation to determine the nature and scope of the breach.

On March 15, 2019, the forensic investigator determined that the IP address first accessed the network on November 14, 2018 and access remained possible until February 5. No evidence was uncovered to suggest any patient information was accessed or copied, although the possibility of data access and theft could not be totally ruled out. Patients whose protected health information was exposed have been notified by mail ‘out of an abundance of caution’.

The types of patient information contained in files on the compromised server included names, addresses, contact telephone numbers, and dates of birth. Patients who received treatment at Health Recovery Services after 2014 also had medical information, health insurance information, diagnoses, treatment information, and Social Security numbers exposed.

Health Recovery Services rebuilt its entire network to ensure that it was totally secure and free from any security threats. Policies, procedures, and cybersecurity measures were reviewed and will be enhanced to prevent further data breaches. Steps will also be taken to limit the harm that can be caused should a further network server breach be experienced in the future.


HHS Slow to Implement GAO Health IT and Cybersecurity Recommendations

The U.S. Department of Health and Human Services has been slow to implement recommendations made by the Government Accountability Office. In total, 392 recommendations have yet to be addressed, including 42 which GAO rated as high priority.

Over the past four years, GAO has made hundreds of recommendations, but the HHS has only addressed 75% of them, 2% less than other government agencies.

The poor implementation rate was outlined in a March 28, 2019 letter from the GAO to HHS secretary Alex Azar.

GAO explained that healthcare is part of the nation’s critical infrastructure and relies heavily on computerized systems and electronic data to function. Those systems are regularly targeted by a diverse range of threat actors, so it is essential they are secured and protected from unauthorized access.

GAO drew attention to four high priority recommendations covering health IT and cybersecurity that are still outstanding.

“The four open priority recommendations within this area outline steps to ensure HHS can effectively monitor the effect of electronic health records programs and progress made toward goals; encourage adoption of important cybersecurity processes and procedures among healthcare entities; protect Medicare beneficiary data accessed by external entities; and ensure progress is made toward the implementation of IT enhancements needed to establish the electronic public health situation awareness network,” wrote GAO in the letter.

GAO explained that in March 2018, it recommended that the administrator of the Centers for Medicare and Medicaid Services (CMS) should develop and implement policies and procedures to ensure that entities that use claims data to evaluate the performance of Medicare service and equipment providers have implemented appropriate security controls.

While CMS has agreed to engage a contractor to review the current data security framework and provide recommendations on specific controls and implementation requirements, GAO notes that CMS must also develop appropriate processes and procedures for implementing those controls.

Three other high priority health IT and cybersecurity recommendations have yet to be implemented.

The HHS has yet to develop performance measures that allow it to assess whether the Meaningful Use program (now the Promoting Interoperability Program) is actually improving outcomes and patient safety.

GAO recommended in 2018 that the HHS and the Secretary of Agriculture should collaborate with the Department of Homeland Security and NIST and develop methods for determining the level and type of cybersecurity framework adoption required to improve the critical infrastructure of the healthcare industry. While some work has been completed in this area, GAO wrote that the HHS is still trying to identify applicable methods 12 months on.

GAO also recommended that the HHS should instruct the Assistant Secretary for Preparedness and Response to conduct all IT management and oversight processes when establishing the public health situational awareness network, and to act under the leadership of the HHS CIO. GAO notes that little has been done to enhance national public health situational awareness network capabilities that would allow officials to view real-time information about emerging health threats.

GAO explained that it is essential for these and other recommendations to be implemented promptly. Further, GAO believes that fully implementing all of its recommendations will significantly improve HHS operations.
