Author Archives: HIPAA Journal

Vulnerability Identified in Philips HealthSuite Health Android App

The Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has issued a medical advisory about a vulnerability that has been identified in the Philips HealthSuite Health Android App.

The Philips HealthSuite Health Android App records body measurements and health data to allow users to track activities to help them achieve their health goals. The app is used by individuals in the United States, Netherlands, Germany and the United Kingdom.

User data stored by the app is encrypted to prevent unauthorized access; however, a security researcher discovered the method used to encrypt data is too simplistic and does not offer a sufficiently high level of protection.

As a result, an attacker with physical access to the app could exploit the vulnerability to gain access to a user’s data. The vulnerability could not be exploited remotely, so the risk to users is low. The vulnerability, tracked as CVE-2018-19001, has been assigned a CVSS v3 base score of 3.5.

Philips will be releasing a new version of the app in the first quarter of 2019 that will use a stronger method of encryption for user data. In the meantime, Philips recommends not using the app on rooted or jailbroken mobile devices, as doing so would weaken security and increase risk.

The post Vulnerability Identified in Philips HealthSuite Health Android App appeared first on HIPAA Journal.

16,000 Redwood Eye Center Patients Impacted by MSP Breach

A managed service provider that hosts the electronic health records of Redwood Eye Center in Vallejo, CA has experienced a security breach that has resulted in the exposure of 16,000 patients’ protected health information.

IT Lighthouse provides computer support and application hosting services, including the hosting of electronic health records. During the evening of September 19, 2018, hackers succeeded in installing ransomware on a server that was hosting the electronic health records of patients of Redwood Eye Center. Redwood Eye Center was notified about the security breach on September 20, 2018.

IT Lighthouse hired a third-party computer forensics firm to assist with the investigation, and a specialized medical software vendor was consulted and helped Redwood Eye Center recover the affected data.

The types of data that were potentially accessed by the attackers included patients’ names, addresses, birth dates, health insurance information, and medical treatment information. The investigation did not uncover any evidence to suggest the attackers accessed the PHI of Redwood Eye Center patients, but notification letters were sent out of an abundance of caution on December 6, 2018.

The breach notification letter sent to the California attorney general indicates 16,055 California residents have had their protected health information exposed.

Email Privacy Breach Reported by Butler County

Butler County, OH, is notifying approximately 1,350 employees that some of their protected health information has been exposed as a result of an email error. The county’s wellness coordinator sent an email in September about health insurance which included a spreadsheet that contained the wellness information of employees.

The spreadsheet had hidden columns which contained information such as names, insurance ID numbers, and information about the employees’ participation in the county wellness program. Highly sensitive information such as Social Security numbers and passwords were not exposed. Affected individuals have been advised to take steps to prevent the fraudulent use of their insurance information.

Butler County sought legal advice about the breach and was advised to report the incident to the Department of Health and Human Services, which is investigating.

Coding Error Resulted in Disclosure of Thielen Student Health Center Patient Data

599 patients of Thielen Student Health Center in Ames, IA, are being notified that some of their protected health information has been impermissibly disclosed to other patients.

Thielen Student Health Center uses software to send satisfaction surveys to patients. In a recent survey run, a coding error occurred when patient information was put into the system. As a result of the error, names of patients, appointment dates, and providers’ names were incorrectly added to the surveys. Individuals affected had the above information disclosed to one other patient.

The error was rapidly identified, and the health center was able to recall many of the surveys before they were seen. All affected individuals have been notified, and changes have been made to remove personally identifiable information from future surveys.

First Hospital GDPR Violation Penalty Issued: Portuguese Hospital to Pay €400,000 GDPR Fine

The first hospital GDPR violation penalty has been issued in Portugal. The Portugal supervisory authority, Comissão Nacional de Protecção de Dados (CNPD), took action against the Barreiro Montijo hospital near Lisbon for failing to restrict access to patient data stored in its patient management system.

Concerns were raised about the lack of data access controls in April 2018. Medical workers in the southern zone discovered non-clinical staff were using medical profiles to access the patient management system.

CNPD conducted an audit of the hospital and discovered 985 hospital employees had access rights to sensitive patient health information when there were only 296 physicians employed by the hospital. Only medical doctors at the hospital should have been able to access that level of detailed information about patients. CNPD also discovered a test profile had been set up with full, unrestricted administrator-level access to patient data and nine social workers had been granted access to confidential patient data.

The failure to implement appropriate access controls is a violation of the EU’s General Data Protection Regulation (GDPR) which came into force on May 25, 2018.

The hospital has been fined €400,000 ($455,050) for the GDPR violations – €300,000 for the failure to limit access to patient data and €100,000 for the failure to ensure the confidentiality, integrity, and availability of treatment systems and services. The hospital is taking legal action over the GDPR penalty.

This is the first GDPR violation fine to be issued in Portugal and one of the first fines since GDPR started to be enforced in May 2018. The financial penalty is well below the maximum fine that can be issued for a GDPR violation, which is up to €20 million ($22.74 million) or 4% of global annual turnover, whichever is greater.

In November, the supervisory authority in Germany, the Baden-Württemberg Data Protection Authority, issued a financial penalty to the chat platform Knuddels.de for the failure to secure the personal information of EU residents. Knuddels.de suffered a data breach that exposed the email addresses of 808,000 users and 1.8 million usernames and passwords. The investigation revealed that sensitive information such as passwords was stored in plaintext.

Knuddels.de was fined €20,000 ($22,750). The relatively low fine was due to the level of transparency over the breach, exemplary cooperation with the data protection authority, and the speed at which security upgrades were applied.

AMIA and AHIMA Call for Changes to HIPAA to Improve Access and Portability of Health Data

The American Medical Informatics Association (AMIA) and the American Health Information Management Association (AHIMA) have called for changes to HIPAA to be made to improve patients’ access to their health information, make health data more portable, and to better protect health data in the app ecosystem.

At a Wednesday, December 5, 2018, Capitol Hill briefing session, titled “Unlocking Patient Data – Pulling the Linchpin of Data Exchange and Patient Empowerment,” leaders from AMIA and AHIMA joined other industry experts in a discussion about the impact federal policies are having on the ability of patients to access and use their health information.

Consumers currently have access to their personal information and can integrate and use that information to book travel, find out the prices of products and services from different providers, and conduct reviews and comparisons. However, while many industries have improved access to consumer information, the healthcare industry has fallen behind and has so far failed to implement a comparable, patient-centric system.

“Congress has long prioritized patients’ right to access their data as a key lever to improve care, enable research, and empower patients to live healthy lifestyles,” said AMIA President and CEO Douglas B. Fridsma. “But enacting these policies into regulations and translating these regulations to practice has proven more difficult than Congress imagined.”

AHIMA CEO Wylecia Wiggs Harris said, “AHIMA’s members are most aware of patient challenges in accessing their data as they operationalize the process for access across the healthcare landscape… the language in HIPAA complicates these efforts in an electronic world.”

The P in HIPAA does stand for portability, yet patients are still struggling to obtain their health data in a usable form that allows them to share that information with other entities. Health data should be portable, as is the case with other types of consumer information. Changes to HIPAA legislation will help the healthcare sector catch up with other industries.

Changes to HIPAA Required to Support Access and Portability of Health Data

Both AMIA and AHIMA suggest HIPAA needs to be modernized to improve patient access to health data, and they proposed two options. One option is the establishment of a new term – “Health Data Set” – that incorporates all data about a patient that is held by a HIPAA-covered entity or business associate, including clinical, biomedical, and claims information.

Alternatively, the definition of a Designated Record Set currently used in HIPAA legislation could be updated, and certified health IT could be required to provide that data set in electronic form in a way that allows patients to use and reuse their data.

Both options would address the problem. The former would support a patient’s right to access their health data and would also support the future development of the ONC’s certification program to allow patients to view, download, and electronically transmit their health data to third parties through an application programming interface (API). Updating the current record set definition would help to clarify the rules for both providers and patients.

HIPAA Right of Access Should be Extended

AMIA and AHIMA also support extending the HIPAA individual right of access and amendment to entities that are not covered by HIPAA but manage individual health data, such as companies that develop mHealth apps and health social media applications.

Similar data is created, stored, and transmitted by HIPAA-covered and non-HIPAA-covered entities, yet data access policies differ for both groups. There should be greater uniformity of data access, regardless of what type of entity collects and stores health data.

AMIA and AHIMA also suggest federal regulators should clarify current guidance related to third-party legal requests. “Health Information Management (HIM) professionals continue to struggle with the existing Office for Civil Rights guidance that enables third-party attorneys to request a patient’s PHI,” explained AHIMA’s Wylecia Wiggs Harris. “AHIMA members increasingly face instances in which an attorney forwards a request for PHI on behalf of the patient but lacks the information required to validate the identity of the patient. As a result, the HIM professional is challenged as to whether to treat it as an authorization or patient access request, which has HIPAA enforcement implications.”

PHI of 41,000 Patients of Cancer Centers of America Potentially Compromised in Phishing Attack

Cancer Treatment Centers of America’s (CTCA) Western Regional Medical Center in Bullhead City, AZ, has discovered that the email account of one of its employees was compromised after the employee responded to a phishing email.

The phishing email appeared to have been sent from the email account of a Cancer Treatment Centers of America executive and used social engineering techniques to fool the employee into disclosing login credentials to the account.

The attacker was able to access the account, but only for a limited time, as the account compromise was detected by IT staff and the user’s account password was reset. However, during the time that the email account was accessible, it is possible that some messages containing patients’ protected health information (PHI) were accessed.

Cancer Treatment Centers of America called in a nationally recognized computer forensics firm to assist with the investigation. While it was not possible to tell which, if any, emails were accessed, it was discovered that the compromised email account contained the PHI of 41,948 patients.

The information in the emails varied from patient to patient and may have included: name, address, email address, date of birth, medical record number, treatment dates, facility visited, physician name, type of cancer, and health insurance information. A small number of Social Security numbers were exposed, but the emails did not include any financial information.

Free credit monitoring and identity theft protection services have been offered to all patients whose Social Security number was exposed. Cancer Treatment Centers of America has since provided further training to employees to help them identify suspicious emails.

The breach occurred on May 2, 2018 and the CTCA Information Technology Department quickly took action to reset the account; however, the Cancer Treatment Centers of America website breach notice states that CTCA only became aware of the breach of PHI on September 26, 2018.

The breach was reported to the Department of Health and Human Services’ Office for Civil Rights on November 26, 2018.

Ransomware Attacks Reported by Healthcare Providers in Illinois and Rhode Island

A roundup of recent healthcare ransomware attacks, privacy breaches, and security incidents that have been announced in the past few days.

Center for Vitreo-Retinal Diseases Ransomware Attack Impacts 20,371 Patients

The Center for Vitreo-Retinal Diseases in Libertyville, IL, experienced a ransomware attack that resulted in the encryption of data on its servers. The attack was detected on September 18, 2018. The investigation into the breach suggests the attacker may have gained access to the protected health information of 20,371 patients that was stored on the affected servers.

The attack appeared to have been conducted with the intention of extorting money from the practice. While it is possible that patient information was accessed by the attacker, no evidence of unauthorized data access, data theft, or misuse of patient information has been discovered.

The information that was potentially compromised included names, addresses, telephone numbers, birth dates, health insurance information, health data, and the Social Security numbers of Medicare patients.

The Center for Vitreo-Retinal Diseases has since reviewed its security protections and has taken steps to prevent similar security breaches from occurring in the future.

Rhode Island Health Center Experiences Ransomware Attack

Woonsocket, RI-based Thundermist Medical Center experienced a ransomware attack on the evening of Thursday, November 28 which took some of its computer systems out of action. Fast action was taken to secure patient information and unaffected systems were isolated to prevent widespread file encryption.

The health center implemented its emergency protocols and was able to continue providing medical services. There was minimal impact on patients although certain appointments were cancelled out of safety concerns due to the inability to access medical records. Thundermist Medical Center does not believe any patient information was compromised in the attack.

Mailing Error by Vendor of OrthoTexas Physicians and Surgeons Caused Patient Name Disclosure

OrthoTexas Physicians and Surgeons, a network of orthopedic and sports medicine practices in Texas, has discovered an error was made on an October 5, 2018 mass mailing which resulted in the accidental disclosure of patient information to other patients.

The letters were notifications that a physician had joined the practice and would be treating patients at its facilities in Frisco and Plano. The letters, which were incorrectly dated August 27, 2018, were placed in incorrect envelopes by the practice’s mailing vendor.

The mailing was sent to 2,172 patients and resulted in the name of one patient being disclosed to another patient. No other patient information was included in the mailing.

San Mateo Medical Center Discovers Improper Disposal of 500 Patients’ PHI

San Mateo Medical Center in Daly City, CA, has discovered the medical records of up to 500 patients have been accidentally exposed as a result of an improper disposal incident.

The paper records had been left overnight in a box under an employee’s desk; temporary cleaning staff mistook the box for recycling and disposed of the documents in a recycling bin intended only for non-confidential paperwork. San Mateo Medical Center has separate recycling bins for paperwork containing confidential information, which is sent for shredding prior to disposal.

The paperwork relates to patients who visited its Daly City facility on November 5 and 6. Since the documents have not been recovered, it was not possible to tell exactly which patients were affected, nor exactly what information was recorded on the documents.

San Mateo Medical Center believes the patients affected by the incident have had the following information exposed: name, birth date, medical record number, service date, patient account number, gender, age, provider or resource name, and insurance code.

San Mateo Medical Center has reinforced its policies on the correct way to dispose of sensitive information and the Daly City clinic manager has instructed staff not to leave confidential information out overnight and to place confidential documents in shredding bins immediately when they are no longer required.

12 State Attorneys General File HIPAA Breach Lawsuit Against Medical Informatics Engineering

A multi-state federal lawsuit has been filed against Medical Informatics Engineering and NoMoreClipboard over the 2015 data breach that exposed the data of 3.9 million individuals.

Indiana Attorney General Curtis Hill is leading the lawsuit and 11 other states are participating – Arizona, Arkansas, Florida, Iowa, Kansas, Kentucky, Louisiana, Minnesota, Nebraska, North Carolina and Wisconsin.

This is the first time that state attorneys general have joined forces in a federal lawsuit over a data breach caused by violations of the Health Insurance Portability and Accountability Act. The lawsuit seeks a financial judgement, civil penalties, and the adoption of a corrective action plan to address all compliance failures.

A Failure to Implement Adequate Security Controls

The lawsuit alleges Medical Informatics Engineering failed to implement appropriate security to protect its computer systems and sensitive patient data and, as a result of those failures, a preventable data breach occurred. According to the lawsuit, “Defendants failed to implement basic industry-accepted data security measures to protect individual’s health information from unauthorized access.”

The breach in question occurred between May 7 and May 26, 2015. Hackers were able to gain access to its WebChart electronic health record system and to highly sensitive patient information, the exact types of data sought by identity thieves: names, addresses, dates of birth, Social Security numbers, and health information.

Known Vulnerabilities Were Not Corrected

Medical Informatics Engineering had set up two ‘tester’ accounts, one of which could be accessed with the username and password ‘tester’ and the other with the username and password ‘testing’. Both accounts could be accessed remotely without any further identification. The lawsuit alleges Medical Informatics Engineering was aware of the security issue, as the accounts had been identified as high risk by a third-party penetration testing firm, Digital Defense, in January 2015. Even though the accounts were high risk, Medical Informatics Engineering continued to use them. The accounts had been set up to enable one of its healthcare provider clients to log in without having to use unique usernames and passwords.

While those accounts did not have privileged access, they did allow the hackers to gain a foothold in the network. Through those accounts the attackers conducted an SQL injection attack, which allowed them to gain access to other accounts with administrative privileges that were used to exfiltrate data.

Post-Breach Response Failures

While the initial attack and data exfiltration went unnoticed, a further attempt to exfiltrate data using malware slowed network performance to such an extent that an alarm was generated, alerting Medical Informatics Engineering that its systems had been compromised. While the company was investigating the malware attack, the attackers were still able to exfiltrate further data through SQL queries, demonstrating that the company’s post-breach response was “inadequate and ineffective.”

No Encryption or Employee Security Awareness Training

No encryption had been used to protect stored data, and no security system had been implemented to alert Medical Informatics Engineering to possible hacking attempts. Had such a system been implemented, unauthorized access would have been easy to identify, as two of the IP addresses used by the attackers originated in Germany.
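Two of the failures described above, successful remote logins to shared test accounts that a penetration test had already flagged, and logins from a country where the company had no users, are exactly what a simple authentication-log check catches. The following Python is an added example, not code from Medical Informatics Engineering or from the lawsuit; the log format, the flagged account list, the allowed-country list and the IP-to-country table are all constructed for it.

```python
"""Detection check over authentication log lines (added example, not from the lawsuit).

Rule 1: any successful login to a shared account that a pen test flagged is an alert.
Rule 2: any successful login from a country where no legitimate users exist is an alert.
The log format and the IP-to-country table below are constructed for this example.
"""
import re
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed log format: ISO timestamp followed by key=value pairs.
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+user=(?P<user>\S+)\s+src=(?P<src>\S+)\s+status=(?P<status>\S+)$"
)

# Shared accounts reported as high risk by a penetration test (names as given in the
# lawsuit summary above); continued use of them is the finding we want to surface.
FLAGGED_SHARED_ACCOUNTS = {"tester", "testing"}

# Countries from which legitimate remote logins are expected (assumption for this example).
ALLOWED_COUNTRIES = {"US"}

# Constructed stand-in for a GeoIP database using RFC 5737 documentation prefixes.
GEO_TABLE = [
    (ip_network("198.51.100.0/24"), "US"),
    (ip_network("203.0.113.0/24"), "DE"),
]


@dataclass
class Alert:
    ts: str
    user: str
    src: str
    reasons: list = field(default_factory=list)


def country_for(src):
    """Return the country code for an IP from the constructed table, or None if unmapped."""
    addr = ip_address(src)
    for net, cc in GEO_TABLE:
        if addr in net:
            return cc
    return None


def analyse(lines):
    """Return one Alert per successful login that violates a rule, listing every reason."""
    alerts = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m or m["status"] != "ok":
            continue  # failed attempts and unparseable lines are out of scope for these rules
        reasons = []
        if m["user"] in FLAGGED_SHARED_ACCOUNTS:
            reasons.append(f"shared account '{m['user']}' still in use")
        cc = country_for(m["src"])
        if cc is None:
            reasons.append(f"source {m['src']} has no country mapping")
        elif cc not in ALLOWED_COUNTRIES:
            reasons.append(f"login from unexpected country {cc}")
        if reasons:
            alerts.append(Alert(m["ts"], m["user"], m["src"], reasons))
    return alerts


# Constructed sample: a normal login, a shared-account login from Germany,
# a failed attempt (ignored), and a named user logging in from Germany.
SAMPLE_LOG = """\
2015-05-07T02:14:11Z user=jsmith src=198.51.100.7 status=ok
2015-05-07T02:20:45Z user=tester src=203.0.113.45 status=ok
2015-05-07T02:21:02Z user=testing src=203.0.113.45 status=fail
2015-05-07T03:05:19Z user=rjones src=203.0.113.99 status=ok
"""

if __name__ == "__main__":
    for a in analyse(SAMPLE_LOG.splitlines()):
        print(a.ts, a.user, a.src, "; ".join(a.reasons))
```

On the sample, the shared-account login raises both rules at once and the second German login raises only the geography rule, which is the point: the test-account finding stands on its own even where geography looks normal.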

The lawsuit also alleges Medical Informatics Engineering had no documentation to confirm security awareness training had been provided to its employees prior to the data breach.

In addition to violations of HIPAA Rules, the lawsuit alleges Medical Informatics Engineering violated several state statutes relating to the protection of personal information, unfair and deceptive practices, and data breach notifications.

OCR Fines Florida Contractor Physicians’ Group $500,000 for Multiple HIPAA Compliance Failures

An HHS Office for Civil Rights (OCR) investigation into an impermissible disclosure of PHI by a business associate of a HIPAA-covered entity revealed serious HIPAA compliance failures.

Advanced Care Hospitalists (ACH) is a Lakeland, FL-based contractor physicians’ group that provides internal medicine physicians to nursing homes and hospitals in West Florida. ACH falls under the definition of a HIPAA-covered entity and is required to comply with the HIPAA Privacy, Security, and Breach Notification Rules. ACH serves approximately 20,000 patients a year and employed between 39 and 46 staff members per year during the time frame under investigation.

Between November 2011 and June 2012, ACH engaged the services of an individual who claimed to be a representative of Doctor’s First Choice billings Inc., a Florida-based provider of medical billing services. That individual used First Choice’s company name and website, but according to the owner of First Choice, those services were provided without the knowledge or permission of First Choice.

A local hospital notified ACH on February 11, 2014 that some patient information – including names, birth dates, Social Security numbers, and some clinical information – was viewable on the First Choice website. The website was shut down the following day.

In April 2014, ACH submitted a breach report to OCR about the impermissible disclosure of patients’ protected health information (PHI). The breach report stated that the PHI of 400 patients had been impermissibly disclosed, but ACH later amended the report after it was discovered that a further 8,855 patients’ PHI had also been impermissibly disclosed.

OCR investigated the breach and discovered that despite having been in operation since 2005, ACH did not implement any HIPAA Privacy, Security, and Breach Notification Rule policies and procedures before April 1, 2014, and had failed to implement appropriate security measures. ACH also failed to conduct a risk analysis until March 4, 2014.

Even though PHI had been disclosed to the individual providing medical billing services, ACH failed to enter into a business associate agreement with that individual. As a result of the lack of a BAA, ACH impermissibly disclosed the PHI of 9,255 patients to a third party for billing processing services – PHI that was subsequently exposed online.

In addition to paying the $500,000 fine, ACH has agreed to implement a robust corrective action plan to correct all HIPAA compliance failures.

“This case is especially troubling because the practice allowed the names and social security numbers of thousands of its patients to be exposed on the Internet after it failed to follow basic security requirements under HIPAA,” said OCR Director Roger Severino.

The latest settlement is the ninth OCR HIPAA compliance penalty of 2018. A total of $25,572,000 has been paid to OCR in 2018 to resolve compliance failures.

Webinar: DNS-Based Web Filtering for Healthcare Organizations

Healthcare organizations have an opportunity to find out more about DNS-based web filtering in a Wednesday, December 5, 2018 webinar.

The webinar, jointly hosted by Celestix Networks and TitanHQ, explores DNS-based web filtering and introduces Celestix WebFilter Cloud, a 100% cloud-based web filtering solution that protects against web-based threats and allows organizations to implement policy-based Internet controls.

Celestix Networks was formed in 1999 and has delivered more than 25,000 security appliances worldwide and now serves more than 5,000 customers. As IT services have moved beyond the data center, Celestix has developed more flexible cloud-based security solutions, including a cloud-based web filter.

Celestix WebFilter Cloud is powered by TitanHQ’s WebTitan technology. Since 1999, TitanHQ has been developing virtual appliances and cloud-based cybersecurity solutions to protect businesses from email and web-based threats. TitanHQ’s WebTitan technology protects more than 7,500 businesses from malware, ransomware, botnets, spyware, viruses, C2 callbacks, and phishing threats.

TitanHQ’s EVP of Strategic Alliances, Rocco Donnino, and Senior Sales Engineer, Derek Higgins, will explain the technology powering Celestix WebFilter Cloud, how it protects against web-based threats, and how healthcare organizations can carefully control employee and guest Internet access.

Webinar Details:

Topic: DNS-Based Web Filtering
Date: Wednesday, December 5, 2018
Time: 10:00 AM U.S. Pacific Time

You can register for the webinar on this link.