Author Archives: HIPAA Journal

HIPAA Business Associate Data Breach Impacts 21,856 Individuals

The importance of reviewing system activity logs has been underscored by recent HIPAA business associate data breach.

Nebraska-based CBS Consolidated Inc., doing business as Cornerstone Business & Management Solutions, conducted a routine review of system logs on July 10, 2017 and discovered an unfamiliar account on the server. Closer examination of that account revealed it was being used to download sensitive data from the server, including the protected health information of patients that used its medical supplies.

21,856 patients who received durable medical supplies from the company through their Medicare coverage have potentially been affected. The types of data obtained by the hacker included names, addresses, dates of birth, insurance details, and Social Security numbers. While personal information was exposed, the hacker was not able to obtain details of any medical conditions suffered by patients, nor details of any items purchased or financial information.

It is currently unclear how the account was created, although an investigation into the incident is ongoing. CBS says following the discovery of unauthorized access, the server was isolated and access to data was blocked. Since the incident was discovered, CBS has been carefully monitoring its systems and has uncovered no further evidence of unauthorized access or data theft.

Due to the sensitive nature of data stolen by the hacker, all individuals impacted by the breach have been offered 12 months of credit monitoring and identity theft protection services without charge. CBS is also reviewing its security protections and will be introducing new administrative safeguards, providing additional training to staff members on security, as well as improving technical safeguards to prevent future incidents from occurring.

This is the second worst data breach reported by a HIPAA business associate so far in 2017, behind the 56,000-record breach reported by Enterprise Services LLC in June.

The post HIPAA Business Associate Data Breach Impacts 21,856 Individuals appeared first on HIPAA Journal.

Fall in Healthcare Data Breaches in August: Rise in Breach Severity

Healthcare data breaches have fallen for the second month in a row, according to the latest installment of the Breach Barometer report from Protenus/ In August, there were 33 reported healthcare data breaches, down from 36 incidents in July and 56 in June. While the reduction in data breaches is encouraging, that is still more than one healthcare data breach per day.

August may have been the second best month of the year to date in terms of the number of reported incidents, but it was the third worst in terms of the number of individuals impacted. 575,142 individuals were impacted by healthcare data breaches in July, with the figure rising to 673,934 individuals in August. That figure will rise further still, since two incidents were not included in that total since it is not yet known how many individuals have been affected.

The worst incident of the month was reported by Pacific Alliance Medical Center – A ransomware attack that impacted 266,133 patients – one of the worst ransomware incidents of the year to date.

Throughout the year, insider incidents have dominated the breach reports, although in July hacking was the biggest cause of PHI breaches. That trend has continued in August with hackers responsible for 54.5% of all reported data breaches. Those incidents accounted for 95% of all breached patient records in the month. The hacking totals also include phishing and ransomware incidents. There were at least five reported data breaches in August that involved ransomware.

In August, insiders were responsible for 9 incidents – 27.3% of the total – seven of which were insider errors, with two incidents due to insider wrongdoing. 15.2% of breaches were the result of the loss or theft of unencrypted devices containing PHI.

While breaches of electronic protected health information dominated the breach reports, there were six incidents reported that involved physical records, including two mailings in which PHI was visible through the clear plastic windows of the envelopes.

Protenus notes that while healthcare organizations appear to be getting better at discovering data breaches more quickly, the figures for the past two months may be misleading. Alongside the decrease in time taken to identify breaches there has been an increase in hacking incidents, which tend to be discovered faster than insider breaches.

Protenus explains, “For the month of August, time to discover a hacking incident took an average of 26 days (median = 22.5 days), while insider incidents took an average of 209.8 days (median = 115 days),” demonstrating the difficulty healthcare organizations have in detecting insider breaches.

Organizations are reporting breaches to HHS and notifying patients within 60 days of the discovery of a breach on the whole, with only three organizations exceeding the deadline. One of those entities took 177 days from the discovery of the breach to report the incident to HHS. The average time was 53 days and the median time was 58 days.

The breach reports followed a similar pattern to most months, with healthcare providers experiencing the majority of breaches (72%), followed by health plans (18.2%). Business associates reported 3% of breaches and 6% were reported by other entities, including a pharmacy and a private school. Texas was the worst affected state in August with five breaches, followed by California with four, and Ohio and New York with three apiece.

The post Fall in Healthcare Data Breaches in August: Rise in Breach Severity appeared first on HIPAA Journal.

The Compliancy Group Helps Imperial Valley Family Care Medical Group Pass HIPAA Audit

The Department of Health and Human Services’ Office for Civil Rights commenced the second round of HIPAA compliance audits late last year. The audit program consists of desk-based audits of HIPAA-covered entities and business associates, followed by a round of in-depth audits involving site visits. The desk audits have been completed, with the site audits put on hold and expected to commence in early 2018.

Only a small number of covered entities have been selected to be audited as part of the second phase of compliance audits; however, covered entities that have escaped an audit may still be required to demonstrate they are in compliance with HIPAA Rules.

In addition to the audit program, any HIPAA-covered entities that experiences a breach of more than 500 records will be investigated by OCR to determine whether the breach was the result of violations of HIPAA Rules. OCR also investigates complaints submitted through the HHS website.

The first round of HIPAA compliance audits in 2011/2012 did not result in any financial penalties being issued, but that may not be the case for the second round of audits. Also, the past two years as seen an increase in financial penalties for noncompliance with HIPAA Rules that was discovered during investigations of complaints and data breaches.

There is now an elevated risk of an audit or investigation and OCR is issuing more fines for noncompliance. Consequently, covered entities cannot afford to take chances. Many healthcare organizations are turning to HIPAA compliance software and are seeking assistance from compliance experts to ensure their compliance programs are comprehensive and financial penalties are avoided.

Imperial Valley Family Care Medical Group Calls in HIPAA Compliance Experts

Imperial Valley Family Care Medical Group is a multi-specialty physician’s group with 16 facilities spread throughout California. IVFCMG was not selected for a desk audit, although following the theft of a laptop computer, OCR investigated the breach. IVFCMG was required to demonstrate compliance with HIPAA Rules and provide documentation to show the breach was not caused by the failure to follow HIPAA Rules.

Covered entities may fear a comprehensive HIPAA audit, but investigations into data breaches are also comprehensive. OCR often requires considerable documentation to be provided to assess compliance following any breach of protected health information. In the case of IVFCMG, OCR’s investigation was comprehensive.

Responding to OCR’s comprehensive questions in a timely manner was essential. IVFCMG, like many covered entities that are investigated or selected for an audit must be careful how they respond and all questions must be answered promptly and backed up with appropriate documentation.

As we have already seen this year, if HIPAA Rules are not followed to the letter after a data breach is experienced, fines can follow. Presense Health was fined $475,000 by OCR for potential violations of the HIPAA Breach Notification Rule following a breach of PHI.

Following the breach, IVFCMG turned to a third-party firm for assistance and contacted the Compliancy Group. By using the firm’s Breach Response Program, IVFCMG was able to ensure all of the required actions were completed, in the right time frame, and all of those processes were accurately documented.

The Breach Response Program is part of the Compliancy Group’s “The Guard” HIPAA compliance software platform. Compliancy Group simplifies HIPAA compliance, allowing healthcare professionals to confidently run their practice while meeting all the requirements of the HIPAA Privacy, Security and Breach Notification Rules. The Guard uses the “Achieve, Illustrate, and Maintain” methodology to ensure continued compliance, with covered entities guided by HIPAA compliance experts all the way.

IVFCMG’s Chief Strategic Officer, Don Caudill, said “Their experts provided us with a full report and documentation proving that our HIPAA compliance program satisfied the law – which ultimately helped us avoid hundreds of thousands of dollars in fines.” When OCR responded to the initial breach report asking questions about another aspect of HIPAA Rules, IVFCMG was able to respond in a timely fashion and provide the evidence to prove it was in compliance.

HIPAA compliance software helps covered entities pass a HIPAA audit, respond appropriately when OCR investigates data breaches and complaints, and avoid fines for non-compliance. OCR has increased its enforcement activity over the past two years and healthcare data breaches are on the rise. Non-compliance with HIPAA Rules is therefore much more likely to be discovered and result in financial penalties.

Small to medium sized HIPAA-covered entities with limited resources to dedicate to HIPAA compliance can benefit the most from using HIPAA compliance software and receiving external assistance from HIPAA compliance experts.

“Responding to a HIPAA audit requires sensitivity and expertise,” Bob Grant, Chief Compliance Officer of Compliancy Group, told HIPAA Journal. “As a former auditor, I’ve developed The Guard and our Audit Response Program to satisfy the full extent of the HIPAA regulatory requirements. Giving federal auditors everything they need to assess the compliance of your organization is our number one goal. Our Audit Response Program is the only program in the industry to give health care professionals the power to illustrate their compliance so they can get back to running their business in the aftermath of a HIPAA audit.”

The post The Compliancy Group Helps Imperial Valley Family Care Medical Group Pass HIPAA Audit appeared first on HIPAA Journal.

1,081 St. Louis Patients Alerted About Improper PHI Disclosure

1,081 patients of the MS Center of Saint Louis and Mercy Clinic Neurology Town and Country are being informed that they may be contacted for marketing and research purposes by pharmaceutical companies and other third-parties, even though they may not have given their permission to be contacted.

HIPAA Rules do not permit patients to be contacted for marketing or research purposes unless consent to do so has first been obtained. However, an error has resulted in patients’ information being disclosed to third parties in error and patients may be contacted by telephone, mail or email as a result.

The MS Center and Mercy Clinic Neurology Town and Country report that medication onboarding forms were accidentally provided to pharmaceutical companies, even though the forms had not been signed by patients. The error also means patients’ protected health information has been impermissibly disclosed.

Protected health information detailed on the forms includes names, email addresses, telephone numbers, home addresses, health insurance information, and in some cases, treatment and prescription information and Social Security numbers.

Due to the sensitive nature of the information disclosed, there is a possibility that the information could be used inappropriately, although MS Center and Mercy Clinic Neurology Town and Country believe the information has not been used for any other purpose other than marketing and research. However, out of an abundance of caution, all affected individuals have been given the opportunity to register for 12 months of credit monitoring and identity theft protection services without charge.

Upon discovery of the error, an internal investigation was launched and staff potentially involved were interviewed about the incident. Policies and procedures have now been changed to prevent similar incidents from occurring in the future.

The post 1,081 St. Louis Patients Alerted About Improper PHI Disclosure appeared first on HIPAA Journal.

Florida Healthy Kids Corporation Announces 2,000 Patients’ Impacted by Phishing Scam

Reports of phishing attacks on healthcare organizations are arriving thick and fast. The latest HIPAA-covered entity to announce it has fallen victim to a phishing scam is Florida Healthy Kids Corporation, an administrator of the Florida KidCare program.

On July 25, 2017, phishing emails started to arrive in the inboxes of members of staff, some of whom responded and inadvertently gave the attackers access to the sensitive information of members of the KidCare program. The phishing attack was identified the following day and access to the compromised email accounts was immediately blocked. While the incident was mitigated promptly, the attackers had access to email accounts and data contained in those accounts for approximately 24 hours.

During that time, it is possible that the emails were accessed and sensitive information copied, although no reports of abuse of that information have been received and it is not clear whether any information was actually stolen.

An analysis of the compromised email accounts revealed the personal information of 2,000 individuals was potentially accessed. On September 7, 2017, 1,700 individuals were notified by mail that their information had potentially been compromised. The remaining 300 could not be contacted as no valid contact information was held. A substitute breach notice has been uploaded to the website, and a notice added to all online accounts to alert affected individuals when they next login to their accounts.

The types of information exposed includes names, addresses, phone numbers, family account numbers, and Social Security numbers. Since passwords were not exposed, Florida KidCare online family accounts could not be accessed by the attackers. Individuals impacted by the breach have been offered credit monitoring services for 12 months without charge through LifeLock.

Florida Healthy Kids Corporation said policies and procedures will be updated to prevent similar breaches from occurring in the future.

The post Florida Healthy Kids Corporation Announces 2,000 Patients’ Impacted by Phishing Scam appeared first on HIPAA Journal.

PhishMe Report Shows Organizations Are Struggling to Prevent Phishing Attacks

Organizations are struggling to prevent phishing attacks, according to a recently published survey by PhishMe.

The survey, conducted on 200 IT executives from a wide range of industries, revealed 90% of IT executives are most concerned about email-related threats, which is not surprising given the frequency and sophisticated nature of attacks. When attacks do occur, many organizations struggle to identify phishing emails promptly and are hampered by an inefficient phishing response.

When asked about how good their organization’s phishing response is, 43% of respondents rated it between totally ineffective and mediocre. Two thirds of respondents said they have had to deal with a security incident resulting from a deceptive email.

The survey highlighted several areas where organizations are struggling to prevent phishing attacks and respond quickly when phishing emails make it past their defenses.

PhishMe also notes that many first line IT support staff have not received insufficient training or lack the skills to identify phishing emails. Consequently, many fail to escalate threats or block access to malicious links through the firewall or web filter.

The biggest challenge was too many threats and too few responders, according to 50% of respondents. Approximately one third of respondents said they have to deal with more than 500 suspicious emails a week. 21% said they have more than 1,000 emails reported as suspicious each week.

Dealing with those emails and finding the real threats among the spam takes a considerable amount of time. When asked how the phishing response could be improved, number one on the wish list was a solution that could automatically analyze phishing emails to sort the real threats from spam.

Due to time pressures and a lack of human resources, potential phishing attacks are often not dealt with rapidly. Many organizations have an inefficient and ineffective phishing response which makes rapid mitigation difficult.

Part of the problem is how suspicious emails are reported. 55% of organizations have potentially suspicious emails routed to the helpdesk and do not have a dedicated inbox for phishing emails. Mixing reports of potential phishing attacks with other IT issues increases the probability of serious threats being overlooked and invariably leads to delays in implementing the phishing response.

The survey showed companies are heavily reliant on technology to prevent phishing attacks, although most have correctly chosen to implement layered defenses. That said, 42% of respondents said multiple layers of security solutions was a problem when managing phishing attempts.

The most common defense against phishing attacks is email gateway filtering, although 15% of organizations still do not use email filtering technology and 20% do not use an anti-malware solution. There are also clear gaps in employee training. 34% of organizations do not provide computer-based training for employees to improve awareness of phishing and teach employees how to identify phishing emails.

Technology can only go so far. Email gateway solutions are effective at blocking phishing threats, although they are not 100% effective. Malicious emails will make it past email filters so it is essential that staff are trained to identify threats.

PhishMe accepts there are limits to training. “Are all employees going to “get it?” every time? Probably not. But they don’t have to if the rest of the organization is ready to recognize and report suspicious emails. It only takes one to report it so the incident response team can substantially reduce the impact of phishing attacks.”

The post PhishMe Report Shows Organizations Are Struggling to Prevent Phishing Attacks appeared first on HIPAA Journal.

Augusta University Medical Center Phishing Attack Took Three Months to Discover

An Augusta University Medical Center phishing attack has resulted in an unauthorized individual gaining access to the email accounts of two employees.

It is unclear when the phishing attack was discovered, although an investigation into the breach was concluded on July 18, 2017. That investigation confirmed access to the employees’ email accounts was gained between April 20-21, 2017.

Upon discovery of the breach, access to the email accounts was disabled and passwords were reset. The investigation did not confirm whether any of the information in the accounts had been accessed or copied by the attackers.

Patients impacted by the breach have now been notified – five months after the breach occurred. Patients have been informed that the compromised email accounts contained sensitive information such as names, addresses, dates of birth, driver’s license numbers, financial account information, prescription details, diagnoses, treatment information, medical record numbers and Social Security numbers. The amount of information exposed varied for each patient.

It is currently unclear how many patients have been impacted, although a spokesperson for AU Medical Center said the breach impacted fewer than 1% of its patients. Credit monitoring and identity theft protection services are being offered to all patients whose Social Security number was compromised.

This is not the first time that employees at Augusta University have fallen for phishing scams. A similar breach occurred between September 7-9, 2016, resulting in similar data being exposed. In that case, “a small number” of employees responded to phishing emails and divulged their email logins.

While that breach was identified promptly – News Channel 6 reported that all AU employees were required to reset their passwords due to a significant risk following the phishing attack – the Augusta Chronicle reported in May that the investigation into the breach was only completed on March 29, 2017 – more than six months after the attack took place. Individuals impacted by the breach were notified within 60 days of the breach investigation being completed. The breach was reported to the HHS’ Office for Civil Rights on May 26,2017.

The Health Insurance Portability and Accountability Act’s Breach Notification Rule allows HIPAA-covered entities up to 60 days following the discovery of a breach to issue breach notification letters to patients and to alert OCR of the breach.

It should be noted that while HIPAA allows up to 60-days to report data breaches, covered entities must report incidents ‘without unreasonable delay’.  Failure to report incidents promptly can easily result in a HIPAA penalty, as Presense Health discovered earlier this year. In that case, breach notifications were issued three months after the breach was discovered, resulting in a settlement of $475,000.

This latest breach was announced five months after the email accounts were compromised, with the investigation concluding three months after the initial breach. The earlier phishing attack appeared to take 6 months to investigate and report, with notifications sent to patients eight months after the breach.

Why the investigations took so long to conduct and why reporting the incidents was delayed is something of a mystery. According to OCR’s breach reporting portal, the September phishing attack is still under investigation. The latest incident has yet to appear on the OCR breach portal.

The post Augusta University Medical Center Phishing Attack Took Three Months to Discover appeared first on HIPAA Journal.

Phishing Attack Results in the Exposure of PHI at Morehead Memorial Hospital

Morehead Memorial Hospital in Eden, NC has announced two employees have fallen victim to a phishing attack that resulted in an unauthorized individual gaining access to their email accounts. Those accounts contained the protected health information of patients and sensitive information on employees.

Upon discovery of the breach, access to the email accounts was blocked and the hospital performed a network-wide password reset. Leading computer forensics experts were hired to assist with the investigation and determine the extent of the breach. The investigation confirmed that access to the accounts was possible and sensitive patient and employee information could have been accessed.

While no reports have been received to suggest any information in the accounts has been misused, the possibility of data access and data theft could not be ruled out. The types of information exposed includes names, health insurance payment summaries, health insurance information, treatment overviews, and a limited number of Social Security numbers.

Phishing attacks such as this are common. Emails are sent to healthcare employees that appear to be legitimate communications. The emails typically include hyperlinks that, when clicked, require login details to email accounts to be entered. Entering in that information provides the credentials to the attackers, who then use the information to remotely login to email accounts.

Preventing phishing attacks requires a combination of spam filtering technology to prevent phishing emails from reaching inboxes and education to teach employees about the risk from phishing and how to identify phishing attacks.

In response to the breach, Morehead Memorial Hospital is providing staff members with additional training to help them identify fraudulent communications. An internal webpage has also been created to communicate further information about phishing and email attacks to keep staff better informed.

The incident has been reported to the FBI, Department of Homeland Security and Office for Civil Rights. Patients were notified of the breach by mail on Friday last week and all have been offered identity theft monitoring services for 12 months without charge.

Morehead Memorial Hospital has not disclosed how many patients and employees have been impacted by the breach.

The post Phishing Attack Results in the Exposure of PHI at Morehead Memorial Hospital appeared first on HIPAA Journal.

Hospital Employee Fired Over 26,000-Record Arkansas DHS Privacy Breach

A former employee of the Arkansas Department of Human Services (DHS) has been fired from her new position at the state hospital for emailing spreadsheets containing the protected health information of patients to a personal email account.

Yolanda Farrar worked as a payment integrity coding analyst for the DHS, but was fired on March 24, 2017. According to a statement issued by DHS spokesperson Amy Webb, Farrar was fired for “violations of DHS policy on professionalism, teamwork and diligent and professional performance.”

The day previously, Farrar had spoken with her supervisor about issues relating to her performance and learned that she was about to be terminated. Within minutes of that conversation, Farrar emailed spreadsheets from her work email account to a personal email address.

Farrar decided to take legal action against DHS for unfair dismissal. Attorneys working for DHS were preparing to represent the agency in court and were checking emails sent by Farrar through her work email account. They discovered the emails and spreadsheets on August 7. The DHS privacy officer was immediately notified of the discovery and an internal investigation into the incident was launched.

The spreadsheets were found to contain a range of sensitive information of patients including names, birth dates, linked Medicaid identification numbers, diagnoses, codes for medical procedures, and some Social Security numbers. Each record in the spreadsheet was manually checked and after duplicates were removed, DHS determined that the protected health information of 26,044 patients had been emailed to the personal account.

By emailing the spreadsheets, Farrar breached DHS policies, state and federal laws. Farrar had since been employed at the state hospital; however, the discovery of the emails resulted in her being fired from that position. The investigation into the privacy breach is ongoing and the DHS intends to pursue criminal charges against Farrar.

The DHS already requires employees to undergo privacy training. All employees are required to pass a test on that training before they are allowed Internet access and are made aware that emailing confidential information outside the agency is prohibited.  A review of policies and procedures is being conducted to determine whether any further actions can be taken to reduce the potential for similar incidents from occurring in the future.

DHS has confirmed that all individuals impacted by the incident will be notified of the privacy breach by mail this week.

The post Hospital Employee Fired Over 26,000-Record Arkansas DHS Privacy Breach appeared first on HIPAA Journal.