Healthcare Data Privacy

November 2018 Healthcare Data Breach Report

Posted December 20, 2018 by HIPAA Journal

For the second consecutive month there has been an increase in both the number of reported healthcare data breaches and the number of records exposed, stolen, or impermissibly disclosed.

November was the worst month of the year to date for healthcare data breaches in terms of the number of exposed healthcare records. 3,230,063 records were exposed, stolen, or impermissibly disclosed in the breaches reported in November.

To put that figure into perspective, that’s more records than were exposed in all 180 data breaches reported to the HHS’ Office for Civil Rights (OCR) in the first half of 2018.

There were 34 healthcare data breaches reported to OCR in November, making it the second worst month of the year to date for breaches, behind June when 41 breaches were reported.

Largest Healthcare Data Breaches in November 2018

The largest healthcare data breach of 2018 was reported in November by Accudoc Solutions, a business associate of Atrium Health that provides healthcare billing services. That single breach resulted in the exposure of more than 2.65 million healthcare records.

AccuDoc Solutions discovered hackers had gained access to some of its databases for a week in September 2018. According to AccuDoc, the information in the databases could only be viewed, not downloaded.

Rank	Name of Covered Entity	Covered Entity Type	Individuals Affected	Type of Breach
1	AccuDoc Solutions, Inc.	Business Associate	2652537	Hacking/IT Incident
2	HealthEquity, Inc.	Business Associate	165800	Hacking/IT Incident
3	New York Oncology Hematology, P.C.	Healthcare Provider	128400	Hacking/IT Incident
4	Baylor Scott & White Medical Center – Frisco	Healthcare Provider	47984	Hacking/IT Incident
5	Cancer Treatment Centers of America (CTCA) at Western Regional Medical Center	Healthcare Provider	41948	Hacking/IT Incident
6	Oprex Surgery (Baytown), L.P. d/b/a Altus Baytown Hospital	Healthcare Provider	40000	Hacking/IT Incident
7	Center for Vitreo-Retinal Diseases	Healthcare Provider	20371	Unauthorized Access/Disclosure
8	Veterans Health Administration	Healthcare Provider	19254	Unauthorized Access/Disclosure
9	Steward Medical Group	Healthcare Provider	16276	Hacking/IT Incident
10	Mind and Motion, LLC	Healthcare Provider	16000	Hacking/IT Incident

Main Causes of November 2018 Healthcare Data Breaches

As was the case in October, hacking/IT incidents accounted for the highest number of data breaches and the most exposed/stolen healthcare records. There were 18 hacking/IT incidents reported in November. Those breaches impacted 3,138,657 individuals.

There were 11 breaches classified as unauthorized access/disclosure incidents which impacted 65,143 individuals, and 4 loss/theft incidents that resulted in the exposure of 22,333 healthcare records. One improper disposal incident exposed 3,930 healthcare records.

Location of Breached Protected Health Information

Email breaches continue to be a major problem in healthcare. These breaches include phishing attacks, unauthorized accessing of email accounts, and misdirected emails. There were 11 email-related breaches of PHI in November. Up until December 19, 2018, 111 email-related healthcare data breaches have been reported to OCR. Those breaches involved more than 3.4 million healthcare records.

Technical solutions can be implemented to reduce the number of email related breaches. Spam filters will prevent the majority of phishing emails from reaching inboxes, but no technical solution will be 100% effective so employees need to be trained how to recognize phishing attacks and other email threats.

All individuals in an organization from the CEO down should receive regular security awareness training with a particular emphasis on phishing. In addition to regular training sessions, phishing simulation exercises should be conducted. Through phishing simulations, healthcare organizations can assess their security awareness training programs and find out which employees require further training.

Data Breaches by Covered-Entity Type

Healthcare providers were the covered entities worst affected by healthcare data breaches in November 2018 with 29 reported incidents.

Business associates of HIPAA-covered entities reported 5 breaches and there were a further five breaches reported by healthcare providers that had some business associate involvement – Twice the number of breaches involving business associates (to some degree) as October.

There were no health plan data breaches reported in November.

Healthcare Data Breaches by State

Texas was the state worst affected by healthcare data breaches in November with 8 reported breaches. New York experienced three healthcare data breaches and there were two breaches reported in each of Georgia, Iowa, Illinois, Missouri, North Carolina, Utah, and Virginia.

One healthcare data breach was reported in Arizona, California, District of Columbia, Massachusetts, Maryland, Nebraska, New Jersey, Pennsylvania, and Washington.

Penalties for HIPAA Violations in November 2018

The Department of Health and Human Services’ Office for Civil Rights settled one HIPAA violation case with a healthcare provider in November.

Allergy Associates of Hartford was fined $125,000 over a physician’s impermissible disclosure of PHI to a TV reporter. The disclosure occurred after the physicians was instructed by the Allergy Associates of Hartford Privacy Officer not to respond to the reporter’s request for information about a patient, or to reply with ‘no comment’. Allergy Associates of Hartford failed to take any action against the physician over the HIPAA violation.

New Jersey also issued a financial penalty to a HIPAA-covered entity in November to resolve a HIPAA violation case. Best Transcription Medical was fined $200,000 for exposing the electronic protected health information of patients over the Internet. The breach affected 1,650 New Jersey residents.

The post November 2018 Healthcare Data Breach Report appeared first on HIPAA Journal.

27% of Healthcare Organizations Have Experienced a Ransomware Attack in the Past Year

Posted December 19, 2018 by HIPAA Journal

According to a new report from Kaspersky Lab, 27% of healthcare employees said their organization had experienced at least one ransomware attack in the past five years and 33% said their organization had experienced multiple ransomware attacks.

In its report – Cyber Pulse: The State of Cybersecurity in Healthcare – Kaspersky lab explained that up until January 1, 2018, the U.S. Department of Health and Human Services’ Office for Civil Rights has been notified of more than 110 hacking/IT-related data breaches that have affected more than 500 individuals.

The impact of those breaches can be serious for the organizations concerned. Not only can breaches result in millions of dollars in costs, they can permanently damage the reputation of a healthcare organization and can result in harm being caused to patients.

To investigate the state of cybersecurity in healthcare, Kaspersky Lab commissioned market research firm Opinion Matters to conduct a survey of healthcare employees in the United States and Canada to explore the perceptions of healthcare employees regarding cybersecurity in their organization. 1,758 U.S. and Canadian healthcare employees were surveyed.

81% of small healthcare organizations (1-49 employees), 83% of medium-sized healthcare organizations (50-249 employees), and 81% of large healthcare organizations (250+ employees) said they had experienced between 1 and 4 ransomware attacks.

The cost of mitigating ransomware and malware attacks is considerable. According to the Ponemon Institute/IBM Security’s 2018 Cost of a Data Breach Report, the average cost of a data breach has now risen to $3.86 million. Kaspersky Lab’s 2018 Cost of a Data Breach Report places the average cost at $1.23 million for enterprises and $120,000 for SMBs.

While cybersecurity is important for reducing financial risk, 71% of healthcare employees said it was important for cybersecurity measures to be implemented to protect patients and 60% said it was important to have appropriate cybersecurity solutions in place to protect people and companies they work with.

Even though healthcare organizations have invested heavily in cybersecurity, many employees lack confidence in their organization’s cybersecurity strategy. Only 50% of healthcare IT workers were confident in they cybersecurity strategy, that fell to 29% for management and doctors, 21% for nurses, 23% for finance department employees, and 13% for the HR department.

Many healthcare employees appear to have a false sense of security. Even though healthcare data breaches are being reported on a daily basis, 21% of respondents had total faith in their organization’s ability to prevent cyberattacks and did not believe they would suffer a data breach in the forthcoming year.

While 73% of surveyed employees said they would inform their security team if they received an email from an unknown individual requesting PHI or login credentials, 17% of employees said they would do nothing if they received such a request. 17% of employees also admitted to having received an email request from a third-party vendor for ePHI and provided the ePHI as requested.

“Healthcare companies have become a major target for cybercriminals due to the successes they’ve had, and repeatedly have, in attacking these businesses. As organizations look to improve their cybersecurity strategies to justify employee confidence, they must examine their approach,” explained Rob Cataldo, VP of enterprise sales at Kaspersky Lab. “Business leaders and IT personnel need to work together to create a balance of training, education, and security solutions strong enough to manage the risk.”

The post 27% of Healthcare Organizations Have Experienced a Ransomware Attack in the Past Year appeared first on HIPAA Journal.

Vulnerability Identified in Medtronic Encore and Carelink Programmers

Posted December 18, 2018 by HIPAA Journal

ICS-CERT has issued an advisory about a vulnerability that has been identified in certain Medtronic CareLink and Encore Programmers. Some personally identifiable information (PII) and protected health information (PHI) stored on the devices could potentially be accessed due to a lack of encryption for data at rest.

The programmers are used in hospitals to program and manage Medtronic cardiac devices and may store reports containing patients’ PII/PHI. An attacker with physical access to one of the vulnerable programmers could access the reports and view patients PII/PHI. The vulnerability would require a low level of skill to exploit.

The vulnerability, tracked as CVE-2018-18984 (CWE-311), was identified by security researchers Billy Rios and Jonathan Butts of Whitescope LLC who discovered encryption was either missing or stored PII/PHI was not sufficiently encrypted. The vulnerability has been assigned a CVSS V3 base score of 4.6.

The vulnerability is present in all versions of CareLink 2090 Programmers, CareLink 9790 Programmers, and the 29901 Encore Programmers.

Medtronic has advised all hospitals to stop using CareLink 9790 Programmers for any purpose as they have reached end-of-life and are no longer supported.

Users of CareLink 2090 and 29901 Encore Programmers should ensure that PII/PHI is stored on the Programmers for the shortest possible time. The devices are only intended to be used to store PII/PHI for short periods of time until the information can be transferred to other medical systems or printed to paper reports.

All affected programmers allow reports containing PII/PHI to be manually deleted when they are no longer required. Users of all vulnerable Programmers should ensure that all PII/PHI is deleted from the devices before they are decommissioned.

Medtronic has also advised users to ensure physical control of the Programmers is maintained at all times to prevent unauthorized access and only to use legitimately obtained Programmers and not to use any that are supplied by a third party.

The post Vulnerability Identified in Medtronic Encore and Carelink Programmers appeared first on HIPAA Journal.

Federal GDPR-Style Data Privacy Bill Introduced

Posted December 17, 2018 by HIPAA Journal

Data privacy laws have been implemented at the state level, but currently there is no federal data privacy law covering all 50 states; however, that could soon change. On Wednesday December 12, 2018, a group of 15 U.S. senators, led by Brian Schatz, (D-Hawai’i), introduced the Data Care Act.

The Data Care Act would require all companies that collect personal data of users to take reasonable steps to ensure that information is safeguarded and protected from unauthorized access. Additionally, companies would be required to only use personal data for specific purposes and not in any way that could result in consumers coming to harm.

The bill was introduced almost 7 months after the E.U. introduced the General Data Protection Regulation (GDPR). While the Data Care Act does not go as far as GDPR, it does include several GDPR-like provisions.

As with GDPR, the bill places limits on the use, collection, and sharing of personal information and introduces new rights for individuals to allow them to access, correct, delete, and port their personal data.

The bill would also require companies to disclose the names of the persons or companies to whom users’ personal data have been sold to and individuals/companies that have been licensed to use personal data.

There are notable differences between GDPR and the Data Care Act. The latter does not include the right to restrict or object to the processing of personal information, there are no data breach notification requirements, a Data Protection Officer does not need to be appointed, and there is no requirement for risk assessments related to high-risk processing activities.

If passed, the Data Care Act will be enforced by the Federal Trade Commission which will be given the authority to issue financial penalties to companies that fail to comply. State attorneys general will also be authorized to bring civil actions against firms for noncompliance.

GDPR failures can attract a maximum penalty of €20 million or 4% of global annual turnover, whichever is greater. The maximum penalty for Data Care Act violations is $16,500 per covered person.

The bill is primarily concerned with currently unregulated online companies, ISPs and FCC common carriers, although it also has implications for regulated industries such as the financial services and healthcare.

Health data will be covered by the Data Care Act in three categories: Health data related to the provision of medical services related to the physical and mental health of an individual; Health data processed in relation to the provision of health and wellness services; and health data that is derived from medical tests, including genetic and biological samples. The FTC will have the authority to further define the types of information classed as health data.

Individuals will be given the right to dispute the completeness of their personal health information, although according to the bill, “[The Data Care Act] does not preempt laws that address the collection, use, or disclosure of health information covered by the Health Insurance Portability and Accountability Act or financial information covered by Gramm-Leach-Bliley Act.”

“People have a basic expectation that the personal information they provide to websites and apps is well-protected and won’t be used against them. Just as doctors and lawyers are expected to protect and responsibly use the personal data they hold, online companies should be required to do the same. Our bill will help make sure that when people give online companies their information, it won’t be exploited,” explained Senator Schatz.

“For too long, Americans’ digital privacy has been far from guaranteed, and it is time for Congress to pass legislation providing comprehensive protections for personal information,” wrote the Center for Democracy and Technology in a press release announcing the publication of a discussion draft of the bill.

In addition to Senator Schatz, the bill has been co-sponsored by Senators Maggie Hassan (D-N.H.), Michael Bennet (D-Colo.), Tammy Duckworth (D-Ill.), Amy Klobuchar (D-Minn.), Patty Murray (D-Wash.), Cory Booker (D-N.J.), Catherine Cortez Masto (D-Nev.), Martin Heinrich (D-N.M.), Ed Markey (D-Mass.), Sherrod Brown (D-Ohio), Tammy Baldwin (D-Wis.), Doug Jones (D-Ala.), Joe Manchin (D-W.Va.), and Dick Durbin (D-Ill.).

The discussion draft of the bill can be downloaded from the Center for Democracy and Technology on this link.

The post Federal GDPR-Style Data Privacy Bill Introduced appeared first on HIPAA Journal.

EmblemHealth Pays $100,000 HIPAA Violation Penalty to New Jersey for 2016 Data Breach

Posted December 11, 2018 by HIPAA Journal

The health insurance provider EmblemHealth has been fined $100,000 by New Jersey for a 2016 data breach that exposed the protected health information (PHI) of more than 6,000 New Jersey plan members.

On October 3, 2016, EmblemHealth sent Medicare Part D Prescription Drug Plan Evidence of Coverage documents to its members.

The mailing labels included beneficiary identification codes and Medicare Health Insurance Claim Numbers (HCIN), which mirror Social Security numbers. The documents were sent to more than 81,000 policy members, 6,443 of whom were New Jersey residents.

The New Jersey Division of Consumer Affairs investigated the breach and identified policy, procedural, and training failures. Previous mailings of Evidence of Coverage documents were handled by a trained employee, but when that individual left EmblemHealth, mailing duties were handed to a team manager who had only been given minimal task-specific training and worked unsupervised.

That individual sent a data file to EmblemHealth’s mailing vendor without first removing HCINs, which resulted in the HCINs being printed on mailing labels: A violation of HIPAA, the New Jersey Identity Theft Prevention Act, and the New Jersey Consumer Fraud Act.

“Health insurers entrusted with their customers’ sensitive personal information have a duty to avoid improper disclosures,” said New Jersey Attorney General Gurbir S. Grewal. “EmblemHealth fell short of its obligations to its customers in this case, and I am pleased that our settlement includes measures designed to prevent similar breaches at this company in the future.”

In addition to the financial penalty, EmblemHealth has agreed to make changes to its policies and procedures to prevent further breaches of plan members’ PHI. Those measures include the use of unique patient identifiers for mailings rather than HCINs or Medicare Beneficiary Identifiers.

EmblemHealth will also ensure that a formal transfer process takes place when the responsibilities of outgoing staff are passed on to other EmblemHealth employees or third parties, and that all necessary training will be provided.

All incoming employees will also be required to complete additional privacy and security training modules and refresher training sessions will be conducted annually. The New Jersey Division of Consumer Affairs will be monitoring EmblemHealth over the next three years and must be informed of any further breaches of the PHI of New Jersey customers.

“This settlement should serve as a reminder that we are committed to safeguarding consumer privacy, and will hold accountable any businesses that are careless in the handling of such personal data,” said Paul R. Rodríguez, Acting Director of the Division of Consumer Affairs.

New Jersey has been highly active as an enforcer of HIPAA Rules and has agreed four settlements in 2018 to resolve violations of HIPAA Rules. In addition to the EmblemHealth HIPAA fine, New Jersey has settled HIPAA violations with Best Transcription Medical ($200,000), Aetna ($365,211.59), and Virtua Medical Group ($417,816) in 2018.

The post EmblemHealth Pays $100,000 HIPAA Violation Penalty to New Jersey for 2016 Data Breach appeared first on HIPAA Journal.

Vulnerability Identified in Philips HealthSuite Health Android App

Posted December 7, 2018 by HIPAA Journal

The Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has issued a medical advisory about a vulnerability that has been identified in the Philips HealthSuite Health Android App.

The Philips HealthSuite Health Android App records body measurements and health data to allow users to track activities to help them achieve their health goals. The app is used by individuals in the United States, Netherlands, Germany and the United Kingdom.

User data stored by the app is encrypted to prevent unauthorized access; however, a security researcher discovered the method used to encrypt data is too simplistic and does not offer a sufficiently high level of protection.

As a result, an attacker with physical access to the app could exploit the vulnerability to gain access to a user’s data. The vulnerability could not be exploited remotely so the risk to users is low. The vulnerability, tracked as CVE-2018-19001, has been assigned a CVSS v3 base score of 3.5.

Philips will be releasing a new version of the app in the first quarter of 2019 which will use a stronger method of encryption for user data. In the meantime, Philips recommends not using the app on rooted or jail-broken mobile devices as doing so would weaken security and increase risk.

The post Vulnerability Identified in Philips HealthSuite Health Android App appeared first on HIPAA Journal.

First Hospital GDPR Violation Penalty Issued: Portuguese Hospital to Pay €400,000 GDPR Fine

Posted December 7, 2018 by HIPAA Journal

The first hospital GDPR violation penalty has been issued in Portugal. The Portugal supervisory authority, Comissão Nacional de Protecção de Dados (CNPD), took action against the Barreiro Montijo hospital near Lisbon for failing to restrict access to patient data stored in its patient management system.

Concerns were raised about the lack of data access controls in April 2018. Medical workers in the southern zone discovered non-clinical staff were using medical profiles to access the patient management system.

CNPD conducted an audit of the hospital and discovered 985 hospital employees had access rights to sensitive patient health information when there were only 296 physicians employed by the hospital. Only medical doctors at the hospital should have been able to access that level of detailed information about patients. CNPD also discovered a test profile had been set up with full, unrestricted administrator-level access to patient data and nine social workers had been granted access to confidential patient data.

The failure to implement appropriate access controls is a violation of the EU’s General Data Protection Regulation (GDPR) which came into force on May 25, 2018.

The hospital has been fined €400,000 ($455,050) for the GDPR violations – €300,000 for the failure to limit access to patient data and €100,000 for the failure to ensure the confidentiality, integrity, and availability of treatment systems and services. The hospital is taking legal action over the GDPR penalty.

This is the first GDPR violation fine to be issued in Portugal and one of the first fines since GDPR started to be enforced in May 2018. The financial penalty is well below the maximum fine that can be issued for a GDPR violation, which is up to €20 million ($22.74 million) or 4% of global annual turnover, whichever is greater.

In November, the supervisory authority in Germany, Baden-Württemberg Data Protection Authority, issued a financial penalty to the chat platform Knuddels.de for the failure to secure the personal information of EU residents. Knuddels.de suffered a data breach that exposed the email addresses of 808,000 users and 1.8 million usernames and passwords. The investigation revealed sensitive information such as passwords were stored in plain text.

Knuddels.de was fined €20,000 ($22,750). The relatively low fine was due to the level of transparency over the breach, exemplary cooperation with the data protection authority, and the speed at which security upgrades were applied.

The post First Hospital GDPR Violation Penalty Issued: Portuguese Hospital to Pay €400,000 GDPR Fine appeared first on HIPAA Journal.

UPMC Data Breach Lawsuit Reinstated by Pennsylvania Supreme Court

Posted November 28, 2018 by HIPAA Journal

A lawsuit filed by employees affected by a data breach at University of Pennsylvania Medical Center (UPMC) has been revived by the Pennsylvania Supreme Court.

The lawsuit was filed after hackers stole the information of approximately 62,000 current and former UPMC employees in a data breach discovered by UPMC in February 2014. The stolen information included names, addresses, Social Security numbers, tax information, and bank account numbers. The information was used to file fraudulent tax returns in employees’ names to receive tax refunds.

According the lawsuit, “As a result of UPMC’s negligence, employees incurred damages relating to fraudulently filed tax returns and are at an increased and imminent risk of becoming victims of identity theft crimes, fraud and abuse.”

UPMC argued that there is no cause of action for negligence as no property damage or physical injury was alleged by its employees. In Pennsylvania, no cause of action exists for negligence that solely results in economic losses.

The lawsuit was thrown out by two lower courts; however, last week the lawsuit was reinstated by the state’s high court. Justice Max Baer wrote in the opinion that UPMC had a responsibility to address risks that arise from the collection of sensitive data and had a legal duty to protect sensitive information provided by its employees. UPMC breached its common-law duty to exercise reasonable care and safeguard information stored on an Internet-accessible computer system. All six Supreme Court judges agreed that UPMC was responsible for protecting the sensitive data of its employees.

Baer confirmed that “Under Pennsylvania’s economic loss doctrine, recovery for purely pecuniary damages is permissible under a negligence theory provided that the plaintiff can establish the defendant’s breach of a legal duty arising under common law that is independent of any duty assumed pursuant to contract.”

The case will now return to the lower court for review. If UPMC is found to have been negligent, UPMC may be required to pay monetary damages to employees who suffered economic losses as a result of the data breach.

The post UPMC Data Breach Lawsuit Reinstated by Pennsylvania Supreme Court appeared first on HIPAA Journal.

2.65 Million Atrium Health Patients Impacted by Business Associate Data Breach

Posted November 28, 2018 by HIPAA Journal

A data breach has been reported by AccuDoc Solutions Inc., a provider of healthcare billing services, that resulted in the exposure of the protected health information of 2,650,000 patients of Atrium Health.

Morrisville, NC-based AccuDoc Solutions prepares bills for patients and operates the online payment system used by Atrium Health, a network of 44 hospitals throughout North Carolina, South Carolina and Georgia.

On October 1, 2018, AccuDoc Solutions notified Atrium Health that some of its databases had been compromised. The breach investigation revealed hackers had gained access to AccuDoc Solutions databases between September 22 and September 29, 2018.

An extensive forensic investigation into the attack confirmed that patient information had been compromised, but the information stored in its databases could only be viewed. No PHI was downloaded by the attackers nor distributed via other channels.

AccuDoc Solutions reports that the breach was due to a security vulnerability at a third-party vendor. The business relationship with that vendor has now been terminated. AccuDoc Systems has locked out the hackers and has enhanced its security measures to prevent future attacks.

Atrium Health said the information compromised in the attack was limited to patients’ names, addresses, invoice numbers, account balances, service dates, and health insurance information. Approximately 700,000 Social Security numbers were also compromised; however, no sensitive financial information or medical records were affected.

“We are notifying the patients and guarantors who may have been impacted by this incident. We take cybersecurity very seriously, and we’ve worked very hard to determine exactly what happened, and how to prevent it from happening again,” said a spokesperson for Atrium Health. “The fact that even one record was accessed is one too many. Our patients expect us to keep all of their information private, which is why we took action so quickly.”

Atrium Health is now notifying all affected patients and has offered credit monitoring and identity theft protection services to patients impacted by the breach.

AccuDoc serves approximately 50 other healthcare providers; however only one other client was affected by the breach: Baylor Medical Center in Frisco, TX. Approximately 40,000 Baylor Medical Center patients were affected.

Based on the estimated number of individuals affected, this is the largest healthcare data breach since the 3,466,120-record breach at Newkirk Products Inc., that was reported to OCR in September 2016. It is the eleventh largest healthcare data breach reported since OCR started publishing breach summaries in 2009.

Largest Ever Healthcare Data Breaches

Rank	Entity	Entity Type	Individuals Affected	Breach Type	Date
1	Anthem Inc.	Health Plan	78,800,000	Hacking/IT Incident	Feb-15
2	Premera Blue Cross	Health Plan	11,000,000	Hacking/IT Incident	Mar-15
3	Excellus Health Plan, Inc.	Health Plan	10,000,000	Hacking/IT Incident	Sep-15
4	Science Applications International Corporation	Business Associate	4,900,000	Loss	Nov-11
5	University of California, Los Angeles Health	Healthcare Provider	4,500,000	Hacking/IT Incident	Jul-15
6	Community Health Systems Professional Services Corporation	Business Associate	4,500,000	Hacking/IT Incident	Aug-14
7	Advocate Health and Hospitals Corporation, dba Advocate Medical Group	Healthcare Provider	4,029,530	Theft	Aug-13
8	Medical Informatics Engineering	Business Associate	3,900,000	Hacking/IT Incident	Jul-15
9	Banner Health	Healthcare Provider	3,620,000	Hacking/IT Incident	Aug-16
10	Newkirk Products, Inc.	Business Associate	3,466,120	Hacking/IT Incident	Aug-16
11	AccuDoc Solutions Inc.	Business Associate	2,650,000	Hacking/IT Incident	Nov-18
12	21st Century Oncology	Healthcare Provider	2,213,597	Hacking/IT Incident	Mar-16

The post 2.65 Million Atrium Health Patients Impacted by Business Associate Data Breach appeared first on HIPAA Journal.

Daily HIPAA News, HIPAA RSS Feeds, HIPAA Information