Healthcare Data Privacy

North Dakota Department of Human Services Notifies 2,452 Medicaid Recipients of PHI Exposure

Posted by HIPAA Journal

The North Dakota Department of Human Services (NDDHS) is alerting 2,452 Medicaid recipients that some of their protected health information has been exposed when documents were improperly disposed of in a Bismarck dumpster.

The HIPAA breach was discovered on May 19, 2017 when a member of the public saw documents containing sensitive information in a dumpster. The citizen contacted NDDHS about the discovery and an investigation was immediately launched. NDDHS arranged to collect the documents the same day.

The documents were Medicaid worksheets dated 2015. The worksheets did not contain Social Security numbers, financial information or Medicaid recipients’ addresses; however, detailed on the sheets were Medicaid recipients’ first and last names, the first two characters of their Medicaid provider name, Medicaid provider numbers, Medicaid ID numbers, a two-digit code representing the county of residence, an internal NDDHS ID number, dates of service, amounts covered by insurance, amounts billed and allowed, diagnosis codes, coding modifiers and quantity and tooth and surface detail relating to dental work. The information exposed varied for each patient.

The internal investigation into the privacy breach revealed one individual was responsible for dumping the documents and the improper disposal involved no malicious intent. The records were dumped on May 8, 2017, two days prior to them being found by a member of the public.

Since there is a possibility that the documents have been viewed by others, individuals affected by the incident have been offered complimentary credit monitoring and identity theft protection services. However, the potential for re-disclosure of information is believed to be low as all documents have now been recovered and secured. NDDHS said in its press release that no evidence has been uncovered to suggest any information in the documents has been used improperly or further disclosed and that “appropriate disciplinary action has been taken.”

Training had already been provided to staff members on information security and HIPAA Rules. NDDHS is now working with its staff to prevent future incidents of this nature from occurring. The incident has also prompted NDDHS to conduct a review of its policies and procedures for safeguarding the protected health information of Medicaid recipients.

The post North Dakota Department of Human Services Notifies 2,452 Medicaid Recipients of PHI Exposure appeared first on HIPAA Journal.

MDLive Privacy Lawsuit Voluntarily Dismissed

Posted by HIPAA Journal

The MDLive privacy lawsuit filed by law firm Edelson PC on behalf of plaintiff Joan Richards over alleged privacy violations has been voluntarily dropped without any settlement paid.

The lawsuit was filed after following an alleged discovery that screenshots were repeatedly taken by MDLive and were passed to third-party Israeli firm Test Fairy. Test Fairy had been contracted to perform quality control checks and debugging services. However, the plaintiff alleged that the sending of screenshots, which contained sensitive information entered by users of MDLive, was a violation of patient privacy.

Following the filing of the lawsuit on April 18, 2017, MDLive published a fact sheet explaining its relationship with the Israeli firm, stating the allegations were false, that there had not been a data breach and no HIPAA Rules had been violated.

MDLive also said in the fact sheet that no data had been shared with unauthorized third parties. Some data had been disclosed to authorized third parties, although those firms were bound by contractual obligations and had agreed only to use data for the specific purposes for which the information was disclosed.

MDLive pointed out that the use of the Test Fairy tool was consistent with its disclosed privacy policy and said Test Fairy did not have access to patient data from patient-physician consultations. MDLive also said all members are advised in its privacy policy that personal information may be disclosed to its contracted third parties to support its business.

A recent press release issued by MDLive has confirmed the lawsuit has been dismissed “in response to arguments by MDLive that the suit lacked any legal or factual basis.” MDLive filed a motion to dismiss the lawsuit and the plaintiff responded with a notice of non-opposition, but requested additional time to file an amended complaint. However, as the deadline for filing the complaint approached, the plaintiff made the decision to dismiss the entire lawsuit.

In the press release, MDLive said all claims in the lawsuit have been voluntarily dismissed without prejudice by the plaintiff. There was no payment of any settlement or other consideration by MDLive or its management in connection with the lawsuit.

MDLive CEO Scott Decker said, “Privacy and patient confidentiality are at the heart of everything we do, and MDLIVE will continue to rigorously review and evolve our technology and processes to safeguard member information and build trust in the telehealth industry.” Decker welcomed the dismissal of the lawsuit, saying, “We are thrilled this lawsuit was appropriately dismissed as we continue pursuing MDLIVE’s goal of enabling 24/7/365 access to affordable virtual healthcare for consumers, employers, health plans and health systems across the US.”

The post MDLive Privacy Lawsuit Voluntarily Dismissed appeared first on HIPAA Journal.

Recent Employee Snooping Incidents Highlight Need for Access Controls and Alerts

Posted by HIPAA Journal

Ransomware, malware and unaddressed software vulnerabilities threaten the confidentiality, integrity and availability of PHI, although healthcare organizations should take steps to deal with the threat from within. This year has seen numerous cases of employees snooping and accessing medical records without authorization.

The HIPAA Security Rule 45 CFR §164.312(b) requires covered entities to “Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information,” while 45 CFR §164.308(a)(1)(ii)(D) requires covered entities to “Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.”

Logs create an audit trail that can be followed in the event of a data breach or privacy incident. Those logs can be checked to discover which records have been accessed without authorization.

If those logs are monitored continuously, privacy breaches can be identified quickly and action taken to limit harm. However, recent incidents have shown that while access logs are kept, they are not being regularly checked. There have been numerous recent examples of employees who have improperly accessed patients’ medical records over a period of several years.

A few days ago, Beacon Health announced an employee had been discovered to have improperly accessed the medical records of 1,200 patients without any legitimate work reason for doing so. That employee had been snooping on medical records for three years.

In March, Chadron Community Hospital and Health Services in Nevada discovered an employee had accessed the medical records of 700 patients over a period of five years and St. Charles Health System in central Oregon discovered an employee had accessed medical records without authorization over a 27 month period.

Also in March, Trios Health discovered an employee had improperly accessed the medical records of 570 patients. The improper access occurred over a period of 41 months.

Rapid detection of internal privacy breaches is essential. Even when snooping is discovered relatively quickly, the privacy of many thousands of patients may have already been violated. In January, Covenant HealthCare notified 6,197 patients of a privacy breach after an employee was discovered to have improperly accessed medical records over a period of 9 months, while a Berkeley Medical Center employee accessed the ePHI of 7,400 patients over a period of 10 months.

Healthcare organizations may not feel it is appropriate to restrict access to patients’ PHI, but a system can be implemented that will alert staff to improper access promptly. Software solutions can be used to detect improper access and alert appropriate members of staff in near real-time. If such systems are not implemented, regular audits of ePHI access logs should be conducted. Regular checks of ePHI access logs will allow organizations to prevent large-scale breaches, reduce legal liability and reduce the harm caused by rogue employees.

The post Recent Employee Snooping Incidents Highlight Need for Access Controls and Alerts appeared first on HIPAA Journal.

Plastic Surgery Clinic Employee Suspected of Stealing 15,000 Patient Records

Posted by HIPAA Journal

A former employee of a Californian plastic surgery clinic is suspected of stealing the medical records of around 15,000 patients.

The employee worked at the Rodeo Drive clinic in Beverly Hills run by Dr. Zain Kadri. The employee had been employed as a driver and translator since September 2016, but had subsequently been given other duties such as data entry. Allegedly, she quit the practice on May 13 after being accused of embezzlement.

The employee was later discovered to have taken photographs of patients before and during surgical procedures and uploaded those pictures to the image sharing site Snapchat.

Further data theft was uncovered in May while the clinic was transferring paper records to digital files. As part of that process, the clinic checked a company phone used by the former employee. Images were discovered on the device including photographs of patients, but also photographs of patient IDs, usernames and passwords, copies of checks and credit and debit card information. Conversations were also reportedly recorded by the employee. It is unclear how much of that information was shared on social media or was stolen.

The clinic has performed surgeries on several celebrities, many of whom have had their privacy violated. The patients affected by the incident come from 16 U.S. states and four countries. The potential harm from misuse of the information is considerable.

The data theft has been reported to the Los Angeles County Sheriff’s Department and the incident is being investigated. All patients affected by the breach are now being notified that their information may have been stolen. At this stage, it is unclear whether charges will be filed against the former employee.

The post Plastic Surgery Clinic Employee Suspected of Stealing 15,000 Patient Records appeared first on HIPAA Journal.

Study Uncovers More Than 8,000 Security Flaws in Pacemakers from Four Major Manufacturers

Posted by HIPAA Journal

Over the past 12 months, security vulnerabilities in implantable medical devices have attracted considerable attention due to the potential threat to patient safety.

Last year, MedSec conducted an analysis of pacemaker systems which revealed security vulnerabilities in the Merlin@home transmitter and the associated implantable cardiac devices manufactured by St. Jude Medical. Those vulnerabilities could potentially be exploited to cause device batteries to drain prematurely and the devices to malfunction.

A recent study of the pacemaker ecosystem has uncovered a plethora of security flaws in devices made by other major manufacturers. Those flaws could potentially be exploited to gain access to sensitive data and cause devices to malfunction.

Billy Rios and Jonathan Butts, PhD., of security research firm WhiteScope has recently published a white paper detailing the findings of the study.

The pair conducted an analysis of seven cardiac devices from four major device manufacturers. The researchers evaluated home monitoring devices, implantable cardiac devices and physician programmers, with most effort concentrated on four programmers with RF capabilities.

All of the devices under study were obtained from auction sites such as eBay, even though the devices are supposed to be controlled and returned to the manufacturer or hospital when no longer required. The report explained that all of the manufacturers under test had home monitoring equipment listed for sale on public auction sites. The researchers found security flaws existed on all pacemaker systems under study.

The filesystems used by the pacemaker systems were unencrypted, with data stored on removable media. Some of the devices stored highly sensitive data such as medical histories and Social Security numbers, yet the data were not encrypted to prevent unauthorized access.

The pacemaker systems allowed physicians to reprogram the devices without authentication and pacemaker programmers did not authenticate with pacemaker devices. The researchers explained that any pacemaker programmer could be used to reprogram any pacemaker from the same manufacturer.

The software used by the pacemaker systems was discovered to contain more than 8,000 known vulnerabilities in third-party libraries across all the devices. One vendor had 3,715 vulnerabilities in its third-party libraries. The researchers said it was clear there was “an industry wide issue associated with software security updates.”

The study also revealed firmware used by the devices was not cryptographically signed, therefore it would be possible to replace firmware with a custom firmware.

Rios and Butt said, “The findings are relatively consistent across the different vendors,” and recommended “vendors evaluate their respective implementations and validate that effective security controls are in place to protect against identified deficiencies that may lead to potential system compromise.”

The researchers did not disclose the specifics of the vulnerabilities, although they were passed to the Department of Homeland Security’s ICS-CERT, while a report has been submitted to “the appropriate agency” about the discovery of Social Security numbers and other sensitive data from a patient of a prominent east coast hospital.

The researchers now plan to evaluate the home monitoring systems associated with implantable cardiac devices.

The report – Security Evaluation of the Implantable Cardiac Device Ecosystem Architecture and Implementation Interdependenciescan viewed on this link.

The post Study Uncovers More Than 8,000 Security Flaws in Pacemakers from Four Major Manufacturers appeared first on HIPAA Journal.

Molina Healthcare Patient Portal Discovered to Have Exposed Patient Data

Posted by HIPAA Journal

Earlier this month, security researcher Brian Krebs was alerted to a flaw in a patient portal used by True Health Group that allowed patients’ test results to be viewed by other patients. While patients were required to login to the patient portal before viewing their test results, a security flaw allowed then to also view other patients’ results.

Now, the Medicaid and Affordable Care Act Insurer Molina Healthcare is investigating a similar flaw in its patient portal that has allowed the sensitive medical information of patients to be accessed by unauthorized individuals. In the case of Molina Healthcare, patients’ medical claims could be accessed without authentication.

Brian Krebs contacted Molina Healthcare to alert the company to the flaw. An investigation was conducted and its patient portal was shut down while the issue was resolved.

It is unclear for how long the flaw existed, whether medical claims had been viewed by unauthorized individuals, and if so, how many patients had their privacy violated. Potentially, the flaw resulted in the exposure of all customers’ medical claims. Molina Healthcare serves 4.8 million individuals in 12 states and Puerto Rico.

The individuals who identified the flaw and reported the issue to Brian Krebs was able to demonstrate it was possible to access other patients’ names, addresses, birthdates, medical procedure codes, prescribed medications and other sensitive data related to health complaints. Anyone with a link to a medical claim could change a digit in the URL and view other individuals’ medical claims.

In contrast to the security flaw at True Health, Brian Krebs said anyone with a link to a medical claim would be able to access the URL without any authentication required. The link could be clicked and the medical claim could be viewed.

On Friday last week, Molina Healthcare issued a statement saying “We are in the process of conducting an internal investigation to determine the impact, if any, to our customers’ information and will provide any applicable notifications to customers and/or regulatory authorities.”

Molina Healthcare has also engaged the services of Mandiant to improve its system security. Molina Healthcare says the security vulnerability in the patient portal has now been remediated.

The post Molina Healthcare Patient Portal Discovered to Have Exposed Patient Data appeared first on HIPAA Journal.

Children’s Mercy Hospital Discovers Unauthorized Website Exposed 5,500 Patients’ PHI

Posted by HIPAA Journal

A website created by a physician at Children’s Mercy Hospital in Kansas City, MO has recently been discovered to lack appropriate security protections, potentially allowing the protected health information of 5,511 patients to be viewed by unauthorized individuals.

The physician created the website with good intentions and used the site as an educational resource. Data uploaded to the website was protected with a password to prevent unauthorized access. However, the protections in place to prevent unauthorized ePHI access did not meet the hospital’s security standards.

The lack of security controls on the website meant information uploaded to the website could have been accessed by unauthorized individuals.

Contact information (addresses and telephone numbers), Social Security numbers, financial information, health insurance details, photos and other images were not uploaded to the site. However, the website did contain information such as patients’ first and last names, gender, age, medical record number, encounter number, dates of service, admission and discharge dates, birthdates, procedure dates, procedure and diagnostic codes, brief notes on the patient and their height, weight and body mass index.

The types of information uploaded to the website would not typically allow unauthorized individuals to defraud patients or commit identity theft, but as a precaution, all patients impacted by the incident have been offered identity theft protection services free of charge through AllClear.

The physician who created the website believed the information uploaded to the website had been appropriately secured and was inaccessible by unauthorized individuals. Children’s Mercy Hospital said the website was unauthorized, was not owned by the hospital, and that the creation of the website and uploading of ePHI was a violation of hospital policies. The website has now been taken down.

The incident has prompted Children’s Mercy Hospital to reeducate key staff members on compliance to prevent future incidents of this nature from occurring. Children’s Mercy Hospital has not received any reports to suggest information uploaded to the website has been misused in any way.

The post Children’s Mercy Hospital Discovers Unauthorized Website Exposed 5,500 Patients’ PHI appeared first on HIPAA Journal.

Beacon Health Employee Improperly Accessed 1,200 Patient Records Over 3 Year Period

Posted by HIPAA Journal

A former Beacon Health System employee has been discovered to have accessed the medical records of approximately 1,200 patients without authorization over a period of three years.

The privacy breach was uncovered during a routine audit of ePHI access logs, with the unauthorized access discovered on March 30, 2017. The employee in question was permitted to access patient records to perform work duties, although access rights were abused and the records of other patients were viewed even though there was no legitimate work reason for doing so.

Upon discovery of the unauthorized access, Beacon Health conducted a full review with assistance from an external computer forensics firm and determined the inappropriate access started in March 2014. The employee was interviewed and claimed the records were accessed out of curiosity only and confirmed no information was copied or disclosed to other individuals. The medical records were accessed after patients visited the Emergency Room for treatment.

The types of information in the records included patients’ names, ages, room numbers, chief medical complaint and the acuity of their illness. Social Security numbers, health insurance information and financial account information were also potentially viewed by the employee.

The incident has prompted Beacon Health System to introduce new procedures to reduce the likelihood of further privacy breaches of this nature from occurring. A review of the Beacon Health training curriculum is also taking place and training programs will be updated accordingly.

While the breach notice does not explicitly state that the employee was terminated as a direct result of this incident, Beacon Health System said the individual is no longer employed.

Even though further disclosures of patients’ ePHI are not believed to have occurred, the sensitive nature of the ePHI that was accessed by the employee prompted Beacon Health to offer all affected patients 12 months of identity theft and identity restoration services without charge.

The post Beacon Health Employee Improperly Accessed 1,200 Patient Records Over 3 Year Period appeared first on HIPAA Journal.

Medical Device Security Testing Only Performed by One in Twenty Hospitals

Posted by HIPAA Journal

The security of medical devices has attracted a lot of attention in recent months due to fears of device vulnerabilities being exploited by cybercriminals to cause harm to patients, gain access to healthcare networks and steal patient data.

Cybercriminals have extensively targeted the healthcare industry due to the high value of patient data on the black market, combined with relatively poor cybersecurity defenses. While there have been no reported cyberattacks on medical devices with the specific aim of causing harm to patients, there are fears it is only a matter of time before such an attack occurs.

Even if harming patients is not the goal of cybercriminals, ransomware attacks – which take essential computer systems out of action – can place patient safety at risk. Those attacks are already occurring. Some healthcare providers experienced medical device downtime as a result of the recent WannaCry ransomware attacks.

Much attention has focused on device manufacturers for failing to incorporate appropriate security protections to prevent cyberattacks and not considering security for the life cycle of the devices. However, a recent Synopsis-sponsored survey conducted by the Ponemon Institute suggests healthcare delivery organizations may be equally at fault.

The report on the survey – Medical Device Security: An Industry Under Attack and Unprepared to Defend –  shows that both device manufacturers and healthcare organizations are concerned that medical device attacks will occur. 67% of medical device manufacturers and 56% of healthcare delivery organizations believe a cyberattack on a medical device at their organization is likely to occur in the next 12 months.

Even though manufacturers and HDOs are aware of the risks of cyberattacks on medical devices, and one third are aware that those attacks could have an adverse effect on patients, only 17% of device manufacturers and 15% of HDOs are taking action to reduce the risk of cyberattacks on medical devices used by their organizations.

One of the biggest challenges is incorporating security controls into the devices. 80% of device manufacturers said medical devices are very difficult to secure, with a lack of knowledge about how to secure the devices cited as a major issue along with accidental coding errors and pressure to meet product delivery deadlines.

Identifying potential vulnerabilities does not appear to be a major priority. 53% of HDOs and 43% of device manufacturers said they do not perform any medical device security tests, while just 9% of device manufacturers and 5% of HDOs conduct device security tests on an annual basis.

There is also a lack of accountability for medical device security. One third of manufacturers and HDOs said there is no one person in their organization with overall responsibility for medical device security.

The U.S. Food and Drug Administration (FDA) has been conducting workshops with device manufacturers and industry stakeholders to try to determine how medical devices can best be protected; however, the survey suggests that FDA guidance would not be sufficient in itself. Only 51% of manufacturers and 44% of HDOs said they follow current FDA guidance on mitigating medical device security risks.

Ponemon Institute Chairman and founder, Larry Ponemon, said “According to the findings of the research, attacks on devices are likely and can put patients at risk. Consequently, it is urgent that the medical device industry makes the security of its devices a high priority.”

 

Mike Ahmadi, global director of critical systems security for Synopsys’ Software Integrity Group explained the need for urgent change, saying “The industry needs to undergo a fundamental shift, building security into the software development lifecycle and across the software supply chain to ensure medical devices are not only safe, but also secure.”

The survey was conducted in two parts on 550 individuals in North America who had a direct role in the security of medical devices and/or networking equipment and mobile medical apps related to medical devices.

The post Medical Device Security Testing Only Performed by One in Twenty Hospitals appeared first on HIPAA Journal.