Healthcare Data Privacy

Patients’ PHI Accidentally Sent to Media Outlets by Mecklenburg County

A spreadsheet containing the protected health information of more than 1,200 patients has been accidentally sent to two media outlets by a worker at Mecklenburg County, NC.

The spreadsheet was emailed to the media outlets in response to a freedom of information request. That request was made following the discovery that 185 female patients had not been notified of abnormal Pap smear results. The spreadsheet had been created for state officials who were conducting an audit.

County officials discovered the HIPAA breach on Monday and immediately launched an investigation to determine how such an error could have been made. County officials are furious about the privacy breach. Commissioner Vilma Leake said she wanted “to fire everybody on the health department.” County Manager Dena Diorio said “I am absolutely speechless with anger about how something like this could happen.”

This is the second HIPAA breach in a month to be discovered by Mecklenburg County. WSOCTV said it had previously been sent information that contained the name of an individual that should not have been released. A request was received to return that information.

The latest mistake was allegedly made while a county worker was attempting to resolve the first privacy violation. County Commissioner Jim Puckett told WSOCTV Channel 9 “We had a relatively small problem that has escalated into a large one.”

The latest incident has prompted the County to implement new policies and procedures to prevent HIPAA breaches of this nature from occurring in the future.

Those policies will include prohibiting the inclusion of any protected health information in spreadsheets. ‘Gap measures’ have also been put in place to reduce the potential for a repeat HIPAA breach. Those measures include requiring two employees to sign off on any information leaving the health department. A long-term solution is also being developed to ensure that public information requests are processed correctly without violating individuals’ privacy.

The Department of Health and Human Services’ Office for Civil Rights and affected patients will be notified of the privacy breach within the next 60 days in accordance with HIPAA Rules.

Healthcare organizations should have policies in place to ensure responses to information requests are checked by multiple members of staff before they are released outside an organization.

All workers can make mistakes, but policies should be in place to prevent an error by a single employee resulting in a HIPAA violation and potentially, a significant HIPAA violation penalty. This incident shows how easy it is for a HIPAA breach to occur if adequate checks are not conducted.

The post Patients’ PHI Accidentally Sent to Media Outlets by Mecklenburg County appeared first on HIPAA Journal.

Former Employee Accused of Stealing PHI of up to 160,000 Med Center Health Patients

The Kentucky-based 6-hospital health system Med Center Health has reported a data breach affecting approximately 160,000 patients. Med Center Health believes a former employee may have stolen patients’ protected health information (PHI) prior to leaving employment.

The former employee has been accused of stealing PHI including names, addresses, health insurance information, Social Security numbers, procedure codes and billing information. Medical records were not compromised at any point.

The FBI has been notified and is also investigating along with other federal agencies. Med Center health is in the process of notifying patients of the breach, although the process is expected to take a couple of weeks due to the number of individuals that have been impacted.

While the breach has only recently been announced, the data theft incidents date back to 2014 and 2015. The former employee is understood to have taken an encrypted CD and an encrypted portable storage device in August 2014 and February 2015. There was no legitimate work reason for ePHI to have been taken, although on both occasions the former employee claimed the data were needed for work-related duties.

The Bowling Green Daily News suggests Med Center Health discovered the breach several months ago, although notifications were delayed. A spokesperson for Med Center Health told Bowling Green Daily News “Med Center Health informed patients as expeditiously as possible. It is important to understand that the information leading Med Center Health to report the incident pursuant to HIPAA developed over time during an intensive internal investigation.”

Patients affected by the breach had received medical services at one of six Med Center Health facilities between 2011 and 2014: Cal Turner Rehab and Specialty Care, Medical Center EMS, the Commonwealth Regional Specialty Hospital, the Medical Center at Bowling Green, the Medical Center at Franklin and the Medical Center at Scottsville.

Patients impacted by the breach have been offered 12 months of credit monitoring and identity theft protection services without charge. Med Center Health has not uncovered any evidence to suggest that any of the stolen information was used to commit fraud, although the possibility cannot be ruled out.


UNC Health Care Reports Exposure of 1300 Prenatal Patients’ PHI

Prenatal patients who visited certain obstetric clinics operated by UNC Health Care are being notified that some of their protected health information has been disclosed to local health departments by mistake.

Pregnancy Home Risk Screening Forms of Medicaid-eligible patients are sent to local health departments to ensure those individuals are connected with appropriate support services. However, UNC Health Care has discovered that in addition to Medicaid-eligible patients, forms relating to patients who were not eligible for Medicaid were also sent to local health departments. In total, around 1,300 patients have been affected.

The privacy breach affects women who had prenatal appointments at the UNC Maternal-Fetal Medicine at Rex Hospital or the Women’s Clinic at the North Carolina Women’s Hospital between April 2014 and February 2017.

Pregnancy Home Risk Screening Forms contain patients’ names and addresses, race and ethnicity, Social Security numbers, health and mental health histories, details of patients’ HIV status, any sexually transmitted diseases contracted, medical diagnoses related to the pregnancy or past pregnancies, details of drug and alcohol use and whether the patients were smokers.

Patients whose privacy has been violated were informed of the breach by mail on March 20, 2017. Patients have been advised that the health departments that have been sent the information are covered by state and federal laws put in place to protect patient privacy. Those health departments must have appropriate administrative, technical and physical safeguards in place to protect all protected health information that is received and stored.

Consequently, the risk of any sensitive information being used inappropriately is believed to be low, although as a precaution, all individuals affected by the breach have been offered fraud resolution services in case any experience identity theft or fraud as a result of the incident.

To prevent future breaches of this nature from occurring, UNC Health Care has updated its policies and procedures covering patients who complete the Pregnancy Home Risk Screening Form and all staff members have been trained on the new procedures. In future, only forms completed by Medicaid-eligible individuals will be sent to county health departments.

UNC Health Care has requested all county health departments purge any information relating to non-Medicaid-patients from their databases.


Snapshot of Healthcare Data Breaches in February 2017

The Protenus Breach Barometer healthcare data breach report for February includes some good news. Healthcare data breaches have not risen month on month, with both January and February seeing 31 data breaches reported.

The report offers some further good news. Healthcare hacking incidents fell in February, accounting for just 12% of the total number of breaches reported during the month. There was also a major fall in the number of healthcare records exposed or stolen. In January, 388,207 healthcare records were reported as being exposed or stolen. In February, the number fell to 206,151 – a 47% drop in exposed and stolen records. However, February was far from a good month for the healthcare industry.

IT security professionals have long been concerned about the threat from within, and last month clearly showed those fears are grounded in reality. February saw a major increase in the number of incidents caused by insiders. Insider breaches in February accounted for 58% of the total number of incidents reported for which the cause was known; double the number reported the previous month.

Insider wrong-doing was behind eight of the 18 incidents caused by insiders and nine were the result of errors by employees. One of the incidents could not be classified due to a lack of information about the exact nature of the breach.

Preventing insider breaches can be a major challenge for healthcare organizations, as can detecting breaches when they occur. Small to mid-sized organizations often do not have the resources to allow them to continuously monitor for the inappropriate accessing of healthcare records by employees. However, if continuous monitoring is not possible, covered entities must ensure that regular audits of access logs take place. Fast detection of improper access can greatly reduce the harm that those incidents cause. Regular reviews of access logs will also reduce the risk of an OCR HIPAA fine or settlement.

HIPAA requires covered entities to maintain access logs and regularly check for inappropriate ePHI access, although the frequency of those checks and audits is left to the discretion of the covered entity. The frequency of audits should be dictated by the results of an organization’s risk analysis.

Last month showed that while some healthcare organizations are complying with 45 CFR § 164.308(a)(5)(ii)(C) – log-in monitoring – and 45 CFR § 164.312(b) – audit controls – and are keeping logs, they are failing on 45 CFR § 164.308(a)(1)(ii)(D) by not regularly conducting information system activity reviews.

One incident reported in February involved an employee improperly accessing ePHI for more than five years (2,103 days) before the improper access was detected. HIPAA Rules may not stipulate how frequently access logs should be checked, but it would be difficult to argue that a check every five years constituted ‘regular’.

That was not the only long delay in detecting a breach. A second incident was also reported in February that took more than five years to detect (1,952 days). In that case the incident involved a system glitch that left ePHI exposed.

Overall, the breaches and security incidents reported in February took far longer to identify than those reported in January. It took an average of 478 days from the date the incident occurred to the date OCR was notified of the breach; that said, the average time was increased considerably by the two 5-year+ delays in detection. In January, the average time from the initial event to reporting was 174 days.

Breaches of electronic protected health information made up the bulk of incidents, although a third of incidents involved paper records, highlighting the importance of implementing physical controls to keep physical PHI secured.

While California usually tops the list for the number of incidents reported each month, this month Texas earned the title of the worst hit state with 4 reported breaches. California, Arizona, and New York shared second place with three incidents apiece.

Healthcare providers were the worst affected in February, accounting for 77% of the month’s incidents. Health plans reported 13% of breaches and business associates and vendors accounted for 3%. The remaining 3% were reported by other organizations.


Alleged Social Media Retaliation by Doctor Breached HIPAA Privacy Rule

A physician at the Dr. O Medical and Wellness Center in San Antonio, Texas allegedly retaliated against a patient by posting a video of the individual clad only in underwear on Facebook and YouTube. The doctor’s actions, which appear to be a clear violation of the HIPAA Privacy Rule, have resulted in her being sanctioned by the Texas Medical Board following a complaint by the patient.

The patient, Clara Aragon-Delk, underwent a series of cosmetic surgery procedures starting in 2015. Non-invasive laser treatments were performed by Dr. Tinuade Olusegun-Gbadehan, and while consent was provided by the patient to have photographs and videos taken, authorization was only given for ‘anonymous use for the purposes of medical audit, education, and promotion.’

The images and video contained full face shots of the patient. Rather than protecting the patient’s privacy by pixelating the patient’s face, a video was posted to Olusegun-Gbadehan’s Facebook page without any attempt to protect the patient’s privacy.

From the video, it would appear that the patient was happy with the treatment, although around a month later the patient had changed her mind. The patient replied to the Facebook post saying “OK, I’ll make my Comment! Beware! Send me a personal message, and I’ll share my experience with this crap!”

There were subsequent email exchanges between Dr. Olusegun-Gbadehan and the patient in which Aragon-Delk claims Dr. Olusegun-Gbadehan acted in an abusive and threatening manner.

Aragon-Delk claims Dr. Olusegun-Gbadehan said in one email, “I will damage your professional and you will be humiliated!” Olusegun-Gbadehan also said, others “will see your glowing testimonial and your body, enjoy your Hi-Def video. Enjoy as others will do the same.”

In the complaint filed with the Texas Medical Board, the patient claimed she suffered burns during the first procedure. She also claimed to have been overbilled. In response to the overbilling, the patient contacted a merchant processing company called Stripe regarding the disputed charges.

Two weeks ago, the Texas Medical Board ruled that Dr. Olusegun-Gbadehan had violated the patient’s privacy and acted in an unprofessional manner.

The Texas Medical Board said the posting of the video was a HIPAA violation and was unprofessional. The Board also ruled that an email containing the link to a posting of the video that was sent to the patient in an unsecured format was also a confidentiality breach and was unprofessional. Dr. Olusegun-Gbadehan also sent the video to the merchant processing company in response to the billing dispute as evidence that the patient initially appeared to be happy with the treatment, but this too was a violation of the patient’s privacy.

Dr. Olusegun-Gbadehan neither admits nor denies the allegations, but the Texas Medical Board’s order was agreed to by Dr. Olusegun-Gbadehan to avoid a contested hearing, according to the San Antonio Express News.

The order requires Dr. Olusegun-Gbadehan to retake the Texas Medical Jurisprudence Examination within the next 12 months.

While the matter would appear to have been settled, the patient has now sued Dr. Olusegun-Gbadehan for mental anguish, physical pain, and suffering. Patients are not permitted to sue physicians for HIPAA violations as there is no private cause of action. Consequently, a health care liability claim has been filed under state law, claiming the publication of the video and subsequent correspondence via email were intended to damage the patient’s personal and professional reputation.


New Mexico Data Breach Notification Bill Moves to Senate Judiciary Committee

A new data breach notification bill has been unanimously passed by the New Mexico House of Representatives bringing the legislation one step closer to being written into state law. The bill (House Bill 15) – also known as the Data Breach Notification Act – was sponsored by Republican Rep. William R. Rehm of Bernalillo. The bill will now move on to the Senate Judiciary Committee.

This is not the first time that a New Mexico data breach notification law has been sent to the Senate Judiciary Committee. Rehm previously sponsored a similar bill in 2015, yet on two occasions the Senate Judiciary Committee failed to pass the bill onto the senate.

The new data breach notification bill covers a range of sensitive data, although medical and insurance information are not included in the definition of personal information. Entities covered by the Health Insurance Portability and Accountability Act or the Gramm-Leach-Bliley Act will not be required to comply with the state law.

Should the legislation be passed by the senate, all other entities doing business in the state of New Mexico will be required to comply with the breach notification legislation. In the event of a breach of personal information, breach notifications will need to be issued to affected individuals ‘in the most expedient time possible’ but no later than 30 days following the discovery of the breach. Notifications will also need to be sent to the state attorney general and major consumer reporting agencies.

In addition to security breaches that result in the exposure of personal information, the legislation covers improper disposal of sensitive information. The legislation calls for organizations to shred, erase or otherwise modify personal identifying information prior to disposal. As with HIPAA, the information must be rendered unreadable and undecipherable prior to disposal.

A breach of the Data Breach Notification Act could result in a $25,000 fine or in the case of failed notifications, $10 per instance up to a maximum of $150,000.

The types of information included in the definition of personal information are:

An individual’s full name, or first name or initial and last name, along with any of the following data elements:

  • Social Security number
  • Driver’s license number
  • Government Identification numbers
  • Bank account number or credit/debit card number along with a CVV code or other code or password that would enable access to be gained to a financial account
  • Unique biometric data

If passed, New Mexico will become the 48th state to introduce data breach notification legislation. The two remaining states that have yet to introduce data breach notification laws are Arkansas and South Dakota, both of which are currently working on new legislation to protect state residents.


68% of Healthcare Organizations Have Compromised Email Accounts

Evolve IP has published the results of a new study that has revealed the extent to which healthcare email credentials are being compromised and sold on the dark web.

Email credentials are highly valuable to cybercriminals. A compromised email account can be plundered to obtain highly sensitive data and an email account can be used to gain access to healthcare networks.

63% of data breaches in the United States occur as a result of compromised email credentials and healthcare email credentials are being sold freely on the dark web.

Evolve used its Dark Web ID analysis technology for the study and reviewed 1,000 HIPAA covered entities and business associates. Evolve discovered 68% of those organizations had employees with visibly compromised email accounts. 76% of those compromised accounts included actionable password information and that information was freely available on the dark web.

Depending on the industry segment, between 55.6% and 80.4% of organizations had compromised email accounts. Medical billing and collections organizations fared the best, with 55.6% of organizations having at least one compromised account, while regional healthcare plans were the worst affected, with 80.4% of organizations having compromised email accounts.

Evolve points out that in many cases the passwords associated with the email accounts were outdated, but explained that even outdated passwords are valuable to hackers.

Passwords are often recycled, so an old password could allow a hacker to gain access to other online accounts. Evolve also says “hackers can create a user profile and determine a person’s new password fairly accurately by using simple guessing or sophisticated automated algorithms.” Even when passwords are hashed, hackers can crack the hash, conduct brute force attacks and use lookup, reverse lookup, and rainbow tables to guess the passwords.

In the majority of cases, email accounts were compromised as a result of a data breach (55% of compromised accounts). While just 6% of compromised accounts were the result of a phishing attack, Evolve points out that equated to 450 separate email accounts that were compromised as a direct result of phishing attacks.

Preventing email compromise incidents is an essential part of any cybersecurity strategy. Evolve suggests three main methods that all healthcare organizations should embrace to reduce risk: Proactive threat intelligence, continuous security management, and rapid incident response and recovery.

By obtaining up to date threat intelligence, healthcare organizations can discover the latest vulnerabilities and threats before they are exploited by criminals. Continuous security management should involve real-time security analyses and infrastructure management, which will help healthcare organizations stay one step ahead of hackers.

Even if security best practices are adopted and the latest cybersecurity technologies are implemented, it will not be possible to prevent all security breaches. Organizations must therefore have the policies and procedures in place to ensure a quick recovery. Fast action following a security breach will limit the harm caused.



Improper Disposal of PHI Discovered by Minneapolis Heart Institute

A member of a cleaning crew at the Minneapolis Heart Institute at Abbott Northwestern Hospital accidentally disposed of documents containing PHI with regular trash.

Minneapolis Heart Institute has policies and procedures in place that require all documents containing sensitive patient health information to be securely destroyed in accordance with HIPAA Rules. However, a member of the cleaning team was discovered to have emptied a trash container from a physician’s private office before documents could be securely shredded.

The incident was discovered on January 20, 2017, although not in time for the documents to be recovered and securely destroyed. The documents had been emptied into a bin bag which was placed in a regular recycling dumpster at the hospital.

It is unclear at this stage how many individuals have been impacted, although as a precaution, the Minneapolis Heart Institute is notifying all patients who were part of the physician’s service group between April 17, 2016 and January 17, 2017. Those individuals have been offered credit monitoring and identity theft protection services without charge for a period of 12 months, even though the risk of any PHI being accessed by unauthorized individuals is believed to be very low.

The documents contained PHI including names, addresses, birth dates, medical record numbers, clinical data, and health insurance information. Some health insurers use Social Security numbers as health plan identifiers; therefore, some Social Security numbers may also have been on the documents.

The incident shows that policies and procedures alone will not always prevent breaches of this nature from occurring. However, the action taken following the incident by Allina Health, which operates Abbott Northwestern Hospital, should prevent any further such incidents from occurring in the future.

Allina Health has removed all desk-side recycling bins and has replaced them with locked shredding bins. Now, all documents will be sent for shredding, irrespective of whether they contain sensitive data. An employee education program has also been conducted to advise employees of the need to shred all paperwork and Allina Health’s safeguards policy has also been reinforced, highlighting the importance of the correct disposal of documents.


Healthcare Employee Accessed ePHI Without Authorization for 5 Years

Healthcare professionals must have access to the protected health information of patients in order to provide medical care and perform healthcare operations.

Since access to data can be abused by rogue employees, it is essential that controls are put in place to alert healthcare organizations rapidly when improper access occurs. Rapid identification of improper access can greatly reduce the harm caused.

In many cases, improper access is discovered during routine audits of access and application logs. When those audits are conducted on an annual basis, employees may be found to have been improperly accessing patient data for many months.

Last month, Chadron Community Hospital and Health Services in Nevada discovered that a rogue employee had been accessing ePHI without any legitimate work reason for doing so. What makes this incident stand out is how long access had been allowed to continue before it was discovered.

An investigation conducted by the healthcare provider revealed that the improper access had gone unnoticed for more than 5 years. During that time, the records of more than 700 patients had been accessed by the employee. The report submitted to the Department of Health and Human Services’ Office for Civil Rights indicates 702 individuals had their privacy violated by the employee.

Chadron Community Hospital and Health Services first learned of the privacy breach on January 3, 2017. The investigation into the employee’s activities showed medical records were first improperly accessed in September 2011 and that HIPAA-violating activity had continued until November 2016. The types of information accessed included names, addresses, dates of birth, demographic information, clinical information such as medical diagnoses, orders and physicians’ notes, some financial data and insurance information. No Social Security numbers are believed to have been viewed.

It is not clear whether the employee accessed the information out of curiosity or whether the data were viewed with malicious intent. The individual is no longer employed by Chadron Community Hospital and Health Services. The dates of access suggest the employee had left the healthcare organization prior to the improper access being discovered.

Insider threats are a major concern for healthcare security staff. A recent Dimensional Research/Preempt survey showed that almost half of IT security professionals are more concerned about internal attacks than external threats. The network perimeter can be secured, although monitoring for improper access by employees can be a challenge.

HIPAA Rules require covered entities to maintain access logs and conduct periodic reviews of those logs to monitor for improper access. HIPAA does not state how often those logs must be checked, although it would be difficult to argue that regular, thorough checks were conducted if an employee was able to evade detection for more than 5 years. Such a long period of improper access is certain to attract the attention of Office for Civil Rights’ investigators.
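An information system activity review of the kind the February breach report and the Chadron incident above both point to, as an added example that is not code from HIPAA Journal, Protenus or any hospital named on this page: it parses constructed ePHI access-log lines, flags each access that lacks a documented care relationship or falls after the user's separation date, counts the distinct patient records touched, and measures how many days the earliest flagged access went unnoticed (the figure reported above as 2,103 and 1,952 days). The pipe-delimited log format, the care-team roster, the separation dates and the detection date are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, datetime

# Constructed sample access log (not real data): timestamp|user|patient_mrn|action
SAMPLE_LOG = """\
2011-09-14T09:12:03|jdoe|MRN-1001|VIEW_CHART
2011-09-14T09:15:44|jdoe|MRN-1002|VIEW_CHART
2012-03-02T13:40:10|asmith|MRN-1002|VIEW_CHART
2016-11-21T22:05:31|jdoe|MRN-1003|VIEW_NOTES
2017-01-04T08:00:00|asmith|MRN-1001|VIEW_CHART
"""

# Constructed roster: patients each user has a documented care relationship with.
CARE_TEAM = {
    "asmith": {"MRN-1001", "MRN-1002"},
    "jdoe": set(),  # clerical role, no chart access expected
}

# Constructed workforce separation dates (None = still employed); the account
# should have been disabled on that date, so any later activity is suspect.
SEPARATED = {"jdoe": date(2016, 6, 30), "asmith": None}

# Assumed date the review was run (mirrors the January 2017 discovery above).
DETECTED_ON = date(2017, 1, 3)


@dataclass(frozen=True)
class Finding:
    user: str
    mrn: str
    when: datetime
    reasons: tuple


def parse_log(text):
    """Parse pipe-delimited log lines into (timestamp, user, mrn, action)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, mrn, action = line.split("|")
        events.append((datetime.fromisoformat(ts), user, mrn, action))
    return events


def review_activity(events, care_team, separated):
    """Flag every access that lacks a care relationship or follows separation."""
    findings = []
    for when, user, mrn, _action in events:
        reasons = []
        sep = separated.get(user)
        if sep is not None and when.date() > sep:
            reasons.append("access after separation date")
        if mrn not in care_team.get(user, set()):
            reasons.append("no documented care relationship")
        if reasons:
            findings.append(Finding(user, mrn, when, tuple(reasons)))
    return findings


def days_undetected(findings, detected_on):
    """Days from the earliest flagged access to the date the review caught it."""
    if not findings:
        return 0
    first = min(f.when for f in findings).date()
    return (detected_on - first).days


def patients_per_user(findings):
    """Distinct patient records each user touched improperly."""
    seen = {}
    for f in findings:
        seen.setdefault(f.user, set()).add(f.mrn)
    return {user: len(mrns) for user, mrns in seen.items()}


def run_review():
    """Run the whole review over the constructed sample data."""
    findings = review_activity(parse_log(SAMPLE_LOG), CARE_TEAM, SEPARATED)
    return findings, days_undetected(findings, DETECTED_ON), patients_per_user(findings)


if __name__ == "__main__":
    findings, gap, counts = run_review()
    for f in findings:
        print(f.when.isoformat(), f.user, f.mrn, "; ".join(f.reasons))
    print(f"earliest improper access went unnoticed for {gap} days; {counts}")
```

Run on a real export, the same review would be scheduled at the cadence set by the organization's risk analysis rather than once; the gap figure is what grows when that cadence slips.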
