HIPAA Breach News

Quest Health Systems Discovers Additional Patients Impacted by 2018 Phishing Attack

Health Quest, now part of Nuvance Health, has discovered the phishing attack it experienced in July 2018 was more extensive than previously thought.

Several employees were tricked into disclosing their email credentials by phishing emails, which allowed unauthorized individuals to access their accounts. A leading cybersecurity firm was engaged to assist with the investigation and determine whether any patient information had been compromised.

In May 2019, Health Quest learned that the protected health information of 28,910 patients was contained in emails and attachments in the affected accounts, and notification letters were sent to those individuals. The compromised accounts contained patient names, contact information, claims information, and some health data.

A second phase of the investigation, completed on October 25, 2019, found that the email account of another employee had also been compromised and that it contained protected health information. According to the substitute breach notice on the Health Quest website, the compromised information varied from patient to patient, but may have included one or more of the following data elements in addition to names:

Dates of birth, Social Security numbers, driver’s license numbers, Medicare Health Insurance Claim Numbers (HICNs), provider name(s), dates of treatment, treatment and diagnosis information, health insurance plan member and group numbers, health insurance claims information, financial account information with PIN/security code, and payment card information.

No evidence of unauthorized viewing of patient data was uncovered and no reports have been received to indicate any patient information was misused. Out of an abundance of caution additional letters were mailed to patients on January 10, 2020.

Health Quest now enforces multi-factor authentication on its email accounts, has strengthened its security processes, and has provided additional training to its employees on phishing and other cybersecurity issues.

It is currently unclear how many additional patients have been affected. At the time of posting, the breach report on the HHS’ Office for Civil Rights breach portal still states 28,910 individuals were impacted.

The post Quest Health Systems Discovers Additional Patients Impacted by 2018 Phishing Attack appeared first on HIPAA Journal.

44,000 Patients Impacted by Phishing Attacks on InterMed and Spectrum Healthcare Partners

The Portland, ME-based healthcare provider InterMed is notifying 33,000 patients that some of their protected health information has potentially been compromised as a result of a phishing attack.

The attack was detected on September 6, 2019. An internal investigation confirmed that an employee's email account was compromised on September 4, 2019 and that the attackers had access to it until September 6, 2019.

A leading national computer forensics firm was engaged to investigate the breach and discovered that a further three email accounts had also been compromised between September 7 and September 10, 2019.

A comprehensive review of the affected email accounts was conducted but it was not possible to determine what emails or attachments, if any, had been viewed by the attackers.

The types of information in the compromised accounts varied from patient to patient and may have included patients’ names, dates of birth, health insurance information, and some clinical information. A “very limited” number of patients also had their Social Security number exposed.

InterMed started mailing breach notification letters to affected patients on November 5, 2019. Complimentary credit monitoring and identity protection services have been offered to patients whose Social Security number was exposed.

Steps have now been taken to improve email security and training has been reinforced to ensure employees adhere to email security best practices.

Phishing Attack Impacts 11,308 Patients of Central Maine Orthopaedics

11,308 patients of Central Maine Orthopaedics, part of Spectrum Healthcare Partners, are being notified that some of their protected health information has potentially been viewed by an unauthorized individual who gained access to the email account of one of its employees.

Spectrum Healthcare Partners discovered the unauthorized access on November 14, 2019 and immediately secured the affected account. The investigation revealed the account had been breached on November 5, 2019. A review of the emails and attachments in the account revealed they contained patients’ names, dates of birth, addresses, health insurance information, clinical and treatment information, and amounts owed to Central Maine Orthopaedics.

While it was confirmed that the attacker remotely accessed the account, no evidence was uncovered to suggest patient information was obtained or misused.

Affected patients were notified out of an abundance of caution on January 13, 2020 and have been advised to monitor their explanation of benefits and account statements for any sign of fraudulent use of their information.

Spectrum Healthcare Partners has strengthened its technical controls and is providing more stringent security training to employees.

4,564-Record Breach Reported by Children’s Hope Alliance

The Barium Springs, NC-based child welfare agency, Children’s Hope Alliance, has announced that a laptop computer containing sensitive information has been stolen.

According to the substitute breach notice on the Children's Hope Alliance website, the laptop was stolen on October 7, 2019. A digital forensics firm was engaged to determine whether the laptop contained any sensitive information. The investigation is ongoing, but initial findings show that documents on the device contained information such as names, addresses, Social Security numbers, tax identification numbers, dates of birth, usernames and passwords, and medication and dosage information.

The breach report submitted to the Department of Health and Human Services' Office for Civil Rights indicates 4,564 individuals have been impacted. The breach summary states that this was a hacking/IT incident involving email. It is unclear at this stage whether this is an error, a separate breach, or whether the stolen laptop was used to gain access to an employee's email account.

Phishing Attack on SouthEast Eye Specialist Group Impacts 13,000 Patients

SouthEast Eye Specialist (SEES) Group in Franklin, TN, is notifying 13,000 patients that some of their protected health information has been exposed as a result of a recent phishing attack.

It is unclear from the SEES Group’s substitute breach notice when the phishing attack occurred, but on November 1, 2019, SEES Group determined patient information was contained in email accounts that were accessed by unknown individuals.

The breach was discovered when the IT department identified suspicious activity in some employee email accounts. A third-party computer forensics company was retained to assist with the investigation and determine whether any emails or email attachments containing patient information had been viewed or copied by the attackers.

The investigation uncovered no evidence to suggest that patient information was viewed or obtained by unauthorized individuals, but it was not possible to rule out the possibility that patient information had been compromised.

A painstaking analysis of all emails in the affected accounts revealed they contained information on patients including names, treatment information, and Social Security numbers.

SEES Group is now reviewing its information security policies and procedures and email security will be augmented to prevent similar incidents from occurring in the future.

2,008 Patients Notified About btyDental Ransomware Attack

btyDental, a network of dental practices in Anchorage, AK, is notifying 2,008 patients about a ransomware attack that involved some of their protected health information.

Ransomware was installed on some of its servers on or around November 17, 2019. The servers contained patients’ X-ray images along with their names. The servers contained no other protected health information, which was stored in systems unaffected by the attack.

Steps were immediately taken to restore the affected servers and third-party IT consultants were retained to assist with the investigation. No evidence was found to suggest any patient images were accessed or obtained by the attackers.

btyDental has reviewed its security policies and procedures and has taken steps to prevent similar attacks from occurring in the future and will continue to evaluate the security of its systems and implement the most up-to-date security measures.

Enloe Medical Center Continues to Experience EMR Downtime Due to Ransomware Attack

A California healthcare provider was attacked with ransomware two weeks ago, and its electronic medical record system is still out of action.

Enloe Medical Center in Chico, CA, discovered the attack on January 2, 2020. Its entire network was encrypted, including its electronic medical record (EMR) system, which prevented staff from accessing patient information. Emergency protocols were immediately implemented to ensure care could still be provided to patients and only a limited number of elective medical procedures had to be rescheduled.

The attack also affected the telephone system which was taken out of action on the day of the attack. The telephone system was restored the following day but its EMR system is still out of action and employees are continuing to rely on pen and paper for recording patient data.

While there were some cancelled appointments in the first week after the attack, Enloe Medical Center says care is being provided to patients without delay while work continues to restore its systems. No information has been released on the type of ransomware involved, but the initial findings of the investigation suggest patient data has not been compromised.

“Upon learning of this incident, we immediately took steps to restore critical operating systems and ensure the security of our network. At this point in time, we have no indication or evidence that suggests patient medical data has been compromised,” said Kevin Woodward, Enloe’s chief financial officer. The ransomware attack has been reported to local and federal law enforcement agencies and the investigation is continuing.

Ransomware attacks have been increasing throughout 2019 and there are no signs of the attacks abating. In addition to file encryption, several ransomware gangs have adopted a new tactic to increase the probability of the ransom being paid. Prior to the deployment of ransomware, sensitive data is being stolen.

Recent attacks involving the MegaCortex, LockerGoga, Maze, and Sodinokibi ransomware variants have seen data stolen prior to the deployment of ransomware. The threat actors using Maze and Sodinokibi ransomware have threatened to expose the stolen data if the ransom is not paid. Both have followed through on those threats and have published sensitive data when victims decided not to pay the ransom.

Ransomware Attacks Reported by Florida and Texas Healthcare Providers

It is becoming increasingly common for threat actors not only to use ransomware to encrypt files and prevent data access, but also to steal data first and threaten to publish or sell it if the ransom is not paid. This new tactic is intended to increase the likelihood of victims paying the ransom.

The Center for Facial Restoration in Miramar, FL, is one of the latest healthcare providers to experience such an attack. Richard E. Davis MD FACS of The Center for Facial Restoration received a ransom demand on November 8, 2019 informing him that his clinic’s server had been breached and data had been stolen. The attacker said the data could be publicly exposed or traded with third parties if the ransom was not paid.

Dr. Davis filed a complaint with the FBI’s Cyber Crimes Center and met with the FBI agents investigating the attack. After the attack occurred, Dr. Davis was contacted by around 15-20 patients who had also been contacted by the attacker and issued with a ransom demand. The patients were told that their photographs and personal data would be published if the ransom demand was not paid.

According to Dr. Davis’s substitute breach notice, the compromised server contained the data of approximately 3,600 patients. While it is possible the attackers stole the files of all patients, there are reasons to suspect only a very small number of patient photographs and personal data may have been stolen.

It has taken some time to determine which patients have been affected as much of the information held on patients was stored as scanned patient intake forms rather than a database. Each file had to be opened and checked manually and that was a painstakingly slow and labor intensive process.

The types of data exposed were limited to photocopies of driver's licenses or passports, home addresses, email addresses, telephone numbers, insurance policy numbers, and credit card numbers, most of which showed only the last 4 digits.

All patients potentially affected by the attack have now been notified and steps have been taken to improve security, including replacing all hard drives and implementing new firewalls and anti-malware software. The ransom demand was not paid.

Children’s Choice Pediatrics Ransomware Attack Impacts 12,689 Patients

Children's Choice Pediatrics in McKinney, TX, is notifying 12,689 patients that some of their protected health information may have been accessed by unauthorized individuals who used ransomware to try to extort money from the practice.

The attack occurred on or around October 27, 2019 and resulted in the encryption of data on its network. Children’s Choice had backed up all data and attempts were made to recover all files encrypted by the ransomware. That process has been completed, but it was not possible to restore all patient data. Some patient records could not be recovered.

Affected patients have been advised to be alert to the possibility of data misuse and to monitor their account statements for signs of fraudulent activity. No reports have been received to suggest any patient data was stolen or has been misused. Children's Choice has now strengthened security to prevent similar attacks from occurring in the future.

Alomere Health Phishing Attack Impacts 49,351 Patients

Alomere Health in Alexandria, MN is notifying almost 50,000 patients that some of their protected health information was potentially accessed by unauthorized individuals as a result of a phishing attack.

Alomere Health learned about the phishing attack on November 6, 2019 and launched an internal investigation, which confirmed that an employee's email account was accessed by an unauthorized individual between October 31 and November 1, 2019.

A computer forensics company was engaged to assist with the investigation and discovered on November 10, 2019 that a second email account had been breached on November 6.

A comprehensive review of the compromised accounts revealed some emails and email attachments contained protected health information. The types of information potentially compromised in the attack varied from patient to patient and may have included the following data elements: Names, addresses, dates of birth, medical record numbers, health insurance information, treatment information, and/or diagnosis information. A limited number of Social Security numbers and driver’s license numbers were also found in the accounts.

Alomere Health was unable to confirm whether any emails or email attachments containing protected health information were accessed or copied by the attackers, but unauthorized PHI access and data theft could not be ruled out. On January 3, 2020, Alomere Health sent notifications to all 49,351 patients whose information was present in the email accounts.

Individuals whose Social Security number or driver’s license number were exposed have been offered complimentary credit monitoring and identity theft protection services for 12 months. No reports of misuse of patient information have been received to date.

Alomere Health has now added more layers to its cyber defenses and further security awareness training has been given to employees to help them identify phishing emails and other email-based threats.

Up to 25K Patients of the Native American Rehabilitation Association of the Northwest Affected by Malware Attack

Portland, OR-based Native American Rehabilitation Association of the Northwest, Inc., (NARA), a provider of education, physical and mental health services, and substance abuse treatment services to Native Americans, is alerting certain individuals about a malware infection that has potentially allowed unauthorized individuals to gain access to their protected health information.

NARA reports that the attack occurred on November 4, 2019. The malware initially bypassed security systems but was detected later that afternoon. The threat was contained by November 5, 2019 and all passwords on email accounts were reset by November 6.

The malware was determined to be the Emotet Trojan: A credential stealer that can also exfiltrate emails and email attachments. It is therefore possible that the attackers obtained emails and attachments in the compromised accounts, some of which included protected health information.

According to a NARA press release issued on January 3, 2020, the forensic investigation confirmed that the protected health information of 344 individuals was either accessed by the attackers or there was a high risk of the information being accessed. Another group of patients was also potentially affected. For this group, no evidence of unauthorized access was found.

The types of information contained in the email accounts varied from person to person and may have included names, home addresses, Social Security numbers, birth dates, and medical record or patient ID numbers. A limited number of individuals also had clinical information exposed, including diagnoses, services received, treatment information, and treatment dates.

In total, up to 25,187 individuals may have been affected, according to the HHS’ Office for Civil Rights’ Breach portal.

“It is sad that there are people in the world whose intent is to cause harm and distress to vulnerable populations such as our clients,” said Jacqueline Mercer, CEO of NARA NW. “Words cannot express how truly sorry we are that our clients and NARA NW have been subjected to this malware attack.”

A new endpoint protection solution has now been implemented on all computers which monitors for suspicious activity. Policies and procedures are being reviewed and will be updated as necessary and staff have been provided with further security awareness training.

Mercy Health Lorain Hospital Laboratory Patients Affected by Mailing Error

RCM Enterprise Services, Inc., a provider of patient billing services to Mercy Health Lorain Hospital Laboratory in Ohio, is alerting certain patients about an impermissible disclosure of some of their individually identifiable personal information.

An error was accidentally introduced in the invoice mailing process which allowed Social Security numbers to be viewable through the windows of envelopes used for a medical invoice mailing sent by RCM’s contracted mailing vendor on or around November 7, 2019.

The invoices should only have had name, street address, city, state, and zip code visible. The error resulted in an individual’s name and street address being visible along with that individual’s Social Security number instead of the city and zip code.

“We take this incident, as well as information privacy and security, very seriously, and have enhanced our procedures in order to prevent the occurrence of a similar incident,” said Barbara Shaub, Director, Revenue Cycle Management of RCM.

No reports have been received to suggest there has been any misuse of patient information. As a precaution, all affected individuals have been offered complimentary credit monitoring and identity theft protection services. It is currently unclear how many individuals have been affected.

HIPAA Enforcement in 2019

It has been another year of heavy enforcement of HIPAA compliance. HIPAA enforcement in 2019 by the Department of Health and Human Services' Office for Civil Rights (OCR) has resulted in 10 financial penalties. $12,274,000 has been paid to OCR in 2019 to resolve HIPAA violation cases.

2019 saw one civil monetary penalty issued and settlements reached with 9 entities, one fewer than in 2018. Across the 10 enforcement actions, the average financial penalty was $1,227,400.

HIPAA Enforcement in 2019 by the HHS' Office for Civil Rights


Particularly egregious violations will attract financial penalties, but some of the HIPAA settlements in 2019 provide insights into OCR's preferred method of dealing with noncompliance. Even when HIPAA violations are discovered, OCR prefers to resolve cases through voluntary compliance and by providing technical assistance. When technical assistance is provided and covered entities fail to act on OCR's advice, financial penalties are likely to follow.

This was made clear in two of the most recent HIPAA enforcement actions. OCR launched compliance investigations into two covered entities after being notified about data breaches. OCR discovered in both cases that HIPAA Rules had been violated. OCR chose to provide technical assistance to both entities rather than issue financial penalties, but the covered entities failed to act on the guidance and a financial penalty was imposed.

Sentara Hospitals disagreed with the guidance provided by OCR and refused to update its breach report to reflect the actual number of patients affected. West Georgia Ambulance was issued with technical guidance and failed to take sufficient steps to address the areas of noncompliance identified by OCR.

If you are told by OCR that your interpretation of HIPAA is incorrect, or are otherwise issued with technical guidance, it pays to act on that guidance quickly. Refusing to take corrective action is a sure-fire way to guarantee a financial penalty, attract negative publicity, and still be required to change policies and procedures in line with the guidance.

There were two important HIPAA enforcement updates in 2019. OCR adopted a new interpretation of the Health Information Technology for Economic and Clinical Health (HITECH) Act’s requirements for HIPAA penalties and a new enforcement initiative was launched.

The HITECH Act of 2009 called for an increase in the penalties for HIPAA violations. On January 25, 2013, the HHS adopted a new penalty structure in the HIPAA Omnibus Final Rule. At the time it was thought that there were inconsistencies in the language of the HITECH Act with respect to the penalty amounts. OCR determined that the most logical reading of the HITECH Act requirements was to apply the same maximum penalty of $1,500,000 per violation category, per calendar year, to all four penalty tiers.

In April 2019, OCR issued a notice of enforcement discretion regarding the penalties. A review of the language of the HITECH Act led to a reduction in the maximum penalties in three of the four tiers. The maximum annual penalties for HIPAA violations were changed to $25,000, $100,000, and $250,000 for penalty tiers 1, 2, and 3 respectively (subject to inflationary increases); the $1,500,000 maximum for tier 4 was unchanged.

2019 saw the launch of a new HIPAA Right of Access enforcement initiative targeting organizations that were overcharging patients for copies of their medical records, or were not providing copies of medical records in a timely manner and in the format requested by the patient.

The extent of noncompliance was highlighted by a study conducted by Citizen Health, which found that 51% of healthcare organizations were not fully compliant with the HIPAA Right of Access. Delays providing copies of medical records, refusals to send patients’ PHI to their nominated representatives or their chosen health apps, not providing a copy of medical records in an electronic format, and overcharging for copies of health records are all common HIPAA Right of Access failures.

The two HIPAA Right of Access settlements reached so far under OCR's enforcement initiative have both resulted in $85,000 financial penalties. With these enforcement actions OCR is sending a clear message to healthcare providers that noncompliance with the HIPAA Right of Access will not be tolerated.

Right of Access violations aside, the same areas of noncompliance continue to attract financial penalties, especially the failure to conduct a comprehensive, organization-wide risk analysis. 2019 also saw an increase in the number of cited violations of the HIPAA Breach Notification Rule.

HIPAA Compliance Issues Cited in 2019 Enforcement Actions

Noncompliance Issue                          | Number of Cases
---------------------------------------------|----------------
Risk Analysis                                | 5
Breach Notifications                         | 3
Access Controls                              | 2
Business Associate Agreements                | 2
HIPAA Right of Access                        | 2
Security Rule Policies and Procedures        | 2
Device and Media Controls                    | 1
Failure to Respond to a Security Incident    | 1
Information System Activity Monitoring       | 1
No Encryption                                | 1
Notices of Privacy Practices                 | 1
Privacy Rule Policies and Procedures         | 1
Risk Management                              | 1
Security Awareness Training for Employees    | 1
Social Media Disclosures                     | 1

OCR's HIPAA enforcement in 2019 also clearly demonstrated that a data breach does not have to have occurred for a compliance investigation to be launched. OCR investigates all breaches of 500 or more records to determine whether noncompliance contributed to the cause of the breach, but complaints can also result in an investigation and compliance review. That was the case with both enforcement actions under the HIPAA Right of Access initiative.


North Ottawa Community Health System Discovers 3-Year Insider Breach

North Ottawa Community Health System (NOCH) has discovered an employee at North Ottawa Community Hospital in Grand Haven, MI, accessed the medical records of patients without authorization over a period of 3 years.

The matter was brought to the attention of the health system on October 15, 2019 by another employee. An investigation into the alleged inappropriate access was launched on October 17, 2019 and the employee was suspended pending the outcome of the investigation.

NOCH confirmed on November 25, 2019 that the employee had accessed the medical records of 4,013 patients without any legitimate work reason for doing so between May 2016 and October 2019. There appeared to be no discernible pattern to the unauthorized access. Patient records appeared to have been accessed at random.

No evidence was found to suggest that any patient information was stolen. NOCH believes the employee was accessing patient information out of curiosity.

The types of information potentially accessed included names, dates of birth, Social Security numbers, Medicare and Medicaid numbers, health insurance information, and some health information. Any patient whose Social Security number was viewable has been offered complimentary credit monitoring and identity theft protection services for 12 months.

Further training on NOCH policies covering medical record access have been provided to all staff members and employee access to patient records has been tightened.

The breach has been reported to the Department of Health and Human Services’ Office for Civil Rights. It is up to OCR to decide if any further action is taken against the employee over the HIPAA violation.

Cyberattack Forces Shutdown of Center for Health Care Services’ Computer Systems

The Center for Health Care Services (CHCS) in San Antonio, TX, experienced a cyberattack over the holiday period which forced it to shut down its computer systems.

CHCS provides healthcare services for individuals with mental health disorders, developmental disabilities, and substance abuse disorder and operates several walk-in clinics and outreach centers in San Antonio.

The CHCS IT team determined that a single server had been compromised after being alerted about the cyberattack by federal officials. The decision was taken to shut down its entire computer system as a precaution. The IT department has started restoring its computer systems and bringing them back online one by one, starting with the systems at its largest clinics. The process is expected to take several days.

The cyberattack was part of a larger attack that started before the holiday period. It is currently unclear how many other organizations have been affected.
