HIPAA Breach News

Healthcare Data Breach Report: April 2018

April was a particularly bad month for healthcare data breaches, with both the number of breaches and the number of individuals impacted by breaches substantially higher than in March.

There were 41 healthcare data breaches reported to the Department of Health and Human Services’ Office for Civil Rights in April. Those breaches resulted in the theft/exposure of 894,874 healthcare records.

Healthcare Data Breach Trends

For the past four months, the number of healthcare data breaches reported to OCR has increased month over month.

Healthcare data breaches by month

For the third consecutive month, the number of records exposed in healthcare data breaches has increased.

Healthcare records exposed by month

Causes of Healthcare Data Breaches in April 2018

The healthcare industry may be a big target for hackers, but the biggest cause of healthcare data breaches in April was unauthorized access/disclosure incidents. While cybersecurity defenses have been improved to make it harder for hackers to gain access to healthcare data, preventing accidental data breaches by insiders and malicious acts by healthcare employees remains a major problem.

Causes of Healthcare Data Breaches in April 2018

Records exposed by breach type (April 2018)

Largest Healthcare Data Breaches in April 2018

More than half of the healthcare records exposed in April were the result of a single security incident at the California Department of Developmental Services. Thieves broke into California Department of Developmental Services offices, stole electronic equipment, and started a fire. Digital copies of PHI on the stolen equipment were encrypted and were therefore not exposed. Most of the PHI was in physical form and it does not appear any paperwork was taken by the burglars.

While hacking usually results in the highest number of exposed/stolen records, in April the most serious breaches in terms of the number of individuals affected were unauthorized access/disclosure incidents. In April there were 11 major breaches involving the theft/exposure of more than 10,000 records.

Covered Entity | Entity Type | Records Exposed | Breach Type
CA Department of Developmental Services | Health Plan | 582,174 | Unauthorized Access/Disclosure
Center for Orthopaedic Specialists – Providence Medical Institute (PMI) | Healthcare Provider | 81,550 | Hacking/IT Incident
MedWatch LLC | Business Associate | 40,621 | Unauthorized Access/Disclosure
Inogen, Inc. | Healthcare Provider | 29,528 | Hacking/IT Incident
Capital Digestive Care, Inc. | Healthcare Provider | 17,639 | Unauthorized Access/Disclosure
Iowa Health System d/b/a UnityPoint Health | Business Associate | 16,429 | Hacking/IT Incident
Knoxville Heart Group, Inc. | Healthcare Provider | 15,995 | Hacking/IT Incident
Athens Heart Center, P.C. | Healthcare Provider | 12,158 | Hacking/IT Incident
Fondren Orthopedic Group L.L.P. | Healthcare Provider | 11,552 | Unauthorized Access/Disclosure
Kansas Department for Aging and Disability Services | Healthcare Provider | 11,000 | Unauthorized Access/Disclosure
Carolina Digestive Health Associates, PA | Healthcare Provider | 10,988 | Unauthorized Access/Disclosure

Location of Breached PHI

One of the main causes of healthcare breaches in April was phishing attacks. There were nine data breaches involving the hacking of email accounts in April. The high number of phishing attacks highlights the need for healthcare organizations to invest in technology to prevent malicious emails from being delivered to employees’ inboxes and to improve security awareness of the workforce.

Location of Breached PHI (April 2018)

Data Breaches by Covered Entity

The majority of breaches in April were reported by healthcare providers, followed by health plans and business associates. While five breaches were reported by business associates, there was business associate involvement in at least 11 incidents in April.

Data Breaches by Covered Entity (April 2018)

Healthcare Data Breaches by State

California is the most populous state and often tops the list for healthcare data breaches, although in April Illinois was the worst affected state with 6 reported breaches. California was second worst with 5 breaches, followed by Texas with 3 breaches.

Florida, Iowa, Kansas, Louisiana, Maryland, Minnesota, North Carolina, New Jersey, Virginia, and Wisconsin each had two breaches reported, while Georgia, Kentucky, Montana, Nebraska, New York, Pennsylvania, and Tennessee each had one reported breach in April.

Financial Penalties for HIPAA Covered Entities

The HHS’ Office for Civil Rights has only issued two financial penalties for HIPAA violations so far in 2018, with no cases resolved since February.

There was one HIPAA violation case resolved by a state attorney general in April. Virtua Medical Group agreed to resolve violations of state and HIPAA laws with the New Jersey attorney general’s office for $417,816.

The breach that triggered the investigation exposed the names, diagnoses, and prescription information of 1,654 New Jersey residents. The information was accessible over the Internet as a result of a misconfigured server.

A Division of Consumer Affairs investigation alleged Virtua Medical Group had failed to conduct a thorough risk analysis and did not implement appropriate security measures to reduce risk to a reasonable and acceptable level.

The post Healthcare Data Breach Report: April 2018 appeared first on HIPAA Journal.

Former Employee of Nuance Communications Stole PHI of 45,000 Patients

In a recent filing with the U.S. Securities and Exchange Commission, Burlington, MA-based Nuance Communications disclosed it experienced a data breach involving the protected health information of 45,000 individuals in December 2017.

Nuance Communications stated in its May 10, 2018 SEC filing that a third party accessed certain reports hosted on a single Nuance transcription platform, which was promptly shut down when unauthorized access was discovered. The filing states law enforcement was notified about the breach and assisted with the investigation and apprehended the individual responsible.

There is no mention of when the breach was discovered, although the company has notified all customers who used the platform to allow them to issue notifications to affected individuals.

One of those customers, The San Francisco Health Network, published a substitute breach notice on its website on May 11 providing further information on the breach.

The breach notice explains that the protected health information of 895 patients who received medical services at Zuckerberg San Francisco General Hospital or Laguna Honda Hospital was accessed between November 20 and December 9, 2017.

The types of information accessed include names, birth dates, medical record numbers, patient numbers, and dictated notes. The notes included providers’ assessments of patients, diagnoses, dates of service, and treatment and care plans.

The law enforcement investigation uncovered the identity of the individual – a former employee of Nuance Communications – and determined that individual accessed a transcription platform without authorization. The Justice Department told the San Francisco Health Network that all stolen data have been recovered and no evidence has been found to suggest the PHI was disclosed to other individuals or used for any purpose.

The FBI and the U.S. Department of Justice requested notifications be delayed while the criminal investigation into the breach was conducted. It is unclear whether criminal charges have been filed against the individual responsible.

The SEC filing also includes details of the cost of the NotPetya wiper attack on Nuance Communications in June 2017. Most of the costs associated with the attack were covered in fiscal year 2017, which included a loss of $68 million in revenues primarily due to service disruption and reserves established for customer refund credits. The remediation and restoration efforts also cost an additional $24 million.

The attack also contributed to “a year-over-year decline in the annualized line run-rate in our on-demand healthcare solutions and in the estimated three-year value of on-demand contracts; a year-over-year decline in hosted revenue and an increase in restructuring and other charges.” Nuance Communications expects to have to cover additional costs throughout the remainder of fiscal year 2018 to enhance and upgrade its information security protections to prevent future cyberattacks.


Eye Care Surgery Center Data Breach Impacts 2,553 Patients

A laptop computer containing the protected health information of 2,553 patients of Eye Care Surgery Center, Inc., of Baton Rouge, LA has been stolen.

The theft was discovered by Eye Care Surgery Center on February 26, 2018. While there is no mention of where the device was stolen from in the company’s substitute breach notice, the actions taken following the breach suggest the device was taken from its facilities rather than the vehicle of an employee.

The theft prompted Eye Care Surgery Center to install a new multi-camera system at its facilities, both inside and outside buildings. The decision has also been taken to use encryption on most of the portable electronic devices used by Eye Care Surgery Center to prevent any future theft incidents from exposing any protected health information.

An investigation was conducted to determine the types of information stored on the device and the patients affected by the incident. Highly sensitive information such as health insurance information, Social Security numbers, and financial information was not stored on the device. The breach was limited to names, birth dates, and diagnosis information. No reports have been received to suggest any of the information stored on the device has been misused.

Affected individuals have now been notified of the breach by mail and the incident has been reported to the Department of Health and Human Services’ Office for Civil Rights.


8,300 Cerebral Palsy Research Foundation of Kansas Patients Informed of 10-Month Exposure of PHI

An oversight left a database used by Cerebral Palsy Research Foundation of Kansas (CPRF) without its security protections for a period of 10 months, exposing the protected health information (PHI) of 8,300 patients.

The vulnerable demographic database was discovered on March 10, 2018 and was immediately secured. The investigation into the breach determined that the database had been created on a secure subdomain in early 2000; when CPRF switched its servers in 2017, the database was not identified, and its security protections were accidentally removed. During the time that the database was vulnerable it is possible that personal and health information was accessed by unauthorized individuals.

The breach was limited to personal information and personal health information relating to the type of disability suffered by patients. No financial information or donor information was exposed. Individuals affected by the breach had received services from CPRF between 2001 and 2010.

It is unclear whether any of the exposed information was accessed by unauthorized individuals during the time that the database was left unsecured. Out of an abundance of caution, CPRF is offering all affected individuals one year of credit monitoring and identity theft protection services free of charge.

As part of its investigation and vulnerability remediation efforts, CPRF performed a complete audit of all domains, subdomains, and databases and discovered no further vulnerabilities. Data security policies have been reinforced, as have policies and procedures related to employee transitions, to prevent future errors that could lead to the exposure of PHI. CPRF has also contracted a third party to perform regular vulnerability scans and penetration tests.

All affected individuals have been notified of the privacy breach by mail and a breach report has been submitted to the Department of Health and Human Services’ Office for Civil Rights.


Spate of Phishing Attacks on Healthcare Organizations Sees 90,000 Records Exposed

The past few weeks have seen a significant rise in successful phishing attacks on healthcare organizations. In a little over four weeks there have been 10 major email hacking incidents reported to the Department of Health and Human Services’ Office for Civil Rights, each of which has resulted in the exposure and potential theft of more than 500 healthcare records. Those ten incidents alone have seen almost 90,000 healthcare records compromised.

Recent Email Hacking and Phishing Attacks on Healthcare Organizations

HIPAA-Covered Entity | Records Exposed
Inogen Inc. | 29,529
Knoxville Heart Group | 15,995
USACS Management Group Ltd | 15,552
UnityPoint Health | 16,429
Texas Health Physicians Group | 3,808
Scenic Bluffs Health Center | 2,889
ATI Holdings LLC | 1,776
Worldwide Insurance Services | 1,692
Billings Clinic | 949
Diagnostic Radiology & Imaging, LLC | 800
The Oregon Clinic | Undisclosed


So far this year there have been three data breaches involving the hacking of email accounts that have exposed more than 30,000 records. Agency for Health Care Administration suffered a 30,000-record breach in January, ATI Holdings, LLC experienced a breach in March that resulted in the exposure of 35,136 records, and the largest email hacking incident of the year affected Onco360/CareMed Specialty Pharmacy and impacted 53,173 patients.

Wombat Security’s 2018 State of the Phish Report revealed three quarters of organizations experienced phishing attacks in 2017 and 53% experienced a targeted attack. The Verizon 2017 Data Breach Investigations Report, released in May, revealed 43% of data breaches involved phishing, and a 2017 survey conducted by HIMSS Analytics on behalf of Mimecast revealed 78% of U.S. healthcare providers have experienced a successful email-related cyberattack.

How Healthcare Organizations Can Improve Phishing Defenses

Phishing targets the weakest link in an organization: Employees. It therefore stands to reason that one of the best defenses against phishing is improving security awareness of employees and training the workforce how to recognize phishing attempts.

Security awareness training is a requirement under HIPAA (45 C.F.R. § 164.308(a)(5)(i)). All members of the workforce, including management, must be trained on security threats and the risk they pose to the organization.

“An organization’s training program should be an ongoing, evolving process and flexible enough to educate workforce members on new cybersecurity threats and how to respond to them,” suggested OCR in its July 2017 cybersecurity newsletter.

HIPAA does not specify how frequently security awareness training should be provided, although ongoing programs including a range of training methods should be considered. OCR indicates many healthcare organizations have opted for bi-annual training accompanied by monthly security updates and newsletters, although more frequent training sessions may be appropriate depending on the level of risk faced by an organization.

A combination of classroom-based sessions, CBT training, newsletters, email alerts, posters, team discussions, quizzes, and other training techniques can help an organization develop a security culture and greatly reduce susceptibility to phishing attacks.

The threat landscape is constantly changing. To keep abreast of new threats and scams, healthcare organizations should consider signing up with threat intelligence services. Alerts about new techniques that are being used to distribute malicious software and the latest social engineering ploys and phishing scams can be communicated to employees to raise awareness of new threats.

In addition to training, technological safeguards should be implemented to reduce risk. Advanced antivirus and anti-malware defenses should be deployed to detect the installation of malicious software, while intrusion detection systems can be used to rapidly identify suspicious network activity.

Email security solutions such as spam filters should be used to limit the number of potentially malicious emails that are delivered to end users’ inboxes. Solutions should analyze inbound email attachments using multiple AV engines, and be configured to quarantine emails containing potentially harmful file types.

Embedded URLs should be checked at the point when a user clicks. Attempts to access known malicious websites should be blocked and an analysis of unknown URLs should be performed before access to a webpage is permitted.
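As an added example (not code from the HIPAA Journal post or any product it mentions), the following Python script models two of the controls described above: quarantining inbound attachments by file type and vetting embedded URLs at click time rather than only at delivery. The policy lists (QUARANTINE_EXTENSIONS, SANDBOX_EXTENSIONS, KNOWN_BAD_HOSTS, KNOWN_GOOD_HOSTS), the sample message and all hostnames are constructed for the example; a real gateway would take them from its own configuration and reputation feeds.

```python
"""Inbound-mail policy check: attachment-type quarantine plus click-time
URL vetting. Added example; every list, host and message is constructed."""
import email
import re
from email import policy
from email.message import EmailMessage
from urllib.parse import urlparse

# Constructed policy lists standing in for gateway configuration and
# reputation services.
QUARANTINE_EXTENSIONS = {"exe", "scr", "js", "vbs", "hta", "jar", "bat", "cmd", "ps1"}
SANDBOX_EXTENSIONS = {"zip", "rar", "7z", "iso"}
KNOWN_BAD_HOSTS = {"login-verify-example.test"}   # constructed blocklist
KNOWN_GOOD_HOSTS = {"intranet.clinic.example"}    # constructed allowlist

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def parse_message(raw):
    """Parse raw RFC 5322 bytes with the modern policy so MIME helpers work."""
    return email.message_from_bytes(raw, policy=policy.default)


def attachment_verdicts(msg):
    """Decide allow / sandbox / quarantine for each attachment by file type.

    Every dotted segment after the base name is checked, so both
    'invoice.pdf.exe' and the less obvious 'invoice.exe.pdf' are flagged."""
    verdicts = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "unnamed").lower()
        exts = set(name.split(".")[1:])
        if exts & QUARANTINE_EXTENSIONS:
            verdicts.append((name, "quarantine"))
        elif exts & SANDBOX_EXTENSIONS:
            verdicts.append((name, "sandbox"))   # hand to AV engines / detonation
        else:
            verdicts.append((name, "allow"))
    return verdicts


def extract_urls(msg):
    """Collect URLs from the preferred body part (HTML first, then plain text)."""
    body = msg.get_body(preferencelist=("html", "plain"))
    return URL_RE.findall(body.get_content()) if body else []


def click_time_verdict(url):
    """Verdict applied when the user clicks, not at delivery time, so a host
    that turned malicious after the mail arrived is still caught."""
    host = (urlparse(url).hostname or "").lower()
    if host in KNOWN_BAD_HOSTS:
        return "block"
    if host in KNOWN_GOOD_HOSTS:
        return "allow"
    return "analyze"   # unknown: scan/detonate before the page is served


def build_sample_message():
    """Constructed inbound message: a lure carrying a disguised executable."""
    msg = EmailMessage()
    msg["From"] = "billing@vendor.example"
    msg["To"] = "staff@clinic.example"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please review the attached invoice.")
    msg.add_alternative(
        "<p>Review the invoice\n"
        '<a href="https://login-verify-example.test/portal">online</a>\n'
        'or see <a href="https://intranet.clinic.example/help">help</a>.</p>\n',
        subtype="html",
    )
    msg.add_attachment(b"MZ\x90\x00", maintype="application",
                       subtype="octet-stream", filename="Invoice_0418.pdf.exe")
    msg.add_attachment(b"%PDF-1.4 ...", maintype="application",
                       subtype="pdf", filename="statement.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    message = parse_message(build_sample_message())
    for name, verdict in attachment_verdicts(message):
        print(f"attachment {name}: {verdict}")
    for url in extract_urls(message):
        print(f"url {url}: {click_time_verdict(url)}")
```

The attachment check deliberately looks at every extension in the file name rather than the last one, and the URL verdict is computed at click time so that a link that was clean at delivery but later repointed to a malicious host is still blocked or sent for analysis.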

Phishing is highly profitable, attacks are often successful, and it remains one of the easiest ways to gain a foothold in a network and gain access to PHI. As such, phishing will remain one of the biggest threats to the confidentiality, integrity, and availability of PHI. It is up to healthcare organizations to make it as difficult as possible for the attacks to succeed.


Class Action Lawsuit Claims UnityPoint Health Misled Patients over Severity of Phishing Attack

A class action lawsuit has been filed in response to a data breach at UnityPoint Health that saw the protected health information (PHI) of 16,429 patients exposed and potentially obtained by unauthorized individuals.

As with many other healthcare data breaches, PHI was exposed as a result of employees falling for phishing emails. UnityPoint Health discovered the security breach on February 15, 2018 and sent breach notification letters to affected patients two months later, on or around April 16, 2018.

HIPAA-covered entities have up to 60 days following the discovery of a data breach to issue notifications to patients. Many healthcare organizations wait before issuing breach notifications and submitting reports of the incident to the Department of Health and Human Services’ Office for Civil Rights.

Waiting for two months to issue notifications to breach victims could be viewed as a violation of HIPAA Rules. While the maximum time limit for reporting was not exceeded, the HIPAA Breach Notification Rule requires notifications to be sent ‘without unnecessary delay.’ The HHS’ Office for Civil Rights has taken action over delayed breach notifications in the past, although no penalties have been issued when notification letters have been sent within 60 days of the discovery of a breach.

The notification letters explained to patients that some of their health information had been exposed. The substitute breach notice posted on the UnityPoint Health website in April said the types of information potentially accessed by the attackers included “patient names and one or more of the following: dates of birth, medical record numbers, treatment information, surgical information, diagnoses, lab results, medications, providers, dates of service and/or insurance information. For a limited number of impacted individuals, information that may have been viewed included Social Security Numbers or other financial information.”

UnityPoint Health told patients no reports had been received to suggest that their PHI had been accessed, stolen, or misused.

Patients were encouraged to “remain vigilant in reviewing your account statements for fraudulent or irregular activity”, although the burden of protecting against identity theft and fraud was passed on to patients. Affected individuals were not offered credit monitoring and identity theft protection services nor were they protected by an insurance policy covering misuse of their data.

The lawsuit was filed on May 4 by attorney Robert Teel against Iowa Health Systems Inc., the company that runs UnityPoint Health. Yvonne Mart Fox, of Middleton, WI, lead plaintiff in the class action lawsuit, has accused UnityPoint Health of delaying reporting the breach to regulators and patients. She also alleges UnityPoint Health “misrepresented the nature, breadth, scope, harm, and cost of the privacy breach.”

Fox claims she has suffered sleep deprivation as a direct result of the breach and experiences daily anger. She also claims to have had an increase in the number of automated calls to her cellphone and landline in 2018 and an increase in marketing and other spam emails, which have been attributed to the theft of her contact information.

Fox and other class members are seeking compensatory, punitive, and other damages.


Capital Digestive Care Notifies 17,639 Individuals of PHI Exposure

The Silver Spring, MD-based gastroenterology group Capital Digestive Care has discovered one of its business associates uploaded files to a commercial cloud server that lacked appropriate security controls, exposing the protected health information of up to 17,639 patients.

The availability of sensitive patient data over the Internet was brought to the attention of Capital Digestive Care on February 23, 2018 and action was promptly taken to secure the files and prevent further unauthorized access.

An investigation into the privacy breach was launched to determine the types of information that had been exposed and the number of patients impacted.

The investigation confirmed some sensitive data had been exposed, although the breach was limited to individuals who had visited its website and submitted information via the Schedule a Visit and Contact pages on the site.

The types of information exposed were limited to names, addresses, email addresses, telephone numbers, and birth dates. Patients may also have had a limited amount of health information exposed. The login page to the patient portal and the Pay a Bill pages were unaffected, so no financial information was exposed. No patient accounts were compromised, and Social Security numbers and electronic health records remained secure at all times.

Capital Digestive Care has taken steps to prevent further breaches of PHI. All third-party vendors are now required to confirm compliance with HIPAA Security Rule provisions concerning the secure storage of personal data.

All patients impacted by the incident have been notified by mail and provided with information on monitoring and protecting their personal information.

It is unclear for how long patient data were exposed and how many unauthorized individuals viewed patient information.

Capital Digestive Care has not received any reports to suggest the exposed information has been obtained by unauthorized individuals or misused.


3 University of Arkansas Medical Sciences Employees Fired for Violation of Patient Privacy

University of Arkansas Medical Sciences (UAMS) has fired three employees over alleged HIPAA violations that saw a patient’s protected health information impermissibly disclosed and published on Facebook.

UAMS provides training to all employees to make them aware of their responsibilities with respect to patient privacy and the requirements of HIPAA, yet despite that training, one employee violated the privacy of a patient by disclosing that individual’s name, age, HIV status, employment information, and surgical history to a colleague.

That employee shared the information with a friend who uploaded the PHI to Facebook. A third employee allegedly played no part in the violation but was aware of the disclosures yet failed to report the incident to the hospital.

The hospital took prompt action when the HIPAA violations were discovered and terminated all three employees for violating HIPAA Rules and the hospital’s code of conduct. The hospital is taking steps to ensure similar incidents are prevented and is working with the patient to resolve the privacy violation.

The motives of the employees are unclear, but their responsibility to ensure patient privacy was protected had been clearly explained, and there can be no doubt that they were aware that their actions were in breach of federal regulations.

In addition to the loss of their jobs, the matter has been referred to the U.S. attorney’s office and criminal charges for the HIPAA violation are being considered.

The privacy violation should serve as a warning to all healthcare employees about the potential repercussions of HIPAA violations, and also that failing to report a HIPAA violation by a co-worker can result in loss of employment.

If a HIPAA violation is discovered in the workplace, the incident should be reported to the organization’s privacy officer to ensure prompt action can be taken to limit the harm caused.


Protenus Report Highlights Extent of Insider Breaches in Healthcare

The quarterly Breach Barometer report from Protenus provides interesting insights into the extent to which insiders are violating HIPAA Rules and snooping on patient health information.

The Breach Barometer report is compiled using breach data supplied by Databreaches.net and proprietary data collected through the artificial intelligence platform developed by Protenus that allows healthcare organizations to track and analyze employee EHR activity.

Insider breaches are a major problem in healthcare, yet many insider breaches go undetected. When insider breaches are identified, it is often months after the breach has occurred. One healthcare employee was recently discovered to have been accessing medical records without authorization for 14 years.

1.13 Million Patient Records Exposed in Q1, 2018

The latest Breach Barometer report shows the records of 1,129,744 patients and health plan members have been viewed by unauthorized individuals, exposed, or stolen in the first quarter of 2018. Data breaches occurred at a rate of more than one per day, with 110 healthcare data breaches reported in Q1.

Data breaches are typically only announced publicly if they have affected more than 500 individuals. Smaller data breaches still need to be reported to the HHS’ Office for Civil Rights to comply with HIPAA Rules, although the information is not made available to the public.

An analysis of the data collected from the Protenus platform suggests only one thousandth of data breaches are actually disclosed to the public, and inappropriate accessing of medical records by healthcare employees is a major problem throughout the industry.

Most commonly, healthcare employees snoop on the medical records of family members. 77.10% of all insider snooping incidents in Q1, 2018 involved the unauthorized accessing of family members’ health records. In second place was inappropriate accessing of co-workers’ health records, followed by snooping on neighbors’ health information and VIPs’ medical records.

The Protenus report shows just how important it is to detect these incidents promptly to prevent further privacy violations. Data analyses by Protenus show there is a 20% chance that a healthcare employee will inappropriately view medical records again within three months of the first incident, and a 54% chance that they will repeat the violation at least once in the following 12 months. “Healthcare organizations accumulate risk that compounds over time when proper detection, reporting, and education do not occur,” said Kira Caban, Protenus Director of Public Relations.

Unfortunately, most healthcare providers lack visibility into who is accessing medical records, and privacy violations take many months to be detected. The average time taken to identify a breach of patient privacy is 244 days.
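As an added example (not from the Protenus report or the HIPAA Journal post), the following Python script runs the kind of access-pattern detection the report argues for over a constructed EHR audit log: it flags accesses to the employee’s own record, to co-workers’ records, and to records that share the employee’s last name when there is no treatment relationship, then identifies users who repeat within a 90-day window, mirroring the "again within three months" figure above. The employee directory (EMPLOYEES), patient index (PATIENTS) and SAMPLE_LOG are all constructed for the example; the care_team column stands in for the treatment-relationship lookup a real EHR would make against scheduling data.

```python
"""Insider-access detection over a constructed EHR audit log.
Flags own-record, co-worker and same-surname accesses made outside a
treatment relationship, then finds repeat offenders within a time window.
Added example; the directory, patient index and log are all constructed."""
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO

# Constructed employee directory: user id -> (last name, own patient id if any)
EMPLOYEES = {
    "u100": ("Alvarez", "p555"),
    "u101": ("Brennan", "p556"),
    "u102": ("Alvarez", None),
}
# Constructed patient index: patient id -> last name
PATIENTS = {"p555": "Alvarez", "p556": "Brennan", "p777": "Okafor", "p778": "Alvarez"}
# Patient ids that belong to staff members, used for the co-worker check
STAFF_RECORDS = {pid for _, pid in EMPLOYEES.values() if pid}

# Constructed audit log; care_team says whether the user is on the patient's
# treatment team (a real EHR would derive this from scheduling/assignment data).
SAMPLE_LOG = """when,user,patient,action,care_team
2018-03-01T09:12:00,u100,p777,view,yes
2018-03-02T10:05:00,u100,p555,view,no
2018-03-15T14:30:00,u101,p555,view,no
2018-04-03T11:00:00,u102,p778,view,no
2018-04-20T08:00:00,u101,p555,print,no
2018-05-01T16:45:00,u101,p777,view,yes
2018-05-02T09:00:00,u102,p777,view,yes
"""


def parse_log(text):
    """Turn the CSV log into dicts with typed 'when' and 'care_team' fields."""
    events = []
    for row in csv.DictReader(StringIO(text)):
        row["when"] = datetime.fromisoformat(row["when"])
        row["care_team"] = row["care_team"] == "yes"
        events.append(row)
    return events


def classify(event):
    """Return a reason string for a suspicious access, or None if benign."""
    if event["care_team"]:
        return None                      # treatment relationship: expected access
    user_last, own_record = EMPLOYEES.get(event["user"], ("", None))
    patient = event["patient"]
    if patient == own_record:
        return "self-access"
    if patient in STAFF_RECORDS:
        return "coworker-record"
    if PATIENTS.get(patient) == user_last:
        return "family-name-match"       # weak signal, but worth a reviewer's look
    return "no-care-relationship"


def detect(events):
    """Run classify over every event and keep the flagged ones, in log order."""
    alerts = []
    for e in events:
        reason = classify(e)
        if reason:
            alerts.append({"when": e["when"], "user": e["user"],
                           "patient": e["patient"], "reason": reason})
    return alerts


def repeat_offenders(alerts, window_days=90):
    """Users with two flagged accesses within window_days of each other,
    mapped to their total number of flagged accesses."""
    times_by_user = defaultdict(list)
    for a in alerts:
        times_by_user[a["user"]].append(a["when"])
    window = timedelta(days=window_days)
    repeats = {}
    for user, times in times_by_user.items():
        times.sort()
        if any(later - earlier <= window for earlier, later in zip(times, times[1:])):
            repeats[user] = len(times)
    return repeats


if __name__ == "__main__":
    found = detect(parse_log(SAMPLE_LOG))
    for a in found:
        print(f"{a['when']:%Y-%m-%d} {a['user']} -> {a['patient']}: {a['reason']}")
    print("repeat offenders within 90 days:", repeat_offenders(found))
```

The treatment-relationship check runs first so that routine clinical access never generates noise; the surname match is kept as a separate, lower-confidence reason because it will produce false positives in a large workforce and should route to a privacy officer for review rather than trigger automatic action.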

The Quarterly Breach Barometer report can be downloaded from Protenus.
