HIPAA Breach News

Lawmakers Accuse Oklahoma Department of Veteran Affairs of Violating HIPAA Rules

The Oklahoma Department of Veteran Affairs has been accused of violating Health Insurance Portability and Accountability Act (HIPAA) Rules by three Democrat lawmakers, who have also called for two top Oklahoma VA officials to be fired over the incident.

The alleged HIPAA violation occurred during a scheduled internet outage, during which VA medical aides were prevented from gaining access to veterans’ medical records. The outage had the potential to cause major disruption and prevent “hundreds” of veterans from being issued with their medications. To avoid this, the Oklahoma Department of Veteran Affairs allowed medical aides to access electronic medical records using their personal smartphones.

In a letter to Oklahoma Governor Mary Fallin, Reps. Brian Renegar, Chuck Hoskin, and David Perryman called for the VA Executive Director Doug Elliot and the clinical compliance director Tina Williams to be fired over the alleged HIPAA violation.

They claimed Elliot and Williams “have little regard for, and knowledge of, health care,” and allowing medical aides to access electronic medical records via personal smartphones was “a direct violation of HIPAA” and potentially placed millions of dollars of federal funding in jeopardy.

State CISO Mark Gower is adamant that HIPAA Rules were not violated. He explained that only a limited number of medical aides were allowed to access electronic health records using their smartphones, and access was only granted for a limited period of time until the problem was resolved. When the issue was over, access to medical records via smartphones was blocked. It was just a case of temporarily swapping a laptop or desktop computer for a smartphone.

Gower explained that accessing medical records using a smartphone did not result in medical records being copied to the devices. The medical records system does not create a cache or store any information locally. Gower also said that the records system and the smartphones met the VA’s security requirements.

The three lawmakers do not believe Gower’s explanation and claim that during the outage, employees at all seven of the state’s care centers were allowed to copy medical records onto their personal cellphones.

Doug Elliot said the medical aides were “the best and brightest” and that it was “Unfathomable that any of the med aides have disclosed that information to a third party.” He also said it was “unconscionable” for the legislators to suggest that VA employees had violated HIPAA Rules and patient privacy.

While Elliot does not believe the allegations have any merit, they are being taken seriously. Elliot has reported the matter to the state’s IT security team which will be conducting a full investigation. The Office of Management and Enterprise Services, which oversees IT for state agencies, is also looking into the allegations.

The legislators are not happy with the matter being investigated by a state agency and believe that this incident can only be impartially investigated by the federal government. The legislators have also reported the matter to the Department of Health and Human Services, the Department of Veteran Affairs, and U.S. Attorney Robert Troester.

“The federal government’s going to be the one to determine this, not some state agency helping another state agency wash their hands of what they did,” said Rep. Renegar.

The post Lawmakers Accuse Oklahoma Department of Veteran Affairs of Violating HIPAA Rules appeared first on HIPAA Journal.

MedSpring Urgent Care Breach Impacts 13,034 Patients

MedSpring Urgent Care, a network of urgent care clinics in Atlanta, Chicago, Austin, Dallas, Fort Worth, and Houston, has discovered an unauthorized individual has gained access to an email account as a result of an employee being duped by a phishing email.

The email account was compromised on May 8, 2018 but the security breach was not detected until May 17. Upon discovery of the breach, the email account was secured to prevent further unauthorized access and a leading cybersecurity forensics firm was contracted to conduct an investigation into the breach and assist with the breach response.

MedSpring discovered on May 22, 2018 that the attacker potentially gained access to the protected health information of patients through the emails and email attachments. The breach was limited to a single email account and no other systems were compromised.

A full review of all messages in the account was conducted to determine which patients had been affected and the types of information that had been exposed. MedSpring says the breach was limited to patients who had previously visited its urgent care clinics in Illinois.

The email account contained information such as names, medical record numbers, account numbers, dates of services, and other information related to the medical services provided to patients. The investigation did not uncover any evidence to suggest that emails in the account were viewed and MedSpring has not been informed of any cases of misuse of patient information to date.

All patients potentially affected by the phishing attack have now been notified by mail and 12 months of complimentary credit monitoring, identity protection and fraud resolution services have been provided through Experian.

As is required under HIPAA Rules, the Department of Health and Human Services’ Office for Civil Rights has been notified about the breach. The breach report indicates 13,034 patients have been affected.


At Least 3.14 Million Healthcare Records Were Exposed in Q2, 2018

In total, there were 143 data breaches reported to the media or the Department of Health and Human Services’ Office for Civil Rights (OCR) in Q2, 2018 and the healthcare records of at least 3,143,642 patients were exposed, impermissibly disclosed, or stolen. Almost three times as many healthcare records were exposed or stolen in Q2, 2018 as Q1, 2018.

The figures come from the Q2 2018 Breach Barometer Report from Protenus. The data for the report came from OCR data breach reports, data collected and collated by Databreaches.net, and proprietary data collected through the Protenus compliance and analytics platform, which monitors the tens of trillions of EHR access attempts by its healthcare clients.

Q2 2018 Healthcare Data Breaches

Month | Data Breaches | Records Exposed
April | 45 | 919,395
May | 50 | 1,870,699
June | 47 | 353,548


Q2, 2018 saw five of the top six breaches of 2018 reported. The largest breach reported – and largest breach of 2018 to date – was the 582,174-record breach at the California Department of Developmental Services – a burglary.

It is unclear whether any healthcare records were stolen in the breach, although data theft could not be ruled out. Many physical records were damaged by a fire started by the burglars, which activated the sprinkler system and caused water damage. Electronic equipment was taken, although it was encrypted.

The second largest data breach of 2018 was reported by MSK Group in May. The orthopedic group detected unauthorized access of parts of its network that contained the protected health information of 566,236 patients.

The third largest breach of 2018 involved the exposure and potential theft of 538,127 records from LifeBridge Health. Malware had been installed on a server on which billing information and medical records were stored.

The fifth and sixth largest breaches of the year to date were reported in June. Oklahoma State University Center for Health Sciences experienced a 279,865-record breach when its computer network was hacked and Med Associates, Inc., discovered a desktop computer had been hacked resulting in the exposure of 276,057 patients’ PHI.

The Threat from Within

Protenus has drawn attention to the threat from insider breaches and the importance of detecting privacy breaches promptly. When medical records are accessed by employees without authorization, there is a 30% chance of an employee violating patient privacy again within 3 months and a 66% chance they will do so again within 6 months. One of the main problems for hospitals is the time taken to investigate and respond to insider threats. On average, one investigator monitors the ePHI access attempts of 4,000 employees across an average of 2.5 hospitals – a significant burden.

Out of every 1,000 healthcare employees, Protenus determined that 9 will breach patient privacy, most commonly by snooping on the medical records of family members. In Q2, 2018, 71.4% of breaches involved employees snooping on family members’ medical records.

30.99% of breaches (44) reported to the Office for Civil Rights in Q2 were insider breaches, and out of the 27 incidents for which details have been disclosed, the records of 421,180 patients were known to have been compromised. There were 25 incidents involving insider error and 18 incidents involving insider wrongdoing.

Healthcare Hacking Incidents Increased in Q2 2018

The biggest cause of healthcare data breaches in Q2, 2018 was hacking/IT incidents which accounted for 36.6% of all reported breaches in the quarter. There were 52 hacking/IT incidents reported in Q2, compared to 30 in Q1 – a 73% increase. Those breaches resulted in the exposure/theft of at least 2,065,813 healthcare records.

Details were available for 44 breaches, of which 10 were phishing-related, 7 involved ransomware or malware, and 1 involved another form of extortion.

There were 23 reported cases of theft of physical or electronic records and a further 23 breaches that did not include enough information for them to be categorized. Overall, 84% of breaches involved electronic records and 16% involved paper records.

Healthcare providers were the worst hit with 76.37% of reported breaches, followed by health plans on 10.91%, business associates on 5.45%, and other entities on 7.27%.

The average time to discover a breach was 204 days and the median time was 18 days. The detection times ranged from one day to 1,587 days. From the available data, the average time to disclose breaches to the Office for Civil Rights was 71 days and the median time was 59 days. The maximum time frame under HIPAA for disclosing breaches is 60 days. California was the worst hit state with 20 incidents followed by Texas on 13.

The Protenus Q2 2018 healthcare data breach report can be downloaded on this link (PDF).


The High Cost of SamSam Ransomware Attacks: $17 Million for the City of Atlanta

The SamSam ransomware attack on the City of Atlanta was initially expected to cost around $6 million to resolve: substantially more than the $51,000 ransom demand that was issued. However, city officials now believe the final cost could be around $11 million higher, according to a “confidential and privileged” document obtained by The Atlanta Journal-Constitution.

The attack has prompted a complete overhaul of the city’s software and systems, including system upgrades, new software, and the purchasing of new security services, computers, tablets, laptops, and mobile phones.

The Colorado Department of Transportation was also attacked with SamSam ransomware this year and was issued with a similar ransom demand. As with the City of Atlanta, the ransom was not paid. In its case, the cleanup is expected to cost around $2 million.

When faced with extensive disruption and a massive cleanup bill, it is no surprise that many victims choose to pay the ransom. New figures have now been released that confirm just how many victims have paid to recover their files and regain control of their computer systems.

223 SamSam Ransoms Paid: Almost $6 Million Generated

A recent analysis of the cryptocurrency wallets used by the threat actor behind the SamSam ransomware has shown there have been 223 ransom payments made by victims in the two and a half years since the release of the first SamSam ransomware variant. The payments total almost $6 million, more than six times the amount previously thought to have been earned by the threat actor behind the attacks.

The figures come from Sophos, which has recently teamed up with a leading cryptocurrency tracking firm to investigate the attacks.

It was initially thought that the attacks were primarily being conducted on healthcare organizations, educational institutions, and government agencies, although the recent analysis has shown the private sector has attracted the majority of attacks. Healthcare organizations are obliged to report the attacks under HIPAA Rules, which is why it seemed like they were extensively targeted.

26% of all attacks have been on healthcare firms. The majority of attacks have been on private companies and have not been reported. Many attacked firms have chosen to quietly pay the ransom demand.

No Sign of SamSam Ransomware Attacks Slowing Down

Several cybersecurity firms have reported a slowdown in ransomware attacks as threat actors switch to spreading cryptocurrency mining malware due to the higher potential for profits. However, there has not been any slowdown in SamSam ransomware attacks.

On average, one SamSam ransomware attack is conducted a day and the attacks have a high success rate. With ransom demands of around $50,000 issued for each infection, and an average of $187,500 earned each month, it is unlikely that the attacks will stop any time soon.

SamSam ransomware infections do not occur via spam or phishing emails. Instead, companies are attacked through the exploitation of vulnerabilities and, recently, through brute force attacks on Remote Desktop Protocol (RDP) connections.

Access is gained to the network and the attacker manually moves laterally using standard administration tools rather than NSA exploits. The malicious payload is deployed on as many computers and servers as possible before the encryption routine is started. The attacks tend to take place at night when there is less chance of them being detected and blocked.

This quiet, stealthy method of attack ensures a high rate of success compared to the noisy spam-delivered campaigns. Sophos believes the attacks are the work of a single individual.

How to Block SamSam Ransomware Attacks

Vulnerability scans and penetration testing can help to identify vulnerabilities before they are exploited and prompt patching is essential. Multi-factor authentication should be implemented, intrusion detection systems deployed and correctly configured, access logs should be routinely checked, admin privileges should be limited, and regular backups should be made with at least one copy stored off-site and offline.

Access to RDP needs to be restricted and remote connections should ideally only be made through VPNs, which also need to be kept up to date. If RDP is not required it should be disabled.

If RDP is enabled, rate limiting should be used to lock out users after a set number of failed attempts, which blocks brute force attempts to gain access. Good password hygiene is also important: default passwords should be changed, strong passwords or passphrases used, and passwords changed at regular intervals.

It is also wise to change RDP connections from the standard TCP/3389 port, and it is similarly advisable not to have RDP connections exposed to the public internet.
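As an illustration of the advice above to check access logs routinely and to lock out repeated failed RDP logons (an added example, not code from Sophos or HIPAA Journal), the following scans a constructed export of Windows failed-logon (event 4625) and successful-logon (event 4624) records for brute forcing. The CSV layout, the threshold, the time window and the off-hours range are assumptions chosen for the example.

```python
import csv
import io
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample data. The column layout is an assumption for this
# example, not a standard Windows export format. IPs are documentation ranges.
SAMPLE_LOG = """\
time,event_id,logon_type,source_ip,account
2018-07-30T02:10:01,4625,10,203.0.113.45,administrator
2018-07-30T02:10:20,4625,10,203.0.113.45,administrator
2018-07-30T02:10:41,4625,10,203.0.113.45,admin
2018-07-30T02:11:02,4625,3,203.0.113.45,admin
2018-07-30T02:11:30,4625,3,203.0.113.45,backup
2018-07-30T02:12:30,4625,10,203.0.113.45,backup
2018-07-30T02:14:00,4624,10,203.0.113.45,backup
2018-07-30T09:00:10,4625,10,198.51.100.7,jsmith
2018-07-30T09:00:25,4625,10,198.51.100.7,jsmith
2018-07-30T09:01:00,4624,10,198.51.100.7,jsmith
2018-07-30T09:05:00,4625,2,-,jsmith
not-a-timestamp,4625,10,203.0.113.45,administrator
"""

FAILED_LOGON = 4625           # Windows Security log: an account failed to log on
SUCCESS_LOGON = 4624          # Windows Security log: an account logged on
REMOTE_LOGON_TYPES = {3, 10}  # 3 = Network (RDP with NLA), 10 = RemoteInteractive


def parse_events(text):
    """Return remote logon events sorted by time, skipping malformed rows."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        try:
            event = {
                "time": datetime.fromisoformat(row["time"]),
                "event_id": int(row["event_id"]),
                "logon_type": int(row["logon_type"]),
                "source_ip": row["source_ip"],
                "account": row["account"],
            }
        except (KeyError, TypeError, ValueError):
            continue  # a damaged line should not abort the whole review
        if event["logon_type"] in REMOTE_LOGON_TYPES:
            events.append(event)
    events.sort(key=lambda e: e["time"])
    return events


def is_off_hours(moment, start_hour=22, end_hour=6):
    """True when the time falls in the overnight window (assumed 22:00-06:00)."""
    return moment.hour >= start_hour or moment.hour < end_hour


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Flag source IPs with >= threshold failed remote logons inside the window.

    For each flagged IP, also record the first successful logon that follows
    the alert, which is the case that needs immediate investigation.
    """
    recent = defaultdict(deque)  # source_ip -> times of failures in the window
    tried = defaultdict(set)     # source_ip -> account names attempted
    findings = {}
    for event in events:
        ip, when = event["source_ip"], event["time"]
        if event["event_id"] == FAILED_LOGON:
            tried[ip].add(event["account"])
            failures = recent[ip]
            failures.append(when)
            while when - failures[0] > window:
                failures.popleft()  # drop failures older than the window
            if len(failures) >= threshold:
                finding = findings.setdefault(ip, {
                    "first_alert": when,
                    "peak_failures": 0,
                    "accounts": tried[ip],
                    "off_hours": is_off_hours(when),
                    "success_after": None,
                })
                finding["peak_failures"] = max(finding["peak_failures"],
                                               len(failures))
        elif event["event_id"] == SUCCESS_LOGON and ip in findings:
            if findings[ip]["success_after"] is None:
                findings[ip]["success_after"] = (when, event["account"])
    return findings


if __name__ == "__main__":
    for ip, finding in detect_bruteforce(parse_events(SAMPLE_LOG)).items():
        print(ip, finding)
```

The same threshold and window are the values an account lockout policy would enforce; a finding with `success_after` set means the guessing stopped because a logon worked, not because it was blocked.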

Sophos notes that the nature of SamSam ransomware attacks means that simply backing up files is not enough to ensure a quick recovery. SamSam ransomware encrypts not only files but also application configuration files. Even if files are restored, it is likely that applications will fail to work.

The only way of ensuring a full recovery apart from paying the ransom is to rebuild affected machines. It is therefore important that companies have a plan for such an eventuality if they are to avoid having to pay the ransom.


Protected Health Information of Three Hundred Thousand SSM Health Patients Exposed

SSM Health St. Mary’s Hospital in Jefferson City, Missouri is informing hundreds of thousands of patients that some of their protected health information has been left unprotected and could potentially have been viewed by unauthorized individuals.

On November 16, 2014, St. Mary’s Hospital moved to new premises and all patients’ medical records were transferred to the new facility and were secured at all times. However, on June 1, 2018, the hospital discovered many documents containing protected health information had been left behind.

The documents were mostly administrative and operational supporting documents and contained only a limited amount of protected health information. For the majority of patients, the only information that was exposed was their name and medical record number. Some patients also had some clinical data, demographic information, and financial information exposed.

Due to the number of documents involved, the hospital has retained a document services firm to catalogue all the documents and determine which patients have had some of their PHI exposed. It has taken some time for that process to be completed and for St. Mary’s to be provided with a reliable figure of the number of patients affected. The breach report submitted to the Department of Health and Human Services Office for Civil Rights indicates 301,000 patients have had some of their PHI exposed.

Security safeguards and deterrents were in place at the old facility, although after investigating, SSM Health determined that those safeguards were insufficient to ensure the security of patient information and it was not possible to say, with absolute confidence, that the documents were not viewed by unauthorized individuals during the three and a half years when they were inadequately protected.

While the incident constitutes a data breach and warrants notifications to be sent to patients, SSM Health does not believe patients face a significant risk of misuse of their information due to the limited amount of PHI that was exposed and the age of the data.

The hospital has now taken steps to ensure that further privacy breaches do not occur including reviewing and revising policies and procedures for record storage, retention, and destruction.


Hacktivist Convicted for DDoS Attack on Children’s Mercy Hospital

A hacktivist who conducted a Distributed Denial of Service (DDoS) attack on Boston’s Children’s Mercy Hospital in 2014 has been convicted on two counts – conspiracy to intentionally damage protected computers and damaging protected computers – by a jury in the U.S. District Court in Boston.

Martin Gottesfeld, 32, of Somerville, MA, conducted the DDoS attacks in March and April of 2014. He first conducted a DDoS attack on Wayside Youth and Family Support Network in Framingham, MA. The attack crippled its systems and took them out of action for more than a week. The attack cost the healthcare facility $18,000 to resolve.

Following that attack, Gottesfeld conducted a much larger attack on Boston Children’s Hospital using 40,000 malware-infected network routers that he controlled from his home computer. The attack was planned for a week and occurred on April 19, 2014.

Such was the scale of the attack that the hospital and several others in the Longwood medical area were knocked off the internet. 65,000 IP addresses used by the hospital and other healthcare facilities in the area were prevented from being available for legitimate communications. The attack affected the hospitals’ ability to communicate, use the internet, and even provide care to certain patients.

The attack disrupted operations at Boston Children’s Hospital for two weeks and cost an estimated $300,000. A further $300,000 was lost in donations as its fundraising portal was also taken offline as a result of the attack.

Gottesfeld claimed he conducted the DDoS attacks on behalf of the hacktivist group Anonymous in response to the way the hospital had behaved over a child custody case.

The custody case in question received national media attention and resulted in the parents of Connecticut teenager Justina Pelletier losing custody of their daughter. Children’s Mercy Hospital alleged Justina’s parents were medically abusing their daughter and custody was passed over to the commonwealth of Massachusetts.

Justina was receiving treatment for mitochondrial disease at Boston’s New England Medical Center but was transferred to Children’s Mercy Hospital where she was diagnosed as having somatoform disorder. Justina’s parents disagreed with the diagnosis and attempted to get their daughter discharged. The hospital refused, and in the subsequent legal battle, Justina’s parents lost custody of their child.

Gottesfeld was suspected of conducting the DDoS attacks and his home was searched by federal law enforcement officers in October 2014. Several servers, computers and hard drives were seized although Gottesfeld was not officially charged at the time.

Gottesfeld went missing in February 2016 but was found after getting into difficulty when sailing in a small boat. He was rescued off the coast of Cuba by a passing cruise ship and was arrested when the cruise ship docked in Miami. The FBI claimed Gottesfeld was attempting to flee the United States.

Gottesfeld will be sentenced on Nov. 14, 2018 and potentially faces a fine of up to $500,000, plus restitution, and up to 15 years in jail – a maximum of 5 years for the conspiracy charge and up to 10 years for the criminal damage charge, with a further 3 years of supervised release.


Phishing Attack, Lost Devices, and System Error Exposed PHI of 9,400 Patients

A roundup of data breaches recently disclosed to the media and the Department of Health and Human Services’ Office for Civil Rights.

System Error Exposed Data at Pennsylvania Department of Human Services

Pennsylvania Department of Human Services has discovered that a system error in its Compass system allowed certain individuals to view the protected health information of others who, at some point, were part of the same benefit household but are now part of a different active case record.

The types of information that could have been viewed included names, citizenship, date of birth, and all information reported about employment, although not Social Security numbers. No reports have been received to date to suggest any of the information was accessed and misused. The system glitch was detected on May 23, 2018 and has now been corrected. All 2,130 individuals potentially impacted have been notified of the breach by mail.

Lost Laptop Exposes PHI of Ambercare Patients

The Ambercare Corporation, a provider of hospice and home care services in New Mexico, has announced that an unencrypted laptop computer containing the protected health information of 2,284 patients has been lost and possibly stolen.

The laptop, which had been issued to an Ambercare employee, was discovered to be missing on May 30, 2018. The laptop was password-protected, but not encrypted. The protected health information stored on the device was required by the employee to perform work functions and included names, addresses, dates of birth, diagnostic information, clinical information, and Social Security numbers.

The loss/theft has been reported to law enforcement and employees have received further training on physical security. Since Social Security numbers were exposed, affected patients have been offered complimentary credit monitoring services through Experian for 12 months.

Email Account Compromise Discovered by San Francisco Institute on Aging

The San Francisco, CA-based Institute on Aging has discovered an unauthorized individual has gained access to the email accounts of some of its employees. The breach was discovered on May 28, 2018, although it is currently unclear for how long the email accounts were compromised.

The Institute on Aging employed expert data security response professionals to secure its systems and manage the breach response. Messages in the compromised email accounts were checked and found to contain the protected health information of 3,907 patients. Information contained in emails and email attachments included the names of patients and employees along with email addresses, birth dates, financial records, diagnoses, treatment information, and medical payment information.

Affected individuals were notified on July 20 and were offered 12 months credit monitoring and identity theft protection services without charge.

Lost Laptop Sees PHI of Rocky Mountain Health Care Services Patients Exposed

Colorado Springs-based Rocky Mountain Health Care Services has discovered an unencrypted laptop computer issued to an employee has been stolen. The laptop contained the protected health information of 1,087 patients.

The laptop computer was stolen on May 15, 2018, prompting an immediate investigation to determine the types of information stored on the device. The investigation determined the breach was limited to names, addresses, birth dates, Social Security numbers, diagnoses, treatment plans, and prescription information. Affected individuals have been offered credit monitoring and identity theft restoration services for 12 months without charge.

This is the third laptop theft experienced by Rocky Mountain Health Care Services in the past 12 months. A laptop was discovered to have been stolen on September 28, 2017 and a mobile phone and laptop were discovered to have been stolen on June 18, 2017.

Rocky Mountain Health Care Services has now reviewed its policies and procedures on information security, has incorporated mobile device security controls, and is now encrypting data on all company laptops.


Email Account Compromises Continue Relentless Rise

There has been a steady rise in the number of reported email data breaches over the past year. According to the July edition of the Beazley Breach Insights Report, email compromises accounted for 23% of all breaches reported to Beazley Breach Response (BBR) Services in Q2, 2018.

In Q2, 2018 there were 184 reported cases of email compromises, an increase from the 173 in Q1, 2018 and 120 in Q4, 2017. There were 45 such breaches in Q1, 2017, and each quarter has seen the number of email compromise breaches increase.

In Q2, 2018, the email account compromises were broadly distributed across a range of industry sectors, although the healthcare industry experienced more than its fair share.

Healthcare email accounts often contain a treasure trove of sensitive data that can be used for identity theft, medical identity theft, and other types of fraud. The accounts can contain the protected health information of thousands of patients. The recently discovered phishing attack on Boys Town National Research Hospital resulted in the attackers gaining access to the PHI of more than 105,000 patients.

Email Accounts Used for Further Attacks on an Organization

If hackers gain access to an email account, not only do they have access to the data stored in that mailbox, the account provides the hacker with a platform for conducting further attacks. The email account can be used to send messages to other employees, and since the messages are sent internally, they are unlikely to be flagged as malicious by email security solutions.

These internal emails are carefully crafted based on information gathered from the compromised mailbox. Rather than just sending a standard phishing email from the compromised account to other employees, targets are identified through reconnaissance, the account holder’s message style is copied, and messages are crafted based on past conversations between the account holder and the targets. This allows the attacker to conduct highly convincing spear phishing campaigns that are much more likely to be successful.

Once access to a single account is gained, it is difficult to prevent further email accounts from being compromised, although it is relatively easy to prevent the initial attack. Spam filtering solutions are a must, as they will block the vast majority of malicious messages and prevent them from reaching inboxes. Security awareness training is also essential for preparing employees for attacks and training them how to recognize phishing emails and other email threats. If two-factor authentication is used, an additional form of authentication is required in order for the account to be accessed remotely.

Beazley notes that organizations that use Office 365 are more susceptible to email account compromises. Microsoft’s PowerShell is often exploited and used to log in to email accounts for reconnaissance, and if an email account with the right administrative privileges is compromised, the attacker could potentially search every single inbox in an organization.

Beazley also recommends preventing third-party applications from accessing Office 365, as this can reduce the potential for PowerShell to be used for reconnaissance.

The High Cost of Email Account Compromises

BBR Services often discovers that organizations are only aware of half the inboxes that are compromised in an attack, and that it is not uncommon for hundreds of inboxes to have been compromised in a single phishing campaign.

These breaches can be extremely costly to resolve, as each message must be checked to determine whether it contains PII or PHI. Even a small-scale email breach may cost $100,000 to resolve, while larger breaches can easily cost in excess of $2 million. “Business email compromise attacks are among the more expensive data breaches we see,” said Katherine Keefe, head of BBR Services.

A case study was included in the report detailing the high cost of healthcare phishing attacks. An employee received a phishing email with a link to a website that appeared official, which required that person to enter their email account credentials. That gave the attacker access to that individual’s email account, which was then used in further attacks on the organization.

A forensic investigation revealed the attacker gained access to 20 email accounts and that the method used would have allowed all 20 of those mailboxes to have been downloaded. The messages were programmatically searched for PHI, although 350,000 documents in the email accounts could not be searched and required a manual check. Paying a vendor to search those documents cost $800,000. A further $150,000 was spent on notifications and credit monitoring services.

Main Causes of Data Breaches in Q2, 2018

Across all industry sectors, the main causes of data breaches were hacks and malware attacks (39%) and accidental disclosures (22%). Even though the number of email attacks increased, hacks and malware attacks decreased by 3% compared to Q1, 2018. The decline was attributed to a fall in ransomware attacks.

The Beazley report shows the main cause of healthcare data breaches was accidental disclosures, which accounted for 38% of all breaches reported to BBR Services in Q2, 2018. That represents an increase of 29% since Q1, 2018. Hacking and malware attacks accounted for 26% of healthcare data breaches. 14% of breaches were insider incidents, 7% involved loss of physical PHI, 6% were due to the loss/theft of portable devices and 4% were due to social engineering attacks.


Orlando Orthopaedic Center Suffers 19,000-Record Breach Due to Business Associate Error

An error made by a transcription service provider during a software upgrade on a server has resulted in the exposure of more than 19,000 patients’ protected health information (PHI).

Patients affected by the breach had received medical services at Orlando Orthopaedic Center clinics in Orlando, Florida prior to January 2018.

The software upgrade took place in December 2017 and throughout the month, PHI stored on the server became accessible over the Internet without any need for authentication. Orlando Orthopaedic Center only became aware of the exposure of patients’ PHI in February 2018.

The discovery of the breach prompted a full investigation, which revealed names, dates of birth, insurance information, employer details, and treatment types were accessible. A limited number of patients also had their Social Security numbers exposed.

It is unclear whether any PHI was accessed by unauthorized individuals during the time that the protections were removed. Orlando Orthopaedic Center said it has not received any reports from patients that indicate PHI has been misused and no evidence of unauthorized access or data theft has been uncovered; however, data theft and unauthorized access could not be ruled out.

Credit monitoring and identity theft protection services have been offered to all patients whose Social Security number was exposed. All patients have been advised to monitor their accounts and Explanation of Benefits Statements for any sign of fraudulent use of their PHI and have now been notified of the breach by mail.

Orlando Orthopaedic Center stated in a news release that its vendor has corrected the issue and all PHI has been secured. Ongoing cybersecurity awareness training is provided to all Orlando Orthopaedic Center staff and its own security solutions are regularly updated to ensure all PHI stored on its servers and endpoints remains secure.

The breach report submitted to the Department of Health and Human Services’ Office for Civil Rights on July 20, 2018 indicates 19,101 patients had their PHI exposed.

It is unclear why it took 5 months from the discovery of the breach to issuing notifications and informing OCR when HIPAA requires notifications to be issued within 60 days of the discovery of a breach.
