HIPAA Breach News

Ransomware Attacks Reported by Monterey Health Center and Magnolia Pediatrics

Monterey Health Center in Milwaukie, OR, has experienced a ransomware attack that encrypted its electronic medical records system. The attack commenced on August 12, 2019 and prevented patient data from being accessed.

Assisted by a third-party vendor, the health center successfully restored all patient data quickly and was able to continue providing care to its patients. It is unclear whether the medical records were restored from backups or if the ransom demand was paid.

Third-party forensic investigators were retained to investigate the attack and determine whether patient data had been copied by the attackers. The investigation found no evidence of data exfiltration, although unauthorized data access could not be totally ruled out. To date, no reports have been received about any misuse of patient information.

The following information was potentially compromised: Names, addresses, dates of birth, Social Security numbers, driver’s license numbers, medical histories, diagnoses, lab test results, treatment information, medications, health insurance information, claims information, and financial account information.

All individuals affected by the breach have been notified and steps have been taken to improve security. The health center will continue to work with third-party experts to ensure its systems remain secure and patients’ health and personal information is protected from unauthorized access.

Ransomware Attack Impacts Magnolia Pediatrics Patients

Magnolia Pediatrics in Prairieville, LA, experienced a ransomware attack on August 23, 2019 that resulted in the encryption of files containing patients’ protected health information.

Assisted by a third-party computer forensics firm, the pediatric practice determined that patient information had not been removed from its systems during the attack. While data theft is not suspected, unauthorized data access and/or data theft could not be totally ruled out.

The encrypted computer system contained patient data such as names, addresses, telephone numbers, medical record numbers, Social Security numbers, clinical information, diagnoses, lab test results, medications, medical histories, insurance information, treating physicians’ names, and dates of service.

The incident has been reported to the Federal Bureau of Investigation and the FBI investigation of the attack is ongoing. Steps are being taken to improve security to prevent similar attacks in the future and all affected patients have now been notified.

The post Ransomware Attacks Reported by Monterey Health Center and Magnolia Pediatrics appeared first on HIPAA Journal.

Malicious Code on Mission Health E-Commerce Websites Potentially Stole Financial Data for 3 Years

Mission Health in Western North Carolina has discovered that malicious code was installed on the e-commerce websites its patients used to purchase health products. The malicious code was capable of capturing payment information as it was entered on the websites. That information was then sent to an unauthorized third party.

The breach was discovered by Mission Health in June 2019. The breach investigation revealed the malicious code had been inserted into the genuine code of the website three years previously in March 2016. The affected websites were taken offline and are being rebuilt. At the time of writing, those websites are not operational.

Only limited information about the breach has been released and there is currently no substitute breach notification letter on the Mission Health website. It is unclear how the breach was discovered. Typically, when credit card information is stolen, credit card firms trace fraudulent activity back to a specific retailer or website and advise the company that their systems have been compromised. In such cases, the fraudulent activity is identified relatively quickly. It is unclear in this instance whether that occurred and why the breach took almost three years to detect.

The malicious code did not give the attackers access to any health information or medical records, only financial information such as credit card numbers, expiry dates, and CVV codes along with cardholders’ names and addresses. The breach only affected individuals who had purchased items on the e-commerce sites store.mission-health.org and shopmissionhealth.org. The main website used by the healthcare provider – missionhealth.org – was not affected by the breach.

Mission Health has reviewed all transactions that occurred during the period of time that the malicious code was present and notification letters were sent on October 11, 2019 to all individuals who made purchases on the affected websites. Those individuals have been provided with information on the steps they should take to secure their accounts and have been advised to monitor their accounts for signs of fraudulent activity. All affected individuals have been offered free membership to credit monitoring services for 12 months.

The breach has yet to appear on the HHS’ Office for Civil Rights’ breach portal. It is currently unclear exactly how many individuals have been affected.

Roger Severino Gives Update on OCR HIPAA Enforcement Priorities

Roger Severino, Director of the HHS’ Office for Civil Rights, has given an update on OCR’s HIPAA enforcement priorities at the OCR/NIST 11th Annual HIPAA Conference in Washington D.C.

Severino confirmed that one of OCR’s top policy initiatives is still enforcing the rights of patients under the HIPAA Privacy Rule and ensuring they are given timely access to their health information at a reasonable cost.

Under HIPAA, patients have the right to view and check their medical records and obtain a copy of their health data, yet there are still healthcare organizations that are making this difficult. OCR has already agreed to settle one case this year with a HIPAA-covered entity that failed to provide a patient with a copy of her health information. OCR had to intervene before those records were provided to the patient. The entity in question, Bayfront Health St Petersburg, paid a financial penalty of $85,000 to resolve the HIPAA violation.

More financial penalties will be issued to covered entities that fail to comply with this important provision of HIPAA. Severino confirmed that Bayfront Health’s financial penalty was the first in a series of penalties for covered entities that are not providing patients with access to their health data within 30 days of the request being received.

OCR has issued guidance to help covered entities comply with this aspect of HIPAA, but now the time has come “for serious enforcement,” explained Severino.

Severino also explained that patients must be allowed to have their health data sent to health apps. The requests should only be denied if the app poses a security risk to the covered entity. Severino confirmed a covered entity is not liable for what happens to PHI after a disclosure to a health app at the patient’s request.

In many cases, patients are not being denied access to their medical records and requests for copies of medical records are being honored, but patients are being charged excessive amounts. In 2016, OCR issued guidance on the amounts that healthcare organizations can charge for providing copies of medical records and further clarification was also issued on the fee structures that can be adopted. Financial penalties for overcharging for copies of medical records can be expected.

The crackdown on patient access issues is part of the HHS Regulatory Sprint to Coordinated Care initiative and fits in with the Trump Administration’s drive to improve transparency of healthcare costs and the reduction of the cost of healthcare in the United States.

A prop is always useful for getting a point across. In this case Severino used a medical boot that he purchased to aid recovery from a torn Achilles tendon. Severino said he was advised by his doctor to purchase the boot and paid his doctor $430 for the treatment aid. He explained that he later looked online and found the exact same boot for sale on Amazon for $70, saying “This boot represents what’s wrong with price transparency.”

OCR is looking at how HIPAA can be updated to address this problem, such as requiring healthcare providers and health plans to provide information about the expected out-of-pocket costs for medical services or equipment before those items or services are provided to patients.

Contractors provide quotes for work in advance and banks provide customers with information on the costs of mortgages before providing the funds, but that doesn’t always happen in healthcare. That is something that needs to change.

Severino also touched on the issue of cybersecurity. Phishing and ransomware attacks cause a high percentage of healthcare data breaches and in many cases the attacks can be prevented by practicing good cybersecurity hygiene.

Ransomware is often installed through the exploitation of vulnerabilities in Remote Desktop Protocol. The failure to address those RDP vulnerabilities has led to several major healthcare ransomware attacks and data breaches.

Phishing attacks have been a major cause of healthcare data breaches for several years. It is not possible to prevent all attacks, but by complying with HIPAA, risk can be significantly reduced. HIPAA calls for covered entities to provide employees with training to help them identify and avoid phishing threats. Severino explained that training is critical, as is conducting phishing simulation exercises to find out how susceptible employees are to phishing.

Other cybersecurity failures that, if addressed, could prevent data breaches include the lack of multi-factor authentication, poor access controls, and the failure to promptly terminate access to systems when employees leave the company.

2019 may have only seen four OCR financial penalties issued to date to resolve HIPAA violations but the year is far from over. Further penalties will be announced this year, including one $2.1 million civil monetary penalty.

Severino did not confirm the reason for the penalty or provide any details, other than saying a final determination has been reached and the penalty will be announced by the department soon.

Hunt Regional Healthcare Revises May 2018 Data Breach Total

Texas-based Hunt Regional Healthcare has discovered a May 2018 cyberattack was much more extensive than previously thought. On May 14, 2019, Hunt Regional was informed by the FBI that its systems had been the subject of a sophisticated, targeted cyberattack in May 2018 and that a small subset of its patients had had their protected health information (PHI) exposed. Those individuals had previously received medical services at Hunt Regional Medical Center.

The PHI was stored in a limited area of the network to which the hackers had gained access and those individuals were notified about the breach in July 2019. A more detailed investigation was then conducted with assistance provided by third-party computer forensics experts, who discovered the hackers had gained access to other parts of the network that were not initially thought to have been compromised.

These additional parts of the network contained the PHI of patients of other facilities in the network: Hunt Regional Medical Center in Greenville, Hunt Regional Emergency Medical Center – Commerce, Hunt Regional Emergency Medical Center – Quinlan, Hunt Regional Home Care, Hunt Regional Lab Solutions, Hunt Regional Open Imaging – Greenville, Hunt Regional Open Imaging – Rockwall, Hunt Regional Outpatient Behavioral Health, Hunt Regional Infusion Center, and Texas Oncology Greenville.

The potentially compromised medical records included personal information such as names, contact telephone numbers, dates of birth, race, religious preferences, and Social Security numbers.

It was not possible to determine exactly which records were accessed or copied by the attackers, so the decision was taken to send notification letters to the entire database of patients to make sure all individuals were made aware of the possibility that their information had been compromised. All individuals have been offered credit monitoring and identity theft protection services through IDCare, which includes a $1 million identity theft insurance policy.

Hunt Regional had implemented appropriate safeguards prior to the attack to prevent the unauthorized accessing of patient information. Assisted by third-party cybersecurity professionals, Hunt Regional has implemented further safeguards to strengthen data security.

The initial breach report submitted to the HHS’ Office for Civil Rights in July 2019 indicated 3,700 patients had been affected. The breach summary has yet to be updated with the new total.

Philadelphia Department of Public Health Data Breach Exposed PHI of Hepatitis Patients

The Philadelphia Department of Public Health (PDPH) has discovered sensitive information of patients with hepatitis B and hepatitis C has been exposed over the internet and could be accessed by anyone without the need for authentication. The breach came to light on Friday October 12, 2019 following notification from a reporter from The Philadelphia Inquirer.

The issue was corrected within minutes of the hospital being notified of the breach. An investigation has now been launched to determine the nature, cause, and extent of the breach.

New cases of hepatitis B and hepatitis C must be reported to PDPH by medical providers to enable tracking and monitoring of the disease. Both diseases can be transmitted through contact with bodily fluids of an infected person. New cases are often the result of sharing of needles by intravenous drug users. New cases of both forms of hepatitis are monitored as part of the PDPH opioids initiative.

The data supplied by healthcare providers had been uploaded to a website tool that allows aggregated data to be visualized through charts using Tableau software. Tableau dashboards are created to allow data to be aggregated and easily displayed in an understandable format. The creators of Tableau dashboards must ensure security controls are implemented to prevent backend data from being accessed. If those controls are not applied, raw data can be viewed and downloaded.

According to The Philadelphia Inquirer, the breach could have affected tens of thousands of patients. The newspaper found data on around 23,000 patients who had contracted hepatitis C.

The exposed data included a patient’s name, along with their gender, address, test results, and in some cases, Social Security number. The data covered new cases of hepatitis B and hepatitis C reported to PDPH between 2013 and 2018. It is currently unclear for how long the data was accessible via the PDPH website, how many patients have been affected, and how many unauthorized individuals accessed the information during the time it was exposed.

68,000 Patients of Methodist Hospitals Impacted by Phishing Attack

In June 2019, Gary, Indiana-based Methodist Hospitals discovered an unauthorized individual had gained access to the email account of one of its employees following the detection of suspicious activity in the employee’s email account.

An investigation was immediately launched and third-party computer forensics experts were called in to determine the extent of the breach and whether any patient information had been accessed or copied by the attacker. The investigation revealed two email accounts had been compromised as a result of employees responding to phishing emails.

It took until August 7, 2019 for the forensic investigators to determine that a breach had occurred and patient information had been compromised. One of the compromised email accounts was discovered to have been accessed by an unauthorized individual from March 13, 2019 to June 12, 2019, and the second account was subjected to unauthorized access on June 12, 2019 and from July 1 to July 8.

As is typical in forensic investigations, it was not possible to determine whether the attacker viewed or copied patient information contained in emails and email attachments, but it was also not possible to rule out the possibility. At the time of issuing breach notification letters in October, no reports had been received to suggest patient information had been misused.

The types of information potentially compromised in the phishing attacks varied from patient to patient. In addition to patient names, the following information may have been compromised: Address, date of birth, Social Security number, driver’s license number, state ID number, passport number, medical record number, CSN number, HAR number, Medicare number, Medicaid number, diagnosis information, treatment information, health insurance subscriber, group, and/or plan number, group identification number, financial account number, payment card information, electronic signature, username and password.

Methodist Hospitals is reviewing its policies and procedures and will be implementing additional safeguards to improve defenses against phishing attacks in the future.

Affected individuals have been advised to monitor their account statements and explanation of benefits statements for signs of fraudulent activity. The substitute breach notification letter on the Methodist Hospitals website makes no mention of credit monitoring and identity theft protection services for breach victims.

The breach report submitted to the Department of Health and Human Services’ Office for Civil Rights indicates up to 68,039 patients have been affected by the breach.

CHI Health Ransomware Attack Impacts 48,000 Lakeside Patients

The Omaha, NE-based 14-hospital health system, CHI Health, has experienced a ransomware attack in which the protected health information of approximately 48,000 patients has potentially been compromised.

The attack was discovered on August 1, 2019 and affected an old electronic health record system that contained the medical records of patients who had received medical services at CHI Health’s Lakeside Orthopedic Clinic prior to April 2016.

The investigation confirmed that a database used by the medical record system had been encrypted in the attack. A full investigation into the attack was launched and, while it is possible that patient information was accessed or copied by the attackers, no evidence of unauthorized data access or data exfiltration was discovered and there have been no reports of misuse of patient information. The attack appears to have been conducted solely with the aim of extorting money from CHI Health.

The types of information contained in the database included patient names, addresses, contact telephone numbers, dates of birth, Social Security numbers, diagnoses, treatment information, and other medical information.

Affected individuals have been notified about the breach by mail and the incident has been reported to the Department of Health and Human Services’ Office for Civil Rights and other appropriate authorities.

Out of an abundance of caution, all affected individuals have been offered a 12-month complimentary subscription to credit monitoring and identity theft protection services. CHI Health has also taken steps to reduce the likelihood of similar breaches occurring in the future.

Cancer Treatment Centers of America Experiences Another Phishing Attack

Cancer Treatment Centers of America (CTCA) is notifying certain patients that some of their protected health information (PHI) has been exposed as a result of a phishing-related email security breach that occurred in July 2019 at its Southeastern Regional Medical Center.

The attack was identified on July 29, 2019 when suspicious activity was detected in the email account of a CTCA staff member. The breach investigation revealed the attacker had gained access to the account for a period of around 7 days from July 22.

Upon detection of the breach, the user’s email account was secured to prevent further unauthorized access. The investigation did not uncover any evidence to suggest patient information in emails and email attachments was accessed or copied by the attacker, but the possibility could not be ruled out.

The types of information potentially accessed included names along with addresses, phone numbers, dates of birth, health insurance information, medical information, and medical record numbers, and other patient identifiers.

No Social Security numbers were exposed in the breach, so credit monitoring and identity theft protection services are not being provided. Affected patients have been advised to monitor their explanation of benefits statements and report any suspected fraudulent activity to their insurers.

The breach report submitted to the HHS’ Office for Civil Rights indicates up to 3,290 patients have been affected by the latest breach.

In total, five breaches have been reported to OCR by CTCA since late November 2018. The first, reported to OCR on November 6, 2018, affected 41,948 patients of Western Regional Medical Center in Arizona. 3,904 patients of Eastern Regional Medical Center in Pennsylvania and 3,904 patients of Southeastern Regional Medical Center were affected by phishing attacks reported to OCR on July 12. A further 16,819 patients of Southeastern Regional Medical Center were affected by a phishing attack reported to OCR on May 10, 2019.

Humana Notifies Lafayette Customers of Employee-Related Data Breach

A former Humana employee who was terminated in December 2018 for emailing a customer list to a personal email account is believed to have disclosed that information to another individual.

The list contained the details of approximately 500 customers in the Lafayette, LA area. This list contained member names, addresses, email addresses, telephone numbers, dates of birth, Humana ID numbers, and plan numbers.

The breach was investigated internally and as part of that investigation, the former employee’s wife confirmed that she and her husband used the list to contact Humana customers between April and May 2019 in an attempt to try to solicit business for their own insurance brokerage firm. Humana has been assured that the list was not disclosed to anyone else.

Affected individuals have now been notified and have been told to contact Humana if they believe there has been any fraudulent use of their information.

UAB Medicine Phishing Attack Impacts 19,000 Patients

UAB Medicine is alerting patients about an August 7, 2019 phishing attack that resulted in the email accounts of several employees of UAB Medical Center in Birmingham, AL being accessed by the attackers.

Upon discovery of the breach, the passwords on affected email accounts were changed to prevent further unauthorized access and UAB Medicine engaged a leading cybersecurity firm to investigate the breach.

An analysis of the compromised email accounts revealed they contained the protected health information (PHI) of 19,557 patients, including names and one or more of the following data elements: Medical record number, date of birth, dates of service, location of service, diagnoses, and treatment information. A limited number of patients also had their Social Security number exposed.

UAB Medicine provides security awareness training to its workforce and has taught employees how to identify phishing emails. In this instance, despite that training, several employees responded to the emails and disclosed their email account credentials. Those credentials were used to gain access to email accounts and the payroll system. The health system said the email used in the attack was a fake business survey that appeared to have been sent internally from an executive’s email account.

The aim of the attack appears to have been to gain access to the payroll system to divert employees’ payroll deposits. The attack was detected and blocked before any payroll deposits were redirected. While it is possible that the attackers viewed/copied patient information, no evidence of unauthorized PHI access or data exfiltration was identified and there have been no reports of misuse of patients’ PHI.

Affected individuals have been advised to monitor their accounts and explanation of benefits statements for signs of fraudulent activity and have been offered 12 months’ subscription to credit monitoring and identity theft protection services at no cost. Steps are being taken to improve email security to prevent similar breaches from occurring in the future.