HIPAA Breach News

Centrelake Medical Group Discovers Servers Compromised and Virus Deployed

Centrelake Medical Group, a network of 8 medical imaging and oncology centers in California, is notifying certain patients that some of their protected health information has been exposed as a result of a computer virus.

The computer virus was discovered in February 2019 when it prevented the medical group from accessing its files. The virus appears to be a form of ransomware, although no mention of ransomware or a ransom demand was made in the media notice issued by Centrelake.

Centrelake retained a computer forensics company to assist with the investigation to determine the scope of the attack and whether any files containing protected health information had been accessed or copied.

The investigation revealed an unauthorized individual had gained access to its servers on January 9, 2019. Prior to deploying the virus on February 19, 2019, the unauthorized individual was able to access the servers undetected.

It is not unusual for ransomware to be installed on systems after hackers have breached security defenses. In some cases, ransomware is deployed after the system has been investigated and all valuable data has been exfiltrated. In this case, the computer forensics company did not uncover any evidence to suggest patient information was accessed or copied during the time that system access was possible, and no reports have been received to suggest any attempted or actual misuse of data has occurred.

The servers accessed by the unauthorized third party contained software applications and files that may have contained the following types of patient information: names, phone numbers, addresses, Social Security numbers, health insurance information, diagnoses, services performed, dates of service, medical record numbers, referring provider information, and driver’s license numbers.

Centrelake Medical Group has told patients to be alert to the possibility of data misuse and suggests patients should monitor their financial accounts, credit reports, and explanation of benefits statements for any sign of fraudulent activity. A toll-free number has been set up for patients to obtain further information, but it does not appear that patients are being provided with credit monitoring and identity theft protection services.

The incident has yet to appear on the Department of Health and Human Services’ Office for Civil Rights breach portal, so it is currently unclear exactly how many patients have been affected.

The post Centrelake Medical Group Discovers Servers Compromised and Virus Deployed appeared first on HIPAA Journal.

11,639 Individuals Impacted by Riverplace Counseling Center Malware Attack

Riverplace Counseling Center in Anoka, MN, has discovered malware has been installed on its systems which may have allowed unauthorized individuals to gain access to patients’ protected health information.

The malware infection was discovered on January 20, 2019. The counseling center engaged an IT firm to conduct a forensic analysis, remove the malware, and restore its systems from backups. The analysis was completed on February 18, 2019.

The IT firm did not find evidence that suggested patient information had been subjected to unauthorized access or had been copied, but data access and PHI theft could not be totally ruled out.

The types of information stored on the affected systems included names, addresses, dates of birth, health insurance information, Social Security numbers, and treatment information.

Affected individuals were notified about the data breach on April 11, 2019, and have been offered identity theft monitoring services via Kroll for 12 months at no cost. No reports have been received to date to suggest any patients’ PHI has been misused.

Riverplace Counseling Center has not publicly disclosed what type of malware was involved, nor how the malware was installed on its systems.

To improve security and reduce the risk of further malware attacks, Riverplace Counseling Center has installed spam filters, upgraded its antivirus software and firewalls, and has provided further training to employees to help them identify unauthorized access.

The counseling center has also consulted with a cybersecurity firm which is providing recommendations on new system-wide policies and procedures to further enhance security.

According to the breach summary on the Department of Health and Human Services’ Office for Civil Rights website, up to 11,639 patients’ PHI was potentially compromised.


Clearway Pain Solutions Institute Discovers Unauthorized EMR System Access

Gulf Coast Pain Consultants, dba Clearway Pain Solutions Institute, has discovered its EMR system has been accessed by an unauthorized individual.

An investigation was launched following the discovery of the breach on February 20, 2019. The investigation revealed the individual accessed a range of patient information.

The types of information that were accessed included patients’ names, telephone numbers, home addresses, email addresses, dates of birth, Social Security numbers, health insurance information, name of referring provider, and demographic information. Clinical information contained in medical records could not be accessed and no financial information was exposed.

Unauthorized access to the system has now been blocked, a full review of all EMR accounts has been conducted, and access levels and EMR system activity have been validated for all user accounts. A review of policies and procedures is being conducted with regard to the accessing of patient information, and updates will be made as appropriate.

All patients affected by the breach are now being notified and are being offered 12 months of membership to Experian IdentityWorks at no cost.

The incident has yet to appear on the HHS’ Office for Civil Rights breach portal so it is unclear exactly how many patients have been affected.

Questcare Medical Services Discovers Email Account Breach

Questcare Medical Services, a Dallas, TX-based physician group, has announced the email account of an employee was compromised on February 13, 2019, as a result of a phishing attack. An investigation was immediately launched which revealed the compromised account contained protected health information. Affected patients were notified about the breach on April 12, 2019.

All individuals impacted by the breach had received medical services from Questcare in the Dallas, Fort Worth, or Arlington regions of Texas. The information potentially accessed by the attacker was limited to names, dates of birth and some clinical information. No sensitive financial information or Social Security numbers were exposed.

Questcare has provided further training to staff to improve security awareness, and regular reminders about phishing will be sent to staff. Microsoft’s Advanced Threat Protection has also been implemented to provide enhanced protection against phishing attacks.

The number of individuals impacted by the breach has not yet been publicly disclosed.

RS Medical Experiences Phishing Attack

Vancouver, WA-based pain relief device manufacturer RS Medical has experienced a phishing attack that resulted in the email account of an employee being accessed by an unauthorized individual. The purpose of the attack appears to have been to gain access to a company account to send phishing emails rather than to obtain sensitive patient information.

After gaining access to the account, the attacker sent around 10,000 phishing emails which alerted the company to the account breach. The breach was detected within 2 hours of the account being accessed.

While PHI access is not suspected, it could not be ruled out with a high degree of certainty. Notification letters have been sent to approximately 250 individuals whose PHI was included in the account.

The exposed PHI was limited to names, dates of birth, phone numbers, home addresses, diagnosis codes, and details of the medical equipment and supplies that had been provided by RS Medical.


Blue Cross of Idaho Website Hacked and Attempts Made to Reroute Payments

Blue Cross of Idaho has discovered its website has been hacked and an unauthorized individual gained access to its member portal and viewed the protected health information of some of its members.

Blue Cross of Idaho is one of the largest health insurers in the state and serves approximately 560,000 Idahoans. Blue Cross of Idaho’s executive vice president Paul Zurlo said the breach affected around 1% of its members (around 5,600 individuals).

The website security breach occurred on March 21, 2019, and was discovered the following day. During the time that portal access was possible, the hacker accessed provider remittance documents and attempted to reroute provider financial transactions.

Upon discovery of the breach, Blue Cross of Idaho terminated the unauthorized access and secured its portal to prevent financial fraud and further access to documents. The incident was reported to the FBI and the investigation remains open. The health insurer is working with internal and external cybersecurity consultants and financial experts to assess the security of the patient portal and the financial transactions that have taken place. All transactions going through the system are being monitored to ensure they are legitimate.

The remittance documents that were accessed did not contain Social Security numbers, driver’s license numbers, bank account information or debit/credit card numbers. The compromised information was limited to names, enrollee numbers, patient account numbers, claims numbers, payment data, procedure codes, provider names, and dates of service.

Members impacted by the breach have been advised to carefully monitor their bank account, credit card, and other financial statements for any sign of fraudulent activity as a precaution, even though financial information was not exposed. Explanation of benefits statements should also be checked for any services listed that have not been provided.

Following the exposure of sensitive information, it is customary to offer free access to credit monitoring and identity theft protection services. If Social Security numbers, financial information, or driver’s license numbers are exposed in a data breach, those services are usually provided for 12 months at no cost.

Even though highly sensitive information was not exposed and there do not appear to have been any attempts to misuse PHI, Blue Cross of Idaho is offering credit monitoring and identity theft protection services to affected members for three years.

Blue Cross of Idaho will also be sending new ID cards with different membership ID numbers to all affected individuals in the next few weeks and will continue to monitor the security of its system to ensure that members’ personal information is safe and secure.


Metrocare Services Suffers Second Phishing Attack in Two Months

Metrocare Services, a provider of mental health services in North Texas, has experienced a phishing attack which saw the email accounts of several employees accessed by an unauthorized individual.

The breach was detected on February 6, 2019 and the affected email accounts were rapidly blocked to prevent further access. The investigation revealed the accounts were first compromised in January 2019.

An analysis of the affected accounts revealed they contained the protected health information of 5,290 patients. Patients were notified on April 5, 2019 that the following information could potentially have been accessed as a result of the attack: name, date of birth, driver’s license information, health insurance information, health information related to the services provided by Metrocare, and, for certain patients, Social Security numbers.

The breach investigation did not uncover any evidence to suggest emails containing ePHI had been accessed or copied, but ePHI access and theft could not be ruled out. Individuals whose Social Security number was exposed have been offered free access to identity theft protection and credit monitoring services for 12 months.

In response to the breach, Metrocare Services will be implementing additional security measures and will be strengthening the security of its email system. Multifactor authentication will also be implemented to prevent accounts from being accessed in the event that credentials are compromised in future attacks.

This is not the first phishing attack that Metrocare Services has experienced. Two months previously, in November 2018, the PHI of 1,800 patients was compromised in a similar attack. After that attack Metrocare Services said it was strengthening the security of its email system and had provided additional training to employees to help them identify potential phishing attacks.

Those measures were clearly not sufficient to prevent further attacks. Had multifactor authentication been implemented after the first phishing attack, the second, larger breach could potentially have been prevented.


Health Recovery Services Notifies 20,485 Patients About Potential PHI Breach

Health Recovery Services, an Athens, OH-based provider of alcohol and drug addiction services, is notifying 20,485 patients that some of their protected health information may have been accessed by an unauthorized individual.

On February 5, 2019, Health Recovery Services discovered an unauthorized IP address had remotely accessed its computer network. Network and information systems were taken offline to prevent further access and a forensic expert was retained to conduct an investigation to determine the nature and scope of the breach.

On March 15, 2019, the forensic investigator determined that the IP address first accessed the network on November 14, 2018 and access remained possible until February 5. No evidence was uncovered to suggest any patient information was accessed or copied, although the possibility of data access and theft could not be totally ruled out. Patients whose protected health information was exposed have been notified by mail ‘out of an abundance of caution’.

The types of patient information contained in files on the compromised server included names, addresses, contact telephone numbers, and dates of birth. Patients who received treatment at Health Recovery Services after 2014 also had medical information, health insurance information, diagnoses, treatment information, and Social Security numbers exposed.

Health Recovery Services rebuilt its entire network to ensure that it was totally secure and free from any security threats. Policies, procedures, and cybersecurity measures were reviewed and will be enhanced to prevent further data breaches. Steps will also be taken to limit the harm that can be caused should a further network server breach be experienced in the future.


March 2019 Healthcare Data Breach Report

In March 2019, healthcare data breaches continued to be reported at a rate of almost one a day. 30 healthcare data breaches were reported to the HHS’ Office for Civil Rights by HIPAA-covered entities and their business associates. The March total is 11% higher than the average of the past 60 months.

[Figure: Healthcare data breaches by month]

The number of reported breaches fell by 6.67% month over month and there was a 58% decrease in the number of breached healthcare records. March saw the healthcare records of 883,759 individuals exposed, impermissibly disclosed, or stolen as a result of healthcare data breaches.

[Figure: Healthcare records exposed by month]

Causes of March 2019 Healthcare Data Breaches

The HHS’ Office for Civil Rights groups together hacking and other IT incidents such as malware and ransomware attacks. This category dominated the breach reports in March with 19 incidents reported. Hacking/IT incidents accounted for 83.69% of all compromised records (739,635 records).

There were 8 unauthorized access/disclosure incidents reported in March. 81,904 healthcare records were impermissibly accessed or disclosed. There were also four theft incidents reported, which involved a total of 23,960 records.

The biggest data breach was reported by Navicent Health: a phishing attack in which the records of 278,016 patients were potentially accessed and copied by the attackers. A similarly sized data breach was reported by ZOLL Services, which impacted 277,319 individuals. The ZOLL Services breach occurred at one of its business associates: its email archiving company accidentally removed protections on its network server. It is unclear whether those records were accessed by unauthorized individuals during the time the information was accessible.

[Figure: Causes of March 2019 healthcare data breaches]

Largest Healthcare Data Breaches Reported in March 2019

| Rank | Name of Covered Entity | Covered Entity Type | Individuals Affected | Type of Breach | Location of Breached Information |
|---|---|---|---|---|---|
| 1 | Navicent Health, Inc. | Healthcare Provider | 278,016 | Hacking/IT Incident | Email |
| 2 | ZOLL Services LLC | Healthcare Provider | 277,319 | Hacking/IT Incident | Network Server |
| 3 | LCP Transportation, Inc | Business Associate | 54,528 | Unauthorized Access/Disclosure | Email |
| 4 | Superior Dental Care Alliance | Business Associate | 38,260 | Hacking/IT Incident | Email |
| 5 | Superior Dental Care | Health Plan | 38,260 | Hacking/IT Incident | Email |
| 6 | St. Francis Physician Services | Healthcare Provider | 32,178 | Hacking/IT Incident | Network Server |
| 7 | Palmetto Health | Healthcare Provider | 23,811 | Hacking/IT Incident | Email |
| 8 | Gulfport Anesthesia Services, PA | Healthcare Provider | 20,000 | Theft | Other |
| 9 | Women’s Health USA, Inc. | Business Associate | 17,531 | Hacking/IT Incident | Desktop Computer, Email |
| 10 | Verity Medical Foundation | Healthcare Provider | 14,894 | Hacking/IT Incident | Email |

Location of Breached Protected Health Information

Email incidents dominated the March 2019 healthcare data breach reports, with 12 reported incidents involving ePHI stored in emails and/or email attachments. The vast majority of those email breaches were phishing attacks. There were 7 hacking/IT incidents involving network servers: a combination of ransomware attacks, hacks, and the accidental deactivation of security solutions.

[Figure: Causes of March 2019 healthcare data breaches]

March 2019 Healthcare Data Breaches by Covered Entity

Healthcare providers reported the most healthcare data breaches in March, with 21 reported incidents. 4 breaches were reported by health plans and 5 data breaches were reported by HIPAA business associates. A further three breaches had some business associate involvement.

[Figure: March 2019 healthcare data breaches by covered entity type]

Healthcare Data Breaches by State

Healthcare organizations and business associates based in 18 states reported data breaches in March 2019. Three data breaches were reported in each of California, Ohio, and Pennsylvania. Two breaches were reported in each of Arizona, Idaho, Maryland, Massachusetts, Minnesota, Oregon, and South Carolina. One breach was reported in each of Arizona, Connecticut, Florida, Georgia, Indiana, Mississippi, New York, and Oklahoma.

HIPAA Enforcement in March 2019

The HHS’ Office for Civil Rights did not agree to any fines or settlements in March 2019; however, the Texas Department of Aging and Disability Services has agreed to a financial penalty over a 2015 data breach.

Texas approved a settlement of $1.6 million to resolve alleged HIPAA violations discovered during the investigation of an 8-year data breach that was reported in June 2015. OCR has yet to confirm the settlement publicly.

There were no HIPAA-related financial penalties agreed with state attorneys general in March 2019.


Minnesota DHS Suffers Another Phishing Attack: State IT Services Struggling to Cope with Barrage of Attacks

The Minnesota Department of Human Services (DHS) has discovered another employee email account has been compromised as a result of a phishing attack. The latest incident has only just been reported, although the breach occurred on or before March 26, 2018.

Three Phishing Attacks: 31,800 Records Exposed

The breach is in addition to two other phishing attacks that saw email accounts compromised in June and July of 2018. Those attacks were announced in October 2018 and resulted in the exposure of 20,800 Minnesotans’ PHI. The March 26 email account compromise saw the PHI of 11,000 Minnesotans exposed.

The March phishing attack allowed the attacker to gain access to the email account of an employee of the Direct Care and Treatment Administration. Emails were then sent from that account to co-workers requesting that wire transfers be made. The email requests were flagged as suspicious and were reported to MNIT, which secured the account. No wire transfers were made.

During the time that the account was accessible, the attacker potentially accessed emails in the account which included protected health information. MNIT was unable to determine whether any PHI had been viewed or copied. The account contained information such as names, contact information, dates of birth, treatment data, legal histories, and two Social Security numbers. No reports of misuse of PHI have been received.

Minnesota IT Services (MNIT) reported the breach to the FBI and, on April 9, 2019, DHS notified the Department of Health and Human Services’ Office for Civil Rights, the Office of the Legislative Auditor, credit reporting agencies, the media, and state senate and house representatives. Individual notices have also been sent to all individuals affected by the breach.

After being notified about the breach, DHS hired a contractor to assess the contents of the email account to check for protected health information. Due to the number of emails in the account, that process took some time to complete. DHS says the account review was completed on March 21, 2019.

It is unclear from the DHS breach notification letter when the breach was discovered. DHS said MNIT provided details of the breach investigation on February 15, 2019. While breach notifications were issued to affected individuals within 60 days of DHS discovering the breach, in compliance with HIPAA, there was a major delay in the breach being reported to DHS by MNIT.

It took four months before notifications were issued to alert individuals about the previous two phishing attacks, and more than a year for individuals affected by this phishing attack to be notified.

State Government Agencies Suffer 700 Security Incidents in 10 Months

A senate hearing took place in October last year following the announcement of the other two phishing attacks. At the hearing it was made clear that MNIT was simply not prepared for the volume of cyberattacks and lacked the resources to deal with them.

MNIT explained at the hearing that more than 700 security incidents involving state government agencies had to be dealt with by MNIT up to October 2018, including 150 phishing attacks. State employees were sent an average of 22 phishing emails a day.

Up to October, the state government had experienced 80 cyberattacks that required manual analysis and 240 sets of employee credentials had been compromised. At the hearing, MNIT CISO Aaron Call explained that “the frequency and profitability of attacks are increasing, and the cybercriminals are getting more funding.”

Since receiving notification about the latest breach, DHS has implemented additional security measures to prevent further phishing attacks. These include a tool that blocks links and email attachments in emails sent to state employees. DHS says the tool would have prevented this and past breaches from occurring.

Policies and procedures have also been revised at DHS and MNIT has said it is now immediately reporting breaches to agency data practices or privacy staff to allow them to analyze the incidents to determine whether data have been exploited. DHS has said it is continuing to provide employees with training to help them identify increasingly sophisticated cyberattacks against DHS.
