HIPAA Breach News

$85,000 Penalty for Korunda Medical for HIPAA Right of Access Failures

The Department of Health and Human Services’ Office for Civil Rights has announced its second enforcement action under its HIPAA Right of Access Initiative. Florida-based Korunda Medical has agreed to settle potential violations of the HIPAA Right of Access and will adopt a corrective action plan and bring its policies and procedures in line with the requirements of the HIPAA Privacy Rule.

In March 2019, OCR received a complaint from a patient who alleged she had not been provided with a copy of her medical records in the requested electronic format despite making repeated requests. The complainant alleged that Korunda Medical refused to send an electronic copy of her medical records to a third party and was overcharging patients for providing copies of their medical records. Under HIPAA, covered entities are only permitted to charge a reasonable, cost-based fee for providing access to patients’ protected health information.

The initial complaint was filed with OCR on March 6, 2019. On March 18, 2019, OCR provided technical assistance to Korunda Medical on the HIPAA Right of Access and closed the complaint. Four days later, a second complaint was received which demonstrated continued noncompliance with the HIPAA Right of Access. On May 8, 2019, OCR advised Korunda Medical that a compliance investigation had been launched. As a result of OCR’s intervention, the complainant was provided with a copy of her medical records free of charge. Continued noncompliance with the HIPAA Right of Access resulted in an $85,000 financial penalty for Korunda Medical.

“For too long, healthcare providers have slow-walked their duty to provide patients their medical records out of a sleepy bureaucratic inertia. We hope our shift to the imposition of corrective actions and settlements under our Right of Access Initiative will finally wake up healthcare providers to their obligations under the law,” said OCR Director, Roger Severino.

The HIPAA Right of Access Initiative is a HIPAA enforcement drive to ensure HIPAA-covered entities are providing patients with copies of their medical records in a timely manner, in the format of their choosing, and without being overcharged. The first enforcement action under this initiative was announced in September 2019. Bayfront Health St Petersburg was also required to pay a financial penalty of $85,000 to resolve HIPAA Right of Access failures.

This is the ninth HIPAA enforcement action of 2019. OCR has settled 8 HIPAA violation cases this year and has issued one civil monetary penalty, with the financial penalties ranging from $10,000 to $3 million. So far in 2019, $12,209,000 has been paid to OCR to resolve HIPAA violations.

The post $85,000 Penalty for Korunda Medical for HIPAA Right of Access Failures appeared first on HIPAA Journal.

Ransomware Attack on The Cancer Center of Hawaii Delayed Radiation Therapy for Patients

On November 5, 2019, The Cancer Center of Hawaii in Oahu was attacked with ransomware. The attack forced the Cancer Center to shut down its network servers, which meant it was temporarily prevented from providing radiation therapy to patients at Pali Momi Medical Center and St. Francis’ hospital in Liliha.

While patient services experienced some disruption, no patient information is believed to have been accessed by the attackers. The forensic investigation into the breach is ongoing but all data stored on its radiology machines has been recovered and its network is now fully operational.

It is unclear for how long its network was down and no information has been released so far on the types of patient information that may have been accessed.

The Cancer Center has notified the FBI about the breach and will report the incident to appropriate authorities, if the forensic investigators confirm that patient data may have been accessed.

The breach was confined to the Cancer Center’s systems. Pali Momi Medical Center and St. Francis’ hospital were unaffected by the attack as their patient data and systems are isolated from the Cancer Center.

Zuckerberg San Francisco General Hospital Alerts Patients to Improper Disposal Incident

1,174 patients of Zuckerberg San Francisco General Hospital are being notified that meal tickets containing a limited amount of their protected health information have been disposed of in an improper manner.

The meal tickets contained patients’ full names, their bed/unit in the hospital, birth month, dietary information, and the menu they received. The tickets should have been disposed of in confidential waste bins but were accidentally disposed of with regular trash.

The breach was due to an employee being unaware that the meal tickets needed to be sent for shredding. The San Francisco Department of Health learned about the improper disposal incident on November 15, 2019. The employee had been disposing of the meal tickets in regular trash bins between June 18 and November 4. The employee has since been advised of the correct procedures for the disposal of sensitive information.

Patients Notified of Phishing Attack at Cheyenne Regional Medical Center

Cheyenne Regional Medical Center in Wyoming has recently learned that patient information may have been compromised as a result of a phishing attack discovered in April.

The medical center was alerted to a potential security breach following the detection of suspicious activity related to employee payroll accounts on or around April 5, 2019. Around a week later, the medical center learned that employee email accounts had been compromised.

The investigation revealed the attackers had gained access to employee email accounts between March 27, 2019 and April 8, 2019. The aim of the attack appears to have been to access employee payroll information, although patient information contained in email accounts may also have been accessed.

The types of information potentially accessed varied from patient to patient and may have included names, dates of birth, Social Security numbers, driver’s license numbers, dates of service, provider names, medical record numbers, patient identification numbers, medical information, diagnoses, treatment information, and health insurance information. A very small percentage of patients also had financial information or credit card numbers exposed.

The forensic investigation confirmed on August 21, 2019 that patient information was potentially accessed by the hackers, although at that stage of the investigation the full extent of the attack was not known. It took until November 1, 2019 before the medical center obtained a full list of affected patients.

There was a further delay sending notifications as up to date contact information was not held on a significant number of patients. Finding that information took time.

The medical center explained that most patient information is stored in its electronic medical record system, but information is securely exchanged between staff members via email for administrative purposes and for consultations.

Affected patients have now been notified by mail and have been offered complimentary credit monitoring and identity theft protection services through Kroll.

Cheyenne Regional Medical Center should be commended for its thorough explanation of the breach and investigation, and the reason for the 8-month delay sending notifications. All patients want to be notified of any exposure of their personal and health information quickly but will be unaware of the work involved in a breach investigation and how long it can take to find the information necessary to issue notifications. Such a detailed explanation will help patients to understand why it has taken so long to learn about the breach.

Phishing Attacks Reported by Sunrise Community Health and Katherine Shaw Bethea Hospital

Evans, CO-based Sunrise Community Health has discovered the email accounts of several employees were compromised as a result of employees responding to phishing emails. The email accounts were accessed by unauthorized individuals between September 11, 2019 and November 22, 2019.

Assisted by third party computer forensics experts, Sunrise Community Health determined on November 5, 2019 that the compromised email accounts contained the protected health information of certain patients. The types of data present in the email accounts varied from patient to patient and may have included names, dates of birth, Sunrise patient ID numbers, Sunrise provider names, dates of service, types of clinical examinations performed, the results of those examinations, diagnoses, medication names, and names of health insurance carriers.

Sunrise Community Health does not believe the aim of the attack was to obtain patient information, but the possibility of unauthorized data access and data theft could not be ruled out. The attackers appeared to be targeting invoice and payroll information.

The investigation into the attack is continuing but breach notification letters have now been sent to affected individuals. Sunrise Community Health is offering affected patients complimentary credit monitoring and identity theft restoration services.

1,486 Katherine Shaw Bethea Hospital Patients Impacted by Phishing Attack

Katherine Shaw Bethea Hospital in Dixon, IL has discovered an unauthorized individual has gained access to the email account of an employee and potentially obtained a spreadsheet containing the protected health information of 1,486 patients.

The spreadsheet contained names, dates of birth, phone numbers, health insurance carrier names, diagnoses, and clinical information of patients under 18 years of age who had visited the emergency department between November 1, 2018 and May 1, 2019.

Katherine Shaw Bethea Hospital has implemented additional measures to improve email security and all staff members have been provided with further cybersecurity training to help them identify phishing scams.

NYC Health + Hospitals Alerts Patients to Improper Disclosure Incident

NYC Health + Hospitals is alerting patients who received treatment following a motor vehicle accident that some of their protected health information may have been impermissibly disclosed to third parties by an employee.

NYC Health + Hospitals was notified on October 3, 2019 that one of its employees had disclosed patient information to third parties such as law firms between 2016 and November 2019.

NYC Health + Hospitals is assuming that all patients who received treatment at its hospitals and clinics following a motor vehicle accident may have been affected. The investigation into the incident is ongoing and appropriate disciplinary action is being taken against the employee concerned.

Ransomware Attack on Managed Service Provider Impacts More than 100 Dental Practices

A Colorado IT firm that specializes in providing managed IT services to dental offices has been attacked with ransomware. Through the firm’s systems, more than 100 dental practices have also been attacked and have had ransomware deployed.

The attack on Englewood, CO-based Complete Technology Solutions (CTS) commenced on November 25, 2019. According to a report on KrebsonSecurity, CTS was issued with a ransom demand of $700,000 for the keys to unlock the encryption. The decision was taken not to pay the ransom.

In order to provide IT services to the dental practices, CTS is able to log on to their systems using a remote access tool. That tool appears to have been abused by the attackers, who used it to access the systems of all its clients and deploy Sodinokibi ransomware.

Some of the dental practices impacted by the attack have been able to recover data from backups, specifically, dental practices that had a copy of their backup data stored securely offsite. Many dental practices are still without access to their data or systems and are turning patients away due to ongoing system outages.

KrebsonSecurity reports that some of those practices are trying to negotiate with the attackers to obtain keys to unlock their own data.

Recovery has been complicated in some cases by multiple ransom notes and file extensions: after paying the ransom demand, it has only been possible to recover some of the encrypted data, so further payments have had to be made for additional keys. Black Talon Security told KrebsonSecurity that one dental practice had 50 devices encrypted and received more than 20 ransom notes. Multiple payments had to be made to recover records.

The attack is similar to the one that was conducted on the Wisconsin firm PerCSoft, through which around 400 dental offices were attacked with ransomware in August 2019. PerCSoft provides digital data backup services for dental offices. Sodinokibi ransomware was also used in that attack.

It is becoming increasingly common for ransomware gangs to target managed service providers. A single attack on a managed service provider can allow the attackers to attack hundreds of other companies, making the returns far higher.

A recent report by Kaspersky Lab also confirmed that ransomware attackers are targeting backups and Network Attached Storage (NAS) devices to make it much harder for victims to recover their files for free without paying the ransom.

The latest attack shows just how important it is not only to ensure that backups of all critical data are made, but why it is essential for at least one copy of a backup to be stored securely off site, on a non-networked device that is not accessible over the internet.

Southeastern Minnesota Oral & Maxillofacial Surgery Ransomware Attack Impacts 80,000 Patients

Southeastern Minnesota Oral & Maxillofacial Surgery (SEMOMS) has announced it has been attacked with ransomware and that the protected health information of up to 80,000 patients was potentially compromised in the attack.

The attack was detected on September 23, 2019. The IT team responded and isolated the affected server and took steps to restore the encrypted data. It is unclear whether the ransom was paid or if the IT team was able to restore the server from backups.

Assisted by computer forensics experts, SEMOMS determined that the affected server contained names and X-ray images and that the server had been accessed by an unauthorized individual. No evidence was uncovered to suggest any patient information was accessed or exfiltrated by the attackers, but the possibility of unauthorized ePHI access and data theft could not be discounted. Consequently, notification letters have been sent to all individuals whose protected health information was potentially compromised.

Healthcare Administrative Partners Phishing Attack Impacts 17,693 Patients

Healthcare Administrative Partners (HAP), a Media, PA-based provider of medical billing and coding services to healthcare organizations, has discovered the email account of one of its employees was accessed by an unauthorized individual following a response to a phishing email.

The phishing attack was detected on June 26, 2019 when suspicious activity was identified in the employee’s email account. On September 26, 2019, HAP determined that the protected health information of certain clients was present in the email account.

A third-party computer forensics firm was engaged to assist with the breach investigation. It was not possible to determine whether emails and email attachments containing ePHI had been accessed, but the possibility could not be ruled out.

The account contained patients’ names, addresses, dates of birth, medical record numbers, physicians’ names, prescriptions, medical diagnoses, and limited treatment information. HAP notified all affected providers on October 4, 2019.

Steps have now been taken to improve email security. All passwords for email were reset, all external emails are now labelled as external, employees are being provided with additional security awareness training, and mailbox size restrictions and email archiving have been implemented to reduce data exposure in the event of a further attack. HAP is also investigating multi-factor authentication options.

Elizabeth Family Health Notifies 28,375 Patients About Data Exposure

The Elizabeth, CO-based healthcare provider, Elizabeth Family Health, is notifying 28,375 patients that some of their protected health information has been exposed.

On September 23, 2019, Elizabeth Family Health suffered a break-in and its facilities were vandalized. The perpetrator removed several items from its facilities, including server backup tape cartridges. Those cartridges contained the protected health information of patients, including names, demographic information, and Social Security numbers.

Elizabeth Family Health has not received any reports of misuse of patient information but has mailed affected individuals as a precaution and has provided information on the steps that can be taken to prevent their personal information from being misused.

Kalispell Regional Healthcare Sued Over 130,000-Record Data Breach

Kalispell Regional Healthcare in Montana is being sued over a phishing attack in which hackers gained access to employee email accounts containing the protected health information of almost 130,000 patients.

The compromised email accounts contained patient information such as names, contact information, medical bill account numbers, medical histories, and health insurance information. Approximately 250 individuals also had their Social Security number exposed.

The phishing attack occurred in May 2019, but it was not initially clear which, if any, patients had been affected. It took until August for forensic investigators to determine that patient information had potentially been compromised.

All affected patients were notified, and the health system offered 12 months of free credit monitoring and identity theft protection services to patients whose Social Security numbers had potentially been compromised.

One of the patients whose personal and health information was compromised has now taken legal action over the data breach. The lawsuit was filed in Cascade County District Court in Great Falls, MT on November 25 by attorney John Heenan. Heenan is seeking class action status for the lawsuit.

The lawsuit alleges Kalispell Regional Healthcare failed to take the necessary steps to keep patients’ personal and health information private and confidential, did not abide by best practices and industry standards for securing patient data, and failed to notify patients about the breach in a timely manner. As a result of the alleged failures, the lawsuit claims, patients have been placed at risk of identity theft and fraud.

It does not appear that Henderson’s personal and health information had been misused at the time the lawsuit was filed; however, he claims that he is at risk of identity theft and fraud, which could occur at any time now that his information is in the hands of hackers.

Patients cannot sue healthcare providers for damages under HIPAA as there is no private cause of action, but it is possible to take legal action in many states over healthcare data breaches, as is the case in Montana.

The Montana Uniform Health Care Information Act allows victims of healthcare data breaches to sue healthcare providers for violations of the Act. The lawsuit alleges Kalispell Regional Healthcare is in violation of the Act.

After it was learned that patient information had potentially been compromised, the health system issued notifications to affected patients and reported the breach to local media outlets in the area.

Kalispell Regional Healthcare’s director of information technology, Melanie Swenson, explained that “This wasn’t your everyday, average hacker. They were very sophisticated at disguising their tracks.” She also explained that protecting the privacy of patients is a key priority for the health system and that email security solutions had been implemented prior to the attack to block spam and phishing emails. The security solutions were blocking around 50,000 inbound email threats each day. She also stated that CynergisTec had conducted an audit of the health system in 2018 and found it to be in the top 9% of healthcare industry organizations for cybersecurity compliance.

Since the attack, email security has been improved and the health system has increased training for employees to help them recognize phishing attacks and other email threats.

Nebraska Medicine Discovers Insider Data Breach

Nebraska Medicine has discovered an employee has accessed the medical records of patients without any legitimate work reason for doing so over a period of almost three months.

The privacy violation was discovered during a routine audit of its medical record system. The audit revealed the employee had first accessed patient records on July 11, 2019 and continued to do so until October 1, 2019 when the privacy violations were discovered.
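The article says the snooping surfaced in a routine audit of the medical record system but does not describe the audit itself. The following is an added example, not Nebraska Medicine's code, of the kind of access-log review that catches this pattern: every record view is checked against a table of documented care or billing relationships, and views with no such relationship are grouped per user with their first and last dates. The log format, the relationship table and all sample rows are constructed for the example.

```python
"""Audit EHR access logs for record views with no documented care relationship.

Added example (not Nebraska Medicine's code): the log format, the
care-relationship table and all sample data are constructed.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log: timestamp, user, patient ID, action.
SAMPLE_ACCESS_LOG = """\
2019-07-11T08:02:11,nurse_a,P1001,view
2019-07-11T08:05:40,nurse_a,P1002,view
2019-07-11T12:47:03,clerk_b,P2001,view
2019-07-11T12:48:19,clerk_b,P2002,view
2019-07-12T09:15:27,clerk_b,P1001,view
2019-08-03T17:31:55,clerk_b,P2003,view
2019-09-20T11:09:42,nurse_a,P1003,view
2019-10-01T16:22:08,clerk_b,P2004,view
"""

# Constructed: patients each user has a documented care or billing relationship with
# (in a real system this would come from encounter or scheduling data).
CARE_RELATIONSHIPS = {
    "nurse_a": {"P1001", "P1002", "P1003"},
    "clerk_b": {"P1001"},
}


def parse_access_log(text):
    """Parse CSV lines into (datetime, user, patient, action) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, patient, action = line.split(",")
        records.append((datetime.fromisoformat(ts), user, patient, action))
    return records


def find_unjustified_access(records, relationships):
    """Group record views that have no documented relationship, per user.

    Returns {user: {"patients": [...], "count": n, "first": dt, "last": dt,
    "span_days": d}}. A user missing from the relationship table is treated
    as having no justified patients at all.
    """
    hits = defaultdict(list)
    for ts, user, patient, _action in records:
        if patient not in relationships.get(user, set()):
            hits[user].append((ts, patient))
    report = {}
    for user, events in hits.items():
        events.sort()
        first, last = events[0][0], events[-1][0]
        report[user] = {
            "patients": sorted({p for _, p in events}),
            "count": len(events),
            "first": first,
            "last": last,
            "span_days": (last - first).days,
        }
    return report


def users_to_review(report, min_patients=2):
    """Users whose unjustified views touch at least min_patients distinct records."""
    return sorted(u for u, r in report.items() if len(r["patients"]) >= min_patients)


if __name__ == "__main__":
    rep = find_unjustified_access(parse_access_log(SAMPLE_ACCESS_LOG), CARE_RELATIONSHIPS)
    for user in users_to_review(rep):
        r = rep[user]
        print(f"{user}: {r['count']} views of {len(r['patients'])} patients with no care "
              f"relationship, {r['first'].date()} to {r['last'].date()} ({r['span_days']} days)")
```

On the constructed data, clerk_b's four views of patients outside the relationship table span 82 days, which is the shape of finding the article describes: a single user, many unrelated records, a long period before the routine review runs. Running such a review more often than "routinely" shortens that window.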

Upon discovery, steps were taken to prevent further unauthorized access while the matter was investigated. The employee in question was fired the day after the privacy violations were discovered.

According to a statement released by Nebraska Medicine, affected individuals have been notified by mail and any individual whose Social Security number was potentially viewed has been offered complimentary credit monitoring services for 12 months as a precaution.

Nebraska Medicine does not have any reason to believe that any sensitive information has been or will be misused, suggesting the employee was accessing the records out of curiosity. It is unclear how many individuals have been affected at this stage.

According to the breach notification letter sent to affected patients, the types of information in the records that were accessed includes names, addresses, dates of birth, Social Security numbers, medical record numbers, driver’s license numbers, clinical information, physicians’ notes, lab test results and medical images.

Presbyterian Healthcare Services Discovers Phishing Attack Was More Extensive than Initially Thought

In August 2019, Presbyterian Healthcare Services announced that the email accounts of several employees had been compromised as a result of a phishing attack.

Presbyterian Healthcare Services learned about the breach on June 9 and the investigation indicated the affected accounts contained the protected health information of 183,370 patients. Notifications were issued, but the breach investigation has continued. Presbyterian Healthcare Services has now learned that the breach was more extensive than previously thought and the compromised accounts contained the PHI of 276,000 patients.

Further notification letters were sent to patients on November 25 in which it was stressed that no evidence was found to indicate any PHI in the accounts was accessed, downloaded or appears to have been misused in any way. It was also confirmed that only the email system was affected. The attackers did not have access to medical records or its billing system.

Solara Medical Supplies Sued Over 114,000-Record Data Breach

Solara Medical Supplies is facing legal action over a June 2019 data breach that saw the protected health information of more than 114,000 customers exposed and potentially stolen by an unauthorized individual who gained access to its email system.

Solara Medical Supplies, a supplier of medical devices and disposable medical products, discovered the breach on June 28, 2019. While initially believed to involve one email account, an investigation revealed several Office 365 email accounts had been compromised for a period of around 6 weeks, starting on April 2, 2019.

The types of information exposed as a result of the attack included names, addresses, birth dates, employee ID numbers, Social Security numbers, health insurance information, financial information, credit card/debit card numbers, passport details, state ID numbers, driver’s license numbers, password/PIN or account login information, claims data, billing information, and Medicare/Medicaid IDs.

Customers affected by the breach were notified in November and were offered complimentary credit monitoring and identity theft protection services; however, that was not enough to prevent legal action being taken over the exposure of customers’ sensitive information.

Multiple law firms are now seeking clients who have had their sensitive information exposed as a result of the phishing attack, and one lawsuit has already been filed with the U.S. District Court for the Southern District of California.

The plaintiff, Juan Maldonado, is a customer of Solara Medical Supplies who uses products supplied by the company to help manage his medical condition. The lawsuit states that the sensitive, personal information of Maldonado is now in the hands of cybercriminals which has placed him at considerable risk of identity theft and fraud and alleges Solara Medical Supplies was negligent for failing to protect the sensitive data of its customers.

While the lawsuit cites HIPAA, there is no private right of action under HIPAA so individuals affected by a data breach do not have the right to sue a HIPAA-covered entity for the exposure of their data or for any HIPAA violations that are believed to have occurred. Legal action can only be taken against covered entities by the HHS’ Office for Civil Rights and state attorneys general. The lawsuit alleges Solara Medical Supplies has violated state laws, including the California Consumer Privacy Act.

The lawsuit alleges Solara Medical Supplies did not have adequate computer systems and security practices in place to safeguard customers’ personal and medical information, did not have systems in place to allow data breaches to be detected promptly, and that the company failed to notify affected customers in a timely manner.

It took more than 7 months from the date of the initial email account compromise for affected individuals to be notified, and more than 4 months after the breach was first detected. The lawsuit claims that Solara made no efforts during that time to warn customers about the risks they faced from the exposure of their data. During those four months, the lawsuit states that the attackers had ample opportunity to defraud its customers.

Solara found no evidence to suggest any data was stolen by the attackers and, at the time of issuing notifications, no reports had been received to indicate any customer information had been misused.

The lawsuit seeks class action status and appropriate monetary relief, injunctive relief, actual damages, punitive damages, attorneys’ fees, and payment for extended credit monitoring and identity theft protection services.

The lawsuit raises an important issue about breach notifications to individuals whose protected health information has been exposed or stolen. It is now common for HIPAA-covered entities to wait until they have completed the investigation of a breach before notifications are issued.

The HIPAA Breach Notification Rule states that notifications must be issued without undue delay and no later than 60 days after the discovery of a breach. Despite the HHS’ Office for Civil Rights having previously issued guidance on breach notifications, many covered entities are interpreting the notification requirement as 60 days from the date when they are informed by the forensics company they engaged to investigate the breach that patient information could have been accessed. That date can be several months after the breach was initially discovered.

Even then, notifications are often delayed further, with covered entities waiting up to 60 more days before notifications are sent to affected individuals. By taking this approach, covered entities are risking regulatory fines for unnecessarily delaying breach notifications.