HIPAA Breach News

16-Month Malware Infection at Florida Pulmonary & Sleep Medicine Center Impacts 42,000 Patients

AdventHealth Medical Group’s Pulmonary & Sleep Medicine in Tavares, FL, formerly known as Lake Pulmonary Critical Care, has discovered hackers gained access to its systems and may have viewed or obtained the protected health information of up to 42,161 patients.

Hackers first gained access to the Pulmonary & Sleep Medicine center’s systems in August 2017 as a result of the installation of malware. The malware infection was not discovered until December 27, 2018.

The malware was removed, the affected systems were secured, and an investigation was launched to determine the extent of the breach and which patients had been affected.

The investigation revealed the hackers gained access to parts of its system where patients’ protected health information was stored. The information that was potentially accessed included names, addresses, email addresses, telephone numbers, dates of birth, health insurance information, Social Security numbers, medical histories, and the race, gender, weight, and height of patients.

It is unclear how the malware was installed and why it took 16 months to discover the malicious software. AdventHealth has since implemented additional system safeguards to prevent future cyberattacks and has enhanced system audits to ensure that any future breaches are detected more rapidly.

AdventHealth started sending breach notification letters to affected patients on January 25, 2019. All patients whose protected health information was exposed have been offered complimentary credit monitoring, fraud consultation, and identity theft restoration services through Kroll for 12 months. Patients have been advised to monitor their explanation of benefits statements from their insurers for any signs of misuse of their insurance information.

The post 16-Month Malware Infection at Florida Pulmonary & Sleep Medicine Center Impacts 42,000 Patients appeared first on HIPAA Journal.

Anesthesia Associates of Kansas City Discovers Theft of Patient Schedules

Paperwork containing patient information has been stolen from an employee of Anesthesia Associates of Kansas City.

The incident occurred on December 14, 2018. The employee had left a bag containing patient schedules in his vehicle. Thieves broke into the vehicle and stole the bag and paperwork.

Anesthesia Associates of Kansas City learned of the incident on December 16, 2018 and launched an investigation to determine what paperwork had been stolen.

It was not possible to determine with a high degree of certainty exactly which schedules were in the stolen bag. Consequently, the decision was taken to issue notification letters to all patients who had undergone surgical treatment between April 4, 2018 and December 14, 2018.

The types of information listed in patient schedules include names, birth dates, types of surgical procedures, dates of surgery, and the name of the surgeon. Schedules do not contain more sensitive information such as addresses, Social Security numbers, insurance information, or financial information.

The theft was reported to law enforcement, but neither the bag nor the paperwork has been recovered. All patients whose protected health information was potentially detailed in the patient schedules were informed about the breach by mail on February 1, 2019.

All affected patients have been advised to monitor their accounts and explanation of benefits statements for any sign of fraudulent activity.

The breach report submitted to the Department of Health and Human Services’ Office for Civil Rights indicates up to 3,472 patients’ protected health information may have been compromised.

To prevent further data breaches of this nature in the future, Anesthesia Associates of Kansas City has reinforced its policy of prohibiting the non-essential removal of patient information from its clinics. New policies and procedures have also been developed and implemented to further safeguard patient information when it is necessary to remove it from its facilities.

United Hospital District Phishing Attack Impacts 2,143 Patients

Blue Earth, MN-based United Hospital District has discovered patient information was exposed and potentially accessed by an unauthorized individual as a result of a June 2018 phishing attack.

The phishing incident resulted in the compromise of a single email account, the credentials to which were obtained as a result of an employee responding to a phishing email. The substitute breach notice on the healthcare provider’s website indicates the account was compromised between June 10, 2018 and June 27, 2018.

An in-depth analysis of the compromised account was conducted by third-party cybersecurity professionals who determined on December 12, 2018, that patient information had potentially been accessed. Emails and file attachments in the account were found to contain the protected health information of 2,143 patients.

The types of information contained in the email account varied from patient to patient and may have included names, addresses, internal patient identification numbers, health insurance information and, for a limited number of affected patients, diagnoses, treatment information, and/or Social Security numbers.

While it was possible for the attacker to access patient data, access was not confirmed. No reports have been received that suggest there has been any misuse of patient information.

All patients affected by the breach have been notified by mail. Individuals whose Social Security number was exposed have been offered a free 12-month subscription to credit monitoring and identity theft restoration services.

In response to the breach, additional email security measures have been implemented and employees have been given further security awareness training.

2019 Data Breach Barometer Report Shows Massive Increase in Exposed Healthcare Records

Protenus has released its 2019 Breach Barometer report: An analysis of healthcare data breaches reported in 2018.

The data for the report came from Databreaches.net, which tracks data breaches reported in the media as well as breach notifications sent to the Department of Health and Human Services’ Office for Civil Rights and state attorneys general.

The report shows there was a small annual increase in the number of healthcare data breaches but an almost threefold increase in the number of healthcare records exposed in data breaches.

According to the report, there were 503 healthcare data breaches reported in 2018, up from 477 in 2017. 2017 was a relatively good year in terms of the number of healthcare records exposed – 5,579,438 – but the number rose to 15,085,302 exposed healthcare records in 2018.

In 2017, March was the worst month of the year in terms of the number of records exposed and there was a general downward trend in exposed records throughout the rest of the year. In 2018, there was a general increase in exposed records as the year progressed. The number of exposed records increased each quarter, from 1,175,804 records in Q1 to 6,281,470 healthcare records in Q4.

The largest data breach of the year was a hacking incident at a business associate of a North Carolina health system. Over the space of a week, the hackers gained access to the health records of 2.65 million individuals.

Healthcare hacking incidents have increased steadily since 2016 and were the biggest cause of breaches in 2018, accounting for 44.22% of all tracked data breaches. There were 222 hacking incidents in 2018 compared to 178 in 2017. Data was only available for 180 of those breaches, which combined, resulted in the theft/exposure of 11,335,514 patient records. The hacking-related breaches in 2017 resulted in the theft/exposure of 3,436,742 records. While it was not possible to categorize many of the hacking incidents due to a lack of data, phishing attacks and ransomware/malware incidents were both common.

Insiders were behind 28.09% of breaches, loss/theft incidents accounted for 14.34%, and the cause of 13.35% of breaches was unknown.

Insider breaches included human error and insider wrongdoing. These breaches accounted for a lower percentage of the total than in 2017 when 37% of breaches were attributed to insiders. Information was available for 106 insider-related breaches in 2018. 2,793,607 records were exposed in those breaches – 19% of exposed records for the year. While the total number of insider incidents fell from 176 to 139 year over year, there was a significant increase in the number of records exposed in insider breaches in 2018.

Insider errors resulted in the exposure of 785,281 records in 2017 and 2,056,138 records in 2018. Insider wrongdoing incidents resulted in the exposure of 893,978 records in 2017 and 386,469 records in 2018.

Without the proper tools in place, insider breaches can be difficult to detect. In one case, it took a healthcare provider 15 years to discover that an employee was snooping on patient records. Several incidents took over four years to discover.

Snooping by family members was the most common cause of insider breaches, accounting for 67.38% of the total. Snooping co-workers accounted for 15.81% of insider breaches. Protenus notes that there is a high chance of repeat insider offenses. 51% of cases involved repeat offenders.

Overall, it took an average of 255 days for a breach of any type to be discovered and an average of 73 days for breaches to be reported after they were discovered.

Healthcare providers were the worst affected group with 353 data breaches – 70% of all reporting entities. 62 breaches were reported by health plans (12%) and 39 (8%) were reported by other entities. It was a particularly bad year for business associates of HIPAA covered entities with 49 incidents (10%) reported by business associates. A further 102 incidents (20%) had some business associate involvement.

Protenus expects the trend of more than one breach per day to continue in 2019, as has been the case every year since 2016.

7,000 Patients Notified About Pawnee County Memorial Hospital Malware Attack

Pawnee County Memorial Hospital in Pawnee City, Nebraska, is alerting 7,038 patients that some of their protected health information has potentially been accessed by a hacker.

On November 29, 2018, the hospital learned that malware had been installed which allowed an unauthorized individual to gain access to its email system.

Malware was injected into the hospital’s email system when an employee opened a malicious email attachment. According to Pawnee County Memorial Hospital’s substitute breach notice, the email appeared to have been sent from a trusted source and the email attachment seemed genuine.

Assisted by a third-party computer forensics expert, the hospital determined that the email attachment had been opened on November 16, 2018. The hacker was able to access employees’ email accounts from November 16 to November 24.

The compromised email accounts contained a range of business reports, clinical reports, clinical summaries, and other internal documents. Those documents contained patients’ full names along with one or more of the following data elements: Date of birth, address, diagnosis, lab test results, medical record number, insurance information, state ID number, driver’s license number and, for a limited number of patients, Social Security number.

While PHI access was possible, it is unclear whether the hacker viewed or obtained any patient information. The hospital believes the attack was financially motivated and was not conducted with the aim of stealing patient information.

In response to the breach, the hospital reset all passwords on employee email accounts and additional technology safeguards are being implemented to improve email security.

The hospital has sent breach notification letters to all patients whose PHI was exposed and has offered complimentary enrollment in the MyTrueIdentity online credit monitoring service for 12 months.

EyeSouth Partners Email Account Breach Impacts 24,000 Patients of Georgia Eye Associates

EyeSouth Partners has announced that a hacker has gained access to an employee’s email account and has potentially viewed/obtained the electronic protected health information (ePHI) of as many as 24,000 patients.

EyeSouth Partners is a business associate of Georgia Eye Associates, South Georgia Eye Partners, Cobb Eye Center, and Georgia Ophthalmology Associates. On October 25, 2018, EyeSouth Partners became aware that an unauthorized individual had gained access to the email account of one of its employees.

Prompt action was taken to secure the email account and assess the security of its systems. Procedures were also implemented to enhance information security safeguards to prevent any further email account breaches.

The breach investigation revealed the hacker first gained access to the email account on September 11, 2018. Access remained possible until October 25.

Third-party computer forensics experts were hired to assist with the investigation and determine which patients had had their ePHI exposed. On December 19, 2018, EyeSouth Partners was informed that the hacker had potentially accessed emails that contained the ePHI of patients of Georgia Eye Associates.

The information contained in emails and email attachments differed from patient to patient but may have included names, addresses, contact telephone numbers, email addresses, insurance provider names, type of insurance carrier, payment histories, account balances, summaries of charges, summaries of services and procedures, and internal patient ID numbers. A small number of patients also had their Social Security number exposed.

All patients affected by the breach have now been notified by mail and offered complimentary credit monitoring services.

OCR Settles Cottage Health HIPAA Violation Case for $3 Million

The Department of Health and Human Services’ Office for Civil Rights (OCR) has agreed to settle a HIPAA violation case with the Santa Barbara, CA-based healthcare provider Cottage Health for $3,000,000.

Cottage Health operates four hospitals in California – Santa Barbara Cottage Hospital, Santa Ynez Cottage Hospital, Goleta Valley Cottage Hospital and Cottage Rehabilitation Hospital.

In 2013 and 2015, Cottage Health experienced two security incidents that resulted in the exposure of the electronic protected health information (ePHI) of 62,500 patients.

In 2013, Cottage Health discovered a server containing patients’ ePHI had not been properly secured. Files containing patients’ ePHI could be accessed over the internet without the need for a username or password. Files on the server contained patient names, addresses, dates of birth, diagnoses, conditions, lab test results and other treatment information.

Another server misconfiguration was discovered in 2015. After responding to a troubleshooting ticket, the IT team removed protection on a server which similarly exposed patients’ ePHI over the internet. Patient names, addresses, dates of birth, social security numbers, diagnoses, conditions, and other treatment information could all be accessed without a username or password.

OCR investigated the breaches and Cottage Health’s HIPAA compliance efforts. OCR determined that Cottage Health had failed to conduct a comprehensive, organization-wide risk analysis to determine risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI, as required by 45 C.F.R. § 164.308(a)(1)(ii)(A).

Risks and vulnerabilities had not been reduced to a reasonable and appropriate level, as required by 45 C.F.R. § 164.308(a)(1)(ii)(B).

Periodic technical and non-technical evaluations following environmental or operational changes had not been conducted, which violated 45 C.F.R. § 164.308(a)(8).

OCR also discovered Cottage Health had not entered into a HIPAA-compliant business associate agreement (BAA) with a contractor that maintained ePHI: a violation of 45 C.F.R. § 164.308(b) and 164.502(e).

In addition to the financial penalty, Cottage Health has agreed to adopt a 3-year Corrective Action Plan (CAP). The CAP requires Cottage Health to conduct a comprehensive, organization-wide risk analysis to determine all risks to the confidentiality, integrity, and availability of ePHI. Cottage Health must also develop and implement a risk management plan to address all security risks and vulnerabilities identified during the risk analysis. The risk analysis must be reviewed annually and following any environmental or operational changes. A process for evaluating environmental or operational changes must also be implemented.

Cottage Health must also develop, implement, and distribute written policies and procedures covering the HIPAA Privacy and Security Rules and must train all staff on the new policies and procedures. Cottage Health must also report to OCR annually on the status of its CAP for the following three years.

“Our record year underscores the need for covered entities to be proactive about data security if they want to avoid being on the wrong end of an enforcement action,” said OCR Director Roger Severino. “The Cottage settlement reminds us that information security is a dynamic process and the risks to ePHI may arise before, during, and after a covered entity implements system changes.”

A Record Year for HIPAA Fines and Settlements

It has been a busy year of HIPAA enforcement for OCR. In 2018, OCR agreed 10 settlements with HIPAA-covered entities and business associates in response to violations of HIPAA Rules and issued one civil monetary penalty. The 11 financial penalties totaled $28,683,400, which exceeded the previous record of $23,505,300, set in 2016, by 22%.

2018 also saw OCR agree to the largest HIPAA settlement in history. Anthem Inc. settled alleged violations of HIPAA Rules for $16,000,000. The settlement was almost three times larger than the previous record, the $5.5 million settlement with Advocate Health Care Network in 2016.

Further Information: 2018 HIPAA Fines and Settlements

Settlement Reached in Community Health Systems 4.5 Million-Record Data Breach Case

Community Health Systems’ (CHS) patients whose protected health information (PHI) was stolen in a cyberattack in 2014 have been offered compensation for the theft of their PHI.

Tennessee-based Community Health Systems operates over 200 hospitals, making it one of the largest healthcare systems in the U.S.

In 2014, CHS discovered malware had been installed on its network. The malware allowed unauthorized individuals to gain access to patient information between April and June 2014. The cyberattack is believed to have been conducted by threat actors based in China.

An advanced malware variant was used in the attack, which had the sole purpose of obtaining sensitive information. An investigation into the breach confirmed that patient data including names, addresses, phone numbers, dates of birth, and Social Security numbers had been exfiltrated. The PHI of 4.5 million patients was stolen by the attackers.

At the time it was the largest healthcare data breach to be reported to the Department of Health and Human Services’ Office for Civil Rights and still ranks as one of the top six healthcare data breaches of all time.

Following the breach, many lawsuits were filed by patients seeking compensation for the theft of their personal information. The lawsuits were consolidated into a single lawsuit, which survived attempts by CHS to have the case dismissed. A settlement has now been reached to resolve the lawsuit.

The settlement specifies two different payments for breach victims. Individuals who can prove they have incurred out-of-pocket expenses as a result of the breach and/or can show evidence of time lost securing their accounts, can claim up to $250 in compensation. Individuals who have suffered identity theft or fraud as a result of the breach can recover up to $5,000 in losses.

Legal fees totaling $900,000 have also been covered by the settlement agreement along with a payment of $3,500 for each representative class member.

In order to qualify for payment, a compensation claim must be submitted by August 1, 2019. Individuals who do not want to be included in the settlement and those who wish to file an objection, have until May 18 to notify CHS.

The settlement must still be assessed for fairness and approved by a judge. A hearing has been scheduled for August 13, 2019.
