HIPAA Breach News

Dominion National Discovers 9-Year PHI Breach

Dominion National, a Virginia-based insurer, health plan administrator, and administrator of dental and vision benefits, has experienced a data security incident involving the personal information of individuals connected to the services it provides. Hackers fist gained access to its servers in 2010.

Following an internal alert, Dominion National launched an internal investigation and determined that its systems had been breached.

A leading cybersecurity company performed a comprehensive forensic analysis and review of affected data and confirmed the sensitive information of current and former members of Dominion National and Avalon Vision plans may have been compromised.

Data relating to individuals affiliated with the organizations that the company administers dental and vision benefits for, plan producers, and participating healthcare providers were also potentially compromised. Unauthorized access to its systems first occurred on August 25, 2010, nine years before the investigation was completed. It is currently unclear when the Dominion National first became aware of the breach.

The investigation into the cyberattack concluded on April 24, 2019. All affected individuals have been notified and offered two years membership to credit monitoring and identity theft protection services. Dominion National has cleaned all affected servers and has enhanced its monitoring and alerting software.

The types of information involved varied from individual to individual but may have included names along with addresses, email addresses, dates of birth, Social Security numbers, bank account and routing numbers, taxpayer ID numbers, member ID numbers, group numbers, and subscriber numbers.

The breach has yet to appear on the HHS’ Office for Civil Rights Breach Portal and no announcement has yet been made about the number of individuals affected by the breach.

The post Dominion National Discovers 9-Year PHI Breach appeared first on HIPAA Journal.

Ransomware Attacks Reported by California and Illinois Clinics

Patients of Quantum Vision Centers and Eye Surgery Center in Illinois are being notified that some of their protected health information may have been compromised in an April 2019 ransomware attack.

An unauthorized individual gained access to certain Quantum systems and deployed ransomware on April 18, 2019. The ransomware encrypted files, some of which contained information such as names, dates of birth, addresses, health insurance information, and Social Security numbers.

A third-party computer forensics firm has been hired to help determine the nature and scope of the attack. The investigation is ongoing, but it is believed that the malware was not used to steal any patient information. The sole purpose of the attack appears to have been to extort money from the business.

Encrypted files are now being recovered and backup measures have been implemented to ensure services can continue to be provided to patients, albeit with some disruption.

It is currently unclear exactly how many patients have been affected. Affected individuals have been offered one year of credit monitoring services.

Marin Community Clinics Recovers from Ransomware Attack

Marin Community Clinics in California has experienced a ransomware attack that caused considerable disruption to its IT systems last week.

The attack occurred between 9pm and 10pm on Wednesday, June 19 and resulted in widespread file encryption. A ransom demand was issued and, after consulting with its network operator, Marin Community Clinics paid an undisclosed percentage of the ransom demand.

Computer systems were taken out of action as a result of the attack. Even with the keys to unlock the encrypted files, recovery has taken several days. All computer systems are expected to be brought back online by Saturday 22, June.

Medical services continued to be provided to patients while computer systems were down and the hospital was operating in emergency mode. Patient information was recorded on paper and will be transferred when systems are brought back online. The data recovery process is progressing and major data loss is not anticipated.

Marin Community Clinics’ CEO Mitesh Popat told the Marin Independent Journal that no patient data was compromised and major data loss is not expected; however, there may be minor data loss for certain patients as a result of the data recovery process.

It is currently unclear how the ransomware was introduced and for how long the hackers had access to its systems prior to the deployment of ransomware.

The post Ransomware Attacks Reported by California and Illinois Clinics appeared first on HIPAA Journal.

Phishing Attacks Reported by Broome County, NY and UMassMemorial Community Healthlink

Broome County in New York has started notifying 7,048 individuals that some of their protected health information (PHI) was compromised in a phishing attack on county employees.

Broome County officials learned about the attack on January 2, 2019 when it was discovered that an employee’s direct deposit account information had been changed. An investigation was immediately launched which revealed ‘numerous’ Broome County email accounts had been compromised as a result of responses to phishing emails. Further, an unauthorized individual had also gained access to employees’ PeopleSoft accounts.

A computer forensics expert was hired to assist with the investigation and determine how and when access to the accounts was first gained. That investigation revealed the first accounts were compromised on November 20, 2018 and further accounts were compromised up to January 2, 2019.

Employee direct deposit information has been checked and all emails and email attachments in the compromised accounts have been analyzed.

Broome County says multiple county departments were affected, including the Department of Health. The Willow Point Nursing Home and Rehabilitation & Nursing Center were also affected.

The types of information in the emails varied from individual to individual, but may have included names, contact information, Social Security numbers, bank account numbers, other financial information, dates of birth, medical record numbers, patient identification numbers, health insurance information, claims information, and medical and clinical information such as diagnoses and treatment information.

Broome County will implement additional safeguards to protect against any future attempted cyberattacks, including multi-factor authentication, and additional training will be provided to staff.

Community Health Link Phishing Attack Impacts 4,598 Patients

UMass Memorial Community Healthlink, a provider of behavioral health, addiction, and homeless services throughout central Massachusetts, has discovered the email accounts of two employees have been accessed by an unauthorized individual.

The breach was detected on April 18, 2019 and the accounts were secured. The breach investigation revealed the accounts were first accessed the same day and information in the compromised email accounts was only available for a limited time period.

No evidence was found to suggest emails had been viewed or copied; however, the following information may have been subjected to unauthorized access: Names, dates of birth, client identification numbers, diagnosis and treatment information, health insurance information, and in limited instances, Social Security numbers.

In response to the breach, passwords were reset, rules were strengthened to prevent email accounts from being accessed from external domains, automatic alerts have been increased, and defenses have been strengthened against email impersonation attacks. Further training has also been provided to employees.

The post Phishing Attacks Reported by Broome County, NY and UMassMemorial Community Healthlink appeared first on HIPAA Journal.

Ransomware Attack Affects More than 60 Assisted Living Facilities

A provider of software for assisted living communities has experienced a ransomware attack that has affected more than 60 facilities that use the software.

Tenx Systems, doing business as ResiDex Software, said the attack occurred on April 9, 2019 and affected its server infrastructure.

Rapid action was taken to move the servers to a new hosting provider and files were seamlessly recovered from backups the same day as the attack. No ransom was paid.

A forensic investigation was launched to determine whether any files had been accessed or other malicious actions had been performed by the attackers. The investigation revealed its servers were first compromised on April 2, 2019, 7 days prior to the deployment of ransomware.

While extortion through file encryption may have been the main aim of the attack, it is possible that the attackers gained access to names, Social Security numbers, and medical records contained in the ResiDex system.

It was not possible to establish which, if any, records were subjected to unauthorized access due to the complexity of the attack and the steps taken by the attackers to conceal their activities.

Notifications are now being sent to all affected individuals, which are spread across Massachusetts, Minnesota, Missouri and Tennessee.

The number of individuals affected has not been publicly disclosed and the incident has yet to appear on the HHS’ Office for Civil Rights Breach Portal.

Prescription Information of 78,000 U.S. Patients Exposed Online

Security researchers at vpnMentor have discovered a freely accessible database of patient prescription information that contains records relating to more than 78,000 U.S. patients who use the prescription medication Vascepa.

Vascepa is a drug used to lower triglycerides for individuals on low-cholesterol and low fat diets. The MongoDB database had been left unprotected allowing the following information to be viewed without authentication: Names, addresses, telephone numbers, email addresses, pharmacy information, prescribing doctor, NPI number, NABP E-profile number, and other personally identifiable data.

The records appeared to have come from a company called PSKW, which provides patient and provider messaging, co-pay, and assistance programs for healthcare organizations via a service named ConnectiveRX.

vpnMentor has reported the breach PSKW, although it is currently unclear to whom the database belongs.

The post Ransomware Attack Affects More than 60 Assisted Living Facilities appeared first on HIPAA Journal.

May 2019 Healthcare Data Breach Report

In April, more healthcare data breaches were reported than in any other month to date. The high level of data breaches has continued in May, with 44 data breaches reported. Those breaches resulted in the exposure of almost 2 million individuals’ protected health information.

Healthcare data breaches by month 2014-2019

On average, 2018 saw 29.5 healthcare data breaches reported to the HHS’ Office for Civil Rights each month – a rate of more than one a day.

From January 2019 to May 2019, an average of 37.2 breaches have been reported each month. Up until May 31, 2019, 186 healthcare data breaches had been reported to OCR, which is more than half (52%) the number of breaches reported last year.

It remains to be seen whether the increase in data breaches is just a temporary blip or whether 40+ healthcare data breaches a month will become the new norm.

Healthcare records exposed by month 2017-2019

May saw a 186% increase in the number of exposed records compared to April. Across the 44 breaches, 1,988,376 healthcare records were exposed or compromised in May. So far this year, more than 6 million healthcare records have been exposed, which is more than half of the number of records exposed in 2018.

Healthcare records exposed by year 2014-2019

In terms of the number of records exposed, May would have been similar to April were it not for a massive data breach at the healthcare clearinghouse Inmediata Health Group. The breach was the largest of the year to date and resulted in the exposure of 1,565,338 records.

A web page which was supposed to only be accessible internally had been misconfigured and the page could be accessed by anyone over the internet.

 

Rank Name of Covered Entity Covered Entity Type Individuals Affected Type of Breach
1 Inmediata Health Group, Corp. Healthcare Clearing House 1,565,338 Unauthorized Access/Disclosure
2 Talley Medical Surgical Eyecare Associates, PC Healthcare Provider 106,000 Unauthorized Access/Disclosure
3 The Union Labor Life Insurance Company Health Plan 87,400 Hacking/IT Incident
4 Encompass Family and internal medicine group Healthcare Provider 26,000 Unauthorized Access/Disclosure
5 The Southeastern Council on Alcoholism and Drug Dependence Healthcare Provider 25,148 Hacking/IT Incident
6 Cancer Treatment Centers of America® (CTCA) at Southeastern Regional Medical Center Healthcare Provider 16,819 Hacking/IT Incident
7 Takai, Hoover, and Hsu, P.A. Healthcare Provider 16,542 Unauthorized Access/Disclosure
8 Hematology Oncology Associates, PC Healthcare Provider 16,073 Hacking/IT Incident
9 Acadia Montana Treatment Center Healthcare Provider 14,794 Hacking/IT Incident
10 American Baptist Homes of the Midwest Healthcare Provider 10,993 Hacking/IT Incident

Causes of May 2019 Healthcare Data Breaches

Hacking/IT incidents were the most numerous in May with 22 reported incidents. In total, 225,671 records were compromised in those breaches. The average breach size was 10,258 records with a median of 4,375 records.

There were 18 unauthorized access/disclosure incidents in May, which resulted in the exposure of 1,752,188 healthcare records. The average breach size was 97,344 records and the median size was 2,418 records.

8,624 records were stolen in three theft incidents. The average breach size 2,875 records and the median size was 3,578 records. There was one loss incident involving 1,893 records.

causes of May 2019 healthcare data breaches

Location of Breached PHI

Email continues to be the most common location of breached PHI. 50% of the month’s breaches involved at least some PHI stored in email accounts. The main cause of these types of breaches is phishing attacks.

Network servers were the second most common location of PHI. They were involved in 11 breaches, which included hacks, malware infections and ransomware attacks.  Electronic medical records were involved in 7 breaches, most of which were unauthorized access/disclosure breaches.

Location of breached PHi (may 2019)

May 2019 Healthcare Data Breaches by Covered Entity Type

Healthcare providers were the worst affected covered entity type in May with 34 breaches. 5 breaches were reported by health plans and 4 breaches were reported by business associates of HIPAA-covered entities. A further two breaches had some business associate involvement. One breach involved a healthcare clearinghouse.

May 2019 healthcare data breaches by covered entity type

May 2019 Healthcare Data Breaches by State

May saw healthcare data breaches reported by entities in 17 states.  Texas was the worst affected state in May with 7 reported breaches. There were 4 breaches reported by covered entities and business associates in California and 3 breaches were reported in each of Indiana and New York.

2 breaches were reported by entities base in Connecticut, Florida, Georgia, Maryland, Minnesota, North Carolina, Ohio, Oregon, Washington, and Puerto Rico. One breach was reported in each of Colorado, Illinois, Kentucky, Michigan, Missouri, Montana, and Pennsylvania.

HIPAA Enforcement Actions in May 2019

OCR agreed two settlements with HIPAA covered entities in May and closed the month with fines totaling $3,100,000.

Touchstone Medical Imaging agreed to settle its HIPAA violation case for $3,000,000. The Franklin, TN-based diagnostic medical imaging services company was investigated after it was discovered that an FTP server was accessible over the internet in 2014.

The settlement resolves 8 alleged HIPAA violations including the lack of a BAA, insufficient access rights, a risk analysis failure, the failure to respond to a security incident, a breach notification failure, a media notification failure, and the impermissible disclosure of the PHI of 307,839 individuals.

Medical Informatics Engineering settled its case with OCR and agreed to pay a financial penalty of $100,000 to resolve alleged HIPAA violations uncovered during the investigation of its 2015 breach of 3.5 million patient records. Hackers had gained access to MIE servers for 19 days in May 2015.

OCR determined there had been a failure to conduct a comprehensive risk analysis and, as a result of that failure, there was an impermissible disclosure of 3.5 million individuals’ PHI.

It did not end there for MIE. MIE also settled a multi-state lawsuit filed by 16 state attorneys general. A multi-state investigation uncovered several HIPAA violations. MIE agreed to pay a penalty of $900,000 to resolve the case.

The post May 2019 Healthcare Data Breach Report appeared first on HIPAA Journal.

Oregon Department of Human Services Notifies 645,000 Clients of Phishing Breach

The Oregon Department of Human Services (ODHS) is notifying 645,000 clients that some of their personal information has potentially been compromised as a result of a phishing attack.

The targeted attack started on January 9, 2019 and resulted in 9 ODHS employees following links in emails and disclosing their login credentials.

ODHS and the Department of Administrative Services Enterprise Security Office discovered the breach on January 28 following reports from employees who believed their email accounts had been accessed. All affected email accounts were rapidly identified and remote access to the accounts was blocked the same day.

An investigation was launched into the breach to determine what protected health information may have been viewed and who had been affected. That process has taken some time to complete as it involved checking around 2 million emails.

The attackers accessed the compromised accounts and were able to access emails in the accounts for a period of 19 days. ODHS has confirmed that no malware was installed by the attackers but they may have viewed or obtained PHI such as names, contact information, Social Security numbers, case numbers, and sensitive health information.

On March 21, when it became clear that PHI was involved, ODHS uploaded a substitute breach notice to its website and created a call center where affected individuals could find out more about the breach. However, individual breach notifications were not sent until June 21.

ODHS oversees programs related to child welfare, individuals with disabilities, and seniors and deals with some of the most vulnerable individuals in the state. To protect those individuals from harm, ODHS has covered the cost of a $1 million identity theft reimbursement insurance policy and is offering all affected individuals 12 months of complimentary credit monitoring and identity theft recovery services.

ODHS spokesperson Robert Oakes said this was an “extremely sophisticated email attack.” ODHS has since closed access to the email web application that was breached and will continue to conduct internal security audits to vulnerabilities and will subject those vulnerabilities to a HIPAA-compliant risk management process. Training is already provided to staff on security awareness and efforts will continue to educate the workforce about the dangers from phishing.

The post Oregon Department of Human Services Notifies 645,000 Clients of Phishing Breach appeared first on HIPAA Journal.

Potential Breach at Meditab Software Impacts 2 Maryland Healthcare Providers

Two healthcare providers in Maryland have been affected by a potential breach at their business associate, Meditab Software Inc.

Meditab provides EMR and practice management software to healthcare providers and its systems contain patient information. In March 2019, Meditab discovered some protected health information (PHI) had been left unprotected.

Meditab had created a portal to view statistics for its Fax Cloud services. Statistics were maintained on all faxes, but no images were stored directly on the fax server. When faxes were transmitted, a link to the fax image on a separate and secure server was temporarily available until the fax was confirmed as having been received. When receipt was confirmed, the link is no longer available.

Usernames and passwords were required to gain access to the portal; however, in January, a Meditab programmer deactivated authentication without authorization. While authentication was disabled, a limited number of faxes containing medical information were discoverable between January 9 and March 14, 2019.

The exposed information may have included names, addresses, phone numbers, dates of birth, and medical records and treatment notes, which may include diagnoses and treatment information.

The firm recently informed Capitol Cardiology Associates (CCA) and Southern Maryland Medical Group (SMMG) that the PHI of some of their patients had been exposed.

Meditab said at no point could its analytics portal be searched or crawled by search engines, so discovering the portal would not have been easy. However, if the portal was located, an unauthorized individual could have opened the fax messages individually and had the option of downloading or printing those faxes. Meditab believes the risk of harm to patients is low.

According to the breach reports submitted to the HHS’ Office for Civil Rights, 1,980 CCA patients and 1,400 SMMG patients have been affected.

It is currently unclear whether any other healthcare providers have been affected by the breach.

The post Potential Breach at Meditab Software Impacts 2 Maryland Healthcare Providers appeared first on HIPAA Journal.

AMCA Parent Company Files for Chapter 11 Protection

Following the massive data breach at American Medical Collection Agency (AMCA) which saw more than 20 million records compromised, AMCA’s parent company, Retrieval-Masters Creditors Bureau Inc., has filed for Chapter 11 protection.

The data breach affected individuals who had received medical testing services from Quest Diagnostics, LabCorp, or BioReference Laboratories. Hackers gained access to the web payment portal used by AMCA and accessed and stole the sensitive personal and financial data of patients. The hackers had access to its payment page for more than 7 months before the breach was detected.

The cost of recovering from a breach on this scale is considerable. So far, AMCA has mailed more than 7 million breach notification letters to affected individuals at a cost of $3.8 million. A further $400,000 has been spent on hiring IT consultants to assist with the breach response.

The data breach caused a cascade of events that led to the bankruptcy filing. Retrieval-Masters Creditors Bureau CEO Russell Fuchs lent AMCA $2.5 million to help cover the cost of mailing the breach notification letters. Fuchs explained in the court filing that the firm had incurred “enormous expenses that were beyond the ability of the debtor to bear.”

Retrieval-Masters was formed in 1977 by Russell Fuchs and was initially focused on small-dollar debt collections for direct mail marketers but has since moved into patient receivables. The company now helps companies recover non-medical and medical debt. Retrieval-Masters stated in the filing that it had reduced staff numbers from 113 to 25 at the end of 2018.

The Chapter 11 filing in the Southern District of New York stated the company is seeking to liquidate assets and liabilities as high as $10 million to cover the rising costs of the cyberattack.

The filing also sheds some light on how the breach was detected.

The breach was first reported on databreaches.net, which had been contacted by researchers at Gemini Advisory who had identified a batch of stolen credit cards and Social Security numbers on a darknet marketplace. Gemini Advisory analysts were able to tie the data to AMCA and issued a notification.

The filing stated AMCA learned about the breach after being notified that a large number of credit cards tied to its payment portal had been used to make fraudulent purchases.

There are still many questions that have not yet been answered related to how access was gained to the payment page and whether the breach was the result of cybersecurity failures. Several state attorneys general have written to AMCA demanding answers.

The post AMCA Parent Company Files for Chapter 11 Protection appeared first on HIPAA Journal.

Shingle Springs Health and Wellness Center Ransomware Attack Impacts 21,000 Patients

Shingle Springs Health and Wellness Center (SSHWC) in Placerville, CA, is notifying 21,513 patients that protected health information (PHI) was potentially compromised as a result of a recent ransomware attack.

SSHWC learned on April 7, 2019 that its server infrastructure had been compromised and ransomware had been deployed. As a result of the attack, all computer systems were rendered inoperable and access to patient data and essential files was blocked.

An investigation was immediately launched and the cyberattack was reported to the Federal Bureau of Investigation and the Indian Health Service. SSHWC has now installed new servers and is fast-tracking system upgrades and workstation updates across all departments.

The ransomware attack is believed to have been conducted to extort money from SSHWC; however, files containing PHI were involved in the breach and could potentially have been compromised. Those files contained names, addresses, telephone numbers, Social Security numbers, health insurance information, provider names, dates of service, amount paid or owed, and diagnosis codes.

SSHWC is offering all affected patients 12 months of complimentary credit monitoring services.

This is the third major healthcare ransomware attack to have been reported in the past few days. Estes Park Health experienced a ransomware attack on June 2, 2019, which prevented computer systems and patient data from being accessed. An undisclosed ransom was paid for the keys to decrypt files, but some files remained locked. The attackers demanded further payment to unlock the remaining files.

Boardman, OH-based N.E.O Urology has also recently announced it has suffered a ransomware attack. The decision was taken to pay the $75,000 ransom and all files have now been recovered.

These are just three of several ransomware attacks to have been reported by healthcare organizations in the past two months. As a recent report from Malwarebytes confirms, ransomware is proving popular with hackers once again. In Q1, 2019, ransomware attacks increased by 195% and healthcare organizations accounted for a large percentage of those attacks.

The post Shingle Springs Health and Wellness Center Ransomware Attack Impacts 21,000 Patients appeared first on HIPAA Journal.