HIPAA Breach News

EmblemHealth Pays $100,000 HIPAA Violation Penalty to New Jersey for 2016 Data Breach

The health insurance provider EmblemHealth has been fined $100,000 by New Jersey for a 2016 data breach that exposed the protected health information (PHI) of more than 6,000 New Jersey plan members.

On October 3, 2016, EmblemHealth sent Medicare Part D Prescription Drug Plan Evidence of Coverage documents to its members.

The mailing labels included beneficiary identification codes and Medicare Health Insurance Claim Numbers (HCIN), which mirror Social Security numbers. The documents were sent to more than 81,000 policy members, 6,443 of whom were New Jersey residents.

The New Jersey Division of Consumer Affairs investigated the breach and identified policy, procedural, and training failures. Previous mailings of Evidence of Coverage documents were handled by a trained employee, but when that individual left EmblemHealth, mailing duties were handed to a team manager who had only been given minimal task-specific training and worked unsupervised.

That individual sent a data file to EmblemHealth’s mailing vendor without first removing HCINs, which resulted in the HCINs being printed on mailing labels: a violation of HIPAA, the New Jersey Identity Theft Prevention Act, and the New Jersey Consumer Fraud Act.

“Health insurers entrusted with their customers’ sensitive personal information have a duty to avoid improper disclosures,” said New Jersey Attorney General Gurbir S. Grewal. “EmblemHealth fell short of its obligations to its customers in this case, and I am pleased that our settlement includes measures designed to prevent similar breaches at this company in the future.”

In addition to the financial penalty, EmblemHealth has agreed to make changes to its policies and procedures to prevent further breaches of plan members’ PHI. Those measures include the use of unique patient identifiers for mailings rather than HCINs or Medicare Beneficiary Identifiers.

EmblemHealth will also ensure that a formal transfer process takes place when the responsibilities of outgoing staff are passed on to other EmblemHealth employees or third parties, and that all necessary training will be provided.

All incoming employees will also be required to complete additional privacy and security training modules and refresher training sessions will be conducted annually. The New Jersey Division of Consumer Affairs will be monitoring EmblemHealth over the next three years and must be informed of any further breaches of the PHI of New Jersey customers.

“This settlement should serve as a reminder that we are committed to safeguarding consumer privacy, and will hold accountable any businesses that are careless in the handling of such personal data,” said Paul R. Rodríguez, Acting Director of the Division of Consumer Affairs.

New Jersey has been highly active as an enforcer of HIPAA Rules and has agreed to four settlements in 2018 to resolve violations of HIPAA Rules. In addition to the EmblemHealth HIPAA fine, New Jersey has settled HIPAA violations with Best Transcription Medical ($200,000), Aetna ($365,211.59), and Virtua Medical Group ($417,816) in 2018.

The post EmblemHealth Pays $100,000 HIPAA Violation Penalty to New Jersey for 2016 Data Breach appeared first on HIPAA Journal.

48,000 Patients of Frisco Medical Center Notified of Breach of Payment Information

Baylor Scott & White Medical Center in Frisco, TX, has discovered the payment information of almost 48,000 patients and guarantors may have been compromised.

The medical center, which is jointly managed by United Surgical Partners International (USPI) and Baylor Scott & White Health, discovered an issue with the credit card processing system of one of its vendors. The investigation revealed there had been a week-long computer intrusion between September 22 and September 29. Upon discovery of the issue, the medical center informed the vendor and stopped all credit card processing through the vendor’s system.

Baylor Scott & White Health did not uncover evidence to suggest any patient/guarantor information had been further disclosed or misused; however, as a precaution, all individuals affected by the incident have been offered one year of complimentary credit monitoring services through TransUnion Interactive.

The security breach was limited to the third-party vendor’s system. Hospital information and clinical systems remained secure at all times. No health information or Social Security numbers were exposed. Only the Frisco medical center was affected by the breach.

The information that was exposed and potentially accessed by an unauthorized individual was limited to: Names, addresses, dates of service, medical record numbers, health insurance provider information, account numbers, the last four digits of credit card numbers, CCV numbers, type of credit card used, recurring payment dates, account balances, invoice numbers, and transaction statuses.

All individuals affected by the breach have been notified by mail. The data security incident was reported to the Department of Health and Human Services’ Office for Civil Rights on November 26, 2018. The OCR breach portal indicates 47,948 individuals have been affected.

6,450 Prairie Fields Family Medicine Patients Notified About Email-Related Privacy Breach

Prairie Fields Family Medicine in Fremont, NE, is alerting 6,450 patients that some of their protected health information was contained in an unencrypted spreadsheet that was inadvertently sent to the wrong email recipient.

The email was sent on October 1, 2018, and the error was discovered the same day. Prairie Fields Family Medicine has made multiple attempts to contact the owner of the email account to ensure the spreadsheet is securely deleted but, so far, no response has been received.

The lack of contact has led Prairie Fields Family Medicine to believe the email account is no longer in use and has been abandoned, although the possibility remains that the spreadsheet has been opened and patient information has been compromised.

The spreadsheet did not contain any financial data or health information typically contained in medical records. The breach was limited to patients’ first and last names, birth date, telephone number, first language spoken, sex, race, and, for certain patients, primary and secondary health insurer information, including providers’ names and account numbers.

All affected patients have been notified of the breach by mail and the Department of Health and Human Services’ Office for Civil Rights has been informed.

Prairie Fields Family Medicine has not received any information to suggest any patient health information has been accessed or misused, but since insurance information has potentially been compromised, affected patients have been advised to check their explanation of benefits statements for suspicious activity.

The privacy breach has prompted Prairie Fields Family Medicine to put additional controls in place to prevent further impermissible disclosures of patients’ protected health information.

16,000 Redwood Eye Center Patients Impacted by MSP Breach

A managed service provider that hosts the electronic health records of Redwood Eye Center in Vallejo, CA has experienced a security breach that has resulted in the exposure of 16,000 patients’ protected health information.

IT Lighthouse provides computer support and application hosting services, including the hosting of electronic health records. During the evening of September 19, 2018, hackers succeeded in installing ransomware on a server that was hosting the electronic health records of patients of Redwood Eye Center. Redwood Eye Center was notified about the security breach on September 20, 2018.

A third-party computer forensics firm was hired by IT Lighthouse to assist with the investigation and a specialized medical software vendor was consulted and helped Redwood Eye Center recover the affected data.

The types of data that were potentially accessed by the attackers included patients’ names, addresses, birth dates, health insurance information, and medical treatment information. The investigation did not uncover any evidence to suggest the attackers accessed the PHI of Redwood Eye Center patients, but notification letters were sent out of an abundance of caution on December 6, 2018.

The breach notification letter sent to the California attorney general indicates 16,055 California residents have had their protected health information exposed.

Email Privacy Breach Reported by Butler County

Butler County, OH, is notifying approximately 1,350 employees that some of their protected health information has been exposed as a result of an email error. The county’s wellness coordinator sent an email in September about health insurance which included a spreadsheet that contained the wellness information of employees.

The spreadsheet had hidden columns which contained information such as names, insurance ID numbers, and information about the employees’ participation in the county wellness program. Highly sensitive information such as Social Security numbers and passwords were not exposed. Affected individuals have been advised to take steps to prevent the fraudulent use of their insurance information.
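Hidden spreadsheet columns are easy to overlook before an attachment goes out. The following is an added example, not code from Butler County or from the notice: it opens a .xlsx with the Python standard library alone (a .xlsx is a zip of XML parts) and reports hidden columns and hidden rows together with the cell values they conceal, so a sender can review them before mailing. The sample workbook, its names and insurance IDs are constructed here.

```python
"""Pre-send check for .xlsx attachments: report hidden columns/rows and their values."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

M = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
NS = {"m": M}

def col_to_index(cell_ref):
    """Column letters of a cell reference to a 1-based index: 'A1' -> 1, 'AA3' -> 27."""
    n = 0
    for ch in re.match(r"[A-Z]+", cell_ref).group(0):
        n = n * 26 + ord(ch) - ord("A") + 1
    return n

def shared_strings(zf):
    """Excel stores most text in a shared-string table; return it (empty if absent)."""
    if "xl/sharedStrings.xml" not in zf.namelist():
        return []
    root = ET.fromstring(zf.read("xl/sharedStrings.xml"))
    return ["".join(t.text or "" for t in si.iter(f"{{{M}}}t")) for si in root.findall("m:si", NS)]

def cell_text(c, sst):
    """Resolve a <c> element to its text (shared string, inline string or raw value)."""
    v = c.find("m:v", NS)
    if c.get("t") == "s" and v is not None:
        return sst[int(v.text)]
    if c.get("t") == "inlineStr":
        return "".join(t.text or "" for t in c.iter(f"{{{M}}}t"))
    return v.text if v is not None else ""

def find_hidden(xlsx_bytes):
    """Map each worksheet part with hidden content to its hidden columns, rows and cell values."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        sst = shared_strings(zf)
        for part in zf.namelist():
            if not part.startswith("xl/worksheets/sheet"):
                continue
            root = ET.fromstring(zf.read(part))
            hidden_cols, hidden_rows, values = set(), set(), []
            for col in root.findall("m:cols/m:col", NS):      # <col min max hidden="1"/>
                if col.get("hidden") == "1":
                    hidden_cols.update(range(int(col.get("min")), int(col.get("max")) + 1))
            for row in root.findall("m:sheetData/m:row", NS):  # <row r hidden="1">
                r = int(row.get("r"))
                if row.get("hidden") == "1":
                    hidden_rows.add(r)
                for c in row.findall("m:c", NS):
                    if r in hidden_rows or col_to_index(c.get("r")) in hidden_cols:
                        values.append((c.get("r"), cell_text(c, sst)))
            if hidden_cols or hidden_rows:
                findings[part] = {"hidden_cols": sorted(hidden_cols),
                                  "hidden_rows": sorted(hidden_rows),
                                  "hidden_values": values}
    return findings

# Constructed sample roster: column C (InsuranceID) and row 3 are hidden.
SHEET_XML = f"""<worksheet xmlns="{M}">
 <cols><col min="3" max="3" width="0" hidden="1"/></cols>
 <sheetData>
  <row r="1"><c r="A1" t="inlineStr"><is><t>Name</t></is></c><c r="B1" t="inlineStr"><is><t>Wellness</t></is></c><c r="C1" t="inlineStr"><is><t>InsuranceID</t></is></c></row>
  <row r="2"><c r="A2" t="inlineStr"><is><t>J. Doe</t></is></c><c r="B2" t="inlineStr"><is><t>enrolled</t></is></c><c r="C2" t="inlineStr"><is><t>INS-000001</t></is></c></row>
  <row r="3" hidden="1"><c r="A3" t="inlineStr"><is><t>R. Roe</t></is></c><c r="B3" t="inlineStr"><is><t>declined</t></is></c><c r="C3" t="inlineStr"><is><t>INS-000002</t></is></c></row>
 </sheetData>
</worksheet>"""

def build_sample_xlsx():
    """Minimal constructed workbook zip containing only the worksheet part this check reads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xl/worksheets/sheet1.xml", SHEET_XML)
    return buf.getvalue()

if __name__ == "__main__":
    for part, f in find_hidden(build_sample_xlsx()).items():
        print(part, "hidden cols", f["hidden_cols"], "hidden rows", f["hidden_rows"])
        for ref, val in f["hidden_values"]:
            print("  ", ref, "=", val)
```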

Butler County sought legal advice about the breach and was advised to report the incident to the Department of Health and Human Services, which is investigating.

Coding Error Resulted in Disclosure of Thielen Student Health Center Patient Data

599 patients of Thielen Student Health Center in Ames, IA, are being notified that some of their protected health information has been impermissibly disclosed to other patients.

Thielen Student Health Center uses software to send satisfaction surveys to patients. In a recent survey run, a coding error occurred when patient information was put into the system. As a result of the error, names of patients, appointment dates, and providers’ names were incorrectly added to the surveys. Individuals affected had the above information disclosed to one other patient.

The error was rapidly identified and the health center was able to recall many of the surveys before they were seen. All affected individuals have now been notified and changes have now been made to remove personally identifiable information from future surveys.

PHI of 41,000 Patients of Cancer Centers of America Potentially Compromised in Phishing Attack

Cancer Centers of America’s Western Regional Medical Center in Bullhead City, AZ, has discovered the email account of one of its employees has been compromised as a result of a response to a phishing email.

The phishing email appeared to have been sent from the email account of a Cancer Treatment Centers of America executive and used social engineering techniques to fool the employee into disclosing login credentials to the account.

The attacker was able to access the account, but only for a limited time, as the account compromise was detected by IT staff and the user’s account password was reset. However, during the time that the email account was accessible, it is possible that some messages containing patients’ protected health information (PHI) were accessed.

Cancer Treatment Centers of America called in a nationally recognized computer forensics firm to assist with the investigation. While it was not possible to tell which, if any, emails were accessed, it was discovered that the compromised email account contained the PHI of 41,948 patients.

The information in the emails varied from patient to patient and may have included: Name, address, email address, date of birth, medical record number, treatment dates, facility visited, physician name, type of cancer, and health insurance information. A small number of Social Security numbers were exposed but the emails did not include any financial information.

Free credit monitoring and identity theft protection services have been offered to all patients whose Social Security number was exposed. Cancer Treatment Centers of America has since provided further training to employees to help them identify suspicious emails.

The breach occurred on May 2, 2018 and the CTCA Information Technology Department quickly took action to reset the account; however, the Cancer Treatment Centers of America website breach notice states that CTCA only became aware of the breach of PHI on September 26, 2018.

The breach was reported to the Department of Health and Human Services’ Office for Civil Rights on November 26, 2018.

Ransomware Attacks Reported by Healthcare Providers in Illinois and Rhode Island

A roundup of recent healthcare ransomware attacks, privacy breaches, and security incidents that have been announced in the past few days.

Center for Vitreo-Retinal Diseases Ransomware Attack Impacts 20,371 Patients

The Center for Vitreo-Retinal Diseases in Libertyville, IL, experienced a ransomware attack that resulted in the encryption of data on its servers. The attack was detected on September 18, 2018. The investigation into the breach suggests the attacker may have gained access to the protected health information of 20,371 patients that was stored on the affected servers.

The attack appeared to have been conducted with the intention of extorting money from the practice. While it is possible that patient information was accessed by the attacker, no evidence of unauthorized data access, data theft, or misuse of patient information has been discovered.

The information that was potentially compromised included names, addresses, telephone numbers, birth dates, health insurance information, health data, and the Social Security numbers of Medicare patients.

The Center for Vitreo-Retinal Diseases has since reviewed its security protections and has taken steps to prevent similar security breaches from occurring in the future.

Rhode Island Health Center Experiences Ransomware Attack

Woonsocket, RI-based Thundermist Medical Center experienced a ransomware attack on the evening of Thursday, November 28 which took some of its computer systems out of action. Fast action was taken to secure patient information and unaffected systems were isolated to prevent widespread file encryption.

The health center implemented its emergency protocols and was able to continue providing medical services. There was minimal impact on patients although certain appointments were cancelled out of safety concerns due to the inability to access medical records. Thundermist Medical Center does not believe any patient information was compromised in the attack.

Mailing Error by Vendor of OrthoTexas Physicians and Surgeons Caused Patient Name Disclosure

OrthoTexas Physicians and Surgeons, a network of orthopedic and sports medicine practices in Texas, has discovered an error was made on an October 5, 2018 mass mailing which resulted in the accidental disclosure of patient information to other patients.

The letters were notifications that a physician had joined the practice and would be treating patients at its facilities in Frisco and Plano. The letters, which were incorrectly dated August 27, 2018, were placed in incorrect envelopes by the practice’s mailing vendor.

The mailing was sent to 2,172 patients and resulted in the name of one patient being disclosed to another patient. No other patient information was included in the mailing.

San Mateo Medical Center Discovers Improper Disposal of 500 Patients’ PHI

San Mateo Medical Center in Daly City, CA, has discovered the medical records of up to 500 patients have been accidentally exposed as a result of an improper disposal incident.

The paper records had been left overnight in a box under an employee’s desk, and temporary cleaning staff mistook the box for recycling and disposed of the documents in a recycling bin that was only intended to be used for non-confidential paperwork. San Mateo Medical Center has separate recycling bins for paperwork containing confidential information, which is sent for shredding prior to disposal.

The paperwork relates to patients who visited its Daly City facility on November 5-6 inclusive. Since the documents have not been recovered, it was not possible to tell exactly which patients have been affected, nor exactly what information was recorded on the documents.

San Mateo Medical Center believes the patients affected by the incident have had the following information exposed: Name, birth date, medical record number, service date, patient account number, gender, age, provider or resource name, and insurance code.

San Mateo Medical Center has reinforced its policies on the correct way to dispose of sensitive information and the Daly City clinic manager has instructed staff not to leave confidential information out overnight and to place confidential documents in shredding bins immediately when they are no longer required.

12 State Attorneys General File HIPAA Breach Lawsuit Against Medical Informatics Engineering

A multi-state federal lawsuit has been filed against Medical Informatics Engineering and NoMoreClipboard over the 2015 data breach that exposed the data of 3.9 million individuals.

Indiana Attorney General Curtis Hill is leading the lawsuit and 11 other states are participating – Arizona, Arkansas, Florida, Iowa, Kansas, Kentucky, Louisiana, Minnesota, Nebraska, North Carolina and Wisconsin.

This is the first time that state attorneys general have joined forces in a federal lawsuit over a data breach caused by violations of the Health Insurance Portability and Accountability Act. The lawsuit seeks a financial judgement, civil penalties, and the adoption of a corrective action plan to address all compliance failures.

A Failure to Implement Adequate Security Controls

The lawsuit alleges Medical Informatics Engineering failed to implement appropriate security to protect its computer systems and sensitive patient data and, as a result of those failures, a preventable data breach occurred. According to the lawsuit, “Defendants failed to implement basic industry-accepted data security measures to protect individual’s health information from unauthorized access.”

The breach in question occurred between May 7 and May 26, 2015. Hackers were able to gain access to its WebChart electronic health record system and highly sensitive patient information, the exact types of data sought by identity thieves: names, addresses, dates of birth, Social Security numbers, and health information.

Known Vulnerabilities Were Not Corrected

Medical Informatics Engineering had set up two ‘tester’ accounts, one of which could be accessed with the username and password ‘tester’ and the other with the username and password ‘testing.’ Both accounts could be accessed remotely without the need for any further identification. The lawsuit alleges Medical Informatics Engineering was aware of the security issue, as the accounts had been identified as high risk by a third-party penetration testing firm, Digital Defense, in January 2015. Even though the accounts were high risk, Medical Informatics Engineering continued to use them. The accounts had been set up to enable one of its healthcare provider clients to log in without having to use unique usernames and passwords.

While those accounts did not have privileged access, they did allow the hackers to gain a foothold in the network. Through those accounts the attackers conducted an SQL injection attack, which allowed them to gain access to other accounts with administrative privileges that were used to exfiltrate data.

Post-Breach Response Failures

While the initial attack and data exfiltration went unnoticed, a further attempt to exfiltrate data using malware caused network performance to slow to such an extent that an alarm was generated, alerting Medical Informatics Engineering that its systems had been compromised. While the company was investigating the malware attack, the attackers were still able to exfiltrate further data through SQL queries, demonstrating that the company’s post-breach response was “inadequate and ineffective.”

No Encryption or Employee Security Awareness Training

No encryption had been used to protect stored data and no security system had been implemented to alert Medical Informatics Engineering about possible hacking attempts. Had such a system been implemented, it would have been easy to identify unauthorized access as two of the IP addresses used by the attackers originated in Germany.
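The alerting the lawsuit says was missing can be approximated with a few rules run over remote-login logs. The following is an added example, not code from the lawsuit or from Medical Informatics Engineering: it flags successful logins to shared accounts (the ‘tester’ and ‘testing’ accounts named above), logins from outside an expected set of source ranges (an allow-list of CIDRs stands in for geo-IP, since the page only notes that two addresses originated in Germany), and bursts of failed logins followed by a success, the pattern a brute-force attempt on a remote-access service leaves behind. The log line format, the sample lines, the CIDRs and the thresholds are constructed assumptions.

```python
"""Rule-based alerts over remote-login log lines (constructed format, see lead-in)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import ipaddress
import re

SHARED_ACCOUNTS = {"tester", "testing"}                       # accounts named in the lawsuit
EXPECTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "198.51.100.0/24")]  # assumed
FAIL_THRESHOLD = 5                                            # assumed
FAIL_WINDOW = timedelta(minutes=10)                           # assumed

LINE_RE = re.compile(r"^(\S+) login user=(\S+) src=(\S+) result=(success|failure)$")

def parse(line):
    """Parse one constructed log line into an event dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, user, src, result = m.groups()
    return {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "user": user, "src": ipaddress.ip_address(src), "ok": result == "success"}

def detect(lines):
    """Return (timestamp, rule, detail) alerts for the given log lines, in log order."""
    alerts = []
    recent_failures = defaultdict(deque)   # src -> timestamps of failures inside FAIL_WINDOW
    for ev in filter(None, map(parse, lines)):
        ts, user, src = ev["ts"], ev["user"], ev["src"]
        if ev["ok"] and user in SHARED_ACCOUNTS:
            alerts.append((ts, "shared-account-login", f"{user} from {src}"))
        if ev["ok"] and not any(src in net for net in EXPECTED_NETS):
            alerts.append((ts, "unexpected-source", f"{user} from {src}"))
        q = recent_failures[src]
        while q and ts - q[0] > FAIL_WINDOW:   # drop failures that have aged out of the window
            q.popleft()
        if not ev["ok"]:
            q.append(ts)
            if len(q) == FAIL_THRESHOLD:       # alert once when the burst first reaches threshold
                alerts.append((ts, "auth-failure-burst", f"{len(q)} failures from {src}"))
        elif len(q) >= FAIL_THRESHOLD:         # a success right after a burst is the worst case
            alerts.append((ts, "success-after-failures", f"{user} from {src} after {len(q)} failures"))
            q.clear()
    return alerts

# Constructed sample log: a shared-account login from an unexpected range, then a
# burst of failures from another unexpected range that ends in a successful login.
SAMPLE_LOG = """\
2015-05-07T02:10:01Z login user=jsmith src=10.20.30.40 result=success
2015-05-07T02:14:11Z login user=tester src=203.0.113.7 result=success
2015-05-07T02:15:02Z login user=admin src=198.51.100.9 result=success
2015-05-07T02:20:00Z login user=dbadmin src=192.0.2.55 result=failure
2015-05-07T02:20:05Z login user=dbadmin src=192.0.2.55 result=failure
2015-05-07T02:20:09Z login user=dbadmin src=192.0.2.55 result=failure
2015-05-07T02:20:14Z login user=dbadmin src=192.0.2.55 result=failure
2015-05-07T02:20:20Z login user=dbadmin src=192.0.2.55 result=failure
2015-05-07T02:20:31Z login user=dbadmin src=192.0.2.55 result=success
""".splitlines()

if __name__ == "__main__":
    for ts, rule, detail in detect(SAMPLE_LOG):
        print(ts.isoformat(), rule, detail)
```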

The lawsuit also alleges Medical Informatics Engineering had no documentation to confirm security awareness training had been provided to its employees prior to the data breach.

In addition to violations of HIPAA Rules, the lawsuit alleges Medical Informatics Engineering violated several state statutes relating to the protection of personal information, unfair and deceptive practices, and data breach notifications.

7,000 Patients Affected by Georgia Spine and Orthopaedics of Atlanta Phishing Attack

Georgia Spine and Orthopaedics of Atlanta (GSOA) is alerting thousands of its patients that some of their protected health information has been exposed, and potentially stolen, as a result of a phishing attack.

An investigation into the data breach revealed an unauthorized individual gained access to an email account as a result of the employee responding to a phishing email. That response allowed the attacker to obtain the employee’s email account password.

Third-party computer forensics experts were contracted to conduct a detailed investigation into the attack to determine the extent of the breach and find out which patients had been affected. The investigation confirmed that a single email account had been compromised on July 11, 2018. An evaluation of GSOA’s technology systems was also conducted to ensure that they were secure.

In order to determine which patients had been affected, a painstaking manual analysis of all emails in the compromised account was performed to determine which messages had been accessed by the attacker.

GSOA reports that the way the email account was accessed would have allowed the attacker to view and save a desk copy of emails. GSOA said that if a copy of the data was obtained it was “likely unintentional,” but it is probable that a copy of the emails was retained by the attacker.

The manual review of emails in the account revealed they contained patients’ names and personal and medical information typically saved in medical records, although only a small number of the compromised emails contained patients’ Social Security and driver’s license numbers.

All patients whose protected health information was exposed/stolen have now been notified by mail. The breach report on the Department of Health and Human Services’ Office for Civil Rights website shows 7,012 patients have been affected by the breach.

DOJ Indicts Two Iranian Hackers for Role in SamSam Ransomware Attacks

The U.S. Department of Justice has announced significant progress has been made in the investigation of the threat actors behind the SamSam ransomware attacks that have plagued the healthcare industry over the past couple of years.

The DOJ, assisted by the Royal Canadian Mounted Police, Calgary Police Service, and the UK’s National Crime Agency and West Yorkshire Police, has identified two Iranians who are believed to be behind the SamSam ransomware attacks.

Both individuals – Faramarz Shahi Savandi and Mohammad Mehdi Shah Mansouri – have been operating out of Iran since 2016 and have been indicted on four charges:

  • Conspiracy to commit fraud and related computer activity
  • Conspiracy to commit wire fraud
  • Intentional damage to a protected computer
  • Transmitting a demand in relation to damaging a protected computer

The DOJ reports that this is the first ever U.S. indictment against criminals over a for-profit ransomware, hacking, and extortion scheme.

In contrast to many threat actors who use ransomware for extortion, the SamSam ransomware group conducts targeted, manual attacks on organizations. Most ransomware gangs use spam email and other mass distribution techniques to infect as many individuals as possible.

The SamSam ransomware group exploits vulnerabilities and conducts brute force RDP attacks to gain access to systems, then investigates networks and moves laterally before manually deploying ransomware on as many computers as possible.

This method of attack allows the threat actors to inflict maximum damage. With a large percentage of an organization’s computers and systems taken out of action, the gang can issue large ransom demands. The ransoms demanded are typically in the range of $5,000 to $50,000, with the amount based on the number of devices that have been encrypted.

In the two years that the gang has been deploying SamSam ransomware, approximately $6,000,000 in ransom payments have been collected from around 200 victims. Many victims chose not to pay the ransom demands but still incurred significant costs mitigating the attacks. The DOJ estimates that, in addition to the ransom payments, additional losses from downtime due to the attacks have exceeded $30 million.

The gang’s list of victims is long and includes the cities of Newark, New Jersey and Atlanta, the Colorado Department of Transportation, and the Port of San Diego. Healthcare industry victims include Hancock Health, Adams Memorial Hospital, Kansas Heart Hospital, Allied Physicians of Michiana, Cass Regional Medical Center, Nebraska Orthopedic Hospital, LabCorp of America, Allscripts, and MedStar Health.

Research by Sophos indicates 26% of attacks were on healthcare organizations, 13% were on government agencies, 11% were on educational institutions, and 50% were on private companies. The attacks have primarily been conducted on organizations in the United States, with other victims spread across Canada, the UK, and the Middle East.

The DOJ said the SamSam ransomware gang “engaged in an extreme form of 21st-century digital blackmail, attacking and extorting vulnerable victims like hospitals and schools, victims they knew would be willing and able to pay.”

The DOJ will continue to work with international law enforcement agencies to gather evidence and bring those responsible to justice.

The DOJ has also taken the opportunity to spread the message that all industry sectors are at risk of being attacked. “This indictment highlight[s] the need for businesses, healthcare institutions, universities, and other entities to emphasize cyber security, increase threat awareness, and harden their computer networks,” wrote the DOJ in a press release announcing the indictment.
