HIPAA Breach News

Second Unencrypted Laptop Stolen from Rocky Mountain Health Care Services

Rocky Mountain Health Care Services of Colorado Springs has discovered that an unencrypted laptop was stolen from one of its employees. This is the second such incident to be discovered in the space of three months.

The latest incident was discovered on September 28. The laptop computer was discovered to contain the protected health information of a limited number of patients. The types of information stored on the device included first and last names, addresses, dates of birth, health insurance information, Medicare numbers, and limited treatment information.

The incident has been reported to law enforcement and patients impacted by the incident have been notified by mail.

Rocky Mountain Health Care Services, which also operates as Rocky Mountain PACE, BrainCare, HealthRide, and Rocky Mountain Options for Long Term Care, also discovered on June 18, 2017 that a mobile phone and laptop computer were stolen from a former employee. The devices contained names, dates of birth, addresses, limited treatment information, and health insurance details.

To date, only one of those incidents has appeared on the Department of Health and Human Services’ Office for Civil Rights breach portal. That incident, reported on November 16, indicates 909 patients were impacted. It is unclear whether this is the first or second laptop theft.

In response to the breaches, Rocky Mountain Health Care Services has been reviewing its policies and procedures with respect to the security of patient information and portable electronic devices, and is considering incorporating mobile device management technologies and data encryption for its portable electronic devices.

As the Office for Civil Rights breach portal shows, the loss and theft of unencrypted portable electronic devices is still a major cause of healthcare data breaches, and one that the use of data encryption technologies can easily prevent. So far in 2017, there have been 31 breaches reported by covered entities and business associates that have involved the loss or theft of unencrypted laptop computers and other portable electronic devices.

The post Second Unencrypted Laptop Stolen from Rocky Mountain Health Care Services appeared first on HIPAA Journal.

9,500 Patients Impacted by Medical College of Wisconsin Phishing Attack

A Medical College of Wisconsin phishing attack has resulted in the exposure of approximately 9,500 patients’ protected health information. The attackers managed to gain access to several employees’ email accounts, which contained a range of sensitive information of patients and some faculty staff.

The types of information in the compromised email accounts included names, addresses, medical record numbers, dates of birth, health insurance details, medical diagnoses, treatment information, surgical information, and dates of service. A very limited number of individuals also had their Social Security numbers and bank account information exposed.

The incident occurred over the space of a week in the summer between July 21 and July 28 when spear phishing emails were sent to specific individuals at the Medical College of Wisconsin. Responding to those emails resulted in the attackers gaining access to email login credentials.

Medical College of Wisconsin brought in a computer forensics firm to conduct an investigation into the phishing attack, and while that investigation established that access to the email accounts was gained by unauthorized individuals, it was not possible to determine whether emails containing protected health information had been accessed or viewed, or if any sensitive information was stolen. Since the attack occurred, no reports of misuse of patient information have been received.

To protect individuals against identity theft and fraud, credit monitoring and identity theft restoration services have been offered to breach victims free of charge, but only to those individuals whose Social Security numbers were compromised.

Medical College of Wisconsin reports that in addition to some faculty staff and Medical College of Wisconsin patients, some individuals who received treatment at Children’s Hospital of Wisconsin and Froedtert Health have also been impacted by the breach.

The latest Medical College of Wisconsin phishing attack comes just 10 months after a similar incident resulted in the exposure of 3,200 patients’ protected health information.


November Healthcare Breach Barometer Report Highlights Seriousness of Insider Data Breaches

Protenus has released its November 2017 healthcare Breach Barometer Report. After a particularly bad September, healthcare data breach incidents fell to more typical levels, with 37 breaches tracked in October.

The monthly summary of healthcare data breaches includes incidents reported to the Department of Health and Human Services’ Office for Civil Rights (OCR), and incidents announced via the media and tracked by databreaches.net.

Those incidents include several breaches that have yet to be reported to OCR, including a major breach that has impacted at least 150,000 individuals; the actual number of individuals impacted will not be known until the investigation has been completed. The number of individuals impacted by eight breaches has not yet been disclosed.

Including the 150,000 individuals impacted by the largest breach of the month, there were 246,246 victims of healthcare data breaches in October 2017, the lowest monthly total since May 2017.

The healthcare industry has historically recorded a higher than average number of data breaches due to insiders, although over the past few months hacking has been the leading cause of breaches. That trend continued in October. Hacking was behind 35.1% of all incidents, insider incidents accounted for 29.7% of the total, and the loss and theft of devices was behind 16.2% of incidents. The causes of the remaining 18.9% of breaches are not yet known.

While hacking incidents usually result in more records being exposed or stolen, in October insider errors exposed more healthcare data. 65% of all breached records involved insider errors.

157,737 individuals had their PHI exposed due to insider errors and insider wrongdoing, while hacks resulted in the theft of 56,837 individuals’ PHI. Protenus notes that three incidents were due to the hacking group TheDarkOverlord.

In total, there were 11 breaches that were the result of insiders: five due to errors and six due to insider wrongdoing. The biggest breach involving insider error was the failure to secure an AWS S3 bucket, resulting in the exposure of 316,363 PDF reports containing the PHI of at least 150,000 individuals. It was one of two incidents reported in October that involved unsecured AWS S3 buckets.

Another insider incident involved the mailing of flyers to individuals where PHI was visible through the envelope, a major incident that potentially caused considerable harm, as the information viewable related to patients’ HIV status.

The average time taken from breach to discovery was 448 days in October. The median time was 304 days, showing healthcare organizations are still struggling to detect data breaches rapidly.

Two HIPAA-covered entities reported breaches to OCR well outside the 60-day deadline stipulated in the HIPAA Breach Notification Rule. One of those incidents was reported three years after the breach was detected. In that case, the breach involved a nurse who was stealing patient records and using the information to file false tax returns. The median time from discovery to reporting was 59 days.

Healthcare providers reported 29 incidents, health plans reported 7 incidents, and one breach was reported by a school. Four incidents were known to involve a business associate.

California and Florida were the worst hit states in October with four incidents apiece, followed by Texas and New York.


Suspected Phishing Attack on UPMC Susquehanna Exposes 1,200 Patients’ PHI

UPMC Susquehanna, a network of hospitals and medical centers in Williamsport, Wellsboro, and Muncy in Pennsylvania, has announced that the protected health information of 1,200 patients has potentially been accessed by unauthorized individuals. Access to patient information is believed to have been gained after an employee responded to a phishing email.

While details of the breach date have not been released, UPMC Susquehanna says it discovered the breach on September 21, when an employee reported suspicious activity on their computer. An investigation was launched, which revealed unauthorized individuals had gained access to that individual’s device.

It is not known whether the attacker viewed, stole, or misused any patient information, but the possibility of data access and misuse could not be ruled out. The information potentially accessed includes names, contact information, dates of birth, and Social Security numbers.

The individuals potentially impacted by the incident had previously received treatment at various UPMC Susquehanna hospitals including Muncy Valley Hospital, UPMC Susquehanna Lock Haven, Sunbury Community Hospital, Soldiers and Sailors Memorial Hospital in Wellsboro, Williamsport Regional Medical Center and Divine Providence Hospital in Williamsport.

UPMC Susquehanna responded quickly to the breach, terminating unauthorized access. Staff have also been provided with “intensive retraining” on hospital policies and appropriate federal and state laws to prevent any recurrence. UPMC Susquehanna stated this training was in addition to the annual training sessions already provided to all staff members on the privacy and confidentiality of patient health information. UPMC Susquehanna has also conducted a complete review of its policies and procedures for keeping patient information secure.

All patients impacted by the incident have been offered complimentary identity theft protection services and have now received notifications in the mail. Patients have also received instructions on the steps they can take to protect their accounts and credit in case their information is misused.


Florida Blue Data Breach Impacts 939 Individuals

Blue Cross and Blue Shield of Florida, dba Florida Blue, has announced that the personally identifiable information of a limited number of insurance applicants has been exposed online.

Florida Blue was alerted to the exposure of patient data in late August and immediately launched an investigation. Florida Blue reports that the investigation revealed 475 insurance applications had been backed up to the cloud by an unaffiliated insurance agent, Real Time Health Quotes (RTHQ).

The data backup included agency files and copies of health, dental, and life insurance applications from 2009 to 2014. Those files were left vulnerable because the backup was stored on an unsecured cloud server, and consequently could have been accessed by anyone via the Internet.

While data access and theft of personally identifiable information remains a possibility, Florida Blue has received no reports that any of the exposed information has been used for malicious purposes.

The files contained information such as the names of applicants, dates of birth, demographic information, medical histories, Social Security numbers, and limited banking and payment information. Following the discovery that information had been left unsecured, RTHQ took steps to address the vulnerability and the information is no longer accessible by unauthorized individuals.

The incident was discovered by Florida Blue on August 30, 2017, and patients were notified of the breach by mail in late October. Even though Florida Blue was not responsible for the breach, and has no affiliation with RTHQ, affected applicants have been contacted and offered two years of identity theft protection services without charge. Florida Blue said it is still investigating the incident, and is trying to find out how RTHQ acquired the application information and why the information was stored on an unsecured cloud server.

The breach report submitted to the Department of Health and Human Services’ Office for Civil Rights indicates 939 individuals have been impacted by the incident.


Boxes of Medical Records Stolen from New Jersey Medical Practice

Otolaryngology Associates of Central Jersey is alerting patients to a breach of their protected health information, following a burglary at an off-site storage facility in East Brunswick, NJ.

The thieves took 13 boxes of paper medical records from the facility, which included information such as names, addresses, health insurance account numbers, birth dates, dates of military service, and the names of treating physicians. A limited number of driver’s license numbers and Social Security numbers were also included in the stolen records.

The burglary was quickly identified and law enforcement was notified. An internal investigation was launched, and steps were taken to reduce the likelihood of similar breaches occurring in the future.

The medical records were being stored in accordance with state and federal laws, and related to past patients who had received treatment at either of Otolaryngology Associates of Central Jersey’s two facilities in East Brunswick and Franklin townships. All affected individuals have now been notified of the breach.

While the perpetrators of many burglaries are never caught, a suspect is now in custody. That individual, Fernando Rios, 33, of Sayreville, was arrested in connection with the burglary after law enforcement received a tip-off when Rios attempted to sell the records. The person to whom Rios offered the records contacted the U.S. Department of Homeland Security and the records were handed over.

Since the stolen records were promptly recovered, Otolaryngology Associates of Central Jersey believes the risk of patient data being used inappropriately is low.

Rios has been charged with second degree trafficking in personally identifiable information, second degree identity theft, and third-degree burglary. Rios faces a minimum jail term of 5 years.

The incident has been reported to the Department of Health and Human Services’ Office for Civil Rights, but has yet to appear on the OCR breach portal. Mycentraljersey.com claims the boxes of files contained approximately 1,000 patient records.


October 2017 Healthcare Data Breaches

In October 2017, there were 27 healthcare data breaches reported to the Department of Health and Human Services’ Office for Civil Rights. Those data breaches resulted in the theft/exposure of 71,377 patient and plan member records. October saw a significant fall in the number of reported breaches compared to September, and a major fall in the number of records exposed.

Healthcare data breaches by month (July-October 2017)

October saw a major reduction in the number of breached records, with the monthly total almost 85% lower than September and almost 88% lower than the average number of records breached over the preceding three months.

healthcare records breached July-October 2017

Healthcare providers were the worst hit in October with 19 reported data breaches. There were six data breaches reported by health plans and at least two incidents involved business associates of HIPAA-covered entities.

October 2017 Healthcare Data Breaches by Covered Entity Type


Main Causes of October 2017 Healthcare Data Breaches

Unauthorized access/disclosures were the biggest causes of healthcare data breaches in October. There were 14 breaches reported involving unauthorized access/disclosures, eight hacking incidents, four cases of theft, and one lost unencrypted laptop computer.

cause of october 2017 healthcare data breaches

Unauthorized access/disclosures were the leading causes of October 2017 healthcare data breaches, although hacking/IT incidents exposed more records: over twice the number exposed by unauthorized access/disclosures, and more than all other breach types combined.

october 2017 healthcare data breaches - records exposed

Location of Exposed and Stolen Protected Health Information

Email was the most common location of breached PHI in October. Five of the nine incidents involving email were the result of hacking/IT incidents such as phishing. The remaining four incidents were unauthorized access/disclosures such as healthcare employees sending emails containing PHI to incorrect recipients. Five incidents involved paper records, highlighting the importance of securing physical records as well as electronic protected health information.

october 2017 healthcare data breaches - location of breached PHI

October 2017 Healthcare Data Breaches by State

In October, healthcare organizations based in 22 states reported data breaches. The state that experienced the most data breaches was Florida, with 3 reported breaches. Maryland, Massachusetts, and New York each had two breaches.

Alabama, Arizona, California, Connecticut, Georgia, Iowa, Illinois, Kansas, Kentucky, Louisiana, Missouri, North Carolina, Ohio, Rhode Island, Tennessee, Texas, Virginia, and Washington each had one reported breach.

Largest Healthcare Data Breaches in October 2017

Breached Entity | Entity Type | Breach Type | Individuals Affected
--- | --- | --- | ---
Chase Brexton Health Care | Healthcare Provider | Hacking/IT Incident | 16,562
East Central Kansas Area Agency on Aging | Business Associate | Hacking/IT Incident | 8,750
Brevard Physician Associates | Healthcare Provider | Theft | 7,976
MHC Coalition for Health and Wellness | Healthcare Provider | Theft | 5,806
Catholic Charities of the Diocese of Albany | Healthcare Provider | Hacking/IT Incident | 4,624
MGA Home Healthcare Colorado, Inc. | Healthcare Provider | Hacking/IT Incident | 2,898
Orthopedics NY, LLP | Healthcare Provider | Unauthorized Access/Disclosure | 2,493
Mann-Grandstaff VA Medical Center | Healthcare Provider | Theft | 1,915
Arch City Dental, LLC | Healthcare Provider | Unauthorized Access/Disclosure | 1,716
John Hancock Life Insurance Company (U.S.A.) | Health Plan | Unauthorized Access/Disclosure | 1,715


MongoDB and AWS Incorporate New Security Controls to Prevent Data Breaches

Amazon has announced that new safeguards have been incorporated into its S3 cloud storage service that will make it much harder for users to misconfigure their S3 buckets and accidentally leave their data unsecured.

While Amazon will sign a business associate agreement with HIPAA-covered entities, and has implemented appropriate controls to ensure data can be stored securely, user errors can all too easily lead to data exposure and breaches. Breaches caused by such errors show that even HIPAA-compliant cloud services have the potential to leak data.

This year has seen many organizations accidentally leave their S3 data exposed online, including several healthcare organizations. Two such breaches were reported by Accenture and Patient Home Monitoring. Accenture was using four unsecured cloud-based storage servers that stored more than 137 GB of data including 40,000 plain-text passwords. The Patient Home Monitoring AWS S3 misconfiguration resulted in the exposure of 150,000 patients’ PHI.

In response to multiple breaches, Amazon has announced that new safeguards have been implemented to alert users to exposed data. While there are reasons why organizations would want their Amazon S3 buckets accessible over the Internet without the need for authentication, in most cases stored data should be protected.

To reduce the potential for data exposure, Amazon is implementing a warning system that will alert users when authentication controls are not active. A bright orange button will now appear throughout the AWS console to alert users when their S3 buckets are accessible without the need for authentication. Administrators will be able to control the privacy settings of each S3 bucket using an access control list, and publicly available buckets will be clearly displayed. Daily and weekly reports will also highlight which buckets are secure, and which are accessible by the public.
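As an added example (not code from HIPAA Journal or Amazon), the check below audits an S3 bucket's ACL grants and bucket policy for the public-access pattern described above. The ACL and policy documents are constructed to mirror the shapes the S3 GetBucketAcl and GetBucketPolicy APIs return, so it runs offline; the owner ID and account number are placeholders.

```python
# Predefined S3 groups whose presence in a grant makes the bucket public.
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anyone on the Internet",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account",
}


def public_acl_grants(acl):
    """Return (who, permission) for every ACL grant to a public group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUP_URIS:
            findings.append((PUBLIC_GROUP_URIS[grantee["URI"]], grant.get("Permission")))
    return findings


def _principal_is_anonymous(principal):
    """True for Principal "*" or {"AWS": "*"} (string or list form)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in (aws if isinstance(aws, list) else [aws])
    return False


def public_policy_statements(policy):
    """Return Sids of Allow statements open to any principal with no Condition."""
    # A Condition (e.g. aws:SourceVpce) narrows access; such statements need manual review.
    return [
        stmt.get("Sid", "<no Sid>")
        for stmt in policy.get("Statement", [])
        if stmt.get("Effect") == "Allow"
        and _principal_is_anonymous(stmt.get("Principal"))
        and not stmt.get("Condition")
    ]


def audit_bucket(name, acl, policy):
    """One report per bucket; empty findings lists mean no public access was found."""
    return {
        "bucket": name,
        "public_acl_grants": public_acl_grants(acl),
        "public_policy_statements": public_policy_statements(policy),
    }


# Constructed samples: a backup bucket left world-readable (the misconfiguration
# behind the breaches described above) beside one restricted to a single role.
OWNER = {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-ID"}  # placeholder ID
EXPOSED_ACL = {"Grants": [
    {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group",
                 "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]}
EXPOSED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-phi-backups/*"},
]}
SECURE_ACL = {"Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]}
SECURE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "BackupRoleOnly", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/backup"},  # placeholder account
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-phi-backups/*"},
]}
```

Against real buckets the same functions take the dicts returned by boto3's get_bucket_acl and json.loads of get_bucket_policy's Policy string.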

MongoDB Update Makes Databases Secure by Default

In addition to the data breaches resulting from exposed Amazon S3 buckets, many organizations have reported breaches involving unsecured MongoDB databases this year. Worldwide, more than 27,000 organizations had their databases accessed, data stolen, and their databases deleted. The attackers issued demands for payment to return the stolen data.

While MongoDB incorporates all the necessary safeguards to prevent unauthorized access to databases, those safeguards must be activated. Many organizations failed to realize that the default configuration was not secure.

MongoDB has responded to the breaches and has taken the decision to implement default security controls for the new version of the database platform, which is scheduled to be released next month. MongoDB 3.6 will bind only to localhost by default. Users who require their databases to be accessible over the internet will be required to switch on that feature. Doing so will make the databases accessible by anyone, so to restrict access, authentication controls will need to be manually switched on. The new secure default configuration will make it harder for data to be accidentally exposed online.
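As an added example (not MongoDB's own tooling), the check below evaluates a mongod configuration for the exposure pattern described above: a non-loopback bind address without authorization enabled. It assumes the configuration has been loaded from mongod.conf into a dict (as PyYAML would produce; the samples are constructed inline) and takes the server version because, as noted above, only 3.6 and later bind to localhost when net.bindIp is absent.

```python
import ipaddress

LOOPBACK_NAMES = {"localhost", "127.0.0.1", "::1"}


def _is_loopback(addr):
    """True for localhost, 127.x.x.x or ::1; anything else is treated as reachable."""
    addr = addr.strip()
    if addr in LOOPBACK_NAMES:
        return True
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False  # hostname or socket path: assume it can be reached from outside


def listening_addresses(config, version):
    """Resolve the effective bind list from net.bindIp / net.bindIpAll and the version default."""
    net = config.get("net") or {}
    if net.get("bindIpAll"):
        return ["0.0.0.0", "::"]
    bind_ip = net.get("bindIp")
    if bind_ip is None:
        # 3.6 made localhost the default; earlier releases listened on every interface.
        return ["localhost"] if version >= (3, 6) else ["0.0.0.0"]
    return [a.strip() for a in str(bind_ip).split(",") if a.strip()]


def audit_mongod(config, version=(3, 6)):
    """Return findings as strings; an empty list means the exposure pattern is absent."""
    findings = []
    external = [a for a in listening_addresses(config, version) if not _is_loopback(a)]
    auth = (config.get("security") or {}).get("authorization", "disabled")
    if external and auth != "enabled":
        findings.append(f"CRITICAL: listening on {external} with authorization {auth}; "
                        "anyone who can reach the port can read, alter or drop databases")
    elif external:
        findings.append(f"WARNING: reachable on {external}; authorization is enabled, "
                        "so confirm network filtering and TLS as well")
    if auth != "enabled":
        findings.append("INFO: security.authorization is not enabled")
    return findings


# Constructed configurations (the dict form PyYAML would load from mongod.conf).
LEGACY_DEFAULT = {}  # no settings at all: exposed before 3.6, localhost-only from 3.6
INTERNET_FACING = {"net": {"bindIp": "0.0.0.0", "port": 27017}}
HARDENED = {"net": {"bindIp": "127.0.0.1,::1", "port": 27017},
            "security": {"authorization": "enabled"}}
```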


Cook County Health and Hospitals System Patients Impacted by Experian Health Breach

Cook County Health and Hospitals System, a health system comprising two hospitals and more than a dozen community health centers in Cook County, Illinois, has alerted patients to a breach of their protected health information.

The breach occurred at Experian Health, a business associate of Cook County Health and Hospitals System. Experian Health is contracted to determine insurance eligibility and limited patient information is disclosed to the business associate for this purpose.

The breach occurred in March 2017 during an upgrade of Experian Health’s computer system. The protected health information of 727 patients was accidentally sent to other healthcare systems. The PHI disclosed was limited and did not include the types of information sought by cybercriminals to commit identity theft.

Due to the limited disclosure of PHI, and the fact that the information was sent to organizations covered by HIPAA Rules, the risk to patients is believed to be low. To date, Experian Health has not been notified of any unauthorized uses of the disclosed information. The breach was limited to patients’ names, medical record numbers, dates of birth, and account numbers.

Following discovery of the breach, Experian Health took steps to recover and secure the disclosed information and steps have been taken to prevent similar incidents from exposing the PHI of patients. Cook County Health and Hospitals System also reviewed the breach and is satisfied with the actions taken by Experian Health to prevent similar breaches from occurring in the future.

Cook County Health and Hospitals System was notified of the breach on August 1, 2017 and a substitute breach notice was posted on the health system’s website on October 2, 2017. All patients impacted by the breach have now been notified by mail and a breach report has been submitted to the Department of Health and Human Services’ Office for Civil Rights.
