HIPAA Breach News

Montefiore Medical Center and Geisinger Fire Employees for Improper PHI Access

Montefiore Medical Center in Bronx, NY has fired an employee over the alleged theft of the protected health information of approximately 4,000 patients. Montefiore became aware of a potential internal data breach in July 2020 and launched an investigation into unauthorized medical record access.

Montefiore had implemented a technology solution that monitors EHRs for inappropriate access, which identified the employee. The investigation confirmed that the employee had accessed medical records without any legitimate work reason between January 2018 and July 2020.
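The kind of check such an EHR access-monitoring solution performs is easy to illustrate. The following is an added example, not Montefiore's or any vendor's code: it replays a constructed EHR audit log against a constructed care-team assignment list and flags chart accesses for which the user had no documented treatment relationship, or whose assignment had already ended, then singles out users who opened several unrelated charts. The log format, field names and the "care-team assignment" feed are assumptions for the example.

```python
"""
Added example (not Montefiore's or any vendor's code): a minimal EHR audit-log
review that flags chart accesses lacking a documented care relationship.

Assumptions (hypothetical): the EHR writes one JSON line per chart open with
ts, user_id, patient_id and action; a separate feed lists care-team
assignments (user_id, patient_id, start, end). Both are constructed inline.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed care-team assignments: who is expected to open which chart, and when.
CARE_TEAM = [
    {"user_id": "rn_042", "patient_id": "P1001", "start": "2020-06-01", "end": "2020-07-15"},
    {"user_id": "md_017", "patient_id": "P1001", "start": "2020-06-01", "end": "2020-07-15"},
    {"user_id": "md_017", "patient_id": "P1002", "start": "2020-06-20", "end": "2020-07-31"},
    {"user_id": "rn_042", "patient_id": "P1003", "start": "2020-07-01", "end": "2020-07-10"},
]

# Constructed audit log: one JSON object per chart access.
AUDIT_LOG = """\
{"ts": "2020-07-02T08:15:00", "user_id": "rn_042", "patient_id": "P1001", "action": "VIEW"}
{"ts": "2020-07-02T08:20:00", "user_id": "md_017", "patient_id": "P1002", "action": "VIEW"}
{"ts": "2020-07-02T23:40:00", "user_id": "rn_042", "patient_id": "P1002", "action": "VIEW"}
{"ts": "2020-07-03T00:05:00", "user_id": "clerk_311", "patient_id": "P1001", "action": "VIEW"}
{"ts": "2020-07-03T00:06:00", "user_id": "clerk_311", "patient_id": "P1002", "action": "VIEW"}
{"ts": "2020-07-03T00:07:00", "user_id": "clerk_311", "patient_id": "P1003", "action": "VIEW"}
{"ts": "2020-07-20T09:00:00", "user_id": "rn_042", "patient_id": "P1003", "action": "VIEW"}
"""


def build_relationship_index(care_team):
    """Map (user_id, patient_id) -> list of (start, end) datetime windows.

    The assignment end date is inclusive, so the window ends at midnight
    of the following day.
    """
    index = defaultdict(list)
    for a in care_team:
        start = datetime.fromisoformat(a["start"])
        end = datetime.fromisoformat(a["end"]) + timedelta(days=1)
        index[(a["user_id"], a["patient_id"])].append((start, end))
    return index


def classify_access(index, event, grace_days=0):
    """Return None when the access falls inside an assignment window,
    otherwise a short reason string explaining why it is suspicious."""
    ts = datetime.fromisoformat(event["ts"])
    windows = index.get((event["user_id"], event["patient_id"]), [])
    if not windows:
        return "no_care_relationship"
    for start, end in windows:
        # grace_days tolerates legitimate follow-up work shortly after discharge
        if start <= ts < end + timedelta(days=grace_days):
            return None
    return "outside_assignment_window"


def review_audit_log(log_text, care_team, grace_days=0, bulk_threshold=3):
    """Scan the log and return (findings, bulk_users).

    findings:   every access not covered by a care relationship, with a reason
    bulk_users: users who opened bulk_threshold or more unrelated charts,
                the pattern that most often indicates browsing rather than care
    """
    index = build_relationship_index(care_team)
    findings = []
    uncovered_by_user = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        reason = classify_access(index, event, grace_days)
        if reason:
            findings.append({**event, "reason": reason})
            uncovered_by_user[event["user_id"]].add(event["patient_id"])
    bulk_users = sorted(u for u, pts in uncovered_by_user.items()
                        if len(pts) >= bulk_threshold)
    return findings, bulk_users


if __name__ == "__main__":
    findings, bulk_users = review_audit_log(AUDIT_LOG, CARE_TEAM)
    for f in findings:
        print(f"{f['ts']} {f['user_id']:10} {f['patient_id']} {f['reason']}")
    print("users with bulk unrelated access:", bulk_users)
```

In production, a review like this also has to honour legitimate exceptions the example omits, such as documented emergency ("break-the-glass") overrides and roles like billing or quality review that touch charts without a care-team entry; the value of the treatment-relationship model is that it turns each of those into an explicit, auditable allow rule rather than silence.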

Accessing the medical records of patients when there is no legitimate reason for doing so is a violation of HIPAA and hospital policies. Montefiore said criminal background checks are performed on all employees prior to being given a position at the medical center and Montefiore provides HIPAA training to all employees. The employee in question had received significant privacy and security training but had chosen to violate internal policies and HIPAA Rules.

The investigation into the breach is ongoing and the matter has been reported to NYPD, which has launched a criminal investigation.

“Montefiore deeply regrets this incident and will not tolerate any violation of patient privacy,” said a spokesperson for the medical center. “In support of all HIPAA guidance and laws, we view this activity to be criminal in nature and are fully cooperating with law enforcement as the case moves forward.”

The types of information accessed by the former employee included names, addresses, dates of birth, and Social Security numbers. Affected patients have been offered complimentary identity theft protection services for 12 months and are protected against financial loss by a $1,000,000 identity theft insurance policy.

Montefiore Medical Center is now expanding its monitoring capabilities and employee training programs.

Geisinger Fires Employee for Unauthorized Medical Record Access

Geisinger has fired an employee for improper medical record access. A member of the workforce alerted the Geisinger Privacy Office about an employee who was suspected of accessing the medical records of patients when there was no legitimate work reason for doing so.

The report was received on June 3, 2020 and an investigation into unauthorized access was immediately launched. The investigation was concluded on September 8, 2020. The employee in question worked at a Geisinger Clinic and was authorized to access patient records, but the investigation revealed the records of around 700 patients had been accessed without any work reason for doing so. The unauthorized access started in June 2019 and continued until June 2020.

The types of information that could be viewed included names, dates of birth, medical record numbers, dates of service, social security numbers, addresses, phone numbers, medical conditions, diagnoses, medications, treatment information and other clinical notes. A review of the employee’s network activity uncovered no evidence to suggest information had been stolen but, out of an abundance of caution, all affected patients have been offered complimentary credit monitoring and identity theft protection services.

“At Geisinger, protecting our patients’ and members’ privacy is of the utmost importance and we are constantly working on safeguards and protocols to identify incidents such as these so we can prevent such occurrences in the future,” said Geisinger Chief Privacy Officer, Jonathan Friesen.

The post Montefiore Medical Center and Geisinger Fire Employees for Improper PHI Access appeared first on HIPAA Journal.

August 2020 Healthcare Data Breach Report

37 healthcare data breaches of 500 or more records were reported to the HHS’ Office for Civil Rights in August 2020, one more than July 2020 and one below the 12-month average.

The number of breaches remained fairly constant month-over-month, but there was a 63.9% increase in breached records in August. 2,167,179 records were exposed, stolen, or impermissibly disclosed in August. The average breach size was 58,572 records and the median breach size was 3,736 records.

Largest Healthcare Data Breaches Reported in August 2020

| Name of Covered Entity | Covered Entity Type | Individuals Affected | Type of Breach | Location of Breached PHI | Incident |
|---|---|---|---|---|---|
| Northern Light Health | Business Associate | 657,392 | Hacking/IT Incident | Network Server, Other | Blackbaud ransomware attack |
| Saint Luke’s Foundation | Healthcare Provider | 360,212 | Hacking/IT Incident | Network Server | Blackbaud ransomware attack |
| Assured Imaging | Healthcare Provider | 244,813 | Hacking/IT Incident | Network Server | Ransomware attack |
| MultiCare Health System | Healthcare Provider | 179,189 | Hacking/IT Incident | Network Server | Blackbaud ransomware attack |
| Imperium Health LLC | Business Associate | 139,114 | Hacking/IT Incident | Email | Phishing attack |
| University of Florida Health | Healthcare Provider | 135,959 | Hacking/IT Incident | Network Server | Blackbaud ransomware attack |
| Utah Pathology Services, Inc. | Healthcare Provider | 112,124 | Hacking/IT Incident | Email | Phishing attack |
| Dynasplint Systems, Inc. | Healthcare Provider | 102,800 | Hacking/IT Incident | Network Server | Ransomware attack |
| Main Line Health | Healthcare Provider | 60,595 | Hacking/IT Incident | Network Server | Blackbaud ransomware attack |
| Northwestern Memorial HealthCare | Healthcare Provider | 55,983 | Hacking/IT Incident | Network Server | Blackbaud ransomware attack |
| Richard J. Caron Foundation | Healthcare Provider | 22,718 | Hacking/IT Incident | Network Server | Blackbaud ransomware attack |
| UT Southwestern Medical Center | Healthcare Provider | 15,958 | Unauthorized Access/Disclosure | Other | Unconfirmed |
| City of Lafayette Fire Department | Healthcare Provider | 15,000 | Hacking/IT Incident | Network Server | Ransomware attack |
| Hamilton Health Center, Inc. | Healthcare Provider | 10,393 | Unauthorized Access/Disclosure | Email | Misdirected Email |


Causes of August 2020 Healthcare Data Breaches

Hacking/IT incidents dominated the breach reports in August, with the 24 reported incidents making up 64.9% of the month’s data breaches. 2,127,070 records were compromised in those breaches, which is 98.15% of all records breached in August. The average breach size was 88,628 records and the median breach size was 11,550 records.

There were 8 unauthorized access/disclosure incidents involving 32,205 records. The average breach size was 4,026 records and the median breach size was 992 records. There were 5 loss (2) and theft (3) incidents reported. The average breach size was 1,581 records and the median breach size was 1,768 records.

While phishing attacks usually dominate the healthcare data breach reports, in August, attacks on network servers were more common. The increase in network server attacks is largely due to ransomware attacks, notably, an attack on Blackbaud, a business associate of many healthcare organizations in the United States. Blackbaud offers a range of services to healthcare providers, including patient engagement and digital data storage related to donors and philanthropy.

Between February 7, 2020 and May 20, 2020, hackers had access to Blackbaud’s systems and obtained backups of several of its clients’ databases before deploying ransomware. Blackbaud paid the ransom to ensure data stolen in the attack were destroyed.

Only a small percentage of its clients were affected by the attack, but so far at least 52 healthcare organizations have confirmed that their donor data were compromised in the attack. We have data for 17 of those attacks and so far, more than 3 million individuals are known to have been affected. That number is likely to grow significantly over the next few weeks now the deadline for reporting the breach is approaching.

There were also two major phishing incidents reported in August. Imperium Health suffered an attack in which the records of 139,114 individuals were potentially compromised, and Utah Pathology Services suffered an attack involving the records of 112,124 individuals.

Healthcare Data Breaches by Covered Entity Type

Healthcare providers were the worst affected covered entity with 24 data breaches reported in August. Three breaches were reported by health plans and five breaches were reported by business associates; however, a further 9 breaches had some business associate involvement.

States Affected by August 2020 Data Breaches

Data breaches were reported by entities in 24 states in August. Pennsylvania was the worst affected state with 6 breaches of 500 or more healthcare records, followed by Kentucky with 4, Texas with 3, and Arizona, Ohio, and Washington with 2. One breach was reported in each of Arkansas, California, Colorado, Connecticut, Florida, Iowa, Idaho, Illinois, Indiana, Maryland, Maine, Michigan, Missouri, New York, Oklahoma, South Carolina, Utah, and Wisconsin.

HIPAA Enforcement Activity in August 2020

There were no HIPAA enforcement actions announced in August by either the HHS Office for Civil Rights or state attorneys general.


Systemic Noncompliance with HIPAA Results in $1.5 Million Financial Penalty for Athens Orthopedic Clinic

The HHS’ Office for Civil Rights has announced a settlement has been reached with Athens Orthopedic Clinic PA to resolve multiple violations of the Health Insurance Portability and Accountability Act (HIPAA) Rules.

OCR conducted an investigation into a data breach reported by the Athens, GA-based healthcare provider on July 29, 2016. Athens Orthopedic Clinic had been notified by Dissent of Databreaches.net on June 26, 2026 that a database containing the electronic protected health information (ePHI) of Athens Orthopedic Clinic patients had been listed for sale online by a hacking group known as The Dark Overlord. The hackers are known for infiltrating systems, stealing data, and issuing ransom demands, payment of which is required to prevent the publication or sale of the data.

Athens Orthopedic Clinic investigated the breach and determined that the hackers gained access to its systems on June 14, 2016 using vendor credentials and exfiltrated data from its EHR system. The records of 208,557 patients were stolen in the attack, including names, dates of birth, Social Security numbers, procedures performed, test results, clinical information, billing information, and health insurance details.

OCR accepts that it is not possible to prevent all cyberattacks, but when data breaches occur as a result of the failure to comply with the HIPAA Rules, financial penalties are appropriate.

“Hacking is the number one source of large health care data breaches. Health care providers that fail to follow the HIPAA Security Rule make their patients’ health data a tempting target for hackers,” said OCR Director Roger Severino.

The OCR investigation into the breach revealed systemic noncompliance with the HIPAA Rules. Athens Orthopedic Clinic had not conducted an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI, in violation of 45 C.F.R. § 164.308(a)(1)(ii)(B).

Security procedures had not been implemented to reduce the potential risks to ePHI to a reasonable and appropriate level, in violation of 45 C.F.R. § 164.308(a)(1)(ii)(A).

From September 30, 2015 to December 15, 2016, Athens Orthopedic Clinic failed to implement appropriate hardware, software, and procedures for recording and analyzing information system activity, in violation of 45 C.F.R. § 164.312(b).

It took until August 2016 for HIPAA policies and procedures to be maintained, in violation of 45 C.F.R. § 164.530(i) and (j), and prior to August 7, 2016, the clinic had not entered into business associate agreements with three of its vendors, in violation of 45 C.F.R. § 164.308(b)(3).

Prior to January 15, 2018, Athens Orthopedic Clinic had not provided HIPAA Privacy Rule training to the entire workforce, in violation of 45 C.F.R. § 164.530(b).

As a result of the compliance failures, Athens Orthopedic Clinic failed to prevent unauthorized access to the ePHI of 208,557 patients, in violation of 45 C.F.R. § 164.502(a).

In addition to the financial penalty, Athens Orthopedic Clinic has agreed to adopt a corrective action plan covering all aspects of noncompliance discovered during the OCR investigation. The clinic settled the case with no admission of liability.

This is the sixth HIPAA settlement to be announced by OCR in September and the ninth HIPAA penalty of 2020. Earlier this month, OCR announced five settlements had been reached with HIPAA-covered entities under its HIPAA Right of Access initiative for failing to provide patients with a copy of their health information.


HIPAA Right of Access Failures Result in Five OCR HIPAA Fines

The Department of Health and Human Services’ Office for Civil Rights has announced five settlements have been reached to resolve HIPAA violations discovered during the investigation of complaints from patients who had experienced problems obtaining a copy of their health records.

The HIPAA Privacy Rule gives individuals the right to have timely access to their health records at a reasonable cost. If an individual chooses to exercise their rights under HIPAA and submit a request for a copy of their health records, a healthcare provider must provide those records without reasonable delay and within 30 days of receiving the request.

After receiving multiple complaints from individuals who had been prevented from obtaining a copy of their health records, OCR launched its HIPAA right of access initiative in 2019 and made compliance with the HIPAA right of access one of its enforcement priorities.

Two settlements were reached with HIPAA covered entities in 2019 over HIPAA right of access failures. Bayfront Health St Petersburg and Korunda Medical, LLC were each ordered to pay a financial penalty of $85,000 to settle the case and adopt a corrective action plan to ensure that access requests were processed in a timely manner in the future.

The latest 5 settlements were agreed with Beth Israel Lahey Health Behavioral Services, Housing Works, Inc., All Inclusive Medical Services, Inc., King MD, and Wise Psychiatry, PC. The financial penalties ranged from $3,500 to $70,000, with OCR considering several factors when determining an appropriate penalty.

The settlements are intended to send a message to healthcare organizations that compliance with the HIPAA right of access is not optional. When complaints are received alleging non-compliance, they will be investigated, and a financial penalty may be deemed appropriate.

“Patients can’t take charge of their health care decisions, without timely access to their own medical information,” said OCR Director Roger Severino. “Today’s announcement is about empowering patients and holding health care providers accountable for failing to take their HIPAA obligations seriously enough.”

Beth Israel Lahey Health Behavioral Services

Beth Israel Lahey Health Behavioral Services (BILHBS) is the largest provider of mental health and substance use disorder services in eastern Massachusetts. In April 2019, OCR received a complaint alleging BILHBS had failed to respond to a request from a personal representative seeking a copy of her father’s medical records. The complainant requested the records in February 2019, but they had still not been provided two months later.

In response to the OCR investigation, the patient received her father’s medical records in October 2019. OCR determined there had potentially been a violation of the HIPAA Right of Access. BILHBS agreed to settle the case for $70,000 and has adopted a corrective action plan and will be monitored by OCR for one year.

Housing Works

Housing Works, Inc. is a New York City based non-profit healthcare organization that provides healthcare, homeless services, advocacy, job training, re-entry services, and legal aid support for people living with and affected by HIV/AIDS.

In June 2019, a patient requested a copy of his medical records from Housing Works, Inc. In July 2019, a complaint was filed with OCR alleging Housing Works had not provided those records. OCR investigated and provided technical assistance on the HIPAA right of access and closed the case. However, the complainant was still not provided with a copy of his medical records and filed a second complaint with OCR in August 2019.

OCR reopened the investigation and determined that the failure to provide those records was in violation of the HIPAA right of access and a financial penalty was warranted. Housing Works provided the complainant with his medical records in November 2019. The case was settled for $38,000 and Housing Works agreed to adopt a corrective action plan. OCR will monitor Housing Works for one year.

All Inclusive Medical Services, Inc.

All Inclusive Medical Services, Inc. (AIMS) is a Carmichael, CA-based multi-specialty family medicine clinic that provides a range of services including internal medicine, pain management, and rehabilitation.

In January 2018, a patient requested a copy of her medical records, but AIMS allegedly refused to provide those records. The patient sent a complaint to OCR in April 2018 and an investigation was launched. OCR determined the failure to allow the patient to inspect and receive a copy of her medical records was in violation of the HIPAA right of access. The patient was sent a copy of her records in August 2020.

AIMS was ordered to pay OCR $15,000 to settle the case and adopt a corrective action plan. OCR will monitor AIMS for compliance for 2 years.

King MD

King MD is a small provider of psychiatric services in Virginia. OCR received a complaint in October 2018 from a patient who had not been provided with a copy of her medical records within two months of submitting the request. OCR contacted King MD and provided technical assistance on the HIPAA right of access; however, in February 2019, OCR received a second complaint as King MD had still not provided the patient with her medical records. Those records were finally provided in July 2020.

OCR agreed to settle the case for $3,500. King MD has adopted a corrective action plan and will be monitored by OCR for two years.

Wise Psychiatry, PC.

Wise Psychiatry is a small provider of psychiatric services in Colorado. In November 2017, a personal representative submitted a request for a copy of her minor son’s medical records. Those records had still not been provided by February 2018 and a complaint was filed with OCR. OCR investigated and provided technical assistance on the HIPAA right of access and closed the case.

A second complaint was received in October 2018 from the same individual who still had not been provided with her son’s records. Those records were finally provided in May 2019 as a result of the OCR investigation. The case was settled for $10,000 and Wise Psychiatry agreed to adopt a corrective action plan and will be monitored by OCR for one year.


Department of Veteran Affairs Reports Breach of Payment System and Potential Theft of Veterans’ SSNs

The U.S. Department of Veteran Affairs (VA) has experienced a data breach involving the personal information of around 46,000 veterans.

Hackers gained access to an online application used by the VA Financial Services Center (FSC) and attempted to divert payments sent by the VA to community care providers to pay for veterans’ medical care. Social engineering tactics were used, and authentication protocols were exploited to gain access to the application and change bank account information.

Upon discovery of the breach, the FSC took the payment processing application offline to prevent any further payments from being sent. It is unclear how many payments were sent before the cyberattack was discovered and whether the attack was detected in time to block fraudulent transfers. The FSC said the breached payment processing application will remain offline until the Office of Information Technology has performed a comprehensive security review.

The main purpose of the cyberattack appears to have been to divert payments; however, the personally identifiable information and Social Security numbers of around 46,000 veterans were stolen in the attack and could potentially be used for fraudulent purposes.

All veterans whose information was potentially compromised in the attack have now been notified by mail and have been offered complimentary credit monitoring services. They have also been provided with information on the steps they can take to protect against fraudulent use of their information.

The VA is currently undergoing a major update of its financial services system; however, there have been several delays and the project is not expected to be completed until 2030. The FTC recently issued a request for information seeking cybersecurity audit services. The cybersecurity audit is intended to address compliance, strategy, and sustainment, and as part of the audit, the contractor is required to “provide a gap analysis on which cybersecurity tools, processes, and controls the government should employ and provide recommendations of methods to improve visibility as well as incident response time following VA best practices.”


Starling Physicians Email Breach Impacts 7,777 Patients

Rocky Hill, CT-based Starling Physicians has started notifying 7,777 patients that some of their protected health information was stored in email accounts that were found to have been accessed by an unauthorized individual.

A breach of its email environment was detected on or around July 7, 2020. A comprehensive review was conducted to determine the extent of the breach and whether any patient data had been accessed. While evidence of PHI access was not found, it was not possible to rule out unauthorized data access.

Emails and email attachments were found to include names along with some of the following data elements: Dates of birth, medical record numbers, patient account numbers, diagnostic information, healthcare provider information, prescription information, and treatment information. A small number of affected individuals also had their address, social security number, and/or Medicare/Medicaid ID number exposed.

Starling Physicians is strengthening its cybersecurity defenses to prevent similar data security events in the future.

Advocate Aurora Health Notifies 2,979 Patients About PHI Exposure

Advocate Aurora Health has discovered paper and other hard copy files were exposed at Aurora Medical Center – Bay Area in Wisconsin during preparations to sell the facility and may have been accessed by unauthorized individuals.

A review of the files revealed they contained the personal and protected health information of 2,979 patients. The facility had not been used as a hospital since August 2018, but there were limited public uses of the building after that date, during which information may have been viewed.

The exposed files contained patients’ first and/or last names, date of birth; phone number; address; emergency contact information, Social Security number, medical record number, gender, height and weight, dates of service, exam or lab results, diagnoses, medications, employer information, and/or health insurance information.

The files have now been secured and affected individuals have been notified and offered a 12-month complimentary membership to Experian’s IdentityWorksSM service.

Moffitt Cancer Center Patients Notified about Theft of Unencrypted Storage Devices

H. Lee Moffitt Cancer Center and Research Institute in Tampa is notifying 4,056 patients that two unencrypted storage devices and paperwork containing protected health information have been stolen.

The USB devices and paperwork were in a briefcase that was stolen from the vehicle of a physician on July 2, 2020. A review of the devices and paperwork confirmed they contained limited protected health information, such as patient names, dates of birth, medical record numbers, and/or information about the services received at Moffitt.

Staff have been re-educated on securing patient data, the use of USB devices is being reviewed, and auto-encryption processes are being refined to ensure all patient information is secured. Moffitt Cancer Center is unaware of any attempted misuse of patient data.

Lost Hard Drive Contained the PHI of INTEGRIS Baptist Medical Center Patients

INTEGRIS is notifying certain patients that some of their protected health information was stored on a portable hard drive that was lost during an on-campus office move. The hard drive was discovered to be missing on October 17, 2029. A thorough search was conducted but the hard drive could not be located.

A backup copy of the data on the hard drive was located and analyzed and was found to contain the information of certain patients who had previously received medical services at INTEGRIS Baptist Medical Center Portland Avenue in Oklahoma City, formerly known as Deaconess Hospital. The data on the drive was limited to patients’ names, Social Security numbers, and limited clinical information.

Affected individuals have been offered a complimentary one-year membership of Experian’s IdentityWorksSM Credit 3B service.


Inova Health System Says 1.05 Million Individuals Impacted by Blackbaud Ransomware Attack

Falls Church, VA-based Inova Health System is one of the latest healthcare providers to confirm that it has been affected by the ransomware attack on Blackbaud. A backup of its donor database contained the information of 1,045,270 donors, patients, and prospective donors, which takes the total number of healthcare victims in the United States past 2.99 million. That total is also likely to grow as the deadline for reporting the breach to the HHS has not yet been reached.

On July 16, 2020, Blackbaud issued notifications to its clients that it had suffered a ransomware attack. Unauthorized individuals gained access to its systems on February 7, 2020 and retained access until May 20, 2020, when the attack was detected as ransomware was deployed. Prior to the deployment of ransomware, certain data were exfiltrated from Blackbaud’s servers. While not all clients were affected, the attackers were able to obtain backups of the fundraising databases of many of the firm’s clients.

For most organizations, the breached data were limited to donor names, addresses, dates of birth, contact information, and giving history and, for patients, also provider names, dates of service, and hospital departments where treatment was provided. Blackbaud said credit card information, bank account information, and Social Security numbers were not compromised.

Blackbaud agreed to pay the ransom demand and was provided with the keys to decrypt files encrypted in the attack and arrangements were made with the attackers to have the data stolen permanently deleted. Blackbaud is satisfied that all data stolen in the attack have been permanently deleted and were not further disclosed by the attackers. Blackbaud also confirmed that the vulnerability that was exploited by the attackers to gain access to its systems has now been fixed.

No evidence has been found that suggests there have been further disclosures of data stolen in the attack, Blackbaud has seen evidence indicating the data were deleted, and the firm is using a third-party to monitor the dark web to ensure that no copies are offered up for sale or are publicly disclosed.

U.S. Healthcare Organizations Affected by the Blackbaud Ransomware Attack

The HIPAA Breach Notification Rule allows a maximum of 60 days from the discovery of a data breach to issue notifications. Since notifications were issued to affected clients on July 16, 2020, there may still be some healthcare providers affected by the breach that have yet to report.

The list below is not comprehensive but includes entities that are known to have been affected by the breach, together with the number of individuals potentially affected, where known.

| Breached Entity | Individuals Affected |
|---|---|
| Inova Health System | 1,045,270 |
| Northern Light Health | 657,392 |
| Saint Luke’s Foundation | 360,212 |
| MultiCare Health System | 179,189 |
| University of Kentucky HealthCare | 163,000 |
| University of Florida Health | 135,959 |
| The Guthrie Clinic | 92,064 |
| Main Line Health | 60,595 |
| Aveanna Healthcare | 166,000 |
| Northwestern Memorial HealthCare | 55,593 |
| Spectrum Health | 52,711 |
| Richard J. Caron Foundation | 22,718 |
| SCL Health | Unconfirmed |
| University of Detroit Mercy | Unconfirmed |
| Children’s Hospital of Pittsburgh Foundation | Unconfirmed |
| Atrium Health | Unconfirmed |
| NorthShore University Health System | Unconfirmed |
| Cancer Research Institute (NYC) | Unconfirmed |
| Prostate Cancer Foundation | Unconfirmed |
| Total | 2,990,703 |


Hennepin County Medical Center Faces Possible Legal Action Over Snooping on George Floyd’s Medical Records

Hennepin County Medical Center in Minneapolis is potentially facing legal action over snooping on George Floyd’s medical records by multiple employees. Attorney Antonio Romanucci of Chicago-based law firm Romanucci & Blandin said he was informed that several employees of Hennepin County Medical Center had accessed George Floyd’s medical records on multiple occasions when there was no legitimate reason for doing so, in clear violation of hospital policies and the Health Insurance Portability and Accountability Act (HIPAA).

Attorneys representing Hennepin County Medical Center notified the family of George Floyd that certain records relating to George Floyd had been inappropriately accessed by certain employees. Details about the types of records viewed by the employees, the individuals involved, and their positions at Hennepin County Medical Center were not disclosed.

Antonio Romanucci and the family’s legal team issued a statement to the Star Tribune saying they are currently “exploring all remedies” to “make this right and make the family whole for this incredible intrusion of privacy…  The security of medical records and personal information is of critical importance in Minnesota and across the country.”

George Floyd’s family have yet to decide whether to take legal action against the medical center. At this stage, no subpoenas have been issued to obtain further information from Hennepin County Medical Center about the number of individuals involved and the types of information they accessed.

Hennepin Healthcare was contacted for further information about the privacy breach and said, “Any breach of patient confidentiality is taken seriously and thoroughly investigated,” but also said they could not comment on the privacy breach due to patient confidentiality. Hennepin Healthcare did confirm that the individuals who accessed George Floyd’s protected health information are no longer employed by Hennepin County Medical Center. It is unclear if those individuals were terminated or if they voluntarily resigned from their positions.


Up to 308,000 Patients Potentially Affected by Baton Rouge Clinic Ransomware Attack

The Baton Rouge Clinic in Louisiana experienced a cyberattack in early July that took its email and phone system out of action and limited its lab and radiology services. The cyberattack, which involved ransomware, took certain systems out of action for several weeks. It is now two months after the attack and the external email system is still not working.

The clinic’s medical record system was not breached, so the data potentially viewed and/or obtained were limited. The attack was performed by an overseas adversary, according to a statement issued by the clinic. It is unclear whether the ransom was paid. The clinic said, “We followed the recommendations our cybersecurity firm made to us in consultation with the FBI.”

The investigation into the breach confirmed that the attackers potentially accessed the protected health information of 85 patients, all of whom have now been notified. The types of information involved were EMR data downloaded in order to send claims to insurance companies.

Separate breach notification letters were also sent to 308,000 patients. Those individuals are not believed to be at risk but have been advised to be vigilant and to look out for suspicious emails.

NorthShore University Health System, UK HealthCare, & Main Line Health Victims of Blackbaud Ransomware Attack

NorthShore University Health System, University of Kentucky (UK) HealthCare, and Main Line Health have recently announced that they have been affected by the ransomware attack on their business associate, Blackbaud.

The attacker gained access to Blackbaud’s systems between February 7 and May 20, 2020 and backups of databases were stolen by the attackers prior to the deployment of ransomware. Blackbaud paid the ransom and obtained the keys to decrypt files and received assurances that all information stolen in the attack has been securely and permanently deleted.

NorthShore University Health System, based in Evanston, IL, confirmed the data of 348,000 patients were compromised in the attack. The compromised data were limited to names, dates of birth, and limited clinical information. The risk to affected individuals is believed to be low.

UK HealthCare said the data of approximately 163,000 donors who had previously been patients were compromised in the attack. The breached information was limited to names, addresses, dates of birth, medical record numbers, admission dates, area of service and attending doctors.

The attack also involved the donor database of Main Line Health. The database contained patient donors’ or prospective donors’ names, ages, genders, dates of birth, medical record numbers, date(s) of treatment, department(s) of service and treating physicians. 60,595 individuals are known to have been affected.
