HIPAA Breach News

HIPAA Business Associate Data Breach Impacts 21,856 Individuals

The importance of reviewing system activity logs has been underscored by recent HIPAA business associate data breach.

Nebraska-based CBS Consolidated Inc., doing business as Cornerstone Business & Management Solutions, conducted a routine review of system logs on July 10, 2017 and discovered an unfamiliar account on the server. Closer examination of that account revealed it was being used to download sensitive data from the server, including the protected health information of patients that used its medical supplies.

21,856 patients who received durable medical supplies from the company through their Medicare coverage have potentially been affected. The types of data obtained by the hacker included names, addresses, dates of birth, insurance details, and Social Security numbers. While personal information was exposed, the hacker was not able to obtain details of any medical conditions suffered by patients, nor details of any items purchased or financial information.

It is currently unclear how the account was created, although an investigation into the incident is ongoing. CBS says following the discovery of unauthorized access, the server was isolated and access to data was blocked. Since the incident was discovered, CBS has been carefully monitoring its systems and has uncovered no further evidence of unauthorized access or data theft.

Due to the sensitive nature of data stolen by the hacker, all individuals impacted by the breach have been offered 12 months of credit monitoring and identity theft protection services without charge. CBS is also reviewing its security protections and will be introducing new administrative safeguards, providing additional training to staff members on security, as well as improving technical safeguards to prevent future incidents from occurring.

This is the second worst data breach reported by a HIPAA business associate so far in 2017, behind the 56,000-record breach reported by Enterprise Services LLC in June.

The post HIPAA Business Associate Data Breach Impacts 21,856 Individuals appeared first on HIPAA Journal.

Fall in Healthcare Data Breaches in August: Rise in Breach Severity

Healthcare data breaches have fallen for the second month in a row, according to the latest installment of the Breach Barometer report from Protenus/Databreaches.net. In August, there were 33 reported healthcare data breaches, down from 36 incidents in July and 56 in June. While the reduction in data breaches is encouraging, that is still more than one healthcare data breach per day.

August may have been the second best month of the year to date in terms of the number of reported incidents, but it was the third worst in terms of the number of individuals impacted. 575,142 individuals were impacted by healthcare data breaches in July, with the figure rising to 673,934 individuals in August. That figure will rise further still, since two incidents were not included in that total since it is not yet known how many individuals have been affected.

The worst incident of the month was reported by Pacific Alliance Medical Center – A ransomware attack that impacted 266,133 patients – one of the worst ransomware incidents of the year to date.

Throughout the year, insider incidents have dominated the breach reports, although in July hacking was the biggest cause of PHI breaches. That trend has continued in August with hackers responsible for 54.5% of all reported data breaches. Those incidents accounted for 95% of all breached patient records in the month. The hacking totals also include phishing and ransomware incidents. There were at least five reported data breaches in August that involved ransomware.

In August, insiders were responsible for 9 incidents – 27.3% of the total – seven of which were insider errors, with two incidents due to insider wrongdoing. 15.2% of breaches were the result of the loss or theft of unencrypted devices containing PHI.

While breaches of electronic protected health information dominated the breach reports, there were six incidents reported that involved physical records, including two mailings in which PHI was visible through the clear plastic windows of the envelopes.

Protenus notes that while healthcare organizations appear to be getting better at discovering data breaches more quickly, the figures for the past two months may be misleading. Alongside the decrease in time taken to identify breaches there has been an increase in hacking incidents, which tend to be discovered faster than insider breaches.

Protenus explains, “For the month of August, time to discover a hacking incident took an average of 26 days (median = 22.5 days), while insider incidents took an average of 209.8 days (median = 115 days),” demonstrating the difficulty healthcare organizations have in detecting insider breaches.

Organizations are reporting breaches to HHS and notifying patients within 60 days of the discovery of a breach on the whole, with only three organizations exceeding the deadline. One of those entities took 177 days from the discovery of the breach to report the incident to HHS. The average time was 53 days and the median time was 58 days.

The breach reports followed a similar pattern to most months, with healthcare providers experiencing the majority of breaches (72%), followed by health plans (18.2%). Business associates reported 3% of breaches and 6% were reported by other entities, including a pharmacy and a private school. Texas was the worst affected state in August with five breaches, followed by California with four, and Ohio and New York with three apiece.

The post Fall in Healthcare Data Breaches in August: Rise in Breach Severity appeared first on HIPAA Journal.

The Compliancy Group Helps Imperial Valley Family Care Medical Group Pass HIPAA Audit

The Department of Health and Human Services’ Office for Civil Rights commenced the second round of HIPAA compliance audits late last year. The audit program consists of desk-based audits of HIPAA-covered entities and business associates, followed by a round of in-depth audits involving site visits. The desk audits have been completed, with the site audits put on hold and expected to commence in early 2018.

Only a small number of covered entities have been selected to be audited as part of the second phase of compliance audits; however, covered entities that have escaped an audit may still be required to demonstrate they are in compliance with HIPAA Rules.

In addition to the audit program, any HIPAA-covered entities that experiences a breach of more than 500 records will be investigated by OCR to determine whether the breach was the result of violations of HIPAA Rules. OCR also investigates complaints submitted through the HHS website.

The first round of HIPAA compliance audits in 2011/2012 did not result in any financial penalties being issued, but that may not be the case for the second round of audits. Also, the past two years as seen an increase in financial penalties for noncompliance with HIPAA Rules that was discovered during investigations of complaints and data breaches.

There is now an elevated risk of an audit or investigation and OCR is issuing more fines for noncompliance. Consequently, covered entities cannot afford to take chances. Many healthcare organizations are turning to HIPAA compliance software and are seeking assistance from compliance experts to ensure their compliance programs are comprehensive and financial penalties are avoided.

Imperial Valley Family Care Medical Group Calls in HIPAA Compliance Experts

Imperial Valley Family Care Medical Group is a multi-specialty physician’s group with 16 facilities spread throughout California. IVFCMG was not selected for a desk audit, although following the theft of a laptop computer, OCR investigated the breach. IVFCMG was required to demonstrate compliance with HIPAA Rules and provide documentation to show the breach was not caused by the failure to follow HIPAA Rules.

Covered entities may fear a comprehensive HIPAA audit, but investigations into data breaches are also comprehensive. OCR often requires considerable documentation to be provided to assess compliance following any breach of protected health information. In the case of IVFCMG, OCR’s investigation was comprehensive.

Responding to OCR’s comprehensive questions in a timely manner was essential. IVFCMG, like many covered entities that are investigated or selected for an audit must be careful how they respond and all questions must be answered promptly and backed up with appropriate documentation.

As we have already seen this year, if HIPAA Rules are not followed to the letter after a data breach is experienced, fines can follow. Presense Health was fined $475,000 by OCR for potential violations of the HIPAA Breach Notification Rule following a breach of PHI.

Following the breach, IVFCMG turned to a third-party firm for assistance and contacted the Compliancy Group. By using the firm’s Breach Response Program, IVFCMG was able to ensure all of the required actions were completed, in the right time frame, and all of those processes were accurately documented.

The Breach Response Program is part of the Compliancy Group’s “The Guard” HIPAA compliance software platform. Compliancy Group simplifies HIPAA compliance, allowing healthcare professionals to confidently run their practice while meeting all the requirements of the HIPAA Privacy, Security and Breach Notification Rules. The Guard uses the “Achieve, Illustrate, and Maintain” methodology to ensure continued compliance, with covered entities guided by HIPAA compliance experts all the way.

IVFCMG’s Chief Strategic Officer, Don Caudill, said “Their experts provided us with a full report and documentation proving that our HIPAA compliance program satisfied the law – which ultimately helped us avoid hundreds of thousands of dollars in fines.” When OCR responded to the initial breach report asking questions about another aspect of HIPAA Rules, IVFCMG was able to respond in a timely fashion and provide the evidence to prove it was in compliance.

HIPAA compliance software helps covered entities pass a HIPAA audit, respond appropriately when OCR investigates data breaches and complaints, and avoid fines for non-compliance. OCR has increased its enforcement activity over the past two years and healthcare data breaches are on the rise. Non-compliance with HIPAA Rules is therefore much more likely to be discovered and result in financial penalties.

Small to medium sized HIPAA-covered entities with limited resources to dedicate to HIPAA compliance can benefit the most from using HIPAA compliance software and receiving external assistance from HIPAA compliance experts.

“Responding to a HIPAA audit requires sensitivity and expertise,” Bob Grant, Chief Compliance Officer of Compliancy Group, told HIPAA Journal. “As a former auditor, I’ve developed The Guard and our Audit Response Program to satisfy the full extent of the HIPAA regulatory requirements. Giving federal auditors everything they need to assess the compliance of your organization is our number one goal. Our Audit Response Program is the only program in the industry to give health care professionals the power to illustrate their compliance so they can get back to running their business in the aftermath of a HIPAA audit.”

The post The Compliancy Group Helps Imperial Valley Family Care Medical Group Pass HIPAA Audit appeared first on HIPAA Journal.

1,081 St. Louis Patients Alerted About Improper PHI Disclosure

1,081 patients of the MS Center of Saint Louis and Mercy Clinic Neurology Town and Country are being informed that they may be contacted for marketing and research purposes by pharmaceutical companies and other third-parties, even though they may not have given their permission to be contacted.

HIPAA Rules do not permit patients to be contacted for marketing or research purposes unless consent to do so has first been obtained. However, an error has resulted in patients’ information being disclosed to third parties in error and patients may be contacted by telephone, mail or email as a result.

The MS Center and Mercy Clinic Neurology Town and Country report that medication onboarding forms were accidentally provided to pharmaceutical companies, even though the forms had not been signed by patients. The error also means patients’ protected health information has been impermissibly disclosed.

Protected health information detailed on the forms includes names, email addresses, telephone numbers, home addresses, health insurance information, and in some cases, treatment and prescription information and Social Security numbers.

Due to the sensitive nature of the information disclosed, there is a possibility that the information could be used inappropriately, although MS Center and Mercy Clinic Neurology Town and Country believe the information has not been used for any other purpose other than marketing and research. However, out of an abundance of caution, all affected individuals have been given the opportunity to register for 12 months of credit monitoring and identity theft protection services without charge.

Upon discovery of the error, an internal investigation was launched and staff potentially involved were interviewed about the incident. Policies and procedures have now been changed to prevent similar incidents from occurring in the future.

The post 1,081 St. Louis Patients Alerted About Improper PHI Disclosure appeared first on HIPAA Journal.

Florida Healthy Kids Corporation Announces 2,000 Patients’ Impacted by Phishing Scam

Reports of phishing attacks on healthcare organizations are arriving thick and fast. The latest HIPAA-covered entity to announce it has fallen victim to a phishing scam is Florida Healthy Kids Corporation, an administrator of the Florida KidCare program.

On July 25, 2017, phishing emails started to arrive in the inboxes of members of staff, some of whom responded and inadvertently gave the attackers access to the sensitive information of members of the KidCare program. The phishing attack was identified the following day and access to the compromised email accounts was immediately blocked. While the incident was mitigated promptly, the attackers had access to email accounts and data contained in those accounts for approximately 24 hours.

During that time, it is possible that the emails were accessed and sensitive information copied, although no reports of abuse of that information have been received and it is not clear whether any information was actually stolen.

An analysis of the compromised email accounts revealed the personal information of 2,000 individuals was potentially accessed. On September 7, 2017, 1,700 individuals were notified by mail that their information had potentially been compromised. The remaining 300 could not be contacted as no valid contact information was held. A substitute breach notice has been uploaded to the healthykids.org website, and a notice added to all online accounts to alert affected individuals when they next login to their accounts.

The types of information exposed includes names, addresses, phone numbers, family account numbers, and Social Security numbers. Since passwords were not exposed, Florida KidCare online family accounts could not be accessed by the attackers. Individuals impacted by the breach have been offered credit monitoring services for 12 months without charge through LifeLock.

Florida Healthy Kids Corporation said policies and procedures will be updated to prevent similar breaches from occurring in the future.

The post Florida Healthy Kids Corporation Announces 2,000 Patients’ Impacted by Phishing Scam appeared first on HIPAA Journal.

Augusta University Medical Center Phishing Attack Took Three Months to Discover

An Augusta University Medical Center phishing attack has resulted in an unauthorized individual gaining access to the email accounts of two employees.

It is unclear when the phishing attack was discovered, although an investigation into the breach was concluded on July 18, 2017. That investigation confirmed access to the employees’ email accounts was gained between April 20-21, 2017.

Upon discovery of the breach, access to the email accounts was disabled and passwords were reset. The investigation did not confirm whether any of the information in the accounts had been accessed or copied by the attackers.

Patients impacted by the breach have now been notified – five months after the breach occurred. Patients have been informed that the compromised email accounts contained sensitive information such as names, addresses, dates of birth, driver’s license numbers, financial account information, prescription details, diagnoses, treatment information, medical record numbers and Social Security numbers. The amount of information exposed varied for each patient.

It is currently unclear how many patients have been impacted, although a spokesperson for AU Medical Center said the breach impacted fewer than 1% of its patients. Credit monitoring and identity theft protection services are being offered to all patients whose Social Security number was compromised.

This is not the first time that employees at Augusta University have fallen for phishing scams. A similar breach occurred between September 7-9, 2016, resulting in similar data being exposed. In that case, “a small number” of employees responded to phishing emails and divulged their email logins.

While that breach was identified promptly – News Channel 6 reported that all AU employees were required to reset their passwords due to a significant risk following the phishing attack – the Augusta Chronicle reported in May that the investigation into the breach was only completed on March 29, 2017 – more than six months after the attack took place. Individuals impacted by the breach were notified within 60 days of the breach investigation being completed. The breach was reported to the HHS’ Office for Civil Rights on May 26,2017.

The Health Insurance Portability and Accountability Act’s Breach Notification Rule allows HIPAA-covered entities up to 60 days following the discovery of a breach to issue breach notification letters to patients and to alert OCR of the breach.

It should be noted that while HIPAA allows up to 60-days to report data breaches, covered entities must report incidents ‘without unreasonable delay’.  Failure to report incidents promptly can easily result in a HIPAA penalty, as Presense Health discovered earlier this year. In that case, breach notifications were issued three months after the breach was discovered, resulting in a settlement of $475,000.

This latest breach was announced five months after the email accounts were compromised, with the investigation concluding three months after the initial breach. The earlier phishing attack appeared to take 6 months to investigate and report, with notifications sent to patients eight months after the breach.

Why the investigations took so long to conduct and why reporting the incidents was delayed is something of a mystery. According to OCR’s breach reporting portal, the September phishing attack is still under investigation. The latest incident has yet to appear on the OCR breach portal.

The post Augusta University Medical Center Phishing Attack Took Three Months to Discover appeared first on HIPAA Journal.

Phishing Attack Results in the Exposure of PHI at Morehead Memorial Hospital

Morehead Memorial Hospital in Eden, NC has announced two employees have fallen victim to a phishing attack that resulted in an unauthorized individual gaining access to their email accounts. Those accounts contained the protected health information of patients and sensitive information on employees.

Upon discovery of the breach, access to the email accounts was blocked and the hospital performed a network-wide password reset. Leading computer forensics experts were hired to assist with the investigation and determine the extent of the breach. The investigation confirmed that access to the accounts was possible and sensitive patient and employee information could have been accessed.

While no reports have been received to suggest any information in the accounts has been misused, the possibility of data access and data theft could not be ruled out. The types of information exposed includes names, health insurance payment summaries, health insurance information, treatment overviews, and a limited number of Social Security numbers.

Phishing attacks such as this are common. Emails are sent to healthcare employees that appear to be legitimate communications. The emails typically include hyperlinks that, when clicked, require login details to email accounts to be entered. Entering in that information provides the credentials to the attackers, who then use the information to remotely login to email accounts.

Preventing phishing attacks requires a combination of spam filtering technology to prevent phishing emails from reaching inboxes and education to teach employees about the risk from phishing and how to identify phishing attacks.

In response to the breach, Morehead Memorial Hospital is providing staff members with additional training to help them identify fraudulent communications. An internal webpage has also been created to communicate further information about phishing and email attacks to keep staff better informed.

The incident has been reported to the FBI, Department of Homeland Security and Office for Civil Rights. Patients were notified of the breach by mail on Friday last week and all have been offered identity theft monitoring services for 12 months without charge.

Morehead Memorial Hospital has not disclosed how many patients and employees have been impacted by the breach.

The post Phishing Attack Results in the Exposure of PHI at Morehead Memorial Hospital appeared first on HIPAA Journal.

Hospital Employee Fired Over 26,000-Record Arkansas DHS Privacy Breach

A former employee of the Arkansas Department of Human Services (DHS) has been fired from her new position at the state hospital for emailing spreadsheets containing the protected health information of patients to a personal email account.

Yolanda Farrar worked as a payment integrity coding analyst for the DHS, but was fired on March 24, 2017. According to a statement issued by DHS spokesperson Amy Webb, Farrar was fired for “violations of DHS policy on professionalism, teamwork and diligent and professional performance.”

The day previously, Farrar had spoken with her supervisor about issues relating to her performance and learned that she was about to be terminated. Within minutes of that conversation, Farrar emailed spreadsheets from her work email account to a personal email address.

Farrar decided to take legal action against DHS for unfair dismissal. Attorneys working for DHS were preparing to represent the agency in court and were checking emails sent by Farrar through her work email account. They discovered the emails and spreadsheets on August 7. The DHS privacy officer was immediately notified of the discovery and an internal investigation into the incident was launched.

The spreadsheets were found to contain a range of sensitive information of patients including names, birth dates, linked Medicaid identification numbers, diagnoses, codes for medical procedures, and some Social Security numbers. Each record in the spreadsheet was manually checked and after duplicates were removed, DHS determined that the protected health information of 26,044 patients had been emailed to the personal account.

By emailing the spreadsheets, Farrar breached DHS policies, state and federal laws. Farrar had since been employed at the state hospital; however, the discovery of the emails resulted in her being fired from that position. The investigation into the privacy breach is ongoing and the DHS intends to pursue criminal charges against Farrar.

The DHS already requires employees to undergo privacy training. All employees are required to pass a test on that training before they are allowed Internet access and are made aware that emailing confidential information outside the agency is prohibited.  A review of policies and procedures is being conducted to determine whether any further actions can be taken to reduce the potential for similar incidents from occurring in the future.

DHS has confirmed that all individuals impacted by the incident will be notified of the privacy breach by mail this week.

The post Hospital Employee Fired Over 26,000-Record Arkansas DHS Privacy Breach appeared first on HIPAA Journal.

Hospital Staff Discovered to Have Taken and Shared Photographs of Patient’s Genital Injury

An investigation has been conducted into a privacy violation at the University of Pittsburgh Medical Center’s Bedford Memorial hospital, in which photographs and videos of a patient’s genitals were taken by hospital staff and in some cases, were shared with other individuals including non-hospital staff. The patient was admitted to the hospital in late December 2017, with photos/videos shared over the following few weeks.

The patient was admitted to the hospital on December 23, 2017 with a genital injury – a foreign object had been inserted into the patient’s penis and was protruding from the end. The bizarre injury attracted a lot of attention and several staff members not involved with the treatment of the patient were called into the operating room to view the injury. Multiple staff members took photographs and videos of the patient’s genitals while the patient was sedated and unconscious.

The privacy breach was reported by one hospital employee who alleged images/videos were being shared with other staff members not involved in the treatment of the patient. The complaint was investigated by the Pennsylvania Department of Health and Human Services on May 23, 2017.

While HIPAA violations appear to have occurred, the investigation only confirmed violations of the Social Security Act had occurred. According to the published report of the investigation, multiple areas of non-compliance with the Social Security Act – 42 CFR, Title 42, Part 482-Conditions of Participation for Hospitals were discovered: 482.13 – Patient rights; 482.22(c) Medical Staff Bylaws; 482.42 Infection Control; and 482.51 Surgical Services.

According to a statement obtained from a member of staff who was interviewed, a request was made for photographs to be taken of the patient’s injury for use in future medical lectures. That individual said, “We have a camera in the OR for that purpose, but it was reportedly broken and so personal phones were used. Initially, we thought there was only one picture taken but later we learned of others. We also had the camera checked out, it is working, it is just too complicated to use.”

One physician said, “At one point when I looked up, there were so many people it looked like a cheerleader type pyramid.”

The story was originally reported on Pennlive, which received an emailed statement from UPMC saying, “The behavior reported in this case is abhorrent and violates the mission of UPMC Bedford and the overall values of UPMC. Upon discovery, UPMC quickly self-reported the incident to the Pennsylvania Department of Health and took appropriate disciplinary action with the individuals involved.”

Those actions included suspensions and firings of staff who were discovered to have violated the patient’s privacy. The patient, who was not identified, has also been informed of the privacy breach.

The post Hospital Staff Discovered to Have Taken and Shared Photographs of Patient’s Genital Injury appeared first on HIPAA Journal.