HIPAA Breach News

Overlake Hospital Medical Center Proposes Settlement to Resolve Data Breach Case

Overlake Hospital Medical Center in Bellevue, WA has proposed a settlement to resolve a class action lawsuit filed by victims of a December 2019 data breach that exposed patients’ demographic information, health insurance information, and health data.

The breach in question was a phishing attack that was discovered on December 9, 2019. The investigation revealed unauthorized individuals gained access to the email accounts of several employees, with one of the email accounts compromised between December 6, 2019 and December 9, 2019, and the others compromised for several hours on December 9.

The investigation found no evidence of data theft or misuse of patient data, but unauthorized access to protected health information (PHI) and the exfiltration of data could not be ruled out. The compromised email accounts contained the PHI of up to 109,000 patients.

Affected individuals were notified starting on February 4, 2020, and Overlake Hospital Medical Center took several steps to improve security, including implementing multi-factor authentication, changing email retention policies, and providing further training to employees. Overlake Hospital Medical Center has spent $148,590 on improvements to bolster security since the breach and has committed to further enhancements totaling $168,000 per year for the next 3 years.

The lawsuit – Richardson v. Overlake Hospital Medical Center – was filed in the Superior Court of King County in Washington and alleged Overlake Hospital was negligent for failing to prevent unauthorized individuals from gaining access to its systems. The lawsuit also alleged intrusion upon seclusion/invasion of privacy, breach of fiduciary duty, breach of confidence, breach of express contract, and breach of implied contract. While 109,000 individuals were notified about the breach, only 24,000 individuals are included in the class, as the other patients did not have their PHI exposed.

The lawsuit alleged the hospital failed to implement reasonable safeguards to ensure the privacy of HIPAA-covered data and failed to provide adequate notice about the data breach. Overlake Hospital Medical Center has denied all claims made in the lawsuit and all charges of wrongdoing. The decision was made to settle the lawsuit with no admission of liability.

Under the terms of the settlement, two types of claims can be submitted. Class members are entitled to claim up to $250 for certain out-of-pocket expenses incurred as a result of the breach, including bank fees, phone calls, postage costs, fuel for local travel, and up to three hours of documented time at $20 per hour, provided at least one full hour was spent on mitigations. It is also possible to recover the cost of credit report fees, and credit monitoring and identity theft protection services taken out between February 4, 2020 and the date of the Court’s preliminary approval of the settlement.

Claims for extraordinary expense reimbursement may be submitted for up to $2,500. These claims must include evidence of losses that were more likely than not suffered as a result of the breach between December 1, 2019 and the end of the claim period.

A fairness hearing has been scheduled for Sept. 10, 2021.

The post Overlake Hospital Medical Center Proposes Settlement to Resolve Data Breach Case appeared first on HIPAA Journal.

Paperwork Containing PHI of Oklahoma Heart Hospital Patients Accidentally Donated to Charity

Oklahoma Heart Hospital has started notifying certain patients about a privacy incident in which paperwork containing limited patient information was accidentally donated to charity.

A former employee had made handwritten notes which contained the protected health information of a limited number of patients during the course of that individual’s employment at Oklahoma Heart Hospital between 2011 and 2014.

Some of the former employee’s personal possessions were donated to charity in May 2021, with the handwritten notes accidentally included in the donated items. Oklahoma Heart Hospital was contacted by the individual who found the notes and arrangements were immediately made to collect the paperwork. The documents were then cataloged to identify the patients involved and the types of information that had been exposed.

The notes included information such as patients’ names, medical record numbers, OHH visit numbers, dates of birth, ages, admit dates, genders, and clinical information consisting of diagnosis, lab results, medications and/or treatment information. No information was exposed that would have provided unauthorized individuals with access to patient record systems.

While the protected health information of some patients was viewed by an individual not authorized to view the information, Oklahoma Heart Hospital has not uncovered any evidence to suggest any patient data has been further disclosed or misused; however, out of an abundance of caution, all affected individuals have been notified by mail and advised to monitor their account and explanation of benefits statements for signs of fraudulent activity.

The privacy breach has been reported to the Department of Health and Human Services’ Office for Civil Rights as affecting 1,038 patients.


UNC Health and Nebraska DHHS Report Phishing Attacks

The Nebraska Department of Health and Human Services has announced a security incident involving the protected health information of clients of Aging Partners, a department of the City of Lincoln.

The breach was discovered by the Lincoln Information Services Department on May 25, 2021. Employees had responded to phishing emails and disclosed the credentials to their email accounts, which contained more than 46,000 emails. With the assistance of a computer forensics company, it was determined that the email account was accessed by an unauthorized individual between May 18 and May 21.

A review of the emails in the account confirmed some contained patient information such as names, addresses, dates of birth, phone numbers, Social Security numbers, dates of service, type/amount of service, and some health information such as diagnoses, care assessments, and medication lists. Emails also contained bank account numbers or other financial information of a limited number of individuals. 6,600 of the emails included the PHI of Aging Partners’ clients, although only 1,513 individuals have been affected. For the majority of affected individuals, only names were included in the email accounts.

All affected individuals are now being notified and credit monitoring and identity theft protection services are being offered to individuals whose financial information was present in the compromised email accounts.

UNC Health Reports Phishing Attack

UNC Health has announced that an email account containing the protected health information of patients of University of North Carolina at Chapel Hill School of Medicine (SOM) and the University of North Carolina Hospitals (UNC Hospitals) has been accessed by an unauthorized individual.

On May 20, 2021, UNC Health discovered the email account of a SOM faculty member had been compromised. That individual provided clinical services at UNC Hospitals. The email account was immediately secured, and an investigation was launched to determine the extent of the breach. Assisted by a third-party cybersecurity firm, UNC Health determined that the email account breach was isolated to April 20, 2021 and no other email accounts or systems were involved.

A review of the account revealed the following types of information could potentially have been compromised: Patients’ names, dates of birth, diagnosis and treatment information, and/or information about a research study patients may have been involved in or have been eligible for at UNC Hospitals/SOM. The email account contained the health insurance information of fewer than 30 patients and the Social Security numbers of fewer than 10 patients. There have been no reported cases of misuse of patient data.

Additional email security measures are being implemented and employees are being provided with further training to help them identify phishing emails.


Former Scripps Health Worker Charged Over HIPAA Violation in COVID-19 Unemployment Benefit Fraud Case

The Department of Justice has announced nine San Diego residents have been charged in two separate indictments in connection with the theft of patients’ protected information and the submission of fraudulent pandemic unemployment insurance claims.

Under the Coronavirus Aid, Relief, and Economic Security (CARES) Act of 2020, new unemployment benefits were offered to individuals affected by the COVID-19 pandemic, who would not, under normal circumstances, qualify for payments.

In one of the cases, Matthew Lombardo, a former Scripps Health employee, was charged with felony HIPAA violations for obtaining and disclosing the protected health information of patients to his alleged co-conspirators. Lombardo was also charged with conspiracy to commit wire fraud, along with three alleged co-conspirators – Konrad Piekos, Ryan Genetti, and Dobrila Milosavljevic. Piekos, Genetti, and Milosavljevic were also charged with aggravated identity theft and are alleged to have used the stolen information to submit fraudulent pandemic unemployment insurance claims.

The San Diego Sheriff’s Department had initiated a traffic stop on Konrad Piekos for driving without a license plate. When police officers approached the vehicle, they saw an assault rifle in plain sight. Piekos admitted possessing an unregistered assault rifle, and the subsequent vehicle search revealed several loaded firearms and ammunition. A warrant was obtained to search Piekos’ properties, and police officers found several other firearms and ammunition, quantities of heroin and fentanyl, and mobile phones. After obtaining warrants to search the phones, detectives identified text messages between Piekos, Genetti, and Lombardo discussing the illicit distribution of narcotics, firearms, and a scheme to obtain unemployment benefits using other persons’ personal identifying information (PII).

Piekos and Genetti had conspired together to fraudulently obtain Pandemic Unemployment Assistance (PUA) benefits in July 2020, with Lombardo joining the scheme in August 2020. Lombardo is alleged to have used his position as a patient financial service representative to access patients’ PII, which he then distributed to Piekos, Genetti, and Milosavljevic starting on August 15, 2020, according to the indictment. Scripps Health terminated Lombardo on April 14, 2021.

In a separate case, Genetti and three other defendants – Lindsay Renee Henning, Garrett Carl Tuggle, and Salvatore Compilati – were charged with conspiracy to commit wire fraud. Henning and Tuggle were also charged with aggravated identity theft, and Henning, Tuggle, and a fourth defendant, Juan Landon, were charged with possession of methamphetamine, cocaine, and heroin with intent to distribute. The defendants had submitted more than 108 separate claims for PUA benefits, totaling $1,615,000.

Lombardo faces a maximum of 10 years in prison for the HIPAA violation, along with a fine and penalty assessment. The conspiracy to commit wire fraud charges carry a maximum of 20 years in prison with a fine and penalty assessment, and the aggravated identity theft charges carry a mandatory minimum 2-year prison term that must run consecutively to any other sentence.

“Pandemic unemployment insurance programs are a critical part of our safety net designed to support hardworking citizens who are suffering during an unprecedented economic downturn,” said Acting U.S. Attorney Randy Grossman. “Our office and our law enforcement partners will investigate and prosecute individuals who attempt to steal from these programs designed to assist deserving recipients.”


June 2021 Healthcare Data Breach Report

For the third consecutive month, the number of reported healthcare data breaches of 500 or more records increased. June saw an 11% increase in reported breaches from the previous month with 70 data breaches of 500 or more records reported to the HHS’ Office for Civil Rights – the highest monthly total since September 2020 and well above the average of 56 breaches per month over the past year.

Chart: United States healthcare data breaches in the past 12 months

While the number of reported breaches increased, there was a substantial fall in the number of breached healthcare records, which decreased 80.24% from the previous month to 1,290,991 breached records. That equates to more than 43,000 breached records a day in June.

Chart: Records exposed in U.S. healthcare data breaches in the past 12 months

More than 40 million healthcare records have been exposed or impermissibly disclosed over the past 12 months across 674 reported breaches. Between July 2020 and June 2021, an average of 3,343,448 healthcare records were breached each month.

Largest Healthcare Data Breaches in June 2021

There were 19 healthcare data breaches of 10,000 or more records reported in June. Ransomware continues to pose problems for healthcare organizations, with 6 of the top 10 breaches confirmed as ransomware attacks. Several healthcare organizations reported ransomware attacks in June that occurred at third-party vendors, with the number of healthcare providers confirmed as being affected by the ransomware attacks on vendors Elekta, Netgain Technologies, and CaptureRx continuing to grow.

The largest healthcare data breach to be reported in June was a phishing attack on the medical payment billing service provider MultiPlan. A threat actor gained access to an email account containing the protected health information of 214,956 individuals.

Northwestern Memorial HealthCare and Renown Health were affected by the ransomware attack on the Swedish radiation therapy and radiosurgery solution provider Elekta Inc. That attack is known to have affected a total of 42 healthcare providers in the United States.

Name of Covered Entity | Covered Entity Type | Individuals Affected | Breach Cause | Business Associate Involvement
MultiPlan | Business Associate | 214,956 | Phishing attack | Yes
Northwestern Memorial HealthCare | Healthcare Provider | 201,197 | Elekta ransomware attack | Yes
Scripps Health | Healthcare Provider | 147,267 | Ransomware attack | No
San Juan Regional Medical Center | Healthcare Provider | 68,792 | Unspecified hacking and data exfiltration incident | No
Renown Health | Healthcare Provider | 65,181 | Elekta ransomware attack | Yes
Minnesota Community Care | Healthcare Provider | 64,855 | Netgain ransomware attack | Yes
Francisco J. Pabalan MD, INC | Healthcare Provider | 50,000 | Hacking/IT Incident (Unknown) | No
Prominence Health Plan | Health Plan | 45,000 | Ransomware attack | No
NYC Health + Hospitals | Healthcare Provider | 43,727 | CaptureRx ransomware attack | Yes
UofL Health, Inc. | Healthcare Provider | 42,465 | Misdirected email | No
Peoples Community Health Clinic | Healthcare Provider | 40,084 | Phishing attack | No
Reproductive Biology Associates, LLC and its affiliate My Egg Bank, LLC | Healthcare Provider | 38,000 | Ransomware attack | No
Hawaii Independent Physicians Association | Business Associate | 18,770 | Phishing attack | Yes
UW Medicine | Healthcare Provider | 18,389 | Hacking/IT Incident (Unknown) | Yes
Cancer Care Center | Healthcare Provider | 18,000 | Hacking/IT Incident (Unknown) | Yes
Temple University Hospital, Inc. | Healthcare Provider | 16,356 | Hacking/IT Incident (Unknown) | Yes
Walmart Inc. | Healthcare Provider | 14,532 | Loss of paper/films | No
Discovery Practice Management, Inc. | Business Associate | 13,611 | Phishing attack | Yes
Jawonio | Healthcare Provider | 13,313 | Phishing attack | No

Causes of June 2021 Healthcare Data Breaches

Hacking/IT incidents dominated the breach reports in June 2021, with ransomware attacks accounting for a large percentage of those breaches. There were 58 reported hacking/IT incidents, in which the protected health information of 1,190,867 individuals was exposed or compromised – 92.24% of all breached records in June. The mean breach size was 20,532 records and the median breach size was 2,938 records.

Chart: Causes of June 2021 healthcare data breaches

There were 9 unauthorized access/disclosure incidents reported that involved the impermissible disclosure of the PHI of 81,764 individuals. The mean breach size was 9,085 records and the median breach size was 5,509 records.

There was one incident reported involving the loss of paperwork containing the PHI of 14,532 individuals, one portable electronic device theft affecting 1,166 patients, and one incident involving the improper disposal of 2,662 physical records.

42 hacking incidents involved PHI stored on network servers, most of which were data access and exfiltration incidents involving ransomware. There were 19 email security breaches involving PHI stored in email accounts, most of which were phishing incidents.

Chart: Location of breached PHI in June 2021 data breaches
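The breach statistics above (counts per HHS cause category, mean and median breach size, ransomware share of the top 10, business associate involvement) can be recomputed from the table of 10,000+ record breaches. The script below is an added example, not HIPAA Journal’s own tooling: the rows are transcribed from the table on this page, the mapping of free-text causes onto the HHS breach portal categories is this example’s own assumption, and because the table only lists the 19 largest breaches, its hacking/IT figures will differ from the report’s figures for all 58 hacking incidents.

```python
from collections import Counter
from dataclasses import dataclass
from statistics import mean, median


@dataclass(frozen=True)
class Breach:
    entity: str
    entity_type: str
    individuals: int
    cause: str
    business_associate: bool  # "Business Associate Involvement" column


# Rows transcribed from the June 2021 table on this page (19 breaches of 10,000+ records).
BREACHES = [
    Breach("MultiPlan", "Business Associate", 214956, "Phishing attack", True),
    Breach("Northwestern Memorial HealthCare", "Healthcare Provider", 201197, "Elekta ransomware attack", True),
    Breach("Scripps Health", "Healthcare Provider", 147267, "Ransomware attack", False),
    Breach("San Juan Regional Medical Center", "Healthcare Provider", 68792,
           "Unspecified hacking and data exfiltration incident", False),
    Breach("Renown Health", "Healthcare Provider", 65181, "Elekta ransomware attack", True),
    Breach("Minnesota Community Care", "Healthcare Provider", 64855, "Netgain ransomware attack", True),
    Breach("Francisco J. Pabalan MD, INC", "Healthcare Provider", 50000, "Hacking/IT Incident (Unknown)", False),
    Breach("Prominence Health Plan", "Health Plan", 45000, "Ransomware attack", False),
    Breach("NYC Health + Hospitals", "Healthcare Provider", 43727, "CaptureRx ransomware attack", True),
    Breach("UofL Health, Inc.", "Healthcare Provider", 42465, "Misdirected email", False),
    Breach("Peoples Community Health Clinic", "Healthcare Provider", 40084, "Phishing attack", False),
    Breach("Reproductive Biology Associates, LLC", "Healthcare Provider", 38000, "Ransomware attack", False),
    Breach("Hawaii Independent Physicians Association", "Business Associate", 18770, "Phishing attack", True),
    Breach("UW Medicine", "Healthcare Provider", 18389, "Hacking/IT Incident (Unknown)", True),
    Breach("Cancer Care Center", "Healthcare Provider", 18000, "Hacking/IT Incident (Unknown)", True),
    Breach("Temple University Hospital, Inc.", "Healthcare Provider", 16356, "Hacking/IT Incident (Unknown)", True),
    Breach("Walmart Inc.", "Healthcare Provider", 14532, "Loss of paper/films", False),
    Breach("Discovery Practice Management, Inc.", "Business Associate", 13611, "Phishing attack", True),
    Breach("Jawonio", "Healthcare Provider", 13313, "Phishing attack", False),
]


def hhs_category(cause: str) -> str:
    """Map a free-text cause onto the HHS breach portal's reporting categories.

    The keyword rules are this example's assumption; the HHS portal categories
    themselves are the ones the report uses (hacking/IT, unauthorized
    access/disclosure, loss, theft, improper disposal).
    """
    c = cause.lower()
    if "misdirected" in c or "disclosure" in c:
        return "Unauthorized Access/Disclosure"
    if "loss" in c:
        return "Loss"
    if "theft" in c:
        return "Theft"
    if "disposal" in c:
        return "Improper Disposal"
    return "Hacking/IT Incident"


def cause_family(cause: str) -> str:
    """Finer split of hacking incidents into ransomware / phishing / other."""
    c = cause.lower()
    if "ransomware" in c:
        return "ransomware"
    if "phishing" in c:
        return "phishing"
    cat = hhs_category(cause)
    return "other hacking" if cat == "Hacking/IT Incident" else cat


def summarize(breaches):
    """Per-category count, total records, mean and median breach size."""
    sizes = {}
    for b in breaches:
        sizes.setdefault(hhs_category(b.cause), []).append(b.individuals)
    return {
        cat: {"count": len(v), "records": sum(v), "mean": mean(v), "median": median(v)}
        for cat, v in sizes.items()
    }


def ransomware_in_top(breaches, top_n=10) -> int:
    """How many of the N largest breaches were ransomware attacks."""
    largest = sorted(breaches, key=lambda b: b.individuals, reverse=True)[:top_n]
    return sum(1 for b in largest if cause_family(b.cause) == "ransomware")


def business_associate_count(breaches) -> int:
    """Breaches that involved a business associate, whoever filed the report."""
    return sum(1 for b in breaches if b.business_associate)


def family_counts(breaches) -> Counter:
    return Counter(cause_family(b.cause) for b in breaches)


if __name__ == "__main__":
    for cat, s in summarize(BREACHES).items():
        print(f"{cat}: {s['count']} breaches, {s['records']:,} records, "
              f"mean {s['mean']:,.0f}, median {s['median']:,}")
    print("ransomware in top 10:", ransomware_in_top(BREACHES))
    print("business associate involvement:", business_associate_count(BREACHES))
    print(dict(family_counts(BREACHES)))
```

The ransomware count for the top 10 (6) matches the report’s statement; the business-associate count (10 of 19) illustrates the point made under "Covered Entities Reporting Data Breaches" that the filing entity’s type understates vendor involvement.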

Covered Entities Reporting Data Breaches in June

The breach reports show healthcare providers were the worst affected covered entity type with 53 data breaches. 9 breaches were reported by health plans, and 8 by business associates of HIPAA-covered entities. HIPAA-covered entities often report breaches that occurred at third-party vendors, which can mask the extent to which business associates are being targeted by hackers. Adjusted figures taking this into account show the extent to which business associates are suffering data breaches: there were 36 data breaches reported that involved business associates, as shown in the pie chart below.

Chart: June 2021 healthcare data breaches by covered entity type

June 2021 Healthcare Data Breaches by State

There were large healthcare data breaches reported by HIPAA covered entities and business associates based in 32 states. California was the worst affected state with 8 reported breaches, followed by New York with 6.

State | No. Data Breaches
California | 8
New York | 6
Illinois, Pennsylvania, Washington | 4
Georgia, New Jersey, Ohio, Oregon, Texas | 3
Arkansas, Kentucky, Michigan, Mississippi, Nevada, Tennessee, Wisconsin | 2
Alaska, Arizona, Colorado, Connecticut, Florida, Hawaii, Iowa, Maryland, Massachusetts, Minnesota, Montana, New Mexico, Oklahoma, Rhode Island, South Carolina | 1

HIPAA Enforcement Activity in June 2021

The HHS’ Office for Civil Rights announced one HIPAA enforcement action in June under its HIPAA Right of Access enforcement initiative. The Diabetes, Endocrinology & Lipidology Center, Inc. in Martinsburg, West Virginia was ordered to pay a financial penalty of $5,000 to resolve its HIPAA Right of Access case and agreed to adopt a robust corrective action plan to ensure that patients will be provided with timely access to their medical records. There were no confirmed HIPAA enforcement actions by state Attorneys General in June.


Email Account Breaches Reported by MultiPlan and Hawaii Independent Physicians Association

The medical payment billing service provider MultiPlan has announced a breach of its email environment. On January 27, 2021, suspicious activity was identified in the email account of one of its employees. Action was immediately taken to terminate unauthorized access and the employee’s email credentials were changed.

MultiPlan immediately launched an investigation to determine the nature and scope of the breach, with assistance provided by forensics experts. The investigation confirmed that the main purpose of the attack was to divert wire transfers from MultiPlan customers looking to pay invoices. The email account was compromised and used by the attacker to communicate with those customers regarding billing, and to attempt to divert payments to an account under their control.

While protected health information does not appear to have been targeted in the attack, the compromised email account was found to contain the protected health information of 214,956 individuals. That information could have been viewed or obtained by the attacker between December 23, 2020 and January 27, 2021.

The types of information in the account included full names, addresses, email addresses, dates of birth, healthcare provider names, medical record numbers, date/cost of healthcare services, claims identifiers, health insurance ID numbers, member IDs, group IDs, and Social Security numbers.

MultiPlan has notified all affected individuals and will be covering the cost of two years of credit monitoring. Additional protocols and processes have now been implemented to prevent further email breaches in the future.

Hawaii Independent Physicians Association Reports Email Account Breach

Hawaii Independent Physicians Association (HIPA) is notifying 18,770 patients about a security incident involving the email account of a subcontractor.

On February 4, 2021, HIPA determined an unauthorized individual had accessed the email account. External access to the account was immediately blocked and, as a precaution, all HIPA users were required to change their login credentials for their system and email accounts. Assisted by a third-party cybersecurity firm, HIPA determined the breach was limited to a single email account, which contained the protected health information of patients of its physicians.

The types of information in the compromised account included full names, dates of birth, home addresses, and information about the general health condition of patients. No evidence of unauthorized data access was found, but the possibility that PHI was viewed or obtained could not be ruled out.

The cybersecurity firm investigating the breach made recommendations to improve email security and HIPA is in the process of implementing the suggested changes.


Advocate Aurora Health, Jefferson Health, and Intermountain Healthcare Affected by Elekta Ransomware Attack

Three more healthcare providers have announced they have been affected by the recent ransomware attack on the Swedish radiation therapy and radiosurgery solution provider Elekta Inc.

Elekta provides a cloud-based mobile application called SmartClinic, which is used by healthcare providers to access patient information for cancer treatments. Cybercriminals gained access to Elekta’s systems between April 2, 2021 and April 20, 2021 and exfiltrated the SmartClinic database prior to deploying ransomware and encrypting files. The database contained the personal and protected health information (PHI) of patients of 42 healthcare systems in the United States. Elekta notified affected customers in May 2021.

Advocate Aurora Health has recently announced that 68,000 of its patients across 7 sites in Illinois have been affected by the attack. The following types of PHI were acquired by the ransomware gang: names, addresses, dates of birth, height and weight measurements, Social Security numbers, driver’s license numbers, diagnosis information, treatment information, and appointment confirmations.

Advocate Aurora Health said no evidence has been found to suggest information obtained in the attack has been misused, but complimentary credit monitoring, fraud consultation, and identity theft restoration services have been offered to affected individuals as a precaution. Advocate Aurora Health said it has been working with Elekta to ensure steps are taken to prevent similar events in the future.

Philadelphia, PA-based Jefferson Health said the database contained the PHI of cancer patients who received treatment at its Sidney Kimmel Cancer Center. Patient names, dates of birth, medical record numbers, physician names, department, date(s) of service, treatment plans, diagnosis and/or prescription information were compromised. For some patients, a Social Security number was also included in the database. Patients are being notified by mail and have been offered complimentary credit monitoring and identity theft protection services. Jefferson Health said it is now re-evaluating its relationship with Elekta. Jefferson Health has not yet disclosed how many patients were affected.

Intermountain Healthcare in Salt Lake City, UT said patient names and scanned image files were potentially compromised. The image files included data such as medical intake forms and medical images, which may have included dates of birth, demographic information, insurance cards, other identification cards, and Social Security numbers. Intermountain Healthcare has been working with Elekta to implement additional safeguards, including migrating its data to a new-generation Elekta cloud system. The 28,628 affected patients have been offered complimentary credit monitoring services.


Sierra Nevada Primary Care Physicians Alerts Patients About Theft of PHI

Sierra Nevada Primary Care Physicians in California is alerting 1,717 patients about an incident involving the theft of some of their protected health information, including names and credit card information.

On May 20, 2021, Sierra Nevada Primary Care Physicians was notified by the District Attorney’s office that two envelopes containing receipts from the practice had been found in the vehicle of a suspect.

The receipts were for payments made by patients between January 1, 2019 and March 20, 2019. For individuals who paid in person at the front desk using a debit or credit card, the receipts contained the individual’s name, name of the practice, amount charged, and the last four digits of the card number. Receipts for payments made by individuals using a debit card or credit card by mail or over the phone included that individual’s name, debit/credit card number, expiry date, CVV code, signature, practice name, and amount charged.

The District Attorney confirmed that the two envelopes and receipts were recovered and the perpetrators were arrested. Sierra Nevada Primary Care Physicians has offered affected individuals 12 months of complimentary credit monitoring services but believes misuse of information is unlikely. Steps have since been taken to improve security, including keeping receipts in a locked room that only two individuals can access, and all receipts now have the credit card information blacked out.

University of Maryland, Baltimore Impacted by Accellion Cyberattack

University of Maryland, Baltimore has announced the protected health information of 30,468 individuals was compromised in a cyberattack on its Accellion File Transfer Appliance (FTA) in December 2020.

Hackers gained access to the system, exfiltrated data, and issued a ransom demand for the safe return of the stolen data. Some of that information was subsequently published on the hacker’s data leak site.

University of Maryland said the system was used by students and faculty staff and was rigorously monitored and patches to fix security issues were promptly applied; however, in this instance, a vulnerability was exploited for which a patch had not yet been released by Accellion.

A plan had already been formed to replace the system with a newer, more secure system prior to learning about the breach. The plan was executed in February 2021 and the legacy Accellion FTA appliance has now been replaced. Complimentary credit monitoring services have been offered to affected individuals.


Lake County Health Department Notifies 25,000 Patients About Two Data Breaches

The Lake County Health Department in Illinois has announced it has suffered two data breaches that potentially involved the personal and protected health information of around 25,000 patients.

The first breach occurred in 2019 when a Lake County Health employee sent an unencrypted email from their work email account to an internal employee’s personal email account. The email had an attached spreadsheet of medical record requests dating from December 2016 to June 2019. The requests had been made through a third-party company which handled release of information requests for the Lake County Health Department. The spreadsheet included the names of 24,241 patients along with dates relevant to the vendor.

Lake County Health discovered the breach on July 22, 2019; however, it took until July 2021 for notification letters to be sent to affected patients. The delay of almost two years arose because Lake County Health officials did not believe notification letters were required, as no personal health information had been compromised; the Department of Health and Human Services disagreed with that assessment and required notification letters to be issued, as personal health information may have been compromised.

A second data breach was discovered on May 14, 2021 which involved a Google spreadsheet containing names, dates of birth, email addresses, phone numbers, and the COVID-19 vaccination status of 705 individuals. The spreadsheet was saved in the personal Google Drive account of an employee. While Google Drive can be a HIPAA compliant solution for use in healthcare along with other G Suite services, personal accounts are not. Google can access information in personal Google accounts and uses that information to deliver tailored services and advertisements. All affected individuals were seniors who had sought information on COVID-19 vaccinations. Those individuals have now been notified.

While both privacy incidents resulted in patient data being exposed, Lake County Health said internal risk assessments were conducted and no evidence was found to indicate any of the exposed information had been acquired by unauthorized individuals or misused.

The Lake County Health Department has since implemented solutions to prevent any similar breaches in the future, including encryption of all email and enhanced monitoring.
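Both Lake County incidents share a pattern: PHI in a spreadsheet leaving the organization’s controlled accounts unencrypted (a work mailbox to a personal mailbox, a work spreadsheet in a personal Google Drive). The following is an added illustration, not Lake County Health’s or any vendor’s code, of the kind of outbound-mail policy check that the "encryption of all email and enhanced monitoring" remediation implies. The organization domain, the list of consumer webmail domains, and the sample messages are all constructed for this example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Consumer webmail domains that a covered entity normally has no BAA with
# (constructed list; a real deployment would maintain its own).
PERSONAL_MAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com", "icloud.com"}

# Attachment types most likely to carry bulk patient lists.
SPREADSHEET_EXT = re.compile(r"\.(xlsx?|csv|ods)$", re.IGNORECASE)


@dataclass
class OutboundMessage:
    msg_id: str
    sender: str
    recipients: List[str]
    attachments: List[str] = field(default_factory=list)
    encrypted: bool = False  # True if routed through the gateway's encryption channel


def mail_domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def evaluate(msg: OutboundMessage, org_domain: str) -> List[str]:
    """Return the policy findings for one outbound message (empty list = clean)."""
    findings = []
    external = [r for r in msg.recipients if mail_domain(r) != org_domain]
    personal = [r for r in external if mail_domain(r) in PERSONAL_MAIL_DOMAINS]
    sheets = [a for a in msg.attachments if SPREADSHEET_EXT.search(a)]
    if personal:
        findings.append(f"recipient is a personal webmail account: {', '.join(personal)}")
    if sheets and external:
        findings.append(f"spreadsheet attachment leaving the organization: {', '.join(sheets)}")
    if external and not msg.encrypted:
        findings.append("external message not sent through the encryption channel")
    return findings


def decide(findings: List[str]) -> str:
    """Simple escalation: two or more findings block, one alerts, none allows."""
    if len(findings) >= 2:
        return "block"
    return "alert" if findings else "allow"


def run_policy(messages: List[OutboundMessage], org_domain: str) -> Dict[str, Tuple[str, List[str]]]:
    return {m.msg_id: (decide(f), f) for m in messages for f in [evaluate(m, org_domain)]}


# Constructed sample traffic for the organization domain "health.example".
ORG_DOMAIN = "health.example"
SAMPLE = [
    # The 2019 pattern: a work account mails a request spreadsheet to a personal mailbox, unencrypted.
    OutboundMessage("m1", "roi-clerk@health.example", ["colleague.home@gmail.com"],
                    ["roi_requests_2016-2019.xlsx"]),
    # A legitimate vendor exchange that still deserves review because a spreadsheet leaves the org.
    OutboundMessage("m2", "roi-clerk@health.example", ["intake@roi-vendor.example"],
                    ["requests_batch.csv"], encrypted=True),
    # Purely internal: no external recipient, so no findings even though it is a spreadsheet.
    OutboundMessage("m3", "roi-clerk@health.example", ["records@health.example"],
                    ["requests_batch.xlsx"]),
    # External, no attachment, but not encrypted: one finding, alert only.
    OutboundMessage("m4", "scheduler@health.example", ["clinic@partner.example"]),
]

if __name__ == "__main__":
    for msg_id, (decision, findings) in run_policy(SAMPLE, ORG_DOMAIN).items():
        print(msg_id, decision, findings)
```

The escalation thresholds are deliberately simple; in practice the "personal webmail" finding alone would usually justify a block for a mailbox that handles release-of-information requests, and the gateway would log the decision for the monitoring team.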
