HIPAA Breach News

Stolen Laptop Contained the PHI of Dignity Health Patients

Resource Anesthesiology Associates (RAA) of California has started notifying certain patients of Dignity Health’s Mercy Hospital Downtown and Mercy Hospital Southwest that some of their protected health information was stored on a laptop computer that has been stolen.

RAA of California provides anesthesiology services at the Dignity Health hospitals, which requires access to patient data. On July 8, the laptop was stolen from an RAA of California administrator. The theft was reported to law enforcement, but the device has not been recovered.

RAA of California conducted an investigation to determine which patient information was stored on the device and could potentially be accessed. The review confirmed the following types of information were stored on the device: Names, addresses, dates of birth, provider names, dates of service, diagnoses and treatment information, health insurance information, and other information related to patients’ medical care.

The laptop computer was protected with a password, which provides a degree of protection against unauthorized access. However, passwords can be cracked, so there is a risk that information on the laptop could be viewed by unauthorized individuals. RAA of California said to date there has been no evidence found which indicates any of the information stored on the laptop computer has been accessed or misused.

RAA of California believes the risk of misuse of patient data is low but, out of an abundance of caution, is offering affected individuals a complimentary membership to identity theft protection services through IDX. Patients will receive 12 months of CyberScan monitoring and will be protected by a $1 million identity theft insurance policy, which includes fully managed identity theft recovery services.

The post Stolen Laptop Contained the PHI of Dignity Health Patients appeared first on HIPAA Journal.

1,738 Patients of Coalinga State Hospitals Notified About Improper Disclosure of PHI

The Department of State Hospitals – Coalinga (DSH-C) in California has notified 1,738 patients that some of their protected health information has been impermissibly disclosed by a DSH-C employee.

The United States District Court, Eastern District of California had made a request to be provided with DSH-C patient rosters in order to determine whether patients were eligible for a waiver of filing fees when filing a lawsuit. Those rosters were provided to a District Court Clerk by a DSH-C employee.

The patient rosters contained information about patients who had not filed a lawsuit, and the rosters contained more information than was required by the District Court Clerk to determine eligibility for a waiver. The disclosure was therefore in violation of the HIPAA Rules.

The rosters contained the following data elements: name, case number, birth date, legal commitment, admission date, unit number, and gender. DSH-C said it has no reason to believe the information was used for any reason other than for an eligibility determination for a public benefit provided by the Court.

Upon discovery of the breach, the District Court Clerk was contacted and instructed to destroy all DSH-C patient rosters that were provided to the District Court. Staff members are being provided with further training on data protection and policies and procedures are being reviewed and revised to ensure greater clarity on allowable uses and disclosures of patient information.

36,500 Patients of Austin Cancer Centers Notified About PHI Exposure

Austin Cancer Centers is alerting 36,503 patients about a security incident discovered on August 4, 2021 in which some of their protected health information was exposed.

Unauthorized individuals were discovered to have gained access to computer systems and installed malware. To prevent further unauthorized access, computer systems were immediately shut down and law enforcement was notified. Since then, Austin Cancer Centers has worked with cybersecurity experts to learn about the exact nature and scope of the incident. Austin Cancer Centers said the malware has now been removed, systems have been restored and secured, and its facilities are open.

The forensic investigation into the security breach confirmed hackers first gained access to its computer systems on July 21, and access remained possible until the breach was discovered on August 4. A comprehensive review was conducted to identify all files on the network that could possibly have been accessed in the attack. Those files were found to contain patient information such as names, addresses, dates of birth, insurance carrier names, and medical notes. The Social Security numbers of certain patients were also exposed, as were the credit card numbers of a limited number of patients.

Austin Cancer Centers does not believe the attackers had access to its entire network, but the decision was taken to send notifications to 36,500 patients out of an abundance of caution. Since the attackers no longer had access to its network from August 4, new patients who received medical services after that date were definitely not affected.

Austin Cancer Centers said the attackers took steps to avoid detection and hide their activities, which is why it took around two weeks to discover the security breach. Throughout the investigation the priority was to ensure systems were secured and patient data were protected, so notifications were delayed until it was certain that appropriate safety measures were in place.

The exact nature of the malware attack, including whether ransomware was involved, has not been released as the investigation into the security breach is ongoing. Austin Cancer Centers said further information about the incident will be shared with affected individuals via its website when it is deemed appropriate for the information to be released.

Since the breach occurred, Austin Cancer Centers has implemented additional technical safeguards to further enhance security, and rigorous privacy and security training has been provided for the entire staff.

Affected patients have been provided with a complimentary 1-year membership to the Equifax Credit Watch™ Gold credit monitoring service, which includes automatic fraud alerts and coverage through a $1,000,000 identity theft insurance policy.

“We are deeply saddened and frustrated by this incident. Caring for our patients during medically stressful times in their life is our core business,” said Austin Cancer Center CEO, Laurie East. “We apologize to our family of patients for any concern this may create, and we will do everything we can to remedy the situation and help them through necessary steps to ensure their safety.”

Walgreens Covid-19 Test Registration System Has Been Exposing Patient Data

The personal data of individuals who took a COVID-19 test at a Walgreens pharmacy has been exposed over the Internet due to vulnerabilities in its COVID-19 test registration system.

It is currently unclear how many individuals have been affected, although they could well number in the millions given the number of COVID-19 tests Walgreens has performed since April 2020. It is unclear when the vulnerabilities were introduced on the website, but they date back to at least March 2021 when they were discovered by Interstitial Technology PBC consultant Alejandro Ruiz. He identified a security error when a member of his family had a COVID-19 test performed at Walgreens. Ruiz contacted Walgreens to alert them to the data exposure, but claimed the company was not responsive.

Ruiz spoke to Recode about the issue, and Recode had the security flaws confirmed by two security experts. Recode reported the issue to Walgreens, and the company said, “We regularly review and incorporate additional security enhancements when deemed either necessary or appropriate.” However, as of September 13, 2021, the vulnerabilities had not been addressed.

Recode reports that using the Wayback Machine, which contains an archive of the Internet, it was possible to see blank test confirmations dating back to July 2020, indicating the vulnerabilities have been present since at least then.

According to the security researchers, the vulnerabilities were the result of basic errors in Walgreens’ COVID-19 test appointment registration system. When a patient completes an online form, they are assigned a 32-digit ID number and an appointment request form is created with that unique 32-digit ID number in the URL. Anyone who has that URL is able to access the form; there is no need to authenticate to view the page.

The visible portion of the pages only contains a patient’s name, type of test, appointment time and location, but through the developer tools panel of a web browser it is possible to access other data, including date of birth, address, email address, phone number, and gender identity. Since the OrderID and the name of the lab that performed the test are also included in the data, it would be possible to access the test result, at least at one of Walgreens’ lab partners’ test result portals.

An active page could be viewed by an unauthorized individual who used the computer of someone who had booked a test, simply by opening it from the browser history. An employer, for instance, could view the information if the page had been accessed on a work computer. The data would also be accessible to the third-party ad trackers present on the Walgreens appointment confirmation pages. The researchers note that the confirmation pages carry ad trackers from Adobe, Dotomi, Facebook, Akamai, Google, Monetate, and InMoment, all of which could potentially access private information.

The URLs of all confirmation pages are the same aside from the unique 32-digit code contained in a “query string”. The researchers said there are likely millions of active appointment confirmation pages since Walgreens has been conducting COVID-19 tests at around 6,000 sites across the United States for almost 18 months.

The researchers suggested a hacker could create a bot to generate 32-digit identification numbers, add them to URLs, and then identify active pages. Considering the number of digits in the URL that would be a lengthy task, but it is not beyond the realm of possibility.
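The two defects described above (a confirmation page that treats possession of an opaque ID in the URL as authorization, and a page payload that carries far more data than it renders) beside their hardened form, as an added example that is not Walgreens’ code. The `Appointment` fields, the `patient_account` login binding, the sample record and the account identifiers are all constructed for illustration.

```python
# Added example, not Walgreens' code. Contrasts a confirmation-page lookup that
# trusts possession of the URL with one that requires an authenticated session,
# checks that the record belongs to that session, and returns only what the page
# renders. Every record, ID and account below is constructed for illustration.
import secrets
from dataclasses import dataclass, asdict


@dataclass(frozen=True)
class Appointment:
    appointment_id: str    # 32 hex characters, as in the page's description
    patient_account: str   # assumed field: the login that booked the test
    name: str
    test_type: str
    when: str
    location: str
    dob: str
    address: str
    email: str
    phone: str
    lab_order_id: str


class AuthorizationError(Exception):
    pass


def new_appointment_id() -> str:
    # 128 bits of randomness: hard to guess, but possession is still not authorization
    return secrets.token_hex(16)


def build_sample_store():
    """Constructed sample data. Returns (store, appointment_id, owning_account)."""
    appt_id = new_appointment_id()
    appt = Appointment(appt_id, "acct-1234", "Jane Doe", "PCR", "2021-09-13T09:00",
                       "Store 0001", "1985-04-02", "1 Main St", "jane@example.com",
                       "555-0100", "ORD-7781")
    return {appt_id: appt}, appt_id, "acct-1234"


def confirmation_page_vulnerable(store, appointment_id):
    """The pattern the article describes: whoever holds the URL gets the record,
    and the whole record (DOB, address, email, phone, lab order ID) is shipped to
    the browser even though only a few fields are rendered."""
    appt = store.get(appointment_id)
    return None if appt is None else asdict(appt)


RENDERED_FIELDS = ("name", "test_type", "when", "location")


def confirmation_page_hardened(store, appointment_id, session_account):
    """Require a logged-in session, bind the lookup to the session's account, and
    return only the fields the page displays, so no hidden PII reaches the
    developer tools panel or the third-party scripts loaded on the page."""
    if session_account is None:
        raise AuthorizationError("login required")
    appt = store.get(appointment_id)
    # Identical failure for "no such ID" and "not your ID": the lookup never
    # confirms which IDs are live.
    if appt is None or not secrets.compare_digest(appt.patient_account, session_account):
        raise AuthorizationError("not found")
    record = asdict(appt)
    return {k: record[k] for k in RENDERED_FIELDS}


if __name__ == "__main__":
    store, appt_id, account = build_sample_store()
    print("vulnerable, no login, keys sent:", sorted(confirmation_page_vulnerable(store, appt_id)))
    print("hardened, owner:", confirmation_page_hardened(store, appt_id, account))
```

Because the ID sits in a query string, it also lands in browser history, in `Referer` headers sent to the third-party trackers the article lists, and in server logs; the authorization check above makes a leaked ID useless on its own, and serving the page with a restrictive `Referrer-Policy` header keeps the ID from travelling to those third parties in the first place.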

“Any company that made such basic errors in an app that handles health care data is one that does not take security seriously,” said Ruiz to Recode. “It’s just another example of a large company that prioritizes its profits over our privacy.”

Desert Wells Family Medicine Ransomware Attack Causes Permanent Loss of EHR Data

Queen Creek, AZ-based Desert Wells Family Medicine has started notifying 35,000 patients that their protected health information has been compromised in a recent ransomware attack. The attack occurred on May 21, 2021 and resulted in the encryption of data, including its electronic health record (EHR) system.

All data had been backed up prior to the attack, but in addition to encrypting files, the attacker corrupted backup files which means all data contained in its EHR system prior to May 21 cannot be recovered. The types of data in the system, which may also have been obtained by the hackers in the incident, included patient names, addresses, dates of birth, billing account numbers, Social Security numbers, medical record numbers, and treatment information.

Desert Wells said it has not found any evidence that suggests there has been any attempted or actual misuse of patient data, and the third-party computer forensics investigators found no evidence that patient data had been exfiltrated prior to file encryption, although it was not possible to rule out data theft with a high degree of certainty. Consequently, the decision was taken to offer affected patients complimentary identity theft protection and credit monitoring services.

“Upon discovering the extent of the damage, we engaged additional forensics and recovery services as part of our exhaustive efforts to do everything we could to try and recover the data. Unfortunately, these efforts to date have been unsuccessful and patient electronic records before May 21, 2021, are unrecoverable,” said Daniel Hoag, MD, a family medicine physician at Desert Wells.

Desert Wells is constructing a new EHR system and is attempting to populate patient records with data obtained from other sources, which includes hospitals, pharmacies, laboratories, and medical imaging centers; however, it is likely that some patient data have been permanently lost.

“We recognize this is an upsetting situation and, from my family to yours, sincerely apologize for any concern this may cause,” said Hoag. “I’m sure many of you have been reading about other healthcare providers in the community, and around the country, that have been impacted by cybersecurity events. For our part, we are continuing to take steps to enhance the security of our systems and the data entrusted to us, including by implementing enhanced endpoint detection and 24/7 threat monitoring, and providing additional training and education to our staff.”

HealthReach Community Health Centers Reports Improper Disposal Incident Affecting Almost 117,000 Patients

The protected health information (PHI) of 116,898 patients of Waterville, ME-based HealthReach Community Health Centers has been exposed and potentially compromised.

HealthReach Community Health Centers, which operates 11 community health centers in Central and Western Maine, discovered a worker at a third-party data storage facility had improperly disposed of hard drives that contained the data of patients.

Under HIPAA, all electronic devices that contain PHI must be disposed of in a manner that ensures data on the devices cannot be read or reconstructed. This typically involves clearing (using software or hardware products to overwrite media with non-sensitive data), purging (degaussing or exposing the media to a strong magnetic field), or destroying the media via disintegration, pulverization, melting, incineration, or shredding.
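The clearing method named above (overwriting the media with non-sensitive data), together with the read-back verification that should accompany it, as an added example that is neither HealthReach’s nor its storage vendor’s code. A temporary file stands in for the drive so the example runs offline, and the PHI-like text it writes first is constructed.

```python
# Added example, not HealthReach's or any vendor's code. Implements the "clearing"
# step the passage describes (overwriting media with non-sensitive data) and the
# read-back verification that should follow it. A temporary file stands in for
# the device so the example runs offline; the fake patient text is constructed.
import os
import tempfile

BLOCK = 4096  # bytes written or read per step


def make_sample_media(size: int = 3 * BLOCK + 123) -> str:
    """Constructed stand-in for a drive: a temp file containing PHI-like text."""
    fd, path = tempfile.mkstemp(prefix="media-")
    record = b"PATIENT: Jane Doe, MRN 000123, DOB 1985-04-02, SSN 000-00-0000 | "
    with os.fdopen(fd, "wb") as f:
        f.write((record * (size // len(record) + 1))[:size])
    return path


def overwrite_media(path: str, patterns=(b"\x00",)) -> int:
    """Overwrite the entire media once per pattern, block by block, forcing each
    pass to stable storage. Returns the number of bytes covered per pass."""
    size = os.path.getsize(path)
    with open(path, "r+b", buffering=0) as f:
        for pattern in patterns:
            block = pattern * BLOCK
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(BLOCK, remaining)
                remaining -= f.write(block[:n])  # raw I/O may write fewer bytes
            os.fsync(f.fileno())
    return size


def verify_cleared(path: str, pattern: bytes = b"\x00"):
    """Read back every block and compare it with the final pattern.
    Returns (ok, first_bad_offset); the offset is None when the media verifies."""
    expected = pattern * BLOCK
    offset = 0
    with open(path, "rb", buffering=0) as f:
        while True:
            chunk = f.read(BLOCK)
            if not chunk:
                return True, None
            if chunk != expected[:len(chunk)]:
                for i, (got, want) in enumerate(zip(chunk, expected)):
                    if got != want:
                        return False, offset + i
            offset += len(chunk)


def sanitize_and_verify(path: str) -> bool:
    """Full clearing workflow: a ones pass, then a zero pass, then verification.
    Only a verified read-back counts as evidence the data is unrecoverable."""
    overwrite_media(path, patterns=(b"\xff", b"\x00"))
    ok, _ = verify_cleared(path)
    return ok


if __name__ == "__main__":
    media = make_sample_media()
    print("before:", verify_cleared(media))
    print("cleared and verified:", sanitize_and_verify(media))
    os.remove(media)
```

Overwriting is only a valid clearing method for media whose every block is reachable from the host; flash-based drives remap blocks in firmware, so a complete overwrite cannot be assumed to touch every cell, and those devices are sanitized with the firmware’s own secure-erase or crypto-erase command (purging) or destroyed physically. Whatever method is used, the record that a vendor keeps of the verification is what a covered entity can produce when, as in this incident, the disposal is later questioned.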

In a data breach notice sent to the Maine Attorney General, HealthReach said patient data had been exposed on April 7 and it was notified about the improper disposal incident on May 7. Upon discovery of the incident, HealthReach launched an investigation to determine what information was stored on the drives and which individuals had been affected.

The types of information on the stored drives varied from patient to patient and included patient names in addition to some or all of the following types of information: addresses, dates of birth, Social Security numbers, medical record numbers, health insurance information, lab test results, treatment records, and financial account information.

Notification letters were mailed to affected individuals on September 9, 2021. Individuals who had their Social Security number or financial information exposed have been offered complimentary identity theft protection and credit monitoring services for one year. At the time of issuing notification letters, HealthReach had not received any reports of attempted or actual misuse of patient data.

HealthReach said it is working with its data storage vendors to ensure similar breaches do not occur in the future, including providing further training for the workforce.

Jackson Health Investigating Nurse Social Media HIPAA Violation

Jackson Health has launched an investigation into a nurse social media violation after photographs of a baby with a birth defect were posted on Facebook.

A nurse who worked in the neonatal intensive care unit at Jackson Memorial Hospital posted two photographs on Facebook of a baby with gastroschisis – a rare birth defect of the abdominal wall that can cause the intestines to protrude from the body. The photos were accompanied by the captions, “My night was going great then boom!” and “Your intestines posed (sic) to be inside not outside baby! #gastroschisis.” The disturbing images were posted on accounts belonging to Sierra Samuels.

The posting of images of patients on social media without first obtaining authorization is a serious breach of patient privacy. Photographs of patients are classed as protected health information and posting images on social media platforms, even in closed Facebook groups, is a violation of the Health Insurance Portability and Accountability Act (HIPAA) unless prior authorization is obtained from the patient.

HIPAA requires healthcare providers to provide privacy policy training to staff members. Training must be provided within a reasonable time after an employee joins a covered entity’s workforce and training must be regularly reinforced. The best practice is to provide refresher HIPAA privacy training annually. A sanctions policy must also be developed and implemented that clearly states the sanctions employees will face if they violate the HIPAA Rules.

After being alerted to the social media posts, Jackson Health launched an investigation into the privacy violation and immediately placed the nurse on administrative leave pending the outcome of the investigation. “Protecting the privacy of our patients is always a top priority at Jackson Health System. Any potential privacy breach is taken seriously and thoroughly investigated,” said a spokesperson for Jackson Health. Jackson Health also confirmed that when employees violate patient privacy, despite being educated, they will be subject to disciplinary action which may involve suspension or termination.

OCR Announces 20th Financial Penalty Under HIPAA Right of Access Enforcement Initiative

The Department of Health and Human Services’ Office for Civil Rights (OCR) has imposed its 20th financial penalty under the HIPAA Right of Access enforcement initiative that was launched in late 2019.

Children’s Hospital & Medical Center (CHMC), a pediatric care provider in Omaha, Nebraska, has been ordered to pay a penalty of $80,000 to resolve the alleged HIPAA Right of Access violation, is required to adopt a corrective action plan to address the noncompliance discovered by OCR, and will be monitored for compliance by OCR for a period of one year.

The Privacy Rule of the Health Insurance Portability and Accountability Act gave individuals the right to obtain a copy of their protected health information held by a HIPAA covered entity, and for parents and legal guardians to obtain a copy of the medical records of their minor children. HIPAA covered entities must provide the requested records within 30 days and are only permitted to charge a reasonable cost-based fee for providing copies. In certain circumstances, covered entities can apply for a 30-day extension, making the maximum time for providing records 60 days from the date the written request for access is received.

When individuals feel their HIPAA rights have been violated, they cannot take legal action against a HIPAA-covered entity for a HIPAA violation, but they can file a complaint with OCR. In this case, OCR received a complaint from a parent who alleged CHMC had not provided her with timely access to her minor daughter’s medical records.

CHMC received the parent’s request and provided her with some of her daughter’s medical records but did not provide all the requested information. The parent also made several follow-up requests to CHMC. OCR investigated and confirmed the parent requested a copy of her late daughter’s medical records in writing on January 3, 2020. Some of the requested records were provided; however, the remainder of the records needed to be obtained from a different CHMC division. Some of the remaining records were provided on June 20, 2020, with the rest provided on July 16, 2020. OCR determined this was in violation of the HIPAA Right of Access – 45 C.F.R. § 164.524(b).

In addition to the financial penalty, CHMC must review and update its policies and procedures related to the HIPAA Right of Access, provide the policies to OCR for assessment, and distribute the approved policies to the workforce and ensure training is provided.

“Generally, HIPAA requires covered entities to give parents timely access to their minor children’s medical records, when the parent is the child’s personal representative,” said Acting OCR Director Robinsue Frohboese. “OCR’s Right of Access Initiative supports patients’ and personal representatives’ fundamental right to their health information and underscores the importance of all covered entities’ compliance with this essential right.”

Philadelphia Mental Health Service Provider Breach Affects 29,000 Patients

The Wedge Recovery Centers, a mental health service provider based in Philadelphia, Pennsylvania, discovered suspicious activity within its computer network on June 25, 2021 which indicated unauthorized individuals had breached its security defenses. Steps were immediately taken to block further access and an investigation was launched to determine the nature and scope of the breach.

The investigation confirmed an unauthorized actor had gained access to its network on June 25, 2021; however, no evidence was uncovered during the course of the investigation to suggest any individual’s information had been subjected to actual or attempted misuse as a result of the security breach.

A comprehensive review was conducted of all data potentially affected and that process is ongoing; however, it has now been confirmed that the following types of information were stored in files on parts of the network that were compromised: Name, address, date of birth, Social Security number, and treatment and health insurance information.

The Wedge Recovery Centers have implemented additional technical security safeguards to prevent further incidents of this nature and policies and procedures are being reviewed and enhanced to further improve privacy and security.

All individuals affected by the security breach are being notified by mail and have been advised to remain vigilant against identity theft and fraud and to review their account statements, explanation of benefits statements, and free credit reports for signs of suspicious activity or errors.

The breach has recently been reported to the Department of Health and Human Services’ Office for Civil Rights as affecting 29,000 individuals.