HIPAA Breach News

M.D. Anderson Cancer Center Has $4.3 Million OCR HIPAA Fine Overturned on Appeal

Posted by HIPAA Journal

The U.S. Court of Appeals for the Fifth Circuit has overturned a $4,348,000 HIPAA violation penalty imposed on University of Texas M.D. Anderson Cancer Center by the Department of Health and Human Services’ Office for Civil Rights.

The Civil Monetary Penalty was imposed on M.D. Anderson in 2018 following an investigation of three data breaches that were reported to the Office for Civil Rights between 2013 and 2014 that involved the loss/theft of unencrypted devices between 2012 and 2013. Two unencrypted flash drives containing the ePHI of 2,264 and 3,598 patients were lost, and an unencrypted laptop computer containing the ePHI of 29,021 patients was stolen.

The Office for Civil Rights investigation concluded that M.D. Anderson was in violation of two provisions of the HIPAA Rules. The first violation was the failure to implement encryption or adopt an alternative and equivalent method to limit access to ePHI stored on electronic devices, and the second prohibits unauthorized disclosures of ePHI.

HIPAA penalties are tiered and are based on the level of culpability, with the Office for Civil Rights determining M.D. Anderson had reasonable cause to know it was in violation of the HIPAA Rules. OCR calculated the appropriate penalties to be $1,348,000 for the of lack of encryption and $1.5 million per year for the impermissible disclosures of ePHI.

M.D. Anderson contested the financial penalties and after two unsuccessful reviews, OCR imposed the civil monetary penalties on the Texas healthcare provider in June 2018. M.D. Anderson then petitioned the 5th Circuit Court of Appeals to review the ruling in April 2019.

M.D. Anderson maintained that the HHS’ Office for Civil Rights is a federal agency and exceeded its authority by imposing the civil monetary penalties, since M.D. Anderson is a state agency and is therefore not a ‘person’ covered by the Enforcement Provision of the Health Insurance Portability and Accountability Act. M.D. Anderson also alleged the financial penalty was excessive. At the time it was the third largest HIPAA penalty to be imposed on a single covered entity for violations of the HIPAA Rules.

The two failed reviews resulted in the case going before an Administrative Law Judge (ALJ) who refused to rule on whether HIPAA, the HITECH Act, any other statute applied, nor whether the civil monetary penalty was arbitrary or capricious.

The 5th Circuit explained, “For the sake of today’s decision, we assume that M.D. Anderson is such a “person” and that the enforcement provision therefore applies. The petition for review nonetheless must be granted for an independent reason: the CMP violates the Administrative Procedure Act (“APA”).”

After reviewing the financial penalty, the Court of Appeals ruled that the Office for Civil Rights had acted arbitrarily, and its decision was capricious and contrary to law for at least four independent reasons. As required by HIPAA, M.D. Anderson had implemented a mechanism for encryption as early as 2006, but the Office for Civil Rights failed to demonstrate that M.D. Anderson had not done enough to secure the ePHI of its patients. It was only possible to demonstrate that three employees had failed to abide by M.D. Anderson’s encryption policies.

The Court of Appeals also found issue with the impermissible disclosure aspect of the decision. The HIPAA definition of disclosure suggests an affirmative act rather than a passive loss of information, and also that ePHI would need to be disclosed to someone outside the covered entity, when that could not be determined in this case.

The Court of Appeals also found the decision to fine some covered entities for loss/theft incidents and not others was inconsistent. Regarding the penalty amount, under the “reasonable cause” penalty tier, the maximum fine for violations of an identical provision during a calendar year may not exceed $100,000. The ALJ and the Departmental Appeals Board nevertheless determined that the per-year statutory cap was $1,500,000.

Following the petition to the Court of Appeals, the HHS’ Office for Civil Rights conceded that the $4,348,000 financial penalty could not be justified and asked the Court of Appeals to reduce the fine by a factor of ten to $450,000.

The Court of Appeals concluded that the Government had offered no lawful basis for the civil monetary penalties, vacated the CMP order, and remanded the matter for further proceedings consistent with the court’s opinion.

The post M.D. Anderson Cancer Center Has $4.3 Million OCR HIPAA Fine Overturned on Appeal appeared first on HIPAA Journal.

2020-2021 HIPAA Violation Cases and Penalties

Posted by HIPAA Journal

The Department of Health and Human Services’ Office for Civil Rights (OCR) settled 19 HIPAA violation cases in 2020. More financial penalties were issued in 2020 than in any other year since the Department of Health and Human Services was given the authority to enforce HIPAA compliance. $13,554,900 was paid to OCR to settle the HIPAA violation cases. 2021 saw a slight reduction in the number of settlements and fines for HIPAA violations, with 14 enforcement actions announced by OCR. Even so, 2021 had the second-highest number of HIPAA fines of any year since OCR started enforcing compliance with the HIPAA Rules.

While the number of penalties was still high in 2021, there was a sizeable reduction in penalty amounts which totaled $5,982,150 for the year, and $5,100,000 of that total came from just one enforcement action. The reason for this is that most of the penalties were for violations of the HIPAA Right of Access, and were in response to investigations of complaints filed by patients who had not been provided with timely access to their medical records, rather than penalties for violations of multiple HIPAA Rules that impacted large numbers of individuals. The $5,100,000 penalty, imposed on Excellus Health Plan, was so large because there were multiple violations of the HIPAA Rules, over multiple years, that led to a breach of the ePHI of 9,358,891 individuals.

Penalties for Noncompliance with the HIPAA Right of Access

In late 2019, OCR announced a new HIPAA enforcement initiative to tackle non-compliance with the Right of Access standard of the HIPAA Privacy Rule. Since then, OCR has been rigorously enforcing compliance with the HIPAA Right of Access and as of December 2021, has imposed 25 penalties for HIPAA Right of Access violations totaling $1,564,650. The fines range from $3,500 to $200,000. There have been 24 settlements and one civil monetary penalty, with many of the fines imposed on small healthcare providers.

The HIPAA Right of Access standard – 45 C.F.R. § 164.524(a) – gives patients the right to access, inspect, and obtain a copy of their own protected health information in a designated record set.  When a request is received from an individual or their personal representative, the records must be provided within 30 days. A reasonable, cost-based fee may be charged for providing a copy of the requested records. A request for access to an individual’s health records may be denied, but only in very limited circumstances.

OCR investigates complaints from individuals who allege they have been denied access to their health records, have not received records within 30 days, or have been charged excessive amounts for copies of their records. The financial penalties imposed by OCR in 2020 for HIPAA Right of Access violations ranged from $15,000 to $160,000 and stemmed from refusals to provide copies of records or long delays. In many cases, records were only provided after OCR intervened.

2021 HIPAA Right of Access Enforcement Actions

Covered Entity Penalty Outcome
Banner Health 200,000 Settlement
Rainrock Treatment Center LLC (dba monte Nido Rainrock) 160,000 Settlement
Dr. Robert Glaser 100,000 Civil Monetary Penalty
Children’s Hospital & Medical Center 80,000 Settlement
Renown Health 75,000 Settlement
Sharpe Healthcare 70,000 Settlement
Arbour Hospital 65,000 Settlement
Advanced Spine & Pain Management 32,150 Settlement
Denver Retina Center 30,000 Settlement
Village Plastic Surgery 30,000 Settlement
Wake Health Medical Group 10,000 Settlement

Other 2021 HIPAA Violation Penalties

Covered Entity Penalty Outcome
Excellus Health Plan $5,100,000 Settlement
AEON Clinical Laboratories (Peachstate) $25,000 Settlement

Only two HIPAA enforcement actions in 2021 were not the result of HIPAA Right of Acess violations.

Excellus Health Plan

Rochester, New York-based Excellus Health Plan, a member of the Blue Cross Blue Shield Association, was investigated to identify potential HIPAA compliance issues following a report of a data breach of 9,358,891 records in 2015. It was one of three mega data breaches to be reported by health plans that year, Anthem Inc and Premera Blue Cross being the other two, both of which had settled their cases and paid sizeable penalties.

Excellus discovered the breach in August 2015, with its investigation revealing hackers had access to its systems between December 23, 2013, and May 11, 2015. The breach was reported to OCR on September 9, 2015. Malware had been installed which allowed the hackers to exfiltrate the data of around 7 million Excellus Health Plan members and approximately 2.5 million members of Lifetime Healthcare, its non-BlueCross subsidiary, which included names, contact information, dates of birth, Social Security numbers, health plan ID numbers, claims data, financial account information, and clinical treatment information.

OCR’s investigation uncovered multiple HIPAA violations, including the failure to conduct an accurate and thorough organization-wide risk analysis, the failure to reduce risks and vulnerabilities to ePHI to a reasonable and appropriate level, and a lack of technical policies and procedures to limit data access to authorized persons and software programs. Excellus chose to settle the case and paid a $5,100,000 penalty and agreed to implement a comprehensive Corrective Action Plan to address all areas of non-compliance.

Peachstate Health Management LLC, dba AEON Clinical Laboratories

The enforcement action against Peachstate Health Management is notable because this was the first OCR investigation to result in a financial penalty for HIPAA violations identified in a company that was not the initial subject of the investigation.

OCR launched an investigation after receiving a report from the Department of Veteran Affairs in 2015 about a data breach involving its business associate, Authentidate Holding Corporation (AHC). AHC managed the VA’s Telehealth Services Program and suffered a data breach. While investigating, OCR learned that AHC had entered into a reverse merger with Peachstate Health Management on January 27, 2016, which saw Peachstate acquired by AHC. Peachstate is a CLIA-certified laboratory that provides clinical and genetic testing services through its publicly traded parent company, AEON Global Health Corporation (AGHC).

OCR then launched an investigation of Peachstate to assess HIPAA Privacy and Security Rule compliance and found multiple violations of the HIPAA Rules. OCR identified multiple HIPAA Security Rule failures, including risk assessment, risk management, audit controls failures, as well as the failure to maintain documentation of HIPAA Security Rule policies and procedures. The case was settled for $25,000, and a corrective action plan was agreed to resolve the HIPAA violations.

2020 HIPAA Right of Access Enforcement Actions

Covered Entity Penalty Outcome
Dignity Health, dba St. Joseph’s Hospital and Medical Center $160,000 Settlement
NY Spine $100,000 Settlement
Beth Israel Lahey Health Behavioral Services $70,000 Settlement
University of Cincinnati Medical Center $65,000 Settlement
Housing Works, Inc. $38,000 Settlement
Peter Wrobel, M.D., P.C., dba Elite Primary Care $36,000 Settlement
Riverside Psychiatric Medical Group $25,000 Settlement
Dr. Rajendra Bhayani $15,000 Settlement
All Inclusive Medical Services, Inc. $15,000 Settlement
Wise Psychiatry, PC $10,000 Settlement
King MD $3,500 Settlement

Other 2020 HIPAA Violation Penalties

The remaining HIPAA violation penalties issued in 2020 were issued for non-compliance with several provisions of the HIPAA Rules. The penalty amounts reflect the seriousness of the violations, the harm caused, the number of individuals affected, the level of cooperation with OCR, the voluntary actions taken to address the violations, and the ability of the entity to pay. In each of the HIPAA violation cases below, OCR discovered multiple violations of the HIPAA Rules.

Covered Entity Amount Outcome
Premera Blue Cross $6,850,000 Settlement
CHSPSC LLC $2,300,000 Settlement
Athens Orthopedic Clinic $1,500,000 Settlement
Lifespan Health System Affiliated Covered Entity $1,040,000 Settlement
Aetna $1,000,000 Settlement
City of New Haven, CT $202,400 Settlement
Steven A. Porter, M.D $100,000 Settlement
Metropolitan Community Health Services dba Agape Health Services $25,000 Settlement

Second Largest HIPAA Violation Penalty for Premera Blue Cross

The largest HIPAA violation penalty of 2020 was imposed on the health insurer Premera Blue Cross. Premera Blue Cross was investigated over a data breach in which the protected health information of 10,466,692 individuals was obtained by hackers.

During the investigation, OCR discovered multiple potential violations of the HIPAA Security Rule. Premera Blue Cross had failed to conduct a comprehensive risk analysis, had not reduced risks to the confidentiality, integrity, and availability of ePHI to a reasonable and appropriate level, and had implemented insufficient hardware and software controls.

Premera Blue Cross agreed to pay a financial penalty of $6,850,000 to resolve the case and adopted a corrective action plan to address all areas of noncompliance.

In addition to the OCR penalty, Premera Blue Cross settled a multi-state action for $10 million and a class action lawsuit filed on behalf of victims of the breach for $74 million.

The financial penalty was the second-largest ever to be issued by OCR. The largest HIPAA violation penalty – $16 million – was paid by Anthem Inc. in 2018 and resolved an investigation into its 78.8 million record data breach that was discovered in 2015. Following on from that settlement, in 2020 Anthem Inc settled a multi-state action and paid $48.2 million in penalties. Anthem also settled a class action lawsuit filed on behalf of victims of the breach in 2018 for $115 million.

CHSPSC LLC

CHSPSC LLC, a Tennessee-based management company that provides services to many subsidiary hospital operator companies and other affiliates of Community Health Systems, suffered a cyberattack in April 2014 in which compromised admin credentials were used by hackers to gain access to its systems. The hackers stole the ePHI of 6,121,158 individuals.

OCR investigated and found systemic noncompliance with the HIPAA Security Rule. CHSPSC had failed to conduct a comprehensive risk analysis, was not conducting information system activity reviews, and had implemented insufficient access controls and security incident response procedures. When notified about the cyberattack by the FBI, it took CHSPSC two months to respond.

CHSPSC LLC settled the case, paid a $2,300,000 penalty, and adopted a corrective action plan to address all areas of noncompliance. Community Health Systems and CHSPSC LLC also settled a multi-state action with 28 state Attorneys General over the breach for $5,000,000.

Athens Orthopedic Clinic

The Athens, GA-based healthcare provider Athens Orthopedic Clinic suffered a cyberattack in 2016 in which a hacker stole a database containing the PHI of 208,557 patients and demanded payment not to release the stolen data. When payment was not received the database was published.

OCR’s investigation into the breach uncovered systemic noncompliance with the HIPAA Rules. Athens Orthopedic Clinic had failed to conduct a comprehensive risk analysis, had not implemented security procedures to reduce risks to ePHI to a reasonable and appropriate level, had failed to implement appropriate hardware, software, and procedures for recording and analyzing information system activity, and did not implement HIPAA policies until August 2016.

OCR also found the clinic had not entered into business associate agreements with three vendors and did not provide HIPAA Privacy Rule training to the entire workforce until January 15, 2018.

Athens Orthopedic Clinic agreed to settle the case, paid a $1.5 million penalty, and adopted a corrective action plan to address all areas of noncompliance.

Lifespan Health System Affiliated Covered Entity

Lifespan Health System Affiliated Covered Entity is a Rhode Island not-for-profit health system with many healthcare provider affiliates in the state. In February 2017, an unencrypted laptop computer was stolen from an employee’s vehicle. The laptop contained the ePHI of 20,431 patients.

OCR investigated the breach and discovered systemic noncompliance with the HIPAA Rules. Lifespan had conducted a risk analysis and determined encryption was required for its mobile devices due to the high risk of data exposure but failed to implement encryption on mobile devices. The movement of the devices in and out of its facilities was not tracked and there was no comprehensive inventory of mobile devices. OCR also found that there was no business associate agreement between Lifespan Corporation and Lifespan ACE.

Lifespan ACE agreed to settle the case, paid a $1,040,000 penalty, and adopted a corrective action plan to address all areas of noncompliance.

Aetna

Aetna Life Insurance Company and its affiliated covered entity (Aetna) were investigated by OCR after reporting three data breaches in 2017. The first breach involved the exposure of the protected health information of 5,002 plan members over the Internet, and the other two breaches involved mailings in which sensitive PHI could be viewed through the windows of the envelopes. In the first mailing to 11,887 individuals the words ‘HIV medication’ could be viewed through the windows of the envelopes. In the second mailing to 1,600 individuals, the name and logo of an atrial fibrillation study could be viewed.

OCR determined Aetna had not performed periodic technical and non-technical evaluations of operational changes affecting the security of their ePHI, procedures had not been implemented to verify the identity of individuals or entities looking to access their ePHI, disclosures of ePHI had not been limited to the minimum necessary information to achieve the purpose for the disclosures, and there was a lack of appropriate administrative, technical, and physical safeguards to ensure the privacy of ePHI.

Aetna agreed to settle the case, paid a $1 million penalty, and agreed to adopt a corrective action plan to address all areas of noncompliance.

Other penalties related to be breach include a $1.15 million settlement with the New York Attorney General, a $935,000 settlement with the California Attorney General, and similar settlements with Connecticut ($99,959), the District of Columbia ($175,000), and New Jersey ($365,211.59). A class action lawsuit filed on behalf of victims of the breach was settled for $17.2 million.

City of New Haven, CT

In January 2017, the City of New Haven in Connecticut reported a data breach of the ePHI of 498 individuals to OCR. The city had terminated an employee in 2016 during her probationary period. The former employee returned to the New Haven Health Department with her union representative after she had been terminated, used her work key to access her old office, and locked herself inside. She used her login credentials to access a work computer and copied data onto a USB drive before leaving.

In addition to failing to terminate the former employee’s access rights, OCR discovered a comprehensive risk analysis had not been performed, the city had failed to implement HIPAA Privacy Rule policies, and had not issued unique IDs to allow system activity to be tracked.

The City of New Haven settled the case, paid a $202,400 financial penalty, and agreed to adopt a corrective action plan to address all areas of noncompliance.

Steven A. Porter, M.D

The medical practice of Steven A. Porter, M.D in Ogden, UT provides gastroenterological services to more than 3,000 patients. On November 13, 2013, OCR received a breach notification alleging Dr. Porter’s electronic medical record company was impermissibly using patients’ electronic medical records by blocking the practice’s access to ePHI until a $50,000 bill was paid.

OCR investigated and found serious violations of the HIPAA Security Rule at the practice. At the time of the investigation, a risk analysis had never been performed and risks to the confidentiality, integrity, and availability of ePHI had not been managed and reduced to a reasonable and acceptable level. The practice had also allowed Dr. Porter’s EHR company to create, receive, maintain, or transmit ePHI on behalf of the practice, without entering into a business associate agreement.

Dr. Porter settled the case, paid a $100,00 financial penalty, and agreed to adopt a corrective action plan to address all areas of noncompliance.

Metropolitan Community Health Services / Agape Health Services

Metropolitan Community Health Services is a Washington, NC-based Federally Qualified Health Center that provides integrated medical, dental, behavioral health & pharmacy services for adults and children. Operating as Agape Health Services, Metro provides discounted medical services to the underserved population in rural North Carolina.

In June 2011, Metro notified OCR about a breach of the PHI of 1,263 patients. OCR conducted a compliance review and identified longstanding, systemic noncompliance with the HIPAA Security Rule.

Prior to the breach, Metro had not implemented HIPAA Security Rule policies and procedures, had failed to conduct an accurate risk analysis, and had not provided security awareness training to its workforce for more than 16 years.

Metro settled the case, paid a $25,000 penalty, and agreed to adopt a corrective action plan to address all areas of noncompliance.

Further information on HIPAA Penalties

You can view a summary of the HIPAA violation penalties in previous years on this link.

The post 2020-2021 HIPAA Violation Cases and Penalties appeared first on HIPAA Journal.

OCR Continues HIPAA Right of Access Crackdown with $200,000 Fine

Posted by HIPAA Journal

The HHS’ Office for Civil Rights (OCR) is continuing to crackdown on healthcare providers that are not providing patients with timely access to their medical records. Yesterday, OCR announced a settlement had been agreed with Banner Health to resolve a HIPAA Right of Access investigation. Banner Health agreed to pay $200,000 to settle the case.

The HIPAA Privacy Rule gives individuals the right to access, inspect, and obtain a copy of their own protected health information. When a request is received, HIPAA-covered entities are required to provide a copy of the requested records within 30 days.

In late 2019, OCR announced it was cracking down on noncompliance with this important provision of HIPAA. Since then, 14 financial penalties have been imposed on covered entities that have failed to provide patients with timely access to their medical records.

Phoenix, AZ-based Banner Health is one of the largest health care systems in the United States. The non-profit health system operates 30 hospitals and many primary care, urgent care, and specialty care facilities.

OCR received two complaints from patients of Banner Health affiliated covered entities alleging long delays receiving copies of medical records. The first patient submitted a request to Banner Estrella Medical Center in December 2017 and was not provided with the requested records until May 2018. A second complaint was received alleging another patient had to wait 5 months for an electronic copy of his records. The request was submitted to Banner Gateway Medical Center in September 2019 and he did not receive the records until February 2020.

The $200,000 financial penalty is the largest HIPAA fine imposed on a HIPAA-covered entity by OCR under its HIPAA Right of Access enforcement initiative. In addition to paying the financial penalty, Banner Health has agreed to adopt a corrective action plan that includes reviewing and revising written policies on health record access, implementing those policies, and providing training to staff on the new policies.  OCR will monitor Banner Health for 2 years to ensure compliance.

“This first resolution of the year signals that our Right of Access Initiative is still going strong and that providers of all sizes need to respect the right of patients to have timely access to their medical records,” said OCR Director Roger Severino.

The post OCR Continues HIPAA Right of Access Crackdown with $200,000 Fine appeared first on HIPAA Journal.

LSU Health Discovers Further Hospital Affected by September 2020 Email Account Breach

Posted by HIPAA Journal

The protected health information of certain patients of LSU Health University Medical Center-New Orleans has potentially been compromised in an email security breach.

LSU Health New Orleans Health Care Services Division previously announced on November 20, 2020 that it has suffered a security breach involving the email account of an employee in September 2020. At the time, it appeared that the breach only affected certain patients who had received medical services at Lallie Kemp Regional Medical Center in Independence; Leonard J. Chabert Medical Center in Houma; W. O. Moss Regional Medical Center in Lake Charles; and the former Earl K. Long Medical Center in Baton Rouge; Bogalusa Medical Center in Bogalusa; University Medical Center in Lafayette; or Interim LSU Hospital in New Orleans.

LSU Health’s ongoing investigation revealed the data of certain patients of its partner hospital, University Medical Center-New Orleans, was also stored in the compromised email account.

The breach occurred on September 15, 2020 and was discovered on September 18.  While the email account was accessed by an unauthorized individual, no specific evidence of PHI access or misuse has been discovered.

The types of information in the account varied from patient to patient and may have included patients’ names, phone numbers, addresses, medical record numbers, account numbers, Social Security numbers, dates of birth, dates of service, types of services received, and health insurance information. A small percentage of patients may have had their bank account number and health information exposed.

Beebe Medical Foundation Affected by Blackbaud Ransomware Attack

Lewes, DE-based Beebe Medical Foundation has announced it has been affected by the ransomware attack on Blackbaud Inc. In a December 28, 2020 breach notice, Beebe Medical Foundation explained that it received notification from Blackbaud on July 16, 2020 about the ransomware attack which saw Blackbaud’s systems compromised between February 7, 2020 and May 20, 2020.

It only became apparent that Beebe data was affected in November 2020. After conducting a review of the actual data involved, Beebe confirmed on December 2, 2020 that the personal information of 56,953 individuals had been obtained by the attackers. The stolen data included names, dates of birth; clinician names; dates of screening; visit dates; and the department related to medical services provided.

Blackbaud paid the ransom and received assurances that the stolen data has now been deleted; however, out of an abundance of caution, Beebe is issuing notifications to affected individuals.

The post LSU Health Discovers Further Hospital Affected by September 2020 Email Account Breach appeared first on HIPAA Journal.

Lake Region Healthcare Recovering from Ransomware Attack

Posted by HIPAA Journal

Lake Region Healthcare in Fergus Falls, Minnesota is investigating a ransomware attack that was first detected on December 22, 2020. The attack impacted several of the healthcare provider’s systems and caused some disruption to normal operations at its locations in Fergus Falls, Battle Lake, Ashby, and Barnesville. Emergency procedures had been developed prior to the attack which were immediately implemented, and care continued to be provided to patients while the attack was investigated and remediated.

Third-party cybersecurity experts were engaged to assist with the investigation and determine the scope of the attack, and while the investigation is ongoing, most of the systems impacted by the attack have been restored and services are operating as usual, largely due to working off alternative systems.

While it is common for data to be stolen prior to the deployment of ransomware, no evidence has been found to indicate that was the case with this attack. Patient care continues to be provided, but patients have been advised to contact the hospital to confirm their appointments. Further announcements will be made as the investigation progresses and all systems are brought back online.

University of Vermont Health Network Ransomware Attack Delays EHR Rollout

The ransomware attack on the Burlington, VT-based University of Vermont Health Network on October 28, 2020 caused major disruption.

The recovery process has taken many weeks, and while most systems have now been brought back online, the attack is continuing to cause various impacts. Some applications have still not been brought back online and delays continue to be experienced in some departments such as radiology. Following the attack, the health systems said it was costing around $1.5 million per day in lost revenue.

The disruption caused by the attack has also resulted in a delay in the planned enterprise-wide rollout of the next phase of its new Epic EHR system. The new EHR system is due to replace a patchwork of applications within and between hospitals in the network that are currently not fully integrated.

“In 2020, our network, like those across the world, experienced tremendous challenges due to the COVID-19 pandemic, only to be further encumbered by a ransomware attack,” said UVM president and CEO, John Brumsted, M.D.  The health network has delayed the new EHR implementations at several of its inpatient and outpatient units by between 4 and 8 months.

The post Lake Region Healthcare Recovering from Ransomware Attack appeared first on HIPAA Journal.

Email Breaches Reported by Mattapan Community Health Center and Prestera Center for Mental Health Services

Posted by HIPAA Journal

Prestera Center for Mental Health Services, the largest behavioral health services provider in West Virginia, has discovered an unauthorized individual potentially accessed the protected health information of a small percentage of its current and former patients.

An unauthorized individual gained access to Prestera Center’s business email environment which contained protected health information such as patient names, dates of birth, medical record numbers, patient account numbers, diagnostic information, prescription information, treatment information, and healthcare provider information. The email system also contained a limited number of patient addresses, Social Security numbers, and Medicare/Medicaid numbers.

A third-party vendor was engaged to assist with the investigation and determine whether any PHI was viewed or obtained during the data security incident. Prestera Center said the investigation did not uncover any evidence of attempted or actual misuse of patient information, but since PHI may have been viewed or acquired, affected individuals have been offered complimentary identity theft restoration and credit monitoring services.

Prestera Center has taken steps to enhance security including implementing multi-factor authentication on all accounts, strengthening its cybersecurity infrastructure, replacing and strengthening the firewall, revising policies and procedures, and implementing an intensive training program for employees.

Mattapan Community Health Center Email Breach

Mattapan Community Health Center (MCHC) in Massachusetts is notifying certain patients that some of their protected health information has potentially been viewed by an unauthorized individual who gained access to an employee’s email account.

Unusual email activity was detected on October 16, 2020 within an employee’s email account. Assisted by a third-party security firm, MCHC determined that the email account was accessed between July 28, 2020 and October 15, 2020. A review of the account revealed it contained sensitive data that may have been viewed or acquired.

The information in the account varied from individual to individual and may have included patient names, Social Security numbers, medical diagnoses, treatment information, provider information, health insurance information and/or medical record numbers.

MCHC said no evidence was found to indicate any actual or attempted misuse of patient data. MCHC has since implemented additional security measures to prevent further breaches.

The post Email Breaches Reported by Mattapan Community Health Center and Prestera Center for Mental Health Services appeared first on HIPAA Journal.

Breaches Reported by Northwestern Memorial Hospital, Apex Laboratory, and Five Points Eye Care

Posted by HIPAA Journal

Northwestern Memorial Hospital in Chicago discovered a former temporary worker may have inappropriately viewed the medical records of certain patients while employed at the hospital.

The unauthorized access was detected on December 2, 2020. A review of access logs revealed the individual viewed patient records without a work-related purpose for doing so between October 27, 2020 and December 2, 2020.  The information potentially viewed was limited to patient names, addresses, and treatment information. The worker did not have access to financial information or Social Security numbers.

Northwestern Memorial Hospital issued a statement about the privacy breach confirming the records of 682 patients may have been viewed and confirmed that the temporary worker is no longer employed by the hospital. It is unclear why the records were accessed. All affected patients are being notified about the privacy breach by mail and the incident has been reported to appropriate authorities.

Apex Laboratory Victim of DoppelPaymer Ransomware Attack

Apex Laboratory, a provider of home laboratory services in the New York metropolitan area and South Florida, was the victim of a DoppelPaymer ransomware attack in July 2020. Thousands of files have recently been uploaded to the data leak site of the DoppelPaymer ransomware gang, many of which contained the protected health information of patients and sensitive employee data.

Databreaches.net reports that after contacting Apex Laboratory about the breach, the dumped data was removed from the DoppelPaymer leak site. In a December 31, 2020 breach notice posted on the Apex Laboratory website, the laboratory confirmed that it suffered a ransomware attack on July 25, 2020 and that the encrypted data was restored on July 27, 2020.

The data uploaded to the leak site is presumed to have been obtained in the July cyberattack. Apex Laboratory confirmed that after being notified about the dumped records, steps were immediately taken to ensure the attackers removed the data from the leak site. The dumped data is believed to have included patient names, birth dates, test results, and a limited number of phone numbers and Social Security numbers. The investigation into the breach is ongoing and breach notification letters will be mailed to victims in the next few days.

Athens Optometrist Reports Potential Breach of Patient Data

Five Points Eye Care in Athens, GA has discovered an unauthorized individual gained access to its network and potentially viewed/obtained patient information. The breach occurred on October 27, 2020 and was detected and remediated the same day.

The breach was limited to the email system, which only contained correspondence sent to the optometrist from other treating physicians. Those emails contained names, dates of birth, Social Security numbers, addresses, medications, and treatment plans. A forensic investigation confirmed no other information could be accessed.

The security breach was reported to law enforcement and affected individuals have been notified by mail and offered a year of free credit monitoring services.

The post Breaches Reported by Northwestern Memorial Hospital, Apex Laboratory, and Five Points Eye Care appeared first on HIPAA Journal.

Largest Healthcare Data Breaches in 2020

Posted by HIPAA Journal

2020 was the worst ever year for healthcare industry data breaches. 616 data breaches of 500 or more records were reported to the HHS’ Office for Civil Rights. 28,756,445 healthcare records were exposed, compromised, or impermissibly disclosed in those breaches, which makes 2020 the third worst year in terms of the number of breached healthcare records.

The chart below clearly shows how healthcare industry data breaches have steadily increased over the past decade and the sharp rise in breaches in the past two years.

The Largest Healthcare Data Breaches in 2020

When a breach occurs at a business associate of a HIPAA-covered entity, it is often the covered entity that reports the breach rather than the business associate. In 2020, a massive data breach was experienced by the cloud service provider Blackbaud Inc. Hackers gained access to its systems and stole customer fundraising databases before deploying ransomware. Blackbaud was issued with a ransom demand and a threat that the stolen data would be released publicly if the ransom was not paid. Blackbaud decided to pay the ransom to prevent the exposure of client data. Blackbaud received assurances that the stolen data was permanently deleted and not been further disclosed.

The total victim count from the Blackbaud ransomware attack may never be known, but more than 6 dozen healthcare providers have reported being affected to date and over 8 million healthcare records have potentially been compromised. That breach clearly tops the list of the largest healthcare data breaches in 2020 and ranks as one of the largest healthcare data breaches of all time.

2020’s Largest Healthcare Data Breaches

The individual entities that reported data breaches in 2020 involving more than 300,000 healthcare records are listed below. In some cases, the actual data breach occurred prior to 2020, but was only discovered and reported in 2020.

Trinity Health – 3,320,726 Individuals

At more than 3.3 million records, Trinity Health was the worst affected healthcare victim of the ransomware attack on Blackbaud Inc. The hackers potentially obtained the philanthropy database of the Livonia, Michigan-based Catholic health system, which contained patient and donor information from 2000 to 2020.

MEDNAX Services, Inc. – 1,290,670 Individuals

Sunrise, FL-based MEDNAX Services Inc, a provider of revenue cycle management and other administrative services to its affiliated physician practice groups, suffered a breach of its Office 365 environment in June 2020 after employees responded to phishing emails. The breach was extensive, involving patient and guarantor information such as Social Security numbers, driver’s license numbers, and health insurance and financial information.

Inova Health System – 1,045,270 Individuals

Virginia-based Inova Health System was also a victim of the Blackbaud ransomware attack. The hackers gained access to Blackbaud’s systems on February 7, 2020 and the breach continued until May 20, 2020. Ransomware was deployed on May 14, 2020. Inova’s fundraising database was potentially compromised which contained patient and donor information.

Magellan Health Inc. 1,013,956 Individuals

Arizona-based Magellan Health was the victim of an April 2020 ransomware attack in which the protected health information of patients was potentially compromised. The attack ended with the deployment of ransomware but started with a spear phishing email. Several of its affiliated entities were also affected by the breach.

Dental Care Alliance – 1,004,304 Individuals

Sarasota, FL-based Dental Care Alliance, LLC, a dental support organization with more than 320 affiliated dental practices across 20 states, reported a breach of its systems in December. Few details have been released about the nature of the hacking incident as the investigation is still ongoing. The breach affected many of its affiliated dental practices.

Luxottica of America Inc. – 829,454 Individuals

Luxottica of America Inc., an operator of vision care facilities across the United States and owner of the eyewear brands Ray-Ban, Oakley, and Persol, experienced a cyberattack in August 2020 which saw hackers gain access to its web-based appointment scheduling system which contained the PHI of patients of its eye care partners.

Northern Light Health – 657,392 Individuals

The Maine health system Northern Light Health was also a victim of the ransomware attack on Blackbaud Inc. The hackers potentially gained access to its fundraising database which contained patient and donor information.

Health Share of Oregon – 654,362 Individuals

In May 2020, the Medicaid coordinated care organization Health Share of Oregon reported the theft of a laptop computer from its non-emergent medical transportation vendor. The laptop was stolen in November 2019 and was not encrypted, which potentially gave the thief access to patents’ contact information, Health Share ID numbers, and Social Security numbers.

Florida Orthopaedic Institute – 640,000 Individuals

Florida Orthopaedic Institute suffered a ransomware attack in April which saw patient information on its servers encrypted. Prior to the use of ransomware, patient data may have been viewed or obtained by the hackers.

Elkhart Emergency Physicians – 550,000 Individuals

Elkhart Emergency Physicians reported a breach in May 2020 involving the improper disposal of patient records by a third-party storage vendor – Central Files Inc. Elkhart Emergency Physicians was the worst affected entity, but several other clients of the vendor were also impacted by the breach. The records had been dumped without being shredded after the storage facility permanently closed.

Aetna ACE – 484,157 Individuals

Aetna reported a data breach in December which occurred at business associate EyeMed, which provides vision benefit services for its members. The breach occurred when an EyeMed employee responded to a phishing email, which allowed the attacker to gain access to email accounts containing PHI. Several EyeMed clients were affected by the breach.

Saint Luke’s Foundation – 360,212 Individuals

Kansas City, MO-based Saint Luke’s Foundation was also a victim of the ransomware attack on Blackbaud Inc. The hackers potentially gained access to its fundraising database which contained patient and donor information.

NorthShore University Health System – 348,746 Individuals

Evanston, IL-based NorthShore University Health System was also affected by the ransomware attack on Blackbaud Inc. The hackers potentially gained access to its fundraising database.

SCL Health Colorado – 343,493 Individuals

SCL Health Colorado was also a victim of the Blackbaud ransomware attack. The PHI of patients in its Colorado, Montana and Kansas locations was potentially accessed by the attackers.

AdventHealth – 315,811 Individuals

The Altamonte Springs, FL-based healthcare system AdventHealth was also a victim of the Blackbaud ransomware attack which saw the hackers gain access to its fundraising database.

Nuvance Health – 314,829 Individuals

Nuvance Health was a victim of the ransomware attack on Blackbaud Inc. The hackers potentially gained access to its fundraising database between February and May.

Magellan Rx Management – 314,704 Individuals

Magellan Rx Management was one of the victims of the ransomware attack on its parent company, Magellan Health, in April. The hackers potentially stole patient data prior to encrypting files.

The Baton Rouge Clinic – 308,169 Individuals

The Baton Rouge Clinic in Louisiana experienced a cyberattack in early July involving ransomware. The attackers potentially viewed or obtained patient data prior to the deployment of ransomware.

The post Largest Healthcare Data Breaches in 2020 appeared first on HIPAA Journal.

More Than 114,000 Patients Affected by Wilmington Surgical Associates Ransomware Attack

Posted by HIPAA Journal

In October 2020, the NetWalker ransomware gang claimed responsibility for a ransomware attack on the North Carolina-based surgical center, Wilmington Surgical Associates. The gang claimed to have stolen around 13GB of data prior to deploying NetWalker ransomware and encrypting files. The stolen batch of data included thousands of documents containing sensitive information.

HIPAA Journal has not yet been able to obtain a copy of the breach notification; however, the ransomware attack has now appeared on the HHS’ Office for Civil Rights breach portal and shows the PHI of 114,834 patients was compromised in the attack.

The NetWalker ransomware gang targets healthcare providers and the gang has stepped up its attacks in 2020. The gang was behind the ransomware attack on the University of California San Francisco and stole sensitive and valuable research data. The University felt it had no alternative other than to pay the $1.14 million ransom to recover the encrypted data.

Other healthcare providers attacked with NetWalker ransomware this year include the Crozer-Keystone Health System in Philadelphia, the Champaign-Urbana Public Health District in Illinois, and Brno University Hospital in the Czech Republic. The group also targets universities and was behind the 2020 ransomware attacks on Michigan State University and Columbia College of Chicago

According to a report released by the cybersecurity firm McAfee in August 2020, the NetWalker gang had been paid at least $29 million in ransom payments since March 2020, making it one of the most successful ransomware-as-a-service operations.

The group is known to attack large companies and high value targets, and this year started recruiting affiliates specialized in conducting targeted attacks on large enterprises, especially attacks on firewalls, Virtual Private Networks, web application interfaces, and Remote Desktop Protocol connections. As is the case with other manual ransomware threat groups, data is stolen prior to encryption and is released publicly on dark net sites if the ransom is not paid.

The increase in activity of the gang prompted the FBI to issue a flash alert in July 2020 warning healthcare organizations, educational institutions, private sector companies, and government agencies about the increased risk of attack.

The post More Than 114,000 Patients Affected by Wilmington Surgical Associates Ransomware Attack appeared first on HIPAA Journal.