HIPAA Breach News

Two Florida Healthcare Providers Attacked with Ransomware

The Tampa, FL-based Agency for Community Treatment Services, Inc. (ACTS) is alerting certain patients that some of their protected health information has potentially been compromised in an October 21, 2020 cyberattack.

The security breach was detected on October 23 when ransomware was deployed. The hackers gained access to parts of the ACTS server and data infrastructure and encrypted files to prevent access. Systems were taken offline to prevent further unauthorized access and third-party computer forensic experts were engaged to assist with the investigation and determine the scope of the breach.

The investigation did not uncover specific evidence that patient data had been accessed or exfiltrated, but ACTS noted that the attackers had gone to considerable lengths to conceal their activity, so unauthorized access to, or theft of, the information stored on the breached systems could not be ruled out.

The review of the compromised systems revealed they contained patient names, dates of birth, Social Security numbers, and medical records containing information such as diagnoses, treatment information, and health insurance information related to the services provided to patients between 2000 and 2013.

ACTS restored the encrypted data from backups and did not pay the ransom. Steps have since been taken to strengthen security and prevent further attacks. Since patient data may have been compromised, ACTS is providing complimentary credit monitoring and identity theft protection services to all affected individuals.

Leon Medical Centers Attacked with Conti Ransomware

Leon Medical Centers, a network of 8 medical centers in Miami and Hialeah in Florida, experienced a Conti ransomware attack in which the protected health information of patients was allegedly stolen. The attackers issued a ransom demand and threatened to publish the records of patients stolen prior to the deployment of ransomware.

The attackers claimed the data stolen included patient names, addresses, Social Security numbers, diagnoses, treatment information, health insurance information, and patient photographs. They claim to have obtained the PHI of more than 1 million patients, although that claim has been refuted by Leon Medical Centers, which maintains the amount of data stolen has been grossly overstated.

The attack occurred prior to December 22, 2020 and Leon Medical Centers is still investigating the breach. At this stage it is unclear exactly what information was stolen and how many patients have been impacted.

Proliance Surgeons Announce Corporate Website Breach

Proliance Surgeons, a Seattle, WA-based surgical practice, has suffered a breach of its corporate website in which payment card information may have been stolen. In a December 23, 2020 breach notice, the practice explained that its investigation revealed the attackers had access to the website between November 13, 2019 and June 24, 2020. During that time, the attackers potentially accessed and obtained cardholder names, card numbers, expiry dates, and zip codes. No other protected health information was involved. The breach was limited to individuals who paid for services online, not individuals who paid over the phone or in person.

The cause of the breach has been identified and addressed, and a new website with a different payment platform and stronger security protections has been implemented. Proliance has coordinated with the major payment card providers to prevent unauthorized charges on the affected cards. Individuals affected by the breach have been advised to check their statements carefully and to report any unauthorized charges to their card provider.

The post Two Florida Healthcare Providers Attacked with Ransomware appeared first on HIPAA Journal.

484,000 Aetna Members Impacted by EyeMed Phishing Incident

Aetna has announced more than 484,000 of its members have been impacted by a data breach at a business associate that provides services for members of its vision benefits plans. In July 2020, an unauthorized individual gained access to an email account of an employee of Cincinnati-based EyeMed and used the email account to send further phishing emails to individuals in the address book of the mailbox.

EyeMed investigated the breach and determined the mailbox contained the protected health information of 484,157 Aetna members, 60,545 members of Tufts Health Plan, and around 1,300 members of Blue Cross Blue Shield of Tennessee. No evidence of data theft or misuse of PHI was identified, although it was not possible to rule out data theft with a high degree of certainty. Affected health plans were notified about the breach in September.

The compromised email account contained information such as members’ names, dates of birth, vision insurance ID numbers, health insurance ID numbers and, for a limited number of individuals, Social Security numbers, birth certificates, diagnoses, and financial information. The breach only impacted current and former members of the above health plans who received vision benefits through EyeMed.

A spokesperson for EyeMed said, “To help prevent something like this from happening again, we have taken prompt action to enhance the protections that were already in place before the incident, including additional network security measures and security awareness training.”

Midwest Geriatric Management BEC Attack Impacts 4,800 Individuals

Midwest Geriatric Management (MGM) Healthcare has notified 4,814 individuals that some of their protected health information was potentially compromised in a business email compromise attack. A fraudster impersonated the CFO and sent an email to an MGM employee requesting a spreadsheet be sent via email. Believing the request to be genuine, the employee responded and sent the spreadsheet as requested.

Email security features were in place that should block attacks such as this, but in this case those security features were circumvented. The spreadsheet contained names, account balances, and the name of the relevant facility. No other information was compromised.

MGM’s investigation revealed this was an isolated incident and no other systems were compromised. Further training has been provided to employees on email security and, out of an abundance of caution, all affected individuals have been offered a complimentary membership to myTrueIdentity identity theft protection services.

TennCare Mailing Vendor Breach Impacts 3,300 Members

Tennessee’s state Medicaid health plan, TennCare, has announced that an error at a mailing vendor has exposed a limited amount of the protected health information of approximately 3,300 of its members.

Gainwell, which runs TennCare’s Medicaid Management Information System, discovered that mailings sent to TennCare members by its mailing vendor, Axis Direct, in late 2019 and 2020 had been misaddressed and delivered to the wrong recipients.

TennCare was notified about the breach on October 23, 2020. Gainwell has provided assurances that the cause of the error has been identified and steps have been taken to ensure similar incidents do not occur in the future. Affected individuals have been offered complimentary membership to credit monitoring services.

PHI of Premier Kids Care, Inc. of Georgia Patients Compromised

Premier Kids Care, Inc. (PKC) of Georgia has discovered an unauthorized individual gained access to its systems and obtained a limited amount of patient data. The breach was initially discovered on April 6, 2020. It is unclear why it took 8 months for breach notifications to be issued.

The types of information stored on the compromised computer included names, addresses, telephone numbers, dates of birth, treatment information, and health insurance information. Affected individuals have been offered a complimentary 12-month membership to identity theft protection and credit monitoring services.

Former GenRx Pharmacy Patients’ PHI Potentially Compromised in Ransomware Attack

Scottsdale, AZ-based GenRx Pharmacy is alerting certain patients that some of their protected health information has potentially been compromised in a ransomware attack. The attack was detected on September 28, 2020 and the IT team acted quickly and terminated the attacker’s access to its systems the same day. The investigation confirmed ransomware was deployed on September 27, 2020 and that, prior to its deployment, a small number of files containing protected health information had been exfiltrated by the attackers.

A review of the stolen files revealed they contained protected health information such as names, addresses, dates of birth, gender, allergy information, patient IDs, prescription transaction IDs, medication lists, health plan information, and prescription information. Social Security numbers are not collected by the pharmacies and financial information is not retained, so that information could not have been compromised. GenRx Pharmacy had valid backups that were used to restore the encrypted data and no ransom was paid.

While the number of individuals affected is currently unclear, GenRx Pharmacy said fewer than 5% of former patients have been affected. Since the attack, GenRx has upgraded its firewall, improved its anti-virus software, implemented a web filter, enhanced network monitoring, added multi-factor authentication, and installed a real-time intrusion detection system. Employees have also received additional training and internal policies and procedures have been updated. Further controls and measures are also being considered to enhance security.

Nebraska Methodist Health System and Texas Tech University Health Sciences Center Impacted by Blackbaud Ransomware Attack

Two further victims of the ransomware attack on the cloud service provider Blackbaud have announced they have been affected by the incident.

Nebraska Methodist Health System has confirmed that 39,912 individuals have had some of their personal and protected health information compromised in the attack and Texas Tech University Health Sciences Center has reported the breach as affecting 37,000 individuals.

Blackbaud provided both entities with customer relationship management and financial services tools which were used for fundraising purposes. Between February 7, 2020 and May 20, 2020, hackers had access to Blackbaud’s systems and may have acquired backup copies of customer databases before deploying ransomware. Blackbaud paid the ransom and received assurances that the stolen data had been deleted.

Nebraska Methodist Health System said the following information was compromised: Names, demographic and contact information, medical record numbers, reasons for visits, treating physicians, treating facilities, and encounter types (i.e. inpatient, outpatient surgery, observation, or emergency outpatient).

The Texas Tech University Health Sciences Center database contained names, mailing addresses, telephone numbers, email addresses, dates of birth, TTUHSC medical record numbers, physician names and specialty.

OCR Announces its 19th HIPAA Penalty of 2020

The Department of Health and Human Services’ Office for Civil Rights (OCR) has settled a HIPAA Right of Access compliance case with Peter Wrobel, M.D., P.C., doing business as Elite Primary Care.

Elite Primary Care is a provider of primary health services in Georgia. OCR launched a compliance investigation after receiving a complaint on April 22, 2019 from an Elite Primary Care patient who alleged he had been denied access to his health records. OCR contacted the practice and provided technical assistance on the HIPAA Right of Access on May 2, 2019. OCR advised the practice to review the facts of the request and provide access to the requested records if the request met the requirements of the HIPAA Privacy Rule.

The patient subsequently submitted a request for access in writing which was received by the practice on June 5, 2019. The patient filed a second complaint with OCR on October 9, 2019, as the practice continued to deny him access to his requested records.

Elite Primary Care sent the patient’s medical records to his new healthcare provider on November 21, 2019 and provided the patient with a copy of those records on May 8, 2020.

OCR concluded the delay in providing the patient with a copy of his requested records was in violation of the HIPAA Right of Access (45 C.F.R. § 164.524).

Under the terms of the settlement, Elite Primary Care will pay a financial penalty of $36,000 and adopt a corrective action plan that includes developing, implementing, maintaining, and revising, as necessary, written policies and procedures related to the HIPAA Right of Access provision of the HIPAA Privacy Rule. Once those policies and procedures have been checked by OCR, training will be provided to relevant members of its workforce.

The settlement was agreed with no admission of liability. OCR will monitor Elite Primary Care for 2 years to ensure continued compliance.

This is the thirteenth settlement to be announced by OCR under its HIPAA Right of Access enforcement initiative and the nineteenth HIPAA financial penalty to be announced in 2020.

“OCR created the Right of Access Initiative to address the many instances where patients have not been given timely access to their medical records. Health care providers, large and small, must ensure that individuals get timely access to their health records, and for a reasonable cost-based fee,” said OCR Director Roger Severino.

November 2020 Healthcare Data Breach Report

For the second successive month, the number of reported healthcare data breaches has fallen; however, it should be noted that the number of breaches reported in October 2020 was almost three times the average monthly number due, in a large part, to the ransomware attack on the cloud service provider Blackbaud.

November saw 47 data breaches of 500 or more healthcare records reported to the HHS’ Office for Civil Rights by HIPAA-covered entities and business associates, 25.39% fewer than October. Even with that reduction, breaches are still well above the 12-month average of 41 data breaches a month (Median = 38 breaches).

 

The number of healthcare records exposed in healthcare data breaches similarly fell for the second successive month. In November, 1,139,151 healthcare records were exposed or impermissibly disclosed, a 54.73% fall from October. The average number of monthly breached healthcare records over the past 12 months is 1,885,959 records and the median is 1,101,902 records.

Exposed healthcare records past 12 months

Largest Healthcare Data Breaches Reported in November 2020

Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Type of Breach | Cause
AspenPointe, Inc. | CO | Healthcare Provider | 295,617 | Hacking/IT Incident | Ransomware attack
Lawrence General Hospital | MA | Healthcare Provider | 176,587 | Hacking/IT Incident | Unspecified data security incident
Alamance Skin Center | NC | Healthcare Provider | 100,000 | Loss | Ransomware attack
Mercy Iowa City | IA | Healthcare Provider | 92,795 | Hacking/IT Incident | Phishing
Bayhealth Medical Center, Inc. | DE | Healthcare Provider | 78,006 | Hacking/IT Incident | Blackbaud ransomware attack
Tufts Health Plan | MA | Health Plan | 60,545 | Hacking/IT Incident | Phishing attack on vendor
Bruce L. Boros, M.D., P.A. DBA Advanced Urgent Care | FL | Healthcare Provider | 58,823 | Unauthorized Access/Disclosure | Ransomware attack
Methodist Hospital of Southern California | CA | Healthcare Provider | 39,881 | Hacking/IT Incident | Blackbaud ransomware attack
One Touch Point | WI | Business Associate | 28,658 | Unauthorized Access/Disclosure | Unknown
People Incorporated | MN | Healthcare Provider | 27,500 | Hacking/IT Incident | Phishing
Chesapeake Regional Healthcare | VA | Healthcare Provider | 24,000 | Hacking/IT Incident | Blackbaud ransomware attack
Seeley Enterprises Company | OH | Healthcare Provider | 16,196 | Hacking/IT Incident | Ransomware attack
Golden Gate Regional Center | CA | Business Associate | 11,315 | Hacking/IT Incident | Ransomware attack
Galstan & Ward Family and Cosmetic Dentistry | VA | Healthcare Provider | 10,759 | Hacking/IT Incident | Ransomware attack
Kaiser Foundation Health Plan of Georgia, Inc. | GA | Health Plan | 10,205 | Unauthorized Access/Disclosure | Unknown

Causes of November 2020 Healthcare Data Breaches

Hacking/IT incidents continue to dominate the breach reports, both in terms of the number of breaches and the number of breached records. There were 23 hacking/IT incidents reported in November – 48.94% of all breaches reported in the month. 867,983 records were exposed or stolen in those breaches – 76.2% of all records breached in November. The average breach size was 37,738 records and the median breach size was 8,000 records.

There were 19 data breaches classed as unauthorized access/disclosure incidents – 40.43% of the month’s data breaches. 166,115 healthcare records were improperly accessed or impermissibly disclosed in those incidents – 14.58% of the breached records in November. The average breach size was 8,723 records and the median breach size was 3,557 records.

There were 4 loss/theft incidents reported in November (2 loss, 2 theft), 8.51% of the month’s breaches. 103,053 healthcare records were exposed or stolen in those incidents, 9.05% of the records breached in November. The average breach size was 25,763 records and the median breach size was 1,265 records. There was also one incident involving the improper disposal of paperwork that contained the PHI of an estimated 2,000 individuals.

 

The chart below shows the location of breached protected health information. Up until September 2020, email was the most common location of breached patient data, with the majority of those breaches the result of phishing attacks. That changed in September due to the ransomware attack on Blackbaud. Entities impacted by that data breach continue to submit breach reports, albeit at a low level, with network server incidents remaining high due to the healthcare industry continuing to be targeted by ransomware gangs. Phishing attacks continue to be a problem in healthcare, with 13 large data breaches reported involving PHI stored in email accounts.

Healthcare Data Breaches by Covered Entity Type

Healthcare providers were the worst affected covered entity in November. 34 healthcare providers reported data breaches and 6 data breaches were reported by health plans.

7 data breaches were reported by business associates of HIPAA covered entities; however, 16 breaches in total had some business associate involvement, with 9 of those breaches reported by the covered entity.

Healthcare Data Breaches by State

The November data breaches were reported by HIPAA-covered entities and business associates in 23 states and the District of Columbia. Ohio was the worst affected state with 5 breaches reported, followed by Georgia and Maine with 4, and California, Florida, and Texas with 3 breaches.

Two healthcare data breaches of 500 or more records were reported by entities based in Arkansas, Delaware, Illinois, Kentucky, Maryland, Michigan, and Virginia. One breach was reported in each of Alabama, Colorado, Iowa, Idaho, Louisiana, Minnesota, North Carolina, New Mexico, Pennsylvania, Wisconsin, and the District of Columbia.

HIPAA Enforcement Activity in November 2020

There were three HIPAA enforcement actions announced by the HHS’ Office for Civil Rights in November, all of which were part of its HIPAA Right of Access enforcement initiative. OCR announced the new enforcement initiative in 2019 to crack down on healthcare providers that fail to provide patients with timely access to their health records for a reasonable cost-based fee.

In all three cases, the healthcare providers did not provide a copy of the requested records within the 30-day time frame required by the HIPAA Privacy Rule.

University of Cincinnati Medical Center settled with OCR and paid a $65,000 penalty, Riverside Psychiatric Medical Group paid a $25,000 penalty, and Dr. Rajendra Bhayani paid a $15,000 penalty. Under this enforcement initiative, OCR has imposed 12 financial penalties on covered entities, 10 of which have been in 2020.

OCR HIPAA Audits Industry Report Identifies Common Areas of Noncompliance with the HIPAA Rules

The Department of Health and Human Services’ Office for Civil Rights has published its 2016-2017 HIPAA Audits Industry Report, highlighting areas where HIPAA-covered entities and their business associates are complying or failing to comply with the requirements of the Health Insurance Portability and Accountability Act.

The Health Information Technology for Economic and Clinical Health (HITECH) Act requires the HHS to conduct periodic audits of HIPAA covered entities and business associates to assess compliance with the HIPAA Rules. Between 2016 and 2017, the HHS conducted its second phase of compliance audits on 166 covered entities and 41 business associates to assess compliance with certain provisions of the HIPAA Privacy, Security, and Breach Notification Rules.

The 2016/2017 HIPAA compliance audits were conducted on a geographically representative, broad cross-section of covered entities and business associates and consisted of desk audits – remote reviews of HIPAA documentation – rather than on-site audits. All entities have since been notified of the findings of their individual audits.

The 2016-2017 HIPAA Audits Industry Report details the overall findings of the audits, including key aspects of HIPAA compliance that are proving problematic for covered entities and business associates.

In the report, OCR gives each audited entity a rating based on their level of compliance with each specific provision of the HIPAA Rules under assessment. A rating of 1 indicates the covered entity or business associate was fully compliant with the goals and objectives of the selected standards and implementation specifications. A rating of 2 means the entity substantially met the criteria and maintained adequate policies and procedures and could supply documentation or other evidence of compliance.

A rating of 3 means the entity minimally addressed the audited requirements and had made some attempt to comply, although had failed to comply fully or had misunderstood the HIPAA requirements. A rating of 4 means the entity made negligible efforts to comply, such as supplying policies and procedures for review that were copied directly from an association template or providing poor or generic documentation as evidence of training. A rating of 5 means OCR was not provided with evidence of a serious attempt to comply with the HIPAA Rules.

The table below summarizes the audit results on key provisions of the HIPAA Rules. The blue and red figures indicate the most common rating in each category, with blue corresponding to mostly ratings of 1 or 2 (compliant) and red indicating implementation was inadequate, negligible, or absent.

The table clearly shows that most audited entities largely failed to successfully implement the HIPAA Rules requirements.

OCR 2016-2017 HIPAA Audits Industry Report

Most covered entities complied with the requirement of the Breach Notification Rule to send timely notifications in the event of a data breach. HIPAA requires those notifications to be sent within 60 days of the discovery of a data breach; however, most covered entities failed to include all the required information in their breach notifications.

The audits revealed widespread compliance with the requirement to create and prominently post a Notice of Privacy Practices on their website. The Notice of Privacy Practices gives a clear, user-friendly explanation of individuals’ rights with respect to their personal health information and details the organization’s privacy practices. However, most audited entities failed to include all the required content in their Notice of Privacy Practices.

The individual right of access is an important provision of the HIPAA Privacy Rule. Individuals have the right to obtain and inspect their health information. Most covered entities failed to properly implement the requirements of the HIPAA Right of Access, which includes providing access to or a copy of the PHI held within 30 days of receiving a request and only charging a reasonable cost-based fee for access.

The first phase of HIPAA compliance audits conducted by OCR in 2012 revealed widespread noncompliance with the requirement to conduct a comprehensive, organization-wide risk analysis to identify vulnerabilities and risks to the confidentiality, integrity, and availability of protected health information. In its enforcement activities over the past 11 years, a risk analysis failure is the most commonly cited HIPAA violation.

HIPAA covered entities are still failing in this important provision of the HIPAA Security Rule, with the latest round of audits revealing most audited entities failed to implement the HIPAA Security Rule requirements for risk analysis and risk management.

“The audit results confirm the wisdom of OCR’s increased enforcement focus on hacking and OCR’s Right of Access initiative,” said OCR Director Roger Severino. “We will continue our HIPAA enforcement initiatives until health care entities get serious about identifying security risks to health information in their custody and fulfilling their duty to provide patients with timely and reasonable, cost-based access to their medical records.”

You can view the full 2016-2017 HIPAA Audits Industry Report on this link: https://www.hhs.gov/sites/default/files/hipaa-audits-industry-report.pdf.

FTC Settles 2019 Consumer Data Breach Case with SkyMed

The Nevada-based emergency services provider SkyMed has reached a settlement with the Federal Trade Commission (FTC) following an audit of its information security practices in the wake of a 2019 data breach that exposed consumers’ personal information.

SkyMed was notified by security researcher Jeremiah Fowler in 2019 that it had a misconfigured Elasticsearch database that was leaking patient information. The lack of protection meant the records of 136,995 patients could be accessed over the internet without the need for any authentication. The database could be accessed using any Internet browser and personal information in the database could be downloaded, edited, or even deleted.

The database contained information such as patient names, addresses, email addresses, dates of birth, membership account numbers, and health information, according to Fowler. Fowler also identified artifacts related to ransomware in the database. When notified about the exposed database, SkyMed launched an investigation but found no evidence to indicate any information in the database had been misused.
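The exposure described above is a misconfiguration a defender can test for directly, because an open Elasticsearch node identifies itself to an unauthenticated GET on its HTTP port. The script below is an added example, not code from HIPAA Journal, SkyMed, or the researcher who reported the leak: it requests the root endpoint of each host with no credentials, recognizes the cluster banner, and, where the node answers anonymously, counts the documents readable through the `_cat/indices` API. The hosts, ports and responses in the demo are constructed, and the fetcher is injectable so the classification logic runs offline.

```python
"""Check whether an Elasticsearch HTTP endpoint answers without credentials.

Added example: not code from the article, SkyMed, or the researcher who
reported the exposure. Hosts, ports and the sample responses below are
constructed for demonstration.
"""
import json
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

# Banner string every Elasticsearch node returns from GET / when it is reachable.
ES_TAGLINE = "You Know, for Search"

# A fetcher takes a URL and returns (http_status, body); it raises OSError when
# the host cannot be reached at all. Injecting it lets the logic run offline.
Fetcher = Callable[[str], Tuple[int, str]]


@dataclass
class Finding:
    host: str
    status: str                      # OPEN, AUTH_REQUIRED, UNREACHABLE, NOT_ELASTICSEARCH
    version: Optional[str] = None    # Elasticsearch version from the banner, if OPEN
    doc_count: Optional[int] = None  # documents readable via _cat/indices, if OPEN


def urllib_fetch(url: str, timeout: float = 5.0) -> Tuple[int, str]:
    """Default fetcher: a plain GET with no credentials, the same request an
    internet-wide scanner would send."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:  # 401/403 are answers, not failures
        return err.code, err.read().decode("utf-8", "replace")


def probe(host: str, fetch: Fetcher = urllib_fetch, scheme: str = "http") -> Finding:
    """Classify one host:port. OPEN means the cluster banner came back with no
    authentication, i.e. the kind of exposure described in the article."""
    base = f"{scheme}://{host}"
    try:
        status, body = fetch(base + "/")
    except OSError:
        return Finding(host, "UNREACHABLE")
    if status in (401, 403):
        return Finding(host, "AUTH_REQUIRED")
    if status != 200:
        return Finding(host, "NOT_ELASTICSEARCH")
    try:
        banner = json.loads(body)
    except ValueError:
        return Finding(host, "NOT_ELASTICSEARCH")
    if not isinstance(banner, dict) or banner.get("tagline") != ES_TAGLINE:
        return Finding(host, "NOT_ELASTICSEARCH")
    version = (banner.get("version") or {}).get("number")

    # The root endpoint answered anonymously; measure how much data is readable.
    doc_count = None
    try:
        status, body = fetch(base + "/_cat/indices?format=json&h=index,docs.count")
        if status == 200:
            doc_count = sum(int(row.get("docs.count") or 0) for row in json.loads(body))
    except (OSError, ValueError, AttributeError):
        pass
    return Finding(host, "OPEN", version, doc_count)


def scan(hosts, fetch: Fetcher = urllib_fetch):
    """Probe every host and return only the findings that need action."""
    return [f for f in (probe(h, fetch) for h in hosts) if f.status == "OPEN"]


if __name__ == "__main__":
    # Constructed responses standing in for three hosts on a hypothetical network.
    CANNED = {
        "http://10.0.0.5:9200/": (200, '{"name":"node-1","cluster_name":"members",'
                                       '"version":{"number":"7.9.0"},'
                                       '"tagline":"You Know, for Search"}'),
        "http://10.0.0.5:9200/_cat/indices?format=json&h=index,docs.count":
            (200, '[{"index":"members","docs.count":"136995"},'
                  '{"index":".kibana_1","docs.count":"5"}]'),
        "http://10.0.0.6:9200/": (401, '{"error":{"type":"security_exception"}}'),
    }

    def canned_fetch(url: str) -> Tuple[int, str]:
        if url not in CANNED:
            raise OSError("connection refused")
        return CANNED[url]

    for h in ("10.0.0.5:9200", "10.0.0.6:9200", "10.0.0.7:9200"):
        print(probe(h, canned_fetch))
```

Run against real hosts by passing the default fetcher: `scan(["db1.example.internal:9200"])` (hostname assumed). An OPEN finding with a non-zero document count is exactly the state the FTC faulted SkyMed for not detecting for five months; scheduling this probe from outside the network perimeter turns that into a daily check.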

It its breach notification, SkyMed explained, “Our investigation learned that some old data may have been exposed temporarily as we migrated data from an old system to a new system. At this time, the exposed data has been removed and appears to be limited to only a portion of our information and was restricted to names, street and email addresses, phone and membership ID numbers. There was no medical or payment-related information visible and no indication that the information has been misused.”

The FTC investigated the breach and conducted an audit to determine whether the FTC Act had been violated. The FTC found multiple security and breach response failures. The FTC alleged SkyMed had not investigated whether the database had been accessed by unauthorized individuals during the time protections were not in place, and that the company failed to adequately review the database to determine what information it contained. SkyMed was therefore unable to determine whether any health information had potentially been compromised. When SkyMed confirmed that the database had been exposed, the company deleted the database to prevent any unauthorized access. SkyMed also failed to identify the individuals affected by the breach.

The FTC said every page of the SkyMed website displayed a “HIPAA Compliance” seal, which gave the impression that SkyMed’s privacy and security policies were in compliance with the standards demanded by the Health Insurance Portability and Accountability Act, yet the company had not undergone a third-party audit of its information security practices and no government agency had reviewed the HIPAA compliance claims. The FTC alleged SkyMed had deceived customers for more than 5 years by displaying the HIPAA Compliance seal on its company website.

“People who bought travel protection services trusted SkyMed with their personal health information, and SkyMed had an obligation to keep that information secure,” said Andrew Smith, director of the FTC Bureau of Consumer Protection. The company’s security practices did not meet the required standards or those expected by its customers.

The FTC said “reasonable measures” to secure the personal information of individuals who signed up for its emergency services had not been implemented. SkyMed had not used any data loss prevention tools, there was a lack of access controls, and a failure to implement authentication for its networks. When a security breach occurred and a database containing personal information was exposed, SkyMed failed to detect the exposed database for 5 months, and only then because it was found by a security researcher.

The nature of the information exposed “has caused or is likely to cause substantial injury to customers,” explained the FTC. “[SkyMed] could have prevented or mitigated these information security failures through readily available, and relatively low-cost, measures.”

The FTC alleged SkyMed had engaged in unfair and/or deceptive acts or practices under Section 5 of the FTC Act, which included two counts of deception about HIPAA compliance and its breach response. SkyMed was also determined to have engaged in unfair information security practices.

Under the terms of the settlement, SkyMed is prohibited from misrepresenting its data security practices, its data breach response, how the company protects the privacy, security, integrity, and confidentiality of personal information, and its participation in any privacy or security program sponsored by a government or any third party, including any self-regulatory or standard-setting organization.

SkyMed must send breach notifications to all impacted consumers and provide information about any information that has potentially been exposed. An information security program must be implemented, which must be coordinated by a designated, qualified employee. The program must include an organization-wide risk assessment to identify potential internal and external risks, and safeguards must be implemented to ensure those risks are mitigated and personal information is protected.

Logs of database access must be created and monitored, and data encryption must be implemented for sensitive data such as financial account information, passport numbers, and health information.  Access controls are required for all data repositories containing personal data and restrictions must be put in place to limit access to sensitive data. SkyMed is also required to certify annually that it is in compliance with the requirements detailed in the FTC settlement.

Lost Storage Device Contained Unencrypted PHI of Cedar Springs Hospital Patients

Cedar Springs Hospital in Colorado Springs, CO is notifying certain patients that some of their protected health information was stored on a portable storage device that was lost in October 2020. The Colorado Department of Public Health and Environment had sent a request to the hospital to provide a copy of certain patient records on an external storage device as part of a survey. The information was provided, but the storage device was misplaced by a Colorado health department surveyor.

The state health department has a policy that requires data on external storage devices to be encrypted; however, Cedar Springs Hospital learned on October 28, 2020 that the device was not encrypted. Consequently, protected health information such as names, addresses, dates of birth, Social Security numbers, medical record numbers, patient ID numbers, diagnoses, treatment information, dates of treatment, treatment location, treating physician and prescription information could potentially be accessed by unauthorized individuals.

A review of the data on the device was completed on November 9, 2020 and affected individuals are now being notified. Additional safeguards are being implemented to prevent any further incidents of this nature from exposing patient information.

Konikoff Dental Associates Discovers Unauthorized Network Access

Konikoff Dental Associates, d/b/a Konikoff Dental Associates Harbour View, has discovered an unauthorized individual gained access to its computer network and potentially viewed or obtained patient information.

Suspicious activity was identified on its network on October 11, 2020 and an investigation was immediately launched to determine the extent and nature of the breach. Assisted by third-party forensic specialists, it was determined that unauthorized individuals had accessed certain files on the network that contained patient information.

The investigation confirmed the breach occurred between September 18, 2020 and October 13, 2020. A review of the files revealed they contained individuals’ names, addresses, dental diagnoses and treatment information, patient account numbers, billing information, dentists’ names, bank account numbers, and health insurance information.

No reports have been received that suggest patient data has been misused, and while files were accessed, no specific evidence was found to indicate patient information was actually viewed or obtained.

Staff training on data security has now been enhanced and a review of system security is being conducted. Additional safeguards will be implemented, as appropriate, to improve security.

Central Health Investigates Travis County Health District Cyberattack

Central Health in Texas is investigating a cyberattack that has affected Travis County Health District. A security incident was detected on December 4 involving unauthorized access on a computer server. An investigation is currently underway to determine the extent and scope of the breach, and whether protected health information has been compromised.

Forensic specialists have been engaged to analyze the software, hardware, and data affected. At this stage in the investigation, it does not appear that employee or patient data has been compromised. Further information on the breach will be shared at the conclusion of the investigation.

The post Lost Storage Device Contained Unencrypted PHI of Cedar Springs Hospital Patients appeared first on HIPAA Journal.

Email Account Breaches Reported by Meharry Medical College and MEDNAX Services

Meharry Medical College in Nashville, TN, has discovered an email account breach may have resulted in unauthorized individuals viewing or acquiring the protected health information of up to 20,983 patients.

The email account breach was detected and blocked around July 28, 2020. Third-party technical experts were engaged to investigate the breach and confirmed that the incident was limited to a single email account. On September 1, 2020, Meharry Medical College was informed that, given the nature of the breach, the contents of the email account may have been copied, most likely inadvertently during the standard email synchronization process.

A review of the content of the email account was performed and it was determined the email account contained patients’ full names, dates of birth, diagnoses/diagnostic codes, internal patient account numbers, provider names, and other health information. A limited number of patients also had their Social Security numbers, Medicare/Medicaid numbers, and health insurance information compromised.

Individuals whose Social Security number was potentially compromised have been offered complimentary membership to identity theft protection services.

PHI Potentially Compromised in Phishing Attack on MEDNAX Services Inc.

Sunrise, FL-based MEDNAX Services Inc., a provider of revenue cycle management and other administrative services to its affiliated physician practice groups, discovered on June 19, 2020 that unauthorized individuals had gained access to its Microsoft Office 365-hosted email system after employees responded to phishing emails.

Assisted by a national forensic firm, MEDNAX determined multiple business email accounts had been compromised between June 17, 2020 and June 22, 2020. A review of the accounts, which were separate from MEDNAX’s internal network and systems, revealed they contained patient names, guarantor names, email addresses, addresses, dates of birth, Social Security numbers, driver’s license numbers, state ID numbers, financial account information, health insurance information, Medicare/Medicaid numbers, medical and treatment information, and billing and claims information. It was not possible to determine what patient information, if any, was accessed by unauthorized individuals.

Affected individuals have been offered a complimentary 12-month membership to identity monitoring services. MEDNAX has conducted a review of its security controls and steps will be taken to enhance security to prevent similar breaches in the future.

The post Email Account Breaches Reported by Meharry Medical College and MEDNAX Services appeared first on HIPAA Journal.