HIPAA Breach News

US Fertility Reports Ransomware Attack Involving Data Theft

US Fertility has announced it suffered a ransomware attack on September 14, 2020 that affected some of its computer systems, including systems that contained sensitive protected health information. US Fertility is the largest operator of fertility clinics in the United States, running clinics at 55 locations in 10 states. Almost half of its locations are known to have been affected by the attack.

US Fertility responded immediately to the attack and determined that data had been encrypted on a number of its servers and workstations connected to its domain. Those devices were immediately taken offline while the attack was investigated. Third-party security and forensic experts were retained to assist with the investigation and the recovery of data on the affected workstations and servers. USF said it successfully restored all affected devices and reconnected them to the network on September 20, 2020. The attack has been reported to federal law enforcement and USF is assisting in the ongoing investigation.

USF said the forensic investigation has now been completed and data theft has been confirmed. The attackers first gained access to its network on August 12, 2020 and access remained possible until the attack was discovered on September 14, 2020. A review was conducted of all files accessible to the attackers, and that review was completed on November 13.

USF said unknown actors may have had access to files containing names, addresses, dates of birth, MPI numbers, and Social Security numbers. The types of data exposed varied from individual to individual and most patients did not have their Social Security number compromised.

While data theft was confirmed, there have been no reports received to indicate protected health information has been misused, but affected individuals have been advised to monitor their accounts and report any cases of suspected misuse of their protected health information.

USF has taken several steps to improve security since the attack, including fortification of its firewall, enhanced monitoring of networking activity, and further training for employees on data protection, computer security, and recognizing phishing emails.

The post US Fertility Reports Ransomware Attack Involving Data Theft appeared first on HIPAA Journal.

UVM Health Restores Electronic Health Record System One Month After Ransomware Attack

University of Vermont Health Network has announced it has brought its electronic health record (EHR) system back online, a month after experiencing a ransomware attack. The ransomware attack occurred on October 25, 2020 and caused a massive outage across all six of its hospitals. For the past month, staff have been forced to record patient information, orders, and medications using pen and paper while its computer systems were out of action.

Care continued to be provided to patients during the attack and recovery process, but the recovery of its EHR will greatly improve efficiency. The attack caused major disruption, especially at University of Vermont Medical Center in Burlington, but the attack affected its entire network. Without access to essential patient data, many elective procedures had to be rescheduled and the radiology department on the main campus experienced major delays, and was only open on a limited basis.

In a November 24, 2020 update, UVM Health announced it had achieved a major milestone in the recovery process, having brought its Epic EHR system back online for its inpatient and outpatient sites, including UVM Medical Center and the ambulatory clinics at Central Vermont Medical Center, Champlain Valley Physicians Hospital, and Porter Medical Center.

While electronic patient data is now available and staff can record patient data electronically, the recovery process is far from over and a great deal of work still needs to be done. “Our teams continue to work around the clock towards full restoration as quickly and safely as possible,” explained UVM Health.

The phone system has been restored, but patients are still unable to use the MyChart patient portal so will not be able to access their health information online. There are hundreds of other applications used across the health network to deliver care to patients, and many of those systems remain offline. UVM Health is working hard at restoring those systems and they will be systematically restored over time, with the main focus being patient-facing systems.

Several other healthcare networks were attacked with ransomware around the same time as the attack on UVM Health. St Lawrence Health System in New York was able to restore its electronic health record systems within two weeks, but Sky Lakes Medical Center has been forced to replace the majority of its networks and workstations as a result of its ransomware attack.

Ashtabula County Medical Center (ACMC) in Ohio was particularly badly affected. ACMC was attacked with ransomware on September 24, 2020, with the attack affecting the medical center and 5 of its health centers. The EHR has still not been restored two months after the attack, and a full recovery is not expected until the end of the year.


Phishing Incidents Reported by Connecticut Department of Social Services, Mercy Iowa City and LSU Care Services

Connecticut Department of Social Services (DSS) has reported a potential breach of the protected health information of 37,000 individuals as a result of a series of phishing attacks that occurred between July and December 2019.

Several email accounts were compromised and were used to send spam emails to several DSS employees, the investigation of which confirmed the phishing attacks. A comprehensive investigation was conducted using state information technology resources and a third-party forensic IT firm, but no evidence was found to indicate the attackers had accessed patient information in the email accounts. According to the DSS breach notice, “Due to the large volume of emails involved and the nature of the phishing attack, the forensic efforts could not determine with certainty that the hackers did not access personal information.”

Identity theft protection services have been offered to affected individuals as a precaution and steps have been taken to improve email security and better protect against phishing attacks in the future.

More Than 92,000 Individuals Affected by Mercy Iowa City Phishing Attack

Mercy Iowa City has started notifying 92,795 individuals that some of their protected health information was potentially compromised in a phishing attack. The attack involved a single email account which was accessed by an unauthorized individual between May 15, 2020 and June 24, 2020. The email account was used to send spam and phishing emails.

A review of the compromised account revealed it contained names, dates of birth, Social Security numbers, driver’s license numbers, treatment information, and health insurance information. Individuals whose driver’s license number or Social Security number was potentially compromised have been offered complimentary credit monitoring services for 12 months.

Mercy Iowa City has implemented additional safeguards to prevent further attacks, including multi-factor authentication on email accounts.

LSU Health Care Services Suffers Phishing Attack

The Louisiana State University (LSU) Health New Orleans Health Care Services Division has announced that an unauthorized individual has accessed the email account of an employee and potentially viewed or obtained the information of patients of several hospitals in Louisiana.

The email account was breached on September 15, 2020. The attack was discovered on September 18 and the email account was immediately disabled. An investigation was launched but no evidence was found to indicate patient information in the emails and attachments was accessed or obtained by the individual responsible.

A review of the breached email account revealed it contained the protected health information of patients of the following hospitals:

  • University Medical Center in Lafayette
  • Lallie Kemp Regional Medical Center in Independence
  • Leonard J. Chabert Medical Center in Houma
  • O. Moss Regional Medical Center in Lake Charles
  • Bogalusa Medical Center in Bogalusa
  • Interim LSU Hospital in New Orleans
  • Earl K. Long Medical Center in Baton Rouge

The types of information potentially compromised varied from patient to patient and medical center to medical center, but may have included names, phone numbers, addresses, medical record numbers, account numbers, dates of birth, Social Security numbers, dates of service, types of services received, insurance ID numbers, and a limited amount of financial account information and health information. The investigation into the breach is continuing, but so far “thousands” of patients are known to have had their information exposed.

LSU Health is currently evaluating additional security measures to better protect against further attacks and additional information security training has been provided to employees.


Three More Healthcare Providers Suffer Cyberattacks Involving Ransom Demands

Three healthcare providers in New York, Florida, and Georgia have started notifying patients that some of their protected health information was potentially compromised in recent cyberattacks, two of which involved ransomware and one of which involved an unspecified computer virus.

Four Winds Hospital, NY

Four Winds Hospital in Katonah, NY, discovered files had been encrypted by ransomware on or around September 1, 2020. The attack prevented the hospital from accessing its computer systems and resulted in downtime of around two weeks while the attack was mitigated.

Upon discovery of the attack, steps were immediately taken to prevent any further unauthorized system access and third-party cybersecurity experts were engaged to help identify the scope of the attack and whether patient data had been compromised.

According to Four Winds Hospital’s substitute breach notice, “[The cybersecurity experts] obtained evidence that the cybercriminals deleted any files in their possession, although that evidence cannot be independently verified.” That suggests a ransom was paid, although that has not been confirmed by Four Winds Hospital.

The attack did not involve the electronic medical record system, cloud environment, email, or encrypted data fields. The investigation revealed password protected files were accessed and patient lists from 1983 to present could potentially have been viewed. Those lists included names and medical record numbers, with around 100 records containing Social Security numbers. Miscellaneous files containing patient data from 2013 to present may also have been accessed. Those files included names, treatment information, and the Social Security numbers of Medicare patients admitted prior to 2019.

The breach has yet to appear on the HHS’ Office for Civil Rights breach portal so it is unclear how many patients have been affected.

Advanced Urgent Care of Florida Keys

Advanced Urgent Care of Florida Keys started issuing notifications to patients on November 6, 2020 about a ransomware attack that occurred on March 1, 2020. While not stated in the breach notice, Databreaches.net previously reported (on March 14, 2020) that patient data was stolen in the attack and was dumped online when the ransom demand was not paid.

According to the Advanced Urgent Care breach notice, an investigation was launched following the attack, and it took until September 11, 2020 to determine that patient data had been compromised. The attack saw files encrypted on a backup drive that contained protected health information, including names, dates of birth, health insurance information, medical treatment information, medical diagnostic information, lab results, medical record numbers, Medicare or Medicaid beneficiary numbers, medical billing information, bank account information, credit or debit card information, CHAMPUS ID numbers, Military and/or Veterans Administration numbers, driver’s license numbers, signatures, and Social Security numbers.

Complimentary credit monitoring services have been offered to patients whose Social Security number was compromised and steps have been taken to improve security to prevent further attacks and to identify and remediate future threats.

Galstan & Ward Family and Cosmetic Dentistry, GA

Galstan & Ward Family and Cosmetic Dentistry in Suwanee, GA, has reported a ransom event involving a computer virus on one of its servers. In contrast to ransomware attacks where files are encrypted and a ransom note is placed on infected computers, Galstan & Ward said the practice was contacted by telephone and told that a computer server had been infected with a virus. A ransom was then demanded over the telephone.

Galstan & Ward had previously detected suspicious activity on the server and had arranged for a third-party vendor to wipe the server and restore data from a backup. No ransom was paid, and Galstan & Ward reports no significant disruption to services or data loss. However, on September 11, 2020, Galstan & Ward discovered files had been stolen and published online on a dark web website, although those files did not contain any patient information.

The contracted IT firm confirmed that the malware had been removed and found no evidence to indicate patient information in its dental practice software was accessed. Additional investigations similarly found no evidence to indicate patient data was accessed or acquired.

Notifications were issued to patients out of an abundance of caution since it was not possible to rule out the possibility of unauthorized PHI access. If the attackers accessed the dental software system, they could have viewed names, dates of birth, addresses, Social Security numbers, and dental records.

In its comprehensive substitute breach notice, Galstan & Ward said cryptographic technology is now used to protect patient data and additional data security measures have been implemented on its web server infrastructure. Affected individuals have been offered complimentary identity theft protection services through IDX.


October 2020 Healthcare Data Breach Report

October saw well above average numbers of data breaches reported to the HHS’ Office for Civil Rights. There were 63 reported breaches of 500 or more records, which is a 33.68% reduction from September but still 41.82% more breaches than the monthly average over the last 12 months. The elevated numbers of breaches can be partly explained by continued reports from healthcare organizations that were impacted by the ransomware attack on the cloud software firm Blackbaud.

[Figure: Healthcare data breaches, Sept 2019 to Oct 2020]

The protected health information of more than 2.5 million individuals was exposed or compromised in those 63 breaches, which is 74.08% fewer records than September, but still 26.81% more than the monthly average number of breached records over the past 12 months.

[Figure: Healthcare records breached in the past 12 months]

Largest Healthcare Data Breaches Reported in October 2020

| Name of Covered Entity | Covered Entity Type | Type of Breach | Individuals Affected | Breach Cause |
|---|---|---|---|---|
| Luxottica of America Inc. | Business Associate | Hacking/IT Incident | 829,454 | Ransomware Attack |
| AdventHealth Orlando | Healthcare Provider | Hacking/IT Incident | 315,811 | Blackbaud Ransomware |
| Presbyterian Healthcare Services | Healthcare Provider | Hacking/IT Incident | 193,223 | Phishing Attack |
| Sisters of Charity of St. Augustine Health System | Healthcare Provider | Hacking/IT Incident | 118,874 | Blackbaud Ransomware |
| Timberline Billing Service, LLC | Business Associate | Hacking/IT Incident | 116,131 | Ransomware Attack |
| Greenwich Hospital | Healthcare Provider | Hacking/IT Incident | 95,000 | Blackbaud Ransomware |
| OSF HealthCare System | Healthcare Provider | Hacking/IT Incident | 94,171 | Blackbaud Ransomware |
| Geisinger | Healthcare Provider | Hacking/IT Incident | 86,412 | Blackbaud Ransomware |
| CCPOA Benefit Trust Fund | Health Plan | Hacking/IT Incident | 80,000 | Ransomware Attack |
| Ascend Clinical, LLC | Healthcare Provider | Hacking/IT Incident | 77,443 | Phishing and Ransomware Attack |
| Centerstone of Tennessee, Inc. | Healthcare Provider | Hacking/IT Incident | 50,965 | Phishing Attack |
| Georgia Department of Human Services | Healthcare Clearing House | Hacking/IT Incident | 45,732 | Phishing Attack |
| Connecticut Department of Social Services | Health Plan | Hacking/IT Incident | 37,000 | Phishing Attack |
| State of North Dakota | Healthcare Provider | Hacking/IT Incident | 35,416 | Phishing Attack |
| AdventHealth Shawnee Mission | Healthcare Provider | Hacking/IT Incident | 28,766 | Blackbaud Ransomware |

Causes of October 2020 Healthcare Data Breaches

As the above table shows, the healthcare industry in the United States has faced a barrage of ransomware attacks. Two thirds of the largest 15 data breaches reported in October involved ransomware. CISA, the FBI, and the HHS issued a joint alert in October after credible evidence emerged indicating the Ryuk ransomware gang was targeting the healthcare industry, although that is not the only ransomware gang that is conducting attacks on the healthcare sector.

Phishing attacks continue to plague the healthcare industry. Phishing emails are often used to deliver Trojans such as Emotet and TrickBot, along with the Bazar Backdoor, which act as ransomware downloaders.

Phishing and ransomware attacks are classed as hacking/IT incidents on the HHS breach portal. In total there were 46 hacking/IT incidents reported to the HHS’ Office for Civil Rights in October – 73% of all reported breaches in October – and 2,450,645 records were breached in those incidents – 97.39% of all records breached in the month. The mean breach size was 53,275 records and the median breach size was 13,069 records.

There were 12 unauthorized access/disclosure incidents reported in October involving 54,862 healthcare records. The mean breach size was 4,572 records and the median breach size was 1,731 records. There were 4 reported cases of theft of paperwork or electronic devices containing PHI. The mean breach size was 4,290 records and the median breach size was 1,293 records. One incident was reported that involved the improper disposal of computer equipment that contained the ePHI of 4,290 individuals.

[Figure: Causes of October 2020 healthcare data breaches]

The graph below shows where the breached records were located. The high number of network server incidents shows the extent to which malware and ransomware were used in attacks. Almost a third of the attacks involved ePHI stored in email accounts, most of which were phishing attacks. Several breaches involved ePHI stored in more than one location.

[Figure: Location of PHI in October 2020 healthcare data breaches]

Healthcare Data Breaches by Covered Entity Type

Healthcare providers were the worst affected covered entity type in October with 54 breaches reported, followed by health plans with 3 breaches and one breach at a healthcare clearinghouse. While there were only 5 data breaches reported by business associates of covered entities, business associates were involved in 23 data breaches in October, with 18 of the incidents being reported by the affected covered entity.

[Figure: October 2020 healthcare data breaches by covered entity type]

Healthcare Data Breaches by State

October’s 63 data breaches were spread across 27 states. Connecticut was the worst affected state with 7 breaches, followed by California and Texas with 5 each, Florida, Ohio, Pennsylvania, and Virginia with 4 apiece, Iowa and Washington with 3, and Arkansas, Michigan, New Mexico, New York, Tennessee, and Wisconsin with 2. A single breach was reported in each of Georgia, Hawaii, Illinois, Indiana, Kansas, Louisiana, Maine, Minnesota, Missouri, North Dakota, New Jersey, and South Carolina.

HIPAA Enforcement Activity in October 2020

2020 has seen more financial penalties imposed on covered entities and business associates than any other year since the HIPAA Enforcement Rule gave OCR the authority to issue financial penalties for noncompliance. Up to October 30, 2020, OCR has announced 15 settlements to resolve HIPAA violation cases, including 4 financial penalties in October.

The health insurer Aetna paid a $1,000,000 penalty to resolve multiple HIPAA violations that contributed to the exposure of HIV medication information in a mailing. OCR investigators found issues with the technical and nontechnical evaluation in response to environmental or operational changes affecting the security of PHI, an identity check failure, a minimum necessary information failure, insufficient administrative, technical, and physical safeguards, and an impermissible disclosure of the PHI of 18,849 individuals.

The City of New Haven, CT paid a $202,400 penalty to resolve its HIPAA case with OCR that stemmed from a failure to promptly restrict access to systems containing ePHI following the termination of an employee. That failure resulted in an impermissible disclosure of the ePHI of 498 individuals. OCR also determined there had been a risk analysis failure and a failure to issue unique IDs to allow system activity to be tracked.

Two of the penalties were issued as part of OCR’s HIPAA Right of Access enforcement initiative, with the fines imposed for the failure to provide patients with timely access to their medical records at a reasonable cost. Dignity Health, dba St. Joseph’s Hospital and Medical Center, settled its case with OCR and paid a $160,000 penalty and NY Spine settled for $100,000.

State attorneys general also play a role in the enforcement of HIPAA compliance. October saw Franklin, TN-based Community Health Systems and its subsidiary CHSPCS LLC settle a multi-state action related to a breach of the ePHI of 6.1 million individuals in 2014. The investigators determined there had been a failure to implement and maintain reasonable security practices. The case was settled for $5 million.


HIPAA Right of Access Failure Results in $65,000 Fine for University of Cincinnati Medical Center

The HHS’ Office for Civil Rights has announced its 18th HIPAA financial penalty of the year with the 12th fine under its HIPAA Right of Access enforcement initiative.

In 2019, OCR announced a new drive to ensure individuals are given timely access to their health records, at a reasonable cost, as mandated by the HIPAA Privacy Rule. It had become clear to OCR that healthcare providers were not always fully complying with this important HIPAA Privacy Rule provision and some patients were having trouble obtaining a copy of their medical records.

The latest financial penalty of $65,000 was imposed on the University of Cincinnati Medical Center, LLC (UCMC) and stemmed from a complaint received by OCR on May 30, 2019 from a patient who had sent a request to UCMC on February 22, 2019 asking for an electronic copy of the medical records maintained in UCMC’s electronic health record system to be sent to her lawyer.

The HIPAA Right of Access requires copies of medical records to be provided, on request, no later than 30 days after receipt of the request. 45 C.F.R. § 164.524 also states that an individual is permitted to have the requested records sent to a nominated third party, should they so wish.

The complaint was filed with OCR more than 13 weeks after the patient’s request. OCR intervened and UCMC finally provided the lawyer with the requested records on August 7, 2019, more than 5 months after the initial request was received.

After investigating the complaint, OCR determined UCMC had failed to respond to the patient’s request for a copy of her medical records in a timely manner and a financial penalty was deemed appropriate.

In addition to the financial penalty, UCMC is required to adopt a corrective action plan that includes developing, maintaining, and revising, as necessary, written policies and procedures to ensure compliance with 45 C.F.R. Part 160 and Subparts A and E of Part 164 of the HIPAA Privacy Rule. Those policies must be reviewed by OCR and implemented within 30 days of OCR’s approval.

The policies must be distributed to all members of the workforce and appropriate business associates and the policies must be reviewed and updated, as necessary, at least annually. Training materials must also be created and supplied to OCR for approval, and training provided to appropriate members of the workforce on the new policies.

UCMC is required to provide OCR with details of all business associates and/or vendors that receive, provide, bill for, or deny access to copies or inspection of records along with copies of business associate agreements, and UCMC must report all instances where requests for records have been denied. OCR will monitor UCMC closely for compliance for 2 years from the date of the resolution agreement.

“OCR is committed to enforcing patients’ right to access their medical records, including the right to direct electronic copies to a third party of their choice. HIPAA covered entities should review their policies and training programs to ensure they know and can fulfill all their HIPAA obligations whenever a patient seeks access to his or her records,” said Roger Severino, OCR Director, in a statement.


PHI Potentially Compromised in Security Incidents at People Incorporated and My Choice HouseCalls

People Incorporated Mental Health Services, a provider of integrated behavioral and mental health services in Minnesota, is notifying 27,500 patients that some of their protected health information was exposed in an email account breach between April 28, 2020 and May 4, 2020.

Prompt action was taken to block further access to the email accounts and an investigation was launched to determine the nature and scope of the breach. Assisted by third-party cybersecurity experts, and after conducting a manual document review, People Incorporated discovered on September 8, 2020 that the email accounts contained patients’ personal and protected health information. While third party access to the email accounts had occurred, no evidence was found to indicate any information was stolen or has been misused.

The PHI in the compromised accounts included names, dates of birth, addresses, treatment information, insurance information, and medical record numbers and, for a limited number of individuals, Social Security numbers, financial account information, health insurance information, and driver’s license or state identification numbers. Credit monitoring services have been offered to individuals whose Social Security number was potentially compromised.

People Incorporated has taken steps to ensure threats are identified and remediated more rapidly in the future, additional technical security measures have been implemented, and further training has been provided to employees on the identification and handling of malicious messages.

PHI Potentially Compromised in My Choice Housecalls Burglary

My Choice HouseCalls, an in-home primary care provider in Jacksonville, Florida, experienced a break-in at its administrative offices on or around September 3, 2020 and several computers were stolen. The theft was reported to law enforcement, but the stolen equipment has not been recovered.

A forensic examination confirmed the computers contained the following types of patient information: names, addresses, provider names, provider routes, facilities where patients are located, patient profile pictures, types of visits, medical histories, diagnoses, durable medical equipment supplier names, the companies providing home health services and their notes, insurance information, and patient and provider contact information.

My Choice HouseCalls is now implementing whole drive encryption to prevent the exposure of patient information in the event of another burglary. The breach report submitted to the HHS’ Office for Civil Rights shows 3,370 patients have been affected.


Ransomware Attacks Impact First Impressions Orthodontics, Kids First Dentistry & Orthodontics, and Hendrick Health Patients

First Impressions Orthodontics, a subsidiary of Professional Dental Alliance of Connecticut PLLC, experienced a ransomware attack on September 28, 2020 that potentially saw the protected health information of 23,000 patients accessed by the attackers.

Backups were regularly performed and stored securely, so patient data could be recovered without having to pay the ransom. In addition to the 23,000 First Impressions Orthodontics patients, 5,000 patients of Kids First Dentistry & Orthodontics who had x-rays performed at First Impressions Orthodontics were also impacted by the breach.

The types of data potentially compromised included names, addresses, telephone numbers, email addresses, contact telephone numbers, Social Security numbers, dental insurance numbers, dental records, dental images, service charge amounts, and payments received for services provided. Patients who only had their x-ray images compromised only had their name, date of birth, and insurance information exposed.

Affected individuals were notified in accordance with HIPAA requirements, but no evidence of data access, theft, or misuse was found. Out of an abundance of caution, affected individuals have been offered a complimentary 2-year membership to credit monitoring and identity theft protection services.

Suspected Ransomware Attack Forces Hendrick Health into EHR Downtime Procedures

Hendrick Health in Texas has experienced a cyberattack that has forced it to take its IT network and EHR offline while the threat is remediated. The suspected ransomware attack occurred on November 9, 2020 and affected Hendrick Health’s medical center on the main campus and some of its clinics. Hendrick Medical Center Brownwood and Hendrick Medical Center South were not affected by the attack.

Hendrick Health said patient care was not affected and inpatient services were continuing; however, some patients were redirected to alternative campuses for medical care while the attack was remediated, and some outpatient services had to be rescheduled.

Hendrick Health is working around the clock to restore its systems. In the meantime, staff have switched to pen and paper to record patient information.


North Dakota and Delaware State Departments Report Breaches of PHI

The North Dakota Department of Health, Department of Human Services, Cavalier County Health District, and other state agencies were impacted by a phishing attack that saw multiple employee email accounts compromised between November 23 and December 23, 2019.

The breach investigation did not uncover any evidence to suggest protected health information was stolen or misused or that the attack was conducted in order to obtain patient information. An analysis of the compromised accounts revealed they contained names, dates of birth, addresses, medical diagnoses and treatment information, driver’s license numbers and mothers’ maiden name and, for a limited number of individuals, Social Security numbers and/or financial information.

The breach report submitted to the HHS’ Office for Civil Rights indicates 35,416 individuals were affected by the breach. All individuals affected have been notified and those who had their Social Security number exposed have been offered free membership to credit monitoring services. North Dakota has since taken steps to improve email security to prevent attacks from succeeding in the future.

Delaware Division of Public Health Alerts 10,000 About Impermissible Disclosure of COVID-19 Test Results

The Delaware Division of Public Health has experienced a breach of protected health information that has affected approximately 10,000 individuals. A temporary member of staff sent two unencrypted emails containing COVID-19 test results to an unauthorized individual on August 13, 2020 and August 20, 2020. The first email contained the results of tests conducted between July 16, 2020 and August 10, 2020, and the second included results from tests taken on August 15, 2020.

The Delaware Division of Public Health discovered the HIPAA breach on September 16, 2020. The emails were meant for internal distribution to individuals who had assisted in obtaining the test results, but they were also sent to one unauthorized individual who reported receiving the email in error. The email and data have been deleted and the Division of Public Health has no reason to think there has been any further disclosure of the information. The file attachment contained names, dates of birth, phone numbers, test dates, test locations, and test results.

The Division of Public Health has reviewed its HIPAA-related policies and procedures, provided further HIPAA training to staff members, and implemented additional training for temporary staff. The individual who made the error is no longer employed within the Division of Public Health.
