HIPAA Breach News

OCR Announces 9th Financial Penalty under its HIPAA Right of Access Initiative

The HHS’ Office for Civil Rights (OCR) is continuing its crackdown on healthcare providers that are not fully complying with the HIPAA right of access. Last week, OCR announced its ninth enforcement action against a HIPAA-covered entity for the failure to provide patients with timely access to their medical records at a reasonable cost.

HIPAA gives patients the right to view or receive a copy of their medical records. When a request is made for access to medical records, HIPAA-covered entities must provide access or supply a copy of the requested medical records as soon as possible, but no later than 30 days after the request is received.

By obtaining a copy of their medical records, patients can share those records with other providers, research organizations, or individuals of their choosing. Patients can check their medical records for errors and submit requests to correct any mistakes. In the event of a ransomware attack that renders medical records inaccessible, patients who have a copy of their records ensure that their health histories are never lost.

Under the OCR HIPAA Right of Access Initiative, complaints from individuals who have been denied access to their medical records or have faced delays in receiving a copy of their records are investigated. When violations of the HIPAA right of access are uncovered, financial penalties are issued. The aim of penalties is to encourage compliance by making noncompliance very costly.

The latest financial penalty was imposed on NY Spine, a private medical practice with offices in New York and Miami that specializes in neurology and pain management. OCR received a complaint from a patient in July 2019 who claimed to have sent multiple requests to NY Spine in June 2019 requesting a copy of her protected health information.

NY Spine responded to the requests and provided some of her records but failed to provide the diagnostic films that she had specifically requested. It took intervention from OCR for NY Spine to provide those records. The patient was finally provided with a complete copy of all the requested records in October 2020, 16 months after the first request was submitted.

NY Spine and OCR agreed to settle the case for $100,000. NY Spine is also required to adopt a corrective action plan and will be monitored by OCR for compliance for 2 years.

“No one should have to wait over a year to get copies of their medical records. HIPAA entitles patients to timely access to their records and we will continue our stepped up enforcement of the right of access until covered entities get the message,” said Roger Severino, OCR Director.

The post OCR Announces 9th Financial Penalty under its HIPAA Right of Access Initiative appeared first on HIPAA Journal.

Community Health Systems Pays $5 Million to Settle Multi-State Breach Investigation

Franklin, TN-based Community Health Systems and its subsidiary CHSPCS LLC have settled a multi-state action with 28 state attorneys general for $5 million.

A joint investigation, led by Tennessee Attorney General Herbert H. Slatery III, was launched following a breach of the protected health information (PHI) of 6.1 million individuals in 2014. At the time of the breach, Community Health Systems owned, leased, or operated 206 affiliated hospitals. According to a 2014 8-K filing with the U.S. Securities and Exchange Commission, the health system was hacked by a Chinese advanced persistent threat group which installed malware on its systems that was used to steal data. PHI stolen by the hackers included names, phone numbers, addresses, dates of birth, sex, ethnicity, Social Security numbers, and emergency contact information.

The same breach was investigated by the HHS’ Office for Civil Rights, which announced late last month that a settlement had been reached with CHSPCS over the breach and a $2.3 million penalty had been paid to resolve potential HIPAA violations discovered during the breach investigation. In addition to the financial penalty, CHSPCS agreed to adopt a robust corrective action plan to address privacy and security failures discovered by OCR’s investigators.

Victims of the breach took legal action against CHS over the theft of their PHI and CHS settled the class action lawsuit in 2019 for $3.1 million. The latest settlement means CHS and its affiliates have paid $10.4 million in settlements over the breach.

“A patient’s personal information—especially health information—deserves the highest level of protection,” said Attorney General Slatery. “This settlement will require CHS to provide that moving forward.”

CHS and its affiliates were found to have failed to implement reasonable and appropriate security measures to ensure the confidentiality, integrity, and availability of protected health information on its systems. “The terms of this settlement will help ensure that patient information will be protected from unlawful use or disclosure,” said Iowa Attorney General Tom Miller.

The states participating in the action were Alaska, Arkansas, Connecticut, Florida, Illinois, Indiana, Iowa, Kentucky, Louisiana, Massachusetts, Michigan, Mississippi, Missouri, Nebraska, Nevada, New Jersey, North Carolina, Ohio, Oregon, Pennsylvania, Rhode Island, South Carolina, Tennessee, Texas, Utah, Vermont, Washington, and West Virginia.

In addition to paying the financial penalty, CHS and its affiliates have agreed to adopt a corrective action plan and implement additional security measures to ensure the security of its systems. Those measures include developing a written incident response plan, providing security awareness and privacy training to all personnel with access to PHI, limiting unnecessary or inappropriate access to systems containing PHI, implementing policies and procedures for its business associates, and conducting regular audits of all business associates.

CHS must also conduct an annual risk assessment, implement and maintain a risk-based penetration testing program, implement and maintain intrusion detection systems, data loss protection measures, and email filtering and anti-phishing solutions. All system activity must be logged, and those logs must be regularly reviewed for suspicious activity.

“Community Health Systems is pleased to have resolved this six-year old matter,” said a spokesperson for CHS in a statement about the settlement. “The company had robust risk controls in place at the time of the attack and worked closely with the FBI and consistently with its recommendations after becoming aware of the attack.”


Former Mayo Clinic Employee Accessed Medical Records of 1,600 Patients Without Authorization

Mayo Clinic has started notifying more than 1,600 patients that some of their protected health information has been viewed by a former employee without authorization.

Mayo Clinic confirmed on August 5, 2020 that a licensed health care professional had accessed the records of patients when there was no legitimate reason for doing so. The employee was ending their employment with Mayo Clinic when the privacy breach was discovered and the individual no longer works at Mayo Clinic.

The reason for accessing the medical records is not known and Mayo Clinic has not disclosed when the privacy breach occurred. Mayo Clinic explained that the access was limited in duration and no evidence was found to suggest any information was printed or retained by the employee.

The types of information accessed included names, dates of birth, demographic information, medical record numbers, medical images, and clinical notes. No financial information or Social Security numbers were viewed. Mayo Clinic has reported the unauthorized access to the Rochester Police Department and the FBI, and the privacy breach is being investigated.

Mayo Clinic said there was a delay in issuing notifications as the investigation into the privacy breach took time to complete. Affected individuals have now been notified, but the nature of data accessed means they do not need to take any action in relation to the breach.

UMMA Community Clinic Discovers Insider Breach

University Muslim Medical Association (UMMA) Community Clinic in Los Angeles has discovered a former employee sent a secured file containing patients’ protected health information to a personal email account. The incident was discovered on July 1, 2020, two days after the file was emailed.

UMMA has received written confirmation from the former employee that the file has been securely deleted and UMMA is unaware of any further disclosures or misuse of the information in the file.

UMMA has implemented additional policies and procedures to prevent similar privacy breaches in the future. It is currently unclear how many individuals have been affected or what types of protected health information were contained in the secured file.

AAA Ambulance Service Notifies Patients About Attempted Ransomware Attack

AAA Ambulance Service in Mississippi is notifying patients about an attempted ransomware attack that occurred on or about July 1, 2020. Prompt action was taken to prevent the encryption of data on its systems and an internal investigation was launched to determine the extent of the security breach. Assisted by third-party computer forensics experts, AAA Ambulance Service determined on August 26, 2020 that patient data may have been accessed or exfiltrated by the attackers prior to the deployment of ransomware.

The types of data potentially compromised include patients’ names in combination with one or more of the following data elements: Social Security number, driver’s license number, date of birth, financial account number, diagnosis information, treatment information, patient account number, prescription information, medical record number and/or health insurance information.

No evidence has been found to suggest any patient data has been misused, but out of an abundance of caution, affected individuals have been offered complimentary credit monitoring services. AAA Ambulance Service is implementing additional safeguards to prevent similar breaches in the future.

Seven Counties Services Suffers 13,375-Record Data Breach

Seven Counties Services in Kentucky is alerting 13,375 patients about a breach of their protected health information. Seven Counties Services was targeted in a phishing attack that saw the email accounts of 13 employees accessed by an unauthorized individual. The breach was detected by the Seven Counties’ IT department on July 28, 2020 and the compromised email accounts were immediately secured. The attack began on July 27, 2020 and continued until July 30, 2020.

A review of the compromised email accounts revealed they contained reports that included protected health information such as names, dates of birth, Social Security numbers, addresses, phone numbers, email addresses, diagnoses, and dates of service. It was not possible to determine if any emails in the accounts were opened, viewed, or downloaded by the attackers.

The Seven Counties Services IT department has improved access controls, implemented location-based multi-factor authentication, and the workforce has been re-educated on phishing and email spoofing attacks.


OCR Imposes $160,000 Penalty on Healthcare Provider for HIPAA Right of Access Failure

The Department of Health and Human Services’ Office for Civil Rights has announced its 12th HIPAA penalty of 2020 and its 8th under the HIPAA Right of Access enforcement initiative that was launched in 2019. The $160,000 settlement is the largest HIPAA penalty to date for a failure to provide an individual with timely access to their requested medical records.

On January 24, 2018, Dignity Health, doing business as St. Joseph’s Hospital and Medical Center (SJHMC), received a request from the mother of a patient who wanted a copy of her son’s medical records. The mother was acting as the personal representative of her son. After not receiving all of the requested records by April 25, 2018, the mother lodged a complaint with the Office for Civil Rights.

OCR investigated the potential HIPAA violation and determined the complainant had requested four specific sets of medical records from SJHMC. The first request was sent on January 24, 2018, and the same records were requested on March 22, April 3, and May 2, 2018.

SJHMC did respond to the requests and provided some, but not all, of the requested records. The mother made contact with SJHMC again on May 2, May 10 and May 15, 2018 to request the records that had not been provided. SJHMC responded and sent additional records, but not the specific records that had been requested. It took until December 19, 2019 for SJHMC to provide all the records she had requested – 22 months after the initial request had been sent.

SJHMC agreed to pay the $160,000 financial penalty to settle the case with no admission of liability. SJHMC will also adopt a corrective action plan to address all areas of noncompliance and will be monitored for compliance by OCR for two years.

“It shouldn’t take a federal investigation to secure access to patient medical records, but too often that’s what it takes when health care providers don’t take their HIPAA obligations seriously. OCR has many right of access investigations open across the country, and will continue to vigorously enforce this right to better empower patients,” said Roger Severino, OCR Director.


Magnolia Pediatrics and Accents on Health Suffer Ransomware Attacks

Prairieville, LA-based Magnolia Pediatrics is notifying 12,861 patients that some of their protected health information has potentially been compromised in a ransomware attack that occurred on or around March 26, 2020.

The ransomware attack was investigated by its IT vendor, LaCompuTech, which determined only its master boot record had been affected and patient information had not been accessed, encrypted or exported by the attackers. The IT vendor determined a HIPAA breach had not occurred and the incident therefore did not need to be reported to the HHS’ Office for Civil Rights and notification letters to patients were not warranted.

However, OCR informed Magnolia Pediatrics on September 11, 2020 that the incident was a reportable data breach and that patient notification letters were required. OCR’s reasoning was that overwriting the master boot record requires administrator-level control of the server, and an attacker with that level of control could equally have read any protected health information stored on it. Under the HIPAA Breach Notification Rule, an impermissible use or disclosure of PHI is presumed to be a breach unless the covered entity can demonstrate a low probability that the PHI was compromised; the absence of evidence of data access does not by itself meet that standard.

Protected health information stored on the server included patients’ names, addresses, telephone numbers, dates of birth, Social Security numbers, health insurance information, medical record numbers, and clinical information, including diagnoses, lab test results, treating physicians’ names, medications, medical histories, and dates of service.

Magnolia Pediatrics said the investigation uncovered no evidence that any patient data was exfiltrated and that no patient information was encrypted in the attack. Magnolia Pediatrics is taking several steps to improve security, including multi-factor authentication on its servers and systems, improved email and network traffic filtering, multiple intrusion prevention and detection systems, and a systematic risk analysis and remediation process for its computer systems. Further cybersecurity awareness training has been provided to the workforce, and the dark web is being monitored for any email addresses associated with Magnolia Pediatrics.

Magnolia Pediatrics has terminated its relationship with LaCompuTech and has engaged a leading information technology and security provider to oversee the security of its computer systems.

This is the second ransomware attack to have affected Magnolia Pediatrics in the past 14 months. The earlier attack occurred on August 23, 2019 and impacted 11,100 patients.

Accents on Health Suffers Ransomware Attack

The Lone Tree, CO-based chiropractor, Accents on Health, suffered a ransomware attack on August 5, 2020 which encrypted data on its computer systems. Cybersecurity forensics specialists were engaged to investigate the breach and determine whether patient data had been accessed or exfiltrated by the attackers.

No evidence was found to suggest patient information was exfiltrated prior to the attack, but data theft could not be ruled out. The affected computer systems contained the protected health information of 2,000 patients, including full names, addresses, dates of birth, account numbers, Social security numbers, medical information, diagnosis codes, and insurance information.

No reports have been received to suggest protected health information has been misused. Accents on Health is now reviewing its software, systems, policies, and procedures and will implement additional safeguards to prevent further cyberattacks.


Clinical Trial Software Provider Hit with Ransomware Attack

Philadelphia-based eResearchTechnology, a company that sells software used in clinical trials, including clinical trials of COVID-19 vaccines, was hit with a ransomware attack that has affected several of its clients, including at least one company running COVID-19 vaccine trials. The attack occurred on September 20, 2020 and forced some clinical trial researchers to switch to pen and paper to track their patients. While patient safety was never put at risk, the attack has had an effect on clinical trials and has slowed progress.

IQVIA, the research organization running AstraZeneca’s COVID-19 vaccine trial, was one of the organizations affected by the attack, although it is unclear to what extent, if any, the attack affected its COVID-19 vaccine trial. Bristol Myers Squibb, which is leading efforts to develop a rapid test for the virus, was also affected by the ransomware attack. Both firms explained that the effect was limited as they had backups which could be used to recover data. IQVIA issued a statement saying it was unaware of any confidential data related to clinical trials being exfiltrated prior to the use of ransomware to encrypt files.

Following the attack, eResearchTechnology powered down its computer systems and third-party cybersecurity experts were engaged to assist with the investigation and recovery. The Federal Bureau of Investigation was also notified and is investigating the attack. Certain systems have been offline for around 2 weeks, and started to be brought back online on Friday, according to the New York Times. The remainder of its systems are expected to be brought back online in the next few days.

It is unclear which threat group conducted the attack, what ransomware variant was used, and whether the ransom demand was paid for the keys to decrypt files.

eResearchTechnology’s software is extensively used in clinical trials. Last year, around three quarters of all clinical trials that resulted in drug approvals used eResearchTechnology software.

The attack was announced just a few days after Universal Health Services experienced a suspected ransomware attack that affected all of its U.S. locations and forced it to take its systems offline and redirect patients to alternative healthcare providers. Figures from Emsisoft suggest there have been at least 53 ransomware attacks on healthcare providers in the United States so far in 2020. More than 500 hospitals and clinics have been affected by those attacks.


Financial information and SSNs Potentially Accessed in Blackbaud Ransomware Attack

On Wednesday, Blackbaud filed a Form 8-K with the U.S. Securities and Exchange Commission (SEC) that provides further information on the ransomware attack the company suffered in May 2020. Blackbaud explained that the forensic investigation into the breach has revealed further information was potentially compromised in the breach. For certain customers, unencrypted fields that were intended for Social Security numbers, bank account information, and usernames and passwords may also have been accessed by the hackers.

Most of the customers affected by the breach did not have this additional information exposed, as the fields for sensitive information were encrypted and any data included in those fields would have been unreadable to the attackers. Blackbaud explained that any customers who may have had sensitive information exposed are being contacted and notified and additional support is being provided.
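The distinction Blackbaud draws here, between customers whose sensitive fields were encrypted and those whose fields held plaintext, is the difference field-level encryption makes once a copy of the database has already left the building. The following Go program is an added example written for this page, not Blackbaud’s code or schema. It assumes a hypothetical donor-record layout (name, email, SSN, bank account), a hard-coded 32-byte test key standing in for one fetched from a KMS or HSM, and a hypothetical `enc:v1:` prefix marking stored ciphertexts. Each sensitive column is sealed with AES-256-GCM under a fresh random nonce, with the column name bound as additional authenticated data so a ciphertext cannot be silently moved between columns; `Exposed` then reports which fields an attacker holding only the exfiltrated row can actually read.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
	"strings"
)

// DonorRecord models one row of a hosted fundraising database.
// Hypothetical layout for this example, not any vendor's real schema.
type DonorRecord struct {
	Name        string
	Email       string
	SSN         string // sensitive: stored encrypted
	BankAccount string // sensitive: stored encrypted
}

// ciphertextPrefix tags stored values so a reader can tell an encrypted
// field from one that was left in the clear. Hypothetical convention.
const ciphertextPrefix = "enc:v1:"

// newAEAD builds an AES-GCM instance; key must be 16, 24 or 32 bytes.
func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptField seals one field value. The column name is authenticated as
// associated data, and a random nonce is prepended to the ciphertext.
func EncryptField(key []byte, field, plaintext string) (string, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	sealed := aead.Seal(nil, nonce, []byte(plaintext), []byte(field))
	return ciphertextPrefix + base64.StdEncoding.EncodeToString(append(nonce, sealed...)), nil
}

// DecryptField reverses EncryptField. It fails on a wrong key, a tampered
// value, a value copied from another column, or a value never encrypted.
func DecryptField(key []byte, field, stored string) (string, error) {
	if !strings.HasPrefix(stored, ciphertextPrefix) {
		return "", errors.New("field is not encrypted")
	}
	raw, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(stored, ciphertextPrefix))
	if err != nil {
		return "", err
	}
	aead, err := newAEAD(key)
	if err != nil {
		return "", err
	}
	if len(raw) < aead.NonceSize() {
		return "", errors.New("ciphertext too short")
	}
	plain, err := aead.Open(nil, raw[:aead.NonceSize()], raw[aead.NonceSize():], []byte(field))
	if err != nil {
		return "", err
	}
	return string(plain), nil
}

// Protect returns the row as it should be written to storage: sensitive
// columns sealed, the others left readable for everyday use.
func Protect(key []byte, r DonorRecord) (DonorRecord, error) {
	ssn, err := EncryptField(key, "ssn", r.SSN)
	if err != nil {
		return DonorRecord{}, err
	}
	acct, err := EncryptField(key, "bank_account", r.BankAccount)
	if err != nil {
		return DonorRecord{}, err
	}
	return DonorRecord{Name: r.Name, Email: r.Email, SSN: ssn, BankAccount: acct}, nil
}

// Exposed lists the columns an attacker who copied the stored row, but not
// the key, can read: every value not carrying the ciphertext prefix.
func Exposed(stored DonorRecord) []string {
	cols := []struct{ name, val string }{
		{"name", stored.Name}, {"email", stored.Email},
		{"ssn", stored.SSN}, {"bank_account", stored.BankAccount},
	}
	var out []string
	for _, c := range cols {
		if !strings.HasPrefix(c.val, ciphertextPrefix) {
			out = append(out, c.name)
		}
	}
	return out
}

func main() {
	// Constructed sample data and a fixed test key (32 bytes = AES-256).
	key := []byte("0123456789abcdef0123456789abcdef")
	donor := DonorRecord{Name: "Jane Doe", Email: "jane@example.org", SSN: "123-45-6789", BankAccount: "000123456789"}
	stored, err := Protect(key, donor)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored row: %+v\n", stored)
	fmt.Println("readable without the key:", Exposed(stored))
	ssn, _ := DecryptField(key, "ssn", stored.SSN)
	fmt.Println("recovered with the key:", ssn)
}
```

The row that leaves the database still exposes name and email, which is exactly the situation described for most affected customers; the SSN and bank account columns are useless without the key, which must never live alongside the data it protects. The `field` argument is what stops an attacker with write access from moving a low-value ciphertext into a high-value column and having the application decrypt it.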

Blackbaud explained in the SEC filing that the company was able to prevent the attackers from fully encrypting certain files but confirmed that prior to encryption a subset of data was removed from Blackbaud’s private hosted cloud.

Blackbaud previously explained that the ransom demand had been paid to ensure that data stolen in the attack did not get sold or released publicly. Assurances were received that the stolen data had been deleted after the ransom demand was paid. There is no mention in the SEC filing about how much the company paid for the keys to decrypt files and to have the data deleted.

Blackbaud is confident that the data have not been released publicly or further disclosed; however, there is always a risk when paying cybercriminals that have just conducted an attack, stolen data, and encrypted files, that they may not be true to their word and could still have a copy of the stolen data. Blackbaud is taking precautions and has retained a cybersecurity company to monitor the dark web and hacking forums for any release of data stolen in the attack.

Blackbaud sent notifications about the breach on July 16 and HIPAA covered entities have 60 days to report the breach. Throughout August and September, the number of breaches listed on the HHS’ Office for Civil Rights breach portal has steadily grown. At least 58 healthcare organizations in the United States have publicly stated that they have been affected and more than 3 dozen breaches are currently listed on the OCR breach portal.

The worst affected entity so far is Trinity Health, which is listed as having had the protected health information of 3,320,726 individuals exposed in the breach. Inova Health System has reported a breach of 1,045,270 individuals’ PHI, and Northern Light Health says the PHI of 657,392 individuals was exposed. Many other healthcare providers have reported breaches affecting hundreds of thousands of individuals. So far, the protected health information of almost 10 million individuals is known to have been exposed.

Blackbaud is working closely with security firms and law enforcement and investigations into the breach are continuing.


Anthem Inc. Settles State Attorneys General Data Breach Investigations and Pays $48.2 Million in Penalties

The Indianapolis, IN-based health insurer Anthem Inc. has settled multi-state actions by state attorneys general over its 78.8 million record data breach in 2014. One settlement was agreed with Attorneys General in 41 states and Washington D.C. for $39.5 million and a separate settlement was reached with the California Attorney General for $8.7 million. The settlements resolve violations of federal and state laws that contributed to the data breach, the largest ever breach of healthcare data in the United States.

The cyberattack on Anthem occurred in 2014. The hackers targeted the health insurer with phishing emails; employees’ responses to those emails gave them the foothold in the network they needed. From there, the hackers spent months exploring Anthem’s network and exfiltrating data from its customer databases. Data stolen in the attack included the names, contact information, dates of birth, health insurance ID numbers, and Social Security numbers of current and former health plan members and employees. Anthem announced the breach in February 2015. A Chinese national and an unnamed accomplice were charged in connection with the cyberattack in May 2019.

A breach on that scale naturally attracted the attention of the HHS’ Office for Civil Rights (OCR), which investigated the breach and discovered multiple potential violations of the HIPAA Rules. Anthem settled the HIPAA violation case with OCR for $16 million in October 2018. The HIPAA violation penalty was, and still is, the largest ever financial penalty imposed on a covered entity or business associate for violations of the HIPAA Rules.

Many lawsuits were filed on behalf of victims of the data breach over the theft of their protected health information. Anthem settled the consolidated class action lawsuit in 2018 for $115 million.

State Attorneys General investigated the breach to determine whether HIPAA and state laws had been violated. The multi-state investigation has taken 5 years to come to a conclusion, but the settlements now draw a line under the breach. Anthem has now paid $179.2 million to settle lawsuits and legal actions over the 2014 cyberattack.

In addition to the $48.2 million financial penalty, Anthem agreed to take a number of corrective actions to improve data security practices. These include implementing a comprehensive information security program based on the principles of zero trust architecture. Regular security reports are now sent to the board of directors and significant security events are reported promptly to the CEO.

Anthem has implemented multi-factor authentication, network segmentation, access controls, and data encryption, and is logging and monitoring information system activity. Anthem is conducting regular security risk assessments and penetration tests and provides regular security awareness training to its workforce. The corrective action plan also requires Anthem to undergo third-party security audits and assessments for three years and to provide the results of those audits to a third-party assessor.

Anthem issued a statement in relation to the settlements saying, “[Anthem] does not believe it violated the law in connection with its data security and is not admitting to any such violations,” and also said that there had been no evidence uncovered to indicate any information stolen in the attack has been used to commit fraud or identity theft.

“When consumers must disclose confidential personal information to health insurers, these companies owe their customers the duty to protect their private data,” said California Attorney General Xavier Becerra. “Anthem failed in that duty to its customers. Anthem’s lax security and oversight hit millions of Americans. Now Anthem gets hit with a penalty, in the millions, in return.”


PHI of 26,861 Patients Potentially Compromised in Oaklawn Hospital Phishing Attack

Oaklawn Hospital in Marshall, MI, has started notifying 26,861 patients about a potential breach of their personal and health information.

It is unclear when the breach was detected, but the forensic investigation revealed on July 28, 2020 that the email accounts of certain employees had been accessed by unauthorized third parties between April 14 and April 15, 2020. Access to the accounts was gained after employees responded to phishing emails and disclosed their email credentials. The breach was detected when suspicious emails were found in several employee email accounts.

A comprehensive manual document review was conducted to identify any protected health information stored in the compromised email accounts. The compromised accounts were discovered to contain patient names along with dates of birth, medical information, and health insurance information. The Social Security numbers, driver’s license numbers, financial account information, and online login information of “a very limited” number of patients were also potentially compromised. The delay in issuing notification letters was due to the time-consuming manual document review process.

The phishing attack prompted Oaklawn Hospital to review its cybersecurity protections and significant measures have now been taken to improve technical security safeguards, including the use of multi-factor authentication software. Employees have also been provided with additional security awareness training.

All patients affected by the breach have been advised to monitor their explanation of benefits statements for any transactions related to care or services that they have not received and individuals whose Social Security number was potentially compromised have been offered complimentary credit monitoring services.

While unauthorized email account access was confirmed, the investigation did not uncover any evidence to suggest patient information was accessed or stolen by the attackers and no reports have been received indicating any misuse of patient data.

Mono County Discovers Breach of COVID-19 Statistics Database

Mono County in California has discovered an unauthorized individual gained access to its online COVID-19 statistics database between April 2 and July 24, 2020. The database included the protected health information of individuals who had been tested for COVID-19 prior to July 24, 2020.

The database contained individuals’ date of birth, gender, race, geographic region of residence in Mono County, and the result of their COVID-19 test. Names, addresses, and other identifying information were not included in the database. The database was secured on July 28, 2020 and external access is no longer possible.

The breach report submitted to the HHS’ Office for Civil Rights shows the PHI of 2,850 individuals was stored in the database.
