HIPAA Breach News

Email Error Results in Impermissible Disclosure of the PHI of 900 Campbell County Health Patients

An email error by an employee of Campbell County Health (CCH) has resulted in the impermissible disclosure of the protected health information of 900 individuals. The Gillette, WY-based health system discovered on February 5, 2021 that an employee sent an email to a patient and attached an incorrect file.

The file contained patient names, account numbers, and their type of insurance. The email error was discovered within an hour of the email being sent and the recipient was immediately contacted and was told to securely delete the attachment. CCH officials provided instructions on how to ensure that the file was permanently deleted from the email account and all devices, and CCH has received satisfactory assurances that the file has now been permanently deleted and no further disclosures were made.

Affected individuals have been notified about the incident and internal policies are being revised to prevent similar incidents in the future. CCH has also provided further training to employees on best practices for protecting patient data.

UT Southwestern Medical Center Alerts Patients About Impermissible PHI Disclosure

UT Southwestern Medical Center in Dallas, TX is notifying 3,640 patients about an inappropriate disclosure of their names and email addresses to a third-party vendor. The information was shared with the vendor in order to send invitations to a Kidney Cancer Program event. No other information was disclosed. All affected patients had previously received medical services through the UTSW Kidney Cancer Program.

The information was not further disclosed or compromised, but the sharing of the patient information was not permitted under HIPAA, hence the need to notify patients. UTSW Medical Center said, “UT Southwestern considers the protection of our patients’ privacy of utmost importance, and we deeply regret the occurrence of this incident and any worry, distress, or difficulty that it may cause.”

The post Email Error Results in Impermissible Disclosure of the PHI of 900 Campbell County Health Patients appeared first on HIPAA Journal.

21st Century Oncology Data Breach Settlement Receives Preliminary Approval

A settlement proposed by 21st Century Oncology to resolve a November 2020 class action lawsuit has received preliminary approval from the court. The class action lawsuit was filed in the U.S. District Court for the Middle District of Florida on behalf of victims of a 2015 cyberattack that potentially affected 2.2 million individuals.

21st Century Oncology was notified about a breach of its systems by the Federal Bureau of Investigation on November 13, 2015. An unauthorized individual had gained access to its network and may have accessed or obtained one of its databases on October 3, 2015. The database contained patients’ names, diagnoses, treatment information, Social Security numbers, and insurance information. Notifications to affected individuals were delayed at the request of the FBI so as not to interfere with the investigation. Patients affected by the breach started to be notified in March 2016.

The Department of Health and Human Services’ Office for Civil Rights launched an investigation into the breach and found potential HIPAA violations. 21st Century Oncology settled the case in December 2017 with no admission of liability and agreed to pay a $2.3 million penalty.

The class action lawsuit sought compensation for breach victims who suffered losses as a result of the breach, including reimbursement of out-of-pocket expenses, time spent attempting to remedy issues, and losses to identity theft and fraud.

Under the terms of the proposed settlement, all victims of the breach will be entitled to claim two years of credit monitoring and identity theft protection services through Total Identity, which may be deferred for up to two years.

In addition, the 21st Century Oncology settlement will see breach victims reimbursed for time spent remedying issues fairly traceable to the data breach. The default claim is based on two hours at $20 per hour, up to a maximum of $40. Alternatively, a claim can be made for documented time spent, up to 13 hours at $20 per hour to a maximum of $260.

Any individual who can provide proof of out-of-pocket expenses incurred as a result of the breach or documented fraud will be entitled to submit a claim up to $10,000.

All individuals notified about the breach in or around March 2016 are covered by the settlement and can submit a claim. The deadline for claiming is May 10, 2021. Any class member who wishes to object to or exclude themselves from the settlement has until March 9, 2021 to do so.

While the court has granted preliminary approval of the settlement, final approval has not yet been granted. A fairness hearing has been scheduled for June 15, 2021.


Sharp HealthCare Pays $70,000 to Resolve HIPAA Right of Access Violation

The HHS’ Office for Civil Rights (OCR) has fined Sharp HealthCare $70,000 for failing to provide a patient with timely access to his medical records. This is the sixteenth financial penalty to be agreed with OCR under the HIPAA Right of Access enforcement initiative that was launched in late 2019.

OCR received a complaint from a patient on June 11, 2019 that alleged Sharp HealthCare, doing business as Sharp Rees-Stealy Medical Centers (SRMC), failed to provide him with a copy of his medical records within 30 days, as is required by the HIPAA Privacy Rule.

The patient claimed to have made a request in writing on April 2, 2019 but had not been provided with the requested records after waiting more than 2 months. OCR investigated and provided technical assistance to SRMC on the HIPAA Right of Access provision of the HIPAA Privacy Rule and the requirement to send medical records to a third party if requested by a patient. OCR closed the complaint on June 25, 2019.

The same patient filed a second complaint with OCR on August 19, 2019 when the requested medical records had still not been provided. The complainant finally received the requested records on October 15, 2019, more than 6 months after the record request was initially made.

OCR determined the long delay in providing the requested records was in violation of 45 C.F.R. § 164.524 and the HIPAA violation warranted a financial penalty. Had the records been provided in a timely manner after receiving technical assistance, a financial penalty could have been avoided.

In addition to paying the $70,000 penalty, Sharp HealthCare has agreed to adopt a corrective action plan and will be monitored closely for compliance by OCR for 2 years. The corrective action plan requires Sharp HealthCare to develop, maintain, and revise, as necessary, policies and procedures covering patient requests for access to their medical records and training must be provided to the workforce on individuals’ right to access their own PHI.

In an announcement about the latest settlement, Acting OCR Director Robinsue Frohboese said, “Patients are entitled to timely access to their medical records. OCR created the Right of Access Initiative to enforce and support this critical right.”


Ransomware Gang Dumps Data Stolen from Two U.S. Healthcare Providers

The Conti ransomware gang has dumped a large batch of healthcare data online that was allegedly stolen from Leon Medical Centers in Florida and Nocona General Hospital in Texas.

Leon Medical Centers suffered a Conti ransomware attack in early November 2020, which was initially reported to the HHS’ Office for Civil Rights on January 8, 2021 as affecting 500 individuals. Leon Medical Centers explained in its substitute breach notice that the incident involved the use of malware and the investigation confirmed the attackers accessed the personal and protected health information of certain patients.

It is unclear when the ransomware attack on Nocona General Hospital occurred, as notification letters do not appear to have been sent to affected individuals, no breach notice has been posted on its website, and the incident is not listed on the HHS’ Office for Civil Rights breach portal.

According to NBC, which spoke with an attorney representing the hospital, none of its systems appeared to have been breached, files were apparently not encrypted, and no ransom note had been identified by the hospital. Around 20 files containing patient information were uploaded to the Conti leak site on February 3, 2021, and Databreaches.net reports that by February 10 the site listed more than 1,760 leaked files, most of which appeared to be old data. The hospital's attorney told Databreaches.net that the hospital's current systems had not been compromised; instead, an old server that held files relating to patients or patient data transfers had been compromised. The incident is still under investigation.

The theft of patient data prior to file encryption, often called double extortion, is now commonplace. According to the New Zealand cybersecurity firm Emsisoft, at the start of 2020 only one ransomware group was exfiltrating data prior to file encryption, but by the end of the year at least 17 ransomware groups were exfiltrating data prior to deploying ransomware.

This tactic increases the probability of the ransom being paid. Healthcare organizations may be able to recover files from backups, but they would still need to pay the ransom to prevent the stolen data from being dumped on leak sites or sold to other threat actors.

There are signs, however, that this tactic is now proving to be less effective. A recent report by Coveware suggests trust has been eroded and more victims are choosing not to pay the ransom when they can recover their data from backups as there is no guarantee that stolen data will be deleted if the ransom is paid.

Coveware attributed the dramatic reduction in ransom payments in Q4, 2020 to victims choosing not to pay due to a lack of trust in the attackers. “Coveware continues to witness signs that stolen data is not deleted or purged after payment. Moreover, we are seeing groups take measures to fabricate data exfiltration in cases where it did not occur,” explained Coveware, in its Q4 Ransomware Report.


Renown Health Pays $75,000 to Settle HIPAA Right of Access Case

The Department of Health and Human Services’ Office for Civil Rights (OCR) is continuing to crack down on noncompliance with the HIPAA Right of Access. This week, OCR announced its fifteenth settlement to resolve a HIPAA Right of Access enforcement action.

Renown Health, a not-for-profit healthcare network in Northern Nevada, agreed to settle its HIPAA case with OCR to resolve potential violations of the HIPAA Right of Access and has agreed to pay a financial penalty of $75,000.

OCR launched an investigation after receiving a complaint from a Renown Health patient who had not been provided with an electronic copy of her protected health information. In January 2019, the patient submitted a request to Renown Health and asked for her medical and billing records to be sent to her attorney. After waiting more than a month for the records to be provided, the patient filed a complaint with OCR. It took Renown Health until December 27, 2019 to provide the requested records, almost a year after the initial request was made.

The HIPAA Privacy Rule (45 C.F.R. § 164.524) requires covered entities to act on a request for access within 30 days of the request being made; a single 30-day extension is permitted, provided the individual is informed in writing of the reason for the delay within the initial 30 days. OCR determined that the delay in providing the requested records was in violation of this Privacy Rule provision.

In addition to paying the financial penalty, Renown Health has agreed to adopt a corrective action plan that requires written policies and procedures to be developed, maintained, and revised, as necessary, covering the HIPAA Right of Access. Training must be provided to the workforce on the policies and procedures, and a sanctions policy must be implemented and applied when workforce members fail to comply with the policies and procedures. OCR will monitor Renown Health for compliance with the HIPAA Right of Access for 2 years.

“Access to one’s health records is an essential HIPAA right and health care providers have a legal obligation to their patients to provide access to their health information on a timely basis,” said Acting OCR Director Robinsue Frohboese.

The settlement is the third to be announced by OCR in 2021 and follows a $200,000 settlement with Banner Health for similar HIPAA Right of Access violations and a $5,100,000 settlement with Excellus Health Plan to resolve multiple HIPAA violations that contributed to a 2015 data breach of 9,358,891 records.


Nebraska Medicine Notifies 219,000 Patients About September 2020 Malware Attack

Nebraska Medicine has started notifying approximately 219,000 patients about a malware attack that allowed an unauthorized individual to view and obtain patient information.

Nebraska Medicine identified unusual activity in some of its systems on September 20, 2020. All affected devices were isolated to contain the breach and impacted systems were shut down to prevent any further unauthorized access. Independent computer forensics experts were engaged to conduct an investigation and determine the nature and scope of the security breach.

The investigation confirmed that an unauthorized individual first gained access to the network on August 27, 2020 and deployed malware. Between August 27 and September 20, that individual copied certain files, some of which contained patient information.

The files contained information about patients who received medical services at The Nebraska Medical Center or University of Nebraska Medical Center, as well as a limited number of patients who visited Faith Regional Health Services, Great Plains Health, or Mary Lanning Healthcare.

The protected health information obtained in the attack included one or more of the following data elements: Name, address, date of birth, medical record number, health insurance information, physician notes, laboratory results, imaging, diagnosis information, treatment information, and/or prescription information, and a limited number of Social Security numbers and driver’s license numbers.

Affected individuals were notified about the breach on February 5, 2021. Individuals whose Social Security or driver’s license number was compromised have been offered complimentary credit monitoring and identity theft protection services. Nebraska Medicine continues to monitor its IT environment for potential breaches and network monitoring tools have been enhanced.

Phishing Attack Affects 2,500 Hackley Community Care Patients

Hackley Community Care in Muskegon, MI is alerting approximately 2,500 patients that some of their protected health information has been exposed and may have been viewed by unauthorized individuals.

In September 2020, a phishing email was sent to several staff members that contained a link to a malicious website. One employee clicked the link and entered their login credentials which were captured and used by the attacker to remotely access the employee’s email account between September 7 and September 24, 2020.

The investigation into the incident confirmed only one email account had been compromised and no evidence was found to indicate any emails in the account were opened. A review of the compromised email account was completed on December 18, 2020 and all individuals are now being notified if they have been affected.

For most of the affected individuals, the breach was limited to names and addresses. Individuals who had more sensitive data exposed have been offered complimentary credit monitoring services through TransUnion. Hackley Community Care is implementing additional security measures to prevent similar incidents in the future.


Class Action Lawsuit Filed Against US Fertility Over September 2020 Ransomware Attack

US Fertility is facing a class action lawsuit over a September 2020 ransomware attack and data breach that affected 878,550 individuals.

US Fertility provides IT platforms and administrative, clinical, and business information services, and is one of the largest providers of support services to infertility clinics in the United States. On September 14, 2020, US Fertility discovered ransomware had been used to encrypt files on its network. The investigation revealed the threat actors behind the attack exfiltrated files between August 12 and September 14, 2020, some of which contained protected health information.

The types of data obtained by the hackers included names, addresses, dates of birth, driver’s license and state ID numbers, passport numbers, medical treatment/diagnosis information, medical record information, health insurance and claims information, credit and debit card information, and financial account information.

The class action lawsuit, brought by Plaintiffs Alec Vinsant and Marla Vinsant, alleges US Fertility failed to implement adequate data security measures which caused them to suffer irreparable harm and placed them at an increased risk of identity theft and fraud.

The harm suffered by the breach victims that the lawsuit seeks to address includes the theft of personal data and its exposure to cybercriminals, unauthorized charges on credit/debit card accounts, costs associated with the detection and prevention of identity theft and unauthorized use of financial accounts, damages due to accounts being suspended or rendered unusable, inability to withdraw funds, costs and time associated with mitigating the breach and preventing future negative consequences, and imminent and impending injury from potential fraud and identity theft as a result of personal information being sold on the dark web.

Class action lawsuits often allege harm, although in many cases the lawsuits fail as the plaintiffs are unable to provide evidence of injuries or losses sustained as a direct result of the data breach. That was the case with the proposed class action lawsuit against Brandywine Urology, which was recently dismissed by the Delaware Superior Court. Whether the lawsuit succeeds is likely to depend to a large extent on whether the plaintiffs can provide sufficient evidence that they have suffered actual harm due to the ransomware attack and data breach.

Plaintiff Alec Vinsant alleges someone used his Social Security number to fraudulently apply for unemployment benefits in Nevada one month after the data breach occurred and plaintiff Marla Vinsant said her credit score had unexpectedly fallen by 50 points following the attack.

The lawsuit alleges US Fertility was on notice that the healthcare industry was being targeted by ransomware gangs and was aware of the need to encrypt data, yet failed to do so, and US Fertility failed to comply with Federal Trade Commission requirements for data security. The lawsuit alleges negligence, breach of implied contract, unjust enrichment, and violations of the Nevada Deceptive Trade Practices Act.

The lawsuit seeks class action status, a jury trial, damages for plaintiffs and class members, reimbursement of out-of-pocket expenses and legal costs, and other relief. The lawsuit also seeks an order requiring US Fertility to implement proper data security policies and practices, including encryption of sensitive data, deletion or destruction of class members’ PII, proper network segmentation, and penetration tests, to provide further security awareness training for the entire workforce, and to undergo third-party security audits, database scanning, and firewall tests.


Email Account Breach at Law Firm Affects More Than 36,000 UPMC Patients

University of Pittsburgh Medical Center (UPMC) has announced the protected health information of more than 36,000 patients has potentially been accessed by unauthorized individuals following a cyberattack on a company that provides billing-related legal services to UPMC.

In June 2020, Charles J. Hilton & Associates P.C. (CJH) discovered suspicious activity in its employee email system and launched an investigation. On July 21, 2020, CJH determined that hackers had gained access to the email accounts of several of its employees between April 1, 2020 and June 25, 2020.

Computer forensics specialists conducted an extensive investigation into the incident to determine which information was accessed or obtained by the hackers. UPMC said it received a notification about the breach in December 2020 confirming patient information may have been accessed by the hackers. Notification letters are now being sent by CJH to all patients potentially affected by the breach. UPMC said none of its systems, including its electronic medical record system, were affected, and the only information involved was patient information provided to CJH to provide its contracted billing-related legal services.

CJH said the compromised accounts contained names, dates of birth, Social Security numbers, bank or financial account numbers, driver’s license numbers, state identification card numbers, electronic signatures, medical record numbers, patient account numbers, patient control numbers, visit numbers, trip numbers, Medicare or Medicaid identification numbers, individual health insurance or subscriber numbers, group health insurance or subscriber numbers, medical benefits and entitlement information, disability access and accommodation, and information related to occupational-health, diagnosis, symptoms, treatment, prescription or medications, drug tests, billing or claims, and/or disability.

CJH is offering complimentary membership to credit monitoring and identity theft protection services to affected individuals.

UPMC Health Plan Phishing Incident Impacts 19,000 Members

19,000 members of UPMC Health Plan are being notified that some of their protected health information has potentially been compromised. An email account of a UPMC Health Plan employee was accessed by an unauthorized individual on December 8, 2020. UPMC Health Plan was notified about the breach the following day.

The information stored in the compromised email account only included names, dates of birth, parent/guardian names, and limited clinical information, including dental provider and procedure information. No evidence was found to indicate any plan member information has been misused.

This phishing attack does not appear to be in any way connected to the phishing attack at Charles J. Hilton & Associates P.C.

Nevada Health Centers Alerts Patients About Email Account Breach

Nevada Health Centers has announced that the protected health information of some of its patients has potentially been compromised. Between November 20 and December 7, 2020, an unauthorized individual remotely logged into an employee’s email account that contained patient information.

The person who logged into the account appeared to be based overseas, with one of the login attempts made using a South African IP address. The attack appears to have been conducted to obtain financial information about Nevada Health Centers rather than patient health data, although it is possible that patient information was viewed or obtained in the attack. Nevada Health Centers said no evidence of PHI access or theft has been found.

The compromised email account was discovered to contain patient names in combination with one or more of the following types of information: Address, phone number, date of birth, gender, ethnicity, race, insurance information, appointment information, medical record number, provider name, service location(s). It is currently unclear how many patients have been affected by the breach.


Ramsey County and Crisp Regional Health Services Affected by Ransomware Attacks

The County Manager’s Office of Ramsey County, MN has started notifying 8,700 clients of its Family Health Division that some of their personal information has potentially been accessed by unauthorized individuals in a ransomware attack on one of its vendors.

St. Cloud-based Netgain Technology LLC provides technology services to Ramsey County, including an application used by the Family Health Division for documenting home visits. Data within that application was potentially accessed and exfiltrated by threat actors prior to the deployment of ransomware. The application contained information such as names, addresses, dates of birth, dates of service, telephone numbers, account numbers, health insurance information, medical information and, for a small number of individuals, Social Security numbers.

The attack appears to have been conducted with the sole purpose of extorting money from Netgain rather than to gain access to personal information; however, it was not possible to rule out unauthorized access or data theft.

Ramsey County was notified about the attack on December 2, 2020 and immediately stopped using Netgain’s services and applications and switched to backup processes. The attack has been reported to law enforcement and steps are being taken to harden security to prevent further attacks.

Crisp Regional Health Services Hit with Ransomware Attack

Cordele, GA-based Crisp Regional Health Services suffered a ransomware attack on January 27, 2021 that forced certain systems offline. The attack disabled the hospital’s telephone system and staff had to resort to radios for internal communication. Patients and their family members were advised to make contact via social media while the phone system was down.

Steps were immediately taken to secure information and contain the attack and third-party cybersecurity professionals have been engaged to assist with the investigation and determine the extent and scope of the breach, and whether the attackers accessed or exfiltrated patient data.

Crisp Regional Health Services’ community relations and foundation director, Brooke Marshall, said “Workflow was never compromised, patient care was never compromised.”

The investigation is ongoing and further information will be released as and when it becomes available.

Vulnerability in Vaccine Scheduling Tool Allowed Individuals to Cut in Line and Book Vaccination Appointments

Beaumont Health in Michigan experienced a breach of its Epic COVID-19 vaccine scheduling application over the weekend of January 30/31. An unauthorized individual exploited a vulnerability in the platform and publicly shared an unauthorized scheduling pathway. That pathway was subsequently used by 2,700 individuals to book COVID-19 vaccination appointments.

Beaumont Health notified Epic about the incident on January 31, 2021 and both worked together to address the issue. All 2,700 individuals who cut in line have had their vaccination appointments cancelled. Individuals who met the eligibility criteria and booked legitimate appointments for a COVID-19 vaccination have not been affected.

Epic issued a statement confirming that the incident did not result in any unauthorized individuals gaining access to patients’ medical or hospital records.
