HIPAA Breach News

5 Healthcare Providers Have Started Notifying Patients About Recent Phishing Attacks

A round-up of healthcare phishing attacks that have been publicly disclosed in the past few days.

2,254 Patients Affected by Leonard J. Chabert Medical Center Email Account Breach

Leonard J. Chabert Medical Center has been notified that the protected health information of some of its patients has been compromised in a phishing attack on LSU Health New Orleans Health Care Services Division (LSU HCSD).

LSU HCSD announced the breach publicly on November 20, 2020, but discovered on November 24, 2020 that some patient data from Leonard J. Chabert Medical Center, its partner hospital, had also potentially been compromised.

Leonard J. Chabert Medical Center was provided with information related to the breach on December 3, 2020. Analysis of that information revealed the protected health information of 2,254 patients had been exposed between September 15, 2020 and September 18, 2020.

For most patients, the exposed data was limited to names, phone numbers, addresses, medical record numbers, dates of birth, account numbers, dates of service, types of services received, and health insurance identification numbers. A small subset of patients also had their bank account number and/or limited health information such as diagnoses exposed.

LSU HCSD is reviewing its email security measures, which will be enhanced to prevent similar breaches in the future, and additional security awareness training is being provided to employees.

PHI of 1,800 Patients Potentially Compromised in Lynn Community Health Center Phishing Attack

Lynn Community Health Center (LCHC) in Massachusetts discovered an employee’s email account was accessed by an unauthorized individual after the employee responded to a phishing email. The phishing attack was discovered on November 25, 2020 and the email account was immediately secured. Assisted by a digital forensics company, LCHC determined that a maximum of 4 email accounts may have been compromised in the attack.

A review of the potentially breached accounts revealed they contained patient names in combination with one or more of the following data elements: date of birth, mailing address, phone number, insurance information, medical record number, diagnoses, and other clinical information. A subset of patients also had their Social Security number exposed.

The investigation, which is ongoing, has not uncovered any evidence to suggest patient data was stolen or misused, but as a precautionary measure, individuals whose Social Security number was potentially compromised have been offered complimentary credit monitoring and identity theft protection services.

Additional safeguards and security measures are being implemented to prevent further email security breaches, information protocols are being revised, and employee security awareness training has been reinforced.

1,440 Individuals Affected by Montgomery Hospice Phishing Attack

Montgomery Hospice, Inc. in Rockville, MD has learned that an unauthorized individual gained access to the email account of an employee on August 20, 2020. The breach was detected on November 16, 2020 and the email account was immediately secured.

A third-party cybersecurity firm was engaged to assist with the investigation, but it was not possible to determine which, if any, of the emails in the account were viewed or copied. A review of the email account confirmed the protected health information of 1,440 patients had been exposed, including names, medical record numbers, dates of birth, Social Security numbers, health insurance information, and limited medical information.

Affected individuals started to be notified about the breach on January 15, 2021. Only a limited number of patients had their Social Security numbers exposed and those individuals have been offered complimentary credit monitoring and identity protection services.

The hospice has since taken steps to improve email security and enhance its security infrastructure. Further training has also been provided to the workforce on how to identify and avoid phishing emails.

Auris Health Notifies Patients About March 2020 Email Account Breach

Redwood City, CA-based Auris Health has started notifying certain patients that some of their protected health information has potentially been accessed by an unauthorized individual who gained access to the email account of an employee in March 2020.

Upon discovery of the breach, access to the account was terminated and an investigation was conducted to determine the nature and scope of the breach. The investigation into the attack is ongoing, but Auris Health has determined that the compromised email account included patient names in combination with one or more of the following data elements: Social Security Number, tax identification number, passport number, health insurance number, health information, payment card information, and financial account number(s).

Auris Health is implementing additional security measures to prevent further breaches in the future, including enhancing its email authentication measures. Affected individuals have been offered a 2-year complimentary membership to credit and identity theft monitoring services.

The post 5 Healthcare Providers Have Started Notifying Patients About Recent Phishing Attacks appeared first on HIPAA Journal.

Montefiore Medical Center and Bethesda Hospital Fire Employees for HIPAA Breaches

Baptist Health’s Bethesda Hospital in Boynton Beach, FL has fired an employee for impermissibly accessing a patient’s protected health information and altering a home health order that was used to provide a patient with home care services.

The HIPAA breach was identified on December 1, 2020, prompting an internal investigation. The employee has now been terminated and the incident reported to law enforcement.

The investigation revealed other patient records may also have been accessed by the former employee between June 1, 2019 and December 2, 2020. The types of information potentially viewed included names, dates of birth, addresses, health insurance information, Social Security numbers, and clinical documentation.

All affected individuals have been notified and offered complimentary identity theft protection and credit monitoring services, and Baptist Health is exploring ways to further safeguard patients’ protected health information and prevent similar breaches in the future.

The incident has yet to be listed on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many patients have been affected.

Montefiore Medical Center Fires Employee for Unauthorized Medical Record Access

Montefiore Medical Center in New York has discovered an employee accessed the protected health information of patients without authorization over a period of 5 months in 2020. Upon discovery of the unauthorized access, Montefiore immediately deactivated the employee’s access to the electronic medical record system and an investigation was launched to determine the extent of the HIPAA violations.

After a thorough investigation, the employee was terminated and the matter was reported to law enforcement for possible criminal prosecution. The types of information viewed by the former employee varied from patient to patient and may have included first and last names, addresses, dates of birth, medical record numbers, clinical information such as test results, diagnoses, and visit histories and the last four digits of Social Security numbers.

No reason was provided as to why the information was accessed, but no evidence was found to indicate patient information has been used for identity theft or fraud. All affected patients have now been notified and offered complimentary identity theft protection services.

This is the second incident involving improper medical record access to be announced by Montefiore Medical Center in the past 5 months. In September 2020, the medical center announced a former employee had stolen the PHI of approximately 4,000 patients between January 2018 and July 2020.


Failure to Patch Results in 7-Year Breach of Florida Medicaid Applicants’ PHI

The Tallahassee, FL-based Medicaid health plan, Florida Healthy Kids Corporation, has discovered its web hosting provider failed to patch vulnerabilities that were exploited by cybercriminals to gain access to its website and the protected health information of benefit applicants over the past 7 years.

Florida Healthy Kids used Jelly Bean Communications Design, LLC to host its website. The website included an online application that recorded information about individuals when they applied for Florida KidCare benefits or renewed their health or dental coverage online.

On December 9, 2020, Jelly Bean Communications notified Florida Healthy Kids that unauthorized individuals had gained access to the website and tampered with the addresses of several thousand applicants. Florida Healthy Kids engaged cybersecurity experts to conduct an investigation to determine the scope and severity of the breach.

Florida Healthy Kids temporarily shut down the website while the breach was investigated to prevent any further unauthorized access. The review of the hosted website platform and databases that supported the Florida KidCare application revealed several vulnerabilities were present from November 2013 to December 2020, and that the vulnerabilities had been exploited to gain access to the website.

While evidence was found showing applicant addresses had been tampered with, it is also possible that the attackers exfiltrated applicant data, although no evidence of data theft was found.

The types of information exposed to the hackers included full names, birth dates, email addresses, telephone numbers, physical and mailing addresses, Social Security numbers, financial information, family relationships of individuals included in the application, and secondary insurance information.

The Florida KidCare online application remains offline while a new web hosting vendor is found. Affected individuals started to be notified on January 27, 2020 and have been advised to take steps to protect their identities, including setting up fraud alerts and security freezes. It is currently unclear exactly how many individuals have been affected.


Almost 190,000 Patients Affected by Roper St. Francis Healthcare Phishing Attack

Roper St. Francis Healthcare has notified 189,761 patients that some of their protected health information was contained in employee email accounts that were accessed by an unauthorized individual. The email security breach was detected in late October 2020, and the subsequent investigation revealed three email accounts were compromised between October 14 and October 29, 2020.

A review of the email accounts was conducted to determine the information that was potentially accessed. It was not possible to tell if patient information was viewed or exfiltrated, although the attacker would have been able to access names, medical record numbers, patient account numbers, dates of birth, and limited treatment and clinical information, such as dates of service, locations of service, providers’ names, and billing information. The email accounts also contained the health insurance information and Social Security numbers of a limited number of patients.

Roper St. Francis Healthcare has offered complimentary credit monitoring and identity theft protection services to individuals whose Social Security number was potentially compromised. Steps have been taken to improve email security and employees have been provided with further training on email protection.

Einstein Healthcare Network Sends Additional Notifications About August 2020 Email Security Incident

Einstein Healthcare Network is notifying patients about a phishing attack that was discovered in the summer of 2020. The Pennsylvania-based healthcare provider, which operates medical centers in Philadelphia, Elkins Park, and East Norriton, identified unusual email account activity on August 10, 2020. The incident was investigated and it was determined that multiple employee email accounts had been accessed by an unauthorized individual between August 5, 2020 and August 17, 2020.

A review of the compromised email accounts was conducted to determine whether they contained any patient information. The review revealed emails and attachments contained the following types of patient data: names, dates of birth, medical record numbers, patient account numbers, diagnoses, medications, provider names, types of treatment, and treatment locations. The types of information in the accounts varied from patient to patient, and for some patients also included Social Security numbers and health insurance information.

It was not possible to determine whether the unauthorized individual viewed or exfiltrated patient data while access to the email accounts was possible. Einstein Healthcare Network sent out a batch of breach notification letters to individuals potentially affected by the incident starting on October 9, 2020. The breach was reported to the HHS’ Office for Civil Rights the same day. The OCR breach portal lists the incident as affecting 1,821 patients.

According to Einstein Healthcare Network’s substitute breach notice, “We continued our investigation, which concluded on November 16, 2020, and additional letters are mailing between January 21, 2021 and February 8, 2021.”

Email Incident Report by New York Center for Alternative Sentencing and Employment Services

The Center for Alternative Sentencing and Employment Services (CASES) in New York has discovered the email accounts of certain employees have been compromised. Hackers had access to the email accounts between July 6 and October 4, 2020.

An investigation of the breach revealed the hackers exfiltrated emails from the accounts that included patient data. For most patients, the stolen information was limited to name, date of birth, medical record/client ID number, and some clinical information related to the care provided by CASES. Some clients also had their Social Security number, driver’s license number, and/or health insurance information stolen. Those individuals have been offered complimentary credit monitoring and identity theft protection services.

Steps have since been taken to improve email security and the workforce has received further security awareness training.


Rady Children’s Hospital Facing Class Action Lawsuit over Blackbaud Ransomware Attack

In May 2020, the cloud software company Blackbaud suffered a ransomware attack. As is common in human-operated ransomware attacks, data was exfiltrated prior to file encryption. Some of the stolen data included the fundraising databases of its healthcare clients.

One of the affected healthcare providers was Rady Children’s Hospital-San Diego, the largest children’s hospital in California in terms of admissions. A class action lawsuit has been proposed that alleges Rady was negligent for failing to protect the sensitive information of 19,788 individuals, which was obtained by the hackers through Blackbaud’s donor management software solution.

The lawsuit alleges Rady failed to implement adequate security measures and failed to ensure Blackbaud had adequate security measures in place to protect ePHI and ensure it remained private and confidential. The lawsuit alleges individuals affected by the breach now face “imminent, immediate, substantial and continuing increased risk” of identity theft and fraud as a result of the breach and Rady’s negligence.

Blackbaud discovered the ransomware attack in May 2020. The company’s investigation revealed the hackers had access to the fundraising databases of its healthcare clients between February 7 and June 4, 2020. Blackbaud said the hackers were expelled from the network as soon as the breach was discovered, but that a subset of client data had been obtained by the attackers.

Blackbaud took the decision to pay the ransom to ensure the stolen data was deleted. Assurances were received from the attackers that the data had been permanently destroyed. In its breach notification letters, Rady explained that the types of information potentially obtained by the hackers included patients’ names, addresses, dates of birth, physicians’ names, and the department where medical services were provided.

The lawsuit alleges Rady cannot reasonably maintain that the hackers destroyed the plaintiffs’ personal information. According to the complaint, “On information and belief, Blackbaud has not provided verification or further details regarding the disposition of the data to confirm that the stolen data has been destroyed.” The lawsuit also alleges neither Rady nor Blackbaud are aware how the hackers exfiltrated data, and whether it was transmitted in a secure manner and could not have been intercepted by other individuals.

According to the lawsuit, Rady had the necessary resources to protect patient data but neglected to implement appropriate security. The plaintiffs seek compensation, long-term protection against identity theft and fraud, and a court order to enforce changes to Rady’s security policies to ensure breaches such as this, and several others cited in the report, do not happen again.

Blackbaud is also facing multiple class action lawsuits over the breach. At least 23 putative class action lawsuits have been filed against Blackbaud, according to its 2020 Q3 Quarterly Filing with the U.S. Securities and Exchange Commission. The lawsuits have been filed in 17 federal courts, 4 state courts, and 2 Canadian courts. Each alleges victims of the breach have suffered harm as a result of the theft of their personal data.

Blackbaud also said more than 160 claims have been received from its customers and their attorneys in the U.S., U.K., and Canada. Blackbaud is also being investigated by government agencies and regulators, including 43 state Attorneys General and the District of Columbia, the Department of Health and Human Services, the Federal Trade Commission, the Office of the Privacy Commissioner of Canada, and the U.K. data protection authority, the Information Commissioner’s Office.


HIPAA Enforcement by State Attorneys General

The Department of Health and Human Services’ Office for Civil Rights is the main enforcer of HIPAA compliance; however, state Attorneys General also play a role in enforcing compliance with the Rules of the Health Insurance Portability and Accountability Act (HIPAA).

The Health Information Technology for Economic and Clinical Health (HITECH) Act gave state attorneys general the authority to bring civil actions on behalf of state residents who have been impacted by violations of the HIPAA Privacy and Security Rules, and they can obtain damages on behalf of state residents. The Connecticut Attorney General was the first to exercise this right in 2010 against Health Net Inc. for the loss of an unencrypted hard drive containing the electronic protected health information of 1.5 million individuals and for delayed breach notifications. The case was settled for $250,000. The Vermont Attorney General followed suit with a similar action against Health Net in 2011 that was settled for $55,000, and Indiana brought a civil action against Wellpoint Inc. in 2011 that was settled for $100,000.

HIPAA cases brought by state attorneys general were relatively rare, with only 11 settlements reached with HIPAA-covered entities and business associates to resolve HIPAA violations between 2010 and 2015. HIPAA enforcement by state attorneys general was stepped up in 2017 with 5 settlements, and again in 2018 when 12 cases resulted in financial penalties for violations of the HIPAA Rules.

In 2019 and 2020, a total of just 5 cases resulted in financial penalties, although those penalties were sizeable, with four of the five cases being multistate actions against HIPAA-covered entities and business associates where several state attorneys general participated in the actions. These multistate actions allow state attorneys general to pool their resources and investigate potential violations of HIPAA and state laws more efficiently.

2023 was a busy year in terms of enforcement, with 16 enforcement actions to resolve violations of the HIPAA Rules and state consumer protection and breach notification laws. Cases were resolved by the Attorneys General in California, Colorado, Indiana, New York, Ohio, and Pennsylvania, and three multistate investigations were resolved, including a 49-state action against Blackbaud, a 32-state action against Personal Touch Home Care, and a 4-state action against EyeMed Vision Care. The case against Blackbaud over its 5.5 million-record breach resulted in a penalty of $49.5 million.

When civil actions are brought against covered entities or business associates by state Attorneys General, they are separate from any Office for Civil Rights action; OCR may also choose to investigate and impose its own fines and penalties. Several data breaches have resulted in settlements being reached at both the federal and state level. Community Health Systems/CHSPSC, Anthem Inc., Premera Blue Cross, Aetna, Cottage Health System, University of Rochester Medical Center, and Medical Informatics Engineering have all settled cases with OCR and separate cases with state attorneys general to resolve potential HIPAA violations.

In many of the state AG enforcement actions below, the financial penalties resolve violations of federal (HIPAA) and/or state laws. Over the years there have been several cases where the HIPAA Rules were violated, but the decision was taken to bring actions for violations of the equivalent provisions in state laws. The cases detailed below therefore include cases where the HIPAA Rules were violated but action was taken for the violation of state laws.

HIPAA Enforcement by State Attorneys General in 2024

| Year | State | Entity | Amount | Individuals Affected | Reason for Investigation | Findings |
|---|---|---|---|---|---|---|
| 2024 | New York | Refuah Health Center | $450,000 and invest $1.2 million in cybersecurity | 260,740 | May 2021 ransomware attack | Multiple violations of the HIPAA Security Rule, a violation of the HIPAA Breach Notification Rule, and violations of New York Business Law. |

HIPAA Enforcement by State Attorneys General in 2023

State attorneys general have imposed three financial penalties for HIPAA violations or equivalent violations of state laws.

| Year | State | Entity | Amount | Individuals Affected | Reason for Investigation | Findings |
|---|---|---|---|---|---|---|
| 2023 | New York | New York Presbyterian Hospital | $300,000 | 54,396 | Use of pixels and other tracking tools on website | Violation of the HIPAA Privacy Rule and New York Executive Law for impermissibly disclosing PHI to third parties. |
| 2023 | New York | Healthplex | $400,000 | 89,955 (62,922 in New York) | Phishing attack | Violation of New York’s data security and consumer protection laws (data retention/logging, MFA, data security assessments). |
| 2023 | Indiana | CarePointe ENT | $120,000 | 48,742 | Ransomware attack and data breach | Failure to address known vulnerabilities, business associate agreement failure, violations of the Indiana Disclosure of Security Breach Act and Indiana Deceptive Consumer Sales Act. |
| 2023 | New York | U.S. Radiology Specialists Inc. | $450,000 | 198,260, including 92,540 New York residents | Cyberattack and data breach | Failure to upgrade hardware in a reasonable time frame to address a known vulnerability. |
| 2023 | New York | Personal Touch Holding Corp | $350,000 | 753,107 | Ransomware attack | Only had an informal information security program, insufficient access controls, no continuous monitoring system, lack of encryption, and inadequate staff training. |
| 2023 | Multistate (32 states and PR) | Inmediata | $1.4 million | 1,565,338 | Unsecured server exposed PHI online; breach notifications | Failure to implement appropriate safeguards to ensure data security, and breach response failures, which violated the HIPAA Security Rule, Breach Notification Rule, and state breach notification laws. |
| 2023 | Multistate (49 states and DC) | Blackbaud | $49.5 million | 5,500,000 | Ransomware attack | Violations of the HIPAA Rules regarding safeguards and breach response, and violations of state consumer data protection laws. |
| 2023 | Colorado | Broomfield Skilled Nursing and Rehabilitation Center | $60,000 ($25,000 suspended if full compliance with corrective measures) | 677 | 2 compromised email accounts | Violations of the HIPAA Security Rule and state data protection laws, including the Colorado Consumer Protection Act (CCPA). |
| 2023 | Indiana | Schneck Medical Center | $250,000 | 89,707 | Ransomware attack and data breach | Violations of the HIPAA Privacy, Security, and Breach Notification Rules; violations of the Indiana Disclosure of Security Breach Act and the Indiana Deceptive Consumer Sales Act. |
| 2023 | California | Kaiser Foundation Health Plan Inc. and Kaiser Foundation Hospitals | $49,000,000 | 7,700 | Improper disposal of hazardous waste, medical waste, and protected health information | Violations of HIPAA, California’s Hazardous Waste Control Law, Medical Waste Management Act, Confidentiality of Medical Information Act, Customer Records Law, and Unfair Competition Law. |
| 2023 | California | Kaiser Permanente | $450,000 | Up to 167,095 | Mailing error and PHI disclosure | California Confidentiality of Medical Information Act (CMIA) violations: impermissible disclosure of PHI and negligent maintenance or disposal of PHI. |
| 2023 | New York | Practicefirst Medical Management Solutions (Professional Business Systems Inc.) | $550,000 | 1.2 million | Ransomware attack and data breach | Failure to patch a critical firewall vulnerability for 22 months; no penetration testing or vulnerability scanning; lack of encryption for sensitive health data. |
| 2023 | Multistate (Oregon, New Jersey, Florida, and Pennsylvania) | EyeMed Vision Care | $2,500,000 | 2.1 million | Ransomware attack and data breach | Insufficient password complexity requirements, insufficient locking of accounts after failed password attempts, no multifactor authentication on a browser-accessible email account containing large amounts of PHI, inadequate logging and monitoring of email accounts, and storing unnecessary amounts of PHI in email accounts. |
| 2023 | New York | Heidell, Pittoni, Murphy & Bach LLP | $200,000 | 61,438 | Ransomware attack and data breach | Violation of 17 provisions of the HIPAA Privacy and Security Rules. |
| 2023 | Pennsylvania | DNA Diagnostics Center | $200,000 | 33,000 | Stolen database containing 2.1 million records | Lack of safeguards, failure to update asset inventory, failure to remove assets not used for business purposes. |
| 2023 | Ohio | DNA Diagnostics Center | $200,000 | 12,600 | Stolen database containing 2.1 million records | Lack of safeguards, failure to update asset inventory, failure to remove assets not used for business purposes. |

This article will be updated as and when new fines, settlements, and other resolutions are announced to resolve violations of HIPAA and state laws.

HIPAA Enforcement by State Attorneys General in 2022

| Year | State | Entity | Amount | Individuals Affected | Reason for Investigation | Findings |
|---|---|---|---|---|---|---|
| 2022 | Oregon and Utah | Avalon Healthcare | $200,000 | 14,500 | 10-month delay in notifying individuals about a phishing attack and data breach | The 10-month delay violated HIPAA (60-day reporting deadline) and Oregon law (45-day reporting deadline), and email security practices were found to be insufficient. The settlement includes several data security requirements, including the appointment of an individual responsible for developing, implementing, and maintaining a comprehensive data security program to ensure compliance with consumer protection laws and HIPAA, along with email filtering, security awareness training, and multifactor authentication. |
| 2022 | Massachusetts | Aveanna Healthcare | $425,000 | 166,000 | Phishing attack and data breach | The Massachusetts Attorney General determined there was a lack of appropriate safeguards to prevent phishing attacks, such as multifactor authentication and security awareness training for its workforce. The security measures implemented did not meet the minimum level for compliance with the Standards for the Protection of Personal Information of Residents of the Commonwealth of Massachusetts or the HIPAA Security Rule. |
| 2022 | New York | EyeMed Vision Care | $600,000 | 2.1 million | Phishing attack and data breach | Insufficient password complexity requirements, insufficient locking of accounts after failed password attempts, no multifactor authentication on a browser-accessible email account containing large amounts of PHI, inadequate logging and monitoring of email accounts, and storing unnecessary amounts of PHI in email accounts. |

HIPAA Enforcement by State Attorneys General in 2021

New Jersey was particularly active in HIPAA enforcement in 2021 and was the only state to initiate its own investigations and issue financial penalties to resolve HIPAA violations that year. New Jersey also participated in a joint investigation into the data breach at American Medical Collection Agency (AMCA), one of the largest ever breaches of healthcare data. The AMCA HIPAA case saw a $21 million financial penalty imposed; however, due to the huge costs incurred as a result of the breach, AMCA filed for bankruptcy protection. Due to the financial position of the company, the financial penalty was suspended and will only need to be paid if AMCA defaults on the terms of the settlement agreement.

| Year | State | Entity | Amount | Individuals Affected | Reason for Investigation | Findings |
|---|---|---|---|---|---|---|
| 2021 | New Jersey | Regional Cancer Care Associates (Regional Cancer Care Associates LLC, RCCA MSO LLC, and RCCA MD LLC) | $425,000 | 105,000 | Phishing attack and data breach | Failure to ensure the confidentiality, integrity, and availability of PHI, failure to protect against reasonably anticipated threats, failure to implement security measures to reduce risks, failure to conduct an accurate risk assessment, lack of a security awareness and training program. |
| 2021 | New Jersey | Command Marketing Innovations, LLC and Strategic Content Imaging LLC | $130,000 (plus $65,000 suspended) | 55,715 | Printing and mismailing incident | Failure to ensure the confidentiality of PHI, lack of PHI safeguards, failure to review security measures following changes to procedures. |
| 2021 | New Jersey | Diamond Institute for Infertility and Menopause | $495,000 | 14,663 | Hacking incident and data breach | Multiple Privacy Rule and Security Rule failures, and violations of the Consumer Fraud Act. |
| 2021 | Multistate (41 state attorneys general) | American Medical Collection Agency | $21 million (suspended) | 21 million | Hacking incident and data breach | Security failures, including failure to detect a data breach. |

HIPAA Enforcement by State Attorneys General in 2020

| Year | State | Entity | Amount | Individuals Affected | Reason for Investigation | Findings |
|---|---|---|---|---|---|---|
| 2020 | Multistate (28 states) | Community Health Systems / CHSPSC LLC | $5,000,000 | 6.1 million | Hacked by Chinese APT group | Failure to implement and maintain reasonable security practices. |
| 2020 | Multistate (43 states) | Anthem Inc | $39.5 million | 78.8 million | Phishing attack and major data breach | Multiple violations of HIPAA and state laws. |
| 2020 | California | Anthem Inc | $8.7 million | 78.8 million | Phishing attack and major data breach | Multiple violations of HIPAA and state laws. |

HIPAA Enforcement by State Attorneys General in 2019

| Year | State | Entity | Amount | Individuals Affected | Reason for Investigation | Findings |
|---|---|---|---|---|---|---|
| 2019 | Multistate (30 states) | Premera Blue Cross | $10,000,000 | 10.4 million | Hacking incident and major data breach | Multiple violations of HIPAA and state laws. |
| 2019 | Multistate (16 states) | Medical Informatics Engineering | $900,000 | 3.5 million | Breach of NoMoreClipboard data | Multiple violations of HIPAA and state laws. |
| 2019 | California | Aetna | $935,000 | 1,991 | 2 mailings exposed PHI (Afib, HIV) | Impermissible disclosure of sensitive health information. |

HIPAA Enforcement by State Attorneys General in 2018

| Year | State | Entity | Amount | Individuals Affected | Reason for Investigation | Findings |
|---|---|---|---|---|---|---|
| 2018 | Massachusetts | McLean Hospital | $75,000 | 1,500 | Loss of backup tapes | Insufficient risk assessment, failure to encrypt data, delayed breach notifications |
| 2018 | New Jersey | EmblemHealth | $100,000 | 6,443 (81,000) | Mailing error exposed SSNs | Impermissible disclosure of PHI, lack of staff training |
| 2018 | New Jersey | Best Transcription Medical | $200,000 | 1,650 | Exposure of ePHI on the Internet | Risk assessment and risk management failure, breach notification failure |
| 2018 | Multistate (CT, NJ, DC) | Aetna | $640,170.59 | 13,160 | 2 mailings exposed PHI (Afib, HIV) | Impermissible disclosure of sensitive health information |
| 2018 | Massachusetts | UMass Memorial Medical Group / UMass Memorial Medical Center | $230,000 | 15,000 | Multiple data breaches | Failure to secure ePHI |
| 2018 | New York | Arc of Erie County | $200,000 | 3,751 | Exposure of ePHI on the Internet | Failure to secure ePHI |
| 2018 | New Jersey | Virtua Medical Group | $417,816 | 1,654 | Exposure of ePHI on the Internet | Multiple violations of the HIPAA Rules |
| 2018 | New York | EmblemHealth | $575,000 | 81,122 | Mailing error exposed SSNs | Impermissible disclosure of PHI, lack of staff training |
| 2018 | New York | Aetna | $1,150,000 | 12,000 | 2 mailings exposed PHI (Afib, HIV) | Impermissible disclosure of sensitive health information |

HIPAA Enforcement by State Attorneys General in 2017

| Year | State | Entity | Amount | Individuals Affected | Reason for Investigation | Findings |
|---|---|---|---|---|---|---|
| 2017 | California | Cottage Health System | $2,000,000 | More than 54,000 | Exposure of PHI on the Internet | Failure to safeguard personal information |
| 2017 | Massachusetts | Multi-State Billing Services | $100,000 | 2,600 | Theft of unencrypted laptop computer | Failure to safeguard personal information |
| 2017 | New Jersey | Horizon Healthcare Services Inc | $1,100,000 | 3.7 million | Theft of 2 unencrypted laptop computers | Failure to safeguard personal information |
| 2017 | Vermont | SAManage USA, Inc. | $264,000 | 660 | Exposure of PHI on the Internet | Failure to secure ePHI, breach notification failure |
| 2017 | New York | CoPilot Provider Support Services, Inc | $130,000 | 221,178 | Delayed breach notification | Violation of breach notification requirements |

HIPAA Enforcement by State Attorneys General (2010-2016)

| Year | State | Entity | Amount | Individuals Affected | Reason for Investigation | Findings |
|---|---|---|---|---|---|---|
| 2015 | New York | University of Rochester Medical Center | $15,000 | 3,403 | List of patients provided to nurse who took it to a new employer | Impermissible disclosure of ePHI |
| 2015 | Connecticut | Hartford Hospital / EMC Corporation | $90,000 | 8,883 | Theft of unencrypted laptop containing PHI | Lack of Business Associate Agreement, failure to encrypt ePHI |
| 2014 | Massachusetts | Women & Infants Hospital of Rhode Island | $150,000 | 12,000 | Loss of backup tapes containing PHI | Failure to safeguard ePHI, lack of staff training |
| 2014 | Massachusetts | Boston Children’s Hospital | $40,000 | 2,159 | Loss of laptop containing PHI | Failure to encrypt ePHI |
| 2014 | Massachusetts | Beth Israel Deaconess Medical Center | $100,000 | 3,796 | Loss of laptop containing PHI | Failure to encrypt ePHI |
| 2013 | Massachusetts | Goldthwait Associates | $140,000 | 67,000 | Mishandling of PHI | Improper disposal of PHI |
| 2012 | Minnesota | Accretive Health | $2,500,000 | 24,000 | Mishandling of PHI | Failure to safeguard PHI |
| 2012 | Massachusetts | South Shore Hospital | $750,000 | 800,000 | Loss of backup tapes containing PHI | Failure to safeguard PHI |
| 2011 | Vermont | Health Net Inc. | $55,000 | 1,500,000 | Loss of unencrypted hard drive / delayed breach notifications | Failure to safeguard PHI, violation of breach notification requirements |
| 2011 | Indiana | WellPoint Inc. | $100,000 | 32,000 | Failure to report breach in a reasonable timeframe | Violation of breach notification requirements |
| 2010 | Connecticut | Health Net Inc. | $250,000 | 1,500,000 | Loss of unencrypted hard drive | Failure to safeguard PHI, violation of breach notification requirements |

The post HIPAA Enforcement by State Attorneys General appeared first on HIPAA Journal.

Data Breaches Reported by Gainwell Technologies, TaylorMade Diagnostics, and Mattapan Community Health Center

Gainwell Technologies has discovered unauthorized individuals have potentially accessed the information of certain participants of Wisconsin’s Medicaid program, which was stored in emails and email attachments in a compromised account.

Access to the email account was first gained on October 29, 2020 and continued until November 16, 2020. The account contained information such as names, member ID numbers, and billing codes for services. Approximately 1,200 Wisconsin Medicaid members have been affected. Affected individuals have been offered a 1-year complimentary membership to credit monitoring services.

Gainwell provides fiscal-agent services for the Wisconsin Department of Health Services (DHS) Medicaid Program. Since the breach occurred, the DHS and Gainwell have worked together to prevent similar breaches in the future.

This is the second incident to be reported as having affected Gainwell in recent weeks. Gainwell operates the Medicaid Management Information System used by the Tennessee state Medicaid health plan, TennCare. Gainwell discovered that an error at a mailing vendor resulted in mailings being sent to incorrect addresses between 2019 and 2020. The two incidents are not related.

Email Account Breach Reported by Mattapan Community Health Center

Mattapan Community Health Center (MCHC) is notifying 4,075 patients that some of their protected health information was contained in an email account that was accessed by unauthorized individuals.

Unusual email account activity was detected on October 16, 2020. Assisted by a third-party computer forensics firm, MCHC determined the email account was compromised on July 28, 2020. Through a manual and programmatic review of the email account, MCHC determined the following information may have been accessed by unauthorized individuals: Names, Social Security numbers, medical diagnoses, treatment information, provider information, health insurance information, and/or medical record numbers.

Additional security measures have now been implemented to prevent further email security breaches.

Conti Ransomware Gang Leaks Data Stolen in Attack on TaylorMade Diagnostics

Chesapeake, VA-based TaylorMade Diagnostics, an operator of occupational health clinics used by transportation companies and government agencies, has suffered a ransomware attack that has resulted in workers’ health data being leaked online.

Approximately 3,000 files stolen by the ransomware gang prior to file encryption have been published on a darknet leak site operated by the Conti ransomware gang. The leaked data relates to employees of Taylor Made Diagnostics clients, including the United Parcel Service and Norfolk Southern Railroad. The leaked data includes details of medical examinations, drug and alcohol testing reports, and full names, Social Security numbers, and scans of driver’s licenses.

Hendrick Health Provides Update on November 2020 Ransomware Attack

Hendrick Health has provided further information on a ransomware attack that forced it to adopt EHR downtime procedures in November 2020. The attack was detected on November 20, 2020 and steps were immediately taken to contain the attack. The investigation into the incident has revealed the attackers first gained access to its systems on October 10, 2020 and potentially viewed or obtained patient information between that date and November 9, 2020.

The types of data that may have been accessed included patients’ names, Social Security numbers, demographic data, and other information related to the care provided by Hendrick Health. The incident only affected patients who had previously received medical services at Hendrick Medical Center or the Hendrick Clinic. The locations at Hendrick Medical Center Brownwood and Hendrick Medical Center South were not affected.

The ePHI of 640,436 patients was stored on the compromised systems. Data security measures and system monitoring have now been strengthened and new features have now been added to its security alert software.

The post Data Breaches Reported by Gainwell Technologies, TaylorMade Diagnostics, and Mattapan Community Health Center appeared first on HIPAA Journal.

At Least 560 U.S. Healthcare Facilities Were Impacted by Ransomware Attacks in 2020

Ransomware attacks have had a massive impact on businesses and organizations in the United States, and 2020 was a particularly bad year. The healthcare industry, education sector, and federal, state, and municipal governments and agencies have been targeted by ransomware gangs and there were at least 2,354 attacks on these sectors in 2020, according to the latest State of Ransomware report from the New Zealand-based cybersecurity firm Emsisoft.

The number of ransomware attacks increased sharply toward the end of 2019, and while the attacks slowed in the first half of 2020, a major coordinated campaign was launched in September when attacks dramatically increased and continued to occur in large numbers throughout the rest of the year.

In 2020 there were at least 113 ransomware attacks on federal, state, and municipal governments and agencies, 560 attacks on healthcare facilities in 80 separate incidents, and 1,681 attacks on schools, colleges, and universities.

These attacks have caused significant financial harm and in some cases the disruption has had life-threatening consequences. Healthcare services have had to be suspended, ambulances have been redirected to alternative facilities, 911 services have been interrupted, medical appointments have been postponed, and test results have been delayed. “The fact that there were no ransomware-related deaths in the US last year was simply due to good luck. Security needs to be bolstered across the public sector before that luck runs out and lives are lost,” said Fabian Wosar, CTO, Emsisoft.

One of the most damaging attacks was on Universal Health Services, a health system that operates more than 400 hospitals and healthcare facilities in the United States. The attack affected all its locations and caused considerable disruption. An attack on the University of Vermont Health Network forced systems offline, including its EHR system. Several hospital systems remained out of action for several weeks after the attack. The ransomware attack cost the health system around $1.5 million a day in additional expenses and lost revenue while it recovered. “Statistics let us know that the average ransomware incident costs $8.1 million and 287 days to recover,” said Gus Genter, CIO, Winnebago County, who was quoted in the report.

It has become increasingly common for ransomware threat actors to steal sensitive data prior to file encryption and for threats to be issued to publish or sell the stolen data if the ransom is not paid. This tactic was first adopted by the Maze ransomware gang, but many other threat groups have now adopted the same tactic. Emsisoft said only the Maze ransomware gang was exfiltrating data prior to file encryption at the start of 2020, but now at least 17 other threat groups are stealing data and publishing it on leak sites if the ransom is not paid.

In some cases, even payment of the ransom does not guarantee the stolen data will be deleted. Several ransomware gangs, including Sodinokibi (REvil), Netwalker, and Mespinoza are known to have leaked stolen data even after the ransom was paid.

Emsisoft notes that in the first half of 2020, only one of the 60 ransomware attacks on federal, state, county, and municipal governments and agencies resulted in stolen data being leaked; however, in the second half of the year, 23 out of the 53 attacks saw stolen data released on leak sites. At least 12 healthcare organizations that were attacked with ransomware had sensitive data stolen and leaked online.

2020 was clearly a bad year, but there is little to suggest 2021 will be any better. Ransomware attacks are likely to continue at pace and may even increase. “Unless significant action is taken, we anticipate 2021 being another banner year for cybercriminals,” explained Emsisoft in the report.

The post At Least 560 U.S. Healthcare Facilities Were Impacted by Ransomware Attacks in 2020 appeared first on HIPAA Journal.

2020 Healthcare Data Breach Report: 25% Increase in Breaches in 2020

More large healthcare data breaches were reported in 2020 than in any other year since the HITECH Act called for the U.S. Department of Health and Human Services’ Office for Civil Rights to start publishing healthcare data breach figures on its website.

In 2020, healthcare data breaches of 500 or more records were reported at a rate of more than 1.76 per day. 2020 saw 642 large data breaches reported by healthcare providers, health plans, healthcare clearing houses and business associates of those entities – 25% more than 2019, which was also a record-breaking year.

More than twice the number of data breaches are now being reported than 6 years ago and three times the number of data breaches that occurred in 2010.

Key Takeaways

  • 25% year-over-year increase in healthcare data breaches.
  • Healthcare data breaches have doubled since 2014.
  • 642 healthcare data breaches of 500 or more records were reported in 2020.
  • 1.76 data breaches of 500 or more healthcare records were reported each day in 2020.
  • 2020 saw more than 29 million healthcare records breached.
  • One breach involved more than 10 million records and 63 saw more than 100K records breached.
  • Hacking/IT incidents accounted for 67% of data breaches and 92% of breached records.
  • 3,705 data breaches of 500 or more records have been reported since October 2009.
  • 266.78 million healthcare records have been breached since October 2009.

U.S. Healthcare Data Breaches 2009 to 2020

2020 was the third worst year in terms of the number of breached healthcare records, with 29,298,012 records reported as having been exposed or impermissibly disclosed in 2020. While that is an alarming number of records, it is 29.71% fewer than in 2019. 266.78 million healthcare records have been breached since October 2009 across 3,705 reported data breaches of 500 or more records.

U.S. Healthcare data breaches - exposed records 2009-2020

The Largest Healthcare Data Breaches in 2020

The largest healthcare data breach of 2020 was a ransomware attack on the cloud service provider Blackbaud Inc. The actual number of records exposed and obtained by the hackers has not been made public, but more than 100 of Blackbaud’s healthcare clients were affected and more than 10 million records are known to have been compromised. The breach does not appear on the OCR breach portal, as each entity affected has reported the breach separately.

Prior to deploying ransomware, the hackers stole the fundraising and donor databases of many of its clients which included information such as names, contact information, dates of birth, and some clinical information. Victims included Trinity Health (3.3 million records), Inova Health System (1 million records), and Northern Light Health Foundation (657,392 records).

The Florida-based business associate MEDNAX Services Inc, a provider of revenue cycle management and other administrative services to its affiliated physician practice groups, experienced the largest phishing attack of the year. Hackers gained access to its Office 365 environment and potentially obtained the ePHI of 1,290,670 individuals, including Social Security numbers, driver’s license numbers, and health insurance and financial information.

Magellan Health’s million-record data breach also started with a phishing email and ended with ransomware being deployed. The breach affected several of its affiliated entities and potentially saw patient information stolen.

Dental Care Alliance, a dental support organization with more than 320 affiliated dental practices across 20 states, had its systems hacked and the dental records of more than 1 million individuals were potentially stolen.

63 security incidents were reported in 2020 by HIPAA-covered entities and business associates that involved 100,000 or more healthcare records.

| Name of Covered Entity | Covered Entity Type | Individuals Affected | Type of Breach |
|---|---|---|---|
| Trinity Health | Business Associate | 3,320,726 | Hacking/IT Incident |
| MEDNAX Services, Inc. | Business Associate | 1,290,670 | Hacking/IT Incident |
| Inova Health System | Healthcare Provider | 1,045,270 | Hacking/IT Incident |
| Magellan Health Inc. | Health Plan | 1,013,956 | Hacking/IT Incident |
| Dental Care Alliance, LLC | Business Associate | 1,004,304 | Hacking/IT Incident |
| Luxottica of America Inc. | Business Associate | 829,454 | Hacking/IT Incident |
| Northern Light Health | Business Associate | 657,392 | Hacking/IT Incident |
| Health Share of Oregon | Health Plan | 654,362 | Theft |
| Florida Orthopaedic Institute | Healthcare Provider | 640,000 | Hacking/IT Incident |
| Elkhart Emergency Physicians, Inc. | Healthcare Provider | 550,000 | Improper Disposal |
| Aetna ACE | Health Plan | 484,157 | Hacking/IT Incident |
| Saint Luke’s Foundation | Healthcare Provider | 360,212 | Hacking/IT Incident |
| NorthShore University HealthSystem | Healthcare Provider | 348,746 | Hacking/IT Incident |
| SCL Health – Colorado | Healthcare Provider | 343,493 | Hacking/IT Incident |
| AdventHealth | Healthcare Provider | 315,811 | Hacking/IT Incident |
| Nuvance Health | Healthcare Provider | 314,829 | Hacking/IT Incident |
| Magellan Rx Management | Business Associate | 314,704 | Hacking/IT Incident |
| The Baton Rouge Clinic | Healthcare Provider | 308,169 | Hacking/IT Incident |
| Allegheny Health Network | Healthcare Provider | 299,507 | Hacking/IT Incident |
| Northeast Radiology | Healthcare Provider | 298,532 | Hacking/IT Incident |

Main Causes of 2020 Healthcare Data Breaches

Hacking and other IT incidents dominated the healthcare data breach reports in 2020. 429 hacking/IT-related data breaches were reported in 2020, which account for 66.82% of all reported breaches and 91.99% of all breached records. These incidents include exploitation of vulnerabilities and phishing, malware, and ransomware attacks, with the latter having increased considerably in recent months.

causes of 2020 healthcare data breaches

A recent report from Check Point revealed there was a 71% increase in ransomware attacks on healthcare providers in October, and a further 45% increase in healthcare cyberattacks in the last two months of 2020. Some of the largest and most damaging breaches to affect the healthcare industry in 2020 involved ransomware. In many cases, systems were taken out of action for weeks and patient services were affected. Ryuk, Sodinokibi (REvil), Conti, and Egregor ransomware have been the main culprits, with the healthcare industry heavily targeted during the pandemic.

Unauthorized access/disclosure incidents accounted for 22.27% of the year’s breaches and 2.69% of breached records. These incidents include the accessing of healthcare records by malicious insiders, snooping on medical records by healthcare workers, accidental disclosures of PHI to unauthorized individuals, and human error that exposes patient data.

| Breach Type | Number of Breaches | Records Breached | Mean Records Breached | Median Records Breached |
|---|---|---|---|---|
| Hacking/IT Incident | 429 | 26,949,956 | 62,820 | 8,000 |
| Unauthorized Access/Disclosure | 143 | 787,015 | 5,504 | 1,713 |
| Theft | 39 | 806,552 | 20,681 | 1,319 |
| Improper Disposal | 16 | 584,980 | 36,561 | 1,038 |
| Loss | 15 | 169,509 | 11,301 | 2,298 |

Location of Breached Protected Health Information

The increased use of encryption and cloud services for storing data has helped to reduce the number of loss/theft incidents, which used to account for the majority of reported breaches. Phishing attacks are still a leading cause of data breaches in healthcare and are often the first step in a multi-stage attack that sees malware or ransomware deployed.

Email account breaches were reported at a rate of more than one every two days in 2020, but email-related breaches took second spot this year behind breaches of network servers. Network servers often store large amounts of patient data and are a prime target for hackers and ransomware gangs.

While the majority of healthcare data breaches have involved electronic protected health information, a significant percentage of breaches in 2020 involved paper/film copies of protected health information which were obtained by unauthorized individuals, lost, or disposed of in an insecure manner.

Location of compromised data in healthcare data breaches 2020

Which Entities Suffered the Most Data Breaches in 2020?

The pie chart below shows the breakdown of HIPAA covered entities affected by data breaches of 500 or more records in 2020. Healthcare providers suffered the most breaches with 497 reported incidents. Business associates reported 73 data breaches, but it should be noted that in many cases a breach was experienced at the business associate, but the incident was reported by the covered entities affected. In total, 258 of the year’s breaches had some business associate involvement, which is 40.19% of all breaches. There were 70 breaches reported by health plans, and 2 breaches reported by healthcare clearinghouses.

2020 healthcare data breaches in the United States by Entity type

2020 Healthcare Data Breaches by State

Residents of South Dakota, Vermont, and Wyoming survived 2020 without experiencing any healthcare data breaches, but breaches were reported by entities based in all other states and the District of Columbia.

California was the worst affected state with 51 breaches, followed by Florida and Texas with 44, New York with 43, and Pennsylvania with 39.

| State | No. Breaches | State | No. Breaches | State | No. Breaches | State | No. Breaches |
|---|---|---|---|---|---|---|---|
| California | 51 | Virginia | 18 | New Jersey | 9 | Kansas | 3 |
| Florida | 44 | Indiana | 17 | South Carolina | 9 | Nebraska | 3 |
| Texas | 44 | Massachusetts | 17 | Washington | 9 | West Virginia | 3 |
| New York | 43 | Maryland | 16 | Delaware | 8 | District of Columbia | 2 |
| Pennsylvania | 39 | North Carolina | 16 | Utah | 8 | Idaho | 2 |
| Ohio | 27 | Colorado | 14 | Louisiana | 6 | Nevada | 2 |
| Iowa | 26 | Missouri | 14 | Maine | 6 | Oklahoma | 2 |
| Michigan | 21 | Arizona | 12 | New Mexico | 6 | Mississippi | 1 |
| Georgia | 20 | Arkansas | 12 | Oregon | 5 | Montana | 1 |
| Illinois | 20 | Kentucky | 12 | Hawaii | 4 | New Hampshire | 1 |
| Minnesota | 20 | Wisconsin | 12 | Alabama | 3 | North Dakota | 1 |
| Connecticut | 19 | Tennessee | 10 | Alaska | 3 | Rhode Island | 1 |

HHS HIPAA Enforcement in 2020

2020 was a busy year in terms of HIPAA enforcement. The HHS’ Office for Civil Rights, the main enforcer of HIPAA compliance, conducted 19 HIPAA compliance investigations that resulted in financial penalties. More penalties were agreed with HIPAA covered entities and business associates in 2020 than in any other year since OCR started enforcing HIPAA compliance. $13,554,900 was paid in penalties across the 19 cases.

It can take several years from the start of an investigation before a financial penalty is levied. Some of the largest settlements of the year date back to breaches that were experienced in 2015 or earlier; however, the large increase in financial penalties in 2020 is largely due to a HIPAA enforcement drive launched by OCR in late 2019 to tackle noncompliance with the HIPAA Right of Access. There were 11 settlements reached with healthcare providers in 2020 to resolve cases where individuals were not provided with timely access to their medical records.

You can view a summary of OCR’s 2020 HIPAA enforcement actions in this post.

State AG HIPAA Enforcement in 2020

OCR is not the only enforcer of HIPAA compliance. State attorneys general also have the authority to take action against entities found not to be in compliance with the HIPAA Rules. There has been a trend for state attorneys general to work together and pool resources in their legal actions for noncompliance with the HIPAA Rules. In 2020, two multi-state actions were settled with HIPAA covered entities/business associates to resolve violations of the HIPAA Rules.

The health insurer Anthem Inc. settled a case that stemmed from its 78.8 million-record data breach in 2015 and paid financial penalties totaling $48.2 million to resolve multiple potential violations of HIPAA and state laws.

CHSPSC LLC, a Tennessee-based management company that provides services to subsidiary hospital operator companies and other affiliates of Community Health Systems, also settled a multi-state action and paid a financial penalty of $5 million to resolve alleged HIPAA violations. The case stemmed from a 2014 data breach that saw the ePHI of 6,121,158 individuals stolen by hackers.

About This Report

The Health Insurance Portability and Accountability Act (HIPAA) requires all healthcare data breaches to be reported to the HHS’ Office for Civil Rights. A summary of breaches of 500 or more records is published by the HHS Office for Civil Rights. This report was compiled using data on the HHS website on 01/19/21 and includes data breaches currently under investigation and archived cases.

The post 2020 Healthcare Data Breach Report: 25% Increase in Breaches in 2020 appeared first on HIPAA Journal.