HIPAA Breach News

6,000 Patients Notified About Email Security Breach at Beaumont Health

Beaumont Health, the largest healthcare provider in Michigan, has started notifying approximately 6,000 patients that some of their protected health information has potentially been accessed by unauthorized individuals.

On June 5, 2020, Beaumont Health learned that email accounts accessed by unauthorized individuals between January 3, 2020 and January 29, 2020 contained protected health information, including names, dates of birth, diagnoses, diagnosis codes, procedure and treatment information, type of treatment provided, prescription information, patient account numbers, and medical record numbers.

While the email accounts were accessed by unauthorized individuals, no evidence was found to suggest emails or email attachments in the accounts were viewed or copied by the attackers and no reports have been received that suggest patient data has been misused.

This is the second phishing-related breach to be announced by Beaumont Health this year. In April, Beaumont Health started notifying 112,211 individuals that some of their PHI was contained in email accounts that were breached in late 2019.

Beaumont Health has taken steps to improve its internal procedures to allow it to identify and remediate threats more rapidly in the future and additional safeguards have been implemented to improve email security, including the use of multi-factor authentication. Further training has also been provided to employees on the identification and handling of malicious emails.

Improper Disposal of Medical Files by Southcare Minute Clinic

Southcare Minute Clinic in Wilmington, NC, is being investigated by the North Carolina Department of Health and Human Services over the improper disposal of medical files. The Wilmington Police Department responded to a report that sensitive documents and hazardous waste had been disposed of in a regular dumpster behind the former Southcare Minute Clinic at 1506 Market St.

The dumpster was found to contain paperwork that included patient information, used needles, and other hazardous waste. The police confirmed that HIPAA Rules had been violated but determined no crime had been committed. The dumpster has since been removed and there is no longer any threat to public safety. The North Carolina Department of Health and Human Services will determine whether a financial penalty is appropriate.

Samaritan Medical Center Investigating Potential Security Breach

Samaritan Medical Center in Watertown, NY has announced it has experienced a security incident that has forced it to take its computer systems offline. Staff have switched to pen and paper while the attack is remediated and while care is still being provided to patients. No patients have been transferred to other facilities, but the decision was taken to cancel some non-urgent appointments. No further information on the exact nature of the security breach has been released at this stage.

The post 6,000 Patients Notified About Email Security Breach at Beaumont Health appeared first on HIPAA Journal.

PHI Compromised in CVS Pharmacy and Walgreens Break-ins

CVS Pharmacy is alerting certain patients that some of their personal and protected health information has been lost following several incidents at its pharmacies between May 27, 2020 and June 8, 2020. During that time frame, several of its pharmacies were affected by looting and vandalism incidents. Unauthorized individuals gained access to several of its stores and stole filled prescriptions from pharmacy waiting bins. Vaccine consent forms and paper prescriptions were also lost and potentially stolen in the incidents.

The types of information compromised include names, addresses, dates of birth, medication names, prescriber information, and primary care provider information. No reports have been received to date to indicate there has been any misuse of customer information.

CVS Pharmacy has reported the incidents to the HHS’ Office for Civil Rights collectively as affecting 21,289 individuals.

Walgreens Reports Series of Break-ins and Theft of PHI

Walgreens Pharmacy has reported similar incidents at its pharmacies over the same period. According to the breach notification sent to the California Attorney General’s office, various groups of individuals broke into Walgreens stores in several locations between May 26, 2020 and June 5, 2020. The individuals stole many items from the stores, some of which contained the personal and protected health information of its customers.

The stolen items included a limited number of hard drives that were connected to cash registers, an automation device used for printing prescription labels, filled prescriptions that were awaiting collection, and some paper records. Social Security numbers and financial information were not compromised.

The information obtained by unauthorized individuals varied from customer to customer and may have included the following types of information: first and last name, address, phone number, date of birth/age, prescription number, prescriber name, health plan name and group number, vaccination information (including eligibility information), medication name (including strength, quantity, and description), email address, Balance Rewards number, photo ID number, driver's license information, state ID number, military ID number, and passport number (e.g., for customers purchasing drugs such as pseudoephedrine).

Following the break-ins, Walgreens immediately took steps to prevent fraud, such as closing out and re-entering impacted prescriptions and reversing insurance claims for filled prescriptions. It is currently unclear how many individuals have been affected.


OCR Imposes $1 Million HIPAA Penalty on Lifespan for Lack of Encryption and Other HIPAA Failures

The HHS’ Office for Civil Rights has imposed a $1,040,000 HIPAA penalty on Lifespan Health System Affiliated Covered Entity (Lifespan ACE) following the discovery of systemic noncompliance with the HIPAA Rules.

Lifespan is a not-for-profit health system based in Rhode Island that has many healthcare provider affiliates in the state. On April 21, 2017, a breach report was filed with OCR by Lifespan Corporation, the parent company and business associate of Lifespan ACE, about the theft of an unencrypted laptop computer on February 25, 2017.

The laptop had been left in an employee's vehicle in a public parking lot; the vehicle was broken into and the laptop stolen. It contained information such as patient names, medical record numbers, medication information, and demographic data of 20,431 patients of its healthcare provider affiliates.

OCR investigated the breach and discovered systemic noncompliance with the HIPAA Rules. Lifespan ACE uses a variety of mobile devices and had conducted a risk analysis to identify potential risks to the confidentiality, integrity, and availability of ePHI. Through the risk analysis, Lifespan ACE determined that the use of encryption on mobile devices such as laptops was reasonable and appropriate given the level of risk, but it failed to implement encryption. The lack of encryption was a violation of 45 C.F.R. § 164.312(a)(2)(iv).

OCR also discovered Lifespan ACE had not implemented policies and procedures that required the tracking of portable devices with access to a network containing ePHI, nor was there a comprehensive inventory of those devices, in violation of 45 C.F.R. § 164.310(d)(1).

Lifespan Corporation was a business associate of Lifespan ACE, but both entities had failed to enter into a business associate agreement with each other. Lifespan ACE had also not obtained a signed business associate agreement from its healthcare provider affiliates, in violation of 45 C.F.R. § 164.502(e).

As a result of these compliance failures, Lifespan ACE was responsible for the impermissible disclosure of the ePHI of 20,431 individuals when the laptop was stolen (see 45 C.F.R. § 164.502(a)).

Lifespan ACE agreed to settle the case, pay the financial penalty, and adopt a comprehensive corrective action plan (CAP). The CAP requires Lifespan ACE to enter into business associate agreements with its affiliates and parent company, create an inventory of all electronic devices, implement encryption and configure access controls, and review and revise its policies and procedures with respect to device and media controls. Those policies and procedures must be distributed to the workforce and training must be provided on the new policies. Lifespan ACE’s compliance efforts will be scrutinized by OCR for the duration of the two-year CAP.

“Laptops, cellphones, and other mobile devices are stolen every day, that’s the hard reality. Covered entities can best protect their patients’ data by encrypting mobile devices to thwart identity thieves,” said Roger Severino, OCR Director.

This is the second HIPAA penalty to be announced by OCR in the past week. On July 23, 2020, OCR announced Metropolitan Community Health Services dba Agape Health Services had been fined $25,000 for longstanding, systemic noncompliance with the HIPAA Security Rule.


University of Utah Reports Phishing Attack Involving the PHI of Up to 10,000 Patients

The University of Utah has experienced a phishing attack that has potentially involved the protected health information of up to 10,000 patients. This is the fourth data breach to be reported to the Department of Health and Human Services by the University of Utah in 2020. All four incidents are listed as hacking/IT incidents involving email. The previous breach reports were submitted on June 8, 2020 (1,909 individuals), April 3, 2020 (5,000 individuals), and March 21, 2020 (3,670 individuals).

Unauthorized individuals gained access to employee email accounts between January 22, 2020 and May 22, 2020, according to the substitute breach notice on the University of Utah Health website. It is unclear at this stage if the latest breach report also involved access to employee email accounts in the same time frame.

Kathy Wilets, Director of Public Relations at University of Utah Health, provided a statement to databreaches.net in which she explained that the phishing incidents were being treated as separate incidents but may have been part of a coordinated campaign. She said the latest incident potentially involved access to a limited amount of patient information and that the number of individuals affected (10,000) is an estimate; the investigation may reveal fewer individuals were affected. Steps have since been taken to improve email security, including the implementation of two-factor authentication.

Highpoint Foot and Ankle Center Ransomware Attack Impacts 25,554 Patients

Highpoint Foot and Ankle Center in New Britain Township, PA suffered a ransomware attack in May 2020 in which patient information was encrypted and potentially accessed or exfiltrated by the attackers. Highpoint Foot and Ankle discovered the attack on May 20, 2020 when staff were prevented from accessing certain files on the network.

An investigation was launched which revealed an unauthorized individual had remotely installed ransomware on its computer systems. No evidence was found to suggest patient data was accessed by the attacker prior to file encryption nor have any reports been received that indicate patient information has been misused.

A third-party computer forensics firm was hired to assist with the investigation and determined files containing the protected health information of 25,554 patients were potentially compromised. The files contained names, addresses, dates of birth, social security numbers, diagnoses, treatment information, and release states.

Additional safeguards have now been implemented to protect patient records and all patients affected by the breach have been notified by mail.


June 2020 Healthcare Data Breach Report

The sharp drop in healthcare data breaches seen in May proved to be short lived, with June seeing a major increase in data breaches. In June, 52 breaches were reported by HIPAA covered entities and business associates. That represents an 85.71% month-over-month increase in reported breaches.

The number of individuals impacted by healthcare data breaches changed little despite the large increase in breaches, with a month-over-month fall of 1.65% to 1,047,015 records, which is well above the 2020 monthly average of 896,374 breached records.

Largest Healthcare Data Breaches in June 2020

The largest healthcare data breach reported by a single entity in June affected the Texas billing and collections agency Benefit Recovery Specialists, Inc. (BRS). Malware was detected on its systems that potentially gave unauthorized individuals access to the protected health information of more than a quarter of a million people.

There was, however, a much larger data breach reported in June that affected more than 365,000 individuals but was reported individually by each entity affected by the breach. Magellan Health suffered a ransomware attack that also affected at least 9 healthcare providers, health plans, and business associates, specifically Merit Health Insurance Company, Magellan Complete Care of Florida, the University of Florida Health Jacksonville, Magellan Healthcare in Maryland, Magellan Rx Pharmacy, National Imaging Associates, UF Health Shands, UF Health, and Magellan Complete Care of Virginia. The ransomware attack ranks as the third largest healthcare data breach so far in 2020.

Name of Covered Entity | Covered Entity Type | Type of Breach | Individuals Affected
Benefit Recovery Specialists, Inc. | Business Associate | Hacking/IT Incident | 274,837
Merit Health Insurance Company | Health Plan | Hacking/IT Incident | 102,748
Magellan Complete Care of Florida | Health Plan | Hacking/IT Incident | 76,236
Healthcare Fiscal Management Inc. | Business Associate | Hacking/IT Incident | 58,000
UF Health Jacksonville | Healthcare Provider | Hacking/IT Incident | 54,002
Magellan Healthcare | Business Associate | Hacking/IT Incident | 50,410
Providence Health Plan | Health Plan | Unauthorized Access/Disclosure | 49,511
American Medical Technologies | Healthcare Provider | Hacking/IT Incident | 47,767
Oral and Maxillofacial Surgery Associates, P.A. | Healthcare Provider | Hacking/IT Incident | 35,498
City of Philadelphia | Health Plan | Hacking/IT Incident | 33,376
Magellan Rx Pharmacy | Healthcare Provider | Hacking/IT Incident | 33,040
Cano Health | Healthcare Provider | Hacking/IT Incident | 28,268
National Imaging Associates | Business Associate | Hacking/IT Incident | 22,560
Legacy Community Health Services | Healthcare Provider | Hacking/IT Incident | 19,000
Human Affairs International of California | Business Associate | Hacking/IT Incident | 15,843
UF Health Shands | Healthcare Provider | Hacking/IT Incident | 13,146
North Shore Pain Management | Healthcare Provider | Hacking/IT Incident | 12,472
Choice Health Management Services, LLC | Business Associate | Hacking/IT Incident | 11,650
Iowa Total Care, Inc. | Health Plan | Unauthorized Access/Disclosure | 11,581
The Kroger Co., for itself and its affiliates and subsidiaries | Healthcare Provider | Hacking/IT Incident | 10,974

Causes of June 2020 Healthcare Data Breaches

There were 37 reported hacking/IT incidents in June, which accounted for 71.15% of the month’s breaches and 91.14% of records breached in June. 957,082 records were exposed or stolen in those breaches. The average breach size was 25,867 records and the median breach size was 9,271 records.

There were 11 unauthorized access/disclosure incidents reported in June that impacted 85,580 individuals. The average breach size was 7,780 records and the median breach size was 1,650 records. There were 4 loss/theft incidents reported that impacted 4,353 individuals. The average breach size was 1,088 records and the median breach size was 910 records.

The most common location of breached protected health information was email. 63.46% of the month’s breaches involved ePHI stored in emails and email attachments, and 36.54% involved network servers. The majority of the email breaches were due to phishing attacks, while the network server breaches mostly involved malware and ransomware.

June 2020 Healthcare Data Breaches by State

Data breaches of 500 or more records were reported by HIPAA-covered entities and business associates in 21 states. California was the worst affected state with 9 breaches, followed by Florida with 7, Texas with 5, Maryland and New York with 4 each, and Illinois with 3.

There were two breaches in each of Arkansas, North Carolina, Ohio, Oregon, and Pennsylvania, and one breach in each of Colorado, Connecticut, Iowa, Kentucky, Massachusetts, Michigan, Missouri, South Carolina, Tennessee, and Utah.

Healthcare Data Breaches by Covered Entity Type

Healthcare providers were the worst affected covered entity in June with 33 reported data breaches. There was an increase in health plan data breaches with 9 reported incidents, and also an increase in business associate breaches. While there were 10 breaches reported by business associates, a further 7 breaches involved business associates but were reported by the covered entity.

HIPAA Enforcement in June 2020

There were no HIPAA enforcement actions announced by state attorneys general or the HHS’ Office for Civil Rights in June 2020. The HHS has stated that it is prepared to be flexible with HIPAA investigations during the pandemic, so the lack of enforcement actions so far in 2020 may not reflect any reduction in enforcement; penalties may simply be delayed until the COVID-19 pandemic is brought under control.

On July 23, 2020, the Secretary of the Department of Health and Human Services, Alex Azar, announced that the nationwide public health emergency has been renewed for a further 90 days. OCR’s Notices of Enforcement Discretion covering good faith uses and disclosures of PHI in relation to telehealth and the operation of COVID-19 testing centers, and the waivers under Section 1135(b)(7) of the Social Security Act, therefore remain in effect.


Small North Carolina Healthcare Provider Fined $25,000 for HIPAA Security Rule Noncompliance

The HHS’ Office for Civil Rights (OCR) has announced a $25,000 settlement has been reached with Metropolitan Community Health Services to resolve violations of the HIPAA Security Rule.

Washington, NC-based Metropolitan Community Health Services is a Federally Qualified Health Center that provides integrated medical, dental, behavioral health & pharmacy services for adults and children. Operating as Agape Health Services, Metro provides discounted medical services to the underserved population in rural North Carolina. Metropolitan Community Health Services has around 43 employees and serves 3,100 patients each year.

On June 9, 2011, Metropolitan Community Health Services filed a report with OCR over a breach of the protected health information of 1,263 patients. OCR conducted a compliance review to establish whether the breach was the direct result of noncompliance with the HIPAA Rules. The OCR investigation uncovered longstanding, systemic noncompliance with the HIPAA Security Rule.

Prior to the breach, Metropolitan Community Health Services had failed to implement HIPAA Security Rule policies and procedures, in violation of 45 C.F.R. § 164.316, and an accurate and thorough assessment of the potential risks to the confidentiality, integrity, and availability of ePHI had not been conducted, in violation of 45 C.F.R. § 164.308(a)(1)(ii)(A). Despite being in business since 1999, no HIPAA security awareness and training had been provided to the workforce prior to June 30, 2016, in violation of 45 C.F.R. § 164.308(a)(5).

When deciding on an appropriate settlement, OCR took the size of the organization and several other factors into account. In addition to paying a financial penalty of $25,000 to resolve the HIPAA violations, Metropolitan Community Health Services has agreed to adopt a robust corrective action plan and will ensure policies and procedures are implemented to the standards required by HIPAA. Metropolitan Community Health Services will be monitored for compliance with the corrective action plan for a period of two years.

This is the second HIPAA violation penalty to be imposed on a HIPAA covered entity in 2020, the first being a $100,000 financial penalty in March 2020 for Steven A. Porter, M.D., for risk analysis and risk management failures.

The fine confirms that healthcare providers, large and small, are required to comply with HIPAA Rules. “Health care providers owe it to their patients to comply with the HIPAA Rules. When informed of potential HIPAA violations, providers owe it to their patients to quickly address problem areas to safeguard individuals’ health information,” said Roger Severino, OCR Director.


Ransomware Data Breach Lawsuit Against Sarrell Regional Dental Center Tossed by Federal Judge

A lawsuit filed against Sarrell Regional Dental Center for Public Health Inc. over a July 2019 ransomware attack has been dismissed by a federal judge for lack of standing.

Sarrell was able to recover from the attack and restore its computer systems and data without paying the ransom, although the dental center was forced to close for two weeks while its systems were restored. No evidence was found to indicate patient data was accessed or downloaded from its systems, although it was not possible to rule out a data breach with 100% certainty so notification letters were sent to the 391,000 patients whose personal and protected health information (PHI) was potentially compromised.

A lawsuit was filed against Sarrell in 2019 on behalf of patients affected by the attack. The lawsuit sought class action status and damages for patients whose PHI was potentially compromised in the attack. The lawsuit alleged patients faced a higher risk of identity theft as a result of the attack and had to cover the cost of credit monitoring services.

Judge R. Austin Huffaker Jr. stated in his ruling that while the extent and depth of the breach were “murky”, Sarrell had conducted an investigation into the attack and found no evidence that files containing protected health information had been accessed or exfiltrated by the attackers and there was no evidence patient information had been misused in any way.

The lawsuit alleged the ransomware attack was a direct result of the failure of Sarrell to implement reasonable cybersecurity procedures and protocols and patients’ personal and protected health information was now likely in the hands of identity thieves. Consequently, patients affected by the breach had to spend time and money protecting themselves against identity theft and fraud. However, Judge Austin Huffaker viewed the claims as speculative, since the plaintiffs failed to provide “at least some plausible specific allegation of actual or likely misuse of data.”

Since the plaintiffs and putative class members failed to allege they had suffered identity theft or fraud as a result of the ransomware attack, there were insufficient grounds to sue Sarrell for the security breach. “The fact that the breach occurred cannot, in and of itself, be enough, in the absence of any imminent or likely misuse of protected data, to provide plaintiffs with standing to sue,” wrote Judge Austin Huffaker. “The plaintiffs fail to allege that they or members of the putative class have suffered actual identity theft. Instead, their pleading speaks of ‘possibilities’ and traffics in ‘maybes’.”


47,754 Individuals Impacted by Lorien Health Services Ransomware Attack

Ellicott City, MD-based Lorien Health Services, which runs 9 assisted living facilities in Maryland, has announced it was the victim of a ransomware attack on June 6, 2020.

Third party cybersecurity experts were retained to assist with the investigation and determine whether patient information had been accessed by the attackers. On June 10, 2020, it was confirmed that the attackers had accessed files containing residents’ names, addresses, dates of birth, diagnoses, treatment information, and Social Security numbers and some employee information. Some of that data was stolen in the attack.

The attack was conducted by the operators of Netwalker ransomware. When Lorien Health Services refused to pay the ransom, a sample of the stolen data was published online.

Lorien Health reported the breach to the FBI and the ransomware attack is being investigated. The breach report submitted to the Department of Health and Human Services indicates the compromised systems contained the protected health information of 47,754 individuals. Those individuals have been offered complimentary credit monitoring and identity theft protection services. Notification letters were sent to all impacted individuals on June 16, 2020, just 10 days after the attack.

Accu Copy of Greenville Security Breach Impacts 21,800 Patients

Accu Copy of Greenville, Incorporated, a NC-based company that provides printing and billing statement mailing services to businesses, has discovered unauthorized individuals gained access to one of its servers and may have accessed documents containing the protected health information of patients of Physicians East, a healthcare provider serving eastern North Carolina.

Accu Copy detected the breach on April 10, 2020 and promptly took steps to prevent any further unauthorized access. The investigation into the breach concluded the unauthorized individual first accessed the server on April 1, 2020. On May 15, 2020, Accu Copy confirmed patient data may have been accessed and a review of the files on the server was completed on June 26, 2020.

The server was discovered to contain billing statements for 21,800 patients. The statements related to a Physicians East office visit and contained names, addresses, diagnosis information, treatment information, provider name, and the cost of treatment.

Following the breach, all passwords were changed, and assistance was sought from a cybersecurity company to help improve security.

Coalinga Valley Health Clinics Discovers Improper PHI Access by Former Employee

A former employee of Coalinga Valley Health Clinics, Inc. is alleged to have removed documents from its offices that contained the protected health information of some of its patients.

The Coalinga, CA-based healthcare provider was notified about the alleged data theft by the Coalinga Police Department on April 17, 2020. The employee’s access to health records was immediately terminated and an investigation was launched to determine the extent of the unauthorized access. The Police Department recovered all documents that had been removed from the office and returned them to Coalinga Valley Health Clinics.

Coalinga Valley Health Clinics found no evidence to suggest the documents were taken by the employee in order to misuse patient data, but affected individuals have nonetheless been advised to be alert to the possibility of data misuse and have been offered a complimentary 12-month membership to the myTrueIdentity identity theft prevention service.

Coalinga Valley Health Clinics has taken steps to prevent similar breaches in the future and the employee has been terminated.

Email Security Breach Reported by National Cardiovascular Partners

National Cardiovascular Partners, a division of Fresenius Medical Care North America, is alerting patients to a possible breach of their personal and protected health information.

On May 19, 2020, National Cardiovascular Partners discovered an unauthorized individual had gained access to the email account of an employee. The account was immediately secured and an investigation was launched. The investigation revealed the email account was breached on April 27, 2020. A review of the compromised account was completed on June 18, 2020 and confirmed the account contained patients’ protected health information.

National Cardiovascular Partners believes the attack was conducted with the aim of defrauding the company, rather than to obtain patient data. No evidence was found to suggest patient data was accessed or acquired by the attacker.

National Cardiovascular Partners has taken steps to improve email security and further email security training has been provided to its employees. Affected patients have been offered a 12-month complimentary membership to Experian’s IdentityWorks identity theft protection service.


Quantum Imaging and Therapeutic Associates Investigating Possible Facebook HIPAA Breach

The Pennsylvania physician-owned radiology practice, Quantum Imaging and Therapeutic Associates, has announced that reports have been received about a non-physician employee who allegedly shared an x-ray of a male patient’s genitalia with members of a Facebook group.

The sharing of medical images on social media networks without patient consent is a violation of patient privacy and HIPAA. Quantum issued a statement on Facebook confirming reports had been received about a privacy breach, saying “Quantum is committed to respecting the privacy of its patients and is deeply disheartened by these reports.” No further information has been released about the breach pending the results of the investigation. The matter has been reported to Fairview Township police and an investigation has been launched, but no arrests have been made at this stage. Several individuals have commented on the Facebook post claiming the image could be viewed by ‘thousands’ of people.

US HealthCenter Discovered Email Account Breach

The health risk management corporation, US HealthCenter has discovered an email account has been accessed by an unauthorized individual, who may have viewed or obtained the personal and protected health information of members of the Cost Plus World Market’s (Cost Plus) Wellness Program.

The breached email inbox was used to receive completed Annual Preventive Screening affidavits from participants. Questions from Wellness Program participants about the program were also sent to the email account. US HealthCenter discovered the unauthorized access on April 13, 2020 when the account was used to send phishing emails to Cost Plus wellness plan participants. During the time that the account was accessible, the unauthorized individual was able to view and forward emails.

The review of emails in the account showed they contained participants’ names, employee numbers, dates of birth, physician signatures, dates of exams, and limited health information.

The account was immediately secured. The email account is now hosted on a new Microsoft Office 365 platform, which has better security protections, and multi-factor authentication has been added to all email accounts. US HealthCenter did not find any evidence to suggest personal information has been misused.

Delaware Department of Health and Social Services Discovered Impermissible PHI Disclosure

The Delaware Department of Health and Social Services has discovered a spreadsheet containing protected health information was accidentally shared with four students.

Four seniors at the University of Delaware had requested information for a project to help them identify service gaps in the community and were sent a spreadsheet. The students required information such as the age range of individuals and their disability status but identifying information had not been removed prior to the spreadsheet being shared. The students were able to view full names, birth dates, diagnoses, and county information related to 350 individuals.

The students gave a presentation of their report via Zoom on May 8, in which data was presented that included patients’ PHI. The Delaware Department of Health and Social Services immediately ended the presentation when it was discovered protected health information had been included. The students were ordered to delete the data and the employee who sent the spreadsheet has been disciplined.
