HIPAA Breach News

Everett & Hurite Ophthalmic Association Email Breach Impacts 34,000 Patients

The Everett & Hurite Ophthalmic Association (EHOA), a team of ophthalmology specialists serving Pittsburgh, PA & Warrendale, PA, has discovered an unauthorized individual gained access to the email account of one of its employees and potentially viewed patient information.

EHOA became aware of a breach on March 23, 2020 when suspicious activity was detected in the employee’s email account. After securing the account, third party forensic specialists were engaged to investigate the incident. The investigation confirmed that the breach was limited to a single email account, which was breached between February 25, 2020 and March 25, 2020.

A comprehensive review of emails and attachments in the account revealed they contained the protected health information of 34,113 patients. The majority of patients had their names included in an internal report that was used for reporting to the HHS’ Centers for Medicare and Medicaid Services (CMS). For certain individuals, their Social Security number, financial data, health insurance details, date of birth, and health and treatment information were also exposed. No evidence was uncovered to suggest patient information was viewed or downloaded by the person who accessed the account.

EHOA has notified all affected patients, has provided further training to its employees, and is enhancing its policies and procedures to prevent similar breaches in the future.

Castro Valley Health, Inc. Discovers PHI was Exposed on Docker Hub

Castro Valley Health, Inc. has discovered patient information was accidentally transferred to a third-party website, Docker Hub, and could potentially have been accessed by unauthorized individuals.

The transfer of patient data occurred between 2016 and 2017 and was discovered on April 21, 2020. Docker Hub is used for creating, managing, and delivering container applications and for image sharing between teams. Files were uploaded to the website that contained patient information such as names, dates of birth, medical record numbers, care start dates, admission visit dates, names of nurses who provided treatment, and physical/speech therapist names. No Social Security numbers, financial information, or clinical/diagnostic data were exposed.

Castro Valley Health said that while data could potentially have been accessed, the data was heavily coded and could not be read without first decoding the data. No evidence was found to suggest any patient data was viewed or downloaded by unauthorized individuals during the time it was exposed. The only person known to have accessed the data was the person who discovered the data and reported the breach to the HHS’ Office for Civil Rights.

Castro Valley Health has now notified all individuals whose data was exposed, and steps have been taken to prevent similar breaches in the future, including updating policies and procedures, conducting additional security audits and risk assessments, and re-educating employees.
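The Castro Valley incident above is a data-leak-through-registry case: files containing patient records ended up inside content published to Docker Hub. The following is an added example, not code from Castro Valley Health or HIPAA Journal, of the kind of pre-push audit a team can run over a container build context before anything is pushed to a public registry. It assumes a local directory tree as the build context and a `.dockerignore` in that directory; the file names, patterns and sample records are constructed for the demonstration.

```python
"""Pre-push scan of a container build context for PHI-like data.

Added example (not part of the original article). Assumes the build
context is a local directory; every path, name and record below is
constructed for the demo.
"""
import fnmatch
import re
import sys
import tempfile
from pathlib import Path
from typing import Dict, List, Set

# Identifier patterns that must never be baked into an image layer that
# goes to a public registry. These are deliberately simple; real tooling
# would add more (insurance IDs, account numbers, etc.).
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:\s]*\d{6,10}\b", re.IGNORECASE),
    "dob": re.compile(r"\b(?:DOB|date of birth)[:\s]*\d{1,2}/\d{1,2}/\d{4}\b",
                      re.IGNORECASE),
}

# File types that most often carry bulk exports by mistake.
SUSPECT_SUFFIXES = {".csv", ".txt", ".json", ".sql", ".log", ".xml"}


def read_dockerignore(context: Path) -> Set[str]:
    """Return the glob patterns listed in .dockerignore (empty set if absent)."""
    ignore_file = context / ".dockerignore"
    if not ignore_file.is_file():
        return set()
    lines = ignore_file.read_text(encoding="utf-8").splitlines()
    return {ln.strip() for ln in lines if ln.strip() and not ln.startswith("#")}


def scan_context(context: Path, max_bytes: int = 1_000_000) -> Dict[str, List[str]]:
    """Map each suspicious file (relative path) to the PHI pattern names it hit.

    Files excluded by .dockerignore are skipped because they never reach
    the image; everything else with a suspect suffix is inspected.
    """
    ignored = read_dockerignore(context)
    findings: Dict[str, List[str]] = {}
    for path in sorted(context.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(context).as_posix()
        if any(fnmatch.fnmatch(rel, pat) for pat in ignored):
            continue
        if path.suffix.lower() not in SUSPECT_SUFFIXES:
            continue
        # Decode leniently: the goal is a cheap textual sweep, not parsing.
        text = path.read_bytes()[:max_bytes].decode("utf-8", errors="ignore")
        hits = [name for name, rx in PHI_PATTERNS.items() if rx.search(text)]
        if hits:
            findings[rel] = hits
    return findings


def build_demo_context() -> Path:
    """Create a constructed build context with one leaky export file."""
    root = Path(tempfile.mkdtemp(prefix="ctx-"))
    (root / "app").mkdir()
    (root / "data").mkdir()
    (root / "app" / "main.py").write_text("print('hello')\n", encoding="utf-8")
    (root / "app" / "config.json").write_text('{"port": 8080}\n', encoding="utf-8")
    # Constructed sample record; not a real person.
    leak = "Patient: Jane Example, MRN 0012345, DOB 01/02/1970, SSN 123-45-6789\n"
    (root / "data" / "export.txt").write_text(leak, encoding="utf-8")
    # Same content, but excluded from the image by .dockerignore.
    (root / "data" / "scratch.txt").write_text(leak, encoding="utf-8")
    (root / ".dockerignore").write_text("# local scratch only\ndata/scratch.txt\n",
                                        encoding="utf-8")
    return root


if __name__ == "__main__":
    ctx = Path(sys.argv[1]) if len(sys.argv) > 1 else build_demo_context()
    results = scan_context(ctx)
    for rel, hits in results.items():
        print(f"BLOCK {rel}: matched {', '.join(hits)}")
    # Non-zero exit lets a CI step or git hook stop the push.
    sys.exit(1 if results else 0)
```

Run it with the build context directory as the only argument (or with none to use the constructed demo tree); a non-zero exit status is meant to gate `docker build` / `docker push` in CI. The check intentionally ignores files that `.dockerignore` excludes, since those never reach a layer, and it only sweeps text-like suffixes, so a complementary control is still needed for archives and databases copied into the image.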

The post Everett & Hurite Ophthalmic Association Email Breach Impacts 34,000 Patients appeared first on HIPAA Journal.

University of Utah Health Suffers Further Phishing Attack

University of Utah Health has suffered another phishing attack, with the latest incident resulting in the exposure of the protected health information (PHI) of 2,700 patients.

This is the third phishing incident to be reported to the HHS’ Office for Civil Rights by the University of Utah this year. The previous incidents were reported on March 21 and April 3 and affected 3,670 and 5,000 patients respectively.

In the latest attack, an unauthorized individual gained access to employee email accounts between April 6 and May 22, 2020 as a result of responses to phishing emails. The email accounts were promptly secured, and an investigation was launched to determine whether the attackers gained access to patients’ PHI.

It was not possible to tell whether PHI was accessed or exfiltrated, but the accounts did contain a limited amount of PHI which was potentially accessed. An analysis of emails and attachments in the compromised accounts revealed they contained names, medical record numbers, dates of birth, and some clinical information related to the medical services received at University of Utah Healthcare facilities.

The investigation into the phishing attacks is ongoing, but so far, no evidence has been found to indicate any PHI was stolen by the attackers and no reports have been received to suggest there has been misuse of PHI. Notification letters started to be sent to affected patients on June 5, 2020.

University of Utah Health explained in its substitute breach notice that its information security protocols are being reviewed and security procedures will be reinforced with its employees to improve resilience to phishing attacks in the future. Security enhancements will be implemented across the entire enterprise and multi-factor authentication will be used to prevent email account access if credentials are compromised in the future.


$107,000 Stolen from Kentucky Employees’ Health Plan Members in Two Recent Cyberattacks

The Commonwealth of Kentucky Personnel Cabinet has announced that two data breaches occurred between late April and early May. The attacks resulted in the exposure of the protected health information of around 1,000 members of the Kentucky Employees’ Health Plan.

The first attack occurred between April 21 and April 27 and a second occurred in mid-May. In both cases, the attackers used stolen credentials to gain access to accounts.

In the first attack, legitimate credentials were used to gain access to StayWell systems. StayWell is a third-party vendor that manages a well-being and incentive portal for health plan members.

Through the portal, plan members are empowered to take care of their health and lead healthier lifestyles. Plan members who meet their health goals by completing certain actions and challenges are rewarded with points that can be exchanged for gift cards.

The first cyberattack was detected and investigated by StayWell, the Commonwealth Office of Technology, and the Kentucky Personnel Cabinet. It was determined that while the attackers gained access to the portal, they were not able to view highly sensitive information such as Social Security numbers, dates of birth, and addresses – the types of information commonly sought by identity thieves; however, the attackers were able to access biometric screening information and health assessment data. The attackers were also able to redeem points that had been accumulated by members, which were exchanged for gift cards. The hackers fraudulently redeemed approximately $100,000 of points. 971 individuals were affected by the first breach.

StayWell implemented several security enhancements after the first attack; however, the hackers struck again and gained access to the government email accounts of 42 plan members in the second attack and used accumulated points to fraudulently obtain $7,700 in gift cards.

According to StayWell, the second data breach occurred as a direct result of the first and appears to have been due to password reuse. Certain plan members had used the same password for the portal as they did for their government email accounts, which allowed the hackers to access the email accounts.

The second breach serves as a reminder about the danger of reusing passwords on multiple accounts and platforms. Strong passwords should always be set to prevent passwords from easily being guessed, and unique strong passwords should be set on each platform or account. Password managers are useful for storing strong passwords, but it is essential that a very strong password is set as the password manager master password.

StayWell said it is working on further security enhancements and has requested all affected members set stronger, unique passwords. The Personnel Cabinet will make resources, tools, and training available to help state employees and other users of the StayWell platform improve security.


St Joseph Health System Discovers Medical Record Storage Facility Improperly Disposed of Patient Records

St Joseph Health System in North Central Indiana is alerting patients that some of their protected health information has been exposed and may have been viewed by unauthorized individuals. The breach did not happen at St Joseph Health, but at one of its business associates.

Central Files Inc, a secure record storage facility in South Bend, IN, was contracted to securely store patient records in compliance with federal and state regulations and to destroy certain records in accordance with HIPAA Rules. Central Files Inc. has now permanently closed but was required to continue to store patient records until an alternative secure records facility could be located.

Between April 1 and April 9, 2020, several healthcare groups affiliated with St Joseph Health System were notified that confidential records containing patient information had been dumped in a location in the South Bend area at some point prior to April 1, 2020.

The records discovered at the site were in poor condition. According to the substitute breach notification on the St Joseph Health System website, the records were “showing signs of moisture damage, mold, and rodent infestation, and damage from being mixed with trash and other debris.” Attempts were made to identify patients whose data had been exposed, but trained safety personnel determined that inspecting the majority of the records would be hazardous to health and recommended the best course of action was to arrange for the records to be securely destroyed.

The records that could safely be salvaged have been recovered and St Joseph Health System has engaged a vendor to recover the remaining records from the site. That process was completed on May 20, 2020 and arrangements have been made to have those records securely and permanently destroyed.

In many cases, the records were old and contained out of date information. Some of the documentation included paper copies of medical records and billing statements that contained information such as names, contact information, Social Security numbers, dates of services, and clinical and diagnostic information. Patients have been notified about the breach and told that no evidence was found to suggest any information has been misused, although the possibility of unauthorized access could not be ruled out.

The records related to the following entities:

  • Saint Joseph Health System (From 1999 to 2013)
  • Allied Physicians of Michiana (From 1995 to 2007)
  • New Avenues (From June 2004 to December 2015)
  • South Bend Medical Foundation (From 2009 to 2015)
  • Goshen Emergency Physicians, LLC / Elkhart Emergency Physicians, Inc. (From 2002 to 2010)
  • Michiana Hematology Oncology (From 2002 to 2004)
  • Cardiology Associates, Inc. (From March 1, 2007 to November 30, 2013)

The breach has yet to appear on the HHS’ Office for Civil Rights website so it is currently unclear how many patients have been affected.


Aveanna Healthcare Facing Class Action Lawsuit Over 2019 Phishing Attack

The Atlanta, GA-based healthcare provider Aveanna Healthcare is facing a class action lawsuit over a data breach that occurred in the summer of 2019. Affecting 166,000 patients, it is one of the largest healthcare data breaches to be reported this year.

Aveanna Healthcare provides healthcare services to adults and children in 23 states and is the largest provider of pediatric home care in the United States. In the summer of 2019, several email accounts were compromised in a phishing attack. Aveanna Healthcare discovered the attack on August 24, 2019 and immediately secured its email accounts. The investigation revealed the first email account was breached on July 9, 2019, giving the attackers access to protected health information for more than 6 weeks.

Emails in the compromised accounts contained patient information such as names, health information, financial information, passport numbers, driver’s license numbers, Social Security numbers, and other sensitive data. It was not possible to determine whether emails and files were viewed by the attackers. No evidence was found to suggest patient information was stolen in the attack, but it was not possible to rule out the possibility that the attackers exfiltrated email data before they were shut out of the email accounts.

The Health Insurance Portability and Accountability Act (HIPAA) Breach Notification Rule requires patients affected by data breaches to be notified about the exposure of their PHI without unnecessary delay and no later than 60 days after the discovery of a breach. The Department of Health and Human Services’ Office for Civil Rights must also be notified about a breach within 60 days.

Aveanna Healthcare delayed issuing breach notifications to patients until this year and reported the breach to the HHS’ Office for Civil Rights on February 14, 2020, more than 5 months after the breach was discovered.

More than 100 patients affected by the breach have so far been included in the lawsuit. They allege that Aveanna Healthcare failed to issue timely notifications, and when those notifications were eventually sent, they failed to explain what types of information had been compromised. Aveanna Healthcare is alleged to have maintained the private personal and healthcare data of patients “in a reckless manner” and information stored in its systems was vulnerable to attack as a result.

The lawsuit states that Aveanna Healthcare was aware that patient data was at risk yet failed to take adequate steps to secure patient data. The plaintiffs also allege Aveanna Healthcare was not properly monitoring computer systems that contained patient data. If those systems were being monitored, it would not have taken 6 weeks for the data breach to be identified.

The plaintiffs claim they now face an elevated risk of identity theft and fraud as their sensitive data is now in the hands of data thieves. The lawsuit seeks nominal and compensatory damages for patients affected by the breach, reimbursement of out-of-pocket expenses, and injunctive relief.


Kaiser Permanente Discovers 8-Year Employee HIPAA Breach

The Oakland, CA-based healthcare provider, Kaiser Permanente, has discovered a former employee accessed the radiology records of thousands of patients without authorization over a period of 8 years.

The privacy breach was discovered in late March and the employee was placed on administrative leave while an internal investigation was conducted. Kaiser Permanente was unable to find any legitimate work reason for the employee accessing the records and determined that the access fell outside of the scope of the employee’s job functions. The first instance of unauthorized access occurred in 2012 and the employee continued to access radiology records until her actions were discovered in March 2020.

The employee worked as an imaging technician in the radiology department and has now been fired over the HIPAA violation. While unauthorized accessing of protected health information was confirmed, Kaiser Permanente found no evidence to suggest that patient information was copied or was used to commit fraud or any criminal activities.

The breach was reported to the Department of Health and Human Services’ Office for Civil Rights on May 22, 2020 by Kaiser Foundation Health Plan of the Mid-Atlantic States. The breach report shows that over an 8-year period the imaging technician impermissibly accessed the records of 2,756 patients.

All affected individuals are now being notified about the privacy breach by mail.

Ridgeview Institute – Monroe Employee Terminated Over Unauthorized PHI Access and Impermissible Disclosure

Ridgeview Institute – Monroe in Georgia, a provider of mental health and addiction treatment services, has discovered a former employee accessed the records of certain patients without authorization and sent copies of patient information to a personal email account.

The privacy breach was discovered on January 14, 2020, prompting an internal investigation to determine the nature and scope of the breach. It took some time to determine exactly what information had been copied and which patients were affected, hence the delay in notifying affected individuals.

The information in the stolen documents was determined to include patients’ full names, birth dates, Social Security numbers, patient ID numbers, health insurance provider names, diagnoses, treatment information, prescriptions, medical procedures, lab test and other test results.

The employee admitted accessing and copying patient information without authorization and said the data had been subsequently disclosed to her attorney and one other individual.

No reason was provided as to why the information was copied and impermissibly disclosed. According to the Ridgeview Institute, assurances have been obtained from the unauthorized individual to whom the information was disclosed that the documents will not be shared with any other parties, and the employee, who no longer works at Ridgeview, has confirmed that all other copies of the documents have been destroyed.

All affected patients are in the process of being notified and complimentary identity theft protection services are being offered.


Mat-Su Surgical Associates Suffers Ransomware Attack

Palmer, AK-based Mat-Su Surgical Associates has announced it was attacked with ransomware in March. The attack was discovered on March 16 when staff were locked out of its computer systems as a result of the encryption of essential files.

A team of independent computer forensics investigators was engaged to assess the nature and scope of the attack and to determine whether any patient data had been accessed or stolen by the attackers. It was not possible to determine whether the attacker had exfiltrated data or viewed patient information prior to encryption, but the investigators could not rule out unauthorized data access. The attacker was determined to have gained access to parts of its computer system that contained the protected health information of 13,146 patients.

The information potentially compromised in the attack included the names of current and former patients of Valley Surgical Associates and Mat-Su Surgical Associates along with addresses, diagnoses, treatment information, lab test results, health insurance information, Social Security numbers, and other information related to the medical care provided.

All affected patients have been notified by mail and offered complimentary membership to credit monitoring and identity theft protection services through ID Experts.

Mat-Su Surgical Associates has taken steps to improve security, including implementing additional measures to prevent unauthorized remote access to its systems.

The Little Clinic Discovers Online Appointment System Bug that Exposed PHI

The Little Clinic, a network of more than 215 medical care clinics in Ohio, Kansas, Kentucky, Tennessee, Arizona, Georgia, Indiana, Virginia and Colorado, has discovered that a bug in its online appointment system potentially resulted in an unauthorized disclosure of patients’ protected health information.

The bug was discovered internally by The Little Clinic and was determined to have been introduced on October 7, 2018. The issue was corrected on February 13, 2020 and measures were implemented to prevent similar breaches in the future.

The coding error meant that if a patient made an appointment and subsequently modified it online, the patient’s name, address, date of birth, and telephone number could be accessed by other domains. The investigation revealed up to 10,974 patients were potentially affected and may have had some of their personal information disclosed.

The Little Clinic found no evidence to suggest patient data was accessed or misused but determined on April 7, 2020 that the incident constituted a data breach. All individuals potentially affected have now been notified by mail.


Geisinger Wyoming Valley Medical Center and District Medical Group Disclose Data Breaches

District Medical Group (DMG), an integrated medical group serving patients in Arizona, has started notifying 10,190 patients that some of their protected health information has potentially been compromised. On March 11, 2020, DMG discovered an unauthorized individual had gained access to the email accounts of some of its employees as a result of responses to phishing emails.

A password reset was immediately performed to prevent further unauthorized access and a leading cybersecurity firm was engaged to investigate the breach. The investigation revealed a limited number of email accounts were compromised between February 4, 2020 and February 10, 2020.

An analysis of emails and attachments in the breached accounts revealed they contained patient information such as names, medical record numbers, medical information, and health insurance information. A limited number of Social Security numbers were also potentially compromised. No evidence was uncovered that suggested the emails were opened or copied by the attackers.

Affected patients have been advised to be vigilant and monitor their accounts and statements for any sign of fraudulent activity. Out of an abundance of caution, individuals whose Social Security numbers were present in the accounts have been offered complimentary credit monitoring and identity theft protection services.

DMG has reinforced employee education and has taken steps to improve email security to prevent further breaches in the future.

Geisinger Wyoming Valley Medical Center Employee Terminated for Unauthorized Medical Record Access

Geisinger Wyoming Valley Medical Center (GWVMC) in Wilkes-Barre, PA has discovered an employee has been accessing the medical records of patients with no legitimate work reason for doing so.

GWVMC was alerted to the potential HIPAA breach on March 20, 2020 and launched an internal investigation. The employee was authorized to view patient records to complete day-to-day work duties, but it was discovered the medical records of 805 patients had been accessed outside of those work duties. The unauthorized access started in July 2017 and continued until March 2020.

The investigation did not uncover any evidence to suggest patient records were being accessed with malicious intent. Out of an abundance of caution, affected patients have been offered complimentary credit monitoring and identity theft protection services.

The types of information viewed by the employee included names, addresses, telephone numbers, email addresses, dates of birth, Social Security numbers, medical conditions, diagnoses, medications, dates of service, visit notes, test results, and appointment information.

Appropriate disciplinary action was taken against the employee for the violation of HIPAA and hospital policies. The employee no longer works at GWVMC.


April 2020 Healthcare Data Breach Report

There were 37 healthcare data breaches of 500 or more records reported in April 2020, up one from the 36 breaches reported in March. As the graph below shows, the number of breaches reported each month has been fairly consistent and has remained well below the 12-month average of 41.9 data breaches per month.

Healthcare data breaches by month (2019-2020)

While the number of breaches increased slightly, there was a significant reduction in the number of breached healthcare records in April. 442,943 healthcare records were breached in April, down 46.56% from the 828,921 records breached in March. This is the second successive month where the number of exposed records has fallen. While this is certainly good news, it should be noted that in the past 12 months, 39.92 million healthcare records have been breached.

Healthcare records breached in the past 6 months

Largest Healthcare Data Breaches in April 2020

| Name of Covered Entity | Covered Entity Type | Individuals Affected | Type of Breach | Location of Breached Information |
|---|---|---|---|---|
| Beaumont Health | Healthcare Provider | 112,211 | Hacking/IT Incident | Email |
| Meridian Health Services Corp. | Healthcare Provider | 111,372 | Hacking/IT Incident | Email |
| Arizona Endocrinology Center | Healthcare Provider | 74,122 | Unauthorized Access/Disclosure | Electronic Medical Record |
| Advocate Aurora Health | Healthcare Provider | 27,137 | Hacking/IT Incident | Email, Network Server |
| Doctors Community Medical Center | Healthcare Provider | 18,481 | Hacking/IT Incident | Email |
| Andrews Braces | Healthcare Provider | 16,622 | Hacking/IT Incident | Network Server |
| UPMC Altoona Regional Health Services | Healthcare Provider | 13,911 | Hacking/IT Incident | Email |
| Colorado Department of Human Services, Office of Behavioral Health | Healthcare Provider | 8,132 | Unauthorized Access/Disclosure | Network Server |
| Agility Center Orthopedics | Healthcare Provider | 7,000 | Hacking/IT Incident | Email |
| Beacon Health Options, Inc. | Business Associate | 6,723 | Loss | Other Portable Electronic Device |


Causes of Healthcare Data Breaches in April

As was the case in March, hacking and IT incidents were the leading causes of healthcare data breaches. Unauthorized access/disclosure incidents were the next most common causes of breaches, an increase of 77.77% from the previous month.

333,838 records were compromised in the 18 reported hacking/IT incidents, which account for 75.37% of all records breached in April. The average breach size was 18,547 records and the median breach size was 4,631 records. There were 16 reported unauthorized access/disclosure incidents in April. The average breach size was 6,171 records and the median breach size was 1,122 records. In total, 98,737 records were breached across those 16 incidents.

There were two theft incidents reported in April, both involving portable electronic devices. The records of 3,645 individuals were stored on those devices. There was also one lost portable electronic device containing the records of 6,723 patients.

Causes of healthcare data breaches in April 2020

The bar chart below shows the location of breached protected health information. The chart shows email is by far the most common location of breached health information. 48.65% of all reported breaches in April involved PHI stored in emails and email attachments. The majority of those breaches were phishing attacks. Most healthcare data breaches involve electronic data, but one in five breaches involved PHI in paper files and charts.

Location of breached PHI in April 2020

Healthcare Data Breaches by Covered Entity Type

Healthcare providers were the worst affected covered entity type in April with 30 breaches reported. Four health plans reported a breach in April, and three breaches were reported by business associates of HIPAA-covered entities. A further 8 breaches had some business associate involvement.

Healthcare Data Breaches by State

April’s data breaches were reported by covered entities and business associates in 22 states. Florida and Texas were the worst affected with 4 breaches each. There were three data breaches reported in Michigan and Pennsylvania, and two breaches affecting covered entities and business associates based in California, Connecticut, Minnesota, Missouri, and Wisconsin. One breach was reported by entities based in Arkansas, Arizona, Colorado, Delaware, Indiana, Massachusetts, Maryland, North Carolina, New Mexico, Nevada, Tennessee, Utah, and Washington.

HIPAA Enforcement Activity in April

There were no financial penalties imposed on covered entities or business associates by state Attorneys General or the HHS’ Office for Civil Rights in April.
