HIPAA Breach News

Blackbaud SEC Filing Provides Further Information on Data Breach and Mitigation Costs

The number of victims reporting being impacted by the Blackbaud ransomware attack and data breach has continued to grow over the past few weeks, with the Department of Health and Human Services’ Office for Civil Rights breach portal continuing to list healthcare victims. Recent additions include Moffitt Cancer Center, OSF HealthCare System, and Geisinger, with those three entities reporting the incident as affecting a total of 276,600 individuals.

While the total number of victims has not been disclosed by Blackbaud, at least 250 healthcare organizations, non-profits, and educational institutions are known to have been impacted, with healthcare organizations reporting the breach as affecting more than 10 million individuals.

Unsurprisingly given the breach costs incurred by organizations and the number of individuals whose personal information has been exposed, Blackbaud is facing many class action lawsuits. At least 23 proposed class action lawsuits have been filed so far in the United States and Canada, according to its 2020 Q3 Quarterly Report filed with the U.S. Securities and Exchange Commission (SEC). 17 of those lawsuits were filed in federal court in the United States, 4 in state courts, and 2 in Canadian courts.

The lawsuits allege that victims have suffered harm as a result of the breach and that several laws were violated; they seek damages, injunctive relief, and attorneys’ fees. Separately, around 160 claims have been received from Blackbaud’s customers in the U.S., Canada, and the United Kingdom.

In addition to the lawsuits, Blackbaud is being investigated by regulators over potential violations of data privacy laws, including the Department of Health and Human Services and the Federal Trade Commission in the United States, the UK’s Information Commissioner’s Office, and the Office of the Privacy Commissioner of Canada. A joint investigation has also been launched by 43 state attorneys general and the District of Columbia.

According to the SEC filing, Blackbaud incurred more than $3.2 million in costs dealing with the cyberattack between July and September 2020, and $3.6 million over the preceding nine months. Those figures are offset by $2.9 million in insurance recoveries accrued between July and September.

Costs will continue to be accrued in the response to the breach and while those costs are likely to be considerable, Blackbaud expects its cyber insurance policies to cover the bulk of the costs of the breach.

“We have good insurance in place – our insurers are working with us very closely. The key there is coordinating with them and making sure we’re clear on what they’re covering or not going to cover,” said Blackbaud’s chief financial officer Anthony Boor in an October 30, 2020 call with financial analysts.

While the cyber insurance policies have already covered some of the costs, there is no guarantee that all costs will be covered by those policies. “Lawsuits that are putative class actions require a plaintiff to satisfy a number of procedural requirements before proceeding to trial,” explained Boor. “As a result of these uncertainties, we may be unable to determine the probability of loss until, or after, a court has finally determined that a plaintiff has satisfied the applicable class action procedural requirements.”

In the call with financial analysts, Blackbaud said the forensic investigation had established exactly how the attackers gained access to its systems. The flaw exploited in the attack was in one of its earlier-generation products; it has since been fixed and further steps have been taken to harden security. Blackbaud also said that millions of dollars had been invested in cybersecurity and personnel prior to the breach in preparation for such an attack.

Blackbaud managed to contain the attack but was not able to prevent the exfiltration of some customer data. The ransom was paid to prevent publication of the data and Blackbaud believes the payment has prevented any further disclosures of data.

“We have no reason to believe that any data went beyond the cybercriminal, was or will be misused, or will be disseminated or otherwise made available publicly,” explained Blackbaud in the SEC filing.

The post Blackbaud SEC Filing Provides Further Information on Data Breach and Mitigation Costs appeared first on HIPAA Journal.

Ascend Clinical and Alamance Skin Center Suffer Ransomware Attacks

Redwood City, CA-based Ascend Clinical, a provider of ESRD laboratory testing for independent dialysis providers, has announced it suffered a phishing attack that led to a ransomware attack in May 2020.

Unusual system activity and file encryption were detected on or around May 31, 2020. Prompt action was taken to isolate the affected systems and an investigation was launched to determine the nature and scope of the incident. Assisted by a third-party security firm, Ascend Clinical determined access to its systems was gained when an employee responded to a phishing email.

Prior to deploying the ransomware, the attackers accessed files that contained names, dates of birth, mailing addresses, and Social Security numbers. Ascend Clinical has since taken steps to strengthen its email security defenses to prevent similar attacks in the future.

The breach report submitted to the HHS’ Office for Civil Rights indicates 77,443 individuals were affected by the incident.

Alamance Skin Center Suffers Ransomware Attack

The Greensboro-based health system, Cone Health, has suffered a ransomware attack that affected the Alamance Skin Center in Burlington, NC.

The ransomware attack was limited to the single practice and occurred in late July 2020 and is believed to have started with a phishing attack or brute force attempt to obtain credentials. Prompt action was taken to isolate the impacted systems and third-party computer forensics experts were retained to assess the scope of the breach. The investigation did not find any evidence to suggest patient information was stolen prior to the encryption of files and no reports have been received that indicate patient information has been misused.

However, some patient information was encrypted in the attack and is unrecoverable. Cone Health reports the protected health information affected was limited to patient names, medical record numbers, dates of birth, diagnosis information, addresses, and date(s) of service.

The attack affected the appointments system, which remains inaccessible. Patients with upcoming appointments have been advised to contact the practice to confirm them. Since it was not possible to determine with certainty that patient information was not accessed by the attackers, all affected patients have been advised to be vigilant for identity theft and fraud.

Alamance Skin Center is reviewing existing policies and procedures and will be implementing additional safeguards to prevent similar incidents in the future.


Wakefern Food Corporation Settles HIPAA Breach Case with NJ Attorney General for $235,000

Wakefern Food Corporation has agreed to pay $235,000 in civil financial penalties to resolve allegations of violations of federal and state laws related to a data breach involving the protected health information of 9,700 customers of two ShopRite supermarkets, one in Millville, Cumberland County, NJ, and one in Kingston, NY. In addition to the financial penalties, the settlement requires improvements to be made to data security practices.

Wakefern Food Corporation is the parent company of Union Lake Supermarket, LLC, which owns the ShopRite store in Millville, and ShopRite Supermarkets, Inc., which owns the ShopRite store in Kingston, NY.

In 2016, Wakefern replaced electronic devices that were used to collect customer signatures and purchase information at the two locations. The old devices were disposed of in regular dumpsters without first destroying the devices or purging/clearing the stored data to ensure sensitive information could not be recovered. The devices contained the protected health information of 9,700 customers of the two stores including names, contact information, zip codes, driver’s license numbers, dates of birth, prescription numbers, prescription types, pickup and delivery dates.

After receiving reports about the improper disposal of ePHI, the New Jersey Division of Consumer Affairs launched an investigation and determined that the disposal of the devices violated the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule and that there had been multiple violations of the state’s Consumer Fraud Act. Staff at the stores had also not been provided with appropriate training on the handling and disposal of sensitive information.

“Pharmacies have a legal obligation to protect the privacy and security of the patient information they collect, and to properly dispose of that information when the time comes,” said New Jersey Attorney General Gurbir S. Grewal. “Those who compromise consumers’ private health information face serious consequences.”

Wakefern has agreed to pay $209,856.50 in civil penalties and $25,143.50 for reimbursement of attorneys’ fees and investigative costs, and will implement protective measures to prevent future data breaches. Those measures include appointing a chief privacy officer, executing a business associate agreement with ShopRite Supermarkets, Union Lake, and each of the members that operate pharmacies within the supermarkets, and ensuring appropriate measures are implemented to safeguard protected health information. Each of the ShopRite stores that has a pharmacy is required to appoint a HIPAA privacy officer and HIPAA security officer to oversee compliance, and online training must be provided for those officers on their privacy and security roles.

“New Jersey consumers have a right to know that when they purchase a prescription medication at the neighborhood supermarket, their most private information will be fully protected under the law and not carelessly left to fall into the wrong hands,” said Paul R. Rodríguez, Acting Director of the Division of Consumer Affairs. “This settlement ensures that ShopRite supermarket pharmacies will be trained and monitored for HIPAA compliance to avoid future conduct that places consumers at risk for privacy invasion and identity theft.”


Email Incidents Result in the Potential Disclosure of the PHI of More Than 41,000 Patients

Four email-related data breaches have recently been reported by U.S healthcare providers, along with an unspecified cyberattack on a mental health and addiction treatment provider.

12,000 Patients Impacted by Email Breach at Arkansas Otolaryngology Center

Little Rock, AR-based Arkansas Otolaryngology Center is alerting 12,000 patients about an email security breach discovered on July 17, 2020. An unauthorized individual was discovered to have gained access to the email account of an employee and was using the account to send unauthorized messages.

Assisted by a third-party computer forensics company, Arkansas Otolaryngology Center determined that four email accounts had been compromised between July 17, 2020 and July 27, 2020. It was not possible to determine whether any emails in the accounts had been subjected to unauthorized access during the time the accounts were accessible.

A review of emails and email attachments in the compromised accounts revealed they contained the following types of protected health information: names, dates of birth, medical record numbers, Social Security numbers, diagnoses, doctors’ names, driver’s license numbers, state identification card numbers, insurance group numbers, treatment locations, and treatment or procedure types or codes. A limited number of individuals also had financial account information exposed.

Upon discovery of the breach a full password reset was performed, and additional technical safeguards have since been implemented to prevent further email breaches. Individuals affected by the breach have been offered complimentary credit monitoring services.

Centerstone of Indiana Email Breach Impacts 11,638 Patients

Centerstone of Indiana, a provider of mental health and substance use disorder treatment services in Indiana, Illinois, Tennessee, and Florida, has discovered an employee’s email account has been accessed by an unauthorized individual.

Unusual activity was detected in the email account and it was immediately secured. The investigation revealed the email account had been accessed between December 12, 2019 and December 16, 2019; however, it took until August 25, 2020 for the investigation to confirm that protected health information was contained within the account.

The protected health information of 11,638 patients was exposed in the incident, including names, dates of birth, Social Security numbers, driver’s license numbers, state identification card numbers, medical diagnoses, treatment information, Medicaid and Medicare information, and health insurance information. The types of exposed data varied from patient to patient. Some employee information was also potentially compromised.

Notification letters were sent to affected patients on Thursday, October 22, 2020 and information has been provided on the steps that should be taken to reduce the risk of misuse of their data.

Centerstone reports that $800,000 has been invested in IT security infrastructure following the breach, including new software applications and security appliances. A security audit and gap assessment are being conducted by third-party security experts to identify any other areas where security can be improved. Policies and procedures are also being reassessed and further training on IT security has been provided to the workforce.

Perry County Memorial Hospital Discovers Email Security Breach

Perry County Memorial Hospital in Tell City, IN has discovered the email accounts of two employees have been accessed by unauthorized individuals.

An investigation was launched which revealed the accounts were accessed on August 23, 2020. A review of the compromised accounts confirmed they contained private patient data which could have been viewed or obtained by the attackers, although no evidence of data theft was identified.

The information potentially compromised was limited to names, dates of birth, diagnoses/diagnostic codes, internal patient account numbers, provider names, and other health information, along with a limited number of Social Security numbers, Medicare/Medicaid numbers, and health insurance information.

Perry County Memorial Hospital is taking steps to enhance email security to prevent similar breaches in the future. Individuals whose Social Security number was potentially compromised have been offered complimentary membership to identity theft monitoring services.

Tri-State Specialists Alerts 17,500 Patients About Email Error

Tri-State Specialists, a network of orthopedic surgery clinics serving residents in Iowa, South Dakota, and Nebraska, is alerting 17,050 patients about an incident that resulted in the impermissible disclosure of names and email addresses to a small number of current and former patients.

On September 16, 2020, Tri-State Specialists discovered an email had been sent by an employee that included patients’ names and email addresses in an attached file. No other patient information was included in the file. Patients have been advised to be vigilant for spam messages as a result of the disclosure of their email addresses.

In response to the breach, Tri-State Specialists has revised its policies and procedures for sending emails to prevent similar breaches in the future, and the importance of data privacy has been re-emphasized with the workforce.

BryLin Behavioral Health Notifies Patients About Potential PHI Breach

BryLin Behavioral Health System, a provider of mental health and addiction treatment services in Buffalo, NY, is alerting certain patients that some of their protected health information was potentially compromised as a result of a cybersecurity incident that occurred in August 2020.

Unusual network activity was detected by BryLin on August 19, 2020. Immediate action was taken to secure the network and an investigation was launched which revealed its systems had been compromised on August 14, 2020. Unauthorized individuals potentially accessed documents on the compromised systems that contained patient names, dates of birth, addresses, treatment information and/or clinical information and, in some instances, patients’ Social Security numbers and/or health insurance information. The breach only affected data of patients who received medical services at BryLin hospital. Patient information from its outpatient clinic, outpatient substance use, and outpatient mental health care services was not affected.

All patients affected by the breach have now been notified and the 75 patients who had their Social Security number exposed have been offered complimentary credit monitoring services.

The total number of individuals affected by the breach has not yet been disclosed.


Failure to Terminate Former Employee’s Access Rights Results in $202,000 HIPAA Fine for New Haven, CT

The City of New Haven, Connecticut has agreed to pay a $202,400 financial penalty to the Department of Health and Human Services’ Office for Civil Rights to resolve a HIPAA violation case.

An OCR investigation was launched in May 2017 following receipt of a data breach notification from New Haven on January 24, 2017. OCR investigated whether the data breach was linked to potential violations of HIPAA Rules.

During the investigation, OCR discovered that the New Haven Health Department had terminated an employee on July 27, 2016, during her probationary period. Later that same day, the former employee returned to the New Haven Health Department with her union representative and used her work key to access her old office, where she locked herself inside with her union representative.

While in her office, the former employee logged into her old computer using her username and password and copied information from her computer onto a USB drive. She also removed personal items and documents from the office, and then exited the premises. A file on the computer contained the protected health information of 498 patients, including names, addresses, dates of birth, race/ethnicity, gender, and sexually transmitted disease test results. That file was downloaded onto the USB drive. The actions of the former employee were witnessed by an intern.

OCR investigators also determined that the former employee had shared her login credentials with an intern, who continued to use those credentials to access PHI on the network after the employee had been terminated.

Had the New Haven Health Department deactivated the former employee’s login credentials at the time of her termination, the data breach would have been prevented. Had all users been given their own unique login credentials, it would also have been possible to attribute system activity to each individual and identify their interactions with electronic protected health information.
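The two failures described here (a credential that kept working after termination, and a login shared with an intern so that activity could not be attributed to one person) are exactly what a periodic reconciliation of the HR roster against directory accounts is meant to catch. The following Python is an added example written for this page, not code from OCR, the City of New Haven, or HIPAA Journal; the roster, the account list, and the field names are constructed sample data, and a real deployment would pull them from the HR system and the directory.

```python
"""Reconcile an HR termination roster against directory accounts.

Added example for this page; not code from OCR, the City of New Haven or HIPAA Journal.
The roster, the account list and the field names are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass
class HrRecord:
    employee_id: str
    username: str
    termination_date: Optional[date]  # None means still employed


@dataclass
class Account:
    username: str
    enabled: bool
    last_logon: Optional[date]
    owner_employee_id: Optional[str]  # None: login never tied to a single workforce member


def find_access_violations(roster: List[HrRecord], accounts: List[Account],
                           today: date) -> Dict[str, List[str]]:
    """Return usernames grouped by finding.

    terminated_still_enabled: owner's employment ended but the login still works
    used_after_termination:   a logon happened after the owner's termination date
                              (the credential kept working, whoever was typing it)
    no_unique_owner:          account is not tied to exactly one workforce member,
                              so its activity cannot be attributed to an individual
    orphaned:                 account with no HR record at all
    """
    by_user = {r.username: r for r in roster}
    findings: Dict[str, List[str]] = {
        "terminated_still_enabled": [], "used_after_termination": [],
        "no_unique_owner": [], "orphaned": [],
    }
    for acct in accounts:
        rec = by_user.get(acct.username)
        if rec is None:
            findings["orphaned"].append(acct.username)
            continue
        if acct.owner_employee_id != rec.employee_id:
            findings["no_unique_owner"].append(acct.username)
        term = rec.termination_date
        if term is not None and term <= today:
            if acct.enabled:
                findings["terminated_still_enabled"].append(acct.username)
            if acct.last_logon is not None and acct.last_logon > term:
                findings["used_after_termination"].append(acct.username)
    return findings


# Constructed sample data. "jdoe" was terminated on 2016-07-27 but the login stayed
# enabled and was used afterwards; "intern01" was created ad hoc and never linked to
# its HR identity; "svc_legacy" has no HR record at all.
SAMPLE_ROSTER = [
    HrRecord("E100", "jdoe", date(2016, 7, 27)),
    HrRecord("E101", "asmith", None),
    HrRecord("E102", "intern01", None),
]
SAMPLE_ACCOUNTS = [
    Account("jdoe", enabled=True, last_logon=date(2016, 8, 15), owner_employee_id="E100"),
    Account("asmith", enabled=True, last_logon=date(2016, 8, 30), owner_employee_id="E101"),
    Account("intern01", enabled=True, last_logon=date(2016, 8, 29), owner_employee_id=None),
    Account("svc_legacy", enabled=True, last_logon=None, owner_employee_id=None),
]


def report(today: date = date(2016, 9, 1)) -> Dict[str, List[str]]:
    """Run the reconciliation over the sample data."""
    return find_access_violations(SAMPLE_ROSTER, SAMPLE_ACCOUNTS, today)


if __name__ == "__main__":
    for kind, users in report().items():
        print(f"{kind}: {', '.join(users) or '-'}")
```

Run daily, the "terminated_still_enabled" list is the one that should always be empty; the "no_unique_owner" and "orphaned" lists are the accounts whose activity you could not attribute to a person if OCR asked.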

OCR concluded that between December 1, 2014 and December 31, 2018, HIPAA Privacy Rule policies and procedures had not been implemented, New Haven had not implemented procedures for terminating access to ePHI when the employment of, or other arrangement with, a workforce member ends, and New Haven had failed to assign unique usernames and passwords to track user identity.

An accurate organization-wide risk assessment had not been performed to identify the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information and there had been an impermissible disclosure of the PHI of 498 individuals.

In addition to the financial penalty, the City of New Haven has agreed to adopt a corrective action plan to address all areas of noncompliance. OCR will monitor the City of New Haven for HIPAA compliance for two years from the date of the resolution agreement.

“Medical providers need to know who in their organization can access patient data at all times. When someone’s employment ends, so must their access to patient records,” said OCR Director Roger Severino.

The settlement is the 4th to be announced by OCR in October 2020, and the 15th HIPAA financial penalty of 2020.


Sky Lakes Medical Center and St. Lawrence Health System Attacked with Ransomware

Two more hospitals have experienced ransomware attacks that have taken their computer systems offline and have forced clinicians to switch to pen and paper to record patient information.

Both attacks occurred on Tuesday, October 27, 2020: one on Sky Lakes Medical Center in Klamath Falls, OR, and the other on St. Lawrence Health System in New York. At this stage it is unclear which ransomware variant was used against Sky Lakes Medical Center; the attack on St. Lawrence Health System involved a new variant of Ryuk ransomware.

Sky Lakes Medical Center announced on Facebook that while its computer systems had been taken out of action, care continued to be provided to patients and its emergency and urgent care departments remained open and fully operational and most scheduled elective procedures were continuing as planned. At this stage, no evidence has been found to indicate any patient data were compromised in the attack; however, the investigation is still in the early stages.

The attack on St. Lawrence Health System was detected several hours after the initial compromise. St. Lawrence Health System issued a statement saying its IT department had taken systems offline in an effort to contain the attack and prevent the ransomware from spreading to all parts of the network.

The ransomware attack is reported to have affected three of its hospitals – Canton-Potsdam Hospital, Gouverneur Hospital, and Massena Hospital. The decision was taken to divert ambulances from some of the affected hospitals as a precautionary step to ensure care could be provided to patients.

As with the attack on Sky Lakes Medical Center, no evidence has been found to indicate patient information was compromised, although the operators behind Ryuk have been reported to exfiltrate data prior to file encryption, so the absence of evidence this early in an investigation is not conclusive.

A joint advisory was issued this week by CISA, the FBI, and the Department of Health and Human Services (HHS) warning of an increase in targeted Ryuk ransomware attacks on hospitals and public health sector organizations. The agencies said they had credible information of an increased and imminent threat to U.S. hospitals and healthcare providers.

Healthcare organizations are advised to take steps to secure their networks from attack. The advisory (AA20-302A) includes indicators of compromise and mitigation measures to help prevent attacks and identify attacks in progress, along with the steps that should be taken to harden defenses.
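The advisory's mitigations are largely about being able to spot ransomware staging before encryption starts, which means looking at process-creation telemetry rather than waiting for a ransom note. The following Python is an added example, not code from CISA, the FBI, HHS, or either hospital: it scans constructed process-creation log lines for a handful of behaviours widely documented for Ryuk deployments (shadow copy and backup catalog deletion, disabling Windows recovery, the .RYK extension and RyukReadMe note, and domain reconnaissance commands) and escalates a host when more than one distinct behaviour fires. The one-line log format and the rule list are assumptions; the rule list is a starting point, not the advisory's full indicator set.

```python
"""Scan process-creation log lines for ransomware staging behaviour.

Added example for this page; not code from CISA, the FBI, HHS or either hospital.
The one-line event format and the rule list are assumptions.
"""
import re
from typing import Dict, List, Optional

# Constructed sample events in a flattened Sysmon-style process-creation format.
SAMPLE_EVENTS = [
    r'2020-10-27T02:14:05 host=FILESRV01 user=CORP\svc_backup image=C:\Windows\System32\vssadmin.exe cmd="vssadmin.exe Delete Shadows /all /quiet"',
    r'2020-10-27T02:14:09 host=FILESRV01 user=CORP\svc_backup image=C:\Windows\System32\bcdedit.exe cmd="bcdedit /set {default} recoveryenabled No"',
    r'2020-10-27T02:14:12 host=FILESRV01 user=CORP\svc_backup image=C:\Windows\System32\wbadmin.exe cmd="wbadmin delete catalog -quiet"',
    r'2020-10-27T01:58:31 host=WS-042 user=CORP\jsmith image=C:\Windows\System32\net.exe cmd="net view /all"',
    r'2020-10-27T02:20:44 host=WS-017 user=CORP\mlee image=C:\Windows\System32\notepad.exe cmd="notepad.exe C:\Users\mlee\Desktop\RyukReadMe.html"',
    r'2020-10-27T02:21:02 host=WS-042 user=CORP\jsmith image=C:\Windows\explorer.exe cmd="explorer.exe"',
]

EVENT_RE = re.compile(
    r'^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+image=(?P<image>\S+)\s+cmd="(?P<cmd>.*)"$'
)

# Behaviours widely documented for Ryuk deployments; a starting point, not a full IOC set.
RULES = [
    ("shadow_copy_deletion", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("shadow_copy_deletion", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("backup_catalog_deletion", re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I)),
    ("recovery_disabled", re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no", re.I)),
    ("ryuk_artifact", re.compile(r"RyukReadMe\.(txt|html)|\.RYK\b", re.I)),
    ("domain_recon", re.compile(r"\b(net\s+view|nltest\s+/dclist|adfind)\b", re.I)),
]


def parse_event(line: str) -> Optional[Dict[str, str]]:
    """Split one flattened event into its fields, or None if the line is malformed."""
    m = EVENT_RE.match(line)
    return m.groupdict() if m else None


def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Return one finding per (event, rule) match, in timestamp order."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue  # malformed line: in production, count these rather than drop silently
        for name, pattern in RULES:
            if pattern.search(ev["cmd"]):
                findings.append({"ts": ev["ts"], "host": ev["host"], "user": ev["user"],
                                 "rule": name, "cmd": ev["cmd"]})
    return sorted(findings, key=lambda f: f["ts"])


def hosts_to_escalate(findings: List[Dict[str, str]], min_distinct_rules: int = 2) -> List[str]:
    """Hosts where several different behaviours fired: a lone 'net view' is routine,
    shadow copy deletion plus recovery disabled on one host is an incident."""
    rules_by_host: Dict[str, set] = {}
    for f in findings:
        rules_by_host.setdefault(f["host"], set()).add(f["rule"])
    return sorted(h for h, rules in rules_by_host.items() if len(rules) >= min_distinct_rules)


if __name__ == "__main__":
    hits = scan(SAMPLE_EVENTS)
    for f in hits:
        print(f"{f['ts']} {f['host']:<10} {f['rule']:<24} {f['cmd']}")
    print("escalate:", hosts_to_escalate(hits))
```

The escalation threshold is deliberately on distinct behaviours per host rather than raw hit count: a backup job that legitimately runs vssadmin will produce one rule repeatedly, whereas an operator staging Ryuk produces several different ones within seconds, as the constructed FILESRV01 events show.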


Aetna Slapped with $1 Million HIPAA Fine for Three Data Breaches

Aetna Life Insurance Company and the affiliated covered entity (Aetna) has agreed to settle multiple potential HIPAA violations with the Department of Health and Human Services’ Office for Civil Rights (OCR) that were discovered during the investigation of three data breaches that occurred in 2017.

The first of those data breaches was reported to OCR in June 2017 and concerned the exposure of the protected health information (PHI) of health plan members over the Internet. Two web services were used to display health plan-related documents to its members, but those documents could be accessed over the Internet without the need for any login credentials.

The lack of authentication allowed the documents to be indexed by search engines and displayed in search results. Aetna’s investigation revealed the PHI of 5,002 individuals had been exposed, which included names, insurance identification numbers, claim payment amounts, procedures service codes, and dates of service.
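The first Aetna breach is a classic direct object reference problem: a document URL that works without any session, so a crawler that follows one link, or anyone who guesses an identifier, gets the document. The following Python is an added illustration written for this page, not Aetna's code and not taken from the OCR resolution agreement; it shows a minimal WSGI endpoint with no authentication beside a hardened version that requires a bearer session, checks that the requester owns the document, and tells caches and crawlers not to retain it. The document store, session store, token names, and member IDs are constructed.

```python
"""A document endpoint with no authentication beside a hardened one.

Added illustration for this page; not Aetna's code. Plain WSGI, standard library only.
The document store, the session store and the token and member identifiers are constructed.
"""
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs

# Constructed store: document id -> (owning member id, content)
DOCUMENTS: Dict[str, Tuple[str, bytes]] = {
    "eob-1001": ("M-111", b"Explanation of benefits for member M-111"),
    "eob-1002": ("M-222", b"Explanation of benefits for member M-222"),
}
# Constructed session store: bearer token -> member id (a real app keeps these server-side and expires them)
SESSIONS: Dict[str, str] = {"tok-alice": "M-111", "tok-bob": "M-222"}


def _respond(start_response, status: str, body: bytes, extra_headers=()):
    headers = [("Content-Type", "text/plain"), ("Content-Length", str(len(body)))]
    headers.extend(extra_headers)
    start_response(status, headers)
    return [body]


def _doc_id(environ) -> str:
    return parse_qs(environ.get("QUERY_STRING", "")).get("id", [""])[0]


def vulnerable_app(environ, start_response):
    """The pattern behind the first Aetna breach: whoever knows the id gets the document,
    and a crawler that follows one link can index all of them."""
    doc = DOCUMENTS.get(_doc_id(environ))
    if doc is None:
        return _respond(start_response, "404 Not Found", b"no such document")
    return _respond(start_response, "200 OK", doc[1])


def hardened_app(environ, start_response):
    """Require a session, then check that the session's member owns the document."""
    auth = environ.get("HTTP_AUTHORIZATION", "")
    member: Optional[str] = SESSIONS.get(auth[7:]) if auth.startswith("Bearer ") else None
    if member is None:
        return _respond(start_response, "401 Unauthorized", b"login required",
                        [("WWW-Authenticate", "Bearer")])
    # Even authenticated responses must not be stored by shared caches or indexed.
    private = [("Cache-Control", "no-store"), ("X-Robots-Tag", "noindex, nofollow")]
    doc = DOCUMENTS.get(_doc_id(environ))
    if doc is None or doc[0] != member:
        # Same answer for "does not exist" and "belongs to someone else",
        # so the endpoint is not an oracle for enumerating valid ids.
        return _respond(start_response, "404 Not Found", b"no such document", private)
    return _respond(start_response, "200 OK", doc[1], private)


def call(app, path_query: str, bearer: Optional[str] = None) -> Tuple[str, Dict[str, str], bytes]:
    """Drive a WSGI app in-process with a minimal environ (no network needed)."""
    path, _, qs = path_query.partition("?")
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path, "QUERY_STRING": qs}
    if bearer is not None:
        environ["HTTP_AUTHORIZATION"] = "Bearer " + bearer
    captured: Dict[str, object] = {}

    def start_response(status, headers):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body  # type: ignore[return-value]


if __name__ == "__main__":
    from wsgiref.simple_server import make_server
    print("serving hardened_app on http://127.0.0.1:8000/docs?id=eob-1001 (send: Authorization: Bearer tok-alice)")
    make_server("127.0.0.1", 8000, hardened_app).serve_forever()
```

Two design points worth noting: authentication and authorization are separate checks (a valid session for Bob must still not return Alice's document), and a robots.txt or noindex header on its own would not have fixed Aetna's problem, because the documents would still have been readable by anyone with the URL; the headers are defense in depth on top of the ownership check.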

The other two breaches involved the impermissible disclosure of highly sensitive information in two mailings to plan members. In both cases, window envelopes were used that allowed PHI to be read without opening the envelope.

The first mailing in July 2017 saw benefit notices sent to 11,887 individuals who were receiving HIV medication, either for treatment or prophylaxis. The words “HIV medication” could be seen through the windows of the envelope, along with the name and address of each individual.

The second mailing, sent in September 2017, concerned a research study on individuals with an irregular heart rhythm. Through the windows of the envelope the name and logo of the atrial fibrillation research study were clearly visible along with the name and address of the recipient. The mailing was sent to 1,600 individuals.

These three incidents resulted in the impermissible disclosure of the PHI of 18,489 individuals and during the course of the investigation OCR investigators uncovered several other violations of the HIPAA Rules.

  • Aetna had not performed periodic technical and nontechnical evaluations of operational changes affecting the security of their electronic PHI (ePHI), in violation of 45 C.F.R. § 164.308(a)(8);
  • Procedures had not been implemented to verify the identity of individuals or entities looking to access their ePHI, in violation of 45 C.F.R. § 164.312(d);
  • Disclosures of ePHI had not been limited to the minimum necessary information to achieve the purpose for the disclosure, in violation of 45 C.F.R. § 164.514(d); and
  • There was a lack of appropriate administrative, technical, and physical safeguards to protect the privacy of PHI, in violation of 45 C.F.R. § 164.530(c).

“When individuals contract for health insurance, they expect plans to keep their medical information safe from public exposure. Unfortunately, Aetna’s failure to follow the HIPAA Rules resulted in three breaches in a six-month period, leading to this million-dollar settlement,” said OCR Director Roger Severino.

In addition to the financial penalty, Aetna has agreed to adopt a corrective action plan to address all areas of HIPAA noncompliance discovered by OCR. OCR will be monitoring Aetna closely for noncompliance with the HIPAA Rules for 2 years.

Settlements totaling $2,725,170 were agreed in 2018 to resolve HIPAA violation cases brought by state attorneys general in California ($935,000), Connecticut ($99,959), New Jersey ($365,211.59), New York ($1,150,000) and the District of Columbia ($175,000) over these data breaches. In 2018, Aetna also settled a class action lawsuit filed on behalf of victims of the HIV medication mailing incident for $17 million.

This year has already seen more penalties imposed on covered entities and business associates than any other year since OCR was given the authority to impose fines for HIPAA violations. There have been 14 settlements announced this year totaling $13,211,500.


Sonoma Valley Hospital Suffers Significant EHR Downtime Event

Sonoma Valley Hospital in California experienced a computer security incident on October 11, 2020 which took its computer systems offline and caused “a significant downtime event.”

The hospital implemented its business continuity plan which allowed care to continue to be provided to patients while its computer systems were out of action. Throughout the incident its emergency department remained available and elective and necessary surgeries continued to be performed. The majority of diagnostic services continued without interruption, although the incident did cause disruption for some patients. The patient portal has remained available throughout, although new results have not been posted since October 11.

An investigation into the incident was immediately launched and third-party cybersecurity experts were engaged to assist with the investigation and recovery efforts. No information on the exact cause of the incident has been released to date, including whether ransomware was involved, and it is not yet known if any patient data was compromised.

Lycoming-Clinton Joinder Board Uncovers Further Data Breach

Lycoming-Clinton Joinder Board (LCJB), which runs programs providing services to individuals with mental illness or intellectual disabilities in Lycoming and Clinton Counties in Pennsylvania, is alerting 14,500 patients that some of their protected health information has potentially been compromised.

On August 10, 2020, while investigating an earlier data breach, LCJB discovered the email accounts of three employees had been accessed by an unauthorized individual. An analysis of the email accounts confirmed they contained patient information, but it was not possible to determine if any information in the accounts had been viewed or obtained by unauthorized individuals.

Information in the accounts varied from patient to patient and may have included names, addresses, dates of birth, medical record numbers, health insurance numbers, medical histories (including diagnoses, substance abuse, lab tests and results, mental or physical health evaluations, and treatment or provider information), costs of care, or circumstances of abuse. A limited number of Social Security numbers were also exposed.

The investigation confirmed the three email accounts were intermittently accessed by an unauthorized individual between August 5, 2020 and August 10, 2020. The earlier breach, which was discovered on June 23, 2020, was also an email security incident, which affected two employee email accounts. Those accounts were accessed by an unauthorized individual between June 19, 2020 and June 23, 2020 and contained the records of 3,905 patients. While there were similarities between both incidents, it was not possible to tell if the same individual was responsible.

In response to the incidents, LCJB has taken several steps to improve email security, including increasing password complexity, implementing 2-factor authentication for remote access, restricting access to systems to users within the United States, and enhancing its cybersecurity training program for staff members. Policies and procedures have also been developed and implemented that require personal information to be securely deleted regularly from the email system and the network.

1,700 Patients of Coast Dental Notified About Possible Theft of PHI

Tampa, Florida-based Coast Dental has started notifying 1,700 patients that records containing their protected health information are missing and have potentially been stolen.

A moving truck containing equipment and patient records was stolen from a parking lot in Atlanta, GA during the night of August 6-7, 2020. The theft was reported to the police department and the truck was recovered and impounded the following day. The truck was locked to secure the contents until the vehicle was released by the police department. An inventory of the contents of the truck was conducted between August 26 and 28, 2020, which revealed that patient records were missing.

On October 13, 2020, notification letters were sent to all patients whose records may have been stolen and, out of an abundance of caution, patients whose Social Security number was potentially compromised have been offered complimentary credit monitoring services.

In response to the incident, Coast Dental has re-educated its workforce and has refined processes to better secure patient information.


September 2020 Healthcare Data Breach Report: 9.7 Million Records Compromised

September has been a bad month for data breaches. 95 data breaches of 500 or more records were reported by HIPAA-covered entities and business associates in September, a 156.75% increase compared to August 2020.

[Figure: September 2020 healthcare data breach report, breaches per month]

Not only did September see a massive increase in reported data breaches, the number of records exposed also increased significantly. 9,710,520 healthcare records were exposed in those breaches – 348.07% more than August – with 18 entities suffering breaches of more than 100,000 records. The mean breach size was 102,216 records and the median breach size was 16,038 records.

[Figure: September 2020 healthcare data breach report, breached records per month]

Causes of September 2020 Healthcare Data Breaches

The massive increase in reported data breaches is due to the ransomware attack on the cloud software company Blackbaud. In May 2020, Blackbaud suffered a ransomware attack in which hackers gained access to servers housing some of its customers’ fundraising databases. Those customers included many higher education and third sector organizations, and a significant number of healthcare providers.

Blackbaud was able to contain the breach; however, prior to the deployment of the ransomware, the attackers exfiltrated some customer data. The breach was initially thought to only include limited data about donors and prospective donors, but further investigations revealed Social Security numbers and financial information were also exfiltrated by the hackers.

Blackbaud negotiated a ransom payment and paid to prevent the publication or sale of the stolen data. Blackbaud has reported it has received assurances that all stolen data were deleted. Blackbaud has engaged a company to monitor dark web sites but no data appears to have been offered for sale.

Blackbaud announced the ransomware attack in July 2020 and notified all affected customers. HIPAA-covered entities affected by the breach started to report the data breach in August, with most reporting in September.

It is currently unclear exactly how many U.S. healthcare organizations were affected by the breach and the final total may never be known. Databreaches.net has been tracking the Blackbaud breach reports and, at last count, at least 80 healthcare organizations are known to have been affected. The records of more than 10 million patients are thought to have been compromised as a result of the ransomware attack.

[Figure: September 2020 healthcare data breach report, causes of breaches]

Unsurprisingly, given the numbers of healthcare providers affected by the Blackbaud breach, hacking/IT incidents dominated the breach reports. 83 breaches were attributed to hacking/IT incidents and 9,662,820 records were exposed in those breaches – 99.50% of all records reported as breached in September. The mean breach size was 116,420 records and the median breach size was 27,410 records.

There were 7 unauthorized access/disclosure incidents reported in September involving a total of 34,995 records. The mean breach size was 4,942 records and the median breach size was 1,818 records. There were 4 loss/theft incidents reported involving 12,029 records, with a mean breach size of 3,007 records and a median size of 2,978 records. There was 1 improper disposal incident reported involving 1,076 records.

Most of the compromised records were stored on network servers, although there were a sizable number of breaches involving PHI stored in email accounts.

[Figure: September 2020 healthcare data breach report, location of breached PHI]

Largest Healthcare Data Breaches Reported in September 2020

| Name of Covered Entity | Covered Entity Type | Individuals Affected | Type of Breach | Breach Cause |
|---|---|---|---|---|
| Trinity Health | Business Associate | 3,320,726 | Hacking/IT Incident | Blackbaud Ransomware Attack |
| Inova Health System | Healthcare Provider | 1,045,270 | Hacking/IT Incident | Blackbaud Ransomware Attack |
| NorthShore University HealthSystem | Healthcare Provider | 348,746 | Hacking/IT Incident | Blackbaud Ransomware Attack |
| SCL Health – Colorado (affiliated covered entity) | Healthcare Provider | 343,493 | Hacking/IT Incident | Blackbaud Ransomware Attack |
| Nuvance Health (on behalf of its covered entities) | Healthcare Provider | 314,829 | Hacking/IT Incident | Blackbaud Ransomware Attack |
| The Baton Rouge Clinic, A Medical Corporation | Healthcare Provider | 308,169 | Hacking/IT Incident | Ransomware Attack |
| Virginia Mason Medical Center | Healthcare Provider | 244,761 | Hacking/IT Incident | Blackbaud Ransomware Attack |
| University of Tennessee Medical Center | Healthcare Provider | 234,954 | Hacking/IT Incident | Blackbaud Ransomware Attack |
| Legacy Community Health Services, Inc. | Healthcare Provider | 228,009 | Hacking/IT Incident | Phishing Attack |
| Allina Health | Healthcare Provider | 199,389 | Hacking/IT Incident | Blackbaud Ransomware Attack |
| University of Missouri Health Care | Healthcare Provider | 189,736 | Hacking/IT Incident | Phishing Attack |
| The Christ Hospital Health Network | Healthcare Provider | 183,265 | Hacking/IT Incident | Blackbaud Ransomware Attack |
| Stony Brook University Hospital | Healthcare Provider | 175,803 | Hacking/IT Incident | Blackbaud Ransomware Attack |
| Atrium Health | Healthcare Provider | 165,000 | Hacking/IT Incident | Blackbaud Ransomware Attack |
| University of Kentucky HealthCare | Healthcare Provider | 163,774 | Hacking/IT Incident | Blackbaud Ransomware Attack |
| Children’s Minnesota | Healthcare Provider | 160,268 | Hacking/IT Incident | Blackbaud Ransomware Attack |
| Roswell Park Comprehensive Cancer Center | Healthcare Provider | 141,669 | Hacking/IT Incident | Blackbaud Ransomware Attack |
| Piedmont Healthcare, Inc. | Healthcare Provider | 111,588 | Hacking/IT Incident | Blackbaud Ransomware Attack |
| SCL Health – Montana (affiliated covered entity) | Healthcare Provider | 93,642 | Hacking/IT Incident | Blackbaud Ransomware Attack |
| Roper St. Francis Healthcare | Healthcare Provider | 92,963 | Hacking/IT Incident | Blackbaud Ransomware Attack |

September 2020 Data Breaches by Covered Entity Type

88 healthcare providers reported data breaches of 500 or more records in September and 2 breaches were reported by health plans. 5 breaches were reported by business associates of HIPAA-covered entities, but a further 53 breaches involved a business associate, with the breach reported by the covered entity. Virtually all of those 53 breaches were due to the ransomware attack on Blackbaud.

[Figure: September 2020 healthcare data breach report, breaches by covered entity type]

September 2020 Data Breaches by State

Covered entities and business associates in 30 states and the District of Columbia reported data breaches of 500 or more records in September.

New York was the worst affected state with 10 breaches. 6 breaches were reported in each of California, Minnesota, and Pennsylvania; 5 in each of Colorado, South Carolina, and Texas; 4 in each of Florida, Georgia, Massachusetts, Ohio, and Virginia; 3 in each of Iowa, Kentucky, Louisiana, and Michigan; and 2 in each of Connecticut, Maryland, North Carolina, Tennessee, and Wisconsin.

One breach was reported in each of Alabama, Delaware, Illinois, Indiana, Missouri, New Hampshire, New Jersey, Oklahoma, Washington, and the District of Columbia.

HIPAA Enforcement Activity in September 2020

Prior to September, the HHS’ Office for Civil Rights had only imposed three financial penalties on covered entities and business associates to resolve HIPAA violations, but there was a flurry of announcements about HIPAA settlements in September with 8 financial penalties announced.

The largest settlement was agreed with Premera Blue Cross to resolve HIPAA violations discovered during the investigation of its 2014 data breach that affected 10.4 million of its members. OCR found compliance issues related to risk analyses, risk management, and hardware and software controls. Premera agreed to pay a financial penalty of $6,850,000 to resolve the case. This was the second largest HIPAA fine ever imposed on a covered entity.

CHSPSC LLC, a business associate of Community Health Systems, agreed to pay OCR $2,300,000 to resolve its HIPAA violation case which stemmed from a breach of the PHI of 6 million individuals in 2014. OCR found compliance issues related to risk analyses, information system activity reviews, security incident procedures, and access controls.

Athens Orthopedic Clinic PA agreed to pay a $1,500,000 penalty to resolve its case with OCR which stemmed from the hacking of its systems by TheDarkOverlord hacking group. The PHI of 208,557 patients was compromised in the attack. OCR’s investigation uncovered compliance issues related to risk analyses, risk management, audit controls, HIPAA policies and procedures, business associate agreements, and HIPAA Privacy Rule training for the workforce.

Five of the September settlements resulted from OCR’s HIPAA Right of Access enforcement initiative and were due to the failure to provide patients with timely access to their medical records.

| Entity | Settlement |
|---|---|
| Beth Israel Lahey Health Behavioral Services | $70,000 |
| Housing Works, Inc. | $38,000 |
| All Inclusive Medical Services, Inc. | $15,000 |
| Wise Psychiatry, PC | $10,000 |
| King MD | $3,500 |
There was one settlement to resolve a multistate investigation by state attorneys general, with Anthem Inc. agreeing to pay a financial penalty of $48.2 million to resolve multiple violations of HIPAA and state laws in relation to its 78.8 million record data breach in 2015, which is on top of the $16 million financial penalty imposed by OCR in October 2018.
