HIPAA Breach News

Relation Insurance and Rainbow Hospice Care Experience Email Security Breaches

Relation Insurance Inc., an insurance brokerage firm doing business as Relation Insurance Services of Georgia (RISG), experienced an email security breach in August 2019. An unauthorized individual gained access to an employee's email account and potentially viewed or copied emails containing protected health information (PHI).

The breach was discovered on August 15, 2019, when suspicious activity was identified in the email account. A third-party computer forensics firm assisted with the investigation and determined the account had been accessed by an unauthorized individual between August 14 and August 15, 2019.

On August 16, 2019, RISG determined the account contained PHI; however, the full review of the account, to determine which individuals had been affected and exactly what information was potentially compromised, was not completed until December 13, 2019.

The account was found to contain a wide range of information, which differed from individual to individual. The breached PHI may have included: Name, address, telephone number, email address, date of birth, driver’s license number, Social Security number, passport number, state issued identification number, copies of marriage or birth certificates, account and routing number, financial institution name, credit/debit card number, PIN, expiration date, treatment information, prescription information, provider name, medical record number, patient ID, health insurance information, treatment cost, medical history, mental or physical condition, diagnosis code, procedure type, procedure code, treatment location, admission date, discharge date, medical device number, and date of death.

Steps have been taken to improve email security and prevent similar breaches in the future. The breach report submitted to the HHS’ Office for Civil Rights indicates the PHI of up to 4,335 individuals was potentially compromised.

Email Security Breach Discovered by Rainbow Hospice Care, Inc.

Jefferson, WI-based Rainbow Hospice Care, Inc. has discovered that an employee's email account was accessed by an unauthorized individual and that the protected health information of 2,029 current and former patients may have been viewed or downloaded.

Third-party forensic investigators were engaged to investigate the breach. While they confirmed that the account had been accessed by an unauthorized individual, they were unable to determine whether any patient information was accessed or exfiltrated. An analysis of the compromised account revealed it contained patient names, dates of birth, treatment information, medical record numbers, and Social Security numbers.

Patients have been notified about the breach and have been offered complimentary credit monitoring services through Experian. Rainbow Hospice Care is unaware of any cases of misuse of patient information and said in its substitute breach notice that it believes misuse of patient information is unlikely.

The post Relation Insurance and Rainbow Hospice Care Experience Email Security Breaches appeared first on HIPAA Journal.

6 Healthcare Organizations Discover PHI Has Potentially Been Compromised

Six possible data breaches have been reported by healthcare organizations in the past few days that may have resulted in an impermissible disclosure of patient data. 8,701 patients are known to have been affected by the breaches.

Harris Health System Notifies Patients About Potential Privacy Breach

Houston, TX-based Harris Health System has notified 2,298 patients that some of their protected health information (PHI) has been exposed.

On December 30, 2019, two envelopes were sent to Ben Taub Hospital to be scanned and archived in the Harris Health electronic medical record system, but the envelopes were lost in transit.

The envelopes contained 143 sheets which are believed to include data from patients who visited Gulfgate Health Center for medical services between December 9, 2019 and December 27, 2019. The sheets contained information such as names, dates of birth, addresses, telephone numbers, test results, diagnoses, health insurance information, medical information, provider information, and Social Security numbers.

Since it was not possible to determine which patients were affected, the decision was taken to notify all patients who potentially had their PHI exposed. Harris Health System’s chief compliance and risk officer, Carolynn R. Jones, believes the envelopes contained the PHI of approximately 25 patients.

The employee tasked with transporting the information has been sanctioned and policies and procedures for transporting patient data have been reviewed and revised to prevent similar incidents in the future. All individuals potentially affected have been offered complimentary membership to credit monitoring services for one year.

Kaiser Permanente Alerts Patients About Mailing Error

Kaiser Permanente has discovered that letters were accidentally mailed to patients' former addresses. Kaiser Permanente had embarked on a project to improve the mailing addresses used for correspondence with members in Southern California. On November 1, 2019, an error was identified that caused letters to be sent to incorrect addresses. An investigation revealed the error had been introduced on October 6, 2019. Addresses were corrected on December 20, 2019.

The mailings sent during that period included referral letters, surveys, care reminders, appointment reminders, and Explanation of Benefits statements. Those letters contained demographic information, details of medications, diagnoses, billing information, and health insurance information. No Social Security numbers or financial information was exposed.

Kaiser Permanente has provided additional training to the staff to prevent further errors in the future. Letters have now been resent to the correct addresses. The HHS’ Office for Civil Rights (OCR) breach portal indicates up to 500 patients may have been affected.

Backup Drive Containing ePHI Stolen from Elk Ridge Dentistry

The Estes Park, CO dental practice, Elk Ridge Dentistry, has discovered that a portable hard drive used to store backups was stolen from the practice. The hard drive was among several items taken. The theft was reported to law enforcement, but the hard drive has not been recovered.

The dental practice learned on January 31, 2020 that the hard drive contained the records of 2,793 patients and included names, addresses, dates of birth, healthcare information, X-ray images, and a limited number of Social Security numbers. Treatment consent forms, referral letters, and emails were also backed up on the device. All affected patients have been offered complimentary membership to identity theft protection services through ID Experts.

PHI Potentially Compromised in Break-in at Armada Physical Therapy

Armada Physical Therapy experienced a break-in around December 19, 2019 at its Menaul Clinic on Menaul Boulevard in Albuquerque, NM and a server was stolen. The theft was reported to law enforcement and the investigation is ongoing, but the stolen server has not been recovered.

It was not possible to determine the exact information stored on the server, but it was known to contain intake forms for patients who received treatment prior to December 4, 2017. Patients who received treatment after that date had their information stored in a different location.

The intake forms contained names, addresses, telephone numbers, email addresses, insurance numbers, and Social Security numbers. Armada Physical Therapy does not believe financial information was stored on the stolen server. It was not possible to determine exactly how many patients were affected by the breach. The breach report submitted to the HHS’ Office for Civil Rights indicates up to 500 patients may have been affected.

Mailing Vendor Error Discovered by Riverview Health

An error at a printing and mailing vendor used by the Noblesville, IN-based healthcare provider, Riverview Health, has resulted in the exposure of the names of 2,610 patients.

The mailing vendor was instructed to send patient notification letters advising them about a potential change to two primary care providers, but an error resulted in letters being sent to incorrect addresses on January 6, 2020. Riverview learned of the error on January 14, 2020.

The letters identified individuals as patients of one of the two Riverview Health primary care providers. No other information was compromised.

Steps have now been taken to prevent similar errors from occurring in the future, including the addition of further review methods prior to the mailing of patient notification letters.

Mental Health Records Found Abandoned in Chicago Street

Physical medical records from the Community Mental Health Council have been found abandoned in an alley in West Englewood, Chicago. The Community Mental Health Council permanently closed its clinics after funding was lost in 2012.

Hundreds of former patients have had their sensitive data exposed. The documents included the names, addresses, Social Security numbers, diagnosis information, medical records, and other sensitive information. They were found strewn across an alley off Hermitage Avenue by a local resident when she took out her trash. City officials were contacted, and the records have now been collected and secured. City officials are now trying to determine who was responsible for dumping the records.

Flaw in Walgreens Mobile App Secure Messaging Feature Exposed PHI

Walgreens has started notifying customers that some of their protected health information may have been accessed by other individuals as a result of an error in the personal secure messaging feature of the Walgreens mobile app.

The secure messaging feature allows registered customers to receive SMS prescription refill notifications as well as deals and coupons. An undisclosed error in the app was identified that allowed certain information in its database to be viewed by other customers.

Affected customers have been advised that one or more personal messages may have been viewed by other individuals between January 9, 2020 and January 15, 2020. The personal messages included patients’ first and last names, drug name and prescription number, store number, and shipping address. Walgreens said health-related information was only exposed for a limited number of affected customers. The messages did not include any Social Security numbers or financial information.

According to a breach notice submitted to the California Attorney General on Friday, the error was detected by Walgreens on January 15, 2020. Walgreens immediately disabled message viewing to prevent any further unauthorized disclosures while the incident was investigated. Walgreens determined an internal application error was to blame and a technical correction was implemented to resolve the issue.

The Walgreens mobile app has been downloaded more than 10 million times from the Google Play store, but the error only impacted a small percentage of customers. According to the data breach summary on the Department of Health and Human Services’ Office for Civil Rights breach portal, 6,681 individuals were affected by the breach. It is unclear how many personal messages were accessed by other customers as a result of the error.

Walgreens will be conducting additional tests of the mobile app in the future before any updated versions are released to ensure updates do not impact the privacy of its customers.

Quest Diagnostics 2016 Data Breach Settlement Receives Final Approval

A federal judge has given final approval to a settlement resolving a class action lawsuit filed against the New Jersey-based medical laboratory company Quest Diagnostics Inc. over its 2016 data breach. The $195,000 settlement provides up to $325 in compensation for each breach victim.

On November 26, 2016, hackers gained access to the Care360 MyQuest mobile app, which patients use to store and share their electronic test results and make appointments. The app contained names, dates of birth, telephone numbers, and lab test results which, for some patients, included HIV test results. 34,000 patients were affected by the breach.

A class action lawsuit was filed on behalf of patients affected by the breach in 2017. The lawsuit alleged Quest Diagnostics had been negligent and failed to protect the sensitive data of app users. The lawsuit states, “Despite the fact that it was storing sensitive Private Information that it knew or should have known was valuable to and vulnerable to cyber attackers, Quest and its fellow Defendants failed to take adequate measures that could have protected user’s information.” The plaintiffs also alleged Quest Diagnostics did not provide timely, accurate, and adequate notification about the breach.

In the fall of 2019, Quest Diagnostics proposed a settlement that provided compensation for the breach victims in order to avoid further legal costs and the risks of continuing litigation. A maximum of $325 per breach victim was proposed, which reflected the strengths and weaknesses of the claims and defenses in the case. Quest Diagnostics and the other defendants in the case have not admitted any wrongdoing.

The settlement received preliminary approval from a federal court judge in October 2019. Final approval was issued on February 25, 2020.

Each class member can claim up to $325: up to $250 to cover provable out-of-pocket expenses incurred as a result of the breach, plus a further $75 for each patient whose HIV test results were exposed, payable even if the patient incurred no losses. Class members must submit a claim to receive a share of the settlement, and claims must be submitted by May 22, 2020.

Another class action lawsuit has been filed against Quest Diagnostics and Care360 over the theft of almost 12 million patient records from its business associate, American Medical Collection Agency (AMCA) in 2019. The plaintiffs in that case similarly allege the defendants were negligent for failing to protect their personal and protected health information and did not provide timely and accurate notifications.

HHS’ Office for Civil Rights Announces First HIPAA Penalty of 2020

The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced its first HIPAA penalty of 2020. The practice of Steven A. Porter, M.D., has agreed to pay a financial penalty of $100,000 to resolve potential violations of the HIPAA Security Rule and will adopt a corrective action plan to address all areas of noncompliance discovered during the compliance investigation.

Dr. Porter’s practice in Ogden, UT provides gastroenterological services to more than 3,000 patients. OCR launched an investigation following a breach report received on November 13, 2013. The report alleged that a business associate of Dr. Porter’s electronic health record (EHR) company was impermissibly using patients’ ePHI by blocking the practice’s access to its records until Dr. Porter paid the EHR company $50,000.

The breach investigation uncovered serious violations of the HIPAA Security Rule at the practice. At the time of the investigation, Dr. Porter had never conducted a risk analysis to identify risks to the confidentiality, integrity, and availability of ePHI, in violation of 45 C.F.R. § 164.308(a)(1)(i); the practice had not reduced risks to a reasonable and appropriate level; and it had not implemented policies and procedures to prevent, detect, contain, and correct security violations.

Since at least 2013, the practice had allowed Dr. Porter’s EHR company to create, receive, maintain, or transmit ePHI on behalf of the practice, without first receiving satisfactory assurances that the company would implement safeguards to ensure the confidentiality, integrity, and availability of ePHI, in violation of 45 C.F.R. § 164.308(b).

Throughout the course of the investigation, OCR provided significant technical assistance, yet a risk analysis was not conducted after the breach and appropriate security measures were not implemented to reduce risks to a reasonable and appropriate level.

The financial penalty shows that healthcare providers of all sizes must take their responsibilities under HIPAA seriously. “The failure to implement basic HIPAA requirements, such as an accurate and thorough risk analysis and risk management plan, continues to be an unacceptable and disturbing trend within the health care industry,” said OCR Director, Roger Severino.

Tennessee Orthopaedic Alliance Phishing Attack Impacts Over 81,000 Patients

Phishing attacks have recently been reported by Tennessee Orthopaedic Alliance, Jefferson Dental Care Healthcare Management, and Munson Healthcare.

81,146 Patients Affected by Tennessee Orthopaedic Alliance Phishing Attack

Tennessee Orthopaedic Alliance (TOA) has discovered unauthorized individuals have gained access to the email accounts of two employees. TOA became aware of the breach on October 18, 2019 when unusual activity was detected in an employee’s email account. The account was immediately secured, and third-party computer forensics experts were engaged to investigate the breach. The investigation revealed a second email account had also been compromised and the accounts were accessed by unauthorized individuals between August 16, 2019 and October 14, 2019.

TOA determined on January 3, 2020 that the compromised email accounts contained names, addresses, phone numbers, dates of birth, Social Security numbers, health insurance information, diagnostic information, treatment information, and treatment costs.

Patients were notified about the breach on February 14, 2020. Individuals whose Social Security number was potentially compromised have been offered complimentary credit monitoring and identity theft protection services. While PHI in the accounts could have been accessed by the attackers, TOA found no evidence to indicate patient information has been misused.

The HHS’ Office for Civil Rights breach portal indicates 81,146 patients were affected by the breach.

Jefferson Dental Care Healthcare Management Notifies 45,748 Patients About PHI Exposure

Jefferson Dental Care Healthcare Management (JDH Healthcare Management) in Dallas, TX, has discovered that an unauthorized individual accessed an employee's email account between July 21, 2019 and August 26, 2019.

Suspicious email account activity was detected on or around October 19, 2019 and the account was immediately secured. JDH Healthcare Management determined on December 10, 2019 that the account contained the PHI of 45,748 patients. While no evidence was found to indicate patient information was accessed by the attacker, it is possible that names, addresses, dates of birth, medical treatment information, medical histories, health insurance information, payment information, patient numbers, and medical record numbers may have been compromised. Complimentary credit monitoring and identity protection services have been offered to affected patients.

JDH Healthcare Management is reviewing its policies and procedures and additional safeguards will be implemented to improve email security.

Patients Notified of Munson Healthcare Phishing Attack

Munson Healthcare in Traverse City, MI, has discovered unauthorized individuals have gained access to the email accounts of some of its employees. Assisted by third-party computer forensic experts, Munson Healthcare determined that the email accounts were subjected to unauthorized access between July 31, 2019 and October 22, 2019.

A review of the affected email accounts was completed on January 16, 2020. The accounts were found to contain patient names, dates of birth, insurance information, and treatment and diagnostic information. The accounts also contained a limited number of financial account numbers, driver’s license numbers, and Social Security numbers.

Complimentary credit monitoring services have been offered to individuals whose Social Security numbers were potentially compromised. Munson Healthcare will be implementing additional technical safeguards to prevent similar breaches in the future.

Data Breaches Reported by Rady Children’s Hospital, Aveanna Healthcare and Endeavor Energy Resources

Rady Children’s Hospital-San Diego, the largest children’s hospital in California, discovered a security breach on January 3, 2020 in which the protected health information of certain patients was potentially accessed by an unauthorized individual.

A computer used by the radiology department had been remotely accessed by an unauthorized individual through a port that was open to the internet. A digital forensics firm was engaged to investigate the breach and determined that the computer was compromised on June 20, 2019 and that access remained possible until the port was closed on January 3, 2020.

An analysis of the compromised device revealed on February 5, 2020 that names and genders of patients were potentially compromised along with the type and date of imaging studies and, for some patients, their date of birth, medical record number, referring physician’s name, and/or a description of the imaging study. No financial information, Social Security numbers, diagnoses, or medical images were compromised. Complimentary credit monitoring services have been offered to affected patients.

Rady Children’s Hospital is working closely with the digital forensics firm to determine what additional security measures are required to prevent further cyberattacks in the future.

The incident has yet to appear on the HHS’ Office for Civil Rights breach portal so it is currently unclear how many patients have been affected.
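The Rady incident turned on a single listening service that was reachable from the internet for more than six months. The check below is an added example, not code from Rady Children's Hospital or the forensics firm: it parses the output of `ss -Hltn` (a constructed sample is embedded so it runs offline) and flags services bound to every interface on ports associated with remote access. The port list and the wildcard-address set are assumptions to be tuned per environment; the sample lines are constructed and not taken from any real host.

```python
"""Flag listening sockets bound to all interfaces on remote-access ports.

Input is the output of `ss -Hltn` (Linux iproute2: TCP listeners, numeric,
no header). A constructed sample is included so the script runs offline.
"""
import subprocess
from typing import Dict, List, Tuple

# Assumed list of ports commonly tied to remote-access services; tune per site.
REMOTE_ACCESS_PORTS: Dict[int, str] = {
    22: "ssh",
    23: "telnet",
    135: "msrpc",
    445: "smb",
    3389: "rdp",
    5800: "vnc-http",
    5900: "vnc",
    5938: "teamviewer",
}

# Local addresses that mean "every interface" in ss output (IPv4 and IPv6).
WILDCARD_ADDRS = {"0.0.0.0", "*", "::", "[::]"}

# Constructed sample in the shape of `ss -Hltn`: state recv-q send-q local peer.
SAMPLE_SS_OUTPUT = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 127.0.0.1:631 0.0.0.0:*
LISTEN 0 5 0.0.0.0:5900 0.0.0.0:*
LISTEN 0 128 [::]:3389 [::]:*
LISTEN 0 128 10.0.4.12:8443 0.0.0.0:*
"""


def parse_local(local: str) -> Tuple[str, int]:
    """Split an ss local-address column ('[::]:3389', '0.0.0.0:22') into (addr, port)."""
    addr, _, port = local.rpartition(":")
    return addr, int(port)


def find_exposed_listeners(ss_output: str) -> List[Dict[str, object]]:
    """Return listeners bound to a wildcard address on a remote-access port."""
    findings: List[Dict[str, object]] = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, port = parse_local(fields[3])
        if addr in WILDCARD_ADDRS and port in REMOTE_ACCESS_PORTS:
            findings.append({"addr": addr, "port": port, "service": REMOTE_ACCESS_PORTS[port]})
    return findings


def collect_live_listeners() -> str:
    """Run `ss -Hltn` on the local host (Linux only; not used by the offline sample run)."""
    return subprocess.run(["ss", "-Hltn"], capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    # Offline run against the constructed sample; swap in collect_live_listeners() on a real host.
    for f in find_exposed_listeners(SAMPLE_SS_OUTPUT):
        print(f"EXPOSED {f['service']:<10} {f['addr']}:{f['port']}")
```

On the constructed sample the loopback-only CUPS port and the 8443 service bound to a single internal address are ignored, while SSH, VNC and RDP on wildcard addresses are reported. A wildcard bind is not by itself internet exposure; the finding is the starting point for confirming, from outside the perimeter, whether the port is actually reachable.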

Multiple Email Accounts Breached in Aveanna Healthcare Phishing Attack

Atlanta, GA-based Aveanna Healthcare, the largest provider of pediatric home care in the United States, has discovered the email accounts of several employees were compromised over the summer of 2019.

Aveanna Healthcare first identified suspicious activity in the email accounts of some of its employees on August 24, 2019. Third-party computer forensics specialists were engaged to assist with the investigation and determine the nature and extent of the attack. The investigation revealed several email accounts were compromised between July 9, 2019 and August 24, 2019. It was not possible to determine if any patient information was accessed or stolen by the attackers. The review of the compromised email accounts was completed on December 19, 2019.

The breach report submitted to the California Attorney General shows 5,004 California residents were affected. It is currently unclear how many patients in other states have also been affected. Californian patients were notified about the breach on February 14, 2020 and were offered complimentary credit monitoring and identity theft protection services for 12 months through TransUnion. Aveanna Healthcare determined that the following information of California residents was contained in the accounts: Names, Social Security numbers, driver’s license numbers, bank and financial information, State ID numbers, medical information, and health insurance information.

Endeavor Energy Resources Phishing Attack Impacts 5,100 Individuals

The oil and gas exploration firm, Endeavor Energy Resources, has announced it has experienced a phishing attack that potentially saw unauthorized individuals gain access to the personal and health information of 5,103 current and former employees.

The attack was detected on January 14, 2020 when unusual activity was identified in the Office 365 email account of one of its employees. On February 7, 2020, Endeavor determined the compromised email account contained the names and health plan ID numbers of current and former Endeavor employees, employees of Endeavor affiliates, and dependents who also participate in the health plan.

Steps have now been taken to improve email security to prevent similar attacks in the future. At this stage of the investigation, Endeavor has found no evidence to suggest any information in the account has been misused.

Medical Records of 156,400 Personal Touch Home Care Patients Compromised in Ransomware Attack on EHR Hosting Company

The Lake Success, NY-based home health company, Personal Touch Home Care (PTHC), has started notifying patients that a recent ransomware attack on its Wyomissing, PA-based IT vendor, Crossroads Technologies Inc., has potentially seen some of their protected health information compromised.

Crossroads informed PTHC on December 1, 2019 that the ransomware attack affected its Pennsylvania data center where PTHC’s electronic medical records were hosted. The ransomware attack prevented patient records from being accessed for a few days. While the EHR system was down, staff at PTHC switched to emergency protocols and used pen and paper to record patient information.

The encrypted data has now been recovered. It is unclear whether Crossroads restored the data from backups or paid the ransom, and whether any other healthcare clients were affected.

The compromised medical records contained patient names, addresses, telephone numbers, dates of birth, medical record numbers, health insurance card numbers, plan benefit numbers, Social Security numbers, and treatment information.

PTHC is currently unaware of the extent to which PHI was compromised and whether the attackers obtained PHI prior to the encryption of data. At this stage of the investigation, no evidence has been found to suggest patient information was exfiltrated prior to the deployment of the ransomware. Crossroads is still investigating the attack.

The incident was reported to the Department of Health and Human Services’ Office for Civil Rights as 17 separate breach reports, one for each of the offices affected. The data breaches were reported separately as each office is a separate legal entity. In total, the PHI of 156,409 patients and caregivers across 6 states has been compromised. Affected individuals have been offered complimentary credit monitoring and identity theft protection services.

The following offices were affected by the attack:

Breached Entity                                          State   Individuals Affected
Personal Touch Home Care of VA, Inc.                     VA      33,324
Personal Touch Home Care of W. VA, Inc.                  WV       1,169
Personal Touch Hospice of VA, Inc.                       VA       1,657
Personal Touch Home Care of Mass., Inc.                  NY       2,015
PT Home Services of San Antonio, Inc.                    TX       5,930
Personal Touch Home-Aides, Inc.                          NY       2,633
Personal Touch Home Services of Dallas, Inc.             TX       1,700
Personal Touch Home Care of S.E. Mass., Inc.             NY       2,863
Personal Touch Home Aides Inc.                           NY       1,890
Personal Touch Home Care of PA, Inc.                     NY       9,302
Personal Touch Home Care of Ohio, Inc.                   NY      15,808
Personal Touch Home Care of Greater Portsmouth, Inc.     NY       1,957
Personal Touch Home Aides of Baltimore, Inc.             NY         804
Personal Touch Home Care of Baltimore, Inc.              NY       9,058
Personal Touch Home Care of KY, Inc.                     KY      24,013
Personal Touch Home Care of Indiana, Inc.                IN       3,593
Personal Touch Home Aides of New York, Inc.              NY      38,693

This is the third major business associate ransomware attack to be reported in the past few days. A ransomware attack on the Albany, NY-based accounting and tax firm BST & Co. CPAs LLC affected patients of the Community Care Physicians medical group, and NRC Health, a provider of patient survey services and software, experienced an attack that impacted some of its healthcare clients.

Maze Ransomware Attack on Accounting Firm Impacts Patients of New York Medical Group

The Albany, NY-based accounting, tax, and advisory firm, BST & Co. CPAs LLC, has experienced a Maze ransomware attack that has affected patients of the New York medical group, Community Care Physicians P.C.

The Maze ransomware gang is one of a handful of threat groups that steal data from victims prior to deploying their ransomware payload. A threat is then issued to publish the stolen data if the ransom is not paid. Some of the data stolen in the attack has since been published by the gang, including names, dates of birth, addresses, contact telephone numbers, and Social Security numbers of BST employees.

BST has issued a statement saying a computer virus was detected on December 7, 2019 which prevented access to its files. In addition to internal data, some information related to local clients was also potentially compromised, including Community Care Physicians.

A leading computer forensics firm was engaged to assist with the investigation and determine the nature and scope of the attack. The forensics experts determined the virus was active on the network from December 4, 2019 to December 7, 2019 and that the attackers had gained access to parts of the network where client data was stored. BST managed to recover the encrypted data from backups.

BST confirmed the individuals affected by the breach by February 5, 2020 and notification letters were sent by BST on February 14, 2020. The compromised client data included names, dates of birth, medical record numbers, medical billing codes, and insurance descriptions.

The incident has yet to appear on the HHS’ Office for Civil Rights breach portal so it is currently unclear how many individuals have been affected.
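Because groups such as Maze copy data out before encrypting it, the days before a ransomware detonation are where exfiltration shows up, and the BST investigators' finding that the intrusion ran from December 4 to December 7 is typical of that window. The script below is an added example, not BST's or the forensics firm's code: it reads a simple egress log (one constructed line per flow: timestamp, source host, destination, bytes out), totals outbound bytes per host per day, and flags any day whose volume exceeds a multiple of that host's own earlier median. The log format, host names, addresses and the 10x threshold are all assumptions for illustration.

```python
"""Flag hosts whose daily outbound byte volume spikes far above their own baseline.

Input lines (constructed format): "<ISO timestamp> <src_host> <dst_ip> <bytes_out>".
The sample below is constructed; it is not data from any real incident.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median
from typing import Dict, List, Tuple

Record = Tuple[datetime, str, str, int]
Finding = Tuple[str, str, int, float]  # (host, day, bytes_out, baseline_median)

# Constructed sample: two hosts over three days; FS01 pushes ~16.5 GB to one
# external address on the last day, far above its ~215 MB/day norm.
SAMPLE_EGRESS_LOG = """\
2019-12-02T10:15:00 FS01 52.10.3.4 120000000
2019-12-02T14:20:00 FS01 13.5.6.7 95000000
2019-12-03T09:00:00 FS01 52.10.3.4 110000000
2019-12-03T16:10:00 FS01 34.1.2.3 105000000
2019-12-04T22:41:00 FS01 185.0.0.1 9000000000
2019-12-04T23:15:00 FS01 185.0.0.1 7500000000
2019-12-02T11:00:00 WS17 52.10.3.4 40000000
2019-12-03T11:00:00 WS17 52.10.3.4 45000000
2019-12-04T11:00:00 WS17 52.10.3.4 42000000
"""


def parse_egress(log_text: str) -> List[Record]:
    """Parse whitespace-separated egress lines into typed records; blank lines are skipped."""
    records: List[Record] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, dst, nbytes = line.split()
        records.append((datetime.fromisoformat(ts), host, dst, int(nbytes)))
    return records


def daily_bytes_out(records: List[Record]) -> Dict[str, Dict[str, int]]:
    """Sum outbound bytes per host per calendar day."""
    per_host: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for ts, host, _dst, nbytes in records:
        per_host[host][ts.date().isoformat()] += nbytes
    return per_host


def find_exfil_candidates(
    records: List[Record], ratio: float = 10.0, min_baseline_days: int = 2
) -> List[Finding]:
    """Return (host, day, bytes, baseline) for days exceeding ratio * median of prior days.

    A host needs at least min_baseline_days of earlier history before it can be
    flagged, so a brand-new host with one big day is not reported as a spike.
    """
    findings: List[Finding] = []
    for host, days in daily_bytes_out(records).items():
        ordered = sorted(days.items())  # chronological (ISO dates sort lexically)
        for i, (day, total) in enumerate(ordered):
            baseline = [t for _, t in ordered[:i]]
            if len(baseline) < min_baseline_days:
                continue
            base = median(baseline)
            if total > ratio * base:
                findings.append((host, day, total, base))
    return findings


if __name__ == "__main__":
    for host, day, total, base in find_exfil_candidates(parse_egress(SAMPLE_EGRESS_LOG)):
        print(f"{host} {day}: {total / 1e9:.1f} GB out vs baseline {base / 1e6:.0f} MB/day")
```

On the sample, FS01's December 4 volume is flagged against its two-day median while WS17's steady traffic is not. A per-host baseline is what makes this usable: a fixed byte threshold would either miss a quiet file server being drained or drown in alerts from hosts that legitimately move a lot of data, and the same aggregation can be keyed on destination to surface a single never-before-seen address receiving most of the volume.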

United Regional Phishing Attack Affects up to 2,000 Patients

Wichita Falls, TX-based United Regional Health Care System has announced it has suffered a phishing attack that has seen the email account of one of its employees accessed by an unauthorized individual. The attack occurred in July 2019, but it took until December 2019 to complete the investigation and review the email account to determine whether patient information was compromised.

It was not possible to determine whether emails were accessed or copied by the attacker, but unauthorized access and data theft could not be ruled out. The email account contained patient names, dates of birth, patient account and/or medical record numbers, and clinical information such as provider name and location, lab test results, diagnostic data, prescription information, procedures, and/or treatment information. A limited number of individuals also had their Social Security numbers, driver’s license numbers, health insurance information, and/or passport information exposed.

Patients were notified about the breach on February 18, 2020. Individuals whose Social Security number or driver’s license number was included in the account have been offered complimentary credit monitoring and identity theft protection services.
