HIPAA Breach News

2019 Healthcare Data Breach Report

Figures from the Department of Health and Human Services’ Office for Civil Rights breach portal show a major increase in healthcare data breaches in 2019. Last year, 510 healthcare data breaches of 500 or more records were reported, which represents a 196% increase from 2018.

As the graph below shows, aside from 2015, healthcare data breaches have increased every year since the HHS’ Office for Civil Rights first started publishing breach summaries in October 2009.

37.47% more records were breached in 2019 than 2018, increasing from 13,947,909 records in 2018 to 41,335,889 records in 2019.

Last year saw more data breaches reported than any other year in history and 2019 was the second worst year in terms of the number of breached records. More healthcare records were breached in 2019 than in the six years from 2009 to 2014. In 2019, the healthcare records of 12.55% of the population of the United States were exposed, impermissibly disclosed, or stolen.

Largest Healthcare Data Breaches of 2019

The table below shows the largest healthcare data breaches of 2019, based on the entity that reported the breach.

Name of Covered Entity Covered Entity Type Individuals Affected Type of Breach Location of Breached Information
1 Optum360, LLC Business Associate 11500000 Hacking/IT Incident Network Server
2 Laboratory Corporation of America Holdings dba LabCorp Healthcare Provider 10251784 Hacking/IT Incident Network Server
3 Dominion Dental Services, Inc., Dominion National Insurance Company, and Dominion Dental Services USA, Inc. Health Plan 2964778 Hacking/IT Incident Network Server
4 Clinical Pathology Laboratories, Inc. Healthcare Provider 1733836 Unauthorized Access/Disclosure Network Server
5 Inmediata Health Group, Corp. Healthcare Clearing House 1565338 Unauthorized Access/Disclosure Network Server
6 UW Medicine Healthcare Provider 973024 Hacking/IT Incident Network Server
7 Women’s Care Florida, LLC Healthcare Provider 528188 Hacking/IT Incident Network Server
8 CareCentrix, Inc. Healthcare Provider 467621 Hacking/IT Incident Network Server
9 Intramural Practice Plan – Medical Sciences Campus – University of Puerto Rico Healthcare Provider 439753 Hacking/IT Incident Network Server
10 BioReference Laboratories Inc. Healthcare Provider 425749 Hacking/IT Incident Other
11 Bayamon Medical Center Corp. Healthcare Provider 422496 Hacking/IT Incident Network Server
12 Memphis Pathology Laboratory d/b/a American Esoteric Laboratories Healthcare Provider 409789 Unauthorized Access/Disclosure Network Server
13 Sunrise Medical Laboratories, Inc. Healthcare Provider 401901 Hacking/IT Incident Network Server
14 Columbia Surgical Specialist of Spokane Healthcare Provider 400000 Hacking/IT Incident Network Server
15 Sarrell Dental Healthcare Provider 391472 Hacking/IT Incident Network Server
16 UConn Health Healthcare Provider 326629 Hacking/IT Incident Email
17 Premier Family Medical Healthcare Provider 320000 Hacking/IT Incident Network Server
18 Metro Santurce, Inc. d/b/a Hospital Pavia Santurce and Metro Hato Rey, Inc. d/b/a Hospital Pavia Hato Rey Healthcare Provider 305737 Hacking/IT Incident Network Server
19 Navicent Health, Inc. Healthcare Provider 278016 Hacking/IT Incident Email
20 ZOLL Services LLC Healthcare Provider 277319 Hacking/IT Incident Network Server


The above table does not tell the full story. When a business associate experiences a data breach, it is not always reported by the business associate. Sometimes a breach is experienced by a business associate and the covered entities that they work with report the breaches separately, as was the case with American Medical Collection Agency (AMCA), a collection agency used by several HIPAA covered entities.

In 2019, hackers gained access to AMCA systems and stole sensitive client data. The breach was the second largest healthcare data breach ever reported, with only the Anthem Inc. data breach of 2015 having impacted more individuals.

HIPAA Journal tracked the breach reports submitted to OCR by each affected covered entity. At least 24 organizations are known to have had data exposed/stolen as a result of the hack.

Organizations Affected by the 2019 AMCA Data Breach

Healthcare Organization Confirmed Victim Count
Quest Diagnostics/Optum360 11,500,000
LabCorp 10,251,784
Clinical Pathology Associates 1,733,836
Carecentrix 467,621
BioReference Laboratories/Opko Health 425,749
American Esoteric Laboratories 409,789
Sunrise Medical Laboratories 401,901
Inform Diagnostics 173,617
CBLPath Inc. 141,956
Laboratory Medicine Consultants 140,590
Wisconsin Diagnostic Laboratories 114,985
CompuNet Clinical Laboratories 111,555
Austin Pathology Associates 43,676
Mount Sinai Hospital 33,730
Integrated Regional Laboratories 29,644
Penobscot Community Health Center 13,299
Pathology Solutions 13,270
West Hills Hospital and Medical Center / United WestLabs 10,650
Seacoast Pathology, Inc 8,992
Arizona Dermatopathology 5,903
Laboratory of Dermatology ADX, LLC 4,082
Western Pathology Consultants 4,079
Natera 3,035
South Texas Dermatopathology LLC 15,982
Total Records Breached 26,059,725

Causes of 2019 Healthcare Data Breaches

The HHS’ Office for Civil Rights assigns breaches to one of five different categories:

  • Hacking/IT incidents
  • Unauthorized access/disclosures
  • Theft
  • Loss
  • Improper disposal

59.41% of healthcare data breaches in 2019 were classified as hacking/IT incidents and involved 87.60% of all breached records. 28.82% of data breaches were classed as unauthorized access/disclosure incidents and involved 11.27% of all records breached in 2019.

10.59% of breaches were classed as loss and theft incidents involving electronic devices containing unencrypted electronic protected health information or physical records. Those incidents accounted for 1.07% of breached records in 2019.

1.18% of breaches and 0.06% of breached records were due to improper disposal of physical records and devices containing electronic protected health information.

Breach Cause Incidents Breached Records Mean Breach Size Median Breach Size
Hacking/IT Incident 303 36,210,097 119,505 6,000
Unauthorized Access/Disclosure 147 4,657,932 31,687 1,950
Theft 39 367,508 9,423 2,477
Loss 15 74,271 4,951 3,135
Improper Disposal 6 26,081 4,347 4,177

We have not tracked the cause of each breach reported in 2019, but the table below provides an indication of the biggest problem area for healthcare organizations: securing email systems and blocking phishing attacks. The email incidents include misdirected emails, but the majority of email incidents were phishing and spear phishing attacks.

Healthcare Data Breaches by Covered Entity

77.65% of 2019 data breaches were reported by healthcare providers (369 incidents), 11.57% of breaches were reported by health plans (59 incidents), and 0.39% of data breaches were reported by healthcare clearinghouses (2 incidents).

23.33% of the year’s breaches involved business associates to some extent. 10.39% of data breaches were reported by business associates (53 incidents) and 66 data breaches were reported by a covered entity which stated there was some business associate involvement.

States Worst Affected by Healthcare Data Breaches

Data breaches were reported by HIPAA-covered entities or business associates in 48 states, Washington DC, and Puerto Rico. The worst affected state was Texas with 60 data breaches reported. California was the second most badly hit with 42 reported data breaches.

The only states where no data breaches of 500 or more records were reported were North Dakota and Hawaii.

State Breaches State Breaches State Breaches State Breaches State Breaches
Texas 60 Maryland 14 Arkansas 9 Alabama 4 Mississippi 2
California 42 Washington 14 South Carolina 9 Alaska 4 Montana 2
Illinois 26 Georgia 13 New Jersey 8 Iowa 4 South Dakota 2
New York 25 North Carolina 13 Massachusetts 7 Kentucky 4 Washington DC 2
Ohio 25 Tennessee 11 Puerto Rico 7 Nebraska 4 West Virginia 2
Minnesota 23 Arizona 10 Virginia 7 Oklahoma 4 Delaware 1
Florida 22 Colorado 10 Louisiana 6 Utah 4 Kansas 1
Pennsylvania 19 Connecticut 10 New Mexico 6 Wyoming 3 New Hampshire 1
Missouri 17 Indiana 10 Wisconsin 6 Idaho 2 Rhode Island 1
Michigan 16 Oregon 10 Nevada 5 Maine 2 Vermont 1

HIPAA Enforcement in 2019

The HHS’ Office for Civil Rights continued to enforce compliance with HIPAA at a similar level to the previous three years.

In 2019, there were 10 HIPAA enforcement actions that resulted in financial penalties. Two civil monetary penalties were imposed and 8 covered entities/business associates agreed settlements with OCR to resolve HIPAA violations.

In total, $12,274,000 was paid to OCR in fines and settlements. The largest financial penalties of the year resulted from investigations of potential HIPAA violations by University of Rochester Medical Center and Touchstone Medical Imaging. Both cases were settled for $3,000,000.

OCR uncovered multiple violations of HIPAA Rules while investigating separate loss/theft incidents reported by University of Rochester Medical Center. OCR discovered risk analysis and risk management failures, a lack of encryption on portable electronic devices, and insufficient device and media controls.

Touchstone Medical Imaging experienced a data breach that resulted in the impermissible disclosure of 307,839 individuals’ PHI due to the exposure of an FTP server over the internet. OCR investigated and determined there had been risk analysis failures, business associate agreement failures, insufficient access rights, a failure to respond to a security incident, and violations of the HIPAA Breach Notification Rule.

Sentara Hospitals agreed to a $2.175 million settlement stemming from a 577-record data breach that was reported to OCR as only affecting 8 individuals. OCR told Sentara Hospitals that the breach notification needed to be updated to include the other individuals affected by the mailing error, but Sentara Hospitals refused. OCR determined a financial penalty was appropriate for the breach notification reporting failure and the lack of a business associate agreement with one of its vendors.

A civil monetary penalty of $2.154 million was imposed on the Miami, FL-based nonprofit academic medical system, Jackson Health System (JHS). Following a data breach, OCR investigated and found a compliance program that had been in disarray for several years. The CMP resolved multiple violations of the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule.

A civil monetary penalty of $1,600,000 was imposed on Texas Department of Aging and Disability Services for multiple violations of HIPAA Rules discovered during the investigation of a breach involving an exposed internal application. OCR discovered there had been risk analysis failures, access control failures, and information system activity monitoring failures, which contributed to the impermissible disclosure of 6,617 patients’ ePHI.

Medical Informatics Engineering, an Indiana-based provider of electronic medical record software and services, experienced a major data breach in 2015 at its NoMoreClipboard subsidiary. Hackers used a compromised username and password to gain access to a server that contained the protected health information (PHI) of 3.5 million individuals. OCR determined there had been a risk analysis failure and the case was settled for $100,000. MIE also settled a multi-state action with state attorneys general over the same breach and settled that case for $900,000.

The Carroll County, GA ambulance company, West Georgia Ambulance, was investigated over the reported loss of an unencrypted laptop computer that contained the PHI of 500 patients. OCR found there had been a risk analysis failure, there was no security awareness training program for staff, and HIPAA Security Rule policies and procedures had not been implemented. The case was settled for $65,000.

There was one financial penalty for a social media HIPAA violation. Elite Dental Associates responded to patient reviews on Yelp, and in doing so impermissibly disclosed PHI. OCR determined a financial penalty was appropriate and the case was settled for $10,000.

OCR also launched a new HIPAA enforcement initiative in 2019, under which two settlements were reached with covered entities over HIPAA Right of Access failures. Korunda Medical and Bayfront Health St. Petersburg had both failed to respond to patient requests for copies of their health information within a reasonable time frame. Both covered entities settled their HIPAA violation cases with OCR for $85,000.

OCR HIPAA Settlements and Civil Monetary Penalties in 2019

HIPAA Enforcement by State Attorneys General in 2019

State attorneys general can also take action over violations of HIPAA Rules. There were three cases against covered entities and business associates in 2019. As previously mentioned, Medical Informatics Engineering settled a multi-state lawsuit and paid a financial penalty of $900,000.

A second multi-state action was settled by Premera Blue Cross. The lawsuit pertained to a 2015 hacking incident that resulted in the theft of 10.4 million records. The investigation uncovered multiple violations of HIPAA Rules and resulted in a $10 million financial penalty.

The California attorney general also took legal action over a data breach that affected 1,991 California residents. The health insurer Aetna had sent two mailings to its members in which highly sensitive information relating to HIV and Afib diagnoses was visible through the windows of the envelopes. The case was settled for $935,000.

The post 2019 Healthcare Data Breach Report appeared first on HIPAA Journal.

Hospital Sisters Health System Email Breach Impacts 16,167 Patients

Hospital Sisters Health System has recently discovered that an email security breach in August 2019 potentially resulted in unauthorized individuals gaining access to emails and email attachments containing the protected health information of 16,167 patients.

Hospital Sisters Health System is a 15-hospital health system serving patients in Illinois and Wisconsin. Between August 6, 2019 and August 9, 2019, unauthorized individuals gained access to the email accounts of several employees. Prompt action was taken to secure the affected email accounts by changing passwords and a leading computer forensic firm was retained to investigate the breach and determine whether the compromised accounts contained patient information.

On December 2, 2019, Hospital Sisters Health System was informed that patient information had potentially been accessed by the attackers. The compromised email accounts were found to contain patient names, birth dates, and a limited amount of clinical information. Some patients also had their health insurance information, Social Security number, and/or driver’s license number exposed.

On January 31, 2020, Hospital Sisters Health System started mailing notification letters to all affected patients. Individuals whose Social Security number or driver’s license number was exposed have been offered complimentary membership to identity theft protection services and all individuals have been advised to monitor their accounts and explanation of benefits statements closely and to report any suspicious activity to law enforcement.

Hospital Sisters Health System has already taken steps to improve email security to prevent similar breaches from occurring in the future.


Sunshine Behavioral Health Group Discovers PHI Exposed Over Internet

Portland, OR-based Sunshine Behavioral Health Group, a provider of business services to healthcare providers, has discovered a cloud-based system used to store patient health records was accidentally misconfigured. The misconfiguration allowed patient information to be accessed over the internet.

The error was identified on September 4, 2019 and access controls were immediately implemented to prevent the records from being accessed by unauthorized individuals. Further actions were taken on November 14, 2019 to remove the records from general internet access.

On December 23, 2019, Sunshine Behavioral Health Group determined a folder in the cloud-based system contained information such as names, addresses, credit/debit card numbers, expiry dates, security codes, and electronic/digital signatures of individuals who had paid for healthcare services.

The exposed data related to payors for medical services received at the Monarch Shores, Chapters Capistrano, Willow Springs Recovery, and Mountain Springs addiction treatment and rehabilitation centers.

All individuals whose information was exposed have been offered complimentary membership to MyIDCare protection services for 24 months.

The incident has yet to appear on the HHS’ Office for Civil Rights breach portal so it is currently unclear how many individuals have been affected.

Thieves Stole Patient Information in Lake County Behavioral Health Burglary

Lake County Behavioral Health in Clearlake, CA, has announced it experienced a burglary on December 5, 2019 and thieves stole a locked filing cabinet containing client health information.

The stolen paperwork contained information such as patient names, contact telephone numbers, case numbers, medications, appointment dates and times, payments, and amounts due. One file contained a patient’s date of birth, Social Security number, medical history, disability status, substance use history, income verification information, and Medi-Cal ID number.

All patients whose information was stolen have been notified by mail and advised to register a fraud alert in case their information is misused. All remaining files have been relocated to a locked room in the heart of the facility, and an alarm system has been fitted along with video surveillance with 24-hour monitoring. The break-in is being investigated by the Clearlake Police Department, but no arrests have been made.

Jefferson Center for Mental Health Announces Potential Breach of PHI

Jefferson Center for Mental Health, a nonprofit provider of community-focused mental health care and substance use services in Colorado, experienced a burglary at its Independence Corner facility in Wheat Ridge on November 29, 2019.

The burglary was discovered on December 2, 2019 and the break-in was reported to law enforcement. No paperwork containing patient information was taken by the perpetrators, but it is possible that the personal and treatment information of 1,319 patients was viewed by the thieves.

Unauthorized data access is not suspected, but patients have been advised to monitor their accounts as a precaution. Jefferson Center for Mental Health is now taking steps to improve physical security at its offices.


Slew of Email Security Breaches Reported by Healthcare Organizations

A further 5 healthcare data breaches of 500 or more records have recently been reported by HIPAA-covered entities and their business associates.

Email Account Breach Reported by Shields Health Solutions

Shields Health Solutions, a Stoughton, MA-based provider of specialty pharmacy services to hospitals and other covered entities, has discovered an unauthorized individual gained access to the email account of an employee and potentially viewed/copied protected health information.

Suspicious activity was detected in the email account of an employee on October 24, 2019. Assisted by a cybersecurity firm, Shields Health Solutions determined an unauthorized individual accessed the account between October 22 and October 24, 2019. The breach was confined to a single email account.

The email account contained messages and attachments that included patient names, dates of birth, medical record numbers, provider names, clinical information, prescription information, insurer names, and limited claims information. No evidence was uncovered that suggests patient information was accessed or copied.

Shields Health Solutions has since taken steps to improve email security, including implementing multi-factor authentication on all employee email accounts. Notification letters were sent to affected individuals on December 16, 2019. The incident has not yet appeared on the HHS’ Office for Civil Rights (OCR) breach portal so it is currently unclear how many individuals have been affected.

Lafayette Regional Rehabilitation Hospital Email Breach Impacts 1,360 Patients

Lafayette Regional Rehabilitation Hospital in Lafayette, IN, has discovered an unauthorized individual gained access to the email account of an employee in July 2019 and potentially viewed patients’ protected health information.

The breach was detected on November 25, 2019, prompting a thorough investigation to determine whether any patient information had been accessed by unauthorized individuals. No evidence was found to indicate patient information was viewed or copied, but it was not possible to rule out the possibility. The compromised account was found to contain names, dates of birth, and clinical and treatment information related to medical services received at the hospital. A limited number of patients also had their Social Security number exposed.

Notification letters were sent to affected patients on January 24, 2019. Individuals whose Social Security number was exposed have been offered complimentary credit monitoring services. Lafayette Regional Rehabilitation Hospital has since taken steps to improve email security and employees have had security awareness training reinforced.

The breach report submitted to the OCR indicates up to 1,360 patients were affected by the breach.

6,524 Individuals Impacted by Phishing Attack on MHMR of Tarrant County

My Health My Resources (MHMR) of Tarrant County in Fort Worth, TX, has experienced a phishing attack involving the email accounts of a small number of its employees. The phishing attack was detected on December 3, 2019.

The investigation revealed the accounts were accessed by an unauthorized individual between October 12 and October 14, 2019. Emails in the accounts were found to include names, Social Security numbers, driver’s license numbers, and some information about the care received at MHMR.

It was not possible to determine whether patient information was viewed, and no information has been received to suggest that any patient information has been misused. Out of an abundance of caution, all individuals whose information was stored in emails in the compromised accounts have been notified by mail. Individuals whose Social Security number or driver’s license number was exposed have been offered complimentary credit monitoring and identity theft protection services.

Additional email security training has now been provided to staff and steps have been taken to enhance its security infrastructure and systems.

Reva Phishing Attack Impacts 1,000 Patients

The medical transportation service provider, Reva, has announced that the protected health information of approximately 1,000 patients has potentially been accessed by an unauthorized individual as a result of a phishing attack.

Suspicious activity was detected in the email account of an employee on September 12, 2019. The account was secured and an investigation was launched, which revealed further email accounts had also been compromised. Those accounts had been subjected to unauthorized access between July 23, 2019 and September 13, 2019.

A review of the compromised accounts revealed they contained patients’ names, travel insurance information, dates of service, limited clinical information, passport numbers, driver’s license numbers, and a small number of Social Security numbers.

Complimentary credit monitoring and identity theft protection services have been offered to patients whose Social Security number or driver’s license number was exposed. Affected individuals were notified by mail on January 22, 2019.

Email security has been enhanced in response to the breach, multi-factor authentication has been implemented, and further security awareness training has been provided to employees.

Lawrenceville Internal Medicine Associates Email Error Exposed 8,031 Patients’ Email Addresses

Lawrenceville Internal Medicine Associates (LIMA) in Lawrence Township, NJ, is alerting 8,031 individuals about an email error that exposed patients’ email addresses. The error also impacted certain patients of Endocrinology Associates of Princeton, LLC.

An email announcement was sent to patients on October 29, 2019. Two days later, it was brought to the attention of LIMA that the email addresses of other patients may have been visible in the BCC field of the email. No other information was exposed as a result of the error.

Additional training has been provided to the IT department, email security policies and procedures have been strengthened, and LIMA has changed the email system used to send email communications to patients.


Health Share of Oregon Notifies 654,000 Members About Business Associate Data Breach

Oregon’s Medicaid coordinated-care organization, Health Share of Oregon, is notifying approximately 654,000 current and former members that some of their protected health information (PHI) was stored on a laptop computer stolen from its transportation vendor, GridWorks.

GridWorks was contracted to manage Health Share’s Ride to Care program, through which Health Share provided non-emergent transportation for its members.

Health Share’s policies require business associates to use encryption on all portable devices containing patient information but, for reasons unknown, the GridWorks laptop was not encrypted. PHI stored on the laptop computer included names, addresses, contact telephone numbers, birth dates, Health Share ID numbers, Medicaid numbers, and Social Security numbers.

The laptop was stolen in a burglary at GridWorks’ office in November 2019. GridWorks notified Health Share about the laptop theft on January 2, 2020. Health Share started sending notification letters on February 5 to all individuals whose PHI was stored on the laptop. Affected individuals have been offered one year of complimentary credit monitoring and identity theft protection services.

Health Share conducts security audits of its vendors and last audited GridWorks in March 2019. In response to the breach, Health Share will expand its vendor security audit program and steps have been taken to ensure only the minimum amount of patient information is transmitted to its vendors. Training policies have also been enhanced.

In October 2019, Health Share announced that the nonprofit health plan, CareOregon, would be taking over the administration of its Ride to Care program. GridWorks had failed to pay several transportation companies that provided transport under the Ride to Care program. The company went into receivership in December 2019 and will cease operations once the administration of the Ride to Care program has been fully transferred to CareOregon.


New York Nursing Center and Phoenix Children’s Hospital Affected by Phishing Attacks

Village Center for Care dba VillageCare Rehabilitative and Nursing Center (VRNC) and Village Senior Services Corporation dba VillageCareMAX (VCMAX) have fallen victim to a business email compromise (BEC) attack. BEC attacks involve the impersonation of an executive, either using the executive’s genuine email account compromised in a previous attack or by spoofing the executive’s email address.

An unauthorized individual, pretending to be a member of the executive team, requested sensitive information on VRNC patients and VCMAX members. Believing the request to be legitimate, the employee responded and provided the information as requested. VCMAX and VRNC were alerted to a potential BEC attack on or around December 30, 2019.

The investigation confirmed the request was not genuine and sensitive information on VRNC patients and VCMAX members had been impermissibly disclosed. The information sent via email included the names and Medicaid ID numbers of 2,645 VCMAX members and first and last names, dates of birth, insurance provider names, and Insurance ID numbers of 674 VRNC patients.

There have been no reports of misuse of personal information, but all affected individuals have been advised to be vigilant and check accounts, credit reports, and explanation of benefits statements for signs of fraudulent activity. VCMAX and VRNC are reviewing and enhancing their policies and procedures to prevent further attacks of this nature in the future.

1,860 Individuals Impacted by Phishing Attack on Phoenix Children’s Hospital

The email accounts of seven employees of Phoenix Children’s Hospital have been compromised as a result of a targeted phishing campaign between September 5 and September 20, 2019.

Upon discovery of the breach, a leading computer forensic firm was engaged to investigate the extent of the breach. The hospital learned on November 15, 2019 that the compromised accounts contained the protected health information of 1,860 current and former patients which may have been viewed or obtained by the attackers.

The accounts were found to contain patient names, personal information and, for some individuals, limited health information and Social Security numbers.

On January 14, 2020, Phoenix Children’s Hospital started notifying affected patients by mail. Complimentary credit monitoring and identity theft protection services have been offered to patients whose Social Security number was potentially compromised.


Malware Attack Results in Corruption of Medical Records: 30,000 Patients Affected

On November 21, 2019, Fondren Orthopedic Group, an association of private orthopedic surgery practitioners in Houston and the surrounding areas, experienced a cyberattack that affected certain parts of its IT system.

In a substitute breach notice posted on its website, the incident was described as a malware attack that damaged the medical records of certain patients. Prompt action was taken to contain the infection and its systems were restored; however, the medical records corrupted by the malware could not be recovered and have been permanently lost.

The corrupted records included patients’ names, addresses, telephone numbers, health insurance information, and diagnosis and treatment information. All patients affected by the incident were current or former patients of Dr. K. Matthew Warnock.

Third party forensic investigators were engaged to assist with the investigation and found no evidence of unauthorized data access or exfiltration of data. Fondren Orthopedic Group is reviewing data security policies and procedures and will be enhancing its security protocols to improve resilience to malware attacks. Affected patients have been notified and informed that they will need to complete new patient forms and supply details of their medical histories when they next visit Dr. Warnock.

The cyberattack has been reported to the HHS’ Office for Civil Rights. The breach summary shows up to 30,049 patients have been affected.

Access Health CT Notifies 1,100 About Unspecified Data Breach

Access Health CT, the health insurance marketplace in Connecticut, has notified approximately 1,100 consumers that some of their protected health information was exposed in a data breach.

In its substitute breach notice, Access Health CT apologized for any inconvenience caused by the breach and said affected individuals have been offered free access to services to help them protect their personal information. The breach notice did not explain the nature of the breach, when it occurred, nor the types of information that were compromised.

The notice states, “Several efforts to improve security are already in place, with longer-term initiatives planned regarding system changes and more frequent Information Technology (IT) security training to improve data protection and security awareness.”

The post Malware Attack Results in Corruption of Medical Records: 30,000 Patients Affected appeared first on HIPAA Journal.

Data Breaches Reported by Manchester Ophthalmology, UnitedHealthcare, and Cook County Health

Manchester Ophthalmology in Connecticut has experienced a cyberattack in which the attackers may have gained access to patient information. The eye care provider became aware of the cyberattack on November 25, 2019 when employees noticed unusual activity on the network. Assisted by a third-party technology firm, it was determined later that day that hackers had gained access to its systems and attempted to deploy ransomware. Access was first gained to the network on November 22, 2019 and continued until November 25. Remote access was rapidly terminated before information was encrypted.

The investigation found no evidence to suggest any patient information was accessed or downloaded by the attackers, but during the investigation it was determined that certain patient information had not been backed up and could not be recovered. The types of data lost included names, patient-created medical histories, and details of the care those patients received at Manchester Ophthalmology.

Patients have been advised to exercise caution and monitor their accounts and explanation of benefits statements for any sign of fraudulent use of their information. Manchester Ophthalmology has provided further training to employees to ensure the proper backup of all information.

The breach report submitted to the Department of Health and Human Services’ Office for Civil Rights indicates up to 6,846 patients were affected by the security breach.
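Both the Fondren Orthopedic Group incident and the Manchester Ophthalmology incident above ended with records that could not be restored, in the latter case because the data had never been backed up. The check a practitioner would want is a restore verification that compares what was backed up against what is actually on the live system. The following is an added example, not the code of either practice: it hashes every file under a records directory into a manifest, restores a backup into a scratch directory, and reports files that are missing or whose contents differ. The directory layout, file names and the faulty backup job are all constructed for the demonstration.

```python
"""Added example (not the code of either practice named above): verify that a
backup actually restores intact by comparing a SHA-256 manifest of the live
records against the restored copy, so gaps surface before an incident rather
than during recovery. Paths and file names are constructed."""
import hashlib
import os
import shutil
import tempfile
from typing import Dict, List


def build_manifest(root: str) -> Dict[str, str]:
    """Map each file under root (relative path) to its SHA-256 hex digest."""
    manifest: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 16), b""):
                    digest.update(chunk)
            manifest[rel] = digest.hexdigest()
    return manifest


def verify_restore(expected: Dict[str, str], restored_root: str) -> Dict[str, object]:
    """Compare a restored tree against the manifest taken from the live system.
    'missing' = in the manifest but absent after restore; 'corrupt' = present
    but with different contents."""
    actual = build_manifest(restored_root)
    missing: List[str] = sorted(p for p in expected if p not in actual)
    corrupt: List[str] = sorted(p for p in expected if p in actual and actual[p] != expected[p])
    return {"missing": missing, "corrupt": corrupt, "ok": not missing and not corrupt}


def _write(root: str, rel: str, text: str) -> None:
    """Create a small text file at root/rel, making parent directories as needed."""
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(text)


def demo() -> Dict[str, object]:
    """Constructed scenario: the backup job silently skips one directory and one
    restored file is truncated. A manifest check catches both; a 'backup
    completed' log line would not."""
    with tempfile.TemporaryDirectory() as live, tempfile.TemporaryDirectory() as restored:
        _write(live, "charts/p001.txt", "diagnosis: ...; treatment: ...")
        _write(live, "charts/p003.txt", "diagnosis: ...; treatment: ...")
        _write(live, "histories/p002.txt", "patient-created history")
        expected = build_manifest(live)  # taken from the live system before the backup runs

        # Faulty backup: copies charts/ only (histories/ is never backed up),
        # and the restored p001 arrives truncated.
        shutil.copytree(os.path.join(live, "charts"), os.path.join(restored, "charts"))
        _write(restored, "charts/p001.txt", "diagnosis: ...")

        return verify_restore(expected, restored)


if __name__ == "__main__":
    print(demo())
```

Run the manifest step against the live system on a schedule and the verification step against a periodic test restore; a backup that has never been restored and compared this way is, for recovery purposes, an assumption rather than a control.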

UnitedHealthcare Alerts Patients About 2019 Data Breach

On January 31, 2020, the Minnetonka, MN health insurer, UnitedHealthcare, announced it was the victim of a data breach in 2019 in which the private information of some of its customers in South Carolina was potentially compromised.

UnitedHealthcare was notified about the data breach on December 10, 2019 and determined that at some point between July 30, 2019 and November 13, 2019 an unauthorized individual gained access to the health information of certain members through its member portal. Only members’ first and last names, health plan information, and medical claims data were compromised.

UnitedHealthcare said it is assisting with the law enforcement investigation and steps have been taken to prevent further breaches of this nature in the future. The HHS’ Office for Civil Rights Breach portal indicates 934 individuals were affected by the breach.

2,713 Individuals Informed of Cook County Health Mailing Error

Chicago, IL-based Cook County Health has started notifying 2,713 individuals that some of their protected health information was sent to a third-party vendor in error. The information related to individuals participating in a #keepingitLITE study and was sent to a vendor who was due to assist with mailing study information.

The list of study participants, which was limited to names, addresses, and email addresses, was sent before a business associate agreement was in place. A business associate agreement is the vendor’s written commitment to implement safeguards to ensure the privacy and security of any protected health information it receives. Without the BAA, Cook County Health had not received satisfactory assurances that those safeguards were in place, so the disclosure was impermissible even though the vendor was the intended recipient.

Action has now been taken to ensure similar errors are prevented in the future.


Website Error Exposed Personal and Health Data of LabCorp Patients

Researchers at TechCrunch have identified a security flaw in a website hosting an internal customer relationship management system used by the clinical laboratory network LabCorp. While the system’s front end was password protected, the researchers found a flaw in the part of the system that pulled patient files from the back-end system. That path served patient documents without requiring a password, and the document web addresses were reachable by search engines.

Google had cached only one document containing the health data of a patient, but by changing the document number in the web address the researchers were able to open other documents containing patient health information: an insecure direct object reference, where the server trusts a sequential identifier in the URL instead of checking who is asking for the record.

The researchers examined a small selection of files to see what types of data had been exposed. The documents mostly contained information about patients who had tests conducted by LabCorp’s Integrated Oncology specialty testing unit. The documents contained personal information such as names and dates of birth, lab test results and diagnostic data, and for some patients, Social Security numbers.

TechCrunch researchers used scripted requests to determine the number of documents accessible on the website. They structured the requests to return only the properties of the files, rather than their contents, to avoid accessing patient information. The analysis revealed around 10,000 documents could potentially be accessed.
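The flaw class described in the two paragraphs above, as an added example that is neither LabCorp’s nor TechCrunch’s code: a hypothetical document endpoint whose back-end fetch path trusts the document number alone, the hardened form that authenticates the session, checks ownership, returns the same 404 for missing and forbidden ids, and marks PHI responses no-store/noindex, and a metadata-only probe that counts reachable records with HEAD requests instead of reading them. The URL prefix, session tokens and document store are constructed.

```python
"""Added example (not LabCorp's or TechCrunch's code): a hypothetical CRM
document endpoint showing the flaw class described above, its hardened form,
and a metadata-only probe that counts reachable records without retrieving
their contents."""
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterable, Optional

# Constructed sample back end: document number -> (owner, contents). Not real data.
DOCUMENTS = {
    1001: ("alice", "integrated oncology panel (sample a)"),
    1002: ("bob", "integrated oncology panel (sample b)"),
    1003: ("alice", "integrated oncology panel (sample c)"),
}
# Constructed session store: session token -> authenticated user.
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}

DOC_PREFIX = "/crm/document/"  # hypothetical route
# Headers that stop a PHI response from being cached or indexed if it is ever reachable.
PHI_HEADERS = {"Cache-Control": "no-store", "X-Robots-Tag": "noindex, nofollow"}


@dataclass
class Request:
    method: str
    path: str
    session_token: Optional[str] = None


@dataclass
class Response:
    status: int
    body: str = ""
    headers: Dict[str, str] = field(default_factory=dict)


def parse_doc_id(path: str) -> Optional[int]:
    """Extract the numeric document id from /crm/document/<n>, or None."""
    if not path.startswith(DOC_PREFIX):
        return None
    try:
        return int(path[len(DOC_PREFIX):])
    except ValueError:
        return None


def vulnerable_handler(req: Request) -> Response:
    """The login page guards the UI, but this back-end fetch path trusts the
    document number alone: any id can be walked without a session."""
    doc_id = parse_doc_id(req.path)
    if doc_id is None or doc_id not in DOCUMENTS:
        return Response(404)
    _owner, contents = DOCUMENTS[doc_id]
    if req.method == "HEAD":
        return Response(200, headers={"Content-Length": str(len(contents))})
    return Response(200, contents)


def hardened_handler(req: Request) -> Response:
    """Authenticate the session, then authorize the caller against the record's
    owner. Missing and forbidden ids get the same 404 so the id space cannot be
    mapped, and every response carries no-store/noindex headers."""
    user = SESSIONS.get(req.session_token or "")
    if user is None:
        return Response(401, headers=dict(PHI_HEADERS))
    doc_id = parse_doc_id(req.path)
    record = DOCUMENTS.get(doc_id) if doc_id is not None else None
    if record is None or record[0] != user:
        return Response(404, headers=dict(PHI_HEADERS))
    _owner, contents = record
    if req.method == "HEAD":
        return Response(200, headers={**PHI_HEADERS, "Content-Length": str(len(contents))})
    return Response(200, contents, headers=dict(PHI_HEADERS))


def count_accessible(handler: Callable[[Request], Response], id_range: Iterable[int],
                     session_token: Optional[str] = None) -> int:
    """Measure exposure with HEAD requests only, so no record contents are
    retrieved: the kind of metadata-only check the article describes."""
    hits = 0
    for doc_id in id_range:
        resp = handler(Request("HEAD", f"{DOC_PREFIX}{doc_id}", session_token))
        if resp.status == 200:
            hits += 1
    return hits


if __name__ == "__main__":
    ids = range(1000, 1010)
    print("vulnerable, no session:", count_accessible(vulnerable_handler, ids))
    print("hardened, no session:  ", count_accessible(hardened_handler, ids))
    print("hardened, as alice:    ", count_accessible(hardened_handler, ids, "tok-alice"))
```

The two handlers differ only in the checks before the lookup, which is the point: a password on the login page does nothing for a fetch path that never consults the session. The probe is written against the handler function rather than a live host, so it runs offline; the same loop over a real endpoint should only ever be run with the operator’s authorization.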

TechCrunch notified LabCorp about the issue and the server was taken offline while the flaw was corrected. The link to the exposed data has not yet been removed from Google, but it is no longer active and cannot be used to view patient data.

This is the second major security incident to be experienced by LabCorp in the past 12 months. The records of LabCorp patients were exposed in the 26 million-record breach at American Medical Collection Agency (AMCA) in March 2019. 7.7 million LabCorp patients were initially thought to have been affected, but the breach was reported to the HHS’ Office for Civil Rights as having affected up to 10,251,784 LabCorp patients.
