The Iowa Department of Human Services has notified 4,784 individuals about the potential exposure of some of their protected health information.

On November 25, 2019, a member of staff disposed of documents containing the protected health information of Dallas County clients in a regular garbage dumpster, instead of sending the records for shredding. By the time the improper disposal incident was discovered, the dumpster had been emptied. An investigation was launched which revealed the custodial employee who disposed of the paperwork was unaware that the documents contained confidential information.

It was not possible to determine exactly which patients were affected, so notification letters were sent to all individuals potentially impacted by the breach. The documents likely contained information such as names, dates of birth, mailing addresses, driver’s license numbers, Social Security numbers, disability information, medical information, banking and wage information, receipt of Medicaid, mental health information, provider names, prescriptions, and substance abuse and illegal drug use information.

Clearbrook Nursing Home Residents Notified of Impermissible Disclosure of Prescription Information

688 residents of the Cedarbrook nursing home in Lehigh County, PA are being notified that their prescription information was accidentally shared with companies interested in tendering for the nursing home’s pharmacy contract.

An email was sent to 16 companies in December 2018 with an incorrect file attachment. The correct file contained invoice information detailing the medications prescribed in October through November. The file attached to the email included the names of the patients who received those medications.

The error was discovered promptly, and requests were sent to all 16 companies asking for the file to be deleted. All 16 companies, which were HIPAA-covered entities, confirmed that the file had been deleted.

All affected individuals have been notified about the privacy breach out of an abundance of caution. The risk of misuse of patient information is believed to be very low. Procurement procedures have now been updated and require all outgoing contract information to be checked by a supervisor prior to being sent.

The post Iowa Department of Human Services Notifies 4,484 Patients About Improper Disposal Incident appeared first on HIPAA Journal.

Beaumont Health, a not-for-profit 8-hospital health system based in Southfield, MI, has discovered a former employee has accessed the medical records patients without authorization and is understood to have shared protected health information with another individual.

An internal investigation was launched when it was discovered medical records had been accessed without authorization. A review of the former employee’s access logs revealed the unauthorized access first occurred on February 1, 2017 and continued until October 22, 2019. The breach was discovered in December 2018.

Beaumont Health said its internal investigation determined on December 10, 2019 that the medical records of 1,182 patients were accessed over a period of 20 months. The information potentially obtained and disclosed included names, addresses, contact telephone numbers, dates of birth, email addresses, health insurance information, reason why medical care was sought, and Social Security numbers.

The individual to whom the information was believed to have been disclosed was affiliated with a personal injury lawyer. Most of the patients whose records were accessed had sought treatment for injuries sustained in motor vehicle accidents.

When unauthorized access was confirmed, the employee was fired for violating hospital policies and HIPAA Rules. The incident has been reported to law enforcement and Beaumont Health said it will assist law enforcement if prosecution is pursued. The matter has also been reported to the Michigan Health and Hospital Association.

All patients affected by the incident have been notified by mail. Credit monitoring and identity theft protection services have been offered to patients whose Social Security number was compromised. Patients have been advised to be alert to the risk of identity theft and fraud and have been advised to check their explanation of benefits statements and accounts carefully and to report any suspected cases of misuse of their information.

Beaumont Health has taken steps to update internal policies and procedures to prevent similar incidents from occurring in the future.

Former VA Employee Sentenced for Leaking Medical Records of Former Army Major

A former employee of the Department of Veteran Affairs’ Benefits Administration has been sentenced for accessing the medical records of veterans without authorization and for leaking the medical records of a former U.S. Army major who ran for Congress in West Virginia in 2018.

Jeffrey Miller, 40, of Huntington, WV, pleaded guilty to accessing the medical records of 6 veterans, including the former Army Major, Richard Ojeda. Photographs of the records were taken and sent to an acquaintance. The image of Ojeda’s medical records was subsequently distributed to high-ranking Republicans in an attempt to influence his 2018 campaign for the 3^rd Congressional District in West Virginia.

Miller was sentenced on January 21, 2020 in federal court and will serve 6 months in jail.

The post Beaumont Health Discovers 20-Month Insider Breach appeared first on HIPAA Journal.

PIH Health, a 2-hospital nonprofit healthcare network based in Whittier, CA, has started notifying nearly 200,000 patients about a potential breach of their personal and protected health information in June 2019.

On June 18, 2019, PIH Health discovered the email accounts of certain employees had been accessed by unauthorized individuals as a result of a targeted phishing attack on its employees. The email accounts were immediately secured and an investigation was launched to determine the nature and extent of the breach.

PIH Health engaged leading cybersecurity experts to assist with the investigation and was notified on October 2, 2019, that the email accounts were subject to unauthorized access between June 11, 2019 and June 18, 2019.

The email accounts were then reviewed by the same cybersecurity experts to determine whether they contained any patient information. The review was completed on November 12, 2019. PIH Health then attempted to obtain up to date contact information for current and former patients affected by the breach. Notifications were sent by mail to those individuals on January 10, 2020.

The phishing attack has been reported to the Department of Health and Human Services Office for Civil Rights. The summary on the OCR breach portal indicates up to 199,548 patients were potentially affected by the attack.

Patients have been advised to monitor their account statements and to report any suspected fraudulent account activity. Patients have also been offered complimentary credit monitoring and identity theft protection services through Kroll for 12 months.

“The privacy and protection of private information is a top priority for PIH Health,” wrote PIH Health in its substitute breach notification. “PIH Health deeply regrets any inconvenience or concern this incident may cause.”

The post Nearly 200,000 Patients Impacted by PIH Health Phishing Attack appeared first on HIPAA Journal.

Adventist Health Sonora in California has discovered an unauthorized individual has gained access to the email account of a hospital associate and potentially viewed patient information.

The email account breach was detected by Adventist Health Sonora’s information security team on September 30, 2019. Immediate action was taken to secure the compromised Office 365 account and an investigation was launched to determine the extent of the breach.

The investigation confirmed that access to the Office 365 account was gained following a response to a phishing email and that it was an isolated incident. No other email accounts or systems were affected.

The purpose of the attack appears to have been to redirect invoice payments and defraud the hospital and its vendors, rather than to obtain sensitive patient information.

According to Adventist Health Sonora, a comprehensive review of the affected account revealed on October 14, 2019 that the account contained the protected health information of 2,653 patients. The types of information exposed included names, dates of birth, medical record numbers, health insurance information, hospital account numbers, and medical information related to the care provided at the hospital.

No evidence was uncovered to suggest any patient information was acquired by the attacker but, out of an abundance of caution, affected patients have been notified and offered complimentary identity theft protection services for 12 months.

Great Plains Health Has Recovered 80% of Systems Impacted by November 2019 Ransomware Attack

Great Plains Health in North Platte, NE, experienced a ransomware attack in November 2019 which saw its network encrypted. The decision was taken not to pay the ransom and instead to restore systems from backups. It has been a time-consuming and painstaking process, but hospital officials have announced that the process is now 80% completed.

Restoration of systems was prioritized with the most important patient systems restored first. It took two weeks for critical patient systems to be recovered. Members of staff worked round the clock to ensure systems were restored in the shortest possible time frame. Throughout the attack and recovery process patients continued to receive medical services and no patients were turned away or redirected to other healthcare facilities.

Hospital officials have now announced that all major IT systems have now been brought back online and the ransomware attack is no longer having any impact on any kind of patient care. Only archives now need to be restored, which contain information rarely used by the hospital.

The post Phishing Attack Reported by Adventist Health Sonora appeared first on HIPAA Journal.

Health Quest, now part of Nuvance Health, has discovered the phishing attack it experienced in July 2018 was more extensive than previously thought.

Several employees were tricked into disclosing their email credentials by phishing emails, which allowed unauthorized individuals to access their accounts. A leading cybersecurity firm was engaged to assist with the investigation and determine whether any patient information had been compromised.

In May 2019, Quest Health learned that the protected health information of 28,910 patients was contained in emails and attachments in the affected accounts and notification letters were sent to those individuals. The compromised accounts contained patient names, contact information, claims information, and some health data.

A secondary investigation of the breach revealed on October 25, 2019 that another employee’s email account was compromised which contained protected health information. According to the substitute breach notification on the Quest Health website, the compromised information varied from patient to patient, but may have included one or more of the following data elements in addition to names:

Dates of birth, Social Security numbers, driver’s license numbers, Medicare Health Insurance Claim Numbers (HICNs), provider name(s), dates of treatment, treatment and diagnosis information, health insurance plan member and group numbers, health insurance claims information, financial account information with PIN/security code, and payment card information.

No evidence of unauthorized viewing of patient data was uncovered and no reports have been received to indicate any patient information was misused. Out of an abundance of caution additional letters were mailed to patients on January 10, 2020.

Quest Health is now using multi-factor authentication on its email accounts and has strengthened security processes and provided additional training to its HQ employees on phishing and other cybersecurity issues.

It is currently unclear how many additional patients have been affected. At the time of posting, the breach report on the HHS’ Office for Civil Rights breach portal still states 28,910 individuals were impacted.

The post Quest Health Systems Discovers Additional Patients Impacted by 2018 Phishing Attack appeared first on HIPAA Journal.

The Portland, ME-based healthcare provider InterMed is notifying 33,000 patients that some of their protected health information has potentially been compromised as a result of a phishing attack.

The attack was detected on September 6, 2019. An internal investigation confirmed that the account was compromised on September 4 and the attackers had access to the account until September 6, 2019.

A leading national computer forensic firm was engaged to investigate the breach and discovered a further three email accounts had also been compromised between September 7 and September 10, 2019.

A comprehensive review of the affected email accounts was conducted but it was not possible to determine what emails or attachments, if any, had been viewed by the attackers.

The types of information in the compromised accounts varied from patient to patient and may have included patients’ names, dates of birth, health insurance information, and some clinical information. A “very limited” number of patients also had their Social Security number exposed.

InterMed started mailing breach notification letters to affected patients on November 5, 2019. Complimentary credit monitoring and identity protection services have been offered to patients whose Social Security number was exposed.

Steps have now been taken to improve email security and training has been reinforced to ensure employees adhere to email security best practices.

Phishing Attack Impacts 11,308 Patients of Central Maine Orthopaedics

11,308 patients of Central Maine Orthopaedics, part of Spectrum Healthcare Partners, are being notified that some of their protected health information has potentially been viewed by an unauthorized individual who gained access to the email account of one of its employees.

Spectrum Healthcare Partners discovered the unauthorized access on November 14, 2019 and immediately secured the affected account. The investigation revealed the account had been breached on November 5, 2019. A review of the emails and attachments in the account revealed they contained patients’ names, dates of birth, addresses, health insurance information, clinical and treatment information, and amounts owed to Central Maine Orthopaedics.

While it was confirmed that the attacker remotely accessed the account, no evidence was uncovered to suggest patient information was obtained or misused.

Affected patients were notified out of an abundance of caution on January 13, 2020 and have been advised to monitor their explanation of benefits and account statements for any sign of fraudulent use of their information.

Spectrum Healthcare Partners has strengthened its technical controls and is providing more stringent security training to employees.

4,564-Record Breach Reported by Children’s Hope Alliance

The Barium Springs, NC-based child welfare agency, Children’s Hope Alliance, has announced that a laptop computer containing sensitive information has been stolen.

According to the substitute breach notice on the Children’s Hope Alliance website, the laptop was stolen on October 7, 2019. A digital forensic firm was engaged to determine whether the laptop contained any sensitive information. The investigation is ongoing, but the initial finding show documents on the device contained information such as names, addresses, Social Security numbers, tax identification numbers, dates of birth, usernames and passwords, and medication and dosage information.

The breach report submitted to the Department of Health and Human Services’ Office for Civil Rights indicates 4,564 individuals have been impacted. The breach summary states that this was a hacking/IT incident involving email. It is unclear at this stage whether this is an error, a separate breach, or if the laptop was used to hack into the employee’s email account.

The post 44,000 Patients Impacted by Phishing Attacks on InterMed and Spectrum Healthcare Partners appeared first on HIPAA Journal.

SouthEast Eye Specialist (SEES) Group in Franklin, TN, is notifying 13,000 patients that some of their protected health information has been exposed as a result of a recent phishing attack.

It is unclear from the SEES Group’s substitute breach notice when the phishing attack occurred, but on November 1, 2019, SEES Group determined patient information was contained in email accounts that were accessed by unknown individuals.

The breach was discovered when the IT department identified suspicious activity in some employee email accounts. A third-party computer forensics company was retained to assist with the investigation and determine whether any emails or email attachments containing patient information had been viewed or copied by the attackers.

The investigation uncovered no evidence to suggest that patient information was viewed or obtained by unauthorized individuals, but it was not possible to rule out the possibility that patient information had been compromised.

A painstaking analysis of all emails in the affected accounts revealed they contained information on patients including names, treatment information, and Social Security numbers.

SEES Group is now reviewing its information security policies and procedures and email security will be augmented to prevent similar incidents from occurring in the future.

2,008 Patients Notified About btyDental Ransomware Attack

btyDental, a network of dental practices in Anchorage, AK, is notifying 2,008 patients about a ransomware attack that involved some of their protected health information.

Ransomware was installed on some of its servers on or around November 17, 2019. The servers contained patients’ X-ray images along with their names. The servers contained no other protected health information, which was stored in systems unaffected by the attack.

Steps were immediately taken to restore the affected servers and third-party IT consultants were retained to assist with the investigation. No evidence was found to suggest any patient images were accessed or obtained by the attackers.

btyDental has reviewed its security policies and procedures and has taken steps to prevent similar attacks from occurring in the future and will continue to evaluate the security of its systems and implement the most up-to-date security measures.

The post Phishing Attack on SouthEast Eye Specialist Group Impacts 13,000 Patients appeared first on HIPAA Journal.

A California healthcare provider was attacked with ransomware and two weeks on and its medical record system is still out of action.

Enloe Medical Center in Chico, CA, discovered the attack on January 2, 2020. Its entire network was encrypted, including its electronic medical record (EMR) system, which prevented staff from accessing patient information. Emergency protocols were immediately implemented to ensure care could still be provided to patients and only a limited number of elective medical procedures had to be rescheduled.

The attack also affected the telephone system which was taken out of action on the day of the attack. The telephone system was restored the following day but its EMR system is still out of action and employees are continuing to rely on pen and paper for recording patient data.

While there were some cancelled appointments in the first week after the attack, Enloe Medical Center says care is being provided to patients without delay while work continues to restore its systems. No information has been released on the type of ransomware involved, but the initial findings of the investigation suggest patient data has not been compromised.

“Upon learning of this incident, we immediately took steps to restore critical operating systems and ensure the security of our network. At this point in time, we have no indication or evidence that suggests patient medical data has been compromised,” said Kevin Woodward, Enloe’s chief financial officer. The ransomware attack has been reported to local and federal law enforcement agencies and the investigation is continuing.

Ransomware attacks have been increasing throughout 2019 and there are no signs of the attacks abating. In addition to file encryption, several ransomware gangs have adopted a new tactic to increase the probability of the ransom being paid. Prior to the deployment of ransomware, sensitive data is being stolen.

Recent attacks involving the MegaCortex, LockerGoGa, Maze, and Sodinokibi ransomware variants have seen data stolen prior to the deployment of ransomware. The threat actors using Maze and Sodinokibi ransomware have issued threats to expose the stolen data if the ransom is not paid. Both have followed through on those promises and have published sensitive data when the decision was taken not to pay the ransom.

The post Enloe Medical Center Continues to Experience EMR Downtime Due to Ransomware Attack appeared first on HIPAA Journal.