HIPAA Breach News

Kaiser Permanente Discovers 8-Year Employee HIPAA Breach

The Oakland, CA-based healthcare provider, Kaiser Permanente, has discovered a former employee accessed the radiology records of thousands of patients without authorization over a period of 8 years.

The privacy breach was discovered in late March and the employee was placed on administrative leave while an internal investigation was conducted. Kaiser Permanente was unable to find any legitimate work reason for the employee accessing the records and determined that the access fell outside of the scope of the employee’s job functions. The first instance of unauthorized access occurred in 2012 and the employee continued to access radiology records until her actions were discovered in March 2020.

The employee worked as an imaging technician in the radiology department and has now been fired over the HIPAA violation. While unauthorized access to protected health information was confirmed, Kaiser Permanente found no evidence to suggest that patient information was copied or was used to commit fraud or any criminal activities.

The breach was reported to the Department of Health and Human Services’ Office for Civil Rights on May 22, 2020 by Kaiser Foundation Health Plan of the Mid-Atlantic States. The breach report shows that over an 8-year period the imaging technician impermissibly accessed the records of 2,756 patients.

All affected individuals are now being notified about the privacy breach by mail.

Ridgeview Institute – Monroe Employee Terminated Over Unauthorized PHI Access and Impermissible Disclosure

Ridgeview Institute – Monroe in Georgia, a provider of mental health and addiction treatment services, has discovered a former employee accessed the records of certain patients without authorization and sent copies of patient information to a personal email account.

The privacy breach was discovered on January 14, 2020, prompting an internal investigation to determine the nature and scope of the breach. It took some time to determine exactly what information had been copied and which patients were affected, hence the delay in notifying affected individuals.

The information in the stolen documents was determined to include patients’ full names, birth dates, Social Security numbers, patient ID numbers, health insurance provider names, diagnoses, treatment information, prescriptions, medical procedures, lab test and other test results.

The employee admitted accessing and copying patient information without authorization and said the data had been subsequently disclosed to her attorney and one other individual.

No reason was provided as to why the information was copied and impermissibly disclosed. According to the Ridgeview Institute, assurances have been obtained from the unauthorized individual to whom the information was disclosed that the documents will not be shared with any other parties, and the employee, who no longer works at Ridgeview, has confirmed that all other copies of the documents have been destroyed.

All affected patients are in the process of being notified and complimentary identity theft protection services are being offered.

The post Kaiser Permanente Discovers 8-Year Employee HIPAA Breach appeared first on HIPAA Journal.

Mat-Su Surgical Associates Suffers Ransomware Attack

Palmer, AK-based Mat-Su Surgical Associates has announced it was attacked with ransomware in March. The attack was discovered on March 16 when staff were locked out of its computer systems as a result of the encryption of essential files.

A team of independent computer forensics investigators was engaged to assess the nature and scope of the attack and to determine whether any patient data had been accessed or stolen by the attackers. The investigators could not determine whether the attacker had exfiltrated data or viewed patient information prior to encryption, so unauthorized data access could not be ruled out. The attacker was determined to have gained access to parts of the computer system that contained the protected health information of 13,146 patients.

The information potentially compromised in the attack included the names of current and former patients of Valley Surgical Associates and Mat-Su Surgical Associates along with addresses, diagnoses, treatment information, lab test results, health insurance information, Social Security numbers, and other information related to the medical care provided.

All affected patients have been notified by mail and offered complimentary membership to credit monitoring and identity theft protection services through ID Experts.

Mat-Su Surgical Associates has taken steps to improve security, including implementing additional measures to prevent unauthorized remote access to its systems.

The Little Clinic Discovers Online Appointment System Bug that Exposed PHI

The Little Clinic, a network of more than 215 medical care clinics in Ohio, Kansas, Kentucky, Tennessee, Arizona, Georgia, Indiana, Virginia and Colorado, has discovered that a bug in its online appointment system may have resulted in an unauthorized disclosure of patients’ protected health information.

The bug was discovered internally by The Little Clinic and was determined to have been introduced on October 7, 2018. The issue was corrected on February 13, 2020 and measures were implemented to prevent similar breaches in the future.

The coding error meant that if a patient made an appointment and subsequently modified it online, the patient’s name, address, date of birth, and telephone number could be accessed by other domains. The investigation revealed up to 10,974 patients were potentially affected and may have had some of their personal information disclosed.

The Little Clinic found no evidence to suggest patient data was accessed or misused but determined on April 7, 2020 that the incident constituted a data breach. All individuals potentially affected have now been notified by mail.

The post Mat-Su Surgical Associates Suffers Ransomware Attack appeared first on HIPAA Journal.

Geisinger Wyoming Valley Medical Center and District Medical Group Disclose Data Breaches

District Medical Group (DMG), an integrated medical group serving patients in Arizona, has started notifying 10,190 patients that some of their protected health information has potentially been compromised. On March 11, 2020, DMG discovered an unauthorized individual had gained access to the email accounts of some of its employees as a result of responses to phishing emails.

A password reset was immediately performed to prevent further unauthorized access and a leading cybersecurity firm was engaged to investigate the breach. The investigation revealed a limited number of email accounts were compromised between February 4, 2020 and February 10, 2020.

An analysis of emails and attachments in the breached accounts revealed they contained patient information such as names, medical record numbers, medical information, and health insurance information. A limited number of Social Security numbers were also potentially compromised. No evidence was uncovered that suggested the emails were opened or copied by the attackers.

Affected patients have been advised to be vigilant and monitor their accounts and statements for any sign of fraudulent activity. Out of an abundance of caution, individuals whose Social Security numbers were present in the accounts have been offered complimentary credit monitoring and identity theft protection services.

DMG has reinforced employee education and has taken steps to improve email security to prevent further breaches in the future.

Geisinger Wyoming Valley Medical Center Employee Terminated for Unauthorized Medical Record Access

Geisinger Wyoming Valley Medical Center (GWVMC) in Wilkes-Barre, PA has discovered an employee has been accessing the medical records of patients with no legitimate work reason for doing so.

GWVMC was alerted to the potential HIPAA breach on March 20, 2020 and launched an internal investigation. The employee was authorized to view patient records to complete day-to-day work duties, but it was discovered the medical records of 805 patients had been accessed outside of those work duties. The unauthorized access started in July 2017 and continued until March 2020.

The investigation did not uncover any evidence to suggest patient records were being accessed with malicious intent. Out of an abundance of caution, affected patients have been offered complimentary credit monitoring and identity theft protection services.

The types of information viewed by the employee included names, addresses, telephone numbers, email addresses, dates of birth, Social Security numbers, medical conditions, diagnoses, medications, dates of service, visit notes, test results, and appointment information.

Appropriate disciplinary action was taken against the employee for the violation of HIPAA and hospital policies. The employee no longer works at GWVMC.

The post Geisinger Wyoming Valley Medical Center and District Medical Group Disclose Data Breaches appeared first on HIPAA Journal.

April 2020 Healthcare Data Breach Report

There were 37 healthcare data breaches of 500 or more records reported in April 2020, up one from the 36 breaches reported in March. As the graph below shows, the number of breaches reported each month has been fairly consistent and has remained well below the 12-month average of 41.9 data breaches per month.

Healthcare data breaches by month (2019-2020)

While the number of breaches increased slightly, there was a significant reduction in the number of breached healthcare records in April. 442,943 healthcare records were breached in April, down 46.56% from the 828,921 records breached in March. This is the second successive month where the number of exposed records has fallen. While this is certainly good news, it should be noted that in the past 12 months, 39.92 million healthcare records have been breached.

Healthcare records breached in the past 6 months

Largest Healthcare Data Breaches in April 2020


| Name of Covered Entity | Covered Entity Type | Individuals Affected | Type of Breach | Location of Breached Information |
|---|---|---|---|---|
| Beaumont Health | Healthcare Provider | 112,211 | Hacking/IT Incident | Email |
| Meridian Health Services Corp. | Healthcare Provider | 111,372 | Hacking/IT Incident | Email |
| Arizona Endocrinology Center | Healthcare Provider | 74,122 | Unauthorized Access/Disclosure | Electronic Medical Record |
| Advocate Aurora Health | Healthcare Provider | 27,137 | Hacking/IT Incident | Email, Network Server |
| Doctors Community Medical Center | Healthcare Provider | 18,481 | Hacking/IT Incident | Email |
| Andrews Braces | Healthcare Provider | 16,622 | Hacking/IT Incident | Network Server |
| UPMC Altoona Regional Health Services | Healthcare Provider | 13,911 | Hacking/IT Incident | Email |
| Colorado Department of Human Services, Office of Behavioral Health | Healthcare Provider | 8,132 | Unauthorized Access/Disclosure | Network Server |
| Agility Center Orthopedics | Healthcare Provider | 7,000 | Hacking/IT Incident | Email |
| Beacon Health Options, Inc. | Business Associate | 6,723 | Loss | Other Portable Electronic Device |


Causes of Healthcare Data Breaches in April

As was the case in March, hacking and IT incidents were the leading causes of healthcare data breaches. Unauthorized access/disclosure incidents were the next most common causes of breaches, an increase of 77.77% from the previous month.

333,838 records were compromised in the 18 reported hacking/IT incidents, which account for 75.37% of all records breached in April. The average breach size was 18,547 records and the median breach size was 4,631 records. There were 16 reported unauthorized access/disclosure incidents in April. The average breach size was 6,171 records and the median breach size was 1,122 records. In total, 98,737 records were breached across those 16 incidents.

There were two theft incidents reported in April, both involving portable electronic devices. The records of 3,645 individuals were stored on those devices. There was also one lost portable electronic device containing the records of 6,723 patients.

Causes of healthcare data breaches in April 2020

The bar chart below shows the location of breached protected health information. The chart shows email is by far the most common location of breached health information. 48.65% of all reported breaches in April involved PHI stored in emails and email attachments. The majority of those breaches were phishing attacks. Most healthcare data breaches involve electronic data, but one in five breaches involved PHI in paper files and charts.

Location of breached PHI in April 2020

Healthcare Data Breaches by Covered Entity Type

Healthcare providers were the worst affected covered entity type in April with 30 breaches reported. Four health plans reported a breach in April, and three breaches were reported by business associates of HIPAA-covered entities. A further 8 breaches had some business associate involvement.

Healthcare Data Breaches by State

April’s data breaches were reported by covered entities and business associates in 22 states. Florida and Texas were the worst affected with 4 breaches each. There were three data breaches reported in Michigan and Pennsylvania, and two breaches affecting covered entities and business associates based in California, Connecticut, Minnesota, Missouri, and Wisconsin. One breach was reported by entities based in Arkansas, Arizona, Colorado, Delaware, Indiana, Massachusetts, Maryland, North Carolina, New Mexico, Nevada, Tennessee, Utah, and Washington.

HIPAA Enforcement Activity in April

There were no financial penalties imposed on covered entities or business associates by state Attorneys General or the HHS’ Office for Civil Rights in April.

The post April 2020 Healthcare Data Breach Report appeared first on HIPAA Journal.

Mille Lacs Health System Phishing Attack Impacts 10,600 Patients

Onamia, MN-based Mille Lacs Health System has experienced a phishing attack that potentially resulted in the exposure of more than 10,000 patients’ protected health information.

Phishing emails were sent to some of its employees containing links that directed them to a website that requested their email credentials. A small number of employees were fooled by the scam.

Mille Lacs Health System learned about the phishing attack on November 14, 2020 and launched an investigation to determine the extent of the breach. On February 24, 2020, it was confirmed that the stolen email credentials were used by the attacker to access email accounts between August 26, 2019 and January 7, 2020. A review of the compromised email accounts was completed on April 22, 2020 and confirmed that patient information may have been accessed.

Information potentially compromised includes first and last names, addresses, dates of birth, provider names, dates of service, clinical information, treatment information, procedure types, and for certain individuals, Social Security numbers. No evidence was found to suggest patient information was obtained or misused by the attackers.

All accounts have been secured, a full password reset was performed for all email accounts, and additional measures have been implemented to strengthen email security. Affected individuals were notified about the breach by mail on May 11, 2020 and have been offered complimentary credit monitoring services.

The breach report submitted to the Department of Health and Human Services’ Office for Civil Rights indicates 10,630 patients were affected by the breach.

North Shore Pain Management Experiences Ransomware Attack

North Shore Pain Management in Massachusetts has experienced a manual AKO ransomware attack and the data of some of its patients was stolen.

The incident has not yet appeared on the HHS’ Office for Civil Rights breach portal and, at the time of writing, there is no substitute breach notice on the company’s website. The breach was covered on databreaches.net, which reports that approximately 4GB of data relating to the company has been published on the Tor site used by the attackers. More than 4,000 files containing patient and employee information have been dumped online.

The files contained a range of sensitive protected health information including Social Security numbers, health information, and insurance information.

PsyGenics Employee Emailed Client Information to Personal Email Account

The Detroit-based occupational therapy, speech therapy, and family therapy provider, PsyGenics, Inc., has discovered one of its employees forwarded a spreadsheet containing customer information to a personal email account. The breach was detected on March 25, 2020 as part of a regular security review. The email was sent on March 24, 2020.

The spreadsheet contained information such as customers’ names, diagnosis codes, provider names, and appointment times. No other information, such as treatment notes, was included in the spreadsheet. No reason was given as to why the employee sent the spreadsheet to their personal email account. PsyGenics says it found no evidence of attempted or actual misuse of client information.

The post Mille Lacs Health System Phishing Attack Impacts 10,600 Patients appeared first on HIPAA Journal.

Management and Network Services Notifies 30,132 Patients About PHI Breach

Management and Network Services (MNS), LLC, a Dublin, OH-based provider of administrative support services to post-acute healthcare providers, has discovered the email accounts of some of its employees have been compromised.

In a May 4, 2020 breach notification letter, MNS explained that it learned on or around August 21, 2019 that several employee email accounts had been subjected to unauthorized access between April and July of 2019. The analysis of the email accounts recently revealed five accounts contained the protected health information of patients of its clients.

The information in emails and email attachments varied from individual to individual and may have included the following data elements: name, medical treatment information, diagnosis information/codes, medication information, dates of service, insurance provider, health insurance number, date of birth, and Social Security number. A limited number of individuals also had their driver’s license number, State ID card number, and/or financial account information exposed.

MNS has taken steps to improve email security such as enhancing password policies across the entire organization and implementing multi-factor authentication for all employee email accounts.

The HHS’ Office for Civil Rights breach portal shows 30,132 patients had some of their PHI exposed.

Santa Rosa & Rohnert Park Oral Surgery Suffers Email Security Breach

Santa Rosa & Rohnert Park Oral Surgery in Portland, OR has discovered the email account of one of its employees was accessed by an unauthorized individual. The breach was detected on March 11, 2020 when suspicious activity was detected in the email account. The forensic investigation revealed the email account was breached on December 20, 2019 and access remained possible until March 11, 2020, when the account was secured. The compromised account was found to contain a range of protected health information which may have been viewed or acquired by the attacker.

Affected individuals have been offered complimentary membership to the MyIDCare credit monitoring and identity theft protection service from ID Experts. Santa Rosa & Rohnert Park Oral Surgery is reviewing and enhancing its policies and procedures and will take further steps to improve information security.

PHI of 3,683 Ashtabula County Medical Center Patients Exposed Online

Ashtabula County Medical Center (ACMC), an affiliate of Cleveland Clinic, is notifying 3,683 patients that some of their protected health information has been exposed online. On or around January 6, 2020, ACMC posted an Excel spreadsheet on a website to comply with government requirements about medical cost disclosures. On March 12, 2020, ACMC learned that a limited amount of protected health information had been accidentally included in the spreadsheet.

The exposed information was limited to patients’ names, diagnoses, and health and treatment histories. No Social Security numbers or financial data were exposed. Out of an abundance of caution, affected individuals have been offered a 12-month complimentary membership to identity theft recovery services through IDExperts.

ACMC has now updated its policies and procedures and has implemented additional safeguards to prevent similar breaches in the future.

Phishing Attack Exposed PHI at Orchard Medical Consulting

Orchard Medical Consulting, a provider of nurse case management services for workers’ compensation claims, has announced that an unauthorized individual gained access to the email account of one of its employees and potentially accessed protected health information stored in the account.

The attack was detected on January 30, 2020 and immediate action was taken to secure the account. The investigation revealed the account contained names, dates of birth, and for a very small number of individuals, Social Security number, and medical information such as diagnosis, treatment plan, and/or health history.

No evidence of data access, data theft, or misuse of PHI has been discovered. Affected individuals have been offered complimentary membership to TransUnion Interactive’s myTrueIdentity credit monitoring service out of an abundance of caution. To prevent further breaches, email security has been strengthened, policies and procedures updated, and multi-factor authentication has been implemented.

The post Management and Network Services Notifies 30,132 Patients About PHI Breach appeared first on HIPAA Journal.

Magellan Health Suffers Ransomware Attack

The Fortune 500 company Magellan Health has announced it experienced a ransomware attack in April that resulted in the encryption of files and theft of some employee information.

The ransomware attack was detected by Magellan Health on April 11, 2020 when files were encrypted on its systems. The investigation into the attack revealed the attacker had gained access to its systems following a response to a spear phishing email sent on April 6. The attacker had fooled the employee by impersonating a client of Magellan Health.

Magellan Health engaged the cybersecurity firm Mandiant to assist with the investigation into the breach, which revealed the attacker had gained access to a corporate server that contained employee information and exfiltrated a subset of that data prior to the encryption of files. The attacker also downloaded malware that was used to steal login credentials.

The data stolen by the hacker related to current employees and included names, addresses, employee ID numbers, and W-2 and 1099 information, which included taxpayer IDs and Social Security numbers. A limited number of usernames and passwords were also stolen in the attack.

Magellan Health is unaware of any attempts to use that data but has advised affected individuals to be alert to the possibility of identity theft and misuse of their data. Affected individuals have been offered a complimentary 3-year membership to Experian’s IdentityWorks identity theft detection and resolution service.

Magellan Health is working closely with law enforcement and is aggressively investigating the breach and steps have already been taken to improve security to prevent similar breaches in the future.

It is currently unclear how many individuals have been affected by the breach.

The ransomware attack comes just a few months after the company discovered some of its subsidiaries suffered phishing attacks. Magellan Rx Management, Magellan Healthcare, and National Imaging Associates were all affected. Announcements about the breaches were made in September and November 2019, with the phishing attacks allowing unauthorized individuals to gain access to employee email accounts in July 2019. The emails in the compromised accounts contained the protected health information of 55,637 members.

The post Magellan Health Suffers Ransomware Attack appeared first on HIPAA Journal.

Email Breach Impacts 35,529 Patients of Saint Francis Healthcare Partners

Saint Francis Healthcare Partners in Connecticut is notifying 38,529 patients that some of their protected health information has potentially been obtained by hackers as a result of a “sophisticated cybersecurity incident” that allowed an unauthorized individual to gain access to its email system.

The attack occurred on December 30, 2019 but it took until March 20, 2020 for the forensic investigation to determine that patients’ protected health information was potentially compromised. The types of information stored in the email system that could have been accessed included names, medical histories, medical record numbers, clinical and treatment information, dates of service, diagnoses, health insurance provider names, account numbers, prescription information and/or types of procedures performed. No financial information or Social Security numbers were compromised.

The investigation uncovered no evidence to suggest patient information was accessed, stolen, or misused. Steps have now been taken to improve data security practices and all affected patients have been notified by mail.

Florida Internal Medicine Practice Suffers Ransomware Attack

Daniel Bendetowicz, MD, PA is notifying 3,314 patients that their protected health information has been exposed as a result of a ransomware attack. The attack occurred on March 25, 2020 resulting in the encryption of its computer systems, including patient records. Backup files were not affected so files could be recovered without paying the ransom.

In these types of ransomware attacks, files are not typically accessed by the attackers prior to file encryption; however, data access could not be ruled out so notification letters have been sent to affected patients. Dr. Bendetowicz explained in the breach notification letters that names, addresses, dates of birth, Social Security numbers, health insurance information, and medical information were potentially compromised.

Out of an abundance of caution, identity theft protection services have been offered to all affected patients. Steps have also been taken to improve security to prevent further attacks in the future.

Houston Methodist Hospital Notifies 2,000 Patients of PHI Theft

Houston Methodist Hospital is notifying 1,987 heart patients that some of their protected health information was stored on portable storage devices that were stolen from the vehicle of a vendor representative in mid-February.

The individual was employed by the medical device manufacturer and operated the 3D imaging technology in the hospital’s cardiac catheterization lab.

The hard drives were left in a vehicle from where they were stolen. The hospital reports that the room where the hard drives were stored was locked, and removal of the devices was against hospital protocol and violated established technical safeguards and contractual obligations. The representative believed the room was only locked due to the late hour of the day.

The hard drives contained medical images that included a patient’s name, gender, date of birth, and a code number. The images could only be viewed with specialist software. The clinic reported the theft to law enforcement and hired a private investigator, but the hard drives could not be located.

Email Error Leads to Breach at Ascension Eastwood Clinic

An employee of Ascension Eastwood Clinic in Southfield, MI sent an email to patients on April 15, 2020 explaining the practice was transitioning to telehealth services due to COVID-19 to help prevent the spread of the disease.

An error was made when sending the email: patients’ email addresses were placed in a visible recipient field rather than the BCC field, so every recipient could see the other recipients’ addresses. As a result of the error, email addresses and, in some cases, patients’ full names were disclosed to other patients. Apart from allowing a patient to be identified as a patient of the clinic, no other information was exposed.

The HHS’ Office for Civil Rights breach portal shows 999 patients were affected.

The post Email Breach Impacts 35,529 Patients of Saint Francis Healthcare Partners appeared first on HIPAA Journal.

Healthcare Workers in Michigan and Illinois Fired for HIPAA Violations

Ann & Robert H. Lurie Children’s Hospital of Chicago has terminated an employee for improperly accessing the medical records of patients without authorization over a period of 15 months.

The privacy violations were identified by the hospital on March 5, 2020. The employee’s access to hospital systems was immediately terminated while the investigation was conducted. After reviewing access logs, the hospital found that the employee had accessed the medical records of 4,824 patients without authorization between November 2018 and February 2020.

The types of information accessed by the employee included names, addresses, dates of birth, diagnoses, medications, appointments, and medical procedures. No health insurance information, financial information, or Social Security numbers were accessed.

No reason has been given as to why the medical records were accessed, but the hospital says it does not believe the employee obtained, misused, or disclosed the information to anyone else. The hospital said the employee no longer works at the hospital.

This is not the first incident of its type to occur at Lurie Children’s Hospital. A similar incident was discovered in November 2019, when the hospital learned that a former employee accessed the medical records of patients without authorization between September 2018 and September 2019.

Mercy Health Fires Nurse for Multiple Privacy Violations

Mercy Health has also recently taken action against an employee for alleged violations of the HIPAA Privacy Rule. A nurse at Hackley Hospital in Muskegon, MI was terminated on April 3, 2020. The termination came shortly after the nurse raised concerns in media interviews about the level of preparedness of the hospital for the COVID-19 pandemic and how the alleged lack of preparedness put safety at risk. The nurse contacted the Michigan Nurses Association Labor Union, which claimed that Mercy Health fired the nurse for speaking out. The Labor Union also filed a charge with the National Labor Relations Board.

“Howe’s termination came on the evening of April 3, days after he had publicly raised concerns about lack of appropriate PPE and the need for improved screening measures to keep nurses and healthcare workers safe during the COVID-19 pandemic,” said the Labor Union in an April 21, 2020 press release.

10 days after the nurse was fired, and one day after the press release was issued by the Labor Union, Mercy Health released a press release of its own stating the nurse was fired for multiple violations of HIPAA Rules. Mercy Health said it does not usually share details about employment matters related to its workers but was compelled to speak out due to the “misinformation campaign” led by the Labor Union.

Mercy Health claims the fired nurse, Justin Howe, was terminated for accessing the medical records of multiple patients over a period of several days. The records were not for patients receiving treatment at the campus where the nurse worked, and there was no legitimate work reason for accessing those records. Mercy Health claims that Howe was not the only nurse terminated for improper medical record access.

According to Mercy Health’s press release, “We have mechanisms in place to monitor for inappropriate access of privileged information. As part of this review process, Mr. Howe along with others were terminated for the same. This investigative effort is still in process.”
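The Kaiser, Geisinger, Lurie Children’s and Mercy Health cases above were all surfaced by reviewing EHR access logs for chart views with no treatment relationship. The following is an added example of that review, not code from HIPAA Journal or from any of the organizations named: the audit-log format, the user ids and the care-team table are constructed, and the "several patients over several days, other campus, after hours" thresholds are assumptions chosen to match the pattern Mercy Health describes.

```python
"""Added example: review a constructed EHR audit trail for chart accesses
with no documented treatment relationship, then summarize per user."""
import csv
from collections import defaultdict
from datetime import datetime
from io import StringIO

# Constructed audit trail (not a real EHR export): who viewed which chart,
# when, and the campus of both the user and the patient.
ACCESS_LOG = """timestamp,user_id,role,patient_id,patient_campus,user_campus
2020-03-02T08:14:00,tech_017,imaging_tech,P1001,WEST,WEST
2020-03-02T08:20:00,tech_017,imaging_tech,P1002,WEST,WEST
2020-03-02T22:41:00,tech_017,imaging_tech,P2201,EAST,WEST
2020-03-03T23:05:00,tech_017,imaging_tech,P2202,EAST,WEST
2020-03-04T23:10:00,tech_017,imaging_tech,P2203,EAST,WEST
2020-03-03T09:00:00,rn_204,nurse,P1001,WEST,WEST
2020-03-03T09:30:00,rn_204,nurse,P1003,WEST,WEST
2020-03-05T11:00:00,rn_204,nurse,P2201,EAST,WEST
"""

# Constructed care-team assignments: the documented treatment relationships.
# A (user, patient) pair missing from this set has no work-related basis.
CARE_TEAM = {
    ("tech_017", "P1001"), ("tech_017", "P1002"),
    ("rn_204", "P1001"), ("rn_204", "P1003"),
}


def parse_access_log(text):
    """Parse the CSV audit trail into dicts with a real datetime field."""
    rows = list(csv.DictReader(StringIO(text)))
    for row in rows:
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
    return rows


def flag_unrelated_access(rows, care_team):
    """Keep only accesses where the user is not on the patient's care team."""
    return [r for r in rows if (r["user_id"], r["patient_id"]) not in care_team]


def summarize_by_user(flagged, min_patients=2, min_days=2):
    """Aggregate flagged accesses per user. A user is reported only when the
    pattern spans several distinct patients and several days (assumed
    thresholds), which separates sustained snooping from a single mis-click."""
    per_user = defaultdict(list)
    for r in flagged:
        per_user[r["user_id"]].append(r)
    report = {}
    for user, hits in per_user.items():
        patients = {h["patient_id"] for h in hits}
        days = {h["timestamp"].date() for h in hits}
        if len(patients) < min_patients or len(days) < min_days:
            continue
        report[user] = {
            "distinct_patients": len(patients),
            "days_active": len(days),
            "first_access": min(h["timestamp"] for h in hits).isoformat(),
            "last_access": max(h["timestamp"] for h in hits).isoformat(),
            # Chart belongs to a patient on another campus than the user.
            "other_campus": sum(h["patient_campus"] != h["user_campus"] for h in hits),
            # Access outside an assumed 06:00-20:00 working window.
            "after_hours": sum(h["timestamp"].hour >= 20 or h["timestamp"].hour < 6
                               for h in hits),
        }
    return report


def review(log_text=ACCESS_LOG, care_team=CARE_TEAM):
    """Run the full review and return the per-user report."""
    rows = parse_access_log(log_text)
    return summarize_by_user(flag_unrelated_access(rows, care_team))


if __name__ == "__main__":
    for user, facts in review().items():
        print(user, facts)
```

On the constructed log only tech_017 is reported (three other-campus charts, three nights running); rn_204’s single unrelated view stays below the thresholds and would be handled as a one-off follow-up rather than a pattern.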

The post Healthcare Workers in Michigan and Illinois Fired for HIPAA Violations appeared first on HIPAA Journal.