HIPAA Breach News

June 2020 Healthcare Data Breach Report

The sharp drop in healthcare data breaches seen in May proved to be short lived, with June seeing a major increase in data breaches. In June, 52 breaches were reported by HIPAA covered entities and business associates. That represents an 85.71% month-over-month increase in reported breaches.

The number of individuals impacted by healthcare data breaches changed little despite the large increase in breaches, with a month-over-month fall of 1.65% to 1,047,015 records, which is well above the 2020 monthly average of 896,374 breached records.

Largest Healthcare Data Breaches in June 2020

The largest healthcare data breach reported by a single entity in June affected the Texas billing and collections agency Benefit Recovery Specialists, Inc. (BRS). Malware was detected on its systems that potentially gave unauthorized individuals access to the protected health information of more than a quarter of a million people.

There was, however, a much larger data breach reported in June that affected more than 365,000 individuals but was reported separately by each entity affected by the breach. Magellan Health suffered a ransomware attack that also affected at least 9 healthcare providers, health plans, and business associates, specifically Merit Health Insurance Company, Magellan Complete Care of Florida, the University of Florida Health Jacksonville, Magellan Healthcare in Maryland, Magellan Rx Pharmacy, National Imaging Associates, UF Health Shands, UF Health, and Magellan Complete Care of Virginia. The ransomware attack ranks as the third largest healthcare data breach so far in 2020.

| Name of Covered Entity | Covered Entity Type | Type of Breach | Individuals Affected |
|---|---|---|---|
| Benefit Recovery Specialists, Inc. | Business Associate | Hacking/IT Incident | 274,837 |
| Merit Health Insurance Company | Health Plan | Hacking/IT Incident | 102,748 |
| Magellan Complete Care of Florida | Health Plan | Hacking/IT Incident | 76,236 |
| Healthcare Fiscal Management Inc. | Business Associate | Hacking/IT Incident | 58,000 |
| UF Health Jacksonville | Healthcare Provider | Hacking/IT Incident | 54,002 |
| Magellan Healthcare | Business Associate | Hacking/IT Incident | 50,410 |
| Providence Health Plan | Health Plan | Unauthorized Access/Disclosure | 49,511 |
| American Medical Technologies | Healthcare Provider | Hacking/IT Incident | 47,767 |
| Oral and Maxillofacial Surgery Associates, P.A. | Healthcare Provider | Hacking/IT Incident | 35,498 |
| City of Philadelphia | Health Plan | Hacking/IT Incident | 33,376 |
| Magellan Rx Pharmacy | Healthcare Provider | Hacking/IT Incident | 33,040 |
| Cano Health | Healthcare Provider | Hacking/IT Incident | 28,268 |
| National Imaging Associates | Business Associate | Hacking/IT Incident | 22,560 |
| Legacy Community Health Services | Healthcare Provider | Hacking/IT Incident | 19,000 |
| Human Affairs International of California | Business Associate | Hacking/IT Incident | 15,843 |
| UF Health Shands | Healthcare Provider | Hacking/IT Incident | 13,146 |
| North Shore Pain Management | Healthcare Provider | Hacking/IT Incident | 12,472 |
| Choice Health Management Services, LLC | Business Associate | Hacking/IT Incident | 11,650 |
| Iowa Total Care, Inc. | Health Plan | Unauthorized Access/Disclosure | 11,581 |
| The Kroger Co., for itself and its affiliates and subsidiaries | Healthcare Provider | Hacking/IT Incident | 10,974 |

Causes of June 2020 Healthcare Data Breaches

There were 37 reported hacking/IT incidents in June, which accounted for 71.15% of the month’s breaches and 91.14% of the records breached in June; 957,082 records were exposed or stolen in those breaches. The average breach size was 25,867 records and the median breach size was 9,271 records.

There were 11 unauthorized access/disclosure incidents reported in June that impacted 85,580 individuals. The average breach size was 7,780 records and the median breach size was 1,650 records. There were 4 loss/theft incidents reported that impacted 4,353 individuals. The average breach size was 1,088 records and the median breach size was 910 records.

The most common location of breached protected health information was email. 63.46% of the month’s breaches involved ePHI stored in emails and email attachments, with 36.53% of breaches involving network servers. The majority of the email breaches were due to phishing attacks, with the network server breaches mostly involving malware and ransomware.

June 2020 Healthcare Data Breaches by State

Data breaches of 500 or more records were reported by HIPAA-covered entities and business associates in 21 states. California was the worst affected state with 9 breaches, followed by Florida with 7, Texas with 5, Maryland and New York with 4 each, and Illinois with 3.

There were two breaches in each of Arkansas, North Carolina, Ohio, Oregon, and Pennsylvania, and one breach in each of Colorado, Connecticut, Iowa, Kentucky, Massachusetts, Michigan, Missouri, South Carolina, Tennessee, and Utah.

Healthcare Data Breaches by Covered Entity Type

Healthcare providers were the worst affected covered entity in June with 33 reported data breaches. There was an increase in health plan data breaches with 9 reported incidents, and also an increase in business associate breaches. While there were 10 breaches reported by business associates, a further 7 breaches involved business associates but were reported by the covered entity.

HIPAA Enforcement in June 2020

There were no HIPAA enforcement actions announced by state attorneys general or the HHS’ Office for Civil Rights in June 2020. The HHS has stated that it is prepared to be flexible with HIPAA investigations during the pandemic, so the lack of enforcement actions so far in 2020 may not be due to any reduction in enforcement; penalties may simply be delayed until the COVID-19 pandemic is brought under control.

On July 23, 2020, the Secretary of the Department of Health and Human Services, Alex Azar, announced that the nationwide public health emergency has been renewed for a further 90 days. Consequently, OCR’s Notices of Enforcement Discretion covering good faith uses and disclosures of PHI in relation to telehealth and the operation of COVID-19 testing centers, and the waivers under Section 1135(b)(7) of the Social Security Act, remain in effect.


Small North Carolina Healthcare Provider Fined $25,000 for HIPAA Security Rule Noncompliance

The HHS’ Office for Civil Rights (OCR) has announced a $25,000 settlement has been reached with Metropolitan Community Health Services to resolve violations of the HIPAA Security Rule.

Washington, NC-based Metropolitan Community Health Services is a Federally Qualified Health Center that provides integrated medical, dental, behavioral health & pharmacy services for adults and children. Operating as Agape Health Services, Metro provides discounted medical services to the underserved population in rural North Carolina. Metropolitan Community Health Services has around 43 employees and serves 3,100 patients each year.

On June 9, 2011, Metropolitan Community Health Services filed a report with OCR over a breach of the protected health information of 1,263 patients. OCR conducted a compliance review to establish whether the breach was the direct result of noncompliance with the HIPAA Rules. The OCR investigation uncovered longstanding, systemic noncompliance with the HIPAA Security Rule.

Prior to the breach, Metropolitan Community Health Services had failed to implement HIPAA Security Rule policies and procedures, in violation of 45 C.F.R. §164.316, and an accurate and thorough assessment of the potential risks to the confidentiality, integrity, and availability of ePHI had not been conducted, in violation of 45 C.F.R. §164.308(a)(1)(ii)(A). Despite being in business since 1999, no HIPAA security awareness and training had been provided to the workforce prior to June 30, 2016, in violation of 45 C.F.R. §164.308(a)(5).

When deciding on an appropriate settlement, OCR took the size of the organization and several other factors into account. In addition to paying a financial penalty of $25,000 to resolve the HIPAA violations, Metropolitan Community Health Services has agreed to adopt a robust corrective action plan and will ensure policies and procedures are implemented to the standards required by HIPAA. Metropolitan Community Health Services will be monitored for compliance with the corrective action plan for a period of two years.

This is the second HIPAA violation penalty to be imposed on a HIPAA covered entity in 2020 to resolve violations of HIPAA Rules, the first being a $100,000 financial penalty in March 2020 for Steven A. Porter, M.D., for risk analysis and risk management failures.

The fine confirms that healthcare providers, large and small, are required to comply with HIPAA Rules. “Health care providers owe it to their patients to comply with the HIPAA Rules. When informed of potential HIPAA violations, providers owe it to their patients to quickly address problem areas to safeguard individuals’ health information,” said Roger Severino, OCR Director.


Ransomware Data Breach Lawsuit Against Sarrell Regional Dental Center Tossed by Federal Judge

A lawsuit filed against Sarrell Regional Dental Center for Public Health Inc. over a July 2019 ransomware attack has been dismissed by a Federal judge due to a lack of standing.

Sarrell was able to recover from the attack and restore its computer systems and data without paying the ransom, although the dental center was forced to close for two weeks while its systems were restored. No evidence was found to indicate patient data was accessed or downloaded from its systems, but because a data breach could not be ruled out with 100% certainty, notification letters were sent to the 391,000 patients whose personal and protected health information (PHI) was potentially compromised.

A lawsuit was filed against Sarrell in 2019 on behalf of patients affected by the attack. The lawsuit sought class action status and damages for patients whose PHI was potentially compromised in the attack. The lawsuit alleged patients faced a higher risk of identity theft as a result of the attack and had to cover the cost of credit monitoring services.

Judge R. Austin Huffaker Jr. stated in his ruling that while the extent and depth of the breach were “murky”, Sarrell had conducted an investigation into the attack and found no evidence that files containing protected health information had been accessed or exfiltrated by the attackers and there was no evidence patient information had been misused in any way.

The lawsuit alleged the ransomware attack was a direct result of the failure of Sarrell to implement reasonable cybersecurity procedures and protocols and patients’ personal and protected health information was now likely in the hands of identity thieves. Consequently, patients affected by the breach had to spend time and money protecting themselves against identity theft and fraud. However, Judge Austin Huffaker viewed the claims as speculative, since the plaintiffs failed to provide “at least some plausible specific allegation of actual or likely misuse of data.”

Since the plaintiffs and putative class members failed to allege they had suffered identity theft or fraud as a result of the ransomware attack, there were insufficient grounds to sue Sarrell for the security breach. “The fact that the breach occurred cannot, in and of itself, be enough, in the absence of any imminent or likely misuse of protected data, to provide plaintiffs with standing to sue,” wrote Judge Austin Huffaker. “The plaintiffs fail to allege that they or members of the putative class have suffered actual identity theft. Instead, their pleading speaks of ‘possibilities’ and traffics in ‘maybes’.”


47,754 Individuals Impacted by Lorien Health Services Ransomware Attack

Ellicott City, MD-based Lorien Health Services, which runs 9 assisted living facilities in Maryland, has announced it was the victim of a ransomware attack on June 6, 2020.

Third-party cybersecurity experts were retained to assist with the investigation and determine whether patient information had been accessed by the attackers. On June 10, 2020, it was confirmed that the attackers had accessed files containing residents’ names, addresses, dates of birth, diagnoses, treatment information, and Social Security numbers, as well as some employee information. Some of that data was stolen in the attack.

The attack was conducted by the operators of Netwalker ransomware. When Lorien Health Services refused to pay the ransom, a sample of the stolen data was published online.

Lorien Health reported the breach to the FBI and the ransomware attack is being investigated. The breach report submitted to the Department of Health and Human Services indicates the compromised systems contained the protected health information of 47,754 individuals. Those individuals have been offered complimentary credit monitoring and identity theft protection services. Notification letters were sent to all impacted individuals on June 16, 2020, just 10 days after the attack.

Accu Copy of Greenville Security Breach Impacts 21,800 Patients

Accu Copy of Greenville, Incorporated, a NC-based company that provides printing and billing statement mailing services to businesses, has discovered unauthorized individuals gained access to one of its servers and may have accessed documents containing the protected health information of patients of Physicians East, a healthcare provider serving eastern North Carolina.

Accu Copy detected the breach on April 10, 2020 and promptly took steps to prevent any further unauthorized access. The investigation into the breach concluded the unauthorized individual first accessed the server on April 1, 2020. On May 15, 2020, Accu Copy confirmed patient data may have been accessed and a review of the files on the server was completed on June 26, 2020.

The server was discovered to contain billing statements for 21,800 patients. The statements related to a Physicians East office visit and contained names, addresses, diagnosis information, treatment information, provider name, and the cost of treatment.

Following the breach, all passwords were changed, and assistance was sought from a cybersecurity company to help improve security.

Coalinga Valley Health Clinics Discovers Improper PHI Access by Former Employee

A former employee of Coalinga Valley Health Clinics, Inc. is alleged to have removed documents from its offices that contained the protected health information of some of its patients.

The Coalinga, CA-based healthcare provider was notified about the alleged data theft by the Coalinga Police Department on April 17, 2020. The employee’s access to health records was immediately terminated and an investigation was launched to determine the extent of the unauthorized access. The Police Department recovered all documents that had been removed from the office and returned them to Coalinga Valley Health Clinics.

Coalinga Valley Health Clinics found no evidence to suggest the documents were taken by the employee in order to misuse patient data, but affected individuals have nonetheless been advised to be alert to the possibility of data misuse and have been offered a complimentary 12-month membership to the myTrueIdentity identity theft prevention service.

Coalinga Valley Health Clinics has taken steps to prevent similar breaches in the future and the employee has been terminated.

Email Security Breach Reported by National Cardiovascular Partners

National Cardiovascular Partners, a division of Fresenius Medical Care North America, is alerting patients to a possible breach of their personal and protected health information.

On May 19, 2020, National Cardiovascular Partners discovered an unauthorized individual had gained access to the email account of an employee. The account was immediately secured and an investigation was launched. The investigation revealed the email account was breached on April 27, 2020. A review of the compromised account was completed on June 18, 2020 and confirmed the account contained patients’ protected health information.

National Cardiovascular Partners believes the attack was conducted with the aim of defrauding the company, rather than to obtain patient data. No evidence was found to suggest patient data was accessed or acquired by the attacker.

National Cardiovascular Partners has taken steps to improve email security and further email security training has been provided to its employees. Affected patients have been offered a 12-month complimentary membership to Experian’s IdentityWorks identity theft protection service.


Quantum Imaging and Therapeutic Associates Investigating Possible Facebook HIPAA Breach

The Pennsylvania physician-owned radiology practice, Quantum Imaging and Therapeutic Associates, has announced that reports have been received about a non-physician employee who allegedly shared an x-ray of a male patient’s genitalia with members of a Facebook group.

The sharing of medical images on social media networks without patient consent is a violation of patient privacy and HIPAA. Quantum issued a statement on Facebook confirming reports had been received about a privacy breach and said, “Quantum is committed to respecting the privacy of its patients and is deeply disheartened by these reports.” No further information has been released about the breach pending the results of the investigation. The matter has been reported to Fairview Township police and an investigation has been launched, but no arrests have been made at this stage. Several individuals have commented on the Facebook post claiming the image could be viewed by ‘thousands’ of people.

US HealthCenter Discovered Email Account Breach

The health risk management corporation US HealthCenter has discovered an email account was accessed by an unauthorized individual, who may have viewed or obtained the personal and protected health information of members of the Cost Plus World Market (Cost Plus) Wellness Program.

The breached email inbox was used to receive completed Annual Preventive Screening affidavits from participants. Questions from Wellness Program participants about the program were also sent to the email account. US HealthCenter discovered the unauthorized access on April 13, 2020 when the account was used to send phishing emails to Cost Plus wellness plan participants. During the time that the account was accessible, the unauthorized individual was able to view and forward emails.

The review of emails in the account showed they contained participants’ names, employee numbers, dates of birth, physician signatures, dates of exams, and limited health information.

The account was immediately secured. The email account is now hosted on a new Microsoft Office 365 platform with better security protections, and multi-factor authentication has been added to all email accounts. US HealthCenter did not find any evidence to suggest personal information has been misused.

Delaware Department of Health and Social Services Discovered Impermissible PHI Disclosure

The Delaware Department of Health and Social Services has discovered a spreadsheet containing protected health information was accidentally shared with four students.

Four seniors at the University of Delaware had requested information for a project to help them identify service gaps in the community and were sent a spreadsheet. The students required information such as the age range of individuals and their disability status, but identifying information had not been removed prior to the spreadsheet being shared. The students were able to view full names, birth dates, diagnoses, and county information related to 350 individuals.

The students gave a presentation of their report via Zoom on May 8, in which data was presented that included patients’ PHI. The Delaware Department of Health and Social Services immediately ended the presentation when it was discovered protected health information had been included. The students were ordered to delete the data and the employee who sent the spreadsheet has been disciplined.


36,000 Members Affected by Central California Alliance for Health Email Breach

The Central California Alliance for Health has discovered an unauthorized individual gained access to the email accounts of several employees and potentially viewed or copied information in emails and email attachments. The breach was detected on May 7, 2020 and prompt action was taken to secure the affected accounts. In each case, the accounts were accessed for a period of about one hour.

A review of the compromised accounts revealed they contained a limited amount of protected health information of Central California Alliance for Health members such as Alliance Care management program records, dates of birth, claims information, demographic information, Medi-Cal ID numbers, referral information, and medical information. No financial information or Social Security numbers were compromised.

Following the breach, a full password reset was performed for all email accounts, including those that were not compromised. Further training on email security has also been provided to employees.

The breach has been reported to the Department of Health and Human Services’ Office for Civil Rights as affecting 35,883 members.

Hutton & Hale, D.D.S., Inc. Hack Impacts 8,394 Patients

Dr. Ann Hale of Hutton & Hale, D.D.S., Inc. has started notifying 8,394 patients that some of their protected health information may have been obtained by a hacker who gained access to the practice’s databases and computer systems on May 25, 2020.

Those systems contained patients’ medical records and protected health information such as names, addresses, contact telephone numbers, Social Security numbers, and X-ray data information.

All affected patients have been offered complimentary membership to identity theft protection and credit monitoring services for 12 months and will be protected by a $1,000,000 identity theft insurance policy. No reports have been received to date to suggest any patient information has been misused.

The practice is adding additional safeguards to its web server infrastructure to prevent further security breaches.

Wisconsin Department of Corrections Breach Impacts 1,853 Individuals

The Wisconsin Department of Corrections has discovered information on individuals in its treatment facilities was exposed on the websites of three vendors contracted to manage canteen orders. The data was discovered by an employee on May 15, 2020. Affected individuals were notified on June 15, 2020.

The exposed information was limited to names along with information about the treatment facility where they are located. That information should have been masked on the websites. The error has now been corrected and the information is no longer accessible via the internet.


Benefit Recovery Specialists Hacked and PHI of 274,837 Individuals Exposed

The Houston, TX-based billing and collection company, Benefit Recovery Specialists, Inc., (BRSI) has announced it has discovered malware on its systems that may have allowed unauthorized individuals to view or obtain protected health information.

The personal and protected health information (PHI) on BRSI systems had been provided to the company in its capacity as a business associate and included the PHI of current and former members and patients of its health plan and healthcare provider customers.

The malware was discovered on April 30, 2020 and an internal investigation was immediately launched. Third-party computer forensics specialists were engaged to help investigate the breach and determine the extent and scope of the attack. The investigation revealed an unauthorized individual had gained access to BRSI systems using stolen employee credentials. Once a foothold had been established in the network, the attacker downloaded malware.

The forensic investigators concluded that the attacker first gained access to BRSI systems on April 20, 2020 and had access to the systems until April 30, 2020. During that time, PHI was accessible and may have been exfiltrated. The substitute breach notice on the BRSI website makes no mention of the type of malware involved.

The types of sensitive data on the compromised parts of its systems included names, dates of birth, dates of service, provider names, policy identification numbers, procedure codes, and/or diagnosis codes. The Social Security numbers of some individuals were also potentially compromised.

The investigation into the breach concluded on May 29, 2020 and patients started to be notified on June 2, 2020. No evidence of misuse of individuals’ PHI was identified, but affected individuals have been told to be alert to the risk of identity theft and fraud and have been advised to carefully monitor their account and explanation of benefits statements for signs of misuse of their information. Based on the substitute breach notice, it does not appear that credit monitoring services are being offered to breach victims.

The incident has been reported to the Department of Health and Human Services’ Office for Civil Rights. The breach summary indicates 274,837 individuals have been affected, making this one of the largest healthcare data breaches to be reported in 2020.

Health Plan Member Portals Accessed Using Stolen Credentials

The Philadelphia-based health plans Independence Blue Cross, AmeriHealth HMO, Inc., and AmeriHealth Insurance Company of New Jersey have discovered unauthorized individuals gained access to pages in their member portals between March 17, 2020 and April 30, 2020 and potentially viewed the personal and protected health information of some of their members.

The types of information exposed included names, member identification numbers, plan type, spending account balances, user reward summaries, and claims information.

An investigation into the breach revealed valid credentials had been used to access the portal. In all cases, the passwords used to access the member portals had been obtained as a result of breaches of third-party websites and applications, such as the breach of MyFitnessPal in 2018. The passwords for those third-party websites had been reused on the member portals.

The health plans were informed of the breach on May 8, 2020 and immediately took steps to secure the accounts and prevent further unauthorized access. All affected members have now been notified and have been offered 24 months of free credit monitoring and identity theft protection services.

49,500 Providence Health Plan Members Affected by Business Associate Data Breach

49,511 members of the Oregon-based Providence Health Plan have been affected by a data breach at one of its business associates.

On April 17, 2020, Brooklyn-based Zipari alerted Providence Health Plan about a coding error that allowed documents related to employer-sponsored health plans to be exposed online. The coding error was detected by Zipari on April 9, 2020. The investigation revealed the documents had been accessed by unauthorized individuals in May, September, and November 2019. The documents contained member names, employer names, and dates of birth. No other information was compromised.

The breach prompted Providence Health Plan to arrange a third-party audit of Zipari’s data security practices. Affected plan members have been offered complimentary credit monitoring services.

Central California Alliance for Health Discovers ‘Many’ Email Accounts Breached

On May 7, 2020, Central California Alliance for Health (CCAH) discovered an unauthorized individual gained access to the email accounts of some of its employees and potentially viewed and obtained the protected health information of some of its members. According to the breach notice submitted to the California Attorney General’s office, many CCAH email accounts were subjected to unauthorized access for about one hour.

A review of the compromised email accounts revealed they contained names, dates of birth, demographic information, Medi-Cal ID numbers, Alliance Care Management Program records, claims information, medical information, and referral information.

A full password reset was performed on all CCAH email accounts and further training has been provided to the workforce on email security. CCAH is unaware of any misuse of members’ information.
