HIPAA Breach News

CMS Blue Button 2.0 Coding Bug Exposed PHI of 10,000 Medicare Beneficiaries

The Centers for Medicare and Medicaid Services (CMS) has discovered a bug in its Blue Button 2.0 API that exposed the protected health information of 10,000 Medicare beneficiaries. Access to the Blue Button API has been temporarily suspended while the CMS investigates and completes a comprehensive code review. The CMS has not produced a timeline for when the Blue Button 2.0 service will be resumed.

On December 4, 2019, the CMS was alerted to a data anomaly with the Blue Button API by a third-party application partner. The CMS confirmed the data anomaly and immediately suspended access to the production environment while the matter was investigated.

The CMS determined the anomaly was due to a coding bug. That bug potentially allowed data to be shared with incorrect Blue Button 2.0 applications and the wrong beneficiaries. The CMS determined 30 applications have been impacted by the bug.

The Blue Button platform is used by Medicare beneficiaries to authorize third-party applications, services, and research programs to access their claims data. A CMS identity management system verifies user credentials through a randomly generated unique user ID, which ensures the correct beneficiary claims data is shared with the correct third-party applications.

The CMS discovered a coding bug was causing Blue Button 2.0 to truncate a 128-bit user ID to a 96-bit user ID. A 96-bit user ID is not sufficiently random and, as a result, the same truncated user ID was assigned to different beneficiaries. That meant that some of the beneficiaries with the same truncated user ID in the identity management system had their claims data passed to other users and applications via Blue Button 2.0.
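The following Python is an added illustration of the failure mode described above; it is not CMS code and does not describe how Blue Button 2.0 actually stores identifiers. It uses constructed 128-bit identifiers, a truncation that keeps the low 96 bits (the article does not say which bits were dropped, so that is an assumption), and the uniqueness check that a synthetic-data integration test could apply before keying beneficiary records by the stored ID. The beneficiary names are placeholders.

```python
from collections import defaultdict

FULL_BITS = 128
TRUNCATED_BITS = 96

# Constructed sample identifiers (not real CMS data). The first three share
# their low 96 bits and differ only in the top 32, so truncation merges them.
SAMPLE_IDS = [
    0x00000001_0123456789ABCDEF01234567,
    0x00000002_0123456789ABCDEF01234567,
    0x00000003_0123456789ABCDEF01234567,
    0xDEADBEEF_FEDCBA9876543210FEDCBA98,
]

# Constructed beneficiary records keyed by full ID (placeholder names).
SAMPLE_BENEFICIARIES = [
    (SAMPLE_IDS[0], "beneficiary-A"),
    (SAMPLE_IDS[1], "beneficiary-B"),
    (SAMPLE_IDS[2], "beneficiary-C"),
    (SAMPLE_IDS[3], "beneficiary-D"),
]


def truncate_id(user_id: int, bits: int) -> int:
    """Keep only the low `bits` bits of an identifier.

    Assumption: the bug dropped the high-order bits. The article only says
    that a 128-bit ID became a 96-bit ID, not which bits were lost.
    """
    return user_id & ((1 << bits) - 1)


def find_collisions(ids, width_bits: int) -> dict:
    """Group full IDs by their stored (truncated) form and return only the
    groups where more than one full ID maps to the same stored value."""
    buckets = defaultdict(list)
    for uid in ids:
        buckets[truncate_id(uid, width_bits)].append(uid)
    return {stored: full for stored, full in buckets.items() if len(full) > 1}


def build_registry(beneficiaries, width_bits: int) -> dict:
    """Key beneficiary records by the stored ID, refusing to proceed on a
    collision.

    This is the invariant the truncating code path lacked: a stored ID must
    resolve to exactly one beneficiary, or claims data can be routed to the
    wrong person and the wrong application.
    """
    registry = {}
    for full_id, record in beneficiaries:
        key = truncate_id(full_id, width_bits)
        if key in registry and registry[key] != record:
            raise ValueError(
                f"stored ID collision at {width_bits} bits: "
                f"{registry[key]!r} and {record!r}"
            )
        registry[key] = record
    return registry


def registry_is_consistent(beneficiaries, width_bits: int) -> bool:
    """True when every beneficiary gets a distinct stored ID at this width."""
    try:
        build_registry(beneficiaries, width_bits)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    for width in (FULL_BITS, TRUNCATED_BITS):
        clashes = find_collisions(SAMPLE_IDS, width)
        print(f"{width}-bit stored IDs: {len(clashes)} collision group(s), "
              f"consistent={registry_is_consistent(SAMPLE_BENEFICIARIES, width)}")
```

Run against synthetic identifiers like these, the check passes at 128 bits and fails at 96 bits, which is the kind of signal a synthetic-data integration test with the identity management system could have produced without exposing any real beneficiary record.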

The error, and why it resulted in the impermissible disclosure of claims data, is now fully understood. What was not initially clear was how the bug was introduced and why it was not found in time to prevent the exposure and disclosure of sensitive beneficiary data.

There are three takeaways from the initial findings of the investigation, related to code reviews, testing, and cross-team collaboration.

The CMS investigation found the bug was introduced on January 11, 2018. When changes are made, there is usually a comprehensive review of the changes, but in January a comprehensive review was not completed. If the review had occurred, the bug could have been identified and corrected before any sensitive information was disclosed.

The CMS tests Blue Button 2.0 using synthetic data to verify functionality. This ensures that no personal health information is put at risk. Integration of Blue Button 2.0 with other systems is not tested in order to protect personal health information. Consequently, integration with the identity management system was not tested.

The CMS notes that the code that generates the user ID token is run by a separate identity management team. The Blue Button 2.0 team made assumptions about how the token worked, and they were not validated. If there was better collaboration between enterprise teams, the necessary information would have been present in decision making.

Steps have now been taken to prevent further errors from occurring in the future. An enhanced quality review and validation process has been implemented, and the Blue Button 2.0 team will perform comprehensive reviews of all new code to ensure that any coding errors are identified and corrected before the code changes go live. Blue Button 2.0 will now also store full user IDs instead of truncated IDs.

A full review of the platform is now being conducted and the API will remain suspended until that coding review has been completed.

An in-depth analysis will also be conducted to determine the potential impact on affected beneficiaries. Decisions will then be made about what other steps are required to protect affected beneficiaries, such as the provision of credit monitoring services.

The post CMS Blue Button 2.0 Coding Bug Exposed PHI of 10,000 Medicare Beneficiaries appeared first on HIPAA Journal.

Email Security Breaches Reported by Conway Medical Center and Equinox Inc.

The email accounts of several employees of Conway Medical Center in South Carolina have been accessed by unauthorized individuals.

The phishing attack was detected on October 7, 2019 and affected email accounts were immediately secured to prevent further unauthorized access. External cybersecurity experts were engaged to investigate the breach and determine whether patient information had been viewed or acquired. The investigators determined that the first email accounts were compromised in or before July 2019.

It took until November 20, 2019 for the investigators to confirm that the protected health information of patients had been exposed as each email had to be checked to determine whether it contained PHI and if it had been accessed. That was largely a manual process.

The way the email accounts were accessed meant emails may have synchronized with the attacker’s computer and could have been automatically downloaded.

Those emails contained names, addresses, Social Security numbers, dates of birth, phone numbers, dates of admission, discharge dates, CMC account numbers, amount owed, and other information. For certain patients, the names, addresses, phone numbers, Social Security numbers, place of employment, and other information related to their guarantors was also potentially acquired.

Steps have now been taken to improve email security and notification letters have been mailed to affected patients. Individuals whose financial data has been exposed have been offered complimentary identity theft protection services.

The breach report submitted to the Department of Health and Human Services’ Office for Civil Rights indicates 2,500 patients have been affected by the security breach.

1,021 Clients of Equinox, Inc. Notified of PHI Exposure

Equinox, Inc., an Albany, NY-based provider of services to individuals with chemical dependency and mental health issues and to domestic abuse survivors, has discovered the email accounts of two of its employees have been accessed by unauthorized individuals.

The data security breach was discovered on July 26, 2019 when suspicious activity was detected in its digital environment. Its systems were immediately secured and third-party cybersecurity experts were engaged to investigate the breach. Equinox was informed on August 28, 2019 that two email accounts had been accessed by unauthorized individuals.

The affected email accounts were then reviewed to determine whether they contained any patient information. Equinox was informed on October 9, 2019 that the protected health information of 1,021 current and former clients had potentially been accessed. The email accounts contained names, addresses, Social Security numbers, dates of birth, medical treatment or diagnosis information, health insurance information, and/or medication-related information.

No evidence was found to suggest information in emails and attachments was viewed or acquired and no reports have been received to indicate clients’ information has been misused.

Affected individuals were notified on December 6, 2019 and have been offered complimentary credit monitoring and identity theft protection services. Additional security measures have been implemented to prevent further breaches of this nature in the future.


Tidelands Health Recovering from Malware Attack

Tidelands Health in Georgetown, SC, is working round the clock to restore its computer systems after the discovery of malware on its network on December 12, 2019. The attack has forced the healthcare provider to shut down parts of its network and implement emergency protocols. Staff have been using paper records for patients while the malware is removed and systems are restored and brought back online.

Patients are being seen and quality care is still being provided, although a limited number of non-emergency appointments have had to be rescheduled, according to Tidelands Health spokesperson Dawn Bryant.

The type of malware involved has not been disclosed, although Tidelands Health has said no data was lost and patient information was not compromised.

Third-party cybersecurity experts have been engaged to investigate the attack, remove the malware, and restore its systems. That is a time-consuming, methodical process as the stability and integrity of every system must be thoroughly assessed before it is possible to bring each back online.

Stolen Children’s Hope Alliance Laptop Computer Contained the PHI of 4,564 Patients

Barium Springs, NC-based healthcare provider, Children’s Hope Alliance, is notifying 4,564 patients that some of their protected health information has been exposed. The data was stored on an employee’s laptop computer which was stolen on October 7, 2019.

Third-party computer forensics investigators have been engaged to determine what information was stored on the laptop. The investigation is ongoing, but the preliminary findings indicate documents on the device contained names, addresses, Social Security numbers, tax ID numbers, dates of birth, medication and dosage information, and usernames and passwords.

Notifications will be sent to affected individuals when the investigation has been completed. At this stage, no evidence has been found to indicate any patient information has been accessed by unauthorized individuals and no reports of misuse of patient information have been received.


Truman Medical Centers Notifies 114,466 Patients of Potential PHI Exposure

Truman Medical Centers, the largest provider of inpatient and outpatient services in Kansas City, MO, has discovered the protected health information of 114,466 patients was stored on an unencrypted laptop computer that was stolen from the vehicle of one of its employees.

The laptop was protected with a password, but it is possible that the password could be cracked and the data on the device accessed. At the time of issuing the notifications, Truman Medical Centers had not uncovered any evidence to suggest that any patient information has been accessed by unauthorized individuals or has been misused.

The types of information on the laptop varied from patient to patient and may have included patient names along with one or more of the following types of information: dates of birth, patient account numbers, medical record numbers, Social Security numbers, health insurance information, and limited medical and treatment information, such as diagnoses, dates of service, and provider names.

The theft occurred on July 18, 2019, but it took until October 29, 2019 to determine that patient information was stored on the device. All individuals whose protected health information was stored on the laptop have now been notified by mail. Individuals whose Social Security number was stored on the device have been offered complimentary credit monitoring and identity protection services.

Employees have been re-educated on portable device security. Additional controls are being installed on employee laptops to enhance security.

Stolen Blackberry Contained the PHI of 2,477 Patients of La Clínica de La Raza, Inc.

La Clínica de La Raza, Inc, a provider of primary health care and other services in Alameda, Contra Costa, and Solano counties in California, has also discovered a portable electronic device has been stolen.

On August 20, 2019, a briefcase containing a La Clínica de La Raza-issued Blackberry device was stolen from an employee’s vehicle. Assisted by a computer forensics firm, La Clínica de La Raza determined on October 16, 2019 that the Blackberry contained the protected health information of 2,477 patients.

The information was found in two emails that had been downloaded onto the device. Those emails contained names, birth dates, medical record numbers, and non-sensitive test results.

While it is possible that the information could be accessed by unauthorized individuals, La Clínica de La Raza said PHI access would have been difficult. Affected patients were notified of the breach by mail on December 13, 2019. Affected individuals have been offered a one year membership to credit monitoring and identity protection services at no cost.

Steps are now being taken to improve the security of portable electronic devices and employees have had training on portable device security reinforced.


Hackensack Meridian Health Recovering from Ransomware Attack

Hackensack Meridian Health, the largest health network in New Jersey, has announced it experienced a cyberattack last week that saw ransomware deployed on its network. The attack saw files encrypted and took its network offline for two days.

Without access to computer systems and medical records, Hackensack Meridian Health was forced to cancel non-emergency medical procedures and doctors and nurses had to switch to pen and paper to allow care to continue to be provided to patients.

The attack was detected quickly, law enforcement and regulators were immediately notified, and cybersecurity experts were consulted to determine the best course of action. The health network initially announced that it was experiencing external technical issues so as not to interfere with the investigation but confirmed later in the week that the incident was a ransomware attack.

When ransomware is deployed, files need to be restored from backups and systems may need to be rebuilt. That process can take several weeks. In order to prevent continued disruption to patient services, the decision was taken to pay the ransom demand. A spokesperson for Hackensack Meridian Health said, “We believe it’s our obligation to protect our communities’ access to health care.”

The amount of the ransom has not been publicly disclosed but Hackensack Meridian Health did confirm that it holds a cybersecurity insurance policy that will cover some of the cost of the ransom payment and remediation efforts.

Hackensack Meridian Health has confirmed that its main clinical system is now back online and is fully operational, but it may take several days before other parts of its system are brought back online.

Several major ransomware attacks on healthcare organizations and business associates have been announced in the past few weeks. In the past week alone The Cancer Center of Hawaii announced it was attacked and was forced to postpone radiology treatments for patients. A ransomware attack was also announced by a Colorado business associate which impacted more than 100 dental practices.

In its latest cybersecurity letter, the HHS’ Office for Civil Rights explains how HIPAA compliance can help prevent ransomware attacks and ensure healthcare organizations recover from attacks quickly if hackers succeed in breaching their defenses.


$85,000 Penalty for Korunda Medical for HIPAA Right of Access Failures

The Department of Health and Human Services’ Office for Civil Rights has announced its second enforcement action under its HIPAA Right of Access Initiative. Florida-based Korunda Medical has agreed to settle potential violations of the HIPAA Right of Access and will adopt a corrective action plan and bring its policies and procedures in line with the requirements of the HIPAA Privacy Rule.

In March 2019, OCR received a complaint from a patient who alleged she had not been provided with a copy of her medical records in the requested electronic format despite making repeated requests. The complainant alleged that Korunda Medical refused to send an electronic copy of her medical records to a third party and was overcharging patients for providing copies of their medical records. Under HIPAA, covered entities are only permitted to charge a reasonable, cost-based fee for providing access to patients’ protected health information.

The initial complaint was filed with OCR on March 6, 2019. On March 18, 2019, OCR provided technical assistance to Korunda Medical on the HIPAA Right of Access and closed the complaint. Four days later, a second complaint was received which demonstrated continued noncompliance with the HIPAA Right of Access. On May 8, 2019, OCR advised Korunda Medical that a compliance investigation had been launched. As a result of OCR’s intervention, the complainant was provided with a copy of her medical records free of charge. Continued noncompliance with the HIPAA Right of Access resulted in a $85,000 financial penalty for Korunda Medical.

“For too long, healthcare providers have slow-walked their duty to provide patients their medical records out of a sleepy bureaucratic inertia. We hope our shift to the imposition of corrective actions and settlements under our Right of Access Initiative will finally wake up healthcare providers to their obligations under the law,” said OCR Director, Roger Severino.

The HIPAA Right of Access Initiative is a HIPAA enforcement drive to ensure HIPAA-covered entities are providing patients with copies of their medical records in a timely manner, in the format of their choosing, and without being overcharged. The first enforcement action under this initiative was announced in September 2019, when Bayfront Health St. Petersburg was also required to pay a financial penalty of $85,000 to resolve HIPAA Right of Access failures.

This is the ninth HIPAA enforcement action of 2019. OCR has settled 8 HIPAA violation cases this year and has issued one civil monetary penalty, with the financial penalties ranging from $10,000 to $3 million. So far in 2019, $12,209,000 has been paid to OCR to resolve HIPAA violations.


Ransomware Attack on The Cancer Center of Hawaii Delayed Radiation Therapy for Patients

On November 5, 2019 The Cancer Center of Hawaii in Oahu was attacked with ransomware. The attack forced the Cancer Center to shut down its network servers, which meant it was temporarily prevented from providing radiation therapy to patients at Pali Momi Medical Center and St. Francis’ hospital in Liliha.

While patient services experienced some disruption, no patient information is believed to have been accessed by the attackers. The forensic investigation into the breach is ongoing but all data stored on its radiology machines has been recovered and its network is now fully operational.

It is unclear for how long its network was down and no information has been released so far on the types of patient information that may have been accessed.

The Cancer Center has notified the FBI about the breach and will report the incident to appropriate authorities, if the forensic investigators confirm that patient data may have been accessed.

The breach was confined to the Cancer Center’s systems. Pali Momi Medical Center and St. Francis’ hospital were unaffected by the attack as their patient data and systems are isolated from the Cancer Center.

Zuckerberg San Francisco General Hospital Alerts Patients to Improper Disposal Incident

1,174 patients of Zuckerberg San Francisco General Hospital are being notified that meal tickets containing a limited amount of their protected health information have been disposed of in an improper manner.

The meal tickets contained patients’ full names, their bed/unit in the hospital, birth month, dietary information, and the menu they received. The tickets should have been disposed of in confidential waste bins but were accidentally disposed of with regular trash.

The breach was due to an employee being unaware that the meal tickets needed to be sent for shredding. The San Francisco Department of Health learned about the improper disposal incident on November 15, 2019. The employee had been disposing of the meal tickets in regular trash bins between June 18 and November 4. The employee has since been advised of the correct procedures for the disposal of sensitive information.


Patients Notified of Phishing Attack at Cheyenne Regional Medical Center

Cheyenne Regional Medical Center in Wyoming has recently learned that patient information may have been compromised as a result of a phishing attack discovered in April.

The medical center was alerted to a potential security breach following the detection of suspicious activity related to employee payroll accounts on or around April 5, 2019. Around a week later, the medical center learned that employee email accounts had been compromised.

The investigation revealed the attackers had gained access to employee email accounts between March 27, 2019 and April 8, 2019. The aim of the attack appears to have been to access employee payroll information, although patient information contained in email accounts may also have been accessed.

The types of information potentially accessed varied from patient to patient and may have included names, dates of birth, Social Security numbers, driver’s license numbers, dates of service, provider names, medical record numbers, patient identification numbers, medical information, diagnoses, treatment information, and health insurance information. A very small percentage of patients also had financial information or credit card numbers exposed.

The forensic investigation confirmed on August 21, 2019 that patient information was potentially accessed by the hackers, although at that stage of the investigation the full extent of the attack was not known. It took until November 1, 2019 before the medical center obtained a full list of affected patients.

There was a further delay in sending notifications, as up-to-date contact information was not held for a significant number of patients. Finding that information took time.

The medical center explained that most patient information is stored in its electronic medical record system, but information is securely exchanged between staff members via email for administrative purposes and for consultations.

Affected patients have now been notified by mail and have been offered complimentary credit monitoring and identity theft protection services through Kroll.

Cheyenne Regional Medical Center should be commended for its thorough explanation of the breach and investigation, and the reason for the 8-month delay sending notifications. All patients want to be notified of any exposure of their personal and health information quickly but will be unaware of the work involved in a breach investigation and how long it can take to find the information necessary to issue notifications. Such a detailed explanation will help patients to understand why it has taken so long to learn about the breach.


Phishing Attacks Reported by Sunrise Community Health and Katherine Shaw Bethea Hospital

Evans, CO-based Sunrise Community Health has discovered the email accounts of several employees were compromised as a result of employees responding to phishing emails. The email accounts were accessed by unauthorized individuals between September 11, 2019 and November 22, 2019.

Assisted by third-party computer forensics experts, Sunrise Community Health determined on November 5, 2019 that the compromised email accounts contained the protected health information of certain patients. The types of data present in the email accounts varied from patient to patient and may have included names, dates of birth, Sunrise patient ID numbers, Sunrise provider names, dates of service, types of clinical examinations performed, the results of those examinations, diagnoses, medication names, and names of health insurance carriers.

Sunrise Community Health does not believe the aim of the attack was to obtain patient information, but the possibility of unauthorized data access and data theft could not be ruled out. The attackers appeared to be targeting invoice and payroll information.

The investigation into the attack is continuing but breach notification letters have now been sent to affected individuals. Sunrise Community Health is offering affected patients complimentary credit monitoring and identity theft restoration services.

1,486 Katherine Shaw Bethea Hospital Patients Impacted by Phishing Attack

Katherine Shaw Bethea Hospital in Dixon, IL has discovered an unauthorized individual has gained access to the email account of an employee and potentially obtained a spreadsheet containing the protected health information of 1,486 patients.

The spreadsheet contained names, dates of birth, phone numbers, health insurance carrier names, diagnoses, and clinical information of patients under 18 years of age who had visited the emergency department between November 1, 2018 and May 1, 2019.

Katherine Shaw Bethea Hospital has implemented additional measures to improve email security and all staff members have been provided with further cybersecurity training to help them identify phishing scams.

NYC Health + Hospitals Alerts Patients to Improper Disclosure Incident

NYC Health + Hospitals is alerting patients who received treatment following a motor vehicle accident that some of their protected health information may have been impermissibly disclosed to third parties by an employee.

NYC Health + Hospitals was notified on October 3, 2019 that one of its employees had disclosed patient information to third parties such as law firms between 2016 and November 2019.

NYC Health + Hospitals is assuming that all patients who received treatment at its hospitals and clinics following a motor vehicle accident may have been affected. The investigation into the incident is ongoing and appropriate disciplinary action is being taken against the employee concerned.
