HIPAA Breach News

Patients Notified Medical Records Exposed at Tornado Hit Secure Medical Record Facility

Several healthcare providers have been affected by an unusual data breach at Waupaca, WI-based STAT Informatics Solutions, LLC. STAT provides secure medical records services to several healthcare providers which includes scanning paper files so they can be added to hospital medical record systems.

On March 3, 2020, a STAT facility in Lebanon, TN was hit by a tornado, which caused extensive damage to the building and some of the records stored in the facility. STAT notified all affected clients the same day, and representatives of those healthcare providers visited the site to assist with locating and securing medical records in the facility.

To limit the potential for unauthorized access, a tall fence was erected around the building while the medical records were located and secured. Two security guards were also posted on site 24/7 to prevent unauthorized individuals from accessing the building.

The majority of the medical records were found in the remnants of the building, but the records were determined to be unsalvageable and have now been securely destroyed.

While it is possible that unauthorized individuals may have viewed some paperwork relating to patients, no evidence has been uncovered to suggest that was the case and patients are not believed to be at risk of financial harm. Out of an abundance of caution, patients whose records were stored in the building are being notified by mail and will be offered complimentary credit monitoring services.

The medical records at the facility contained the following types of information: Full names, Social Security numbers, addresses, dates of birth, medical record numbers, account numbers, medical images, diagnoses, nursing and physician documentation, test results, medications, and other types of information typically found in medical records.

The following healthcare providers have confirmed they were affected by the incident.

  • Bayfront Health Port Charlotte, FL
  • Bayfront Health Punta Gorda, FL
  • Commonwealth Health Wilkes-Barre General Hospital, PA (518 records)
  • Commonwealth Health Moses Taylor Hospital, PA (1,905 records)
  • Poplar Bluff Regional Medical Center, MO (1,619 records)

The post Patients Notified Medical Records Exposed at Tornado Hit Secure Medical Record Facility appeared first on HIPAA Journal.

Phishing Attack at BJC HealthCare Impacts Patients at 19 Hospitals

BJC Healthcare has announced that the email accounts of three of its employees have been accessed by an unauthorized individual after the employees responded to phishing emails.

Suspicious activity was detected in the email accounts on March 6, 2020 and the accounts were immediately secured. A leading computer forensics firm was engaged to conduct an investigation which revealed the three accounts had only been accessed for a limited period of time on March 6. It was not possible to tell if patient data was viewed or obtained by the attacker.

A review of the accounts revealed they contained the data of patients at 19 BJC and affiliated hospitals. Protected health information in emails and attachments varied from patient to patient and may have included the following data elements:

Patients’ names, medical record numbers, patient account numbers, dates of birth, and limited treatment and/or clinical information, which included provider names, visit dates, medications, diagnoses, and testing information. The health insurance information, Social Security numbers, and driver’s license numbers of certain patients were also potentially compromised.

All patients affected by the breach will be notified by mail when the email account review is completed. Patients whose driver’s license or Social Security number has potentially been compromised will be offered complimentary credit monitoring and identity theft protection services.

BJC HealthCare said additional security measures will be implemented to prevent incidents such as this in the future and staff will be retrained to help them identify and avoid suspicious emails.

The following BJC HealthCare and affiliated hospitals were affected by the breach:

  • Alton Memorial Hospital
  • Barnes-Jewish Hospital
  • Barnes-Jewish St. Peters Hospital
  • Barnes-Jewish West County Hospital
  • BJC Behavioral Health
  • BJC Corporate Health Services
  • BJC Home Care
  • BJC Medical Group
  • Boone Hospital Center
  • Christian Hospital
  • Memorial Hospital Belleville
  • Memorial Hospital East
  • Missouri Baptist Medical Center
  • Missouri Baptist Physician Services, LLC
  • Missouri Baptist Sullivan Hospital
  • Parkland Health Center Bonne Terre
  • Parkland Health Center Farmington
  • Progress West Hospital
  • St. Louis Children’s Hospital

Shareholder Sues LabCorp to Recover Losses Caused by Data Breaches

A LabCorp shareholder is taking legal action against LabCorp and its executives and directors over the loss in share value that was caused by two cyberattacks experienced by the company in the past 12 months.

LabCorp was one of the companies worst affected by the data breach at the medical debt collection company, American Medical Collection Agency (AMCA) in 2019. The records of 10,251,784 patients who used LabCorp’s services were obtained by hackers who infiltrated AMCA’s systems. At least 24 of AMCA’s clients were affected by the breach.

A second LabCorp data breach was reported by TechCrunch in January 2020 that involved around 10,000 LabCorp documents, which the lawsuit alleges was not publicly disclosed by the company nor mentioned in any SEC filings. The breach was the result of a website misconfiguration and allowed the documents to be accessed by anyone. The breach was also not reported to the HHS’ Office for Civil Rights, even though TechCrunch researchers confirmed that the documents contained patient data.

Raymond Eugenio, who holds LabCorp shares that lost value as a result of the data breaches, filed the lawsuit on April 23, 2020 to recover those and other losses. The lawsuit names LabCorp as the defendant along with 12 of the company’s executives and directors, including LabCorp CIO Lance Berberian, CFO Glenn Eisenberg, and director Adam Schechter.

The lawsuit alleges that prior to the AMCA breach and subsequently, LabCorp failed to implement appropriate cybersecurity procedures and did not have sufficient oversight of cybersecurity, which directly resulted in the two data breaches.

In an SEC filing, LabCorp explained the AMCA data breach cost the company $11.5 million in 2019 in response and remediation costs, but the lawsuit points out that the figure is just a fraction of the total losses and does not cover the cost of the litigation that followed. Several class action lawsuits naming LabCorp have been filed by victims of the AMCA data breach, so the total losses are not known to its shareholders. The lawsuit also states that the second breach has not been acknowledged publicly or in any SEC filings. As such, Eugenio alleges LabCorp failed in its responsibility to its shareholders and breached its duties of loyalty, care, and good faith.

The lawsuit alleges that:

  • LabCorp failed to implement effective internal policies, procedures, and controls to protect patient information;
  • there was insufficient oversight of compliance with federal and state regulations and with its own internal policies and procedures;
  • LabCorp did not have a sufficient data breach response plan in place;
  • PHI was provided to AMCA without ensuring the company had sufficient cybersecurity controls in place;
  • LabCorp did not ensure that individuals and entities affected by the breach were notified in a timely manner; and
  • the company did not make adequate public disclosures about the data breaches.

The lawsuit seeks reimbursement for damages sustained as a result of the breaches and public acknowledgement of the January 2020 data breach. The lawsuit also calls for a reform of corporate governance and internal procedures, and requires a board-level committee to be set up and an executive officer position to be created to ensure adequate oversight of data security.

Ransomware Attacks Claim Three More Healthcare Victims

Parkview Medical Center in Pueblo, Colorado is recovering from a ransomware attack that started on April 21, 2020. The attack resulted in several IT systems being taken out of action, including its Meditech electronic medical record system, which has been rendered inoperable. The attack is currently being investigated and assistance is being provided by a third-party computer forensics firm.

Parkview Medical Center is currently working around the clock to bring its systems back online and recover the encrypted data. In the meantime, medical services continue to be offered to patients, who remain the number one priority. Staff have switched to pen and paper to record patient information until systems can be brought back online. Despite not having access to important systems, the medical center says the level and quality of care provided to patients has not changed.

A spokesperson for the medical center said, “While our medical staff continue to work around the clock in response to the ongoing global pandemic, we are doing everything in our power to bring our systems back online as quickly and securely as possible.” The hospital’s website still says systems remain out of action on Wednesday, April 29.

It is not known if this was a manual or automated ransomware attack and if any sensitive data was exfiltrated by the attackers prior to the deployment of ransomware.

ExecuPharm Attacked with Maze Ransomware

On March 13, 2020, the King of Prussia, PA-based pharmaceutical company ExecuPharm experienced a Maze ransomware attack in which sensitive data was stolen. The Maze ransomware operators conduct manual ransomware attacks and steal data from victims before encrypting data. They also threaten to publish the data if the ransom payment is not made, as was the case with this attack.

The attackers have previously stated in a press release that they would be halting ransomware attacks on medical organizations during the COVID-19 pandemic, but that clearly does not appear to apply to pharma firms. In this case the data uploaded to the Maze website includes financial information, documents, database backups, and other sensitive data.

According to a statement issued by ExecuPharm, a leading cybersecurity company has been retained to assist with the investigation and determine the nature and scope of the breach. The incident has been reported to law enforcement and all affected parties have been notified.

In addition to company information, the personal data of employees was also accessed and exfiltrated by the attackers. That information includes Social Security numbers, financial information, driver’s license numbers, passport numbers, bank account information, IBAN/SWIFT numbers, credit card numbers, national insurance numbers, beneficiary information, and other sensitive data. Some data relating to its parent company, Parexel, was also stolen in the attack. Affected individuals have been offered identity theft monitoring services for 12 months free of charge.

The company has rebuilt its servers from backups and once systems have been restored, all data will be recovered from backups. Measures are also being implemented to harden security against these types of attacks, which include multi-factor authentication for remote connections, endpoint protection, and detection and response forensics tools on all systems. Email security measures have also been improved to block ransomware emails.

Brandywine Counselling and Community Services Suffers Ransomware Attack

Brandywine Counselling and Community Services in Delaware has also recently been attacked with ransomware.

The attack was detected on February 10, 2020 and a computer forensic firm was hired to assist with the investigation. The investigation determined servers impacted by the attack contained some client information which was acquired by the attackers.

The attack has been reported to the HHS’ Office for Civil Rights as affecting 4,262 individuals. The data stolen in the attack includes clients’ names, addresses, dates of birth, and/or limited clinical information, such as provider name(s), diagnosis, prescription(s), and/or treatment information, and a limited number of Social Security numbers and driver’s license numbers.

Individuals whose Social Security number or driver’s license number was compromised have been offered complimentary credit monitoring and identity theft protection services. Additional security measures are being implemented to prevent further ransomware attacks in the future.

233,000 Patients Notified About PHI Breach at Genetic Testing Lab

Ambry Genetics, an Aliso Viejo, CA-based genetic testing laboratory, is notifying 232,772 individuals that some of their protected health information was exposed as a result of a recent email security breach. At almost 233,000 records, this is the second largest healthcare data breach to be reported in 2020.

Ambry Genetics discovered an unauthorized individual gained access to an employee’s email account between January 22 and January 24, 2020 and potentially viewed and obtained the protected health information of its customers. The security team and third-party computer forensics experts were unable to determine if any information in the compromised accounts was accessed or stolen, but no reports have been received to suggest any personal information has been misused.

The email accounts were reviewed and found to contain information such as names, medical information, and other information related to the services provided by Ambry Genetics. A small number of individuals also had their Social Security number exposed.

Ambry Genetics has taken steps to enhance security and further training on email security is being provided to its employees.

Former Arizona Endocrinology Center Physician Takes PHI of 74,000 Patients to New Employer

Arizona Endocrinology Center is alerting 74,122 patients that some of their protected health information has been impermissibly disclosed to another medical group by a physician after he left the practice.

Before Dr. Dwivedi left Arizona Endocrinology Center, he downloaded patient data and disclosed the information to his new employer, More MD. Patient names, telephone numbers, addresses, medical record numbers, and the names of patients’ primary doctors were downloaded from the EHR. No Social Security numbers, health insurance information, or financial data was obtained by Dr. Dwivedi.

Arizona Endocrinology Center learned of the incident on February 17, 2020 when patients started reporting they had received text messages from More MD advising them that Dr. Dwivedi had moved to the medical group. More MD also advertised its services in the text messages. The breach investigation revealed the data was downloaded on January 12, 2020.

Arizona Endocrinology Center has told its patients that it has no business relationship with More MD and Dr. Dwivedi no longer works for the practice, so it has been difficult to obtain solid assurances that patient data has now been deleted and will not be used. The practice explained on its website that “our patients and their families are free to contact Dr. Dwivedi and More MD directly to ask them about their personal information.”

March 2020 Healthcare Data Breach Report

March 2020 saw a 7.69% month-over-month decrease in the number of reported healthcare data breaches and a 45.88% reduction in the number of breached records.

In March, 36 healthcare data breaches of 500 or more records were reported to the HHS’ Office for Civil Rights (OCR), which is more than 16% fewer than the average number of monthly breaches over the past 12 months. 828,921 healthcare records were breached in March, which is 194% higher than the monthly average number of breached records.

Largest Healthcare Data Breaches in March 2020

The largest healthcare data breach of the month was reported by the genetic testing company, Ambry Genetics Corporation. An unauthorized individual gained access to an employee’s email account that contained the data of 232,772 patients.

A major phishing attack was reported by the medical device manufacturer Tandem Diabetes Care. Several employees’ email accounts were compromised and the protected health information of 140,781 patients was exposed.

The third largest data breach of the month was reported by Brandywine Urology Consultants, which experienced a ransomware attack in which the data of 131,825 patients was potentially compromised. Affordacare Urgent Care Clinics and the Randleman Eye Center were also attacked with ransomware.

The data breaches reported by Golden Valley Health Centers, the Otis R. Bowen Center for Human Services, and Washington University School of Medicine were due to phishing attacks, the Stephan C Dean breach was an email hacking incident not believed to be a phishing attack, and the OneDigital Health and Benefits breach involved the theft of a laptop computer.

| Name of Covered Entity | Covered Entity Type | Individuals Affected | Type of Breach |
|---|---|---|---|
| Ambry Genetics Corporation | Healthcare Provider | 232,772 | Hacking/IT Incident |
| Tandem Diabetes Care, Inc. | Healthcare Provider | 140,781 | Hacking/IT Incident |
| Brandywine Urology Consultants, PA | Healthcare Provider | 131,825 | Hacking/IT Incident |
| Stephan C Dean | Business Associate | 70,000 | Hacking/IT Incident |
| Affordacare Urgent Care Clinics | Healthcare Provider | 57,411 | Hacking/IT Incident |
| Golden Valley Health Centers | Healthcare Provider | 39,700 | Hacking/IT Incident |
| Otis R. Bowen Center for Human Services | Healthcare Provider | 35,804 | Hacking/IT Incident |
| OneDigital Health and Benefits | Business Associate | 22,894 | Theft |
| Randleman Eye Center | Healthcare Provider | 19,556 | Hacking/IT Incident |
| Washington University School of Medicine | Healthcare Provider | 14,795 | Hacking/IT Incident |

Causes of March 2020 Healthcare Data Breaches

Hacking/IT incidents dominated the breach reports once again, accounting for 52.78% of the month’s breaches (19 incidents) and 94.38% of all records breached in March (782,407 records). The average breach size was 41,179 records and the median breach size was 10,700 records.

Unauthorized access/disclosure incidents accounted for 25% of the month’s breaches (9 incidents) and 1.81% of breached records (15,071 records). The average breach size was 1,674 records and the median breach size was 910 records.

16.66% of the month’s breaches were due to the theft of paperwork/electronic devices (6 incidents). 30,107 patient records were stolen in those incidents, which account for 3.63% of the breached records in March. The average breach size was 5,017 records and the median breach size was 1,595 records. There were two loss incidents reported in March involving 1,336 records.

The bar chart below shows the location of the breached protected health information and clearly indicates the biggest problem area for healthcare providers: securing email accounts and preventing phishing attacks. 50% of the breaches in March involved breached email accounts, the vast majority of which were the result of responses to phishing emails.

March 2020 Data Breaches by Covered Entity Type

Healthcare providers were the worst affected covered entity type with 26 reported breaches. There were 3 breaches reported by health plans and a rare breach at a healthcare clearinghouse.

Business associates of HIPAA covered entities reported 6 breaches and a further two breaches were reported by the covered entity but had some business associate involvement.

States Affected by March 2020 Data Breaches

March’s 36 data breaches were spread across 22 states. California was the worst affected with 7 reported breaches. There were three breaches in Georgia and Minnesota, two in each of Hawaii, North Carolina, Pennsylvania, and Texas, and one breach in each of Arizona, Colorado, Delaware, Florida, Illinois, Indiana, Massachusetts, Maryland, Missouri, Montana, New Jersey, Nevada, Ohio, Utah, and Virginia.

HIPAA Enforcement in March 2020

There were no reported enforcement actions by the HHS’ Office for Civil Rights or state attorneys general in March 2020 but there was some major news on the HIPAA enforcement front.

In response to the SARS-CoV-2 Novel Coronavirus pandemic, OCR announced it is exercising enforcement discretion and will not be imposing financial penalties on covered entities and business associates for noncompliance with certain aspects of HIPAA Rules.

Three Notices of Enforcement Discretion were announced by OCR in March related to the good faith provision of telehealth services, uses and disclosures of PHI by business associates to public health authorities, and good faith participation in the operation of COVID-19 testing centers.

Further information on the Notices of Enforcement Discretion, HIPAA, and COVID-19 can be found on this link.

PHI of 41,000 Patients Exposed in Aurora Medical Center and UPMC Altoona Phishing Attacks

Aurora Medical Center-Bay Area in Marinette, WI is notifying 27,137 patients that some of their protected health information has been exposed as a result of a January 1, 2020 phishing attack.

Several employees responded to the messages and disclosed their email account credentials, which gave the attackers access to their email accounts. The breach was discovered by the medical center on January 9, 2020. A password reset was immediately performed to prevent any further account access and the security breach was reported to law enforcement.

An internal investigation was launched to determine what information was accessed by the attackers, which revealed emails and attachments in the accounts contained the protected health information of patients. Aurora Medical Center has not received any reports indicating there has been any misuse of patient information, but it was not possible to rule out data theft.

A review of the emails in the accounts revealed they contained a range of PHI. The information varied from patient to patient and may have included first and last names, maiden name, marital status, date of birth, address, email address, telephone number, Social Security number, medical record number, driver’s license number, medical device number, passport number, bank account number, health insurance account number, full face photograph, admission date, discharge date, and treatment date.

Steps have been taken to improve email security and employees have been provided with further security awareness training to help them identify phishing emails.

University of Pittsburgh Medical Center Altoona Phishing Attack Reported

UPMC Altoona has discovered an unauthorized individual has gained access to the email account of one of its physicians and potentially viewed or obtained the PHI of some of its patients. The phishing attack was detected on February 13, 2020, shortly after the email account was compromised.

The attacker used the account to send further phishing emails. The investigation did not uncover evidence of data theft, but unauthorized PHI access could not be ruled out.

A forensic investigation revealed the email account contained patient information such as demographic information and limited clinical information. No Social Security numbers, financial information, or health insurance details were exposed.

Notification letters were sent to affected individuals on April 10, 2020. The Office for Civil Rights breach portal indicates up to 13,911 patients have been affected by the phishing attack.

Beaumont Health Notifies 112,000 Patients About May 2019 Data Breach

Michigan’s largest healthcare system, Beaumont Health, has announced that unauthorized individuals have gained access to the email accounts of some of its employees and potentially viewed or obtained patient information stored in emails and email attachments.

On March 29, 2020, Beaumont Health learned that the email account breach, which occurred almost 10 months ago, resulted in the exposure and potential theft of patient information. The investigation of the breach revealed the email accounts were accessed by unauthorized individuals between May 23, 2019 and June 3, 2019. A forensic investigation was performed to determine the extent and scope of the breach, along with a manual review of all emails in the compromised accounts. That review has taken some time to complete, hence the delay in issuing breach notification letters.

The breached email accounts were discovered to contain the protected health information of around 5% of its 2.3 million patients, which is around 112,000 individuals. The types of information exposed and potentially stolen varied from patient to patient and may have included names in combination with one or more of the following data elements: Dates of birth, diagnoses, diagnosis codes, treatment locations, treatment types, procedures, prescription information, internal patient account numbers and medical record numbers. A “limited” number of Social Security numbers and other data was also potentially compromised. While email account access was confirmed, it was not possible to tell if the attackers accessed or stole patient information.

The breach has prompted Beaumont Health to provide further training to the workforce to help employees recognize phishing and other malicious emails. Internal procedures have also been revised and additional technical safeguards have been implemented to prevent further breaches in the future.

This is the second data breach to be announced by Beaumont Health this year. In January, the health system notified 1,182 patients that a former employee had been accessing the records of patients who had received treatment after an automobile accident. The former employee is understood to have disclosed the data to a personal injury lawyer.

Washington University School of Medicine Breach Impacts 14,795 Oncology Patients

Washington University School of Medicine is notifying 14,795 oncology patients that some of their protected health information was stored in an email account that was breached in January 2020.

An unauthorized individual gained access to the email account of a research supervisor in the Division of Oncology between January 12, 2020 and January 13, 2020 as a result of a response to a phishing email. Upon discovery of the breach, immediate action was taken to secure the account and prevent further unauthorized access and a third-party computer forensics firm was engaged to assist with the investigation.

A painstaking review of emails and email attachments in the account revealed they contained the following patient information: Names, dates of birth, medical record numbers, patient account numbers, limited treatment and/or clinical information, including diagnoses, provider names, and lab test results. Certain patients also had their health insurance information and/or Social Security numbers exposed.

Affected individuals are now being notified about the breach and individuals whose Social Security numbers were potentially compromised have been offered complimentary membership to credit monitoring and identity protection services.

Washington University School of Medicine has taken steps to improve email security and has reinforced education with its employees to help them identify suspicious emails.

Phishing Attack Reported by Doctors Community Medical Center

Doctors Community Medical Center in Maryland is alerting certain patients to a breach of their protected health information.

The data breach was identified in January 2020 when suspicious activity was detected in its payroll system. An investigation into the breach revealed a small number of employees had been duped by phishing emails and had disclosed their account credentials to the attackers. In addition to gaining access to the employees’ email accounts, the attackers also had access to the employees’ payroll information.

The investigation confirmed that the first accounts were breached on November 6, 2019, with access possible until January 30, 2020. Around February 13, 2020, Doctors Community Medical Center determined that some of the compromised email accounts contained data sheets that included patient information.

A forensic investigation conducted by third-party investigators was unable to confirm if patient data had been accessed, copied, or disclosed, although no reports have been received to suggest patient information has been misused. Since unauthorized data access could not be ruled out, patients have been notified and offered complimentary credit monitoring and identity restoration services.

The types of information that were potentially compromised included names, addresses, dates of birth, Social Security numbers, driver’s license numbers, military identification numbers, financial account information, diagnoses, treatment information, prescription information, provider names, medical record numbers, patient IDs, Medicare/Medicaid numbers, health insurance information, treatment cost information, and access credentials.

The health system is reviewing and updating its policies and procedures and additional safeguards will be implemented to prevent further attacks.