HIPAA Breach News

St Joseph Health System Discovers Medical Record Storage Facility Improperly Disposed of Patient Records

Posted by HIPAA Journal

St Joseph Health System in North Central Indiana is alerting patients that some of their protected health information has been exposed and may have been viewed by unauthorized individuals. The breach did not happen at St Joseph Health, but at one of its business associates.

Central Files Inc, a secure record storage facility in South Bend, IN, was contracted to securely store patient records in compliance with federal and state regulations and to destroy certain records in accordance with HIPAA Rules. Central Files Inc. has now permanently closed but was required to continue to store patient records until an alternative secure records facility could be located.

Between April 1 and April 9, 2020, several healthcare groups affiliated with St Joseph Health System were notified that confidential records containing information patient information had been dumped in a location in the South Bend area at some point prior to April 1, 2020.

The records discovered at the site were in poor condition. According to the substitute breach notification on the St Joseph Health System website, the records were “showing signs of moisture damage, mold, and rodent infestation, and damage from being mixed with trash and other debris.” Attempts were made to identify patients whose data had been exposed, but trained safety personnel determined that inspecting the majority of the records would be hazardous to health and recommended the best course of action was to arrange for the records to be securely destroyed.

The records that could safely be salvaged have been recovered and St Joseph Health System has engaged a vendor to recover the remaining records from the site. That process was completed on May 20, 2020 and arrangements have been made to have those records securely and permanently destroyed.

In many cases, the records were old and contained out of date information. Some of the documentation included paper copies of medical records and billing statements that contained information such as names, contact information, Social Security numbers, dates of services, and clinical and diagnostic information. Patients have been notified about the breach and told that no evidence was found to suggest any information has been misused, although the possibility of unauthorized access could not be ruled out.

The records related to the following entities

  • Saint Joseph Health System (From 1999 to 2013)
  • Allied Physicians of Michiana (From 1995 to 2007)
  • New Avenues (From June 2004 to December 2015)
  • South Bend Medical Foundation (From 2009 to 2015)
  • Goshen Emergency Physicians, LLC / Elkhart Emergency Physicians, Inc. (From 2002 to 2010)
  • Michiana Hematology Oncology (From 2002 to 2004)
  • Cardiology Associates, Inc. (From March 1, 2007 to November 30, 2013)

The breach has yet to appear on the HHS’ Office for Civil Rights website so it is currently unclear how many patients have been affected.

The post St Joseph Health System Discovers Medical Record Storage Facility Improperly Disposed of Patient Records appeared first on HIPAA Journal.

Aveanna Healthcare Facing Class Action Lawsuit Over 2019 Phishing Attack

Posted by HIPAA Journal

The Atlanta, GA-based healthcare provider Aveanna Healthcare is facing a class action lawsuit over a data breach that occurred in the summer of 2019. Affecting 166,000 patients, it is one of the largest healthcare data breaches to be reported this year.

Aveanna Healthcare provides healthcare services to adults and children in 23 states and is the largest provider of pediatric home care in the United States. In the summer of 2019, several email accounts were compromised in a phishing attack. Aveanna Healthcare discovered the attack on August 24, 2019 and immediately secured its email accounts. The investigation revealed the first email account was breached on July 9, 2019, giving the attackers access to protected health information for more than 6 weeks.

Emails in the compromised accounts contained patient information such as names, health information, financial information, passport numbers, driver’s license numbers, Social Security numbers, and other sensitive data. It was not possible to determine whether emails and files were viewed by the attackers. No evidence was found to suggest  patient information was stolen in the attack, but it was not possible to rule out the possibility that the attackers exfiltrated email data before they were shut out of the email accounts.

The Health Insurance Portability and Accountability Act (HIPAA) Breach Notification Rule requires patients affected by data breaches to be notified about the exposure of their PHI without unnecessary delay and no later than 60 days after the discovery of a breach. The Department of Health and Human Services’ Office for Civil Rights must also be notified about a breach within 60 days.

Aveanna Healthcare delayed issuing breach notifications to patients until this year and reported the breach to the HHS’ Office for Civil Rights on February 14, 2020, more than 5 months after the breach was discovered.

More than 100 patients affected by the breach have so far been included in the lawsuit. They allege that Aveanna Healthcare failed to issue timely notifications, and when those notifications were eventually sent, they failed to explain what types of information had been compromised. Aveanna Healthcare is alleged to have maintained the private personal and healthcare data of patients “in a reckless manner” and information stored in its systems was vulnerable to attack as a result.

The lawsuit states that Aveanna Healthcare was aware that patient data was at risk yet failed to take adequate steps to secure patient data. The plaintiffs also allege Aveanna Healthcare was not properly monitoring computer systems that contained patient data. If those systems were being monitored, it would not have taken 6 weeks for the data breach to be identified.

The plaintiffs claim they now face an elevated risk of identity theft and fraud as their sensitive data is now in the hands of data thieves. The lawsuit seeks nominal and compensatory damages for patients affected by the breach, reimbursement of out-of-pocket expenses, and injunctive relief.

The post Aveanna Healthcare Facing Class Action Lawsuit Over 2019 Phishing Attack appeared first on HIPAA Journal.

Kaiser Permanente Discovers 8-Year Employee HIPAA Breach

Posted by HIPAA Journal

The Oakland, CA-based healthcare provider, Kaiser Permanente, has discovered a former employee accessed the radiology records of thousands of patients without authorization over a period of 8 years.

The privacy breach was discovered in late March and the employee was placed on administrative leave while an internal investigation was conducted. Kaiser Permanente was unable to find any legitimate work reason for the employee accessing the records and determined that the access fell outside of the scope of the employee’s job functions. The first instance of unauthorized access occurred in 2012 and the employee continued to access radiology records until her actions were discovered in March 2020.

The employee worked as an imaging technician in the radiology department and has now been fired over the HIPAA violation. While unauthorized accessing of protected health information was confirmed, Kaiser Permanente found no evidence to suggest that patient information was copied or was used to commit fraud or any criminal activities.

The breach was reported to the Department of Health and Human Services’ Office for Civil Rights on May 22, 2020 by Kaiser Foundation Health Plan of the Mid-Atlantic States. The breach report shows that over an 8-year period the imaging technician impermissibly accessed the records of 2,756 patients.

All affected individuals are now being notified about the privacy breach by mail.

Ridgeview Institute – Monroe Employee Terminated Over Unauthorized PHI Access and Impermissible Disclosure

Ridgeview Institute – Monroe in Georgia, a provider of mental health and addiction treatment services, has discovered a former employee accessed the records of certain patients without authorization and sent copies of patient information to a personal email account.

The privacy breach was discovered on January 14, 2020, prompting an internal investigation to determine the nature and scope of the breach. It took some time to determine exactly what information had been copied and which patients were affected, hence the delay in notifying affected individuals.

The information in the stolen documents was determined to include patients’ full names, birth dates, Social Security numbers, patient ID numbers, health insurance provider names, diagnoses, treatment information, prescriptions, medical procedures, lab test and other test results.

The employee admitted accessing and copying patient information without authorization and said the data had been subsequently disclosed to her attorney and one other individual.

No reason was provided as to why the information was copied and impermissibly disclosed. According to the Ridgeview Institute, assurances have been obtained from the unauthorized individual to whom the information was disclosed that the documents will not be shared with another parties and the employee, who no longer works at Ridgeview, has confirmed that all other copies of the documents have been destroyed.

All affected patients are in the process of being notified and complimentary identity theft protection services are being offered.

The post Kaiser Permanente Discovers 8-Year Employee HIPAA Breach appeared first on HIPAA Journal.

Mat-Su Surgical Associates Suffers Ransomware Attack

Posted by HIPAA Journal

Palmer, AK-based Mat-Su Surgical Associates has announced it was attacked with ransomware in March. The attack was discovered on March 16 when staff were locked out of its computer systems as a result of the encryption of essential files.

A team of independent computer forensics investigators were engaged to assess the nature and scope of the attack and to determine whether any patient data had been accessed or stolen by the attackers. It was not possible to determine whether the attacker had exfiltrated data or viewed patient information prior to encryption, but the investigators could not rule out unauthorized data access. The attacker was determined to have gained access to parts of its computer system that contained the protected health information of 13,146 patients.

The information potentially compromised in the attack included the names of current and former patients of Valley Surgical Associates and Mat-Su Surgical Associates along with addresses, diagnoses, treatment information, lab test results, health insurance information, Social Security numbers, and other information related to the medical care provided.

All affected patients have been notified by mail and offered complimentary membership to credit monitoring and identity theft protection services through ID Experts.

Mat-Su Surgical Associates has taken steps to improve security, including implementing additional measures to prevent unauthorized remote access to its systems.

The Little Clinic Discovers Online Appointment System Bug that Exposed PHI

The Little Clinic, a network of more than 215 medical care clinics in Ohio, Kansas, Kentucky, Tennessee, Arizona, Georgia, Indiana, Virginia and Colorado, has discovered a bug in its online appointment system potentially resulted in an unauthorized disclosure of patients protected health information.

The bug was discovered internally by The Little Clinic and was determined to have been introduced on October 7, 2018. The issue was corrected on February 13, 2020 and measures were implemented to prevent similar breaches in the future.

The coding error meant that if a patient made an appointment and subsequently modified it online, the patient’s name, address, date of birth, and telephone number could be accessed by other domains. The investigation revealed up to 10,974 patients were potentially affected and may have had some of their personal information disclosed.

The Little Clinic found no evidence to suggest patient data was accessed or misused but determined on April 7, 2020 that the incident constituted a data breach. All individuals potentially affected have now been notified by mail.

The post Mat-Su Surgical Associates Suffers Ransomware Attack appeared first on HIPAA Journal.

Geisinger Wyoming Valley Medical Center and District Medical Group Disclose Data Breaches

Posted by HIPAA Journal

District Medical Group (DMG), an integrated medical group serving patients in Arizona, has started notifying 10,190 patients that some of their protected health information has potentially been compromised. On March 11, 2020, DMG discovered an unauthorized individual had gained access to the email accounts of some of its employees as a result of responses to phishing emails.

A password reset was immediately performed to prevent further unauthorized access and a leading cybersecurity firm was engaged to investigate the breach. The investigation revealed a limited number of email accounts were compromised between February 4, 2020 and February 10, 2020.

An analysis of emails and attachments in the breached accounts revealed they contained patient information such as names, medical record numbers, medical information, and health insurance information. A limited number of Social Security numbers were also potentially compromised. No evidence was uncovered that suggested the emails were opened or copied by the attackers.

Affected patients have been advised to be vigilant and monitor their accounts and statements for any sign of fraudulent activity. Out of an abundance of caution, individuals whose Social Security numbers were present in the accounts have been offered complimentary credit monitoring and identity theft protection services.

DMG has reinforced employee education and has taken steps to improve email security to prevent further breaches in the future.

Geisinger Wyoming Valley Medical Center Employee Terminated for Unauthorized Medical Record Access

Geisinger Wyoming Valley Medical Center (GWVMC) in Wilkes-Barre, PA has discovered an employee has been accessing the medical records of patients with no legitimate work reason for doing so.

GWVMC was alerted to the potential HIPAA breach on March 20, 2020 and launched an internal investigation. The employee was authorized to view patient records to complete day-to-day work duties, but it was discovered the medical records of 805 patients had been accessed outside of those work duties. The unauthorized access started in July 2017 and continued until March 2020.

The investigation did not uncover any evidence to suggest patient records were being accessed with malicious intent. Out of an abundance of caution, affected patients have been offered complimentary credit monitoring and identity theft protection services.

The types of information viewed by the employee included names, addresses, telephone numbers, email addresses, dates of birth, Social Security numbers, medical conditions, diagnoses, medications, dates of service, visit notes, test results, and appointment information.

Appropriate disciplinary action was taken against the employee for the violation of HIPAA and hospital policies. The employee no longer works at GWVMC.

The post Geisinger Wyoming Valley Medical Center and District Medical Group Disclose Data Breaches appeared first on HIPAA Journal.

April 2020 Healthcare Data Breach Report

Posted by HIPAA Journal

There were 37 healthcare data breaches of 500 or more records reported in April 2020, up one from the 36 breaches reported in March. As the graph below shows, the number of breaches reported each month has been fairly consistent and has remained well below the 12-month average of 41.9 data breaches per month.

Healthcare data breaches by month (2019-2020)

While the number of breaches increased slightly, there was a significant reduction in the number of breached healthcare records in April. 442,943 healthcare records were breached in April, down 46.56% from the 828,921 records breached in March. This is the second successive month where the number of exposed records has fallen. While this is certainly good news, it should be noted that in the past 12 months, 39.92 million healthcare records have been breached.

Healthcare records breached in the past 6 months

Largest Healthcare Data Breaches in April 2020

 

Name of Covered Entity Covered Entity Type Individuals Affected Type of Breach Location of Breached Information
Beaumont Health Healthcare Provider 112,211 Hacking/IT Incident Email
Meridian Health Services Corp. Healthcare Provider 111,372 Hacking/IT Incident Email
Arizona Endocrinology Center Healthcare Provider 74,122 Unauthorized Access/Disclosure Electronic Medical Record
Advocate Aurora Health Healthcare Provider 27,137 Hacking/IT Incident Email, Network Server
Doctors Community Medical Center Healthcare Provider 18,481 Hacking/IT Incident Email
Andrews Braces Healthcare Provider 16,622 Hacking/IT Incident Network Server
UPMC Altoona Regional Health Services Healthcare Provider 13,911 Hacking/IT Incident Email
Colorado Department of Human Services, Office of Behavioral Health Healthcare Provider 8,132 Unauthorized Access/Disclosure Network Server
Agility Center Orthopedics Healthcare Provider 7,000 Hacking/IT Incident Email
Beacon Health Options, Inc. Business Associate 6,723 Loss Other Portable Electronic Device

 

Causes of Healthcare Data Breaches in April

As was the case in March, hacking and IT incidents were the leading causes of healthcare data breaches. Unauthorized access/disclosure incidents were the next most common causes of breaches, an increase of 77.77% from the previous month.

333,838 records were compromised in the 18 reported hacking/IT incidents, which account for 75.37% of all records breached in April. The average breach size was 18,547 records and the median breach size was 4,631 records. There were 16 reported unauthorized access/disclosure incidents in April. The average breach size was 6,171 records and the median breach size was 1,122 records. In total, 98,737 records were breached across those 16 incidents.

There were two theft incidents reported in April, both involving portable electronic devices. The records of 3,645 individuals were stored on those devices. There was also one lost portable electronic device containing the records of 6,723 patients.

causes of healthcare data breaches in April 2020

The bar chart below shows the location of breached protected health information. The chart shows email is by far the most common location of breached health information. 48.65% of all reported breaches in April involved PHI stored in emails and email attachments. The majority of those breaches were phishing attacks. Most healthcare data breaches involve electronic data, but one in five breaches involved PHI in paper files and charts.

Location of breached PHI in April 2020

Healthcare Data Breaches by Covered Entity Type

Healthcare providers were the worst affected covered entity type in April with 30 breaches reported. 4 health plans reported a breach in April, and three breaches were reported by business associates of HIPAA-covered entities. A further 8 breaches had some business associate involvement.

Healthcare Data Breaches by State

April’s data breaches were reported by covered entities and business associates in 22 states. Florida and Texas were the worst affected with 4 breaches each. There were three data breaches reported in Michigan and Pennsylvania, and two breaches affecting covered entities and business associates based in California, Connecticut, Minnesota, Missouri, and Wisconsin. One breach was reported by entities based in Arkansas, Arizona, Colorado, Delaware, Indiana, Massachusetts, Maryland, North Carolina, New Mexico, Nevada, Tennessee, Utah, and Washington.

HIPAA Enforcement Activity in April

There were no financial penalties imposed on covered entities or business associates by state Attorneys General or the HHS’ Office for Civil Rights in April.

The post April 2020 Healthcare Data Breach Report appeared first on HIPAA Journal.

Mille Lacs Health System Phishing Attack Impacts 10,600 Patients

Posted by HIPAA Journal

Onamia, Mn-based Mille Lacs Health System has experienced a phishing attack that potentially resulted in the exposure of more than 10,000 patients’ protected health information.

Phishing emails were sent to some of its employees containing links that directed them to a website that requested their email credentials. A small number of employees were fooled by the scam.

Mille Lacs Health System learned about the phishing attack on November 14, 2020 and launched an investigation to determine the extent of the breach. On February 24, 2020, it was confirmed that the stolen email credentials were used by the attacker to access email accounts between August 26, 2019 and January 7, 2020. A review of the compromised email accounts was completed on April 22, 2020 and confirmed that patient information may have been accessed.

Information potentially compromised includes first and last names, addresses, dates of birth, provider names, dates of service, clinical information, treatment information, procedure types, and for certain individuals, Social Security numbers.  No evidence was found to suggest patient information was obtained or misused by the attackers.

All accounts have been secured, a full password reset was performed for all email accounts, and additional measures have been implemented to strengthen email security. Affected individuals were notified about the breach by mail on May 11, 2020 and have been offered complimentary credit monitoring services.

The breach report submitted to the Department of Health and Human Services’ Office for Civil Rights indicates 10,630 patients were affected by the breach.

North Shore Pain Management Experiences Ransomware Attack

North Shore Pain Management in Massachusetts has experienced a manual AKO ransomware attack and the data of some of its patients was stolen.

The incident has not yet appeared on the HHS’ Office for Civil Rights breach portal and, at the time of writing, there is no substitute breach notice on the company’s website. The breach was covered on databreaches.net, which reports that approximately 4GB of data relating to the company has been published on the Tor site used by the attackers. More than 4,000 files containing patient and employee information has been dumped online.

The files contained a range of sensitive protected health information including Social Security numbers, health information, and insurance information.

PsyGenics Employee Emailed Client Information to Personal Email Account

The Detroit-based occupational therapy, speech therapy, and family therapy provider, PsyGenics, Inc., has discovered one of its employees forwarded a spreadsheet containing customer information to a personal email account. The breach was detected on March 25, 2020 as part of a regular security review. The email was sent on March 24, 2020.

The spreadsheet contained information such as customers’ names, diagnosis codes, provider names, and appointment times. No other information such as treatment notes were detailed in the spreadsheet. No reason was given as to why the employee sent the spreadsheet to their personal email account. PsyGenics says it found no evidence of attempted or actual misuse of client information.

The post Mille Lacs Health System Phishing Attack Impacts 10,600 Patients appeared first on HIPAA Journal.

Management and Network Services Notifies 30,132 Patients About PHI Breach

Posted by HIPAA Journal

Management and Network Services (MNS), LLC, a Dublin, OH-based provider of administrative support services to post-acute healthcare providers, has discovered the email accounts of some of its employees have been compromised.

In a May 4, 2020 breach notification letter, MNS explained that it learned on or around August 21, 2019 that several employee email accounts had been subjected to unauthorized access between April and July of 2019. The analysis of the email accounts recently revealed five accounts contained the protected health information of patients of its clients.

The information in emails and email attachments varied from individual to individual and may have included the following data elements: name, medical treatment information, diagnosis information/codes, medication information, dates of service, insurance provider, health insurance number, date of birth, and Social Security number. A limited number of individuals also had their driver’s license number, State ID card number, and/or financial account information exposed.

MNS has taken steps to improve email security such as enhancing password policies across the entire organization and implementing multi-factor authentication for all employee email accounts.

The HHS’ Office for Civil Rights breach portal shows 30,132 patients had some of their PHI exposed.

Santa Rosa & Rohnert Park Oral Surgery Suffers Email Security Breach

Santa Rosa & Rohnert Park Oral Surgery on Portland, OR has discovered the email account of one of its employees was accessed by an unauthorized individual. The breach was detected on March 11, 2020 when suspicious activity was detected in the email account. The forensic investigation revealed the email account was breached on December 20, 2019 and access remained possible until March 11, 2020 when the account was secured. The compromised account was found to contain a range of protected health information which may have been viewed or acquired by the attacker.

Affected individuals have been offered complimentary membership to the MyIDCare credit monitoring and identity theft protection service from ID Experts. Santa Rosa & Rohnert Park Oral Surgery is reviewing and enhancing its policies and procedures and will take further steps to improve information security.

PHI of 3,683 Ashtabula County Medical Center Patients Exposed Online

Ashtabula County Medical Center (ACMC), an affiliate of Cleveland Clinic, is notifying 3,683 patients that some of their protected health information has been exposed online. On or around January 6, 2020, ACMC posted an Excel spreadsheet on a website to comply with government requirements about medical cost disclosures. On March 12, 2020, ACMC learned that a limited amount of protected health information had been accidentally included in the spreadsheet.

The exposed information was limited to patients’ names, diagnoses, and health and treatment histories. No Social Security numbers or financial data were exposed. Out of an abundance of caution, affected individuals have been offered a 12-month complimentary membership to identity theft recovery services through IDExperts.

ACMC has now updated its policies and procedures and has implemented additional safeguards to prevent similar breaches in the future.

Phishing Attack Exposed PHI at Orchard Medical Consulting

Orchard Medical Consulting, a provider of nurse case management services for workers’ compensation claims, has announced that an unauthorized individual gained access to the email account of one of its employees and potentially accessed protected health information stored in the account.

The attack was detected on January 30, 2020 and immediate action was taken to secure the account. The investigation revealed the account contained names, dates of birth, and for a very small number of individuals, Social Security number, and medical information such as diagnosis, treatment plan, and/or health history.

No evidence of data access, data theft, or misuse of PHI has been discovered. Affected individuals have been offered complimentary membership to TransUnion Interactive’s myTrueIdentity credit monitoring service out of an abundance of caution. To prevent further breaches, email security has been strengthened, policies and procedures updated, and multi-factor authentication has been implemented.

The post Management and Network Services Notifies 30,132 Patients About PHI Breach appeared first on HIPAA Journal.

Magellan Health Suffers Ransomware Attack

Posted by HIPAA Journal

The Fortune 500 company Magellan Health has announced it experienced a ransomware attack in April that resulted in the encryption of files and theft of some employee information.

The ransomware attack was detected by Magellan Health on April 11, 2020 when files were encrypted on its systems. The investigation into the attack revealed the attacker had gained access to its systems following a response to a spear phishing email sent on April 6. The attacker had fooled the employee by impersonating a client of Magellan Health.

Magellan Health engaged the cybersecurity firm Mandiant to assist with the investigation into the breach, which revealed the attacker had gained access to a corporate server that contained employee information and exfiltrated a subset of that data prior to the encryption of files. The attacker also downloaded malware that was used to steal login credentials.

The data stolen by the hacker related to current employees and included names, addresses, employee ID numbers, and W-2 and 1099 information, which included taxpayer IDs and Social Security numbers. A limited number of usernames and passwords were also stolen in the attack.

Magellan Health is unaware of any attempts to use that data but has advised affected individuals to be alert to the possibility of identity theft and misuse of their data. Affected individuals have been offered a complimentary 3-year membership to Experian’s IdentityWorks identity theft detection and resolution service.

Magellan Health is working closely with law enforcement and is aggressively investigating the breach and steps have already been taken to improve security to prevent similar breaches in the future.

It is currently unclear how many individuals have been affected by the breach.

The ransomware attack comes just a few months after the company discovered some of its subsidiaries suffered phishing attacks. Magellan Rx Management, Magellan Healthcare, and National Imaging Associates were all affected. Announcements about the breaches were made in September and November 2019, with the phishing attacks allowing unauthorized individuals to gain access to employee email accounts in July 2019.  The emails in the compromised accounts contained the protected health information of 55,637 members.

The post Magellan Health Suffers Ransomware Attack appeared first on HIPAA Journal.