HIPAA Breach News

Email Breach Impacts 35,529 Patients of Saint Francis Healthcare Partners

Posted by HIPAA Journal

Saint Francis Healthcare Partners in Connecticut is notifying 38,529 patients that some of their protected health information has potentially been obtained by hackers as a result of a “sophisticated cybersecurity incident” that allowed an unauthorized individual to gain access to its email system.

The attack occurred on December 30, 2019 but it took until March 20, 2020 for the forensic investigation to determine that patients’ protected health information was potentially compromised.  The types of information stored in the email system that could have been accessed included names, medical histories, medical record numbers, clinical and treatment information, dates of service, diagnoses, health insurance provider names, account numbers, prescription information and/or types of procedures performed. No financial information or Social Security numbers were compromised.

The investigation uncovered no evidence to suggest patient information was accessed, stolen, or misused. Steps have now been taken to improve data security practices and all affected patients have been notified by mail.

Florida Internal Medicine Practice Suffers Ransomware Attack

Daniel Bendetowicz, MD, PA is notifying 3,314 patients that their protected health information has been exposed as a result of a ransomware attack. The attack occurred on March 25, 2020 resulting in the encryption of its computer systems, including patient records. Backup files were not affected so files could be recovered without paying the ransom.

In these types of ransomware attacks, files are not typically accessed by the attackers prior to file encryption; however, data access could not be ruled out so notification letters have been sent to affected patients. Dr. Bendetowicz explained in the breach notification letters that names, addresses, dates of birth, Social Security numbers, health insurance information, and medical information were potentially compromised.

Out of an abundance of caution, identity theft protection services have been offered to all affected patients. Steps have also been taken to improve security to prevent further attacks in the future.

Houston Methodist Hospital Notifies 2,000 Patients of PHI Theft

Houston Methodist Hospital is notifying 1,987 heart patients that some of their protected health information was stored on portable storage devices that were stolen from the vehicle of a vendor representative in mid-February.

The individual was employed by the medical device manufacturer and operated the 3D imaging technology in the hospital’s cardiac catheterization lab.

The hard drives were left in a vehicle from where they were stolen. The hospital reports that the room where the hard drives were stored was locked, and removal of the devices was against hospital protocol and violated established technical safeguards and contractual obligations. The representative believed the room was only locked due to the late hour of the day.

The hard drives contained medical images that included a patient’s name, gender, date of birth, and a code number. The images could only be viewed with specialist software. The clinic reported the theft to law enforcement and hired a private investigator, but the hard drives could not be located.

Email Error Leads to Breach at Ascension Eastwood Clinic

An employee of Ascension Eastwood Clinic in Southfield, MI sent an email to patients on April 15, 2020 explaining the practice was transitioning to telehealth services due to COVID-19 to help prevent the spread of the disease.

An error was made sending the email and patients’ email addresses were not added to the BCC field of the email and could therefore be viewed by other patients. As a result of the error, email addresses and, in some cases, patients’ full names were disclosed to other patients. Apart from allowing a patient to be identified as a patient of the clinic, no other information was exposed.

The HHS’ Office for Civil Rights breach portal shows 999 patients were affected.

The post Email Breach Impacts 35,529 Patients of Saint Francis Healthcare Partners appeared first on HIPAA Journal.

Healthcare Workers in Michigan and Illinois Fired for HIPAA Violations

Posted by HIPAA Journal

Ann & Robert H. Lurie Children’s Hospital of Chicago has terminated an employee for improperly accessing the medical records of patients without authorization over a period of 15 months.

The privacy violations were identified by the hospital on March 5, 2020. The employee’s access to hospital systems was immediately terminated while the investigation was conducted. After reviewing access logs, the hospital found that the employee had accessed the medical records of 4,824 patients without authorization between November 2018 and February 2020.

The types of information accessed by the employee included names, addresses, dates of birth, diagnoses, medications, appointments, and medical procedures. No health insurance information, financial information, or Social Security numbers were accessed.

No reason as been given as to why the medical records were accessed, but the hospital says it does not believe the employee obtained, misused, or disclosed the information to anyone else. The hospital said the employee no longer works at the hospital.

This is not the first incident of its type to occur at Lurie Children’s Hospital. A similar incident was discovered in November 2019, when the hospital learned that a former employee accessed the medical records of patients without authorization between September 2018 and September 2019.

Mercy Health Fires Nurse for Multiple Privacy Violations

Mercy Health has also recently taken action against an employee for alleged violations of the HIPAA Privacy Rule. A nurse at Hackley Hospital in Muskegon, MI was terminated on April 3, 2020. The termination came shortly after the nurse raised concerns in media interviews about the level of preparedness of the hospital for the COVID-19 pandemic and how the alleged lack of preparedness put safety at risk. The nurse contacted the Michigan Nurses Association Labor Union, which claimed that Mercy Health fired the nurse for speaking out. The Labor Union also filed a charge with the National Labor Relations Board.

“Howe’s termination came on the evening of April 3, days after he had publicly raised concerns about lack of appropriate PPE and the need for improved screening measures to keep nurses and healthcare workers safe during the COVID-19 pandemic,” said the Labor Union in an April 21, 2020 press release.

10 days after the nurse was fired, and one day after the press release was issued by the Labor Union, Mercy Health released a press release of its own stating the nurse was fired for multiple violations of HIPAA Rules. Mercy Health said it does not usually share details about employment matters related to its workers but was compelled to speak out due to the “misinformation campaign” led by the Labor Union.

Mercy Health claims the fired nurse, Justin Howe, was terminated for accessing the medical records of multiple patients over a period of several days. The records were for not for patients receiving treatment at the campus where the nurse worked and there was no legitimate work reason for accessing those records. Mercy Health claims that Howe was not the only nurse terminated for improper medical record access.

According to Mercy Health’s press release, “We have mechanisms in place to monitor for inappropriate access of privileged information. As part of this review process, Mr. Howe along with others were terminated for the same. This investigative effort is still in process.”

The post Healthcare Workers in Michigan and Illinois Fired for HIPAA Violations appeared first on HIPAA Journal.

Patients Notified Medical Records Exposed at Tornado Hit Secure Medical Record Facility

Posted by HIPAA Journal

Several healthcare providers have been affected by an unusual data breach at Waupaca, WI-based STAT Informatics Solutions, LLC. STAT provides secure medical records services to several healthcare providers which includes scanning paper files so they can be added to hospital medical record systems.

On March 3, 2020, a STAT facility in Lebanon, TN was hit by a tornado, which caused extensive damage to the building and some of the records stored in the facility. STAT notified all affected clients the same day, and representatives of those healthcare providers visited the site to assist with locating and securing medical records in the facility.

To limit the potential for unauthorized access, a tall fence was erected around the building while the medical records were located and secured. Two security guards were also posted on site 24/7 to prevent unauthorized individuals from accessing the building.

The majority of the medical records were found in the remnants of the building, but the records were determined to be unsalvageable and have now been securely destroyed.

While it is possible that unauthorized individuals may have viewed some paperwork relating to patients, no evidence has been uncovered to suggest that was the case and patients are not believed to be at risk of financial harm. Out of an abundance of caution, patients whose records were stored in the building are being notified by mail and will be offered complimentary credit monitoring services.

The medical records at the facility contained the following types of information: Full names, Social Security numbers, addresses, dates of birth, medical record numbers, account numbers, medical images, diagnoses, nursing and physician documentation, test results, medications, and other types of information typically found in medical records.

The following healthcare providers have confirmed they were affected by the incident.

  • Bayfront Health Port Charlotte, FL
  • Bayfront Health Punta Gorda, FL
  • Commonwealth Health Wilkes-Barre General Hospital, PA (518 records)
  • Commonwealth Health Moses Taylor Hospital, PA (1,905 records)
  • Poplar Bluff Regional Medical Center, MO (1,619 records)

The post Patients Notified Medical Records Exposed at Tornado Hit Secure Medical Record Facility appeared first on HIPAA Journal.

Phishing Attack at BJC HealthCare Impacts Patients at 19 Hospitals

Posted by HIPAA Journal

BJC Healthcare has announced that the email accounts of three of its employees have been accessed by an unauthorized individual after the employees responded to phishing emails.

Suspicious activity was detected in the email accounts on March 6, 2020 and the accounts were immediately secured. A leading computer forensics firm was engaged to conduct an investigation which revealed the three accounts had only been accessed for a limited period of time on March 6. It was not possible to tell if patient data was viewed or obtained by the attacker.

A review of the accounts revealed they contained the data of patients at 19 BJC and affiliated hospitals. Protected health information in emails and attachments varied from patient to patient and may have included the following data elements:

Patients’ names, medical record numbers, patient account numbers, dates of birth, and limited treatment and/or clinical information, which included provider names, visit dates, medications, diagnoses, and testing information. The health insurance information, Social Security numbers, and driver’s license numbers of certain patients were also potentially compromised.

All patients affected by the breach will be notified by mail when the email account review is completed. Patients whose driver’s license or Social Security number has potentially been compromised will be offered complimentary credit monitoring and identity theft protection services.

BJC HealthCare said additional security measures will be implemented to prevent incidents such as this in the future and staff will be retrained to help them identify and avoid suspicious emails.

The following BJC HealthCare and affiliated hospitals were affected by the breach:

  • Alton Memorial Hospital
  • Barnes-Jewish Hospital
  • Barnes-Jewish St. Peters Hospital
  • Barnes-Jewish West County Hospital
  • BJC Behavioral Health
  • BJC Corporate Health Services
  • BJC Home Care
  • BJC Medical Group
  • Boone Hospital Center
  • Christian Hospital
  • Memorial Hospital Belleville
  • Memorial Hospital East
  • Missouri Baptist Medical Center
  • Missouri Baptist Physician Services, LLC
  • Missouri Baptist Sullivan Hospital
  • Parkland Health Center Boone Terre
  • Parkland Health Center Farmington
  • Progress West Hospital
  • Louis Children’s Hospital

The post Phishing Attack at BJC HealthCare Impacts Patients at 19 Hospitals appeared first on HIPAA Journal.

Shareholder Sues LabCorp to Recover Losses Caused by Data Breaches

Posted by HIPAA Journal

A LabCorp shareholder is taking legal action against LabCorp and its executives and directors over the loss in share value that was caused by two cyberattacks experienced by the company in the past 12 months.

LabCorp was one of the companies worst affected by the data breach at the medical debt collection company, American Medical Collection Agency (AMCA) in 2019. The records of 10,251,784 patients who used LabCorp’s services were obtained by hackers who infiltrated AMCA’s systems. At least 24 of AMCA’s clients were affected by the breach.

A second LabCorp data breach was reported by TechCrunch in January 2020 that involved around 10,000 LabCorp documents, which the lawsuit alleges was not publicly disclosed by the company nor mentioned in any SEC filings. The breach was the result of a website misconfiguration and allowed the documents to be accessed by anyone. The breach was also not reported to the HHS’ Office for Civil Rights, even though TechCrunch researchers confirmed that the documents contained patient data.

Raymond Eugenio holds shares in LabCorp which lost value as a result of the data breaches and filed the lawsuit on April 23, 2020 to recover those and other losses. The lawsuit names LabCorp as the defendant along with 12 of the company’s executives and directors, including LabCorp CIO Lance Berberian, CFO Glenn Eisenberg, and director Adam Schechter.

The lawsuit alleges that prior to the AMCA breach and subsequently, LabCorp failed to implement appropriate cybersecurity procedures and did not have sufficient oversight of cybersecurity, which directly resulted in the two data breaches.

In an SEC filing, LabCorp explained the AMCA data breach cost the company $11.5 million in 2019 in response and remediation costs, but the lawsuit points out that the figure is just a fraction of the total losses and does not cover the cost of litigation that followed. Several class action lawsuits have been filed by victims of the AMCA data breach that name LabCorp so the total losses are not known to its shareholders. The lawsuit also states that the second breach has not been acknowledged publicly or in any SEC filings. As such, Eugenio alleges LabCorp failed in its responsibility to its shareholders and breached its duties of loyalty, care, and good faith.

The lawsuit alleges LabCorp failed to implement effective internal policies, procedures, and controls to protect patient information, there was insufficient oversight of compliance with federal and state regulations and its internal policies and procedures, LabCorp did not have a sufficient data breach response plan in place, PHI was provided to AMCA without ensuring the company had sufficient cybersecurity controls in place, LabCorp did not ensure that individuals and entities affected by the breach were noticed in a timely manner, and that the company did not make adequate public disclosures about the data breaches.

The lawsuit seeks reimbursement for damages sustained as a result of the breaches and public acknowledgement of the January 2020 data breach. the lawsuit also calls for a reform of corporate governance and internal procedures and requires a board-level committee to be set up and an executive officer position appointed to ensure adequate oversight of data security.

The post Shareholder Sues LabCorp to Recover Losses Caused by Data Breaches appeared first on HIPAA Journal.

Ransomware Attacks Claim Three More Healthcare Victims

Posted by HIPAA Journal

Parkview Medical Center in Pueblo, Colorado is recovering from a ransomware attack that started on April 21, 2020. The attack resulted in several IT systems being taken out of action, including its Meditech electronic medical record system, which has been rendered inoperable. The attack is currently being investigated and assistance is being provided by a third-party computer forensics firm.

Parkview Medical Center is currently working around the clock to bring its systems back online and recover the encrypted data. In the meantime, medical services continue to be offered to patients, who remain the number one priority. Staff have switched to pen and paper to record patient information until systems can be brought back online. Despite not having access to important systems, the medical center says the level and quality of care provided to patients has not changed.

A spokesperson for the medical center said, “While our medical staff continue to work around the clock in response to the ongoing global pandemic, we are doing everything in our power to bring our systems back online as quickly and securely as possible.” The hospital’s website still says systems remain out of action on Wednesday, April 29.

It is not known if this was a manual or automated ransomware attack and if any sensitive data was exfiltrated by the attackers prior to the deployment of ransomware.

ExecuPharm Attacked with Maze Ransomware

On March 13, 2020, the King of Prussia, PA-based pharmaceutical company ExecuPharm experienced a Maze ransomware attack in which sensitive data was stolen. The Maze ransomware operators conduct manual ransomware attacks and steal data from victims before encrypting data. They also threaten to publish the data if the ransom payment is not made, as was the case with this attack.

The attackers have previously stated in a press release that they would be halting ransomware attacks on medical organizations during the COVID-19 pandemic, but that clearly does not appear to apply to pharma firms. In this case the data uploaded to the Maze website includes financial information, documents, database backups, and other sensitive data.

According to a statement issued by ExecuPharm, aa leading cybersecurity company has been retained to assist with the investigation and determine the nature and scope of the breach. The incident has been reported to law enforcement and all affected parties have been notified.

In addition to company information, the personal data of employees has also been accessed and exfiltrated by the attackers. That information includes Social Security numbers, financial information, driver licenses, passport numbers, bank account information, IBAN/SWIFT numbers, credit card numbers, national insurance numbers, beneficiary information and other sensitive data. Some data relating to its parent company, Parexel, was also stolen in the attack. Affected individuals have been offered identity theft monitoring services for 12 months free of charge.

The company has rebuilt its servers from backups and once systems have been restored, all data will be recovered from backups. Measures are also being implemented to harden security against these types of attacks, which include multi-factor authentication for remote connections, endpoint protection, and detection and response forensics tools on all systems. Email security measures have also been improved to block ransomware emails.

Brandywine Counselling and Community Services Suffers Ransomware Attack

Brandywine Counselling and Community Services in Delaware has also recently been attacked with ransomware.

The attack was detected on February 10, 2020 and a computer forensic firm was hired to assist with the investigation. The investigation determined servers impacted by the attack contained some client information which was acquired by the attackers.

The attack has been reported to the HHS’ Office for Civil Rights as affecting 4,262 individuals. The data stolen in the attack includes clients’ names, addresses, dates of birth, and/or limited clinical information, such as provider name(s), diagnosis, prescription(s), and/or treatment information, and a limited number of Social Security numbers and driver’s license numbers.

Individuals whose Social Security number or driver’s license number was compromised have been offered complimentary credit monitoring and identity theft protection services. Additional security measures are being implemented to prevent further ransomware attacks in the future.

The post Ransomware Attacks Claim Three More Healthcare Victims appeared first on HIPAA Journal.

233,000 Patients Notified About PHI Breach at Genetic Testing Lab

Posted by HIPAA Journal

Ambry Genetics, an Aliso Viejo, CA-based genetic testing laboratory, is notifying 232,772 individuals that some of their protected health information was exposed as a result of a recent email security breach. At almost 233,000 records, this is the second largest healthcare data breach to be reported in 2020.

Ambry Genetics discovered an unauthorized individual gained access to an employee’s email account between January 22 and January 24, 2020 and potentially viewed and obtained the protected health information of its customers. The security team and third-party computer forensics experts were unable to determine if any information in the compromised accounts was accessed or stolen, but no reports have been received to suggest any personal information has been misused.

The email accounts were reviewed and found to contain information such as names, medical information, and other information related to the services provided by Ambry Genetics. A small number of individuals also had their Social Security number exposed.

Ambry Genetics has taken steps to enhance security and further training on email security is being provided to its employees.

Former Arizona Endocrinology Center Physician Takes PHI of 74,000 Patients to New Employer

Arizona Endocrinology Center is alerting 74,122 patients that some of their protected health information has been impermissibly disclosed to another medical group by a physician after he left the practice.

Before Dr. Dwivedi left Arizona Endocrinology Center, he downloaded patient data and disclosed the information to his new employer, More MD. Patient names, telephone numbers, addresses, medical record numbers, and the names of patients’ primary doctor were downloaded from the EHR. No Social Security numbers, health insurance information, or financial data was obtained by Dr. Dwivedi.

Arizona Endocrinology Center learned of the incident on February 17, 2020 when patients started reporting they had received text messages from More MD advising them that Dr. Dwivedi had moved to the medical group. More MD also advertised its services in the text messages. The breach investigation revealed the data was downloaded on January 12, 2020.

Arizona Endocrinology Center has told its patients that it has no business relationship with More MD and Dr. Dwivedi no longer works for the practice, so it has been difficult to obtain solid assurances that patient data has now been deleted and will not be used. The practice explained on its website that “our patients and their families are free to contact Dr. Dwivedi and More MD directly to ask them about their personal information.”

The post 233,000 Patients Notified About PHI Breach at Genetic Testing Lab appeared first on HIPAA Journal.

March 2020 Healthcare Data Breach Report

Posted by HIPAA Journal

March 2020 saw a 7.69% month-over-month decrease in the number of reported healthcare data breaches and a 45.88% reduction in the number of breached records.

In March, 36 healthcare data breaches of 500 or more records were reported to the HHS’ Office for Civil Rights (OCR), which is more than 16% fewer than the average number of monthly breaches over the past 12 months. 828,921 healthcare records were breached in March, which is 194% higher than the monthly average number of breached records.

Largest Healthcare Data Breaches in March 2020

The largest healthcare data breach of the month was reported by the genetic testing company, Ambry Genetics Corporation. An unauthorized individual gained access to an employee’s email account that contained the data of 232,772 patients.

A major phishing attack was reported by the medical device manufacturer Tandem Diabetes Care. Several employees’ email accounts were compromised and the protected health information of 140,781 patients was exposed.

The third largest data breach of the month was reported by Brandywine Urology Consultants, which experienced a ransomware attack in which the data of 131,825 patients was potentially compromised. Affordacare Urgent Care Clinics and the Randleman Eye Center were also attacked with ransomware.

The data breaches reported by Golden Valley Health Centers, the Otis R. Bowen Center for Human Services, and Washington University School of Medicine were due to phishing attacks, the Stephan C Dean breach was an email hacking incident not believed to be a phishing attack, and the OneDigital Health and Benefits breach involved the theft of a laptop computer.

Name of Covered Entity Covered Entity Type Individuals Affected Type of Breach
Ambry Genetics Corporation Healthcare Provider 232772 Hacking/IT Incident
Tandem Diabetes Care, Inc. Healthcare Provider 140781 Hacking/IT Incident
Brandywine Urology Consultants, PA Healthcare Provider 131825 Hacking/IT Incident
Stephan C Dean Business Associate 70000 Hacking/IT Incident
Affordacare Urgent Care Clinics Healthcare Provider 57411 Hacking/IT Incident
Golden Valley Health Centers Healthcare Provider 39700 Hacking/IT Incident
Otis R. Bowen Center for Human Services Healthcare Provider 35804 Hacking/IT Incident
OneDigital Health and Benefits Business Associate 22894 Theft
Randleman Eye Center Healthcare Provider 19556 Hacking/IT Incident
Washington University School of Medicine Healthcare Provider 14795 Hacking/IT Incident

Causes of March 2020 Healthcare Data Breaches

Hacking/IT incidents dominated the breach reports once again, accounting for 52.78% of the month’s breaches (19 incidents) and 94.38% of all records breached in March (782,407 records). The average breach size was 41,179 records and the median breach size was 10,700 records.

Unauthorized access/disclosure incidents accounted for 25% of the month’s breaches (9 incidents) and 1.81% of breached records (15,071 records). The average breach size was 1,674 records and the median breach size was 910 records.

16.66% of the month’s breaches were due to the theft of paperwork/electronic devices (6 incidents). 30,107 patient records were stolen in those incidents, which account for 3.63% of the breached records in March. The average breach size was 5,017 records and the median breach size was 1,595 records. There were two loss incidents reported in March involving 1,336 records.

The bar chart below shows the location of the breached protected health information and clearly indicates the biggest problem area for healthcare providers – Securing email accounts and preventing phishing attacks. 50% of the breaches in March saw email accounts breached, the vast majority of which were the result of responses to phishing emails.

March 2020 Data Breaches by Covered Entity Type

Healthcare providers were the worst affected covered entity type with 26 reported breaches. There were 3 breaches reported by health plans and a rare breach at a healthcare clearinghouse.

Business associates of HIPAA covered entities reported 6 breaches and a further two breaches were reported by the covered entity but had some business associate involvement.

States Affected by March 2020 Data Breaches

March’s 36 data breaches were spread across 22 states. California was the worst affected with 7 reported breaches. There were three breaches in Georgia and Minnesota, two in each of Hawaii, North Carolina, Pennsylvania, and Texas, and one breach in each of Arizona, Colorado, Delaware, Florida, Illinois, Indiana, Massachusetts, Maryland, Missouri, Montana, New Jersey, Nevada, Ohio, Utah, and Virginia.

HIPAA Enforcement in March 2020

There were no reported enforcement actions by the HHS’ Office for Civil Rights or state attorneys general in March 2020 but there was some major news on the HIPAA enforcement front.

In response to the SARS-CoV-2 Novel Coronavirus pandemic, OCR announced it is exercising enforcement discretion and will not be imposing financial penalties on covered entities and business associates for noncompliance with certain aspects of HIPAA Rules.

Three Notices of Enforcement Discretion were announced by OCR in March related to the good faith provision of telehealth services, uses and disclosures of PHI by business associates to public health authorities, and good faith participation in the operation of COVID-19 testing centers.

Further information on the Notices of Enforcement Discretion, HIPAA, and COVID-19 can be found on this link.

The post March 2020 Healthcare Data Breach Report appeared first on HIPAA Journal.

PHI of 41,000 Patients Exposed in Aurora Medical Center and UPMC Altoona Phishing Attacks

Posted by HIPAA Journal

Aurora Medical Center-Bay Area in Marinette, WI is notifying 27,137 patients that some of their protected health information has been exposed as a result of a January 1, 2020 phishing attack.

Several employees responded to the messages and disclosed their email account credentials, which gave the attackers access to their email accounts. The breach was discovered by the medical center on January 9, 2020. A password reset was immediately performed to prevent any further account access and the security breach was reported to law enforcement.

An internal investigation was launched to determine what information was accessed by the attackers, which revealed emails and attachments in the accounts contained the protected health information of patients. Aurora Medical Center has not received any reports indicating there has been any misuse of patient information, but it was not possible to rule out data theft.

A review of the emails in the accounts revealed they contained a range of PHI. The information varied from patient to patient and may have included names, first and last names, maiden name, marital status, date of birth, address, email address, telephone number, Social Security number, Medical record number, driver’s license number, medical device number, passport number, bank account number, health insurance account number, full face photograph, admission date, discharge date, and treatment date.

Steps have been taken to improve email security and employees have been provided with further security awareness training to help them identify phishing emails.

University of Pittsburg Medical Center Altoona Phishing Attack Reported

UPMC Altoona has discovered an unauthorized individual has gained access to the email account of one of its physicians and potentially viewed or obtained the PHI of some of its patients. The phishing attack was detected on February 13, 2020, shortly after the email account was compromised.

The attacker used the account to send further phishing emails. The investigation did not uncover evidence of data theft, but unauthorized PHI access could not be ruled out.

A forensic investigation revealed the email account contained patient information such as demographic information and limited clinical information. No Social Security numbers, financial information, or health insurance details were exposed.

Notification letters were sent to affected individuals on April 10, 2020. The Office for Civil Rights breach portal indicates up to 13,911 patients have been affected by the phishing attack.

The post PHI of 41,000 Patients Exposed in Aurora Medical Center and UPMC Altoona Phishing Attacks appeared first on HIPAA Journal.