HIPAA Breach News

PHI of 109,000 Patients Potentially Compromised in Washington Phishing Attack

Posted by HIPAA Journal

Bellevue, WA-based Overlake Medical Center & Clinics is notifying 109,000 patients that some of their personal and protected health information has potentially been compromised as a result of a December 2019 phishing attack.

The phishing attack was detected on December 9, 2019 and a password reset was performed to prevent further unauthorized access. Overlake determined that one email account was compromised on December 6, 2019 and access remained possible until December 9 when the account was secured. Further email accounts were compromised on December 9, but access was only possible for a few hours.

A review of the affected accounts revealed they contained patient names, addresses, telephone numbers, dates of birth, health insurance provider names, health insurance ID numbers, and diagnosis and treatment information related to the care provided at Overlake. No Social Security numbers or financial information was compromised. The investigation uncovered no evidence of data theft and no reports have been received to suggest patient data has been misused.

Steps have now been taken to prevent similar breaches in the future including enhancing email security measures to block phishing emails, implementing multi-factor authentication for email accounts, enhancing security awareness training for employees, and implementing new email retention policies.

Overlake started mailing notification letters to affected patients on February 4, 2019. The data breach was reported to the Department of Health and Human Services’ Office for Civil Rights on February 7, 2019.

VibrantCare Rehabilitation Phishing Attack Impacts 1,655 Patients

The California physical therapy provider, VibrantCare Rehabilitation, has discovered an employee email account has been compromised following a response to a phishing email.

Unusual activity was detected in the email account and third-party computer specialists were called in to investigate a potential breach. The investigation revealed the email account was accessed by an unauthorized individual between August 20, 2019 and August 27, 2019. A painstaking analysis of the email account revealed it contained the protected health information of 1,655 patients.

The exposed information varied from patient to patient. In addition to first and last names, the exposed information included demographic information, financial account information, credit or debit card information, Social Security numbers, driver’s license numbers, government or state identification numbers, military identification numbers, passport numbers, alien registration numbers, student identification numbers, medical and treatment information, health insurance information, Medicare or Medicaid numbers, patient numbers, medical record numbers, and prescription information.

No evidence of data access or data theft was found and no reports have been received to suggest patient information has been misused; however, as a precaution, affected patients have been advised to monitor their accounts, explanations of benefits, and credit reports for suspicious activity.

VibrantCare Rehabilitation is now reviewing and enhancing its existing policies to prevent further phishing attacks in the future.

The post PHI of 109,000 Patients Potentially Compromised in Washington Phishing Attack appeared first on HIPAA Journal.

MyEyeDr. Patients Notified of Ransomware Attack and Improper Disposal Incident

Posted by HIPAA Journal

MyEyeDr. Optometry of Colorado P.C, a network of vision care offices, is notifying 1,475 Colorado residents that some of their protected health information was potentially compromised prior to a recent ransomware attack.

Certain MyEyeDr. systems were accessed by the attacker on December 11, 2019 and ransomware was downloaded and deployed. Steps were immediately taken by MyEyeDr. to prevent further unauthorized access and restore all affected records. The ransom was not paid.

While it was possible to restore the majority of encrypted data, some files could not be recovered and remain encrypted. A third-party computer forensics firm was engaged to investigate the attack and determine whether any data had been stolen prior to file encryption. The forensics firm found no evidence to suggest data had been exfiltrated and the attack is believed to have only involved file encryption with a view to extorting money from MyEyeDr.

A review of the affected systems revealed they contained patient information such as names, dates of birth, diagnoses, clinical information, and treatment information. Affected patients had received services at MyEyeDr. locations in Colorado between December 1 and December 10, 2019 inclusive.

Improper Disposal incident Affects 7,983 patients of Today’s Vision Willowbrook

MyEyeDr. has also announced a separate incident that resulted in the exposure of the protected health information of 7,983 patients of Today’s Vision Willowbrook, which was acquired by Capital Vision Services d/b/a MyEyeDr. in February 2019.

On or around May 21, 2019, MyEyeDr. discovered historic records of Today’s Vision Willowbrook patients had been disposed of in an improper manner. The records had been discarded in a dumpster near Tomball, Texas, instead of being securely destroyed.

The records contained information such as names, addresses, dates of birth, Social Security numbers, clinical information, and billing information and related to patients who visited Today’s Vision Willowbrook between 1997 and 2003.

The incorrect disposal was reported by the media. Local law enforcement officers visited and collected the records. MrEyeDr. said “Based on the prompt action of the Tomball police in securing the records, there is no indication that any unauthorized third parties had or will have an opportunity to misuse any of the patient information contained in the records at issue.”

MyEyeDr. has confirmed that the records were never in the possession of any MyEyeDr. employees and the records do not appear to have been dumped by employees of Today’s Vision Willowbrook.

Monroe County Hospital & Clinics Email Breach Impacts 7,500 Patients

Albia, IA-based Monroe County Hospital & Clinics has discovered an unauthorized individual has gained access to its email system and potentially viewed or obtained the protected health information of approximately 7,500 patients.

The attack was discovered on December 19, 2019 and a computer forensic expert was engaged to investigate the breach and determine the size and scope of the attack. The investigation revealed several employee email accounts had been accessed by unknown individuals between October 28, 2019 and January 20, 2020.

The compromised accounts were discovered to contain protected health information. The exposed information varied from patient to patient and may have included name, address, date of birth, medical record number, date(s) of service, insurance status, payor type, diagnosis codes, reason for visits, and other treatment related information. Some patients also had their Social Security number exposed. Complimentary membership to credit monitoring services has been offered to affected individuals.

Upon discovery of the breach, passwords were reset to prevent further unauthorized account access and employees have been provided with further security awareness training. Additional security measures are also being considered to prevent attacks in the future.

The post MyEyeDr. Patients Notified of Ransomware Attack and Improper Disposal Incident appeared first on HIPAA Journal.

Wise Health System Notifies 66,934 Patients of Phishing Attack

Posted by HIPAA Journal

Wise Health System in Decatur, TX, is notifying 66,934 patients that some of their protected health information was potentially compromised in a phishing attack that occurred on March 14, 2019.

Wise Health System previously reported the phishing attack to the Department of Health and Human Services’ Office for Civil Rights on July 13, 2019 as having affected 35,899 individuals. That total has now been updated following the completion of a data audit. The data audit commenced in June 2019 and has only just been completed. New notifications started to be sent to affected patients on February 13, 2020.

In March 2019, several employees responded to phishing emails and disclosed their account credentials. The attackers used those credentials to access the Employee Kiosk and attempted to reroute payroll direct deposits. Wise Health System reports that attempts were made to reroute approximately 100 direct deposit payments.

Security protocols required two checks to be issued to employees following a change to direct deposit information. This security measure was key to identifying the scam and preventing the misdirection of direct deposit payments. The large number of checks printed on April 5, 2019 raised a red flag and suggested unauthorized individuals had gained access to its systems.

A system-wide password reset was performed to lock the attackers out of the system and two independent computer forensics firms were engaged to investigate the breach. The cyberattack was also reported to the FBI. The FBI investigation revealed the attackers were based in Africa and the case has now been closed.

Wise Health System, the two computer forensics firms, and the FBI share the belief that patient information was not accessed by the attackers. The criminal gangs behind these campaigns are solely concerned with rerouting payroll direct deposits and there have previously been no confirmed reports of data theft by these gangs. However, the email credentials obtained by the attackers would have allowed them to access email accounts that contained protected health information such as names, medical record numbers, diagnostic information, health insurance information, and treatment information.

Out of an abundance of caution, affected patients have been offered credit monitoring, identity theft recovery, and identity theft insurance coverage through the ID Experts MyIDCare service for 12 to 24 months. Following the breach, Wise Health System implemented measures to improve its cybersecurity posture.

PSL Services Discovered Employee Email Account Breach

Peregrine Corporation, dba PSL Services has discovered unauthorized individuals have gained access to the email accounts of several employees from December 16, 2019 through December 19.

A breach was suspected when suspicious activity was detected in the email account of an employee. A third-party computer forensics firm was engaged to investigate the breach and discovered several email accounts had been compromised.

The types of information contained in the compromised email accounts varied from patient to patient and included names, dates of birth, Social Security numbers, driver’s license numbers, medical information, and Medicare numbers.

The compromised accounts are being reviewed to determine which patients have been affected. The incident is still being investigated and the final number of individuals affected has not yet been determined. Affected individuals are being offered free identity theft protection services and written notices will be sent to affected individuals as soon as possible.

PSL Services is reviewing its security measures and will implement additional safeguards to prevent similar breaches from occurring in the future.

The post Wise Health System Notifies 66,934 Patients of Phishing Attack appeared first on HIPAA Journal.

Malware Attack Disables Servers at Physician Network Affiliated with Boston Children’s Hospital

Posted by HIPAA Journal

On Monday, February 10, 2020, Pediatric Physicians’ Organization at Children’s (PPOC), a physician group affiliated with Boston Children’s Hospital, experienced a malware attack that caused a system outage which prevented its 500+ pediatricians, nurse practitioners, and physician assistants from accessing patient data and scheduling calendars.

PPOC has approximately 200 servers, 11 of which were impacted by the attack. IT teams at PPOC and Boston Children’s Hospital worked swiftly to contain the malware and the affected servers have now been quarantined. Servers unaffected by the attack were shut down as a precautionary measure. Boston Children’s Hospital issued a statement confirming its systems were unaffected by the attack.

Patients were advised to reschedule non-urgent appointments as health records cannot be accessed until the malware is removed and the servers are brought back online. Children’s Hospital issued a statement on Wednesday saying progress was being made restoring the servers, but it was still unclear how long the recovery process would take.

PPOC has over 100 practices across the state of Massachusetts and serves more than 350,000 patients. It is currently unclear what type of malware was involved and whether it allowed hackers to gain access to patient data.

Central Kansas Orthopedic Group Suffers Ransomware Attack

Central Kansas Orthopedic Group (CKOG) in Great Bend, KS suffered a ransomware attack in November 2019 that resulted in the encryption of patient records.

The attack was discovered on November 11, 2019. The attackers sent a ransom demand which CKOG refused to pay. All encrypted files, including patient medical records, were successfully restored from backups.

A third-party forensic investigator was retained to assist with the investigation and determine whether patient data had been accessed or copied by the attackers prior to the deployment of ransomware. The investigation uncovered no evidence to suggest the attackers accessed or stole patient data and no reports of data misuse have been received.

The types of information that could potentially have been accessed included names, addresses, email addresses, dates of birth, state-issued ID numbers, driver’s license numbers, health information related to treatment provided by CKOG, Social Security numbers, and health insurance information. All affected patients have been notified by mail and offered identity theft protection services through ID Experts.

CKOG is now reviewing its security platform and has started implementing additional security protocols to harden its security posture.

The HHS’ Office for Civil Rights breach portal shows 17,214 patients were potentially affected by the attack.

The post Malware Attack Disables Servers at Physician Network Affiliated with Boston Children’s Hospital appeared first on HIPAA Journal.

2019 Healthcare Data Breach Report

Posted by HIPAA Journal

Figures from the Department of Health and Human Services’ Office for Civil Rights breach portal show a major increase in healthcare data breaches in 2019. Last year, 510 healthcare data breaches of 500 or more records were reported, which represents a 196% increase from 2018.

As the graph below shows, aside from 2015, healthcare data breaches have increased every year since the HHS’ Office for Civil Rights first started publishing breach summaries in October 2009.

37.47% more records were breached in 2019 than 2018, increasing from 13,947,909 records in 2018 to 41,335,889 records in 2019.

Last year saw more data breaches reported than any other year in history and 2019 was the second worst year in terms of the number of breached records. More healthcare records were breached in 2019 than in the six years from 2009 to 2014. In 2019, the healthcare records of 12.55% of the population of the United States were exposed, impermissibly disclosed, or stolen.

Largest Healthcare Data Breaches of 2019

The table below shows the largest healthcare data breaches of 2019, based on the entity that reported the breach.

Name of Covered Entity Covered Entity Type Individuals Affected Type of Breach Location of Breached Information
1 Optum360, LLC Business Associate 11500000 Hacking/IT Incident Network Server
2 Laboratory Corporation of America Holdings dba LabCorp Healthcare Provider 10251784 Hacking/IT Incident Network Server
3 Dominion Dental Services, Inc., Dominion National Insurance Company, and Dominion Dental Services USA, Inc. Health Plan 2964778 Hacking/IT Incident Network Server
4 Clinical Pathology Laboratories, Inc. Healthcare Provider 1733836 Unauthorized Access/Disclosure Network Server
5 Inmediata Health Group, Corp. Healthcare Clearing House 1565338 Unauthorized Access/Disclosure Network Server
6 UW Medicine Healthcare Provider 973024 Hacking/IT Incident Network Server
7 Women’s Care Florida, LLC Healthcare Provider 528188 Hacking/IT Incident Network Server
8 CareCentrix, Inc. Healthcare Provider 467621 Hacking/IT Incident Network Server
9 Intramural Practice Plan – Medical Sciences Campus – University of Puerto Rico Healthcare Provider 439753 Hacking/IT Incident Network Server
10 BioReference Laboratories Inc. Healthcare Provider 425749 Hacking/IT Incident Other
11 Bayamon Medical Center Corp. Healthcare Provider 422496 Hacking/IT Incident Network Server
12 Memphis Pathology Laboratory d/b/a American Esoteric Laboratories Healthcare Provider 409789 Unauthorized Access/Disclosure Network Server
13 Sunrise Medical Laboratories, Inc. Healthcare Provider 401901 Hacking/IT Incident Network Server
14 Columbia Surgical Specialist of Spokane Healthcare Provider 400000 Hacking/IT Incident Network Server
15 Sarrell Dental Healthcare Provider 391472 Hacking/IT Incident Network Server
16 UConn Health Healthcare Provider 326629 Hacking/IT Incident Email
17 Premier Family Medical Healthcare Provider 320000 Hacking/IT Incident Network Server
18 Metro Santurce, Inc. d/b/a Hospital Pavia Santurce and Metro Hato Rey, Inc. d/b/a Hospital Pavia Hato Rey Healthcare Provider 305737 Hacking/IT Incident Network Server
19 Navicent Health, Inc. Healthcare Provider 278016 Hacking/IT Incident Email
20 ZOLL Services LLC Healthcare Provider 277319 Hacking/IT Incident Network Server

 

The above table does not tell the full story. When a business associate experiences a data breach, it is not always reported by the business associate. Sometimes a breach is experienced by a business associate and the covered entities that they work with report the breaches separately, as was the case with American Medical Collection Agency (AMCA), a collection agency used by several HIPAA covered entities.

In 2019, hackers gained access to AMCA systems and stole sensitive client data. The breach was the second largest healthcare data breach ever reported, with only the Anthem Inc. data breach of 2015 having impacted more individuals.

HIPAA Journal tracked the breach reports submitted to OCR by each affected covered entity. At least 24 organizations are known to have had data exposed/stolen as a result of the hack.

Organizations Affected by the 2019 AMCA Data Breach

Healthcare Organization Confirmed Victim Count
Quest Diagnostics/Optum360 11,500,000
LabCorp 10,251,784
Clinical Pathology Associates 1,733,836
Carecentrix 467,621
BioReference Laboratories/Opko Health 425,749
American Esoteric Laboratories 409,789
Sunrise Medical Laboratories 401,901
Inform Diagnostics 173,617
CBLPath Inc. 141,956
Laboratory Medicine Consultants 140,590
Wisconsin Diagnostic Laboratories 114,985
CompuNet Clinical Laboratories 111,555
Austin Pathology Associates 43,676
Mount Sinai Hospital 33,730
Integrated Regional Laboratories 29,644
Penobscot Community Health Center 13,299
Pathology Solutions 13,270
West Hills Hospital and Medical Center / United WestLabs 10,650
Seacoast Pathology, Inc 8,992
Arizona Dermatopathology 5,903
Laboratory of Dermatology ADX, LLC 4,082
Western Pathology Consultants 4,079
Natera 3,035
South Texas Dermatopathology LLC 15,982
Total Records Breached 26,059,725

Causes of 2019 Healthcare Data Breaches

The HHS’ Office for Civil Rights assigns breaches to one of five different categories:

  • Hacking/IT incidents
  • Unauthorized access/disclosures
  • Theft
  • Loss
  • Improper disposal

59.41% of healthcare data breaches in 2019 were classified as hacking/IT incidents and involved 87.60% of all breached records. 28.82% of data breaches were classed as unauthorized access/disclosure incidents and involved 11.27% of all records breached in 2019.

10.59% of breaches were classed as loss and theft incidents involving electronic devices containing unencrypted electronic protected health information or physical records. Those incidents accounted for 1.07% of breached records in 2019.

1.18% of breaches and 0.06% of breached records were due to improper disposal of physical records and devices containing electronic protected health information.

Breach Cause Incidents Breached Records Mean Breach Size Median Breach Size
Hacking/IT Incident 303 36,210,097 119,505 6,000
Unauthorized Access/Disclosure 147 4,657,932 31,687 1,950
Theft 39 367,508 9,423 2,477
Loss 15 74,271 4,951 3,135
Improper Disposal 6 26,081 4,347 4,177

We have not tracked the cause of each breach reported in 2019, but the table below provides an indication of the biggest problem area for healthcare organizations – Securing email systems and blocking phishing attacks. The email incidents include misdirected emails, but the majority of email incidents were phishing and spear phishing attacks.

Healthcare Data Breaches by Covered Entity

77.65% of 2019 data breaches were reported by healthcare providers (369 incidents), 11.57% of breaches were reported by health plans (59 incidents), and 0.39% of data breaches were reported by healthcare clearinghouses (2 incidents).

23.33% of the year’s breaches involved business associates to some extent. 10.39% of data breaches were reported by business associates (53 incidents) and 66 data breaches were reported by a covered entity which stated there was some business associate involvement.

States Worst Affected by Healthcare Data Breaches

Data breaches were reported by HIPAA-covered entities or business associates in 48 states, Washington DC, and Puerto Rico. The worst affected state was Texas with 60 data breaches reported. California was the second most badly hit with 42 reported data breaches.

The only states where no data breaches of 500 or more records were reported were North Dakota and Hawaii.

State Breaches State Breaches State Breaches State Breaches State Breaches
Texas 60 Maryland 14 Arkansas 9 Alabama 4 Mississippi 2
California 42 Washington 14 South Carolina 9 Alaska 4 Montana 2
Illinois 26 Georgia 13 New Jersey 8 Iowa 4 South Dakota 2
New York 25 North Carolina 13 Massachusetts 7 Kentucky 4 Washington DC 2
Ohio 25 Tennessee 11 Puerto Rico 7 Nebraska 4 West Virginia 2
Minnesota 23 Arizona 10 Virginia 7 Oklahoma 4 Delaware 1
Florida 22 Colorado 10 Louisiana 6 Utah 4 Kansas 1
Pennsylvania 19 Connecticut 10 New Mexico 6 Wyoming 3 New Hampshire 1
Missouri 17 Indiana 10 Wisconsin 6 Idaho 2 Rhode Island 1
Michigan 16 Oregon 10 Nevada 5 Maine 2 Vermont 1

HIPAA Enforcement in 2019

The HHS’ Office for Civil Rights continued to enforce compliance with HIPAA at a similar level to the previous three years.

In 2019, there were 10 HIPAA enforcement actions that resulted in financial penalties. 2 civil monetary penalties were imposed and 8 covered entities/business associates agreed settlements with OCR to resolve HIPAA violations.

In total, $12,274,000 was paid to OCR in fines and settlements. The largest financial penalties of the year resulted from investigations of potential HIPAA violations by University of Rochester Medical Center and Touchstone Medical Imaging. Both cases were settled for £3,000,000.

OCR uncovered multiple violations of HIPAA Rules while investigating separate loss/theft incidents reported by University of Rochester Medical Center. OCR discovered risk analysis and risk management failures, a lack of encryption on portable electronic devices, and insufficient device and media controls.

Touchstone Medical Imaging experienced a data breach that resulted in the impermissible disclosure of 307,839 individuals’ PHI due to the exposure of an FTP server over the internet. OCR investigated and determined there had been risk analysis failures, business associate agreements failures, insufficient access rights, a failure to respond to a security incident, and violations of the HIPAA Breach Notification Rule.

Sentara Hospitals agreed to a $2.175 million settlement stemming from a 577-record data breach that was reported to OCR as only affecting 8 individuals. OCR told Sentara Hospitals that the breach notification needed to be updated to include the other individuals affected by the mailing error, but Sentara Hospitals refused. OCR determined a financial penalty was appropriate for the breach notification reporting failure and the lack of a business associate agreement with one of its vendors.

A civil monetary penalty of $2.154 million was imposed on the Miami, FL-based nonprofit academic medical system, Jackson Health System (JHS). Following a data breach, OCR investigated and found a compliance program that had been in disarray for several years. The CMP resolved multiple violations of HIPAA Privacy Rule, Security Rule, and Breach Notification Rule.

A civil monetary penalty of $1,600,000 was imposed on Texas Department of Aging and Disability Services for multiple violations of HIPAA Rules discovered during the investigation of breach involving an exposed internal application. OCR discovered there had been risk analysis failures, access control failures, and information system activity monitoring failures, which contributed to the impermissible disclosure of 6,617 patients’ ePHI.

Medical Informatics Engineering, an Indiana-based provider of electronic medical record software and services, experienced a major data breach in 2015 at its NoMoreClipboard subsidiary. Hackers used a compromised username and password to gain access to a server that contained the protected health information (PHI) of 3.5 million individuals. OCR determined there had been a risk analysis failure and the case was settled for $100,000. MIE also settled a multi-state action with state attorneys general over the same breach and settled that case for $900,000.

The Carroll County, GA ambulance company, West Georgia Ambulance, was investigated over the reported loss of an unencrypted laptop computer that contained the PHI of 500 patients. OCR found there had been a risk analysis failure, there was no security awareness training program for staff, and HIPAA Security Rule policies and procedures had not been implemented. The case was settled for $65,000.

There was one financial penalty for a social media HIPAA violation. Elite Dental Associates respondents to patient reviews on Yelp, and in doing so impermissibly disclosed PHI. OCR determined a financial penalty was appropriate and the case was settled for $10,000.

OCR also launched a new HIPAA enforcement initiative in 2019, under which two settlements were reached with covered entities over HIPAA Right of Access failures. Korunda Medical and Bayfront Health St. Petersburg had both failed to respond to patient requests for copies of their health information within a reasonable time frame. Both covered entities settled their HIPAA violation cases with OCR for $85,000.

OCR HIPAA Settlements and Civil Monetary Penalties in 2019

HIPAA Enforcement by State Attorneys General in 2019

State attorneys general can also take action over violations of HIPAA Rules. There were three cases against covered entities and business associates in 2019. As previously mentioned, Medical Informatics Engineering settled a multi-state lawsuit and paid a financial penalty of $900,000.

A second multi-state action was settled by Premera Blue Cross. The lawsuit pertained to a 2015 hacking incident that resulted in the theft of 10.4 million records. The investigation uncovered multiple violations of violations of HIPAA Rules and resulted in a $10 million financial penalty.

The California attorney general also took legal action over a data breach that affected 1,991 California residents. The health insurer Aetna had sent two mailings to its members in which highly sensitive information relating to HIV and Afib diagnoses was visible through the windows of the envelopes. The case was settled for $935,000.

The post 2019 Healthcare Data Breach Report appeared first on HIPAA Journal.

Hospital Sisters Health System Email Breach Impacts 16,167 Patients

Posted by HIPAA Journal

Hospital Sisters Health System has recently discovered an email security breach in August 2019 potentially resulted in unauthorized individuals gaining access to access emails and email attachments containing the protected health information of 16,167 patients.

Hospital Sisters Health System is a 15-hospital health system serving patients in Illinois and Wisconsin. Between August 6, 2019 and August 9, 2019, unauthorized individuals gained access to the email accounts of several employees. Prompt action was taken to secure the affected email accounts by changing passwords and a leading computer forensic firm was retained to investigate the breach and determine whether the compromised accounts contained patient information.

On December 2, 2019, Hospital Sisters Health System was informed that patient information had potentially been accessed by the attackers. The compromised email accounts were found to contain patient names, birth dates, and a limited amount of clinical information. Some patients also had their health insurance information, Social Security number, and/or driver’s license number exposed.

On January 31, 2020, Hospital Sisters Health System started mailing notification letters to all affected patients. Individuals whose Social Security number or driver’s license number was exposed have been offered complimentary membership to identity theft protection services and all individuals have been advised to monitor their accounts and explanation of benefits statements closely and to report any suspicious activity to law enforcement.

Hospital Sisters Health System has already taken steps to improve email security to prevent similar breaches from occurring in the future.

The post Hospital Sisters Health System Email Breach Impacts 16,167 Patients appeared first on HIPAA Journal.

Sunshine Behavioral Health Group Discovers PHI Exposed Over Internet

Posted by HIPAA Journal

Portland, OR-based Sunshine Behavioral Health Group, a provider of business services to healthcare providers, has discovered a cloud-based system used to store patient health records was accidentally misconfigured. The misconfiguration allowed patient information to be accessed over the internet.

The error was identified on September 4, 2019 and access controls were immediately implemented to prevent the records from being accessed by unauthorized individuals. Further actions were taken on November 14, 2019 to remove the records from general internet access.

On December 23, 2019, Sunshine Behavioral Health Group determined a folder in the cloud-based system contained information such as names, addresses, credit/debit card numbers, expiry dates, security codes, and electronic/digital signatures of individuals who had paid for healthcare services.

The exposed data related to payors for medical services received at Monarch Shores, Chapters Capistrano, Willow Springs Recovery, and Mountain Springs addition treatment and rehabilitation centers.

All individuals whose information was exposed have been offered complimentary membership to MyIDCare protection services for 24 months.

The incident has yet to appear on the HHS’ Office for Civil Rights breach portal so it is currently unclear how many individuals have been affected.

Thieves Stole Patient Information in Lake County Behavioral Health Burglary

Lake County Behavioral Health in Clearlake, CA, has announced it experienced a burglary on December 5, 2019 and thieves stole a locked filing cabinet containing client health information.

The stolen paperwork contained information such as patient names, contact telephone numbers, case numbers, medications, appointment dates and times, payments, and amounts due. One file contained a patient’s date of birth, Social Security number, medical history, disability status, substance use history, income verification information, and Medi-Cal ID number.

All patients whose information was stolen have been notified by mail and advised to register a fraud alert in case their information is misused. All remaining files have been relocated to a locked room in the heart of the facility, an alarm system has been fitted along with video surveillance with 24-hour monitoring. The break-in is being investigated by the Clearlake Police Department but no arrests have been made.

Jefferson Center for Mental Health Announces Potential Breach of PHI

Jefferson Center for Mental Health, a nonprofit provider of community-focused mental health care and substance use services in Colorado, experienced a burglary at its Independence Corner facility in Wheat Ridge on November 29, 2019.

The burglary was discovered on December 2, 2019 and the break-in was reported to law enforcement. No paperwork containing patient information was taken by the perpetrators, but it is possible that the personal and treatment information of 1,319 patients was viewed by the thieves.

Unauthorized data access is not suspected, but patients have been advised to monitor their accounts as a precaution. Jefferson Center for Mental Health is now taking steps to improve physical security at its offices.

The post Sunshine Behavioral Health Group Discovers PHI Exposed Over Internet appeared first on HIPAA Journal.

Slew of Email Security Breaches Reported by Healthcare Organizations

Posted by HIPAA Journal

A further 5 healthcare data breaches of 500 or more records have recently been reported by HIPAA-covered entities and their business associates.

Email Account Breach Reported by Shields Health Solutions

Shields Health Solutions, a Stoughton, MA-based provider of specialty pharmacy services to hospitals and other covered entities, has discovered an unauthorized individual gained access to the email account of an employee and potentially viewed/copied protected health information.

Suspicious activity was detected in the email account of an employee on October 24, 2019. Assisted by a cybersecurity firm, Shields Health Solutions determined an unauthorized individual accessed the account between October 22 and October 24, 2019. The breach was confined to a single email account.

The email account contained messages and attachments that included patient names, dates of birth, medical record numbers, provider names, clinical information, prescription information, insurer names, and limited claims information. No evidence was uncovered that suggests patient information was accessed or copied.

Shields Health Solutions has since taken steps to improve email security, including implementing multi-factor authentication on all employee email accounts. Notification letters were sent to affected individuals on December 16, 2019. The incident has not yet appeared on the HHS’ Office for Civil Rights (OCR) breach portal so it is currently unclear how many individuals have been affected.

Lafayette Regional Rehabilitation Hospital Email Breach Impacts 1,360 Patients

Lafayette Regional Rehabilitation Hospital in Lafayette, IN, has discovered an unauthorized individual gained access to the email account of an employee in July 2019 and potentially viewed patients’ protected health information.

The breach was detected on November 25, 2019, prompting a thorough investigation to determine whether any patient information had been accessed by unauthorized individuals. No evidence was found to indicate patient information was viewed or copied, but it was not possible to rule out the possibility. The compromised account was found to contain names, dates of birth, and clinical and treatment information related to medical services received at the hospital. A limited number of patients also had their Social Security number exposed.

Notification letters were sent to affected patients on January 24, 2019. Individuals whose Social Security number was exposed have been offered complimentary credit monitoring services. Lafayette Regional Rehabilitation Hospital has since taken steps to improve email security and employees have had security awareness training reinforced.

The breach report submitted to the OCR indicates up to 1,360 patients were affected by the breach.

6,524 Individuals Impacted by Phishing Attack on MHMR of Tarrant County

My Health My Resources (MHMR) of Tarrant County in Fort Worth, TX, has experienced a phishing attack involving the email accounts of a small number of its employees. The phishing attack was detected on December 3, 2019.

The investigation revealed the accounts were accessed by an unauthorized individual between October 12 and October 14, 2019. Emails in the account were found to include names, Social Security numbers, Driver’s license numbers, and some information about the care received at MHMR.

It was not possible to determine whether patient information was viewed, and no information has been received to suggest that any patient information has been misused. Out of an abundance of caution, all individuals whose information was stored in emails in the compromised accounts have been notified by mail. Individuals whose Social Security number or driver’s license number was exposed have been offered complimentary credit monitoring and identity theft protection services.

Additional email security training has now been provided to staff and steps have been taken to enhance its security infrastructure and systems.

Reva Phishing Attack Impacts 1,000 Patients

The medical transportation service provider, Reva, has announced that the protected health information of approximately 1,000 patients has potentially been accessed by an unauthorized individual as a result of a phishing attack.

Suspicious activity was detected in the email account of an employee on September 12, 2019. The account was secured and an investigation was launched, which revealed further email accounts had also been compromised. Those accounts had been subjected to unauthorized access between July 23, 2019 and September 13, 2019.

A review of the compromised accounts revealed they contained patients’ names, travel insurance information, dates of service, limited clinical information, passport numbers, driver’s license numbers, and a small number of Social Security numbers.

Complimentary credit monitoring and identity theft protection services have been offered to patients whose Social Security number or driver’s license number was exposed. Affected individuals were notified by mail on January 22, 2019.

Email security has been enhanced in response to the breach, multi-factor authentication has been implemented, and further security awareness training has been provided to employees.

Lawrenceville Internal Medicine Associates Email Error Exposed 8,031 Patients’ Email Addresses

Lawrenceville Internal Medicine Associates (LIMA) in Lawrence Township, NJ, is alerting 8,031 individuals about an email error that exposed patients’ email addresses. The error also impacted certain patients of Endocrinology Associates of Princeton, LLC.

An email announcement was sent to patients on October 29, 2019. Two days later, it was brought to the attention of LIMA that the email addresses of other patients may have been visible in the BCC field of the email. No other information was exposed as a result of the error.

Additional training has been provided to the IT department, email security policies and procedures have been strengthened, and LIMA has changed the email system used to send email communications to patients.

The post Slew of Email Security Breaches Reported by Healthcare Organizations appeared first on HIPAA Journal.

Health Share of Oregon Notifies 654,000 Members About Business Associate Data Breach

Posted by HIPAA Journal

Oregon’s Medicaid coordinated-care organization, Health Share of Oregon, is notifying approximately 654,000 current and former members that some of their protected health information (PHI) was stored on a laptop computer stolen from its transportation vendor, GridWorks.

GridWorks was contracted to manage Health Share’s Ride to Care program, through which Health Share provided non-emergent transportation for its members.

Health Share’s policies require business associates to use encryption on all portable devices containing patient information but, for reasons unknown, the GridWorks laptop was not encrypted. PHI stored on the laptop computer included names, addresses, contact telephone numbers, birth dates, Health Share ID numbers, Medicaid numbers, and Social Security numbers.

The laptop was stolen in a burglary at GridWorks’ office in November 2019. GridWorks notified Health Share about the laptop theft on January 2, 2020. Health Share started sending notification letters on February 5 to all individuals whose PHI was stored on the laptop. Affected individuals have been offered one year of complimentary credit monitoring and identity theft protection services.

Health Share conducts security audits of its vendors and last audited GridWorks in March 2019. In response to the breach, Health Share will expand its vendor security audit program and steps have been taken to ensure only the minimum amount of patient information is transmitted to its vendors. Training policies have also been enhanced.

In October 2019, Health Share announced that the nonprofit health plan, CareOregon, would be taking over the administration of its Ride to Care program. GridWorks had failed to pay several transportation companies that provided transport under the Ride to Care program. The company went into receivership in December 2019 and will cease operations once the administration of the Ride to Care program has been fully transferred to CareOregon.

The post Health Share of Oregon Notifies 654,000 Members About Business Associate Data Breach appeared first on HIPAA Journal.