HIPAA Breach News

Criminal HIPAA Violation Case Sees Healthcare Worker Charged on 415 Counts

A former employee of ACM Global Laboratories, part of Rochester Regional Health, has been accused of accessing the medical records of a patient, without authorization, on hundreds of occasions in an attempt to find information that could be used in a child custody battle.

A criminal investigation was launched into the alleged HIPAA violations by Jessica Meier, 41, of Hamlin, NY, when it was suspected that she had been abusing her access rights to patient information for malicious purposes.

Kristina Ciaccia was previously in a relationship with Meier’s half brother and has been in a lengthy child custody battle. In court, Ciaccia heard about a past visit by her own brother to the emergency room at Rochester Regional Health, a visit she herself had not known about. Suspecting that her family’s medical records were being snooped on, Ciaccia reported the matter to Rochester Regional Health.

According to court documents, the Rochester Regional Health audit revealed Meier had accessed the private medical records of Ciaccia on more than 200 occasions between March 2017 and August 2019, without any legitimate work purpose for doing so. It was also confirmed that Meier had accessed the medical records of members of Ciaccia’s family.

Ciaccia reported the criminal HIPAA violations to the police and an investigation was launched. Meier was arraigned in Gates Town Court on Tuesday, February 11, 2020 on 215 felony counts of computer trespass and 200 misdemeanor counts of unauthorized use of a computer. Meier pleaded not guilty to all counts and the case is expected to go before a grand jury.

“If you go in somebody’s medical records, you deserve to be charged. You deserve to be held accountable,” Ciaccia told News 10 NBC. Ciaccia also believes Rochester Regional Health should be held accountable, not for the breach itself, but for the failure to identify an ongoing privacy violation that spanned more than two years.

The unauthorized medical record access was only discovered after Ciaccia reported the potential privacy violation to Rochester Regional Health. “I feel like Rochester Regional pay her all year to go in my medical records,” said Ciaccia. Upon discovery of the unauthorized access, Rochester Regional Health took disciplinary action against Meier.

HIPAA requires healthcare organizations to implement safeguards to ensure the confidentiality, integrity, and availability of patient information. Even with access controls and other measures in place, it is not possible to prevent every case of an employee improperly accessing medical records: a laboratory employee who legitimately needs to open patient charts can open the wrong ones. What can be controlled is how quickly such access is identified.

The HIPAA Security Rule requires audit controls (45 CFR §164.312(b)): hardware, software, and procedural mechanisms that record activity in systems containing electronic protected health information. Those logs make after-the-fact audits possible, as was the case when Ciaccia brought the matter to the attention of Rochester Regional Health.

The Security Rule also requires regular information system activity review (45 CFR §164.308(a)(1)(ii)(D)): audit logs, access reports, and security incident reports must be examined routinely, not only when a patient complains. More than 200 accesses to one patient’s record by one user over two and a half years, with no order or encounter linking that user to the patient, is exactly the pattern such a review is meant to surface. Had the audit logs been monitored more closely, the privacy violation could have been identified and sanctions applied against Meier far sooner.
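One form such a review can take, as an added example that is not code from HIPAA Journal, Rochester Regional Health, or any EHR vendor: a Python script that runs over a constructed chart-access log and a constructed table of care relationships (orders or encounters that justify opening a chart) and flags opens with no such relationship, the same user repeatedly opening one unjustified chart, and one user opening several unjustified charts that share a last name (the family-snooping pattern in the case above). The log format, user and patient identifiers, names, the seven-day window, and the repeat threshold are all assumptions for illustration.

```python
"""Information system activity review over a constructed EHR access log.

Added example for illustration; the log format, identifiers, names, window
and threshold are assumptions, not any EHR vendor's real schema.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(days=7)   # assumed: an order/encounter within 7 days justifies a chart open
REPEAT_THRESHOLD = 3         # assumed: this many unjustified opens of one chart is a finding

# Constructed sample access log: ISO timestamp, user ID, patient MRN, action.
ACCESS_LOG = """\
2017-03-02T09:14:05,u1021,P-55012,chart_view
2017-03-15T13:02:11,u1021,P-55012,chart_view
2017-04-20T07:58:30,u1021,P-55012,chart_view
2017-04-20T08:01:12,u1021,P-55013,chart_view
2017-04-20T08:03:40,u1021,P-55014,chart_view
2017-04-03T10:00:00,u3388,P-55012,lab_result_view
2017-04-03T10:01:00,u3388,P-77001,chart_view
2017-04-05T11:20:00,u3388,P-77002,chart_view
"""

# Constructed patient roster (MRN -> last name) used for the family-cluster rule.
PATIENTS = {"P-55012": "Ciaccia", "P-55013": "Ciaccia", "P-55014": "Ciaccia",
            "P-77001": "Rivera", "P-77002": "Okafor"}

# Constructed care relationships: (user, MRN) -> date of the order or encounter
# that gives that user a treatment/payment/operations reason to open the chart.
CARE_RELATIONSHIPS = {
    ("u3388", "P-55012"): datetime(2017, 4, 2),
    ("u3388", "P-77001"): datetime(2017, 4, 3),
    ("u3388", "P-77002"): datetime(2017, 4, 5),
}


def parse_log(text):
    """Parse the CSV-style log into (timestamp, user, mrn, action) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, mrn, action = line.split(",")
        events.append((datetime.fromisoformat(ts), user, mrn, action))
    return events


def is_justified(user, mrn, when, relationships=CARE_RELATIONSHIPS):
    """True if the user had an order/encounter for this patient within WINDOW of the access."""
    ref = relationships.get((user, mrn))
    return ref is not None and abs(when - ref) <= WINDOW


def review_activity(log_text, patients=PATIENTS, relationships=CARE_RELATIONSHIPS):
    """Return per-user findings: unjustified opens, repeat access to one chart,
    and clusters of unjustified charts sharing a last name. Users whose every
    access is justified do not appear in the result."""
    unjustified = defaultdict(list)
    for when, user, mrn, action in parse_log(log_text):
        if not is_justified(user, mrn, when, relationships):
            unjustified[user].append((when, mrn, action))

    findings = {}
    for user, events in unjustified.items():
        per_chart = Counter(mrn for _, mrn, _ in events)
        repeats = {mrn: n for mrn, n in per_chart.items() if n >= REPEAT_THRESHOLD}
        by_name = defaultdict(set)
        for mrn in per_chart:
            by_name[patients.get(mrn, "unknown")].add(mrn)
        families = {name: sorted(mrns) for name, mrns in by_name.items() if len(mrns) >= 2}
        findings[user] = {
            "unjustified_opens": len(events),
            "repeat_access": repeats,
            "family_clusters": families,
        }
    return findings


if __name__ == "__main__":
    for user, finding in review_activity(ACCESS_LOG).items():
        print(user, finding)
```

Run against the constructed data, user u3388 produces no finding because each open sits within a week of an order for that patient, while u1021 is reported for five unjustified opens, three of them on one chart, across three charts that share a surname. In a real deployment the relationship table would be built from the EHR’s orders, encounters and requisitions, and the review would run on a schedule rather than in response to a complaint.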

The post Criminal HIPAA Violation Case Sees Healthcare Worker Charged on 415 Counts appeared first on HIPAA Journal.

2020 Protenus Breach Barometer Report Reveals 49% Increase in Healthcare Hacking Incidents

According to the 2020 Protenus Breach Barometer report, there were 572 healthcare data breaches of 500 or more records in 2019 and at least 41.4 million patient records were breached. That represents a 13.7% increase in the number of reported breaches and a 174.5% increase in the number of breached records.

The final total for 2019 is likely to be considerably higher, as the number of individuals affected by 91 of those breaches is not known, including two major breaches that have yet to be reported that affected more than 500 dental offices throughout the United States.

The 2020 Protenus Breach Barometer report, produced in conjunction with databreaches.net, was compiled from breaches reported to the HHS’ Office for Civil Rights, the media, and other sources. The report shows a dramatic rise in the number of hacking incidents in 2019, which were up 49% from 2018. 58% of all reported breaches in 2019 were hacking/IT incidents and at least 36,911,960 records were exposed or stolen in those breaches.

“It appears hacking incidents, particularly ransomware incidents, are on the rise; hackers are getting more creative in how they exploit healthcare organizations and patients alike,” explained Protenus in the report.

Healthcare ransomware attacks increased significantly in 2019 and worrying new trends emerged. Prior to file encryption, some ransomware gangs have started exfiltrating patient data and threatening to publish it if the ransom is not paid. In several cases data has actually been published to pressure victims into paying. One threat group even sent ransom demands to patients, demanding payment to prevent publication of their data, in addition to the ransom demand sent to the covered entity.

The largest data breach of the year was the hacking of American Medical Collection Agency. That single breach impacted multiple healthcare providers and resulted in the theft of more than 20 million patients’ PHI. The 7-month breach was only discovered when patient data was found listed for sale on a dark web marketplace.

Insider data breaches, due to human error and insider wrongdoing, fell by 20% in 2019. Protenus has attributed the reduction to increased adoption of healthcare compliance analytics to detect anomalous behavior as well as improvements to employee education on how to prevent privacy violations.

While this is encouraging, the severity of insider incidents increased in 2019 with 3,800,312 records exposed in insider breaches compared to 2,793,607 records in 2018. 72 of the incidents were confirmed as the result of insider error and 35 incidents were due to insider wrongdoing. 3,659,962 records were breached as a result of human error and 136,566 records were breached in insider wrongdoing incidents.

Healthcare organizations are getting better at detecting breaches. The average time to discover a breach was 255 days in 2018. In 2019, it took an average of 225 days.  The median detection time was 44 days. Several insider breaches took more than 4 years to discover, highlighting the need for AI-based solutions that can detect abnormal user activity.

The HIPAA Breach Notification Rule requires data breaches to be reported within 60 days of discovery, yet in 2019 it took an average of 80 days for breaches to be reported, up from 73 days in 2018.


PHI of 109,000 Patients Potentially Compromised in Washington Phishing Attack

Bellevue, WA-based Overlake Medical Center & Clinics is notifying 109,000 patients that some of their personal and protected health information has potentially been compromised as a result of a December 2019 phishing attack.

The phishing attack was detected on December 9, 2019 and a password reset was performed to prevent further unauthorized access. Overlake determined that one email account was compromised on December 6, 2019 and access remained possible until December 9 when the account was secured. Further email accounts were compromised on December 9, but access was only possible for a few hours.

A review of the affected accounts revealed they contained patient names, addresses, telephone numbers, dates of birth, health insurance provider names, health insurance ID numbers, and diagnosis and treatment information related to the care provided at Overlake. No Social Security numbers or financial information was compromised. The investigation uncovered no evidence of data theft and no reports have been received to suggest patient data has been misused.

Steps have now been taken to prevent similar breaches in the future including enhancing email security measures to block phishing emails, implementing multi-factor authentication for email accounts, enhancing security awareness training for employees, and implementing new email retention policies.

Overlake started mailing notification letters to affected patients on February 4, 2020. The data breach was reported to the Department of Health and Human Services’ Office for Civil Rights on February 7, 2020.

VibrantCare Rehabilitation Phishing Attack Impacts 1,655 Patients

The California physical therapy provider VibrantCare Rehabilitation has discovered that an employee email account was compromised after the employee responded to a phishing email.

Unusual activity was detected in the email account and third-party computer specialists were called in to investigate a potential breach. The investigation revealed the email account was accessed by an unauthorized individual between August 20, 2019 and August 27, 2019. A painstaking analysis of the email account revealed it contained the protected health information of 1,655 patients.

The exposed information varied from patient to patient. In addition to first and last names, the exposed information included demographic information, financial account information, credit or debit card information, Social Security numbers, driver’s license numbers, government or state identification numbers, military identification numbers, passport numbers, alien registration numbers, student identification numbers, medical and treatment information, health insurance information, Medicare or Medicaid numbers, patient numbers, medical record numbers, and prescription information.

No evidence was found that the intruder viewed or exfiltrated the patient information in the account, and no reports have been received to suggest patient information has been misused; however, as a precaution, affected patients have been advised to monitor their accounts, explanations of benefits, and credit reports for suspicious activity.

VibrantCare Rehabilitation is now reviewing and enhancing its existing policies to prevent further phishing attacks in the future.


MyEyeDr. Patients Notified of Ransomware Attack and Improper Disposal Incident

MyEyeDr. Optometry of Colorado P.C., a network of vision care offices, is notifying 1,475 Colorado residents that some of their protected health information was potentially compromised prior to a recent ransomware attack.

Certain MyEyeDr. systems were accessed by the attacker on December 11, 2019 and ransomware was downloaded and deployed. Steps were immediately taken by MyEyeDr. to prevent further unauthorized access and restore all affected records. The ransom was not paid.

While it was possible to restore the majority of encrypted data, some files could not be recovered and remain encrypted. A third-party computer forensics firm was engaged to investigate the attack and determine whether any data had been stolen prior to file encryption. The forensics firm found no evidence to suggest data had been exfiltrated and the attack is believed to have only involved file encryption with a view to extorting money from MyEyeDr.

A review of the affected systems revealed they contained patient information such as names, dates of birth, diagnoses, clinical information, and treatment information. Affected patients had received services at MyEyeDr. locations in Colorado between December 1 and December 10, 2019 inclusive.

Improper Disposal Incident Affects 7,983 Patients of Today’s Vision Willowbrook

MyEyeDr. has also announced a separate incident that resulted in the exposure of the protected health information of 7,983 patients of Today’s Vision Willowbrook, which was acquired by Capital Vision Services d/b/a MyEyeDr. in February 2019.

On or around May 21, 2019, MyEyeDr. discovered historic records of Today’s Vision Willowbrook patients had been disposed of in an improper manner. The records had been discarded in a dumpster near Tomball, Texas, instead of being securely destroyed.

The records contained information such as names, addresses, dates of birth, Social Security numbers, clinical information, and billing information and related to patients who visited Today’s Vision Willowbrook between 1997 and 2003.

The improper disposal was reported by the media. Local law enforcement officers visited and collected the records. MyEyeDr. said “Based on the prompt action of the Tomball police in securing the records, there is no indication that any unauthorized third parties had or will have an opportunity to misuse any of the patient information contained in the records at issue.”

MyEyeDr. has confirmed that the records were never in the possession of any MyEyeDr. employees and the records do not appear to have been dumped by employees of Today’s Vision Willowbrook.

Monroe County Hospital & Clinics Email Breach Impacts 7,500 Patients

Albia, IA-based Monroe County Hospital & Clinics has discovered an unauthorized individual has gained access to its email system and potentially viewed or obtained the protected health information of approximately 7,500 patients.

The attack was discovered on December 19, 2019 and a computer forensic expert was engaged to investigate the breach and determine the size and scope of the attack. The investigation revealed several employee email accounts had been accessed by unknown individuals between October 28, 2019 and January 20, 2020.

The compromised accounts were discovered to contain protected health information. The exposed information varied from patient to patient and may have included name, address, date of birth, medical record number, date(s) of service, insurance status, payor type, diagnosis codes, reason for visits, and other treatment related information. Some patients also had their Social Security number exposed. Complimentary membership to credit monitoring services has been offered to affected individuals.

Upon discovery of the breach, passwords were reset to prevent further unauthorized account access and employees have been provided with further security awareness training. Additional security measures are also being considered to prevent attacks in the future.


Wise Health System Notifies 66,934 Patients of Phishing Attack

Wise Health System in Decatur, TX, is notifying 66,934 patients that some of their protected health information was potentially compromised in a phishing attack that occurred on March 14, 2019.

Wise Health System previously reported the phishing attack to the Department of Health and Human Services’ Office for Civil Rights on July 13, 2019 as having affected 35,899 individuals. That total has now been updated following the completion of a data audit. The data audit commenced in June 2019 and has only just been completed. New notifications started to be sent to affected patients on February 13, 2020.

In March 2019, several employees responded to phishing emails and disclosed their account credentials. The attackers used those credentials to access the Employee Kiosk and attempted to reroute payroll direct deposits. Wise Health System reports that attempts were made to reroute approximately 100 direct deposit payments.

Security protocols required two checks to be issued to employees following a change to direct deposit information. This security measure was key to identifying the scam and preventing the misdirection of direct deposit payments. The large number of checks printed on April 5, 2019 raised a red flag and suggested unauthorized individuals had gained access to its systems.
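The red flag Wise Health System describes can be raised before any checks are printed, by reviewing direct-deposit change events as they arrive rather than noticing the side effect of the paper-check control weeks later. The following Python script is an added example, not code from Wise Health System, ID Experts, or any payroll vendor. It goes beyond the single signal in the article: over a constructed change log it flags a burst of changes inside one window, several employees redirected to the same destination account, and several employees’ changes submitted from one client address, and returns the employees whose changes should be held for out-of-band verification (the period the article covers with two issued checks). The event format, employee IDs, routing and account numbers, IP addresses, and thresholds are all constructed for illustration.

```python
"""Review of payroll direct-deposit change events for signs of diversion.

Added example for illustration; the event format, employee IDs, routing and
account numbers, client addresses and thresholds are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

BURST_WINDOW = timedelta(hours=24)  # assumed review window
BURST_THRESHOLD = 5                 # assumed: more changes than this in one window is abnormal
SHARED_IP_THRESHOLD = 3             # assumed: this many employees from one address is abnormal

# Constructed change log: ISO timestamp, employee ID, new routing number,
# new account number, client IP address that submitted the change.
CHANGES = """\
2019-03-14T10:02:00,E1001,123456789,554411,10.20.3.15
2019-03-14T10:05:30,E1042,123456789,554411,10.20.3.15
2019-03-14T10:07:10,E1077,123456789,554411,10.20.3.15
2019-03-14T10:09:45,E1103,123456789,554411,10.20.3.15
2019-03-14T10:12:00,E1120,123456789,554412,10.20.3.15
2019-03-14T10:15:20,E1155,123456789,554413,10.20.3.15
2019-03-01T09:00:00,E1200,987654321,990001,10.20.7.8
2019-03-05T14:30:00,E1201,987654321,990002,10.20.9.9
"""


def parse_changes(text):
    """Parse the log into (timestamp, employee, routing, account, ip), oldest first."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, emp, routing, acct, ip = line.split(",")
        rows.append((datetime.fromisoformat(ts), emp, routing, acct, ip))
    return sorted(rows)


def detect_payroll_diversion(text):
    """Apply three diversion heuristics and list employees to hold for verification."""
    rows = parse_changes(text)

    # Rule 1: a burst of changes inside one sliding window.
    burst_peak, burst_members = 0, set()
    for i, (start, *_) in enumerate(rows):
        window = [r for r in rows[i:] if r[0] - start <= BURST_WINDOW]
        if len(window) > burst_peak:
            burst_peak, burst_members = len(window), {r[1] for r in window}
    burst = burst_members if burst_peak >= BURST_THRESHOLD else set()

    # Rule 2: several employees redirected to the same destination account.
    by_account = defaultdict(set)
    for _, emp, routing, acct, _ in rows:
        by_account[(routing, acct)].add(emp)
    shared_accounts = {k: sorted(v) for k, v in by_account.items() if len(v) >= 2}

    # Rule 3: several employees' changes submitted from one client address.
    by_ip = defaultdict(set)
    for _, emp, _, _, ip in rows:
        by_ip[ip].add(emp)
    shared_ips = {ip: sorted(v) for ip, v in by_ip.items() if len(v) >= SHARED_IP_THRESHOLD}

    # Any employee caught by a rule is held for out-of-band verification rather
    # than having the new account take effect on the next payroll run.
    hold = set(burst)
    for emps in shared_accounts.values():
        hold.update(emps)
    for emps in shared_ips.values():
        hold.update(emps)

    return {"burst_peak": burst_peak, "burst": sorted(burst),
            "shared_accounts": shared_accounts, "shared_ips": shared_ips,
            "hold_for_verification": sorted(hold)}


if __name__ == "__main__":
    for key, value in detect_payroll_diversion(CHANGES).items():
        print(key, value)
```

On the constructed data the two March 1 and March 5 changes pass, while the six changes made within a quarter of an hour on March 14 trip all three rules and are held. Multi-factor authentication on the employee portal removes the credential-phishing entry point; this review is the compensating control for the changes that are made with valid credentials anyway.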

A system-wide password reset was performed to lock the attackers out of the system and two independent computer forensics firms were engaged to investigate the breach. The cyberattack was also reported to the FBI. The FBI investigation revealed the attackers were based in Africa and the case has now been closed.

Wise Health System, the two computer forensics firms, and the FBI share the belief that patient information was not accessed by the attackers. The criminal gangs behind these campaigns are solely concerned with rerouting payroll direct deposits and there have previously been no confirmed reports of data theft by these gangs. However, the email credentials obtained by the attackers would have allowed them to access email accounts that contained protected health information such as names, medical record numbers, diagnostic information, health insurance information, and treatment information.

Out of an abundance of caution, affected patients have been offered credit monitoring, identity theft recovery, and identity theft insurance coverage through the ID Experts MyIDCare service for 12 to 24 months. Following the breach, Wise Health System implemented measures to improve its cybersecurity posture.

PSL Services Discovered Employee Email Account Breach

Peregrine Corporation, dba PSL Services, has discovered that unauthorized individuals gained access to the email accounts of several employees between December 16, 2019 and December 19, 2019.

A breach was suspected when suspicious activity was detected in the email account of an employee. A third-party computer forensics firm was engaged to investigate the breach and discovered several email accounts had been compromised.

The types of information contained in the compromised email accounts varied from patient to patient and included names, dates of birth, Social Security numbers, driver’s license numbers, medical information, and Medicare numbers.

The compromised accounts are being reviewed to determine which patients have been affected. The incident is still being investigated and the final number of individuals affected has not yet been determined. Affected individuals are being offered free identity theft protection services and written notices will be sent to affected individuals as soon as possible.

PSL Services is reviewing its security measures and will implement additional safeguards to prevent similar breaches from occurring in the future.


Malware Attack Disables Servers at Physician Network Affiliated with Boston Children’s Hospital

On Monday, February 10, 2020, Pediatric Physicians’ Organization at Children’s (PPOC), a physician group affiliated with Boston Children’s Hospital, experienced a malware attack that caused a system outage which prevented its 500+ pediatricians, nurse practitioners, and physician assistants from accessing patient data and scheduling calendars.

PPOC has approximately 200 servers, 11 of which were impacted by the attack. IT teams at PPOC and Boston Children’s Hospital worked swiftly to contain the malware and the affected servers have now been quarantined. Servers unaffected by the attack were shut down as a precautionary measure. Boston Children’s Hospital issued a statement confirming its systems were unaffected by the attack.

Patients were advised to reschedule non-urgent appointments as health records cannot be accessed until the malware is removed and the servers are brought back online. Boston Children’s Hospital issued a statement on Wednesday saying progress was being made restoring the servers, but it was still unclear how long the recovery process would take.

PPOC has over 100 practices across the state of Massachusetts and serves more than 350,000 patients. It is currently unclear what type of malware was involved and whether it allowed hackers to gain access to patient data.

Central Kansas Orthopedic Group Suffers Ransomware Attack

Central Kansas Orthopedic Group (CKOG) in Great Bend, KS suffered a ransomware attack in November 2019 that resulted in the encryption of patient records.

The attack was discovered on November 11, 2019. The attackers sent a ransom demand which CKOG refused to pay. All encrypted files, including patient medical records, were successfully restored from backups.

A third-party forensic investigator was retained to assist with the investigation and determine whether patient data had been accessed or copied by the attackers prior to the deployment of ransomware. The investigation uncovered no evidence to suggest the attackers accessed or stole patient data and no reports of data misuse have been received.

The types of information that could potentially have been accessed included names, addresses, email addresses, dates of birth, state-issued ID numbers, driver’s license numbers, health information related to treatment provided by CKOG, Social Security numbers, and health insurance information. All affected patients have been notified by mail and offered identity theft protection services through ID Experts.

CKOG is now reviewing its security platform and has started implementing additional security protocols to harden its security posture.

The HHS’ Office for Civil Rights breach portal shows 17,214 patients were potentially affected by the attack.


2019 Healthcare Data Breach Report

Figures from the Department of Health and Human Services’ Office for Civil Rights breach portal show a major increase in healthcare data breaches in 2019. Last year, 510 healthcare data breaches of 500 or more records were reported, a 37.47% increase on the 371 breaches reported in 2018.

As the graph below shows, aside from 2015, healthcare data breaches have increased every year since the HHS’ Office for Civil Rights first started publishing breach summaries in October 2009.

196% more records were breached in 2019 than in 2018, increasing from 13,947,909 records in 2018 to 41,335,889 records in 2019.

Last year saw more data breaches reported than any other year in history and 2019 was the second worst year in terms of the number of breached records. More healthcare records were breached in 2019 than in the six years from 2009 to 2014. In 2019, the healthcare records of 12.55% of the population of the United States were exposed, impermissibly disclosed, or stolen.

Largest Healthcare Data Breaches of 2019

The table below shows the largest healthcare data breaches of 2019, based on the entity that reported the breach.

Rank | Name of Covered Entity | Covered Entity Type | Individuals Affected | Type of Breach | Location of Breached Information
1 | Optum360, LLC | Business Associate | 11,500,000 | Hacking/IT Incident | Network Server
2 | Laboratory Corporation of America Holdings dba LabCorp | Healthcare Provider | 10,251,784 | Hacking/IT Incident | Network Server
3 | Dominion Dental Services, Inc., Dominion National Insurance Company, and Dominion Dental Services USA, Inc. | Health Plan | 2,964,778 | Hacking/IT Incident | Network Server
4 | Clinical Pathology Laboratories, Inc. | Healthcare Provider | 1,733,836 | Unauthorized Access/Disclosure | Network Server
5 | Inmediata Health Group, Corp. | Healthcare Clearing House | 1,565,338 | Unauthorized Access/Disclosure | Network Server
6 | UW Medicine | Healthcare Provider | 973,024 | Hacking/IT Incident | Network Server
7 | Women’s Care Florida, LLC | Healthcare Provider | 528,188 | Hacking/IT Incident | Network Server
8 | CareCentrix, Inc. | Healthcare Provider | 467,621 | Hacking/IT Incident | Network Server
9 | Intramural Practice Plan – Medical Sciences Campus – University of Puerto Rico | Healthcare Provider | 439,753 | Hacking/IT Incident | Network Server
10 | BioReference Laboratories Inc. | Healthcare Provider | 425,749 | Hacking/IT Incident | Other
11 | Bayamon Medical Center Corp. | Healthcare Provider | 422,496 | Hacking/IT Incident | Network Server
12 | Memphis Pathology Laboratory d/b/a American Esoteric Laboratories | Healthcare Provider | 409,789 | Unauthorized Access/Disclosure | Network Server
13 | Sunrise Medical Laboratories, Inc. | Healthcare Provider | 401,901 | Hacking/IT Incident | Network Server
14 | Columbia Surgical Specialist of Spokane | Healthcare Provider | 400,000 | Hacking/IT Incident | Network Server
15 | Sarrell Dental | Healthcare Provider | 391,472 | Hacking/IT Incident | Network Server
16 | UConn Health | Healthcare Provider | 326,629 | Hacking/IT Incident | Email
17 | Premier Family Medical | Healthcare Provider | 320,000 | Hacking/IT Incident | Network Server
18 | Metro Santurce, Inc. d/b/a Hospital Pavia Santurce and Metro Hato Rey, Inc. d/b/a Hospital Pavia Hato Rey | Healthcare Provider | 305,737 | Hacking/IT Incident | Network Server
19 | Navicent Health, Inc. | Healthcare Provider | 278,016 | Hacking/IT Incident | Email
20 | ZOLL Services LLC | Healthcare Provider | 277,319 | Hacking/IT Incident | Network Server


The above table does not tell the full story. When a business associate experiences a data breach, it is not always reported by the business associate. Sometimes a breach is experienced by a business associate and the covered entities that they work with report the breaches separately, as was the case with American Medical Collection Agency (AMCA), a collection agency used by several HIPAA covered entities.

In 2019, hackers gained access to AMCA systems and stole sensitive client data. The breach was the second largest healthcare data breach ever reported, with only the Anthem Inc. data breach of 2015 having impacted more individuals.

HIPAA Journal tracked the breach reports submitted to OCR by each affected covered entity. At least 24 organizations are known to have had data exposed/stolen as a result of the hack.

Organizations Affected by the 2019 AMCA Data Breach

Healthcare Organization | Confirmed Victim Count
Quest Diagnostics/Optum360 | 11,500,000
LabCorp | 10,251,784
Clinical Pathology Laboratories | 1,733,836
CareCentrix | 467,621
BioReference Laboratories/OPKO Health | 425,749
American Esoteric Laboratories | 409,789
Sunrise Medical Laboratories | 401,901
Inform Diagnostics | 173,617
CBLPath Inc. | 141,956
Laboratory Medicine Consultants | 140,590
Wisconsin Diagnostic Laboratories | 114,985
CompuNet Clinical Laboratories | 111,555
Austin Pathology Associates | 43,676
Mount Sinai Hospital | 33,730
Integrated Regional Laboratories | 29,644
South Texas Dermatopathology LLC | 15,982
Penobscot Community Health Center | 13,299
Pathology Solutions | 13,270
West Hills Hospital and Medical Center / United WestLabs | 10,650
Seacoast Pathology, Inc | 8,992
Arizona Dermatopathology | 5,903
Laboratory of Dermatology ADX, LLC | 4,082
Western Pathology Consultants | 4,079
Natera | 3,035
Total Records Breached | 26,059,725

Causes of 2019 Healthcare Data Breaches

The HHS’ Office for Civil Rights assigns breaches to one of five different categories:

  • Hacking/IT incidents
  • Unauthorized access/disclosures
  • Theft
  • Loss
  • Improper disposal

59.41% of healthcare data breaches in 2019 were classified as hacking/IT incidents and involved 87.60% of all breached records. 28.82% of data breaches were classed as unauthorized access/disclosure incidents and involved 11.27% of all records breached in 2019.

10.59% of breaches were classed as loss and theft incidents involving electronic devices containing unencrypted electronic protected health information or physical records. Those incidents accounted for 1.07% of breached records in 2019.

1.18% of breaches and 0.06% of breached records were due to improper disposal of physical records and devices containing electronic protected health information.

Breach Cause | Incidents | Breached Records | Mean Breach Size | Median Breach Size
Hacking/IT Incident | 303 | 36,210,097 | 119,505 | 6,000
Unauthorized Access/Disclosure | 147 | 4,657,932 | 31,687 | 1,950
Theft | 39 | 367,508 | 9,423 | 2,477
Loss | 15 | 74,271 | 4,951 | 3,135
Improper Disposal | 6 | 26,081 | 4,347 | 4,177
Total | 510 | 41,335,889 | | 

We have not tracked the cause of each breach reported in 2019, but the table below provides an indication of the biggest problem area for healthcare organizations – Securing email systems and blocking phishing attacks. The email incidents include misdirected emails, but the majority of email incidents were phishing and spear phishing attacks.

Healthcare Data Breaches by Covered Entity

77.65% of 2019 data breaches were reported by healthcare providers (396 incidents), 11.57% of breaches were reported by health plans (59 incidents), and 0.39% of data breaches were reported by healthcare clearinghouses (2 incidents).

23.33% of the year’s breaches involved business associates to some extent. 10.39% of data breaches were reported by business associates (53 incidents) and 66 data breaches were reported by a covered entity which stated there was some business associate involvement.

States Worst Affected by Healthcare Data Breaches

Data breaches were reported by HIPAA-covered entities or business associates in 48 states, Washington DC, and Puerto Rico. The worst affected state was Texas with 60 data breaches reported. California was the second most badly hit with 42 reported data breaches.

The only states where no data breaches of 500 or more records were reported were North Dakota and Hawaii.

State | Breaches (five states per row; 510 breaches in total)
Texas 60 | Maryland 14 | Arkansas 9 | Alabama 4 | Mississippi 2
California 42 | Washington 14 | South Carolina 9 | Alaska 4 | Montana 2
Illinois 26 | Georgia 13 | New Jersey 8 | Iowa 4 | South Dakota 2
New York 25 | North Carolina 13 | Massachusetts 7 | Kentucky 4 | Washington DC 2
Ohio 25 | Tennessee 11 | Puerto Rico 7 | Nebraska 4 | West Virginia 2
Minnesota 23 | Arizona 10 | Virginia 7 | Oklahoma 4 | Delaware 1
Florida 22 | Colorado 10 | Louisiana 6 | Utah 4 | Kansas 1
Pennsylvania 19 | Connecticut 10 | New Mexico 6 | Wyoming 3 | New Hampshire 1
Missouri 17 | Indiana 10 | Wisconsin 6 | Idaho 2 | Rhode Island 1
Michigan 16 | Oregon 10 | Nevada 5 | Maine 2 | Vermont 1

HIPAA Enforcement in 2019

The HHS’ Office for Civil Rights continued to enforce compliance with HIPAA at a similar level to the previous three years.

In 2019, there were 10 HIPAA enforcement actions that resulted in financial penalties. 2 civil monetary penalties were imposed and 8 covered entities/business associates agreed settlements with OCR to resolve HIPAA violations.

In total, $12,274,000 was paid to OCR in fines and settlements. The largest financial penalties of the year resulted from investigations of potential HIPAA violations by University of Rochester Medical Center and Touchstone Medical Imaging. Both cases were settled for $3,000,000.

OCR uncovered multiple violations of HIPAA Rules while investigating separate loss/theft incidents reported by University of Rochester Medical Center. OCR discovered risk analysis and risk management failures, a lack of encryption on portable electronic devices, and insufficient device and media controls.

Touchstone Medical Imaging experienced a data breach that resulted in the impermissible disclosure of 307,839 individuals’ PHI due to an FTP server being exposed to the internet. OCR investigated and determined there had been risk analysis failures, business associate agreement failures, insufficient access controls, a failure to respond to a security incident, and violations of the HIPAA Breach Notification Rule.

Sentara Hospitals agreed to a $2.175 million settlement stemming from a 577-record data breach that was reported to OCR as only affecting 8 individuals. OCR told Sentara Hospitals that the breach notification needed to be updated to include the other individuals affected by the mailing error, but Sentara Hospitals refused. OCR determined a financial penalty was appropriate for the breach notification reporting failure and the lack of a business associate agreement with one of its vendors.

A civil monetary penalty of $2.154 million was imposed on the Miami, FL-based nonprofit academic medical system Jackson Health System (JHS). Following a data breach, OCR investigated and found a compliance program that had been in disarray for several years. The CMP resolved multiple violations of the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule.

A civil monetary penalty of $1,600,000 was imposed on Texas Department of Aging and Disability Services for multiple violations of HIPAA Rules discovered during the investigation of a breach involving an exposed internal application. OCR discovered there had been risk analysis failures, access control failures, and information system activity monitoring failures, which contributed to the impermissible disclosure of 6,617 patients’ ePHI.

Medical Informatics Engineering (MIE), an Indiana-based provider of electronic medical record software and services, experienced a major data breach in 2015 at its NoMoreClipboard subsidiary. Hackers used a compromised username and password to gain access to a server that contained the protected health information (PHI) of 3.5 million individuals. OCR determined there had been a risk analysis failure and the case was settled for $100,000. MIE also settled a multi-state action with state attorneys general over the same breach and settled that case for $900,000.

The Carroll County, GA ambulance company, West Georgia Ambulance, was investigated over the reported loss of an unencrypted laptop computer that contained the PHI of 500 patients. OCR found there had been a risk analysis failure, there was no security awareness training program for staff, and HIPAA Security Rule policies and procedures had not been implemented. The case was settled for $65,000.

There was one financial penalty for a social media HIPAA violation. Elite Dental Associates responded to patient reviews on Yelp, and in doing so impermissibly disclosed PHI. OCR determined a financial penalty was appropriate and the case was settled for $10,000.

OCR also launched a new HIPAA enforcement initiative in 2019, under which two settlements were reached with covered entities over HIPAA Right of Access failures. Korunda Medical and Bayfront Health St. Petersburg had both failed to respond to patient requests for copies of their health information within a reasonable time frame. Both covered entities settled their HIPAA violation cases with OCR for $85,000.

OCR HIPAA Settlements and Civil Monetary Penalties in 2019

HIPAA Enforcement by State Attorneys General in 2019

State attorneys general can also take action over violations of HIPAA Rules. There were three cases against covered entities and business associates in 2019. As previously mentioned, Medical Informatics Engineering settled a multi-state lawsuit and paid a financial penalty of $900,000.

A second multi-state action was settled by Premera Blue Cross. The lawsuit pertained to a 2015 hacking incident that resulted in the theft of 10.4 million records. The investigation uncovered multiple violations of HIPAA Rules and resulted in a $10 million financial penalty.

The California attorney general also took legal action over a data breach that affected 1,991 California residents. The health insurer Aetna had sent two mailings to its members in which highly sensitive information relating to HIV and Afib diagnoses was visible through the windows of the envelopes. The case was settled for $935,000.

The post 2019 Healthcare Data Breach Report appeared first on HIPAA Journal.

Hospital Sisters Health System Email Breach Impacts 16,167 Patients

Hospital Sisters Health System has recently discovered that an email security breach in August 2019 potentially resulted in unauthorized individuals gaining access to emails and email attachments containing the protected health information of 16,167 patients.

Hospital Sisters Health System is a 15-hospital health system serving patients in Illinois and Wisconsin. Between August 6, 2019 and August 9, 2019, unauthorized individuals gained access to the email accounts of several employees. Prompt action was taken to secure the affected email accounts by changing passwords and a leading computer forensic firm was retained to investigate the breach and determine whether the compromised accounts contained patient information.

On December 2, 2019, Hospital Sisters Health System was informed that patient information had potentially been accessed by the attackers. The compromised email accounts were found to contain patient names, birth dates, and a limited amount of clinical information. Some patients also had their health insurance information, Social Security number, and/or driver’s license number exposed.

On January 31, 2020, Hospital Sisters Health System started mailing notification letters to all affected patients. Individuals whose Social Security number or driver’s license number was exposed have been offered complimentary membership to identity theft protection services and all individuals have been advised to monitor their accounts and explanation of benefits statements closely and to report any suspicious activity to law enforcement.

Hospital Sisters Health System has already taken steps to improve email security to prevent similar breaches from occurring in the future.

The post Hospital Sisters Health System Email Breach Impacts 16,167 Patients appeared first on HIPAA Journal.

Sunshine Behavioral Health Group Discovers PHI Exposed Over Internet

Portland, OR-based Sunshine Behavioral Health Group, a provider of business services to healthcare providers, has discovered a cloud-based system used to store patient health records was accidentally misconfigured. The misconfiguration allowed patient information to be accessed over the internet.

The error was identified on September 4, 2019 and access controls were immediately implemented to prevent the records from being accessed by unauthorized individuals. Further actions were taken on November 14, 2019 to remove the records from general internet access.

On December 23, 2019, Sunshine Behavioral Health Group determined a folder in the cloud-based system contained information such as names, addresses, credit/debit card numbers, expiry dates, security codes, and electronic/digital signatures of individuals who had paid for healthcare services.

The exposed data related to payors for medical services received at Monarch Shores, Chapters Capistrano, Willow Springs Recovery, and Mountain Springs addiction treatment and rehabilitation centers.

All individuals whose information was exposed have been offered complimentary membership to MyIDCare protection services for 24 months.

The incident has yet to appear on the HHS’ Office for Civil Rights breach portal so it is currently unclear how many individuals have been affected.

Thieves Stole Patient Information in Lake County Behavioral Health Burglary

Lake County Behavioral Health in Clearlake, CA, has announced it experienced a burglary on December 5, 2019 and thieves stole a locked filing cabinet containing client health information.

The stolen paperwork contained information such as patient names, contact telephone numbers, case numbers, medications, appointment dates and times, payments, and amounts due. One file contained a patient’s date of birth, Social Security number, medical history, disability status, substance use history, income verification information, and Medi-Cal ID number.

All patients whose information was stolen have been notified by mail and advised to register a fraud alert in case their information is misused. All remaining files have been relocated to a locked room in the heart of the facility, and an alarm system has been fitted along with video surveillance with 24-hour monitoring. The break-in is being investigated by the Clearlake Police Department, but no arrests have been made.

Jefferson Center for Mental Health Announces Potential Breach of PHI

Jefferson Center for Mental Health, a nonprofit provider of community-focused mental health care and substance use services in Colorado, experienced a burglary at its Independence Corner facility in Wheat Ridge on November 29, 2019.

The burglary was discovered on December 2, 2019 and the break-in was reported to law enforcement. No paperwork containing patient information was taken by the perpetrators, but it is possible that the personal and treatment information of 1,319 patients was viewed by the thieves.

Unauthorized data access is not suspected, but patients have been advised to monitor their accounts as a precaution. Jefferson Center for Mental Health is now taking steps to improve physical security at its offices.

The post Sunshine Behavioral Health Group Discovers PHI Exposed Over Internet appeared first on HIPAA Journal.