Ann & Robert H. Lurie Children’s Hospital of Chicago, a pediatric specialty hospital in Chicago, IL, has discovered a former employee accessed the medical records of certain patients without a legitimate work reason for doing so. The unauthorized access occurred between September 10, 2018 and September 22, 2019.

The hospital learned of the HIPAA violation on November 15, 2019 and immediately terminated the employee’s access to all patient information while the incident was investigated. The employee was subsequently disciplined for the violation of HIPAA and hospital policies and was terminated.

The employee was unable to view full Social Security numbers, financial information, or health insurance information. The only types of information that could have been viewed were names, addresses, dates of birth, diagnoses, appointment dates, medical procedures, and other limited medical information.

The breach notice published on the hospital’s website makes no mention of the reason why the former employee was accessing patient information, but the hospital says there is no reason to suspect that any patient information has been stolen, further disclosed, or misused.

Patients affected by the breach were notified by mail on December 26, 2019. As a precaution against misuse of their personal and health information, affected patients have been advised to monitor the statements they receive from their healthcare provider. A spokesperson for the hospital said, “Lurie Children’s deeply regrets that this incident occurred,” and confirmed that steps have been taken to prevent any further incidents of this nature from occurring in the future, including providing further training for employees on the hospital’s policies regarding unauthorized accessing of patient records.

The incident has yet to appear on the Department of Health and Human Services’ Office for Civil Rights’ breach portal, so it is currently unclear how many patients have been affected.

The post Ann & Robert H. Lurie Children’s Hospital of Chicago Fires Worker for Unauthorized Medical Record Access appeared first on HIPAA Journal.

Roosevelt General Hospital in Portales, New Mexico has discovered malware on a digital imaging server used by its radiology department. The malware potentially allowed cybercriminals to gain access to the radiological images of around 500 patients.

The malware infection was discovered on November 14, 2019 and prompt action was taken to isolate the server to prevent further unauthorized access and block communications with the attackers’ command and control server. The IT department was able to remove the malware and rebuild the server and all patient data was recovered. A scan was conducted to identify any vulnerabilities and the hospital is now satisfied that the server is secured and protected.

The investigation into the breach did not uncover any evidence to suggest protected health information and medical images were viewed or stolen by the hackers, but the possibility of unauthorized data access and PHI theft could not be ruled out.

The investigation into the security breach is continuing but the hospital’s IT department has confirmed that the breach was limited to the imaging server. Its medical record system and billing systems were unaffected. The types of information accessible through the compromised server included names, addresses, phone numbers, dates of birth, Social Security numbers, driver’s license numbers, health insurance information, medical information and the genders of patients.

All patients whose information was accessible through the server have been notified about the security breach by mail and have been advised to monitor their credit reports for any sign of fraudulent activity. No reports of misuse of patient information have been received by the hospital to date.

The incident has yet to appear on the Department of Health and Human Services’ Office for Civil Rights’ breach portal, so the exact number of patients affected by the breach is not yet available. According to RGH Marketing and Public Relations Director, Jeanette Orrantia, the breach was reported to OCR within 60 days of discovery.

The post New Mexico Hospital Discovers Malware on Imaging Server appeared first on HIPAA Journal.

The State of Colorado is notifying 12,230 individuals about an impermissible disclosure of some of their protected health information as a result of a mailing error.

The error occurred on a Colorado Department of Human Services mailing of Notices to Reapply for food and cash assistance programs.

The error came to light on November 6, 2019. The investigation revealed 10,879 Notice to Reapply forms had been sent which contained the information of incorrect individuals. The information of 12, 230 individuals had been incorrectly included on the forms.

The information included names, employers, whether the person had a vehicle, and a limited amount of other information related to household resources. No addresses, dates of birth, financial information, Social Security numbers, or other information required for identity theft and fraud were disclosed.

Affected individuals were notified about the error on November 10, 2019 and have been advised to either shred the incorrect notices or take them to their local county human services’ office for secure disposal.

The risk of misuse of PHI is low due to the nature of disclosed information but, as a precaution, affected individuals have been offered complimentary credit monitoring services for 12 months.

Sinai Health System Phishing Attack Reported

Chicago-based Sinai Health System has discovered the email accounts of two of its employees have been compromised as a result of responses to phishing emails. No information has been disclosed about the date of the attack and when it was discovered, but Sinai Health System has reported that third-party computer forensics experts determined on October 16, 2019 that the compromised accounts contained protected health information which was potentially accessed by the attackers. No evidence of data theft was uncovered during the investigation and no reports have been received to suggest any PHI has been misused.

The types of information in the compromised accounts varied from patient to patient and may have included names, addresses, dates of birth, Social Security numbers, health information, and health insurance information. Steps have already been taken to improve email security, including upgrading its email filtering controls. Staff have also received further security awareness training to help them identify malicious emails and email retention policies have been revised.

The breach report submitted to the Department of Health and Human Services’ Office for Civil Rights indicates the compromised accounts contained the protected health information of 12,578 patients.

The post Colorado Department of Human Services and Sinai Health System Alert Patients About HIPAA Breaches appeared first on HIPAA Journal.

The Centers for Medicare and Medicaid Services (CMS) has discovered a bug in its Blue Button 2.0 API that exposed the protected health information of 10,000 Medicare beneficiaries. Access to the Blue Button API has been temporarily suspended while the CMS investigates and completes a comprehensive code review. The CMS has not produced a timeline for when the Blue Button 2.0 service will be resumed.

On December 4, 2019, the CMS was alerted to a data anomaly with the Blue Button API by a third-party application partner. The CMS confirmed the data anomaly and immediately suspended access to the production environment while the matter was investigated.

The CMS determined the anomaly was due to a coding bug. That bug potentially allowed data to be shared with incorrect Blue Button 2.0 applications and the wrong beneficiaries. The CMS determined 30 applications have been impacted by the bug.

The Blue Button platform is used by Medicare beneficiaries to authorize third-party applications, services, and research programs to access their claims data. A CMS identity management system verifies user credentials through a randomly generated unique user ID, which ensures the correct beneficiary claims data is shared with the correct third-party applications.

The CMS discovered a coding bug was causing Blue Button 2.0 to truncate a 128-bit user ID to a 96-bit user ID.  A 96-bit user ID is not sufficiently random and, as a result, the same truncated user ID was assigned to different beneficiaries. That meant that some of the beneficiaries with the same truncated user ID in the identity management system had their claims data passed to other users and applications via Blue Button 2.0.

The error and why it resulted in the impermissible disclosure of claims data are perfectly understood, what was not initially clear was how the bug was introduced and why it was not found in time to prevent the exposure and disclosure of sensitive beneficiary data.

There are three takeaways from the initial findings of the investigation related to code reviews, testing, and cross team collaboration.

The CMS investigation found the bug was introduced on January 11, 2018. When changes are made, there is usually a comprehensive review of the changes, but in January a comprehensive review was not completed. If the review had occurred, the bug could have been identified and corrected before any sensitive information was disclosed.

The CMS tests Blue Button 2.0 using synthetic data to verify functionality. This ensures that no personal health information is put at risk. Integration of Blue Button 2.0 with other systems is not tested in order to protect personal health information. Consequently, integration with the identity management system was not tested.

The CMS notes that the code that generates the user ID token is run by a separate identity management team. The Blue Button 2.0 team made assumptions about how the token worked, and they were not validated. If there was better collaboration between enterprise teams, the necessary information would have been present in decision making.

Steps have now been taken to prevent further errors from occurring in the future. An enhanced quality review and validation process has now been implemented and the Blue Button 2.0 team will be performing comprehensive reviews of all new code to ensure that any coding errors are identified and corrected before the code changes go live and Blue Button 2.0 will now store full user IDs instead of truncated IDs.

A full review of the platform is now being conducted and the API will remain suspended until that coding review has been completed.

An in-depth analysis will also be conducted to determine the potential impact on affected beneficiaries. Decisions will then be made about what other steps are required to protect affected beneficiaries, such as the provision of credit monitoring services.

The post CMS Blue Button 2.0 Coding Bug Exposed PHI of 10,000 Medicare Beneficiaries appeared first on HIPAA Journal.

The email accounts of several employees of Conway Medical Center in South Carolina have been accessed by unauthorized individuals.

The phishing attack was detected on October 7, 2019 and affected email accounts were immediately secured to prevent further unauthorized access. External cybersecurity experts were engaged to investigate the breach and determine whether patient information had been viewed or acquired. The investigators determined that the first email accounts were compromised in or before July 2019.

It took until November 20, 2019 for the investigators to confirm that the protected health information of patients had been exposed as each email had to be checked to determine whether it contained PHI and if it had been accessed. That was largely a manual process.

The way the email accounts were accessed meant emails may have synchronized with the attacker’s computer and could have been automatically downloaded.

Those emails contained names, addresses, Social Security numbers, dates of birth, phone numbers, dates of admission, discharge dates, CMC account numbers, amount owed, and other information. For certain patients, the names, addresses, phone numbers, Social Security numbers, place of employment, and other information related to their guarantors was also potentially acquired.

Steps have now been taken to improve email security and notification letters have been mailed to affected patients. Individuals whose financial data has been exposed have been offered complimentary identity theft protection services.

The breach report submitted to the Department of Health and Human Services’ Office for Civil Rights indicates 2,500 patients have been affected by the security breach.

1,021 Clients of Equinox, Inc. Notified of PHI Exposure

Equinox, Inc., an Albany, NY-based provider of services to individuals suffering from chemical dependency, mental health issues, and domestic abuse survivors, has discovered the email accounts of two of its employees have been accessed by unauthorized individuals.

The data security breach was discovered on July 26, 2019 when suspicious activity was detected in its digital environment. Its systems were immediately secured and third-party cybersecurity experts were engaged to investigate the breach. Equinox was informed on August 28, 2019 that two email accounts had been accessed by unauthorized individuals.

The affected email accounts were then reviewed to determine whether they contained any patient information. Equinox was informed on October 9, 2019 that the protected health information of 1,021 current and former clients had potentially been accessed. The email accounts contained names, addresses, Social Security numbers, dates of birth, medical treatment or diagnosis information, health insurance information, and/or medication-related information.

No evidence was found to suggest information in emails and attachments was viewed or acquired and no reports have been received to indicate clients’ information has been misused.

Affected individuals were notified on December 6, 2019 and have been offered complimentary credit monitoring and identity theft protection services. Additional security measures have been implemented to prevent further breaches of this nature in the future.

The post Email Security Breaches Reported by Conway Medical Center and Equinox Inc. appeared first on HIPAA Journal.

Tidelands Health in Georgetown, SC, is working round the clock to restore its computer systems after the discovery of malware on its network on December 12, 2019. The attack has forced the healthcare provider to shut down parts of its network and implement emergency protocols. Staff have been using paper records for patients while the malware is removed and systems are restored and brought back online.

Patients are being seen and quality care is still being provided, although a limited number of non-emergency appointment have had to be rescheduled, according to Tidelands Health spokesperson, Dawn Bryant.

The type of malware involved has not been disclosed, although Tidelands Health has said no data was lost and patient information was not compromised.

Third-party cybersecurity experts have been engaged to investigate the attack, remove the malware, and restore its systems. That is a time-consuming, methodical process as the stability and integrity of every system must be thoroughly assessed before it is possible to bring each back online.

Stolen Children’s Hope Alliance Laptop Computer Contained the PHI of 4,564 Patients

Barium Springs, NC-based healthcare provider, Children’s Hope Alliance, is notifying 4,564 patients that some of their protected health information has been exposed. The data was stored on an employee’s laptop computer which was stolen on October 7, 2019.

Third-party computer forensics investigators have been engaged to determine what information was stored on the laptop. The investigation is ongoing, but the preliminary findings indicate documents on the device contained names, addresses, Social Security numbers, tax ID numbers, dates of birth, medication and dosage information, and usernames and passwords.

Notifications will be sent to affected individuals when the investigation has been completed. At this stage, no evidence has been found to indicate any patient information has been accessed by unauthorized individuals and no reports of misuse of patient information have been received.

The post Tidelands Health Recovering from Malware Attack appeared first on HIPAA Journal.

Truman Medical Centers, the largest provider of inpatient and outpatient services in Kansas City, MO, has discovered the protected health information of 114,466 patients was stored on an unencrypted laptop computer that was stolen from the vehicle of one of its employees.

The laptop was protected with a password, but it is possible that the password could be cracked and data on the device accessed. At the time of issuing the notifications, Truman Medical Centers has not uncovered any evidence to suggest that any patient information has been accessed by unauthorized individuals or has been misused.

The types of information on the laptop varied from patient to patient and may have included patient names along with one or more of the following types of information: Dates of birth, patient account numbers, medical record numbers, Social Security numbers, health insurance information, and limited medical and treatment information, such as diagnoses, dates of service, and provider names.

The theft occurred on July 18, 2019, but it took until October 29, 2019 to determine that patient information was stored on the device. All individuals whose protected health information was stored on the laptop have now been notified by mail. Individuals whose Social Security number was stored on the device have been offered complimentary credit monitoring and identity protection services.

Employees have been re-educated on portable device security. Additional controls are being installed on employee laptops to enhance security.

Stolen Blackberry Contained the PHI of 2,477 Patients of La Clínica de La Raza, Inc.

La Clínica de La Raza, Inc, a provider of primary health care and other services in Alameda, Contra Costa, and Solano counties in California, has also discovered a portable electronic device has been stolen.

On August 20, 2019, a briefcase containing a La Clínica de La Raza-issued Blackberry device was stolen from an employee’s vehicle. Assisted by a computer forensics firm, La Clínica de La Raza determined on October 16, 2019 that the Blackberry contained the protected health information of 2,477 patients.

The information was found in two emails that had been downloaded onto the device. Those emails contained names, birth dates, medical record numbers, and non-sensitive test results.

While it is possible that the information could be accessed by unauthorized individuals, La Clínica de La Raza said PHI access would have been difficult. Affected patients were notified of the breach by mail on December 13, 2019. Affected individuals have been offered a one year membership to credit monitoring and identity protection services at no cost.

Steps are now being taken to improve the security of portable electronic devices and employees have had training on portable device security reinforced.

The post Truman Medical Centers Notifies 114,466 Patients of Potential PHI Exposure appeared first on HIPAA Journal.

Hackensack Meridian Health, the largest health network in New Jersey, has announced it experienced a cyberattack last week that saw ransomware deployed on its network. The attack saw files encrypted and took its network offline for two days.

Without access to computer systems and medical records, Hackensack Meridian Health was forced to cancel non-emergency medical procedures and doctors and nurses had to switch to pen and paper to allow care to continue to be provided to patients.

The attack was detected quickly, law enforcement and regulators were immediately notified, and cybersecurity experts were consulted to determine the best course of action. The health network initially announced that it was experiencing external technical issues so as not to interfere with the investigation but confirmed later in the week that the incident was a ransomware attack.

When ransomware is deployed, files need to be restored from backups and systems may need to be rebuilt. That process can take several weeks. In order to prevent continued disruption to patient services, the decision was taken to pay the ransom demand. A spokesperson for Hackensack Meridian Health said, “We believe it’s our obligation to protect our communities’ access to health care.”

The amount of the ransom has not been publicly disclosed but Hackensack Meridian Health did confirm that it holds a cybersecurity insurance policy that will cover some of the cost of the ransom payment and remediation efforts.

Hackensack Meridian Health has confirmed that its main clinical system is now back online and is fully operational, but it may take several days before other parts of its system are brought back online.

Several major ransomware attacks on healthcare organizations and business associates have been announced in the past few weeks. In the past week alone The Cancer Center of Hawaii announced it was attacked and was forced to postpone radiology treatments for patients. A ransomware attack was also announced by a Colorado business associate which impacted more than 100 dental practices.

In its latest cybersecurity letter, the HHS’ Office for Civil Rights explains how HIPAA compliance can help prevent ransomware attacks and ensure healthcare organizations recover from attacks quickly if hackers succeed in breaching their defenses.

The post Hackensack Meridian Health Recovering from Ransomware Attack appeared first on HIPAA Journal.