Oregon’s Medicaid coordinated-care organization, Health Share of Oregon, is notifying approximately 654,000 current and former members that some of their protected health information (PHI) was stored on a laptop computer stolen from its transportation vendor, GridWorks.

GridWorks was contracted to manage Health Share’s Ride to Care program, through which Health Share provided non-emergent transportation for its members.

Health Share’s policies require business associates to use encryption on all portable devices containing patient information but, for reasons unknown, the GridWorks laptop was not encrypted. PHI stored on the laptop computer included names, addresses, contact telephone numbers, birth dates, Health Share ID numbers, Medicaid numbers, and Social Security numbers.

The laptop was stolen in a burglary at GridWorks’ office in November 2019. GridWorks notified Health Share about the laptop theft on January 2, 2020. Health Share started sending notification letters on February 5 to all individuals whose PHI was stored on the laptop. Affected individuals have been offered one year of complimentary credit monitoring and identity theft protection services.

Health Share conducts security audits of its vendors and last audited GridWorks in March 2019. In response to the breach, Health Share will expand its vendor security audit program and steps have been taken to ensure only the minimum amount of patient information is transmitted to its vendors. Training policies have also been enhanced.

In October 2019, Health Share announced that the nonprofit health plan, CareOregon, would be taking over the administration of its Ride to Care program. GridWorks had failed to pay several transportation companies that provided transport under the Ride to Care program. The company went into receivership in December 2019 and will cease operations once the administration of the Ride to Care program has been fully transferred to CareOregon.

The post Health Share of Oregon Notifies 654,000 Members About Business Associate Data Breach appeared first on HIPAA Journal.

Village Center for Care dba VillageCare Rehabilitative and Nursing Center (VRNC) and Village Senior Services Corporation dba VillageCareMAX (VCMAX) have fallen victim to a business email compromise (BEC) attack. BEC attacks involve the impersonation of an executive, either using the executive’s genuine email account compromised in a previous attack or by spoofing the executive’s email address.

An unauthorized individual, pretending to be member of the executive team, requested sensitive information on VRNC patients and VCMAX members. Believing the request to be legitimate, the employee responded and provided the information as requested. VCMAX and VRNC were alerted to a potential BEC attack on or around December 30, 2019.

The investigation confirmed the request was not genuine and sensitive information on VRNC patients and VCMAX members had been impermissibly disclosed. The information sent via email included the names and Medicaid ID numbers of 2,645 VCMAX members and first and last names, dates of birth, insurance provider names, and Insurance ID numbers of 674 VRNC patients.

There have been no reports of misuse of personal information, but all affected individuals have been advised to be vigilant and check accounts, credit reports, and explanation of benefits statements for signs of fraudulent activity. VCMAX and VRNC are reviewing and enhancing their policies and procedures to prevent further attacks of this nature in the future.

1,860 Individuals Impacted by Phishing Attack on Phoenix Children’s Hospital

The email accounts of seven employees of Phoenix Children’s Hospital have been compromised as a result of a targeted phishing campaign between September 5 and September 20, 2019.

Upon discovery of the breach, a leading computer forensic firm was engaged to investigate the extent of the breach. The hospital learned on November 15, 2019 that the compromised accounts contained the protected health information of 1,860 current and former patients which may have been viewed or obtained by the attackers.

The accounts were found to contain patient names, personal information and, for some individuals, limited health information and Social Security numbers.

On January 14, 2020, Phoenix Children’s Hospital started notifying affected patients by mail. Complimentary credit monitoring and identity theft protection services have been offered to patients whose Social Security number was potentially compromised.

The post New York Nursing Center and Phoenix Children’s Hospital Affected by Phishing Attacks appeared first on HIPAA Journal.

On November 21, 2019, Fondren Orthopedic Group, an association of private orthopedic surgery practitioners in Houston and the surrounding areas, experienced a cyberattack that affected certain parts of its IT system.

In a substitute breach notice posted on its website, the incident was described as a malware attack that damaged the medical records of certain patients. Prompt action was taken to contain the infection and its systems were restored; however, the medical records corrupted by the malware could not be recovered and have been permanently lost.

The corrupted records included patients’ names, addresses, telephone numbers, health insurance information, and diagnosis and treatment information. All patients affected by the incident were current or former patients of Dr. K. Matthew Warnock.

Third party forensic investigators were engaged to assist with the investigation and found no evidence of unauthorized data access or exfiltration of data. Fondren Orthopedic Group is reviewing data security policies and procedures and will be enhancing its security protocols to improve resilience to malware attacks. Affected patients have been notified and informed that they will need to complete new patient forms and supply details of their medical histories when they next visit Dr. Warnock.

The cyberattack has been reported to the HHS’ Office for Civil Rights. The breach summary shows up to 30,049 patients have been affected.

Access Health CT Notifies 1,100 About Unspecified Data Breach

Access Health CT, the health insurance marketplace in Connecticut, has notified approximately 1,100 consumers that some of their protected health information was exposed in a data breach.

In its substitute breach notice, Access Health CT apologized for any inconvenience caused by the breach and said affected individuals have been offered free access to services to help them protect their personal information. The breach notice did not explain the nature of the breach, when it occurred, nor the types of information that were compromised.

The notice states, “Several efforts to improve security are already in place, with longer-term initiatives planned regarding system changes and more frequent Information Technology (IT) security training to improve data protection and security awareness.”

The post Malware Attack Results in Corruption of Medical Records: 30,000 Patients Affected appeared first on HIPAA Journal.

Manchester Ophthalmology in Connecticut has experienced a cyberattack in which the attackers may have gained access to patient information.  The eye care provider became aware of the cyberattack on November 25, 2019 when employees noticed unusual activity on the network. Assisted by a third-party technology firm, it was determined later that day that hackers had gained access to its systems and attempted to deploy ransomware. Access was first gained to the network on November 22, 2019 and continued until November 25. Remote access was rapidly terminated before information was encrypted.

The investigation found no evidence to suggest any patient information was accessed or downloaded by the attackers, but during the investigation it was determined that certain patient information had not been backed up and could not be recovered. The types of data lost included names, patient-created medical histories, and details of the care those patients received at Manchester Ophthalmology.

Patients have been advised to exercise caution and monitor their accounts and explanation of benefits statements for any sign of fraudulent use of their information. Manchester Ophthalmology has provided further training to employees to ensure the proper backup of all information.

The breach report submitted to the Department of Health and Human Services’ Office for Civil Rights indicates up to 6,846 patients were affected by the security breach.

UnitedHealthcare Alerts Patients About 2019 Data Breach

On January 31, 2020, the Minnetonka, MN health insurer, UnitedHealthcare, announced it was the victim of a data breach in 2019 in which the private information of some of its customers in South Carolina was potentially compromised.

UnitedHealthcare was notified about the data breach on December 10, 2019 and determined that at some point between July 30, 2019 and Nov 13, 2019 an unauthorized individual gained access to the health information of certain members through its member portal. Only members’ first and last names, health plan information, and medical claims data was compromised.

UnitedHealthcare said it is assisting with the law enforcement investigation and steps have been taken to prevent further breaches of this nature in the future. The HHS’ Office for Civil Rights Breach portal indicates 934 individuals were affected by the breach.

2,713 Individuals Informed of Cook County Health Mailing Error

Chicago, IL-based Cook County Health has started notifying 2,713 individuals that some of their protected health information was sent to a third-party vendor in error. The information related to individuals participating in a #keepingitLITE study and was sent to a vendor who was due to assist with mailing study information.

The list of study participants, which was limited to names, addresses, and email addresses, was sent before a business associate agreement was in place. A business associate agreement confirms that a vendor agrees to implement safeguards to ensure the privacy and security of any information. Without the BAA, satisfactory assurances that those safeguards were in place had not been received by Cook County Health.

Action has now been taken to ensure similar errors are prevented in the future.

The post Data Breaches Reported by Manchester Ophthalmology, UnitedHealthcare, and Cook County Health appeared first on HIPAA Journal.

Researchers at TechCrunch have identified a security flaw in a website hosting an internal customer relationship management system used by the clinical laboratory network LabCorp. While the system was password protected, the researchers found a flaw in the part of the system that pulled patient files from the back-end system. The flaw allowed patient data to be accessed without requiring a password and the web address was visible to search engines.

Google had cached only one document containing the health data of a patient, but by changing the document number in the web address the researchers were able to open other documents containing patient health information.

The researchers examined a small selection of files to see what types of data had been exposed. The documents mostly contained information about patients who had tests conducted by LabCorp’s Integrated Oncology specialty testing unit. The documents contained personal information such as names and dates of birth, lab test results and diagnostic data, and for some patients, Social Security numbers.

TechCrunch researchers used computer commands to determine the number of documents accessible on the website. They structured the commands to return information about the properties of the files, rather than opening the documents, to avoid accessing patient information. The analysis revealed around 10,000 documents could potentially be accessed.

TechCrunch notified LabCorp about the issue and the server was taken offline while the flaw was corrected. The link to the exposed data has not yet been removed from Google, but it is no longer active and cannot be used to view patient data.

The is the second major security incident to be experienced by LabCorp in the past 12 months. The records of LabCorp patients were exposed in the 26 million-record breach at American Medical Collection Agency (AMCA) in March 2019. 7.7 million LabCorp patients were initially thought to have been affected, but the breach was reported to the HHS’ Office for Civil Rights as having affected up to 10,251,7847 LabCorp patients.

The post Website Error Exposed Personal and Health Data of LabCorp Patients appeared first on HIPAA Journal.

The Iowa Department of Human Services has notified 4,784 individuals about the potential exposure of some of their protected health information.

On November 25, 2019, a member of staff disposed of documents containing the protected health information of Dallas County clients in a regular garbage dumpster, instead of sending the records for shredding. By the time the improper disposal incident was discovered, the dumpster had been emptied. An investigation was launched which revealed the custodial employee who disposed of the paperwork was unaware that the documents contained confidential information.

It was not possible to determine exactly which patients were affected, so notification letters were sent to all individuals potentially impacted by the breach. The documents likely contained information such as names, dates of birth, mailing addresses, driver’s license numbers, Social Security numbers, disability information, medical information, banking and wage information, receipt of Medicaid, mental health information, provider names, prescriptions, and substance abuse and illegal drug use information.

Clearbrook Nursing Home Residents Notified of Impermissible Disclosure of Prescription Information

688 residents of the Cedarbrook nursing home in Lehigh County, PA are being notified that their prescription information was accidentally shared with companies interested in tendering for the nursing home’s pharmacy contract.

An email was sent to 16 companies in December 2018 with an incorrect file attachment. The correct file contained invoice information detailing the medications prescribed in October through November. The file attached to the email included the names of the patients who received those medications.

The error was discovered promptly, and requests were sent to all 16 companies asking for the file to be deleted. All 16 companies, which were HIPAA-covered entities, confirmed that the file had been deleted.

All affected individuals have been notified about the privacy breach out of an abundance of caution. The risk of misuse of patient information is believed to be very low. Procurement procedures have now been updated and require all outgoing contract information to be checked by a supervisor prior to being sent.

The post Iowa Department of Human Services Notifies 4,484 Patients About Improper Disposal Incident appeared first on HIPAA Journal.

Beaumont Health, a not-for-profit 8-hospital health system based in Southfield, MI, has discovered a former employee has accessed the medical records patients without authorization and is understood to have shared protected health information with another individual.

An internal investigation was launched when it was discovered medical records had been accessed without authorization. A review of the former employee’s access logs revealed the unauthorized access first occurred on February 1, 2017 and continued until October 22, 2019. The breach was discovered in December 2018.

Beaumont Health said its internal investigation determined on December 10, 2019 that the medical records of 1,182 patients were accessed over a period of 20 months. The information potentially obtained and disclosed included names, addresses, contact telephone numbers, dates of birth, email addresses, health insurance information, reason why medical care was sought, and Social Security numbers.

The individual to whom the information was believed to have been disclosed was affiliated with a personal injury lawyer. Most of the patients whose records were accessed had sought treatment for injuries sustained in motor vehicle accidents.

When unauthorized access was confirmed, the employee was fired for violating hospital policies and HIPAA Rules. The incident has been reported to law enforcement and Beaumont Health said it will assist law enforcement if prosecution is pursued. The matter has also been reported to the Michigan Health and Hospital Association.

All patients affected by the incident have been notified by mail. Credit monitoring and identity theft protection services have been offered to patients whose Social Security number was compromised. Patients have been advised to be alert to the risk of identity theft and fraud and have been advised to check their explanation of benefits statements and accounts carefully and to report any suspected cases of misuse of their information.

Beaumont Health has taken steps to update internal policies and procedures to prevent similar incidents from occurring in the future.

Former VA Employee Sentenced for Leaking Medical Records of Former Army Major

A former employee of the Department of Veteran Affairs’ Benefits Administration has been sentenced for accessing the medical records of veterans without authorization and for leaking the medical records of a former U.S. Army major who ran for Congress in West Virginia in 2018.

Jeffrey Miller, 40, of Huntington, WV, pleaded guilty to accessing the medical records of 6 veterans, including the former Army Major, Richard Ojeda. Photographs of the records were taken and sent to an acquaintance. The image of Ojeda’s medical records was subsequently distributed to high-ranking Republicans in an attempt to influence his 2018 campaign for the 3^rd Congressional District in West Virginia.

Miller was sentenced on January 21, 2020 in federal court and will serve 6 months in jail.

The post Beaumont Health Discovers 20-Month Insider Breach appeared first on HIPAA Journal.

PIH Health, a 2-hospital nonprofit healthcare network based in Whittier, CA, has started notifying nearly 200,000 patients about a potential breach of their personal and protected health information in June 2019.

On June 18, 2019, PIH Health discovered the email accounts of certain employees had been accessed by unauthorized individuals as a result of a targeted phishing attack on its employees. The email accounts were immediately secured and an investigation was launched to determine the nature and extent of the breach.

PIH Health engaged leading cybersecurity experts to assist with the investigation and was notified on October 2, 2019, that the email accounts were subject to unauthorized access between June 11, 2019 and June 18, 2019.

The email accounts were then reviewed by the same cybersecurity experts to determine whether they contained any patient information. The review was completed on November 12, 2019. PIH Health then attempted to obtain up to date contact information for current and former patients affected by the breach. Notifications were sent by mail to those individuals on January 10, 2020.

The phishing attack has been reported to the Department of Health and Human Services Office for Civil Rights. The summary on the OCR breach portal indicates up to 199,548 patients were potentially affected by the attack.

Patients have been advised to monitor their account statements and to report any suspected fraudulent account activity. Patients have also been offered complimentary credit monitoring and identity theft protection services through Kroll for 12 months.

“The privacy and protection of private information is a top priority for PIH Health,” wrote PIH Health in its substitute breach notification. “PIH Health deeply regrets any inconvenience or concern this incident may cause.”

The post Nearly 200,000 Patients Impacted by PIH Health Phishing Attack appeared first on HIPAA Journal.