HIPAA Breach News

Phishing Attacks Announced by Comprehensive Sleep Care Center, McLaren Health Plan, and Ivy Rehab Physical Therapy

Loudoun Medical Group, dba Comprehensive Sleep Care Center (CSCC), has been affected by a phishing attack that occurred on or around June 19, 2019.

The IT department was alerted to a potential email security breach when suspicious activity was detected in an employee’s email account. The password was immediately changed to prevent further unauthorized access and the incident was investigated.

Forensic investigators confirmed the breach was confined to a single email account that was accessed by an unauthorized individual between June 15, 2019 and June 19, 2019.

On October 17, 2019, the investigators confirmed which patient information had been accessed. The information in the email account varied for each patient and may have included the patient’s name along with one or more of the following data elements: Date of birth, Social Security number, passport number, driver’s license number, medical record number, payment card information, patient account number, financial account information, medical history, health insurance information, treatment information and/or date(s) of service.

Additional safeguards have now been implemented to prevent further email security breaches and affected individuals have been provided with information on how they can minimize risk of PHI misuse. To date, no evidence of attempted or actual misuse of patient information has been found.

McLaren Health Plan Affected by Phishing attack on Business Associate

McLaren Health Plan in Flint, MI has discovered the protected health information of some of its members may have been accessed by unauthorized individuals as a result of a phishing attack on one of its business associates, Magellan Rx Management. Magellan Rx Management provided services to the health plan up until December 31, 2018.

Magellan Health announced on November 27, 2019 that its subsidiary, Magellan Rx Management, experienced a phishing attack on May 28, 2019. Magellan Rx discovered the attack on July 5, 2019 and launched a thorough investigation to determine the extent of the breach. The investigation confirmed the breach was limited to a single email account, and that the email account contained the protected health information of certain McLaren Health Plan members such as names, birth dates, health plan member ID numbers, health plan name, provider, diagnosis, drug, and authorization information. McLaren Health plan was informed of the breach on October 4, 2019.

The aim of the attack appears to have been solely to use the email account to send spam. No evidence of data access or misuse has been uncovered. Magellan Health has since enhanced email security and is providing further training to employees to help them detect malicious emails in the future.

Email Security Breach at Ivy Rehab Physical Therapy

Ivy Rehab Physical Therapy, a network of 200 physical therapy clinics, has experienced a phishing attack in which the protected health information of patients was potentially compromised.

The company discovered the attack in May 2019 and launched an investigation. On September 26, 2019, third-party forensic investigators determined that the protected health information of certain patients was stored in the compromised accounts and may have been accessed by the attackers. No reports of misuse of patient information have been received and no actual evidence of unauthorized data access was identified.

The information potentially accessed included names along with one or more of the following data elements: Health information, Social Security numbers, and financial information. Affected individuals have been offered complimentary identity theft restoration and credit monitoring services.

In response to the attack, Ivy Rehab has changed its password policies and requires more frequent password changes and further, ongoing security awareness training is being provided to staff members.

The post Phishing Attacks Announced by Comprehensive Sleep Care Center, McLaren Health Plan, and Ivy Rehab Physical Therapy appeared first on HIPAA Journal.

Great Plains Health Ransomware Attack Prevents Access to Patient Medical Records

North Platte, NE-based Great Plains Health has experienced a ransomware attack that has resulted in the encryption of patient medical records.

The attack was detected at around 7pm on Tuesday, November 26. Prompt action was taken to minimize the impact on patients, and staff switched to pen and paper while computer systems were offline. IT staff have been working round the clock dealing with the attack.

With access to medical records prevented, the decision was taken to cancel non-emergency patient appointments and some medical procedures, although surgeries and certain imaging procedures are continuing to be provided as normal. The hospital has not switched to emergency operations and is not diverting patients.

The attack also impacted its phone and email system, although voicemail is unaffected. Staff have been checking voicemail messages regularly and have been calling patients back who have not been able to get through on the telephone.

It is currently unclear whether the ransom demand was paid or if medical records and other encrypted files are being restored from backups. Officials are currently unsure how long it will take to recover from the attack but suggest it could take weeks or even longer.

While patient information was encrypted, Great Plains Health does not believe that any patient information has been viewed or stolen by the attackers. The sole purpose of the attack appears to have been to extort money from Great Plains Health. A full audit of its systems will be conducted to determine whether patient information has been accessed or stolen.

Atria Senior Living Experiences Phishing Attack

The Louisville, Kentucky-based retirement and assisted living company, Atria Senior Living, has announced that an unauthorized individual has gained access to the email accounts of some of its employees and potentially accessed the protected health information of certain clients.

Assisted by a cybersecurity firm, Atria Senior Living determined that several employee email accounts had been compromised and were accessed by an unauthorized individual on various occasions between September 18 and September 20, 2019.

A review of all affected email accounts was conducted to determine the types of information that had potentially been compromised and which clients had been affected. It was not possible to tell whether emails or attachments had been opened or copied.

Since unauthorized data access could not be ruled out, affected individuals have been offered complimentary credit monitoring and identity theft protection services for 12 months.

Atria Senior Living has now implemented additional security measures and safeguards to prevent further email security breaches. It is currently unclear how many individuals have been affected by the email security breach.

The post Great Plains Health Ransomware Attack Prevents Access to Patient Medical Records appeared first on HIPAA Journal.

$2.175 HIPAA Settlement Agreed with Sentara Hospitals for Breach Notification Rule and BAA Failures

The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced its 8th HIPAA financial penalty of 2019. Sentara Hospitals has agreed to settle potential violations of the HIPAA Privacy and Breach Notification Rules and will pay a penalty of $2.175 million and will adopt a corrective action plan to address areas of noncompliance.

Sentara operates 12 acute care hospitals in Virginia and North Carolina and has more than 300 care facilities in both states. OCR launched a compliance investigation in response to a complaint from a patient on April 17, 2017. The patient had reported receiving a bill from Sentara containing another patient’s protected health information.

Sentara did report the breach to OCR, but the breach report stated that only 8 individuals had been affected, when the mailing had been misdirected and 577 individuals had had some of their PHI impermissibly disclosed. OCR determined that those 577 patients had their information merged with 16,342 different guarantors’ mailing labels.

OCR advised Sentara that under the HIPAA Breach Notification Rule – 45 C.F.R. § 164.408 – notifications were required and that the breach total needed to be updated, but Sentara persisted in its refusal to update the breach report and issue notifications. Sentara maintained that since the bills only contained names, account numbers, and dates of service, and not diagnoses, treatment information, and other medical information, it did not constitute a reportable breach.

OCR also found that Sentara Hospitals provides services for its member covered entities but had not entered into a business associate agreement with its own business associate until October 17, 2018.

Sentara Hospital’s parent organization and business associate, Sentara Healthcare, had been allowed to create, receive, maintain, and transmit PHI on its behalf without a BAA being in place. Sentara Hospitals had therefore not received satisfactory assurances that PHI would be safeguarded, in violation of 45 C.F.R. § 164.504(e)(2).

The corrective action plan requires Sentara Hospitals to revise its policies and procedures and ensure they are compliant with HIPAA Rules. Policies and procedures must be checked and revised at least annually, or more frequently if appropriate. OCR will be scrutinizing Sentara’s compliance efforts for a period of two years from the start date of the corrective action plan.

“HIPAA compliance depends on accurate and timely self-reporting of breaches because patients and the public have a right to know when sensitive information has been exposed,” said OCR Director, Roger Severino. “When health care providers blatantly fail to report breaches as required by law, they should expect vigorous enforcement action by OCR.”

The latest settlement is another example of HIPAA violations being uncovered in response to a patient complaint rather than a data breach investigation. All it takes is for one patient to submit a complaint about a potential HIPAA violation for a compliance review to be launched. These investigations can occur at any time, which shows how important it is for healthcare organizations to ensure their policies and procedures fully meet the requirements of HIPAA.

So far in 2019, HIPAA-covered entities and business associates have paid $12,124,000 to OCR to resolve violations of HIPAA Rules.

The post $2.175 HIPAA Settlement Agreed with Sentara Hospitals for Breach Notification Rule and BAA Failures appeared first on HIPAA Journal.

Misconfigured Staff Calendars Exposed Information of Children’s Minnesota Patients for Up to 9.5 Years

Children’s Minnesota has started notifying 37,942 patients that information related to their appointments has been exposed and could have been accessed by unauthorized individuals.

The internal, electronic calendars used by certain staff members had been configured in a way that allowed them to be viewed by individuals outside of Children’s Minnesota’s system. The misconfiguration was detected on August 26, 2019 and was immediately corrected to prevent unauthorized access.

A third-party computer forensics company was engaged to assist with the investigation and determine the extent of the privacy breach. The firm confirmed that in some cases, the calendars may have been misconfigured for several years, with the earliest case determined to be December 2011.
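The Children’s Minnesota incident is a sharing-permission misconfiguration rather than an intrusion, and the defender’s check is an audit of who each staff calendar is shared with and for how long. The script below is an added example, not Children’s Minnesota’s or HIPAA Journal’s code: the ACL export format, the calendar owners, principals, role names and grant dates are all constructed, and the reader/writer/free-busy role split is an assumption that has to be mapped to whatever the calendar product in use actually calls those roles. It flags every grant to an anonymous or external principal, rates grants that reveal event details (where patient names and procedures would sit) above free/busy-only grants, and computes how many days each grant stood before the detection date.

```python
"""Audit calendar sharing ACLs for grants that expose event details outside the organization.

Added example, not Children's Minnesota's or HIPAA Journal's code. The export
format, calendar owners, principals, role names and dates are constructed.
"""
import csv
import io
from datetime import date

ORG_DOMAIN = "clinic.example"  # constructed organization domain

# Constructed export: one row per sharing grant on a staff calendar
ACL_EXPORT = """\
calendar_owner,principal,role,granted
dr.lee@clinic.example,dr.lee@clinic.example,owner,2014-01-06
dr.lee@clinic.example,scheduler@clinic.example,writer,2014-01-06
dr.lee@clinic.example,default,reader,2012-03-15
nurse.kim@clinic.example,friend@gmail.example,reader,2018-11-02
nurse.kim@clinic.example,frontdesk@clinic.example,reader,2016-05-20
admin@clinic.example,public,freeBusyReader,2013-07-01
"""

# Assumed role names: these reveal event titles, descriptions and attendees
DETAIL_ROLES = {"reader", "writer", "owner"}
# Assumed role names: these reveal only busy/free blocks
FREEBUSY_ROLES = {"freeBusyReader"}


def classify_principal(principal, org_domain):
    """Anonymous (anyone with the link), internal (org domain) or external."""
    if principal.lower() in {"default", "public", "anyone"}:
        return "anonymous"
    domain = principal.rsplit("@", 1)[-1].lower() if "@" in principal else ""
    return "internal" if domain == org_domain.lower() else "external"


def audit_calendar_acls(export_text, org_domain, detected_on):
    """Return grants to non-internal principals, worst first.

    Severity is "high" when event details are visible to an anonymous or
    external principal, "low" when only free/busy time is visible, and
    "unknown" for a role name the audit does not recognise (surfaced rather
    than silently skipped). exposure_days is how long the grant stood before
    detection.
    """
    detected = date.fromisoformat(detected_on)
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        audience = classify_principal(row["principal"], org_domain)
        if audience == "internal":
            continue
        if row["role"] in DETAIL_ROLES:
            severity = "high"
        elif row["role"] in FREEBUSY_ROLES:
            severity = "low"
        else:
            severity = "unknown"
        granted = date.fromisoformat(row["granted"])
        findings.append({
            "calendar": row["calendar_owner"], "principal": row["principal"],
            "audience": audience, "role": row["role"], "severity": severity,
            "exposure_days": (detected - granted).days,
        })
    order = {"high": 0, "unknown": 1, "low": 2}
    findings.sort(key=lambda f: (order[f["severity"]], -f["exposure_days"]))
    return findings


if __name__ == "__main__":
    for f in audit_calendar_acls(ACL_EXPORT, ORG_DOMAIN, "2019-08-26"):
        print(f"{f['severity']:<7} {f['calendar']:<26} {f['role']:<14} "
              f"{f['audience']:<9} {f['principal']:<26} exposed {f['exposure_days']} days")
```

Run periodically against a fresh export rather than once: the long exposures in this kind of incident come from grants that were reasonable when made and then never reviewed, so the value of the check is in the recurring run, and in treating the "anyone" or "default" principal as a finding regardless of who created it.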

The calendars contained a limited amount of patient information, such as patient names, medical record numbers, dates of birth, insurance information, account numbers, appointment times and locations, names of procedures, and healthcare provider names.

It was not possible to determine whether the calendars had been accessed by unauthorized individuals during the time they were accessible. Affected individuals have been advised to monitor their account statements and explanation of benefits statements for any sign of fraudulent use of their information.

Children’s Minnesota will be reviewing its security policies and will provide additional training to staff to prevent similar incidents of this nature from occurring in the future.

PHI of 15,975 Individuals Exposed Due to Central Valley Regional Center Phishing Attack

Central Valley Regional Center (CVRC), a Merced, CA-based provider of health and support services to individuals with intellectual and developmental disabilities, has discovered an unauthorized individual has gained access to the email accounts of certain employees and potentially viewed or obtained sensitive client information.

The email security breach was discovered on July 29, 2019. The affected email account was immediately disabled, and an investigation was launched to determine the extent of the breach. Assisted by a third-party computer forensics firm, CVRC determined that multiple email accounts had been compromised between July 25 and August 2, 2019. Those email accounts contained information on 15,975 clients.

No evidence of data access or PHI theft was discovered, and no reports have been received to indicate any client information has been misused. However, it was also not possible to rule out unauthorized data access or data exfiltration. As a precaution, affected individuals have been notified and offered complimentary credit monitoring and identity theft protection services.

The types of information that may have been viewed varied from individual to individual and could have involved the following data elements:  Names, addresses, telephone numbers, dates of birth, death dates, Social Security numbers, driver’s license information, state ID card numbers, other government ID numbers, Medi-Cal numbers, UCI numbers, health insurance information, and medical and health information.

A limited number of individuals also had their taxpayer ID number, financial account/payment card information, PINs/ access codes, account password, username, email address, or electronic identifier (and the means to access the related accounts), and/or IRS PIN exposed.

Steps have now been taken to improve security and prevent similar breaches from occurring in the future.

The post Misconfigured Staff Calendars Exposed Information of Children’s Minnesota Patients for Up to 9.5 Years appeared first on HIPAA Journal.

October 2019 Healthcare Data Breach Report

There was a 44.44% month-over-month increase in healthcare data breaches in October. 52 breaches were reported to the HHS’ Office for Civil Rights in October. 661,830 healthcare records were reported as exposed, impermissibly disclosed, or stolen in those breaches.

This month takes the total number of breached healthcare records in 2019 past the 38 million mark. That equates to 11.64% of the population of the United States.

Largest Healthcare Data Breaches in October 2019

| Breached Entity | Entity Type | Individuals Affected | Type of Breach |
| --- | --- | --- | --- |
| Betty Jean Kerr People’s Health Centers | Healthcare Provider | 152,000 | Hacking/IT Incident |
| Kalispell Regional Healthcare | Healthcare Provider | 140,209 | Hacking/IT Incident |
| The Methodist Hospitals, Inc. | Healthcare Provider | 68,039 | Hacking/IT Incident |
| Children’s Minnesota | Healthcare Provider | 37,942 | Unauthorized Access/Disclosure |
| Tots & Teens Pediatrics | Healthcare Provider | 31,787 | Hacking/IT Incident |
| University of Alabama at Birmingham | Healthcare Provider | 19,557 | Hacking/IT Incident |
| Prisma Health – Midlands | Healthcare Provider | 19,060 | Hacking/IT Incident |
| South Texas Dermatopathology Laboratory | Healthcare Provider | 15,982 | Hacking/IT Incident |
| Central Valley Regional Center | Business Associate | 15,975 | Hacking/IT Incident |
| Texas Health Harris Methodist Hospital Fort Worth | Healthcare Provider | 14,881* | Unauthorized Access/Disclosure |

The largest healthcare data breach in October was reported by Betty Jean Kerr People’s Health Centers and was the result of a ransomware attack. At the time of issuing notifications, files that were encrypted in the attack remained locked. The decision was taken not to pay the ransom demand, but it was not possible to restore files from backups. Those files contained the health information of 152,000 patients.

The Kalispell Regional Healthcare data breach was due to a May 2019 phishing attack. An initial investigation did not uncover the extent of the breach. The forensic investigation revealed in August that the health information of up to 140,209 patients may have been accessed.

The Methodist Hospitals, Inc. data breach was also the result of a phishing attack. The incident was reported in October, but the initial email account compromise occurred in March 2019. Two accounts were breached for a total of four months.

South Texas Dermatopathology Laboratory is the last healthcare organization to report that its patients have been impacted by the data breach at the collection agency, AMCA. Its 15,982 records take the total number of individuals impacted by the AMCA breach to 26,059,725.

*Also of note is the data breach at Texas Health Resources. The breach makes the top 10 list of the most healthcare records exposed, but the breach was more far-reaching than the table above shows. The Texas Health data breach involved a total of 82,577 records, but the breach was reported to the HHS’ Office for Civil Rights as 15 separate breaches, with one breach report submitted for each of its affected facilities. Had the incident been reported as a single incident, the month’s total would stand at 38 breaches – two more than September.

Causes of October 2019 Healthcare Data Breaches

There were 18 hacking/IT incidents reported in October involving 501,847 healthcare records. The average breach size was 27,880 records and the median breach size was 9,413 records.

There were 28 reported unauthorized access/disclosure incidents involving a total of 134,775 records. The mean breach size was 4,813 records and the median breach size was 2,135 records. Those incidents include the 15 separate breach reports from Texas Health Resources.

There were 5 loss/theft incidents involving 13,454 records. The mean breach size was 2,350 records and the median breach size was 2,752 records. One improper disposal incident was reported involving 11,754 records.

Location of Breached Health Information

Phishing continues to cause problems for healthcare organizations. Not only are healthcare providers struggling to block phishing attacks, they are also failing to detect account compromises quickly when they do occur. Several phishing attacks have been reported that took weeks to discover.

Multi-factor authentication can help to reduce the risk of stolen credentials being used by cybercriminals to access corporate email accounts, yet many healthcare organizations only implement this important security measure after a phishing attack has occurred.
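The two points above, slow detection and the absence of MFA, are both visible in mailbox sign-in logs, which every cloud email platform produces. The script below is an added example, not HIPAA Journal’s code: the single-line audit format, the user names, IP addresses and country codes are constructed. It builds a per-user baseline of countries from successful sign-ins, flags a success from a country the user has never signed in from, raises the severity when a failed attempt from the same source IP preceded it within a short window (the trace left by password guessing or a phished password being retried), records whether MFA was used, and reports the number of days between the first flagged sign-in and the date the incident was actually detected, which is the dwell time the report above is describing.

```python
"""Flag mailbox sign-ins from unfamiliar locations and measure attacker dwell time.

Added example, not HIPAA Journal's code. The log format, users, IP addresses
and countries are constructed for illustration.
"""
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed sign-in audit log: timestamp, user, source IP, country, outcome, MFA used
SIGNIN_LOG = """\
2019-05-01T08:02:11Z alice@example.org 203.0.113.10 US success mfa=no
2019-05-01T08:40:55Z bob@example.org 203.0.113.11 US success mfa=no
2019-05-02T09:15:03Z alice@example.org 203.0.113.10 US success mfa=no
2019-05-03T02:17:44Z alice@example.org 198.51.100.7 NG failure mfa=no
2019-05-03T02:18:09Z alice@example.org 198.51.100.7 NG success mfa=no
2019-05-10T03:05:21Z alice@example.org 198.51.100.7 NG success mfa=no
2019-05-21T14:00:00Z bob@example.org 203.0.113.11 US success mfa=yes
"""


def parse_line(line):
    """Split one audit line into a dict with a parsed timestamp."""
    ts, user, ip, country, outcome, mfa = line.split()
    return {"ts": datetime.strptime(ts, TS_FMT), "user": user, "ip": ip,
            "country": country, "outcome": outcome, "mfa": mfa == "mfa=yes"}


def flag_unfamiliar_signins(events, failure_window=timedelta(minutes=10)):
    """Return successful sign-ins from a country the user has never signed in from.

    The first successful sign-in seeds each user's baseline. A flagged sign-in
    is deliberately NOT added to the baseline, so a persistent intruder keeps
    being reported instead of becoming "normal". Severity is "high" when a
    failed attempt from the same IP preceded the success within failure_window.
    """
    known = {}         # user -> countries seen in trusted sign-ins
    last_failure = {}  # (user, ip) -> time of most recent failed attempt
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["user"], ev["ip"])
        if ev["outcome"] != "success":
            last_failure[key] = ev["ts"]
            continue
        seen = known.setdefault(ev["user"], set())
        if not seen or ev["country"] in seen:
            seen.add(ev["country"])
            continue
        recent_fail = key in last_failure and ev["ts"] - last_failure[key] <= failure_window
        findings.append({
            "ts": ev["ts"], "user": ev["user"], "ip": ev["ip"], "country": ev["country"],
            "mfa": ev["mfa"], "severity": "high" if recent_fail else "medium",
        })
    return findings


def analyze_log(log_text, detected_at):
    """Run the detection and report how long the first flagged access went unnoticed."""
    events = [parse_line(line) for line in log_text.splitlines() if line.strip()]
    findings = flag_unfamiliar_signins(events)
    detected = datetime.strptime(detected_at, TS_FMT)
    dwell = (detected - findings[0]["ts"]).days if findings else None
    return {"findings": findings, "dwell_days": dwell}


if __name__ == "__main__":
    report = analyze_log(SIGNIN_LOG, "2019-05-21T14:00:00Z")
    for f in report["findings"]:
        print(f"{f['ts']:%Y-%m-%d %H:%M} {f['user']} from {f['ip']} ({f['country']}) "
              f"severity={f['severity']} mfa={f['mfa']}")
    print("days between first suspicious sign-in and detection:", report["dwell_days"])
```

In the constructed log the intrusion is visible on day one of the compromise, but with nobody looking at the log it is only "detected" 18 days later; the `mfa=no` on every flagged row is the second finding, since a stolen password alone would not have produced a successful sign-in had MFA been enforced. On a real tenant the country baseline should be seeded from a trusted window of history rather than from the first event ever seen for a user.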

This high number of “other” breaches is due to the mailing error at Texas Health, which accounts for 15 of the 19 incidents in the other category.

The majority of the network server breaches were due to ransomware attacks, which include the largest healthcare data breach of the month. That breach highlights just how important it is to ensure that a viable backup copy of all data is created, that the backup is tested to make sure data recovery is possible, and that at least one backup copy is stored on a non-networked device that is not exposed to the internet.
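"Tested to make sure data recovery is possible" is the part of that advice most often skipped, and the failure mode in the Betty Jean Kerr breach above is exactly a backup that existed but could not be restored. The script below is an added example, not the code of any organization named on this page: the sample record files, paths and the truncation used to simulate a backup job killed mid-write are all constructed. It backs up a directory into a gzipped tar together with a manifest of per-file SHA-256 digests, then proves restorability by extracting into scratch space and comparing every restored file against the manifest, so that the result is "every file came back byte-for-byte" rather than "the archive opened". The offline copy the passage also calls for is an operational step the code cannot stand in for.

```python
"""Create a backup archive with a digest manifest, then prove it restores intact.

Added example, not the code of any organization named on the page. The sample
files, paths and the truncation that simulates an interrupted backup job are
constructed for illustration.
"""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path):
    """Hex SHA-256 of a file, read in chunks so large records are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(source_dir, archive_path):
    """Write source_dir to a gzipped tar plus a JSON manifest of per-file digests."""
    source_dir = Path(source_dir)
    manifest = {}
    with tarfile.open(archive_path, "w:gz") as tar:
        for p in sorted(source_dir.rglob("*")):
            if p.is_file():
                rel = p.relative_to(source_dir).as_posix()
                tar.add(str(p), arcname=rel)
                manifest[rel] = sha256_file(p)
    Path(f"{archive_path}.manifest.json").write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


def _safe_members(tar):
    """Refuse archive entries that would write outside the restore directory."""
    for member in tar.getmembers():
        if member.name.startswith("/") or ".." in Path(member.name).parts:
            raise ValueError(f"unsafe path in archive: {member.name}")
        yield member


def verify_restore(archive_path, manifest):
    """Restore into scratch space and compare each file to the manifest.

    Returns a list of (problem, detail) tuples; an empty list means the backup
    is restorable. An archive that raises while being read (truncated, corrupt)
    is reported as a single "unreadable" problem.
    """
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(archive_path, "r:gz") as tar:
                tar.extractall(scratch, members=_safe_members(tar))
        except Exception as exc:
            return [("unreadable", f"{type(exc).__name__}: {exc}")]
        for rel, digest in manifest.items():
            restored = Path(scratch) / rel
            if not restored.is_file():
                problems.append(("missing", rel))
            elif sha256_file(restored) != digest:
                problems.append(("corrupt", rel))
    return problems


def run_demo():
    """Back up a constructed record set, test it, then test a truncated copy of it."""
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        records = work / "records"
        (records / "patients").mkdir(parents=True)
        (records / "patients" / "p001.json").write_text('{"mrn": "000001", "visit": "2019-11-26"}')
        (records / "patients" / "p002.json").write_text('{"mrn": "000002", "visit": "2019-11-25"}')
        (records / "README.txt").write_text("constructed sample data for the restore test\n")

        archive = work / "records.tar.gz"
        manifest = create_backup(records, archive)
        intact = verify_restore(archive, manifest)

        # Simulate a backup job killed mid-write: keep only the first half of the archive.
        data = archive.read_bytes()
        truncated = work / "records-truncated.tar.gz"
        truncated.write_bytes(data[: len(data) // 2])
        damaged = verify_restore(truncated, manifest)
    return {"intact": intact, "truncated": damaged}


if __name__ == "__main__":
    result = run_demo()
    print("intact archive problems:   ", result["intact"] or "none")
    print("truncated archive problems:", result["truncated"])
```

The manifest should be written and kept separately from the archive (and the offline copy should carry its own), because a digest list that travels inside the thing it vouches for cannot catch that thing being cut short. Scheduling `verify_restore` to run on every backup, and alerting on a non-empty result, turns "we have backups" into a tested claim.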

October 2019 Data Breaches by Covered Entity Type

Healthcare providers were the worst affected by data breaches in October with 45 reported incidents. Three breaches were reported by health plans, and four breaches were reported by business associates of HIPAA-covered entities. A further four breaches also had some business associate involvement but were reported by the covered entity.

October 2019 Healthcare Data Breaches by State

October saw healthcare organizations and business associates in 24 states report data breaches. With 15 breach reports coming from Texas Health, Texas was unsurprisingly the worst affected state with 17 incidents.

There were 4 breaches reported by entities based in Ohio, three breaches reported in California, and two breaches reported in each of Arkansas, Florida, Louisiana, Maryland, New Mexico, South Carolina, and Virginia. A single breach was reported in each of Alabama, Arizona, Georgia, Illinois, Indiana, Kentucky, Minnesota, Missouri, Mississippi, Montana, New York, Oregon, South Dakota, and Washington.

HIPAA Enforcement Actions in October 2019

A further two financial penalties for HIPAA violations were announced by the HHS’ Office for Civil Rights in October – one settlement and one civil monetary penalty.

OCR launched an investigation of Elite Dental Associates following a complaint from a patient who had some of her PHI publicly disclosed in response to a Yelp review. OCR found she was not the only patient to have had PHI disclosed in that manner. OCR also determined that the practice’s notice of privacy practices did not include sufficient information and was therefore not compliant with the HIPAA Privacy Rule. Elite Dental Associates agreed to settle its HIPAA violation case with OCR for $10,000.

OCR launched an investigation of Jackson Health System following the disclosure of PHI in the media. A photograph of an operating room display had been published which contained the health information of two individuals, including a well-known NFL star. The OCR investigation uncovered multiple Privacy Rule, Security Rule, and Breach Notification Rule violations spanning several years. OCR imposed a civil monetary penalty of $2,154,000 on Jackson Health System.

The post October 2019 Healthcare Data Breach Report appeared first on HIPAA Journal.

IT Firm Ransomware Attack Prevents Nursing Homes and Acute Care Facilities from Accessing Medical Records

Virtual Care Provider Inc. (VCP), a Wisconsin-based provider of internet and email services, data storage, cybersecurity, and other IT services has experienced a ransomware attack that has resulted in the encryption of medical records and other data the firm hosts for its clients. Its clients include 110 nursing home operators and acute care facilities throughout the United States. Those entities have been prevented from accessing critical patient data, including medical records. The company provides support for 80,000 computers, in around 2,400 facilities in 45 states.

The attack involved Ryuk ransomware, a ransomware strain that has been used to attack many healthcare organizations and managed IT service providers in the United States in recent months. The ransomware is typically deployed as a secondary payload following an initial Trojan download. The attacks often involve extensive encryption, cause major disruption, and come with huge ransom demands. This attack is no different. A ransom demand of $14 million has reportedly been issued, which the company has said it cannot afford to pay.

According to Brian Krebs of KrebsonSecurity, who spoke to VCP owner and CEO Karen Christianson, the attack has affected virtually all of the company’s core offerings, including internet access, email, stored patient records, clients’ phone systems, billing, as well as the VCP payroll system.

The attack has meant acute care facilities and nursing homes cannot view or update patient records and order essential drugs to ensure they are delivered in time. Several small facilities are unable to bill for Medicaid, which will force them to close their doors if systems are not restored before December 5th in time for claims to be submitted. VCP has prioritized restoring its Citrix-based virtual private networking platform to allow clients to access patients’ medical records.

The attack commenced on November 17, 2019 and VCP is still struggling to restore access to client data and cannot process payroll for almost 150 employees. Christianson is concerned that the attack could potentially result in the untimely demise of some patients and may force her to permanently close her business.

KrebsonSecurity reports that the initial attack may date back to September 2018 and likely started with a TrickBot or Emotet infection, with Ryuk deployed as a secondary payload.

The post IT Firm Ransomware Attack Prevents Nursing Homes and Acute Care Facilities from Accessing Medical Records appeared first on HIPAA Journal.

107,000 Ferguson Medical Group Patients Impacted by Ransomware Attack

Saint Francis Healthcare System has announced that the computer network of Ferguson Medical Group has been attacked with ransomware.

The attack occurred on September 21, 2019, before Saint Francis Medical Center acquired the Sikeston, MO-based medical group. Saint Francis Healthcare learned about the ransomware attack on September 21.

According to a notice on the Saint Francis Healthcare website, the attackers succeeded in encrypting medical records of all patients who had received medical services at Ferguson Medical Group prior to January 1, 2019. The incident was reported to the Federal Bureau of Investigation and steps were immediately taken to isolate the affected systems.

The attackers demanded payment of a ransom for the keys to decrypt files on the network. Since there was no guarantee that the attackers were able to supply working decryption keys and due to other uncertainties, the decision was taken not to pay and to instead recover files from backups.

While many files were recovered, some information could not be restored and has been permanently lost. It was not possible to recover any documentation that had been scanned and saved on its systems, and medical records for patients who received services at Ferguson Medical Group between September 20, 2018 and December 31, 2018 were also permanently lost.

An analysis of the attack uncovered no evidence to suggest the attackers obtained files containing the protected health information of patients prior to encryption, and no reports have been received to suggest any patient information has been misused. However, since it is not possible to rule out unauthorized data access and theft, affected patients have been offered complimentary credit monitoring and identity theft protection services.

The incident has been listed on the Department of Health and Human Services’ Office for Civil Rights breach portal. The breach summary indicates 107,054 Ferguson Medical Group patients have been affected. It is not clear how many of those patients have had some or all of their health information lost as a result of the attack.

The post 107,000 Ferguson Medical Group Patients Impacted by Ransomware Attack appeared first on HIPAA Journal.

Phishing Attacks Reported by Choice Cancer Care Treatment Center and CAH Holdings

Choice Cancer Care Treatment Center (CCCT), a network of cancer care centers in Texas, has discovered the protected health information of some of its patients has potentially been accessed by unauthorized individuals as a result of a phishing attack in May 2019.

Suspicious activity in the email account of an employee was detected on May 21, 2019. The subsequent investigation confirmed that the account had been accessed by an unauthorized individual between May 1st and May 21st, 2019. The email account was immediately secured, and a third-party digital forensic firm was engaged to conduct a thorough investigation.

An analysis of CCCT systems confirmed that the breach was confined to the email system and only one email account had been subjected to unauthorized access. A programmatic and manual review of all emails and email attachments in the account revealed the protected health information of certain patients had been exposed. The review was completed on September 18, 2019. CCCT then reviewed all affected records and confirmed the contact information for all individuals affected. Breach notifications were sent to affected individuals in November. Individuals affected by the breach have been offered complimentary credit monitoring and identity theft protection services.

The breach was mostly limited to names, medical information and health insurance information. A very small number of patients also had their Social Security number, driver’s license number, passport number, and/or credit card number exposed.

It was not possible to determine whether the attacker viewed or acquired any patient health information. No reports have been received to suggest there has been any actual or attempted misuse of patient information.

CCCT has reviewed its data security policies and procedures and further training has been provided to employees on data privacy and security.

CAH Holdings Reports Phishing Attack Impacting Several Employee Email Accounts

CAH Holdings Inc., an independent insurance agency that provides regional insurance and risk management services, has discovered the email accounts of several employees have been accessed by unauthorized individuals.

CAH Holdings has not publicly disclosed when the breach occurred nor when it was detected, only stating that a review of the affected employee email accounts was completed on September 16, 2019. That review confirmed that billing-related information had potentially been compromised, including names and Social Security numbers and some or all of the following data elements: Date of birth, address, health insurance number, driver’s license number, diagnosis, and treatment plan. That information had been provided to CAH Holdings by insurance companies and employers.

A third-party computer forensics firm assisted with the review of the compromised accounts, but it was not possible to determine whether any emails or email attachments had been opened or copied by the attackers.

The breach has prompted CAH Holdings to implement multi-factor authentication on its Office 365 email accounts, and anti-spam controls have also been augmented. CAH Holdings has also hired a Chief Information Security Officer (CISO) who will be performing a thorough review of its security protocols. Additional security measures will be implemented, as appropriate, based on the findings of that review.

No evidence of misuse of sensitive information has been uncovered but, as a precaution, all affected individuals have been offered complimentary credit monitoring and identity theft protection services. Affected individuals are also covered by a $1 million insurance reimbursement policy.

The post Phishing Attacks Reported by Choice Cancer Care Treatment Center and CAH Holdings appeared first on HIPAA Journal.

Former Aegis Medical Group Employee Potentially Accessed 9,800 Records Without Authorization

The Florida physician network, Aegis Medical Group, has started notifying 9,800 patients that their protected health information may have been accessed by a former employee. That individual is understood to have attempted to sell patient records to third parties suspected of being involved in identity theft and fraud.

Aegis Medical Group was informed by law enforcement on September 11, 2019 about the employee. The law enforcement investigation determined that the employee attempted to sell the data of just two patients. Working with law enforcement, the physician network determined that the records of up to 9,800 patients were potentially accessed by the employee between July 24, 2019 and September 9, 2019.

The information contained in the records was limited to first and last names, dates of birth, account numbers, postal addresses, diagnosis information, and Social Security numbers. Approximately 75% of the records that may have been accessed were physical records rather than electronic copies.

Following notification by law enforcement, Aegis Medical Group immediately terminated the employee. It is unclear at this point in time whether the former employee has been charged.

Due to the nature of data exposed, all affected patients have been advised to monitor their accounts, explanation of benefits statements, and credit card statements for signs of misuse of their information and have been told about other steps they can take to prevent identity theft and fraud. Complimentary credit monitoring and identity theft protection services are also being provided.

Aegis Medical Group has confirmed that all physical records were stored properly although, to improve security, physical records are now being converted to digital formats as digital records are easier to secure and monitor for unauthorized access. Employees have been notified about the incident, told about the consequences of improper PHI access, and the importance of maintaining the confidentiality and security of patient records.

The post Former Aegis Medical Group Employee Potentially Accessed 9,800 Records Without Authorization appeared first on HIPAA Journal.