HIPAA Breach News

HIPAA Enforcement in 2019

It has been another year of heavy enforcement of HIPAA compliance. HIPAA enforcement in 2019 by the Department of Health and Human Services' Office for Civil Rights (OCR) resulted in 10 financial penalties, with $12,274,000 paid to OCR to resolve HIPAA violation cases.

2019 saw one civil monetary penalty issued and settlements reached with 9 entities, one fewer than in 2018. Across the 10 penalties, the average financial penalty in 2019 was $1,227,400 ($12,274,000 divided by 10).

HIPAA Enforcement in 2019 by the HHS' Office for Civil Rights


Particularly egregious violations will attract financial penalties, but some of the 2019 settlements also provide insights into OCR's preferred method of dealing with noncompliance. Even when HIPAA violations are discovered, OCR prefers to resolve cases through voluntary compliance and by providing technical assistance. When technical assistance is provided and covered entities fail to act on OCR's advice, financial penalties are likely to follow.

This was made clear in two of the most recent HIPAA enforcement actions. OCR launched compliance investigations into two covered entities after being notified about data breaches. OCR discovered in both cases that HIPAA Rules had been violated. OCR chose to provide technical assistance to both entities rather than issue financial penalties, but the covered entities failed to act on the guidance and a financial penalty was imposed.

Sentara Hospitals disagreed with the guidance provided by OCR and refused to update its breach report to reflect the actual number of patients affected. West Georgia Ambulance was issued with technical guidance and failed to take sufficient steps to address the areas of noncompliance identified by OCR.

If you are told by OCR that your interpretation of HIPAA is incorrect, or are otherwise issued with technical guidance, it pays to act on that guidance quickly. Refusing to take corrective action is a sure-fire way to guarantee a financial penalty, attract negative publicity, and still be required to change policies and procedures in line with the guidance.

There were two important HIPAA enforcement updates in 2019. OCR adopted a new interpretation of the Health Information Technology for Economic and Clinical Health (HITECH) Act’s requirements for HIPAA penalties and a new enforcement initiative was launched.

The HITECH Act of 2009 called for an increase in the penalties for HIPAA violations and set four penalty tiers based on the level of culpability. HHS implemented the new penalty structure in an interim final rule in 2009 and carried it into the Omnibus Final Rule of January 25, 2013. At the time it was thought that there were inconsistencies in the language of the HITECH Act with respect to the penalty amounts, and OCR determined that the most logical reading was to apply the same annual cap of $1,500,000 per violation category to all four tiers.

In April 2019, OCR issued a Notice of Enforcement Discretion regarding the penalties. On a fresh reading of the HITECH Act's language, OCR lowered the annual caps in three of the four tiers: $25,000 for tier 1, $100,000 for tier 2, and $250,000 for tier 3 (all subject to inflationary increases). The tier 4 cap remains $1,500,000.

2019 also saw the launch of a new HIPAA Right of Access enforcement initiative targeting organizations that were overcharging patients for copies of their medical records or were not providing copies in a timely manner and in the format requested by the patient.

The extent of noncompliance was highlighted by a study conducted by Citizen Health, which found that 51% of healthcare organizations were not fully compliant with the HIPAA Right of Access. Delays providing copies of medical records, refusals to send patients’ PHI to their nominated representatives or their chosen health apps, not providing a copy of medical records in an electronic format, and overcharging for copies of health records are all common HIPAA Right of Access failures.

The two HIPAA Right of Access settlements reached so far under OCR's enforcement initiative have both been for $85,000. With these enforcement actions OCR is sending a clear message to healthcare providers that noncompliance with the HIPAA Right of Access will not be tolerated.

Right of Access violations aside, the same areas of noncompliance continue to attract financial penalties, especially the failure to conduct a comprehensive, organization-wide risk analysis. 2019 also saw an increase in the number of cited violations of the HIPAA Breach Notification Rule.

HIPAA Compliance Issues Cited in 2019 Enforcement Actions

Noncompliance issue                          | Number of cases
Risk Analysis                                | 5
Breach Notifications                         | 3
Access Controls                              | 2
Business Associate Agreements                | 2
HIPAA Right of Access                        | 2
Security Rule Policies and Procedures        | 2
Device and Media Controls                    | 1
Failure to Respond to a Security Incident    | 1
Information System Activity Monitoring       | 1
No Encryption                                | 1
Notices of Privacy Practices                 | 1
Privacy Rule Policies and Procedures         | 1
Risk Management                              | 1
Security Awareness Training for Employees    | 1
Social Media Disclosures                     | 1

OCR's HIPAA enforcement in 2019 also demonstrated that a data breach does not have to have occurred for a compliance investigation to be launched. OCR investigates all breaches of 500 or more records to determine whether noncompliance contributed to the breach, but complaints can also trigger an investigation and compliance review. That was the case with both enforcement actions under the HIPAA Right of Access initiative.


The post HIPAA Enforcement in 2019 appeared first on HIPAA Journal.

North Ottawa Community Health System Discovers 3-Year Insider Breach

North Ottawa Community Health System (NOCH) has discovered an employee at North Ottawa Community Hospital in Grand Haven, MI, accessed the medical records of patients without authorization over a period of 3 years.

The matter was brought to the attention of the health system on October 15 by another employee. An investigation into the alleged inappropriate access was launched on October 17 and the employee was suspended pending the outcome of the investigation.

NOCH confirmed on November 25, 2019 that the employee had accessed the medical records of 4,013 patients without any legitimate work reason for doing so between May 2016 and October 2019. There appeared to be no discernible pattern to the unauthorized access. Patient records appeared to have been accessed at random.

No evidence was found to suggest that any patient information was stolen. NOCH believes the employee was accessing patient information out of curiosity.

The types of information potentially accessed included names, dates of birth, Social Security numbers, Medicare and Medicaid numbers, health insurance information, and some health information. Any patient whose Social Security number was viewable has been offered complimentary credit monitoring and identity theft protection services for 12 months.

Further training on NOCH policies covering medical record access has been provided to all staff members, and employee access to patient records has been tightened.

The breach has been reported to the Department of Health and Human Services' Office for Civil Rights, which will decide whether any further action against NOCH, as the covered entity, is warranted. Any criminal prosecution of the employee for the HIPAA violation would be a matter for the Department of Justice rather than OCR.

Cyberattack Forces Shutdown of Center for Health Care Services’ Computer Systems

The Center for Health Care Services (CHCS) in San Antonio, TX, experienced a cyberattack over the holiday period which forced it to shut down its computer systems.

CHCS provides healthcare services for individuals with mental health disorders, developmental disabilities, and substance abuse disorder and operates several walk-in clinics and outreach centers in San Antonio.

The CHCS IT team determined that a single server had been compromised after being alerted about the cyberattack by federal officials. The decision was taken to shut down its entire computer system as a precaution. The IT department has started restoring its computer systems and bringing them back online one by one, starting with the systems at its largest clinics. The process is expected to take several days.

The cyberattack was part of a larger attack that started before the holiday period. It is currently unclear how many other organizations have been affected.


Ann & Robert H. Lurie Children’s Hospital of Chicago Fires Worker for Unauthorized Medical Record Access

Ann & Robert H. Lurie Children’s Hospital of Chicago, a pediatric specialty hospital in Chicago, IL, has discovered a former employee accessed the medical records of certain patients without a legitimate work reason for doing so. The unauthorized access occurred between September 10, 2018 and September 22, 2019.

The hospital learned of the HIPAA violation on November 15, 2019 and immediately terminated the employee’s access to all patient information while the incident was investigated. The employee was subsequently disciplined for the violation of HIPAA and hospital policies and was terminated.

The employee was unable to view full Social Security numbers, financial information, or health insurance information. The only types of information that could have been viewed were names, addresses, dates of birth, diagnoses, appointment dates, medical procedures, and other limited medical information.

The breach notice published on the hospital’s website makes no mention of the reason why the former employee was accessing patient information, but the hospital says there is no reason to suspect that any patient information has been stolen, further disclosed, or misused.

Patients affected by the breach were notified by mail on December 26, 2019. As a precaution against misuse of their personal and health information, affected patients have been advised to monitor the statements they receive from their healthcare provider. A spokesperson for the hospital said, “Lurie Children’s deeply regrets that this incident occurred,” and confirmed that steps have been taken to prevent any further incidents of this nature from occurring in the future, including providing further training for employees on the hospital’s policies regarding unauthorized accessing of patient records.

The incident has yet to appear on the Department of Health and Human Services’ Office for Civil Rights’ breach portal, so it is currently unclear how many patients have been affected.


New Mexico Hospital Discovers Malware on Imaging Server

Roosevelt General Hospital in Portales, New Mexico has discovered malware on a digital imaging server used by its radiology department. The malware potentially allowed cybercriminals to gain access to the radiological images of around 500 patients.

The malware infection was discovered on November 14, 2019 and prompt action was taken to isolate the server to prevent further unauthorized access and block communications with the attackers’ command and control server. The IT department was able to remove the malware and rebuild the server and all patient data was recovered. A scan was conducted to identify any vulnerabilities and the hospital is now satisfied that the server is secured and protected.

The investigation into the breach did not uncover any evidence to suggest protected health information and medical images were viewed or stolen by the hackers, but the possibility of unauthorized data access and PHI theft could not be ruled out.

The investigation into the security breach is continuing but the hospital’s IT department has confirmed that the breach was limited to the imaging server. Its medical record system and billing systems were unaffected. The types of information accessible through the compromised server included names, addresses, phone numbers, dates of birth, Social Security numbers, driver’s license numbers, health insurance information, medical information and the genders of patients.

All patients whose information was accessible through the server have been notified about the security breach by mail and have been advised to monitor their credit reports for any sign of fraudulent activity. No reports of misuse of patient information have been received by the hospital to date.

The incident has yet to appear on the Department of Health and Human Services’ Office for Civil Rights’ breach portal, so the exact number of patients affected by the breach is not yet available. According to RGH Marketing and Public Relations Director, Jeanette Orrantia, the breach was reported to OCR within 60 days of discovery.


Colorado Department of Human Services and Sinai Health System Alert Patients About HIPAA Breaches

The State of Colorado is notifying 12,230 individuals about an impermissible disclosure of some of their protected health information as a result of a mailing error.

The error occurred on a Colorado Department of Human Services mailing of Notices to Reapply for food and cash assistance programs.

The error came to light on November 6, 2019. The investigation revealed 10,879 Notice to Reapply forms had been sent containing information about the wrong individuals. In total, the information of 12,230 individuals had been incorrectly included on the forms.

The information included names, employers, whether the person had a vehicle, and a limited amount of other information related to household resources. No addresses, dates of birth, financial information, Social Security numbers, or other information required for identity theft and fraud were disclosed.

Affected individuals were notified about the error on November 10, 2019 and have been advised to either shred the incorrect notices or take them to their local county human services’ office for secure disposal.

The risk of misuse of PHI is low due to the nature of disclosed information but, as a precaution, affected individuals have been offered complimentary credit monitoring services for 12 months.

Sinai Health System Phishing Attack Reported

Chicago-based Sinai Health System has discovered the email accounts of two of its employees have been compromised as a result of responses to phishing emails. No information has been disclosed about the date of the attack and when it was discovered, but Sinai Health System has reported that third-party computer forensics experts determined on October 16, 2019 that the compromised accounts contained protected health information which was potentially accessed by the attackers. No evidence of data theft was uncovered during the investigation and no reports have been received to suggest any PHI has been misused.

The types of information in the compromised accounts varied from patient to patient and may have included names, addresses, dates of birth, Social Security numbers, health information, and health insurance information. Steps have already been taken to improve email security, including upgrading its email filtering controls. Staff have also received further security awareness training to help them identify malicious emails and email retention policies have been revised.

The breach report submitted to the Department of Health and Human Services’ Office for Civil Rights indicates the compromised accounts contained the protected health information of 12,578 patients.


November 2019 Healthcare Data Breach Report

In November 2019, 33 healthcare data breaches of 500 or more records were reported to the Department of Health and Human Services' Office for Civil Rights (OCR). That represents a 36.5% decrease from October, the worst month for healthcare data breaches since OCR started listing breaches on its website in October 2009. The fall in breaches is certainly good news, but data breaches are still occurring at a rate of more than one a day.

600,877 healthcare records were exposed, impermissibly disclosed, or stolen in November. That represents a 9.2% decrease in breached healthcare records from October, but the average breach size increased by 30.1% to 18,208 records in November.

Largest Healthcare Data Breaches in November 2019

Name of Covered Entity | Covered Entity Type | Individuals Affected | Type of Breach | Location of Breached PHI
Ivy Rehab Network, Inc. and its affiliated companies | Healthcare Provider | 125,000 | Hacking/IT Incident | Email
Solara Medical Supplies, LLC | Healthcare Provider | 114,007 | Hacking/IT Incident | Email
Saint Francis Medical Center | Healthcare Provider | 107,054 | Hacking/IT Incident | Electronic Medical Record, Network Server
Southeastern Minnesota Oral & Maxillofacial Surgery | Healthcare Provider | 80,000 | Hacking/IT Incident | Network Server
Elizabeth Family Health | Healthcare Provider | 28,375 | Theft | Paper/Films
The Brooklyn Hospital Center | Healthcare Provider | 26,312 | Hacking/IT Incident | Network Server
Utah Valley Eye Center | Healthcare Provider | 20,418 | Hacking/IT Incident | Desktop Computer
Loudoun Medical Group d/b/a Comprehensive Sleep Care Center ("CSCC") | Healthcare Provider | 15,575 | Hacking/IT Incident | Email
Choice Cancer Care | Healthcare Provider | 14,673 | Hacking/IT Incident | Email
Arizona Dental Insurance Services, Inc. d.b.a. Delta Dental of Arizona | Health Plan | 12,886 | Hacking/IT Incident | Email

Causes of Healthcare Data Breaches in November 2019

Hacking/IT incidents dominated November's breach reports, accounting for 63.6% of the breaches (21 incidents) and 90.75% of the breached records (545,293). The average breach size was 25,966 records and the median breach size was 3,977 records.

There were 7 unauthorized access/disclosure breaches reported in November involving 16,586 healthcare records. The mean breach size was 2,369 records and the median breach size was 996 records.

There were 5 incidents involving the theft of 38,998 individuals' protected health information; the remaining breach types (loss and improper disposal) accounted for none of the month's breaches, since hacking, unauthorized access/disclosure, and theft together make up all 33 reports and all 600,877 records. Two of the theft incidents involved electronic devices and two involved paper records. The mean breach size was 7,800 records and the median breach size was 3,237 records.

Phishing continues to be the most common cause of healthcare data breaches. 17 of the healthcare data breaches reported in November involved PHI stored in email accounts. The majority of those breaches were due to phishing attacks.

November 2019 Healthcare Data Breaches by Covered Entity Type

There were 28 data breaches reported by healthcare providers in November and four reported by health plans. It was a good month for business associates, with only one breach reported by a business associate, although a further two breaches had some business associate involvement.


November 2019 Healthcare Data Breaches by State

Data breaches were reported by covered entities in 19 states. California was the worst affected with 4 breaches, followed by Illinois, Missouri, New York, and Texas with three breaches each. Two breaches were reported by covered entities in Florida, North Carolina, and Pennsylvania, and there was one reported breach in each of Alaska, Arizona, Colorado, Connecticut, Indiana, Maryland, Michigan, Minnesota, Nebraska, Utah, and Virginia.

HIPAA Enforcement in November 2019

There were three financial penalties imposed on HIPAA-covered entities in November to resolve HIPAA violations.

University of Rochester Medical Center (URMC) settled its HIPAA violation case with OCR for $3,000,000. OCR launched an investigation after receiving two notifications about breaches due to lost or stolen devices. OCR had investigated URMC in 2010 after the first device was lost and provided technical assistance. At the time, URMC recognized the high risk of storing ePHI on portable devices and the need for encryption, yet encryption was not implemented and unencrypted portable electronic devices continued to be used. When OCR investigated the subsequent theft of a laptop computer, its investigators found URMC had failed to conduct an organization-wide risk analysis, had not reduced risks to a reasonable and appropriate level, and had not implemented appropriate device and media controls.

Sentara Hospitals agreed to settle its HIPAA violation case with OCR for $2,175,000. OCR launched a compliance investigation in response to a complaint from a patient in April 2017. The patient had received a bill from Sentara containing another patient’s protected health information. Sentara Hospitals reported the breach as affecting 8 individuals, but OCR found that 577 letters had been misdirected to 16,342 different guarantors. Sentara Hospitals refused to update its breach report with the new total. OCR also found Sentara Hospitals had failed to enter into a business associate agreement with one of its vendors.

A substantial financial penalty was also imposed on the Texas Department of Aging and Disability Services (DADS). DADS had reported a breach of 6,617 patients' ePHI to OCR in 2015. An error in a web application allowed ePHI to be accessed over the internet by individuals not authorized to view the data, and the ePHI had been exposed for around 8 years. OCR investigated and found that DADS had failed to conduct an organization-wide risk analysis, lacked adequate access controls, and had failed to monitor information system activity. DADS settled the HIPAA violation case and paid a penalty of $1.6 million.


CMS Blue Button 2.0 Coding Bug Exposed PHI of 10,000 Medicare Beneficiaries

The Centers for Medicare and Medicaid Services (CMS) has discovered a bug in its Blue Button 2.0 API that exposed the protected health information of 10,000 Medicare beneficiaries. Access to the Blue Button API has been temporarily suspended while the CMS investigates and completes a comprehensive code review. The CMS has not produced a timeline for when the Blue Button 2.0 service will be resumed.

On December 4, 2019, the CMS was alerted to a data anomaly with the Blue Button API by a third-party application partner. The CMS confirmed the data anomaly and immediately suspended access to the production environment while the matter was investigated.

The CMS determined the anomaly was due to a coding bug. That bug potentially allowed data to be shared with incorrect Blue Button 2.0 applications and the wrong beneficiaries. The CMS determined 30 applications have been impacted by the bug.

The Blue Button platform is used by Medicare beneficiaries to authorize third-party applications, services, and research programs to access their claims data. A CMS identity management system verifies user credentials through a randomly generated unique user ID, which ensures the correct beneficiary claims data is shared with the correct third-party applications.

The CMS discovered that a coding bug was causing Blue Button 2.0 to truncate the 128-bit user ID to a 96-bit value. The truncated value no longer carried enough of the original identifier to be unique, and the same 96-bit ID ended up assigned to different beneficiaries. As a result, some beneficiaries who shared a truncated ID in the identity management system had their claims data passed to other users and applications via Blue Button 2.0.

How the error led to the impermissible disclosure of claims data is now well understood; what was not initially clear was how the bug was introduced and why it was not caught in time to prevent the exposure and disclosure of sensitive beneficiary data.

There are three takeaways from the initial findings of the investigation related to code reviews, testing, and cross team collaboration.

The CMS investigation found the bug was introduced on January 11, 2018. When changes are made, there is usually a comprehensive review of the changes, but in January a comprehensive review was not completed. If the review had occurred, the bug could have been identified and corrected before any sensitive information was disclosed.

The CMS tests Blue Button 2.0 using synthetic data to verify functionality. This ensures that no personal health information is put at risk. Integration of Blue Button 2.0 with other systems is not tested in order to protect personal health information. Consequently, integration with the identity management system was not tested.

The CMS notes that the code that generates the user ID token is run by a separate identity management team. The Blue Button 2.0 team made assumptions about how the token worked, and they were not validated. If there was better collaboration between enterprise teams, the necessary information would have been present in decision making.

Steps have now been taken to prevent a recurrence. An enhanced quality review and validation process has been implemented, the Blue Button 2.0 team will perform comprehensive reviews of all new code so that errors are identified and corrected before changes go live, and Blue Button 2.0 now stores full user IDs instead of truncated IDs.
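The failure mode described above, and the fix of storing the full ID, as an added illustration that is not CMS code: a 128-bit identifier truncated to 96 bits so that two distinct beneficiaries collapse onto one lookup key, beside the fail-closed check a data-release path should make (refuse to return anything when a key maps to more than one person) and a birthday-bound calculation. The beneficiary IDs are constructed; which 32 bits the real bug discarded is not stated, so dropping the high bits is an assumption. One caveat worth adding: 96 uniformly random bits would not collide among roughly 60 million beneficiaries (the probability is on the order of 10^-14), so for truncation to have produced collisions the distinguishing variation must have been concentrated in the discarded bits. The remediation, keeping the full identifier, is correct either way.

```python
"""Truncated-identifier collision, modelled on the Blue Button 2.0 bug.

Added example, not CMS code. The IDs below are constructed so that two of
them agree in their low 96 bits; dropping the high 32 bits is an assumption
about the defect, since CMS did not say which bits were lost.
"""
import math
from collections import defaultdict

FULL_BITS = 128        # width of the identity system's user ID
TRUNCATED_BITS = 96    # width the defective Blue Button 2.0 code kept


def truncate_id(user_id: int, bits: int) -> int:
    """Keep only the low `bits` bits of user_id; bits == 128 is a no-op."""
    return user_id & ((1 << bits) - 1)


def build_index(beneficiaries, key_bits):
    """Map lookup key -> list of beneficiaries; a list longer than 1 is a collision."""
    index = defaultdict(list)
    for name, uid in beneficiaries:
        index[truncate_id(uid, key_bits)].append(name)
    return index


def find_collisions(index):
    """Return only the keys that several beneficiaries share."""
    return {key: names for key, names in index.items() if len(names) > 1}


def is_ambiguous(index, user_id, key_bits) -> bool:
    """True when the key for user_id maps to anything other than exactly one person."""
    return len(index.get(truncate_id(user_id, key_bits), [])) != 1


def lookup_owner(index, user_id, key_bits):
    """Fail closed: release claims only when the key maps to exactly one beneficiary."""
    if is_ambiguous(index, user_id, key_bits):
        raise LookupError("key does not map to exactly one beneficiary, refusing")
    return index[truncate_id(user_id, key_bits)][0]


def collision_probability(n_ids: int, bits: int) -> float:
    """Birthday bound: P(at least one collision) among n uniform `bits`-bit IDs."""
    return -math.expm1(-n_ids * (n_ids - 1) / (2.0 * 2.0 ** bits))


# Constructed beneficiaries. SHARED_LOW is an arbitrary 96-bit value; the first
# two IDs differ only in bits 96..127, exactly the bits truncation discards.
SHARED_LOW = 0x5A3F19C2E7B04D6F8812A9C3
BENEFICIARIES = [
    ("beneficiary-A", (0x00000001 << 96) | SHARED_LOW),
    ("beneficiary-B", (0x00000002 << 96) | SHARED_LOW),
    ("beneficiary-C", (0x00000003 << 96) | 0x0123456789ABCDEF01234567),
]


def demo():
    """Compare the defective (96-bit) and corrected (128-bit) lookup tables."""
    truncated = build_index(BENEFICIARIES, TRUNCATED_BITS)
    full = build_index(BENEFICIARIES, FULL_BITS)
    return find_collisions(truncated), find_collisions(full)


if __name__ == "__main__":
    truncated_collisions, full_collisions = demo()
    print("collisions with 96-bit keys: ", truncated_collisions)
    print("collisions with 128-bit keys:", full_collisions)
    print("P(collision) for 60M uniform 96-bit IDs: %.2e"
          % collision_probability(60_000_000, 96))
```

The point of `lookup_owner` is that a collision in the identity layer should surface as a refused request, not as another person's claims. Checking `find_collisions` over the whole table is also the kind of integration test the CMS write-up says was never run against the identity management system.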

A full review of the platform is now being conducted and the API will remain suspended until that coding review has been completed.

An in-depth analysis will also be conducted to determine the potential impact on affected beneficiaries. Decisions will then be made about what other steps are required to protect affected beneficiaries, such as the provision of credit monitoring services.


Email Security Breaches Reported by Conway Medical Center and Equinox Inc.

The email accounts of several employees of Conway Medical Center in South Carolina have been accessed by unauthorized individuals.

The phishing attack was detected on October 7, 2019 and affected email accounts were immediately secured to prevent further unauthorized access. External cybersecurity experts were engaged to investigate the breach and determine whether patient information had been viewed or acquired. The investigators determined that the first email accounts were compromised in or before July 2019.

It took until November 20, 2019 for the investigators to confirm that the protected health information of patients had been exposed, as each email had to be checked to determine whether it contained PHI and whether it had been accessed, a largely manual process.

The way the email accounts were accessed meant that mailbox contents may have been synchronized to the attacker's device, so emails and their attachments could have been downloaded automatically rather than opened individually.
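Mailbox synchronization by an attacker leaves a characteristic trace: a successful login over a sync protocol (IMAP, POP, ActiveSync, EWS) from an address the account owner has never used. The following is an added detection example, not code from Conway Medical Center or its investigators; it assumes the access was over such a client protocol, which the notice implies but does not state. The sign-in records are constructed JSON lines in a made-up schema (time, user, protocol, ip, result); real Exchange Online or Microsoft 365 audit exports use different field names and would need a small mapping step.

```python
"""Hunting for attacker mailbox synchronization after a phishing compromise.

Added example. SAMPLE_LOGS are constructed records in an invented schema;
the IPs are from the RFC 5737 documentation ranges.
"""
import json
from collections import defaultdict

# Client protocols that pull down a whole mailbox rather than one message.
SYNC_PROTOCOLS = {"IMAP4", "POP3", "ActiveSync", "EWS"}

SAMPLE_LOGS = """
{"time": "2019-07-01T08:02:11Z", "user": "alice@example.org", "protocol": "Browser", "ip": "203.0.113.10", "result": "Success"}
{"time": "2019-07-01T08:40:52Z", "user": "alice@example.org", "protocol": "ActiveSync", "ip": "203.0.113.10", "result": "Success"}
{"time": "2019-07-02T17:21:03Z", "user": "bob@example.org", "protocol": "Browser", "ip": "203.0.113.22", "result": "Success"}
{"time": "2019-07-03T02:15:44Z", "user": "alice@example.org", "protocol": "IMAP4", "ip": "198.51.100.77", "result": "Failure"}
{"time": "2019-07-03T02:16:09Z", "user": "alice@example.org", "protocol": "IMAP4", "ip": "198.51.100.77", "result": "Success"}
{"time": "2019-07-03T02:31:50Z", "user": "bob@example.org", "protocol": "IMAP4", "ip": "198.51.100.77", "result": "Success"}
{"time": "2019-07-04T09:05:30Z", "user": "carol@example.org", "protocol": "Browser", "ip": "198.51.100.5", "result": "Success"}
""".strip().splitlines()


def parse_events(lines):
    """Parse JSON lines, skipping blanks and malformed records, in time order."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    # ISO 8601 UTC timestamps sort correctly as strings.
    return sorted(events, key=lambda e: e["time"])


def find_sync_from_new_ip(events):
    """Flag successful sync-protocol logins from an IP the user has never used.

    Only successful logins build a user's IP history, so an attacker's failed
    attempts (the 02:15:44 IMAP4 failure above) cannot pre-seed their address.
    """
    seen_ips = defaultdict(set)
    findings = []
    for e in events:
        if e["result"] != "Success":
            continue
        user, ip = e["user"], e["ip"]
        if e["protocol"] in SYNC_PROTOCOLS and ip not in seen_ips[user]:
            findings.append((e["time"], user, e["protocol"], ip))
        seen_ips[user].add(ip)
    return findings


def shared_source_ips(findings):
    """IPs flagged for more than one account: a pivot for scoping the incident."""
    users_by_ip = defaultdict(set)
    for _, user, _, ip in findings:
        users_by_ip[ip].add(user)
    return {ip: sorted(users) for ip, users in users_by_ip.items() if len(users) > 1}


if __name__ == "__main__":
    hits = find_sync_from_new_ip(parse_events(SAMPLE_LOGS))
    for hit in hits:
        print("sync login from new IP:", *hit)
    print("IPs shared across flagged accounts:", shared_source_ips(hits))
```

A legitimate first sync from a new phone fires the same rule, so in practice the history is seeded from a baseline period and enriched with geolocation or ASN before alerting; the `shared_source_ips` pivot is what turns one noisy alert into an incident scope, as in the Conway case where several accounts were hit.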

Those emails contained names, addresses, Social Security numbers, dates of birth, phone numbers, dates of admission, discharge dates, CMC account numbers, amount owed, and other information. For certain patients, the names, addresses, phone numbers, Social Security numbers, place of employment, and other information related to their guarantors was also potentially acquired.

Steps have now been taken to improve email security and notification letters have been mailed to affected patients. Individuals whose financial data has been exposed have been offered complimentary identity theft protection services.

The breach report submitted to the Department of Health and Human Services’ Office for Civil Rights indicates 2,500 patients have been affected by the security breach.

1,021 Clients of Equinox, Inc. Notified of PHI Exposure

Equinox, Inc., an Albany, NY-based provider of services to individuals affected by chemical dependency, mental health issues, and domestic abuse, has discovered that the email accounts of two of its employees were accessed by unauthorized individuals.

The data security breach was discovered on July 26, 2019 when suspicious activity was detected in its digital environment. Its systems were immediately secured and third-party cybersecurity experts were engaged to investigate the breach. Equinox was informed on August 28, 2019 that two email accounts had been accessed by unauthorized individuals.

The affected email accounts were then reviewed to determine whether they contained any patient information. Equinox was informed on October 9, 2019 that the protected health information of 1,021 current and former clients had potentially been accessed. The email accounts contained names, addresses, Social Security numbers, dates of birth, medical treatment or diagnosis information, health insurance information, and/or medication-related information.

No evidence was found to suggest information in emails and attachments was viewed or acquired and no reports have been received to indicate clients’ information has been misused.

Affected individuals were notified on December 6, 2019 and have been offered complimentary credit monitoring and identity theft protection services. Additional security measures have been implemented to prevent further breaches of this nature in the future.


Tidelands Health Recovering from Malware Attack

Tidelands Health in Georgetown, SC, is working round the clock to restore its computer systems after the discovery of malware on its network on December 12, 2019. The attack has forced the healthcare provider to shut down parts of its network and implement emergency protocols. Staff have been using paper records for patients while the malware is removed and systems are restored and brought back online.

Patients are being seen and quality care is still being provided, although a limited number of non-emergency appointments have had to be rescheduled, according to Tidelands Health spokesperson Dawn Bryant.

The type of malware involved has not been disclosed, although Tidelands Health has said no data was lost and patient information was not compromised.

Third-party cybersecurity experts have been engaged to investigate the attack, remove the malware, and restore its systems. That is a time-consuming, methodical process as the stability and integrity of every system must be thoroughly assessed before it is possible to bring each back online.

Stolen Children’s Hope Alliance Laptop Computer Contained the PHI of 4,564 Patients

Barium Springs, NC-based healthcare provider, Children’s Hope Alliance, is notifying 4,564 patients that some of their protected health information has been exposed. The data was stored on an employee’s laptop computer which was stolen on October 7, 2019.

Third-party computer forensics investigators have been engaged to determine what information was stored on the laptop. The investigation is ongoing, but the preliminary findings indicate documents on the device contained names, addresses, Social Security numbers, tax ID numbers, dates of birth, medication and dosage information, and usernames and passwords.

Notifications will be sent to affected individuals when the investigation has been completed. At this stage, no evidence has been found to indicate any patient information has been accessed by unauthorized individuals and no reports of misuse of patient information have been received.
