HIPAA Breach News

Brooklyn Hospital Center Malware Attack Results in Loss of Patients’ Health Records

Brooklyn Hospital Center in New York has announced that a security breach occurred in late July 2019 that resulted in malware being installed on some of the hospital’s servers.

The attack was discovered promptly, and steps were taken to limit the harm caused; however, it was not possible to prevent certain files from being encrypted.

A third-party digital forensics firm was retained to assess the nature and extent of the malware attack and assist with the recovery of encrypted files. On September 4, following ‘exhaustive efforts’ to recover the encrypted files, it was determined that certain patient information was unrecoverable.

Entire medical records have not been lost, but some patients’ dental and cardiac images could not be restored. The hospital is currently conducting a review to determine which patients have been affected and those individuals will be notified in due course. As is often the case with ransomware attacks such as this, the goal of the attackers appears to have been to extort money from the hospital rather than gain access to patient information. No reports of misuse of patient information have been received and the forensic investigation uncovered no evidence to suggest the attackers accessed or exfiltrated patient information.

Brooklyn Hospital Center already had stringent security controls in place to prevent cyberattacks, although in this instance those controls were circumvented by the attackers. Policies, procedures, and existing security protocols are under review and security controls will be enhanced to prevent further breaches of this nature from occurring in the future.

Unauthorized PHI Access and Use Discovered by Washington University School of Medicine

Washington University School of Medicine (WUSM) has discovered an employee’s personal laptop computer was used by an unauthorized individual to access a WUSM email account which contained the protected health information of certain patients of the Department of Ophthalmology and Visual Sciences.

The unauthorized individual, who had a personal relationship with the employee, accessed the email account between April 29, 2019 and September 3, 2019. A forensic investigation was conducted by a third-party firm to determine what information was contained in the account and could have been accessed. The investigation revealed information in emails and email attachments included patients’ names, medical record numbers, dates of birth, provider names, and limited treatment and clinical information, such as diagnoses and prescription information. The Social Security numbers and health insurance information of certain patients were also potentially compromised.

It was not possible to determine which emails and attachments had been opened, so the decision was taken to notify all individuals whose protected health information was potentially compromised. Any individual who had their Social Security number exposed has been offered complimentary credit monitoring and identity theft protection services.

The breach came to light on September 3, 2019 following reports that certain patients had been sent a letter about an employee of the Ophthalmology Department. The subsequent investigation led to the discovery of the security breach. It is unclear why those individuals were contacted.

WUSM has since implemented additional security enhancements and has re-educated employees on password best practices.

The incident has yet to appear on the Department of Health and Human Services’ Office for Civil Rights’ breach portal, so it is currently unclear how many patients have been affected.

The post Brooklyn Hospital Center Malware Attack Results in Loss of Patients’ Health Records appeared first on HIPAA Journal.

California Mental Health Services Provider Discovers Unauthorized Email Account Access and File Deletion

The Guidance Center (TGC), a nonprofit provider of mental health care services to disadvantaged children and their families in Long Beach, Compton, San Pedro, and Avalon in California, has discovered a breach of its digital environment.

In a breach notification letter to the California Attorney General, Xavier Becerra, TGC’s counsel explained that unusual activity was detected within TGC’s digital environment in late March 2019. Staff had reported that files and backups appeared to be missing. An internal investigation was launched which concluded the files had been deleted. Further investigation also showed that a TGC computer had been reconfigured to allow it to be remotely accessed.

TGC believes the change to the computer and deletion of files was most likely the work of a former employee. The matter was reported to both the Long Beach Police Department and the FBI, and the individual suspected of the illegal access was sent a cease and desist letter by TGC’s attorney on March 30, 2019. Following that letter, all further unauthorized access stopped.

On April 19, 2019, TGC engaged a digital forensics company to determine whether any patient information had been accessed without authorization. No evidence of unauthorized PHI access or data exfiltration was discovered; however, certain employee email accounts had been accessed remotely.

According to the substitute breach notification letter on the TGC website, TGC learned on September 19, 2019 that some sensitive information was contained in those email accounts. It took some time to determine which clients had been affected and to find up-to-date contact information for those individuals. Breach notification letters were sent on October 25, 2019.

In total, the protected health information of 1,235 current and former clients was detailed in the email accounts and could therefore have been accessed, although no evidence of unauthorized PHI access was discovered.

The information in the accounts was limited to names, addresses, dates of birth, health insurance/claims information, medical information and, for a limited number of patients, Social Security numbers.

All individuals whose Social Security number was exposed have been offered 12 months of complimentary credit monitoring services. Additional security controls have now been implemented to prevent any similar incidents from occurring in the future and the deleted files have been restored. No reason was given as to why the email accounts were accessed and files and backups were deleted.


Utah Valley Eye Center Hacking Incident Leads to Phishing Attack on Patients

Utah Valley Eye Center in Provo, UT is warning patients that some of their personal information may have been accessed by an unauthorized individual following a security breach of its scheduling reminder portal on June 28, 2018.

The hacker obtained the email addresses of 5,764 patients and sent each a phishing email in an attempt to gain access to PayPal credentials. The emails spoofed PayPal and advised the recipients that they had received a payment.

Upon discovery of the security breach, Utah Valley Eye Center contacted all individuals who had been emailed to warn them about the security breach. No evidence has been uncovered to suggest any other information was accessed or misused, although the hacker would have had access to patient names, addresses, phone numbers, and dates of birth. No personal health or financial information is believed to have been accessed.

Only 5,764 phishing emails were sent, but Utah Valley Eye Center could not determine exactly how many patients had been affected by the breach. According to a recent press release, reported in the Daily Herald, the demographic information of up to 20,000 patients may have been compromised.

The incident has been reported to the Utah Department of Health, the Utah Department of Human Services, and the HHS. Affected individuals have been advised to place a fraud alert on their credit files as a precaution against misuse of their information.

It is currently unclear when the breach was discovered and why it has taken until now for a press release to be issued about the security breach.


Prisma Health Website Breach Potentially Impacts 22,000 Individuals

Prisma Health Midlands is notifying approximately 19,000 patients and 3,000 employees about a data breach involving the Palmetto Health website.

Prisma Health – formerly Palmetto Health – learned on August 29, 2019 that an unauthorized individual had obtained the login credentials of a Prisma Health employee. Those credentials allowed the attacker to access the Palmetto Health website, which contained volunteer registration information and patient pre-registration forms that had been completed online.

Those forms related to 6 Midlands hospitals and contained information such as names, addresses, dates of birth, limited health information and, for certain individuals, their Social Security number. No medical records or financial information were exposed. Prisma Health was not able to determine how long the credentials had been accessible to the attacker.

Upon discovery of the incident, the employee’s password was changed to prevent any further unauthorized access and policies and procedures are being updated to prevent similar breaches in the future. Affected individuals have been notified by mail and individuals whose Social Security number was exposed have been offered complimentary credit monitoring and identity theft protection services for 12 months.

Prisma Health has suffered multiple privacy breaches this year. In April, Prisma Health announced it had been the victim of a phishing attack that saw the email accounts of several employees accessed by an unauthorized individual. The PHI of 23,811 individuals was exposed as a result of the attack. A further privacy breach was announced in July when a notebook containing the PHI of OB/GYN patients from its Richland Campus in Columbia was discovered to have been stolen from a physician’s car. Information on up to 2,770 individuals was recorded in the notebook.

Seattle Cancer Care Alliance Email Error Exposed Patients’ Email Addresses

944 patients of Seattle Cancer Care Alliance (SCCA) have had their email addresses exposed to other patients as a result of an error by a member of staff when sending an August 27, 2019 email invitation.

Rather than adding email addresses to the blind carbon copy (BCC) field, thus shielding the recipients’ email addresses from each other, the email addresses were added to visible fields and could be seen by all individuals who received the email invitation. No other information was disclosed.
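As an added illustration (not code from the post or from SCCA), the following Python builds a bulk patient notification with recipients in Bcc: and runs a pre-send check that flags the error described above: many recipient addresses in a visible header. Addresses and the threshold are constructed assumptions.

```python
# Added example, not part of the original post. Builds a bulk invitation that
# hides recipients from each other, and a pre-send check that catches the
# SCCA-style mistake of listing every recipient in a visible header.
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed placeholder recipients (not real patients).
SAMPLE_RECIPIENTS = [
    "patient1@example.invalid",
    "patient2@example.invalid",
    "patient3@example.invalid",
]


def build_bulk_invitation(sender, recipients, subject, body):
    """Correct form: To: names only the sending mailbox, real recipients go in Bcc:.

    The sending MTA strips Bcc: from delivered copies, so recipients cannot
    see each other's addresses.
    """
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender
    msg["Bcc"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def build_mistaken_invitation(sender, recipients, subject, body):
    """The failure mode: every recipient placed in the visible To: field."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def visible_recipient_count(msg):
    """Count distinct addresses any recipient could see (To: and Cc: only)."""
    raw = [str(msg.get(h, "")) for h in ("To", "Cc")]
    # getaddresses handles "Name <addr>" forms and comma-separated lists.
    addrs = {addr.lower() for _, addr in getaddresses(raw) if addr}
    return len(addrs)


def check_before_send(msg, max_visible=1):
    """Return a list of problems; an empty list means the message may go out.

    max_visible=1 (an assumed policy value) allows ordinary 1:1 mail while
    flagging any message that exposes several recipients to each other.
    """
    problems = []
    n = visible_recipient_count(msg)
    if n > max_visible:
        problems.append(f"{n} recipient addresses visible in To:/Cc: headers")
        if not msg.get("Bcc"):
            problems.append("bulk recipients present but Bcc: header is empty")
    return problems


if __name__ == "__main__":
    sender = "events@example.invalid"
    ok = build_bulk_invitation(sender, SAMPLE_RECIPIENTS, "Invitation", "Please join us.")
    bad = build_mistaken_invitation(sender, SAMPLE_RECIPIENTS, "Invitation", "Please join us.")
    print("correct message:", check_before_send(ok) or "no problems")
    print("mistaken message:", check_before_send(bad))
```
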

SCCA is now evaluating its systems, policies and procedures and safeguards will be implemented to prevent similar breaches in the future. Notification letters were sent to affected patients on October 16, 2019.


Quest Diagnostics $195,000 Class Action Settlement Approved by Federal Judge

Following a November 2016 cyberattack at Quest Diagnostics that resulted in an unauthorized individual accessing and stealing the personal information and medical test results of 34,000 individuals, a class action lawsuit was filed by the breach victims. Quest Diagnostics proposed a $195,000 settlement to resolve the case. The settlement has recently been approved by a U.S. district court judge in New Jersey.

The types of information obtained by the hacker included names, phone numbers, dates of birth, and the results of medical tests, including HIV test results.

The lawsuit alleged that Quest Diagnostics had violated New Jersey laws and had been negligent in failing to safeguard the sensitive health information of its clients, that it had breached its contract with clients, and that it had failed to provide timely notifications to patients informing them about the hacking incident and the theft of their data.

Quest Diagnostics maintains the claims are meritless, but the decision was taken to settle the lawsuit to avoid ongoing litigation and further legal costs. Under the terms of the settlement, all individuals who can demonstrate they have suffered monetary losses as a direct result of the breach will be entitled to claim $250. The payment is intended to compensate individuals for having to take action to secure their accounts and pay for credit monitoring and identity theft protection services.

Any individual whose HIV test results were included in the stolen data will be entitled to claim $75, in addition to the $250 if they have also suffered monetary losses.

Quest Diagnostics has also been named as a co-defendant in several lawsuits filed by victims of the data breach at American Medical Collection Agency (AMCA) earlier this year. The hacking of the AMCA payment portal enabled the attacker to steal the protected health information of more than 26 million individuals, 11,500,000 of whom had received medical tests at Quest Diagnostics and whose PHI had been passed to AMCA for collection.


Improper Disposal Incident at Smith’s Food & Drug Affects Almost 58,000 Patients

Salt Lake City, OH-based Smith’s Food & Drug has announced that the pharmacy records of around 58,000 patients have been disposed of in an improper manner.

The improper disposal incident was discovered by the grocery and drug store chain on August 29, 2019 and affected customers of its store at 4600 East Sunset Road in Henderson, NV.

12 boxes of files containing physical pharmacy records, including prescriptions, were disposed of by a former associate in an improper manner. The records were not shredded, pulped, burned, or pulverized to render them unreadable, indecipherable, and incapable of being reconstructed, as HIPAA requires. The boxes of files were put in the store’s trash compactor along with regular trash.

Since the records are no longer accessible, it was not possible to determine which patients were impacted and the exact types of information that had been exposed. Smith’s Food & Drug has estimated the sensitive information of approximately 57,600 patients was likely contained in the pharmacy records. The types of HIPAA-covered information in the records likely included the full names of patients, along with an address, phone number, date of birth, gender, prescription number, drug name, and third-party payor information. According to a statement issued by Smith’s Food & Drug, the records were 11 or more years old.

While it is unlikely that the records were viewed or obtained by unauthorized individuals, since the records were not disposed of in a secure manner, unauthorized access cannot be ruled out. Smith’s Food & Drug has not received any reports to suggest any patient information has been misused but has advised customers to review their explanation of benefits statements from their health plans and to report any medical services listed that have not been received.

Smith’s Food & Drug is re-educating select associates on company policies and HIPAA Rules concerning the disposal of sensitive information and additional safeguards are being implemented to prevent similar incidents in the future. Smith’s Food & Drug has confirmed that the associate responsible has been terminated.


Report Suggests Augmented Security Following a Data Breach Contributes to Increase in Patient Mortality Rate

Healthcare data breaches lead to a reduction in the quality of care provided to patients, according to a study recently published in Health Services Research.

Researchers analyzed data from Medicare Compare which details quality measures at hospitals. Data from 2012-2016 was analyzed and compared with data from the HHS’ Office for Civil Rights on data breaches of more than 500 records over the same period. The researchers analyzed data on 3,025 Medicare-certified hospitals, 311 of which had experienced a data breach.

According to the study, the time it took from a patient arriving at the hospital to an electrocardiogram being performed increased by up to 2.7 minutes at hospitals that had experienced a data breach. A ransomware attack that prevents clinicians from accessing patient data will limit their ability to provide essential medical services to patients, so a delay in conducting tests and obtaining the results is to be expected. However, the delays were found to continue for months and years after a cyberattack was experienced.

The study showed that 3-4 years after a breach had occurred there were still delays in providing electrocardiograms to patients. The waiting time for an electrocardiogram was found to be up to 2 minutes longer than before the breach occurred.

Hospitals that experienced a data breach also saw an increase in the 30‐day acute myocardial infarction mortality rate. The mortality rate at breached hospitals increased by as much as 0.36%.

The increase in mortality rate has not been attributed to the cyberattack itself, as recovery is usually possible within a few days to a few weeks after a cyberattack. The researchers suggest the delays in providing medical services following a cyberattack are due to the steps hospitals have taken to improve the security of their systems and better protect patient data, along with the increased HHS oversight that occurs after a data breach is experienced. These factors can result in a deterioration in the timeliness of care and patient outcomes.

Following a cyberattack, hospitals augment their security controls to prevent further cyberattacks from succeeding. Those measures include multi-factor authentication, stronger passwords, and other security enhancements. While these additional measures improve the security posture of hospitals and make breaches less likely to occur in the future, they can also impede clinicians.

“Over the past few years, overall improvements in AMI treatment have resulted in the 30‐day AMI mortality rate decreasing about 0.4 percentage points annually from 2012 to 2014,” wrote the researchers. “A 0.23‐0.36 percentage point increase in 30‐day AMI mortality rate after a breach effectively erases a year’s worth of improvement in the mortality rate.”

The researchers suggest hospitals should carefully evaluate the security measures they implement to prevent further breaches to ensure they do not unduly impede clinicians and negatively affect patient outcomes.

The study – Data breach remediation efforts and their implications for hospital quality – was published in the October edition of Health Services Research: DOI: 10.1111/1475-6773.13203.


Betty Jean Kerr People’s Health Centers Ransomware Attack Impacts 152,000 Patients

St Louis, MO-based Betty Jean Kerr People’s Health Centers experienced a ransomware attack on September 2, 2019 that prevented staff at its health centers from accessing certain types of patient, provider, and employee information.

The security incident was detected on September 3 and law enforcement was notified. A ransom demand was received, but the decision was taken not to pay. A third-party IT firm was engaged to assist with recovery, but it has not been possible to recover the encrypted data. The encrypted data is considered to have been permanently lost, unless security researchers develop a decryptor that allows the files to be recovered. No mention has been made of the type of ransomware used in the attack or of whether backup files were also encrypted.

The investigation revealed the following types of information had been encrypted in the attack: patient names, addresses, dates of birth, Social Security numbers, pharmacy data, health insurance information, dental x-rays, and a limited amount of clinical data. Affected patients had received medical services at Betty Jean Kerr People’s Health Centers between 2011 and September 2, 2019. The attack did not affect its electronic medical record system.

Healthcare providers affected by the breach had sought to be credentialed by People’s Health Centers between 2010 and September 2019. Names, addresses, and Social Security numbers provided by those healthcare organizations were also encrypted, as were the names, addresses, and Social Security numbers of individuals employed by People’s Health Centers between 2012 and September 2, 2019.

People’s Health Centers has confirmed that patient data, provider data, and employee information was encrypted, but it was not possible to determine whether the attackers accessed or copied any data during the attack. Those responsible for the attack are believed to be based outside the United States.

In total, up to 152,000 individuals have had their sensitive data exposed. People’s Health Centers is offering 12 months of free credit monitoring services to individuals affected by the breach.


Geisinger Health Plan Notifies Members About Business Associate Phishing Attack

Danville, PA-based Geisinger Health Plan has discovered the protected health information (PHI) of some of its members has been exposed as a result of a suspected phishing attack on one of its business associates, Magellan NIA.

Magellan NIA provides radiology benefits management services to the health plan, which requires access to plan members’ PHI.

Magellan NIA discovered the breach on July 5, 2019 when suspicious activity was detected in the email account of one of its employees. The account was immediately secured to prevent further unauthorized access and misuse and an investigation was launched to determine the extent of the breach. The investigation revealed the account was breached on May 28, and there had been several connections to the account between then and July 5. Those connections were made from a location outside the United States.

Geisinger Health Plan believes the sole purpose of the attack was to gain access to email accounts for the purpose of spamming, rather than to steal sensitive plan member data. However, it was not possible to rule out unauthorized data access and theft of plan member data, so the incident is being classed as a data breach. Affected members have been offered complimentary credit monitoring and identity theft protection services as a precautionary measure.

Magellan NIA has since implemented additional security measures to protect against further phishing attacks, including disabling certain email protocols, implementing Microsoft Password Hash Sync, and establishing geofencing.
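As an added illustration (not code from the post, Geisinger Health Plan, or Magellan NIA), the Python below reviews mailbox sign-in records for the two signals in this incident: successful connections from outside the expected country and use of legacy mail protocols that bypass modern authentication, which is what a geofencing policy and protocol disabling are meant to stop. The record format, field names, protocol list, and the sample records are all constructed assumptions, not a real log schema.

```python
# Added example, not part of the original post. Scans constructed sign-in
# records for foreign-country and legacy-protocol mailbox access so a
# reviewer can see per-account dwell time, as in the Magellan NIA timeline.
import json
from datetime import datetime

# Constructed sample records with assumed field names (not real logs).
SAMPLE_SIGNINS = """
{"ts": "2019-05-27T09:12:00Z", "user": "analyst@example.invalid", "country": "US", "protocol": "Web", "result": "success"}
{"ts": "2019-05-28T03:41:00Z", "user": "analyst@example.invalid", "country": "NG", "protocol": "IMAP4", "result": "success"}
{"ts": "2019-06-02T22:05:00Z", "user": "analyst@example.invalid", "country": "NG", "protocol": "IMAP4", "result": "success"}
{"ts": "2019-06-03T14:20:00Z", "user": "admin@example.invalid", "country": "US", "protocol": "Web", "result": "success"}
{"ts": "2019-06-04T01:00:00Z", "user": "admin@example.invalid", "country": "RU", "protocol": "POP3", "result": "failure"}
"""

# Assumed policy: mail protocols that cannot enforce MFA and should be disabled.
LEGACY_PROTOCOLS = {"IMAP4", "POP3", "Authenticated SMTP"}
# Assumed geofence: countries from which mailbox access is expected.
ALLOWED_COUNTRIES = {"US"}


def parse_signins(text):
    """Parse one JSON object per non-empty line into a list of dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _to_dt(ts):
    # Accept the trailing "Z" on Python versions whose fromisoformat does not.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def find_suspicious_access(records, allowed=ALLOWED_COUNTRIES, legacy=LEGACY_PROTOCOLS):
    """Return {user: summary} for accounts with successful foreign or legacy sign-ins.

    Failed attempts are ignored here; they belong to a separate brute-force check.
    The summary gives first/last suspicious sign-in, countries, protocols and count,
    which is enough to bound how long an account was exposed.
    """
    findings = {}
    for r in records:
        if r["result"] != "success":
            continue
        foreign = r["country"] not in allowed
        uses_legacy = r["protocol"] in legacy
        if not (foreign or uses_legacy):
            continue
        f = findings.setdefault(r["user"], {
            "first": r["ts"], "last": r["ts"], "countries": set(),
            "protocols": set(), "count": 0,
        })
        f["first"] = min(f["first"], r["ts"])  # ISO-8601 UTC strings sort lexically
        f["last"] = max(f["last"], r["ts"])
        if foreign:
            f["countries"].add(r["country"])
        if uses_legacy:
            f["protocols"].add(r["protocol"])
        f["count"] += 1
    for f in findings.values():
        f["dwell_days"] = (_to_dt(f["last"]) - _to_dt(f["first"])).days
    return findings


if __name__ == "__main__":
    for user, f in find_suspicious_access(parse_signins(SAMPLE_SIGNINS)).items():
        print(f"{user}: {f['count']} sign-ins, countries={sorted(f['countries'])}, "
              f"protocols={sorted(f['protocols'])}, exposed {f['dwell_days']} days")
```
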

Geisinger Health Plan says it was informed about the breach on September 24 and was sent a list of affected members on October 3. The business associate has notified affected members directly. Geisinger Health Plan ensured that the notification process was completed correctly and has now terminated its business relationship with the company.

At this stage, no information is available on the number of plan members that have been affected.
