HIPAA Breach News

Truman Medical Centers Notifies 114,466 Patients of Potential PHI Exposure

Truman Medical Centers, the largest provider of inpatient and outpatient services in Kansas City, MO, has discovered the protected health information of 114,466 patients was stored on an unencrypted laptop computer that was stolen from the vehicle of one of its employees.

The laptop was protected with a password, but a login password does not protect data at rest: the password could be cracked, or the drive could simply be removed and read on another machine, so the data on the device has to be treated as accessible. At the time the notifications were issued, Truman Medical Centers had not uncovered any evidence that any patient information had been accessed by unauthorized individuals or misused.

The types of information on the laptop varied from patient to patient and may have included patient names along with one or more of the following types of information: Dates of birth, patient account numbers, medical record numbers, Social Security numbers, health insurance information, and limited medical and treatment information, such as diagnoses, dates of service, and provider names.

The theft occurred on July 18, 2019, but it took until October 29, 2019 to determine that patient information was stored on the device. All individuals whose protected health information was stored on the laptop have now been notified by mail. Individuals whose Social Security number was stored on the device have been offered complimentary credit monitoring and identity protection services.

Employees have been re-educated on portable device security. Additional controls are being installed on employee laptops to enhance security.

Stolen Blackberry Contained the PHI of 2,477 Patients of La Clínica de La Raza, Inc.

La Clínica de La Raza, Inc, a provider of primary health care and other services in Alameda, Contra Costa, and Solano counties in California, has also discovered a portable electronic device has been stolen.

On August 20, 2019, a briefcase containing a La Clínica de La Raza-issued Blackberry device was stolen from an employee’s vehicle. Assisted by a computer forensics firm, La Clínica de La Raza determined on October 16, 2019 that the Blackberry contained the protected health information of 2,477 patients.

The information was found in two emails that had been downloaded onto the device. Those emails contained names, birth dates, medical record numbers, and non-sensitive test results.

While it is possible that the information could be accessed by unauthorized individuals, La Clínica de La Raza said PHI access would have been difficult. Affected patients were notified of the breach by mail on December 13, 2019. Affected individuals have been offered a one year membership to credit monitoring and identity protection services at no cost.

Steps are now being taken to improve the security of portable electronic devices and employees have had training on portable device security reinforced.

The post Truman Medical Centers Notifies 114,466 Patients of Potential PHI Exposure appeared first on HIPAA Journal.

Hackensack Meridian Health Recovering from Ransomware Attack

Hackensack Meridian Health, the largest health network in New Jersey, has announced it experienced a cyberattack last week that saw ransomware deployed on its network. The attack saw files encrypted and took its network offline for two days.

Without access to computer systems and medical records, Hackensack Meridian Health was forced to cancel non-emergency medical procedures and doctors and nurses had to switch to pen and paper to allow care to continue to be provided to patients.

The attack was detected quickly, law enforcement and regulators were immediately notified, and cybersecurity experts were consulted to determine the best course of action. The health network initially announced that it was experiencing external technical issues so as not to interfere with the investigation but confirmed later in the week that the incident was a ransomware attack.

When ransomware is deployed, files need to be restored from backups and systems may need to be rebuilt. That process can take several weeks. In order to prevent continued disruption to patient services, the decision was taken to pay the ransom demand. A spokesperson for Hackensack Meridian Health said, “We believe it’s our obligation to protect our communities’ access to health care.”

The amount of the ransom has not been publicly disclosed but Hackensack Meridian Health did confirm that it holds a cybersecurity insurance policy that will cover some of the cost of the ransom payment and remediation efforts.

Hackensack Meridian Health has confirmed that its main clinical system is now back online and is fully operational, but it may take several days before other parts of its system are brought back online.

Several major ransomware attacks on healthcare organizations and business associates have been announced in the past few weeks. In the past week alone, The Cancer Center of Hawaii announced it was attacked and was forced to postpone radiation therapy for patients. A ransomware attack was also announced by a Colorado business associate which impacted more than 100 dental practices.

In its latest cybersecurity letter, the HHS’ Office for Civil Rights explains how HIPAA compliance can help prevent ransomware attacks and ensure healthcare organizations recover from attacks quickly if hackers succeed in breaching their defenses.


$85,000 Penalty for Korunda Medical for HIPAA Right of Access Failures

The Department of Health and Human Services’ Office for Civil Rights has announced its second enforcement action under its HIPAA Right of Access Initiative. Florida-based Korunda Medical has agreed to settle potential violations of the HIPAA Right of Access and will adopt a corrective action plan and bring its policies and procedures in line with the requirements of the HIPAA Privacy Rule.

In March 2019, OCR received a complaint from a patient who alleged she had not been provided with a copy of her medical records in the requested electronic format despite making repeated requests. The complainant alleged that Korunda Medical refused to send an electronic copy of her medical records to a third party and was overcharging patients for providing copies of their medical records. Under HIPAA, covered entities are only permitted to charge a reasonable, cost-based fee for providing access to patients’ protected health information.

The initial complaint was filed with OCR on March 6, 2019. On March 18, 2019, OCR provided technical assistance to Korunda Medical on the HIPAA Right of Access and closed the complaint. Four days later, a second complaint was received which demonstrated continued noncompliance with the HIPAA Right of Access. On May 8, 2019, OCR advised Korunda Medical that a compliance investigation had been launched. As a result of OCR’s intervention, the complainant was provided with a copy of her medical records free of charge. Continued noncompliance with the HIPAA Right of Access resulted in an $85,000 financial penalty for Korunda Medical.

“For too long, healthcare providers have slow-walked their duty to provide patients their medical records out of a sleepy bureaucratic inertia. We hope our shift to the imposition of corrective actions and settlements under our Right of Access Initiative will finally wake up healthcare providers to their obligations under the law,” said OCR Director, Roger Severino.

The HIPAA Right of Access Initiative is a HIPAA enforcement drive to ensure HIPAA-covered entities are providing patients with copies of their medical records in a timely manner, in the format of their choosing, and without being overcharged. The first enforcement action under this initiative was announced in September 2019. Bayfront Health St Petersburg was also required to pay a financial penalty of $85,000 to resolve HIPAA Right of Access failures.

This is the ninth HIPAA enforcement action of 2019. OCR has settled 8 HIPAA violation cases this year and has issued one civil monetary penalty, with the financial penalties ranging from $10,000 to $3 million. So far in 2019, $12,209,000 has been paid to OCR to resolve HIPAA violations.


Ransomware Attack on The Cancer Center of Hawaii Delayed Radiation Therapy for Patients

On November 5, 2019 The Cancer Center of Hawaii in Oahu was attacked with ransomware. The attack forced the Cancer Center to shut down its network servers, which meant it was temporarily prevented from providing radiation therapy to patients at Pali Momi Medical Center and St. Francis’ hospital in Liliha.

While patient services experienced some disruption, no patient information is believed to have been accessed by the attackers. The forensic investigation into the breach is ongoing but all data stored on its radiology machines has been recovered and its network is now fully operational.

It is unclear for how long its network was down and no information has been released so far on the types of patient information that may have been accessed.

The Cancer Center has notified the FBI about the breach and will report the incident to appropriate authorities, if the forensic investigators confirm that patient data may have been accessed.

The breach was confined to the Cancer Center’s systems. Pali Momi Medical Center and St. Francis’ hospital were unaffected by the attack as their patient data and systems are isolated from the Cancer Center.

Zuckerberg San Francisco General Hospital Alerts Patients to Improper Disposal Incident

1,174 patients of Zuckerberg San Francisco General Hospital are being notified that meal tickets containing a limited amount of their protected health information have been disposed of in an improper manner.

The meal tickets contained patients’ full names, their bed/unit in the hospital, birth month, dietary information, and the menu they received. The tickets should have been disposed of in confidential waste bins but were accidentally disposed of with regular trash.

The breach was due to an employee being unaware that the meal tickets needed to be sent for shredding. The San Francisco Department of Health learned about the improper disposal on November 15, 2019. The employee had been disposing of the meal tickets in regular trash bins between June 18 and November 4. The employee has since been advised of the correct procedures for the disposal of sensitive information.


Patients Notified of Phishing Attack at Cheyenne Regional Medical Center

Cheyenne Regional Medical Center in Wyoming has recently learned that patient information may have been compromised as a result of a phishing attack discovered in April.

The medical center was alerted to a potential security breach following the detection of suspicious activity related to employee payroll accounts on or around April 5, 2019. Around a week later, the medical center learned that employee email accounts had been compromised.

The investigation revealed the attackers had gained access to employee email accounts between March 27, 2019 and April 8, 2019. The aim of the attack appears to have been to access employee payroll information, although patient information contained in email accounts may also have been accessed.

The types of information potentially accessed varied from patient to patient and may have included names, dates of birth, Social Security numbers, driver’s license numbers, dates of service, provider names, medical record numbers, patient identification numbers, medical information, diagnoses, treatment information, and health insurance information. A very small percentage of patients also had financial information or credit card numbers exposed.

The forensic investigation confirmed on August 21, 2019 that patient information was potentially accessed by the hackers, although at that stage of the investigation the full extent of the attack was not known. It took until November 1, 2019 before the medical center obtained a full list of affected patients.

There was a further delay in sending notifications because up-to-date contact information was not held for a significant number of patients. Finding that information took time.

The medical center explained that most patient information is stored in its electronic medical record system, but information is securely exchanged between staff members via email for administrative purposes and for consultations.

Affected patients have now been notified by mail and have been offered complimentary credit monitoring and identity theft protection services through Kroll.

Cheyenne Regional Medical Center should be commended for its thorough explanation of the breach and investigation, and the reason for the 8-month delay sending notifications. All patients want to be notified of any exposure of their personal and health information quickly but will be unaware of the work involved in a breach investigation and how long it can take to find the information necessary to issue notifications. Such a detailed explanation will help patients to understand why it has taken so long to learn about the breach.


Phishing Attacks Reported by Sunrise Community Health and Katherine Shaw Bethea Hospital

Evans, CO-based Sunrise Community Health has discovered the email accounts of several employees were compromised as a result of employees responding to phishing emails. The email accounts were accessed by unauthorized individuals between September 11, 2019 and November 22, 2019.

Assisted by third party computer forensics experts, Sunrise Community Health determined on November 5, 2019 that the compromised email accounts contained the protected health information of certain patients. The types of data present in the email accounts varied from patient to patient and may have included names, dates of birth, Sunrise patient ID numbers, Sunrise provider names, dates of service, types of clinical examinations performed, the results of those examinations, diagnoses, medication names, and names of health insurance carriers.

Sunrise Community Health does not believe the aim of the attack was to obtain patient information, but the possibility of unauthorized data access and data theft could not be ruled out. The attackers appeared to be targeting invoice and payroll information.

The investigation into the attack is continuing but breach notification letters have now been sent to affected individuals. Sunrise Community Health is offering affected patients complimentary credit monitoring and identity theft restoration services.

1,486 Katherine Shaw Bethea Hospital Patients Impacted by Phishing Attack

Katherine Shaw Bethea Hospital in Dixon, IL has discovered an unauthorized individual has gained access to the email account of an employee and potentially obtained a spreadsheet containing the protected health information of 1,486 patients.

The spreadsheet contained names, dates of birth, phone numbers, health insurance carrier names, diagnoses, and clinical information of patients under 18 years of age who had visited the emergency department between November 1, 2018 and May 1, 2019.

Katherine Shaw Bethea Hospital has implemented additional measures to improve email security and all staff members have been provided with further cybersecurity training to help them identify phishing scams.

NYC Health + Hospitals Alerts Patients to Improper Disclosure Incident

NYC Health + Hospitals is alerting patients who received treatment following a motor vehicle accident that some of their protected health information may have been impermissibly disclosed to third parties by an employee.

NYC Health + Hospitals was notified on October 3, 2019 that one of its employees had disclosed patient information to third parties such as law firms between 2016 and November 2019.

NYC Health + Hospitals is assuming that all patients who received treatment at its hospitals and clinics following a motor vehicle accident may have been affected. The investigation into the incident is ongoing and appropriate disciplinary action is being taken against the employee concerned.


Ransomware Attack on Managed Service Provider Impacts More than 100 Dental Practices

A Colorado IT firm that specializes in providing managed IT services to dental offices has been attacked with ransomware. Through the firm’s systems, more than 100 dental practices have also been attacked and have had ransomware deployed.

The attack on Englewood, CO-based Complete Technology Solutions (CTS) commenced on November 25, 2019. According to a report on KrebsonSecurity, CTS was issued with a ransom demand of $700,000 for the keys to unlock the encryption. The decision was taken not to pay the ransom.

To provide IT services to the dental practices, CTS logs on to their systems using a remote access tool. That tool appears to have been abused by the attackers, who used it to reach the systems of all of its clients and deploy Sodinokibi ransomware.
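The one-to-many pattern described above, a single remote-access operator account reaching many client sites in a short period, is detectable from the tool's own session logs. The following is an added example, not code from the page or from CTS: it parses constructed log lines in an assumed format (ISO timestamp, operator account, client site, action) and flags any operator whose session starts span an unusual number of distinct client sites within a short window. The operator names, site names, window and threshold are all assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    when: datetime
    operator: str
    site: str
    action: str


def parse_log(text):
    """Parse lines of the assumed form '<ISO timestamp> <operator> <site> <action>'."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, operator, site, action = line.split()
        events.append(Event(datetime.fromisoformat(ts), operator, site, action))
    return events


def find_fanout(events, window=timedelta(minutes=15), min_sites=5):
    """Return {operator: (distinct_sites, first, last)} for each operator whose
    session_start events reached at least min_sites distinct client sites
    within any window-long period. A technician normally works a handful of
    sites per day; a push to every client within minutes is the pattern of a
    compromised MSP account. Window and threshold are assumed values."""
    by_operator = defaultdict(list)
    for e in events:
        if e.action == "session_start":
            by_operator[e.operator].append(e)

    alerts = {}
    for operator, evs in by_operator.items():
        evs.sort(key=lambda e: e.when)
        best = None
        for i, first in enumerate(evs):
            sites = set()
            last = first
            for e in evs[i:]:
                if e.when - first.when > window:
                    break
                sites.add(e.site)
                last = e
            if len(sites) >= min_sites and (best is None or len(sites) > best[0]):
                best = (len(sites), first.when, last.when)
        if best is not None:
            alerts[operator] = best
    return alerts


def build_sample_log():
    """Constructed sample log (not real data): service account 'svc_rmm' opens
    sessions to 12 client sites in 12 minutes at 02:00, while technician
    'jdoe' visits three sites spread across a working day."""
    lines = []
    night = datetime(2019, 11, 25, 2, 0)
    for n in range(12):
        t = night + timedelta(minutes=n)
        lines.append(f"{t.isoformat()} svc_rmm client-{n:02d} session_start")
        lines.append(f"{(t + timedelta(seconds=20)).isoformat()} svc_rmm client-{n:02d} run_script")
    day = datetime(2019, 11, 25, 9, 0)
    for n, hours in enumerate((0, 3, 6)):
        t = day + timedelta(hours=hours)
        lines.append(f"{t.isoformat()} jdoe client-{n:02d} session_start")
    return "\n".join(lines)


if __name__ == "__main__":
    for operator, (count, first, last) in find_fanout(parse_log(build_sample_log())).items():
        print(f"ALERT {operator}: sessions to {count} distinct sites between {first} and {last}")
```

In the constructed sample only the service account trips the alert; the technician's three sites over six hours never exceed one site per window. In practice the threshold is set from the MSP's own baseline of sites per technician per hour, and the alert should fire on the tool's audit export rather than on endpoint logs, since the endpoints are what the attacker is about to encrypt.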

Some of the dental practices impacted by the attack have been able to recover data from backups, specifically, dental practices that had a copy of their backup data stored securely offsite. Many dental practices are still without access to their data or systems and are turning patients away due to ongoing system outages.

KrebsonSecurity reports that some of those practices are trying to negotiate with the attackers to obtain keys to unlock their own data.

Recovery has been complicated in some cases by the presence of multiple ransom notes and file extensions across a single practice's devices: each note corresponds to a separate key, so paying once unlocked only part of the encrypted data and further payments were needed for further keys. Black Talon Security told KrebsonSecurity that one dental practice had 50 devices encrypted and received more than 20 ransom notes, and had to make multiple payments to recover its records.

The attack is similar to the one that was conducted on the Wisconsin firm PerCSoft, through which around 400 dental offices were attacked with ransomware in August 2019. PerCSoft provides digital data backup services for dental offices. Sodinokibi ransomware was also used in that attack.

It is becoming increasingly common for ransomware gangs to target managed service providers. A single attack on a managed service provider can allow the attackers to attack hundreds of other companies, making the returns far higher.

A recent report by Kaspersky Lab also confirmed that ransomware attackers are targeting backups and Network Attached Storage (NAS) devices to make it much harder for victims to recover their files for free without paying the ransom.

The latest attack shows just how important it is not only to ensure that backups of all critical data are made, but why it is essential for at least one copy of a backup to be stored securely off site, on a non-networked device that is not accessible over the internet.


Southeastern Minnesota Oral & Maxillofacial Surgery Ransomware Attack Impacts 80,000 Patients

Southeastern Minnesota Oral & Maxillofacial Surgery (SEMOMS) has announced it has been attacked with ransomware and that the protected health information of up to 80,000 patients was potentially compromised in the attack.

The attack was detected on September 23, 2019. The IT team responded and isolated the affected server and took steps to restore the encrypted data. It is unclear whether the ransom was paid or if the IT team was able to restore the server from backups.

Assisted by computer forensics experts, SEMOMS determined that the affected server contained names and X-ray images and that the server had been accessed by an unauthorized individual. No evidence was uncovered to suggest any patient information was accessed or exfiltrated by the attackers, but the possibility of unauthorized ePHI access and data theft could not be discounted. Consequently, notification letters have been sent to all individuals whose protected health information was potentially compromised.

Healthcare Administrative Partners Phishing Attack Impacts 17,693 Patients

Healthcare Administrative Partners (HAP), a Media, PA-based provider of medical billing and coding services to healthcare organizations, has discovered the email account of one of its employees was accessed by an unauthorized individual following a response to a phishing email.

The phishing attack was detected on June 26, 2019 when suspicious activity was identified in the employee’s email account. On September 26, 2019, HAP determined that the protected health information of certain clients was present in the email account.

A third-party computer forensics firm was engaged to assist with the breach investigation. It was not possible to determine whether emails and email attachments containing ePHI had been accessed, but the possibility could not be ruled out.

The account contained patients’ names, addresses, dates of birth, medical record numbers, physicians’ names, prescriptions, medical diagnoses, and limited treatment information. HAP notified all affected providers on October 4, 2019.

Steps have now been taken to improve email security. All passwords for email were reset, all external emails are now labelled as external, employees are being provided with additional security awareness training, and mailbox size restrictions and email archiving have been implemented to reduce data exposure in the event of a further attack. HAP is also investigating multi-factor authentication options.
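Mailbox size limits and archiving reduce exposure only to the extent that PHI actually leaves the live mailbox, so measuring that before choosing a retention period is worthwhile. The following is an added example, not code from HAP or from the page: it scans constructed messages for common PHI patterns and reports how many PHI-bearing messages would remain under a given retention period. The message contents, names and identifiers are fictitious, and the MRN format (the letters MRN followed by six to eight digits) is an assumption that would be replaced by the organization's own identifier layout.

```python
import re
from datetime import date, timedelta

# Detection patterns. The SSN form is the standard 3-2-4 layout with the
# never-issued ranges excluded; the MRN form ("MRN" plus 6 to 8 digits) is an
# assumption for this example, not any real organization's format.
PATTERNS = {
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "mrn": re.compile(r"\bMRN[- ]?\d{6,8}\b"),
    "dob": re.compile(r"\b(?:DOB|date of birth)[:\s]+\d{1,2}/\d{1,2}/\d{4}\b", re.IGNORECASE),
}

# Fixed "today" for the constructed sample so results are reproducible.
SAMPLE_TODAY = date(2019, 12, 16)


def find_phi(text):
    """Return {pattern_name: match_count} for each PHI pattern found in text."""
    found = {}
    for name, pattern in PATTERNS.items():
        count = len(pattern.findall(text))
        if count:
            found[name] = count
    return found


def scan_mailbox(messages, today, retention_days):
    """Scan messages (dicts with a 'sent' date, 'subject' and 'body') for PHI.

    Returns (hits, retained): hits lists (sent, subject, findings) for every
    message containing PHI; retained is how many of those would still sit in
    the live mailbox if messages older than retention_days were archived."""
    cutoff = today - timedelta(days=retention_days)
    hits = []
    retained = 0
    for msg in messages:
        findings = find_phi(msg["subject"] + "\n" + msg["body"])
        if not findings:
            continue
        hits.append((msg["sent"], msg["subject"], findings))
        if msg["sent"] >= cutoff:
            retained += 1
    return hits, retained


def build_sample_mailbox(today=SAMPLE_TODAY):
    """Constructed messages with fictitious names and identifiers."""
    def days_ago(n):
        return today - timedelta(days=n)
    return [
        {"sent": days_ago(400), "subject": "Claim follow-up",
         "body": "Patient Jane Roe, MRN 00123456, DOB: 04/12/1961, claim denied."},
        {"sent": days_ago(200), "subject": "Re: payroll",
         "body": "Direct deposit form attached, no patient data."},
        {"sent": days_ago(120), "subject": "Consult request",
         "body": "Please review MRN-4455667 before Thursday's clinic."},
        {"sent": days_ago(30), "subject": "Eligibility check",
         "body": "Verify coverage for SSN 123-45-6789."},
        {"sent": days_ago(2), "subject": "Lunch",
         "body": "Same place as last week?"},
    ]


if __name__ == "__main__":
    mailbox = build_sample_mailbox()
    for days in (365, 90):
        hits, retained = scan_mailbox(mailbox, SAMPLE_TODAY, days)
        print(f"{len(hits)} PHI-bearing messages; {retained} would remain with {days}-day retention")
```

Run against a real mailbox export, the same two numbers show what a retention policy actually buys: the count of PHI-bearing messages an attacker would find today, and the count that would still be there after archiving. Pattern matching of this kind produces false positives and misses PHI that is only in attachments, so it is a sizing tool for the retention decision rather than a substitute for keeping PHI out of email in the first place.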

Elizabeth Family Health Notifies 28,375 Patients About Data Exposure

The Elizabeth, CO-based healthcare provider, Elizabeth Family Health, is notifying 28,375 patients that some of their protected health information has been exposed.

On September 23, 2019, Elizabeth Family Health suffered a break-in and its facilities were vandalized. The perpetrator removed several items from its facilities, including server backup tape cartridges. Those cartridges contained the protected health information of patients, including names, demographic information, and Social Security numbers.

Elizabeth Family Health has not received any reports of misuse of patient information but has mailed affected individuals as a precaution and has provided information on the steps that can be taken to prevent their personal information from being misused.


Kalispell Regional Healthcare Sued Over 130,000-Record Data Breach

Kalispell Regional Healthcare in Montana is being sued over a phishing attack in which hackers gained access to employee email accounts containing the protected health information of almost 130,000 patients.

The compromised email accounts contained patient information such as names, contact information, medical bill account numbers, medical histories, and health insurance information. Approximately 250 individuals also had their Social Security number exposed.

The phishing attack occurred in May 2019, but it was not initially clear which, if any, patients had been affected. It took until August for forensic investigators to determine that patient information had potentially been compromised.

All affected patients were notified, and the health system offered 12 months of free credit monitoring and identity theft protection services to patients whose Social Security numbers had potentially been compromised.

One of the patients whose personal and health information was compromised has now taken legal action over the data breach. The lawsuit was filed in Cascade County District Court in Great Falls, MT on November 25 by attorney John Heenan. Heenan is seeking class action status for the lawsuit.

The lawsuit alleges Kalispell Regional Healthcare failed to take the necessary steps to keep patients’ personal and health information private and confidential, did not abide by best practices and industry standards for securing patient data, and failed to notify patients about the breach in a timely manner. As a result of the alleged failures, the lawsuit claims, patients have been placed at risk of identity theft and fraud.

At the time the lawsuit was filed, it did not appear that Henderson’s personal and health information had been misused; however, he claims that he is at risk of identity theft and fraud, which could occur at any time now that his information is in the hands of hackers.

Patients cannot sue healthcare providers for damages under HIPAA as there is no private cause of action, but it is possible to take legal action in many states over healthcare data breaches, as is the case in Montana.

The Montana Uniform Health Care Information Act allows victims of healthcare data breaches to sue healthcare providers for violations of the Act. The lawsuit alleges Kalispell Regional Healthcare is in violation of the Act.

After it was learned that patient information had potentially been compromised, the health system issued notifications to affected patients and reported the breach to local media outlets in the areas it serves.

Kalispell Regional Healthcare’s director of information technology, Melanie Swenson, explained that “This wasn’t your everyday, average hacker. They were very sophisticated at disguising their tracks.” She also explained that protecting the privacy of patients is a key priority for the health system and that email security solutions had been implemented prior to the attack to block spam and phishing emails. The security solutions were blocking around 50,000 inbound email threats each day. She also stated that CynergisTec had conducted an audit of the health system in 2018 and found it to be in the top 9% of healthcare industry organizations for cybersecurity compliance.

Since the attack, email security has been improved and the health system has increased training for employees to help them recognize phishing attacks and other email threats.
