HIPAA Breach News

Two Maine Healthcare Providers Report Email Security Breaches Impacting 52,000 Patients

InterMed, one of the largest healthcare providers in Southern Maine, has discovered information on up to 30,000 patients has potentially been accessed by an unauthorized individual as a result of a recent email security breach.

On September 6, 2019, InterMed discovered an employee’s email account had been accessed by a third-party without authorization. An independent investigation into the breach revealed the account was compromised on September 4 and a further three employee email accounts were also found to have been compromised between September 7 and September 10, 2019.

Emails and attachments in the compromised accounts contained patient information such as names, dates of birth, clinical information, and health insurance information, and for 155 individuals, Social Security numbers. The breach was limited to email accounts. The electronic medical record system was not accessed. It was not possible to determine whether emails in the account were actually viewed.

The compromised email accounts were immediately secured, and affected patients were notified about the breach on November 5. Individuals whose Social Security number was potentially compromised are being offered complimentary credit monitoring and identity theft protection services. InterMed has said “we are enhancing our adherence to email best practices,” and strengthening security to protect against further attacks.

Sweetser Breach Impacts 22,000 Current and Former Clients

Another Maine healthcare organization has also recently announced an email system breach. Sweetser, a Saco, ME-based provider of mental health services, discovered a potential email account breach on June 24, 2019 when suspicious activity was identified in the account. Assisted by a digital forensics company, the breach was confirmed as affecting other employee email accounts, which were accessed by an unauthorized individual between June 18 and June 27, 2019.

Sweetser said it was informed on September 10, 2019 that one or more of the compromised email accounts contained patient information. The incident was reported to the Department of Health and Human Services’ Office for Civil Rights on September 13, 2019 as affecting 22,000 patients. Sweetser announced the breach and started sending patient notification letters on October 25, 2019.

The types of information in the email accounts varied from patient to patient and may have included names, addresses, telephone numbers, dates of birth, health insurance information, Social Security numbers, identification numbers, driver's license numbers, Medicare/Medicaid information, payment/claims information, diagnosis codes, and information on patients' medical conditions and treatments.

Individuals whose Social Security number was potentially compromised are being offered complimentary credit monitoring and identity theft protection services.

The post Two Maine Healthcare Providers Report Email Security Breaches Impacting 52,000 Patients appeared first on HIPAA Journal.

Texas Health Resources Reports Data Breach Affecting 82,577 Patients

82,577 patients of Texas Health Resources have had some of their health information impermissibly disclosed as a result of a misconfiguration of its billing system.

Texas Health Resources is one of the largest faith-based health systems in the United States and the largest in North Texas, with facilities in 16 counties serving more than 7 million patients.

On August 23, 2019, Texas Health Resources learned that an error in its billing system had caused patient information to be matched with the wrong guarantors, so that mailings were sent to incorrect patients or their guarantors. The error was introduced on July 19, 2019 and affected mailings sent up to September 4, 2019.

An investigation was launched to determine which individuals had been affected and the types of patient information that had been impermissibly disclosed. The investigation revealed the following types of information were included in the mailings and had been sent to incorrect individuals: name, service date, account number, names of treating physicians, name of health insurer, amount owed, and in some cases, a short description of the services received. Highly sensitive information such as Social Security numbers, financial information, and health insurance numbers was not involved. Affected individuals were notified by mail on October 22.

Texas Health Resources has taken steps to prevent similar errors from occurring in the future and has enhanced its data security procedures.

The impermissible disclosure has been reported to the Department of Health and Human Services’ Office for Civil Rights in 15 separate breach reports, one for each of the facilities affected.

The affected hospitals are listed below:

Affected hospital                                           Individuals affected
--------------------------------------------------------------------------------
Texas Health Harris Methodist Hospital Fort Worth                         14,881
Texas Health Presbyterian Hospital Dallas                                 12,415
Texas Health Presbyterian Hospital Plano                                   9,678
Texas Health Harris Methodist Hospital Southwest Fort Worth                7,478
Texas Health Presbyterian Hospital Denton                                  6,688
Texas Health Arlington Memorial                                            6,187
Texas Health Harris Methodist Hospital Hurst-Euless-Bedford                4,804
Texas Health Presbyterian Hospital Rockwall                                4,789
Texas Health Harris Methodist Hospital Alliance                            3,784
Texas Health Presbyterian Hospital Allen                                   2,993
Texas Health Harris Methodist Hospital Cleburne                            2,737
Texas Health Harris Methodist Hospital Kaufman                             2,157
Texas Health Harris Methodist Hospital Azle                                2,113
Texas Health Harris Methodist Hospital Stephenville                        1,348
Texas Health Harris Methodist Southlake                                      525
--------------------------------------------------------------------------------
Total                                                                     82,577

Rosenbaum Dental Group Breach Notification Error Prompts Further Notifications

Florida-based Rosenbaum Dental Group discovered malware had been downloaded onto its systems that potentially gave unauthorized individuals access to the PHI of around 1,200 patients. Affected individuals were notified about the breach on July 1, 2019; however, the breach notifications were sent on postcards rather than in sealed letters, so anyone who handled or saw a postcard could identify the recipient as a patient of Rosenbaum Dental Group.

In a recent press release, Rosenbaum Dental Group issued an apology about the error and potential HIPAA breach and has confirmed that notification letters are now being sent to advise patients about the error. Affected individuals are being offered one year of complimentary credit monitoring services as a precaution.

Brooklyn Hospital Center Malware Attack Results in Loss of Patients’ Health Records

Brooklyn Hospital Center in New York has announced that a security breach occurred in late July 2019 that resulted in malware being installed on some of the hospital’s servers.

The attack was discovered promptly, and steps were taken to limit the harm caused; however, it was not possible to prevent certain files from being encrypted.

A third-party digital forensics firm was retained to assess the nature and extent of the malware attack and assist with the recovery of encrypted files. On September 4, following ‘exhaustive efforts’ to recover the encrypted files, it was determined that certain patient information was unrecoverable.

Entire medical records have not been lost, but some patients’ dental and cardiac images could not be restored. The hospital is currently conducting a review to determine which patients have been affected and those individuals will be notified in due course. As is often the case with ransomware attacks such as this, the goal of the attackers appears to have been to extort money from the hospital rather than gain access to patient information. No reports of misuse of patient information have been received and the forensic investigation uncovered no evidence to suggest the attackers accessed or exfiltrated patient information.

Brooklyn Hospital Center already had stringent security controls in place to prevent cyberattacks, although in this instance those controls were circumvented by the attackers. Policies, procedures, and existing security protocols are under review and security controls will be enhanced to prevent further breaches of this nature from occurring in the future.

Unauthorized PHI Access and Use Discovered by Washington University School of Medicine

Washington University School of Medicine (WUSM) has discovered an employee’s personal laptop computer was used by an unauthorized individual to access a WUSM email account which contained the protected health information of certain patients of the Department of Ophthalmology and Visual Sciences.

The unauthorized individual, who had a personal relationship with the employee, accessed the email account between April 29, 2019 and September 3, 2019. A forensic investigation was conducted by a third-party firm to determine what information was contained in the account and could have been accessed. The investigation revealed information in emails and email attachments included patients’ names, medical record numbers, dates of birth, provider names, and limited treatment and clinical information, such as diagnoses and prescription information. The Social Security numbers and health insurance information of certain patients were also potentially compromised.

It was not possible to determine which emails and attachments had been opened, so the decision was taken to notify all individuals whose protected health information was potentially compromised. Any individual who had their Social Security number exposed has been offered complimentary credit monitoring and identity theft protection services.

The breach came to light on September 3, 2019 following reports that certain patients had been sent a letter about an employee of the Ophthalmology Department. The subsequent investigation led to the discovery of the security breach. It is unclear why those individuals were contacted.

WUSM has since implemented additional security enhancements and has re-educated employees on password best practices.

The incident has yet to appear on the Department of Health and Human Services’ Office for Civil Rights’ breach portal, so it is currently unclear how many patients have been affected.

California Mental Health Services Provider Discovers Unauthorized Email Account Access and File Deletion

The Guidance Center (TGC), a nonprofit provider of mental health care services to disadvantaged children and their families in Long Beach, Compton, San Pedro, and Avalon in California, has discovered a breach of its digital environment.

In a breach notification letter to the California Attorney General, Xavier Becerra, TGC’s counsel explained that unusual activity was detected within TGC’s digital environment in late March 2019. Staff had reported that files and backups appeared to be missing. An internal investigation was launched which concluded the files had been deleted. Further investigation also showed that a TGC computer had been reconfigured to allow it to be remotely accessed.

TGC believes the change to the computer and deletion of files was most likely the work of a former employee. The matter was reported to both the Long Beach Police Department and the FBI, and the individual suspected of the illegal access was sent a cease and desist letter by TGC’s attorney on March 30, 2019. Following that letter, all further unauthorized access stopped.

On April 19, 2019, TGC engaged a digital forensics company to determine whether any patient information had been accessed without authorization. No evidence of unauthorized PHI access or data exfiltration was discovered; however, certain employee email accounts had been accessed remotely.

According to the substitute breach notification letter on the TGC website, TGC learned on September 19, 2019 that some sensitive information was contained in those email accounts. It took some time to determine which clients had been affected and to find up to date contact information for those individuals. Breach notification letters were sent on October 25, 2019.

In total, the protected health information of 1,235 current and former clients was detailed in the email accounts and could therefore have been accessed, although no evidence of unauthorized PHI access was discovered.

The information in the accounts was limited to names, addresses, dates of birth, health insurance/claims information, medical information and, for a limited number of patients, Social Security numbers.

All individuals whose Social Security number was exposed have been offered 12 months of complimentary credit monitoring services. Additional security controls have now been implemented to prevent any similar incidents from occurring in the future and the deleted files have been restored. No reason was given as to why the email accounts were accessed and files and backups were deleted.

Utah Valley Eye Center Hacking Incident Leads to Phishing Attack on Patients

Utah Valley Eye Center in Provo, UT is warning patients that some of their personal information may have been accessed by an unauthorized individual following a security breach of its scheduling reminder portal on June 28, 2018.

The hacker obtained the email addresses of 5,764 patients and sent each a phishing email in an attempt to gain access to PayPal credentials. The emails spoofed PayPal and advised the recipients that they had received a payment.

Upon discovery of the security breach, Utah Valley Eye Center contacted all individuals who had been emailed to warn them about the security breach. No evidence has been uncovered to suggest any other information was accessed or misused, although the hacker would have had access to patient names, addresses, phone numbers, and dates of birth. No personal health or financial information is believed to have been accessed.

Only 5,764 phishing emails were sent, but Utah Valley Eye Center could not determine exactly how many patients had been affected by the breach. According to a recent report in the Daily Herald, the demographic information of up to 20,000 patients may have been compromised.

The incident has been reported to the Utah Department of Health, the Utah Department of Human Services, and the HHS. Affected individuals have been advised to place a fraud alert on their credit files as a precaution against misuse of their information.

It is currently unclear when the breach was discovered and why it has taken until now for a press release to be issued about the security breach.

Prisma Health Website Breach Potentially Impacts 22,000 Individuals

Prisma Health Midlands is notifying approximately 19,000 patients and 3,000 employees about a data breach involving the Palmetto Health website.

Prisma Health – formerly Palmetto Health – learned on August 29, 2019 that an unauthorized individual had obtained the login credentials of a Prisma Health employee. Those credentials allowed the attacker to access the Palmetto Health website, which contained volunteer registration information and patient pre-registration forms that had been completed online.

Those forms related to 6 Midlands hospitals and contained information such as names, addresses, dates of birth, limited health information and, for certain individuals, their Social Security number. No medical records or financial information were exposed. Prisma Health was not able to determine how long the attacker had been in possession of the credentials.

Upon discovery of the incident, the employee’s password was changed to prevent any further unauthorized access and policies and procedures are being updated to prevent similar breaches in the future. Affected individuals have been notified by mail and individuals whose Social Security number was exposed have been offered complimentary credit monitoring and identity theft protection services for 12 months.

Prisma Health has suffered multiple privacy breaches this year. In April, Prisma Health announced it had been the victim of a phishing attack that saw the email accounts of several employees accessed by an unauthorized individual. The PHI of 23,811 individuals was exposed as a result of the attack. A further privacy breach was announced in July when a notebook containing the PHI of OB/GYN patients from its Richland Campus in Columbia was discovered to have been stolen from a physician’s car. Information on up to 2,770 individuals was recorded in the notebook.

Seattle Cancer Care Alliance Email Error Exposed Patients’ Email Addresses

944 patients of Seattle Cancer Care Alliance (SCCA) have had their email addresses exposed to other patients as a result of an error by a member of staff when sending an August 27, 2019 email invitation.

Rather than adding email addresses to the blind carbon copy (BCC) field, thus shielding the recipients’ email addresses from each other, the email addresses were added to visible fields and could be seen by all individuals who received the email invitation. No other information was disclosed.

SCCA is now evaluating its systems, policies and procedures and safeguards will be implemented to prevent similar breaches in the future. Notification letters were sent to affected patients on October 16, 2019.
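The safeguard the SCCA incident calls for is a check on outbound mail before it leaves the organization. The following Python is an added example, not code from SCCA or HIPAA Journal: it parses a raw message with the standard library and flags any message whose To and Cc headers expose more than a configurable number of recipient addresses, which is the condition that would have caught the August 27 invitation. The 12 patient addresses, the sender address and the threshold of 10 are constructed for the example.

```python
import email
from email.utils import getaddresses

# Assumed policy threshold: a message exposing more addresses than this in
# To/Cc is treated as a bulk mailing that should have used Bcc.
MAX_VISIBLE_RECIPIENTS = 10


def visible_recipients(raw_message: str) -> list[str]:
    """Return the addresses every recipient can see: those in To and Cc.

    Bcc is deliberately ignored; a mail server strips that header before
    delivery, so addresses placed there are never shown to other recipients.
    """
    msg = email.message_from_string(raw_message)
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    seen = []
    for _display_name, addr in getaddresses(headers):
        addr = addr.strip().lower()
        if addr and addr not in seen:
            seen.append(addr)
    return seen


def check_recipient_exposure(raw_message: str,
                             max_visible: int = MAX_VISIBLE_RECIPIENTS) -> dict:
    """Decide whether a message should be held at the gateway.

    Returns the visible recipient count and a 'block' verdict so the caller
    can quarantine the message and tell the sender to resend using Bcc.
    """
    visible = visible_recipients(raw_message)
    return {
        "visible_count": len(visible),
        "block": len(visible) > max_visible,
        "visible": visible,
    }


# Constructed sample data: 12 fictitious patient addresses, not real data.
PATIENTS = [f"patient{i:02d}@example.com" for i in range(1, 13)]

# The mistake in the SCCA incident: every invitee placed in the To field.
BULK_TO_MESSAGE = (
    "From: events@example.org\n"
    f"To: {', '.join(PATIENTS)}\n"
    "Subject: Patient event invitation\n"
    "\n"
    "You are invited.\n"
)

# The correct form: the sender addresses itself and puts the invitees in Bcc.
BCC_MESSAGE = (
    "From: events@example.org\n"
    "To: events@example.org\n"
    f"Bcc: {', '.join(PATIENTS)}\n"
    "Subject: Patient event invitation\n"
    "\n"
    "You are invited.\n"
)

if __name__ == "__main__":
    for label, raw in (("To-field bulk mail", BULK_TO_MESSAGE),
                       ("Bcc mail", BCC_MESSAGE)):
        result = check_recipient_exposure(raw)
        verdict = "BLOCK" if result["block"] else "allow"
        print(f"{label}: {result['visible_count']} visible recipients -> {verdict}")
```

In practice this check runs as a milter or transport rule on the outbound mail server rather than in a script, and the held message is returned to the sender with instructions to resend using Bcc; the threshold is a policy decision, and a lower one is appropriate for mailboxes that routinely correspond with patients.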

Quest Diagnostics $195,000 Class Action Settlement Approved by Federal Judge

Following a November 2016 cyberattack at Quest Diagnostics in which an unauthorized individual accessed and stole the personal information and medical test results of 34,000 individuals, a class action lawsuit was filed by the breach victims. Quest Diagnostics proposed a $195,000 settlement to resolve the case. The settlement has recently been approved by a U.S. district court judge in New Jersey.

The types of information obtained by the hacker included names, phone numbers, dates of birth, and the results of medical tests, including HIV test results.

The lawsuit alleged that Quest Diagnostics had violated New Jersey laws, had been negligent in failing to safeguard the sensitive health information of its clients, had breached its contract with clients, and had failed to provide timely notifications informing patients about the hacking incident and the theft of their data.

Quest Diagnostics maintains the claims are meritless, but the decision was taken to settle the lawsuit to avoid ongoing litigation and further legal costs. Under the terms of the settlement, all individuals who can demonstrate they have suffered monetary losses as a direct result of the breach will be entitled to claim $250. The payment is intended to compensate individuals for having to take action to secure their accounts and pay for credit monitoring and identity theft protection services.

Any individual whose HIV test results were included in the stolen data will be entitled to claim $75, in addition to the $250 if they have also suffered monetary losses.

Quest Diagnostics has also been named as a co-defendant in several lawsuits filed by victims of the data breach at American Medical Collection Agency (AMCA) earlier this year. The hacking of the AMCA payment portal enabled the attacker to steal the protected health information of more than 26 million individuals, 11,500,000 of whom had received medical tests at Quest Diagnostics and whose PHI had been passed to AMCA for collection.

Improper Disposal Incident at Smith’s Food & Drug Affects Almost 58,000 Patients

Salt Lake City, UT-based Smith's Food & Drug has announced that the pharmacy records of around 58,000 patients have been disposed of in an improper manner.

The improper disposal incident was discovered by the grocery and drug store chain on August 29, 2019 and affected customers of its store at 4600 East Sunset Road in Henderson, NV.

12 boxes of files containing physical pharmacy records, including prescriptions, were disposed of by a former associate in an improper manner. The records were not shredded, pulped, burned, or pulverized to render them unreadable, indecipherable, and incapable of being reconstructed, as HIPAA requires. Instead, the boxes of files were put in the store's trash compactor along with regular trash.

Since the records are no longer accessible, it was not possible to determine which patients were impacted and the exact types of information that had been exposed. Smith’s Food & Drug has estimated the sensitive information of approximately 57,600 patients was likely contained in the pharmacy records. The types of HIPAA-covered information in the records likely included the full names of patients, along with an address, phone number, date of birth, gender, prescription number, drug name, and third-party payor information. According to a statement issued by Smith’s Food & Drug, the records were 11 or more years old.

While it is unlikely that the records were viewed or obtained by unauthorized individuals, since the records were not disposed of in a secure manner, unauthorized access cannot be ruled out. Smith’s Food & Drug has not received any reports to suggest any patient information has been misused but has advised customers to review their explanation of benefits statements from their health plans and to report any medical services listed that have not been received.

Smith's Food & Drug is re-educating select associates on company policies and HIPAA Rules concerning the disposal of sensitive information, and additional safeguards are being implemented to prevent similar incidents in the future. Smith's Food & Drug has confirmed that the associate responsible has been terminated.

Report Suggests Augmented Security Following a Data Breach Contributes to Increase in Patient Mortality Rate

Healthcare data breaches lead to a reduction in the quality of care provided to patients, according to a study recently published in Health Services Research.

Researchers analyzed data from Medicare Compare, which details quality measures at hospitals. Data from 2012-2016 was analyzed and compared with data from the HHS' Office for Civil Rights on data breaches of 500 or more records over the same period. The researchers analyzed data on 3,025 Medicare-certified hospitals, 311 of which had experienced a data breach.

According to the study, the time from a patient arriving at the hospital to an electrocardiogram being performed increased by up to 2.7 minutes at hospitals that had experienced a data breach. A ransomware attack that prevents clinicians from accessing patient data will limit their ability to provide essential medical services, so a delay in conducting tests and obtaining the results is to be expected while systems are down. However, the delays were found to persist for months and years after a cyberattack was experienced.

The study showed that 3-4 years after a breach had occurred there were still delays in providing electrocardiograms to patients. The waiting time for an electrocardiogram was found to be up to 2 minutes longer than before the breach occurred.

Hospitals that experienced a data breach also saw an increase in the 30‐day acute myocardial infarction mortality rate. The mortality rate at breached hospitals increased by as much as 0.36%.

The increase in mortality rate has not been attributed to the cyberattack itself, as recovery is usually possible within a few days to a few weeks after a cyberattack. The researchers suggest the delays in providing medical services following a cyberattack are due to the steps hospitals have taken to improve the security of their systems and better protect patient data, along with the increased HHS oversight that occurs after a data breach is experienced. These factors can result in a deterioration in the timeliness of care and patient outcomes.

Following a cyberattack, hospitals augment their security controls to prevent further cyberattacks from succeeding. Those measures include multi-factor authentication, stronger passwords, and other security enhancements. While these additional measures improve the security posture of hospitals and make breaches less likely to occur in the future, they can also impede clinicians.

“Over the past few years, overall improvements in AMI treatment have resulted in the 30‐day AMI mortality rate decreasing about 0.4 percentage points annually from 2012 to 2014,” wrote the researchers. “A 0.23‐0.36 percentage point increase in 30‐day AMI mortality rate after a breach effectively erases a year’s worth of improvement in the mortality rate.”

The researchers suggest hospitals should carefully evaluate the security measures they implement to prevent further breaches to ensure they do not unduly impede clinicians and negatively affect patient outcomes.

The study – Data breach remediation efforts and their implications for hospital quality – was published in the October edition of Health Services Research: DOI: 10.1111/1475-6773.13203.