HIPAA Breach News

Ramsey County Expands 2018 Phishing Attack Victim Count from 599 to 117,905

Ramsey County has discovered an August 2018 phishing attack has impacted far more individuals than initially thought. The victim count has been increased from 599 to 117,905.

The initial breach report stated the email accounts of 26 employees were compromised in a phishing attack on or around August 9. The attack was identified promptly and the affected accounts were secured. The individuals responsible conducted the attack in order to re-route employees’ paychecks.

The initial investigation, conducted with assistance from a data security firm, concluded on October 12, 2018 that the attackers would have been able to access sensitive information contained in the compromised accounts. The accounts were discovered to contain clients’ names, addresses, dates of birth, Social Security numbers, and limited medical information.

Ramsey County reported the breach to the HHS’ Office for Civil Rights on December 11, 2018 and notified affected clients. The initial breach report indicated 599 clients had been affected. Nine months on, Ramsey County has announced that 117,905 individuals have had their personal and health data exposed.

On or around May 21, 2019, County officials learned that the email accounts of two of the 26 employees contained ‘limited amounts’ of health information related to services provided to the Minnesota Department of Human Services under the Child & Teen Checkups program and the support provided to the St. Paul-Ramsey County Public Health Department.

The information contained in those accounts includes names, addresses, dates of birth, patient identifiers, appointment dates, appointment types, patient master index numbers, household identification numbers, and the names of patients’ representatives. Social Security numbers, diagnoses, treatment and prescription information were not exposed. No evidence of data theft was uncovered, and no reports have been received indicating there has been any misuse of patient information.

Ramsey County had issued an update about the breach on July 1, 2019 stating a further 4,638 individuals had been affected and 3,272 additional notifications were sent. Ramsey County has said that in total, 116,255 breach notification letters have now been sent.

Under HIPAA, covered entities are required to notify OCR of a breach within 60 days of discovery. If the number of affected individuals is not known at the time, a provisional total can be provided. The breach report can then be updated when further information becomes available.

Breach investigations can take several months to complete, as the full extent of a cyberattack may not initially be apparent. In this case, the investigation was complicated because several of the employees whose email accounts were compromised provided services to multiple departments within the County. Ramsey County said that made it difficult to fully evaluate all the information in the compromised accounts.

The post Ramsey County Expands 2018 Phishing Attack Victim Count from 599 to 117,905 appeared first on HIPAA Journal.

Shore Specialty Consultants Pulmonology Group Breach Impacts 9,700 Patients

New Jersey-based Shore Specialty Consultants Pulmonology Group (SSCPG) is notifying 9,700 patients that some of their protected health information (PHI) has potentially been subjected to unauthorized access as a result of a recent security breach.

On July 8, 2019, SSCPG discovered a hacker gained access to a network server containing patient information. The breach was detected within a day and the server was secured. A forensic investigation of the breach did not uncover any evidence to suggest patient information was accessed or stolen, but the possibility could not be ruled out.

The compromised server contained the PHI of patients who had previously participated in sleep studies at SSCPG. Highly sensitive information such as Social Security numbers, health insurance information and financial information were not exposed. The breach was limited to patients’ names, dates of birth, details of the care received at SSCPG, and some information relating to the sleep study.

The breach prompted SSCPG to conduct a review of its policies and procedures and additional security measures are being implemented. Employees have also been provided with further training.

Little Rock Plastic Surgery Notifies Patients of Internal HIPAA Breach

Little Rock Plastic Surgery (LRPS) in Arkansas has discovered a former nurse downloaded and stole the PHI of several patients.

LRPS discovered the HIPAA breach on July 15, 2019. The investigation revealed the former employee accessed the clinic’s vendor accounts without authorization in order to obtain patient information related to treatments and appointment dates. Reports, photos, and other files containing PHI were downloaded and removed from LRPS by the nurse.

LRPS has taken steps to ensure the stolen information is returned or permanently destroyed. The incident has also been reported to the Department of Health and Human Services’ Office for Civil Rights, the Arkansas Attorney General’s office, and the Arkansas Board of Nursing. Affected patients have been notified by mail.

Fedcap Breach Impacts 2,158 Patients

Fedcap Rehabilitation, a New York-based provider of vocational training and employment resources, is alerting 2,158 current and former clients about a recent security breach.

Fedcap officials launched an investigation following the discovery of a fraudulent wire transfer. On May 28, 2019, Fedcap officials confirmed that an unauthorized individual gained access to the email accounts of seven employees.

The breach investigation revealed the accounts were compromised between September 20, 2018 and January 27, 2019. While the aim of the attack was to steal money from Fedcap, it is possible that the attacker gained access to sensitive client information in the compromised email accounts.

An analysis of the compromised accounts has now been completed. Affected patients were notified on August 29, 2019 that the following types of information were potentially accessed or stolen: names, birth dates, Social Security numbers, passport numbers, driver’s license numbers, account/routing numbers, payment card information, diagnoses, medications, treatment information, medical histories, healthcare provider names, service dates, health insurance information, and group numbers.

To date, Fedcap has not received any reports to suggest any client information has been misused. The breach prompted Fedcap to implement multi-factor authentication on all email accounts and additional procedures have been implemented to strengthen its security processes.

Affected clients have been advised to review their financial accounts, insurance, and explanation of benefits statements for fraudulent activity.


Phishing Incidents Reported by Fraser and East Central Indiana School Trust

East Central Indiana School Trust (ECIST) has started notifying more than 3,200 individuals that some of their protected health information (PHI) has been exposed as a result of a recent phishing attack.

On May 19, 2019, an employee was fooled into disclosing email account credentials which were used by the attacker to gain access to that individual’s email account. The breach was detected on May 22, 2019 and the account was secured.

A third-party computer forensics company was retained to investigate the breach and determine whether patient information was compromised or stolen in the attack. The forensics firm did not uncover any evidence to suggest emails in the account were opened or downloaded by the attacker, but the possibility of unauthorized data access and theft could not be ruled out.

The compromised email account contained information such as employees’ and dependents’ names, dates of birth, Social Security numbers, driver’s license numbers, prescription details, health insurance information, and some medical information.

The breach has been reported to the HHS’ Office for Civil Rights as potentially impacting up to 3,259 employees of trust members and their dependents.

PHI Exposed in Fraser Phishing Attack

Fraser, a Minnesota-based provider of autism and early childhood mental health services, experienced a phishing attack on August 6, 2019 involving a single employee’s email account.

The attack was identified promptly and the compromised email account was secured within a few hours. Fraser launched an investigation into the breach and, assisted by its IT vendors, determined that the attacker potentially accessed client information.

The compromised email account contained a Fraser waitlist spreadsheet that detailed clients’ names, internal ID numbers, home cities, ZIP codes, notes about scheduling preferences, and details of the services for which clients were being referred.

Fraser is reviewing and updating its procedures for the internal exchange of client information, and its systems will continue to be monitored closely to ensure that its security controls are working correctly.

The HHS’ Office for Civil Rights breach portal indicates 2,890 individuals have potentially been affected by the breach.


Utah Ransomware Attack Impacts 320,000 Patients

The Utah physician group, Premier Family Medicine, is notifying 320,000 patients that some of their protected health information has potentially been compromised as a result of a recent ransomware attack.

The attack occurred on July 8, 2019 and temporarily prevented access to patient data and certain systems. According to the August 30, 2019 breach notice on its website, the physician group notified law enforcement and engaged the services of technical consultants to investigate the breach and regain access to its systems and patient data. It is unclear whether the ransom demand was paid. The breach affected all ten of its Utah County locations.

“Even though our investigation has found no reason to believe patient information was accessed or taken, we are very concerned that this event even occurred and have taken steps to further enhance the security of our systems,” said Premier Family Medicine chief administrator, Robert Edwards.

Community Psychiatric Clinic Breaches Impact 15,537 Patients

Community Psychiatric Clinic, a provider of mental health services in Seattle, WA, has experienced three email security breaches that have affected a total of 15,537 patients.

Sound, a Washington provider of mental health and addiction treatment services, has recently announced it is combining its services with those of Community Psychiatric Clinic. The merger is expected to be completed in the fall of 2019.

Currently, limited information is available on the breaches. No press releases appear to have been issued and there is no mention of the breaches on the Sound website. The Department of Health and Human Services’ Office for Civil Rights’ breach portal lists three separate incidents, all reported on August 15, 2019. Those incidents affected 3,030, 6,641, and 5,866 patients.

HIPAA Journal contacted Sound requesting further information on the incident(s), but no response has been received to date. Further information on the Community Psychiatric Clinic breach will be posted here as and when it becomes available.

Alive Hospice Breach Notification Breaches Further Patient Information

Tennessee-based Alive Hospice experienced a data breach earlier this year which warranted notifications to affected patients. Those notifications were sent on July 3, 2019; however, a mail merge error caused letters to be sent to incorrect recipients.

The letters did not contain any patient information other than the name of the intended recipient. Anyone receiving the letter would know that the intended recipient was a patient of the Alive Hospice.

Alive Hospice has notified all affected individuals by mail and steps have been taken to prevent similar mailing errors in the future. It is currently unclear how many patients have been affected.


OCR Settles First HIPAA Violation Case Under 2019 Right of Access Initiative

Earlier this year, the Department of Health and Human Services’ Office for Civil Rights (OCR) announced that one of the main areas of HIPAA enforcement in 2019 would be HIPAA right of access failures, including untimely responses to access requests and overcharging for copies of medical records.

The HIPAA right of access allows patients to obtain copies of their medical records on request. HIPAA-covered entities are required to honor those requests and provide patients with access to PHI or copies of health data contained in a ‘designated record set’ within 30 days of the request being received. A covered entity is permitted to charge a reasonable, cost-based fee for providing a copy of the individual’s PHI, which can include the cost of certain labor, supplies and postage.

HIPAA-covered entities that fail to provide copies of records in a reasonable time frame, or that charge excessive amounts for providing a copy of a patient’s PHI, are in violation of the HIPAA Privacy Rule (see 45 CFR 164.501). Such violations can attract a sizable financial penalty.

This week, OCR has announced that the first settlement has been reached with a HIPAA-covered entity under the right of access initiative. Bayfront Health St. Petersburg, a 480-bed hospital in St. Petersburg, FL, has agreed to pay OCR $85,000 to settle the case.

OCR launched an investigation into a potential HIPAA violation at Bayfront Health following receipt of a complaint from a patient on August 14, 2018. The patient alleged that she had requested her fetal heart monitor records from Bayfront Health St. Petersburg in October 2017. At the time of the complaint, 9 months after the request was made, she had still not been provided with a full copy of her records.

OCR confirmed that the patient made the request on October 18, 2017 and was informed by Bayfront Health that the records could not be found. Two further requests were sent to Bayfront Health by the patient’s counsel on January 2, 2018 and February 12, 2018. In March 2018, Bayfront Health provided an incomplete set of records and a complete response was only received on August 23, 2018. The patient’s counsel shared the records with the patient, but it took the intervention of OCR for the fetal heart monitor records to be provided to the patient. Those records were provided directly to the patient on February 7, 2019.

OCR determined that the failure to provide access to the patient’s designated record set was a clear violation of 45 C.F.R. § 164.524 and that the HIPAA violation warranted a sizable financial penalty.

“Providing patients with their health information not only lowers costs and leads to better health outcomes, it’s the law,” said OCR Director Roger Severino. “We aim to hold the health care industry accountable for ignoring peoples’ rights to access their medical records and those of their kids.”

In addition to the financial penalty, Bayfront Health has agreed to implement a corrective action plan and will be monitored by OCR for the following 12 months.


Community Psychiatric Clinic and Metro Mobility Data Breaches Impact 30,000 Patients


Metro Mobility Email Account Breach Impacts 15,000 Individuals

Metro Mobility, a transport service for people with disabilities in the Twin Cities region, has discovered the email account of an employee has been subjected to unauthorized access.

The email account breach was discovered on August 14, 2019 and the compromised account was immediately secured. The forensic investigation of the breach revealed the email account was compromised on June 13, 2019.

The compromised email account was discovered to contain the protected health information of approximately 15,000 patients. The breach involved patient names, collection/drop-off addresses, dates and times of rides, and any special instructions provided to Metro Mobility drivers regarding the collections and drop-offs.

The forensic investigation did not uncover any evidence to suggest emails in the account were accessed or copied, but the possibility could not be ruled out. The breach has been reported to the St. Paul Police Department and an investigation into the breach is continuing.



Study Confirms Why Prompt Data Breach Notifications Are So Important

When healthcare organizations experience a data breach it is understandable that breach victims will be upset and angry. Information is provided to healthcare organizations in the understanding that safeguards have been implemented to keep that information private and confidential.

When patients and health plan members learn that their sensitive, private information has been exposed or stolen, many choose to take their business elsewhere.

According to a new study* by the credit reporting agency Experian, if the breach response is properly managed and the breached entity is transparent and issues notifications promptly, customer churn rate can be kept to an absolute minimum.

The Health Insurance Portability and Accountability Act’s (HIPAA) Breach Notification Rule requires notifications to be issued to breach victims ‘without unreasonable delay’ and no later than 60 days from the discovery of the breach. However, a majority of patients expect to be notified much more quickly. The study showed 73% of patients/plan members expect to be notified about a breach within 24 hours of the breach being discovered.

Prompt data breach notifications can make a big difference. Patients and plan members are likely to be much more forgiving if they are informed about a data breach promptly. 90% of respondents said they would be somewhat forgiving if they knew that the breached organization had a plan in place for communicating with patients in the event of a data breach, but many organizations are not prepared for the worst.

Previous research conducted by Experian suggests 34% of breach response plans do not include customer notification and only 52% of companies have a data breach crisis or communications plan in place. If the communications team is made aware in advance of notification requirements, the people responsible for the communications are mapped out, and approval processes are planned in advance, it will allow notifications to be issued much more quickly.

While incredibly fast breach notifications are expected, in practice it is often not possible to issue notifications in such a short time frame. A phishing attack that results in an email account being subjected to unauthorized access requires every email in that account to be checked for PHI. It is not always possible to automate that search effectively, and manual checks are often required. It is therefore important to start investigations promptly, yet 84% of businesses did not include forensic analysis in their breach response plans, which can lead to delays in issuing notifications.
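The mailbox review described above is where most of the notification delay comes from, and the paragraph's point (automation helps but cannot finish the job) is easier to see in code. The following is an added example written for this page, not code from HIPAA Journal or from any of the organizations it reports on. It assumes messages arrive as dictionaries with a subject, body and attachment file names, and the five messages are constructed sample data, not real mail. Messages with a high-confidence identifier (a dashed SSN, a labelled date of birth or MRN) are marked as likely PHI automatically; messages with only weak signals (a bare nine-digit number that could be an undashed SSN or an order number, a PHI-adjacent keyword, or a spreadsheet attachment the scanner does not open) are routed to a human, which is exactly the manual work the paragraph refers to.

```python
import re
from dataclasses import dataclass

# Constructed sample mailbox (not real data): what a responder might find in a
# compromised account. Each dict is one message; attachments are file names only.
SAMPLE_MAILBOX = [
    {"id": "msg-001", "subject": "Re: appointment",
     "body": "Patient John Doe, DOB 03/14/1975, MRN 00482913, moved to Tuesday.",
     "attachments": []},
    {"id": "msg-002", "subject": "Lunch?",
     "body": "Anyone free at noon? Also, order #123456789 arrived.",
     "attachments": []},
    {"id": "msg-003", "subject": "Waitlist",
     "body": "Updated waitlist attached, please review.",
     "attachments": ["waitlist_Q3.xlsx"]},
    {"id": "msg-004", "subject": "Parking",
     "body": "Lot B is closed Friday for resurfacing.",
     "attachments": []},
    {"id": "msg-005", "subject": "Coverage check",
     "body": "Member SSN 123-45-6789, group number GRP-44 verified.",
     "attachments": []},
]

# High-confidence identifiers: a match is treated as PHI without a human look.
STRONG_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "dob": re.compile(r"\b(?:DOB|date of birth)\b[:\s]*\d{1,2}/\d{1,2}/\d{4}", re.I),
    "mrn": re.compile(r"\bMRN\b[:\s#]*\d{5,}", re.I),
}
# Weak signals: too ambiguous to decide automatically, so they route to manual review.
WEAK_PATTERNS = {
    "nine_digits": re.compile(r"\b\d{9}\b"),  # an undashed SSN, or just an order number
}
WEAK_KEYWORDS = ("patient", "diagnosis", "prescription", "insurance", "member", "waitlist")
# Attachment types whose contents this scan does not open; a human must.
DATA_ATTACHMENT_EXT = (".xlsx", ".xls", ".csv", ".pdf", ".docx")


@dataclass
class Finding:
    msg_id: str
    verdict: str      # "likely_phi", "manual_review" or "cleared"
    indicators: list  # names of the signals that fired, in evaluation order


def triage_message(msg):
    """Classify one message; strong signals win, weak signals defer to a reviewer."""
    text = f"{msg['subject']}\n{msg['body']}"
    strong = [name for name, rx in STRONG_PATTERNS.items() if rx.search(text)]
    weak = [name for name, rx in WEAK_PATTERNS.items() if rx.search(text)]
    weak += [f"kw:{k}" for k in WEAK_KEYWORDS if k in text.lower()]
    weak += [f"attachment:{a}" for a in msg["attachments"]
             if a.lower().endswith(DATA_ATTACHMENT_EXT)]
    if strong:
        return Finding(msg["id"], "likely_phi", strong + weak)
    if weak:
        return Finding(msg["id"], "manual_review", weak)
    return Finding(msg["id"], "cleared", [])


def triage_mailbox(mailbox):
    """Triage every message and return the findings plus a verdict tally."""
    findings = [triage_message(m) for m in mailbox]
    counts = {"likely_phi": 0, "manual_review": 0, "cleared": 0}
    for f in findings:
        counts[f.verdict] += 1
    return findings, counts


if __name__ == "__main__":
    findings, counts = triage_mailbox(SAMPLE_MAILBOX)
    for f in findings:
        print(f"{f.msg_id}: {f.verdict:14} {', '.join(f.indicators)}")
    print("summary:", counts)
```

On the sample data, two messages are classified as likely PHI, one is cleared, and two land in the manual-review queue: the lunch message because a nine-digit order number is indistinguishable from an undashed SSN by pattern alone, and the waitlist message because its contents live in an attachment the scanner never opens. The size of that queue, not the scanner's run time, is what determines how quickly notification letters can go out.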

Slow and ineffective communication is likely to add insult to injury following a data breach. 66% of respondents said slow breach notification and poor communication would likely see them stop doing business with the breached entity, and 45% of respondents would not only seek an alternative service provider, they would also instruct their friends and family members to do the same.

*Data for the report came from an Experian survey of 1,000 adults in the United States by consultancy firm KRC Research in July 2019.


Multiple Email Accounts Compromised in UC Health Phishing Attack

University of Cincinnati Health (UC Health) is investigating a security breach that saw the email accounts of multiple employees accessed by an unauthorized individual.

The attack occurred between July 6 and July 12, 2019 and involved ‘a limited number’ of employee email accounts. An analysis of the compromised email accounts revealed they contained patients’ names, birth dates, medical record numbers, and some clinical information.

A forensic analysis of UC Health’s email system was unable to establish whether the attackers opened or copied any emails or email attachments. UC Health is attempting to determine exactly which patients have been affected, and notification letters will be sent “in the coming weeks.” UC Health announced the breach on its website on September 4, 2019.

UC Health will be enhancing email security and re-educating employees to help them identify phishing and other malicious emails.

The incident has not yet appeared on the HHS’ Office for Civil Rights website, so it is unknown how many patients have been affected.

Conway Regional Medical Center Phishing Attack Reported

Conway Regional Medical Center in Conway, AR has discovered patient information has been compromised in a recent phishing attack. The breach was detected when suspicious activity was observed in employee email accounts. The investigation confirmed the accounts had been subjected to unauthorized access as a result of employees responding to phishing emails.

The emails contained names, addresses, health insurance information, Social Security numbers, and a limited amount of medical information. No evidence was found to suggest patient information was stolen or misused. At this stage it is unclear how many patients have been affected.

The medical center is reviewing its security policies and procedures, which will be updated to reduce the risk of further data breaches.


Artesia General Hospital Phishing Attack Impacts 13,905 Patients

Artesia General Hospital in Artesia, NM, has discovered the protected health information (PHI) of 13,905 patients has been compromised in a phishing attack.

The breach was detected on June 18, 2019, when an employee’s email account was discovered to have been used to send unauthorized emails. The forensic analysis revealed the account had been accessed by an unauthorized individual between June 11 and June 18.

A leading computer forensics company was engaged to investigate the breach, but no evidence of data theft was discovered. To date, no reports have been received to suggest PHI has been stolen or misused.

The email accounts contained patients’ names, birth dates, patient account numbers, medical record numbers, health insurance information, and some treatment and/or clinical information, such as diagnoses, dates of service, and provider names. A small subset of affected patients also had Social Security numbers exposed.

The hospital has re-enforced security awareness training and additional measures are being implemented to improve email security. Patients who had their Social Security number exposed are being offered complimentary credit monitoring and identity theft protection services.

1,653 Patients of Carle Foundation Hospital Impacted by Phishing Attack

The email accounts of three physicians at Carle Foundation Hospital in Urbana, IL have been compromised in a phishing attack.

The security breach was detected on June 24, 2019, and the investigation revealed the accounts had been compromised three weeks earlier, on June 3, 2019. Assisted by a third-party cybersecurity company, the hospital determined that names, medical record numbers, birth dates, diagnoses, treatment plans, and clinical information were exposed. Affected patients had previously received cardiology or surgery services at the hospital.

No evidence of data theft or PHI misuse was detected, and notifications were sent ‘out of an abundance of caution.’ To prevent further incidents, employees are being retrained and email security is being improved.
