HIPAA Breach News

122,000 Providence Health Plan Members Impacted by Dominion National Data Breach

In July 2019, Dominion National, an insurer and administrator of dental and vision benefits, announced the discovery of a major data breach that impacted around 2.9 million health plan members. Hackers had gained access to Dominion National servers in 2010. The breach was detected on April 24, 2019.

Providence Health Plan has recently announced the breach at Dominion National affected 122,000 of its plan members. Virginia-based Dominion National administers Providence Health Plan’s dental program in Oregon, and as such, had access to plan members’ protected health information (PHI), including names, addresses, dates of birth, insurance information, and Social Security numbers.

Dominion National started administering the health plan’s dental program in 2015. The breach was therefore limited to customers who participated in the dental program between 2015 and 2019.

Affected Providence Health Plan members were notified by Dominion National in August and have been offered two years of complimentary credit monitoring and identity theft protection services.

Laptop Theft from Business Associate Affects 7,358 Connally Memorial Medical Center Patients

Wilson County Memorial Hospital District is notifying 7,358 patients of Connally Memorial Medical Center in Floresville, Texas that some of their personal and health information has been exposed.

Patient information was stored on a laptop computer used by a business associate of the medical center. The laptop was stolen on April 23, 2019.

The unnamed business associate conducted a forensic analysis to determine what, if any, PHI was stored on the device. That analysis revealed a limited amount of PHI was stored on the laptop, which could potentially have been accessed by unauthorized individuals.

The majority of affected individuals only had their first and last name, date of birth, gender, ethnicity, specialty referral information, and an internal tracking number exposed. A smaller set of patients had their full name, diagnosis, reason for transfer, and transfer date exposed, along with the name of the hospital to where that individual was transferred.

The breach has prompted the medical center to update its business associate agreements to state that all business associates must now use encryption on laptops used to store or access patient information. No financial information or Social Security numbers were exposed, but out of an abundance of caution, affected individuals have been offered complimentary credit monitoring services for 12 months.

The post 122,000 Providence Health Plan Members Impacted by Dominion National Data Breach appeared first on HIPAA Journal.

82% of Healthcare Organizations Have Experienced a Cyberattack on Their IoT Devices

82% of healthcare providers that have implemented Internet-of-Things (IoT) devices have experienced a cyberattack on at least one of those devices over the course of the past 12 months, according to the Global Connected Industries Cybersecurity Survey from Swedish software company Irdeto.

For the report, Irdeto surveyed 700 security leaders from healthcare organizations and firms in the transportation, manufacturing, and IT industries in the United States, United Kingdom, Germany, China, and Japan. Attacks on IoT devices were common across all those industry sectors, but healthcare organizations experienced the most cyberattacks out of all industries under study.

The biggest threat from these IoT cyberattacks is theft of patient data. The attacks also have the potential to compromise end-user safety and to result in the loss of intellectual property, operational downtime, and damage to the organization’s reputation. Failure to effectively secure the devices could also result in a regulatory fine.

When asked about the consequences of a cyberattack on IoT devices, the biggest concern was theft of patient data, which was rated as the main threat by 39% of healthcare respondents. Attacks on IoT devices can also threaten patient safety. 20% of respondents considered patient safety a major risk and 30% of healthcare providers that experienced an IoT cyberattack said patient safety was actually put at risk as a direct result of the attack.

12% of respondents said theft of intellectual property was a major risk, and healthcare security professionals were also concerned about downtime and damage to their organization’s reputation.

The main impact of these attacks is operational downtime, which was experienced by 43% of companies, theft of data (42%), and damage to the company’s reputation (31%).

Mitigating IoT cyberattacks comes at a considerable cost. The average cost to resolve a healthcare IoT cyberattack was $346,205, exceeded only by attacks on the transport sector, which cost an average of $352,639 to mitigate.

Even though there are known risks associated with IoT devices, it does not appear to have deterred hospitals and other healthcare organizations from using the devices. It has been estimated up to 15 million IoT devices are now used by healthcare providers. Hospitals typically use an average of 10-15 devices per hospital bed.

Securing the devices can be a challenge, but most healthcare organizations know exactly where the vulnerabilities are. They just lack the resources to correct those vulnerabilities.

Manufacturers need to do more to secure their devices. Security is often an afterthought and safeguards are simply bolted on rather than being incorporated during the design process. Fewer than half of device manufacturers (49%) said security is factored in during the design of the devices and only 53% of device manufacturers conduct code reviews and continuous security checks.

82% of device manufacturers expressed concern about the security of their devices and feared safeguards may not be enough to prevent a successful cyberattack. 93% of device manufacturers said security of their devices could be improved a little to a great deal, as did 96% of device users.

“The previous mindset of security as an afterthought is changing. 99 percent agree that a security solution should be an enabler of new business models, not just a cost,” explained the researchers in their recent report. “This clearly indicates that businesses realize the value add that security can bring to their organization.”


73 Email Accounts Compromised in Major Phishing Attack on NCH Healthcare System

The importance of security awareness training for healthcare employees has been highlighted by a recent phishing attack on Bonita Springs, FL-based NCH Healthcare System.

The attack was detected on June 14, 2019 when suspicious email activity was identified in relation to its payroll system. The investigation revealed a staggering 73 employees had responded to phishing emails and disclosed their account credentials to the scammers.

It is common for healthcare organizations to identify an email account breach and later discover the attack was more extensive than originally thought. Often, several email accounts are found to have been compromised as a result of lateral phishing: the use of one compromised email account to send phishing emails to other individuals in the organization, who are more inclined to trust a message that appears to come from a colleague. A breach as extensive as this one is fortunately rare.
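As an added illustration (not part of the original article and not NCH Healthcare System's tooling), the following Python sketch shows one detection heuristic for lateral phishing run over constructed mail-gateway log lines: an internal account that delivers the same subject to many distinct internal recipients inside a short window is flagged, while an external sender or a slow, spread-out internal mailing is not. The log format, the example-health.org domain, the addresses and the thresholds are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample gateway log (not from the page). Format assumed to be:
# "<ISO timestamp> <sender> <recipient> <subject ...>" with one delivery per line.
SAMPLE_LOG = """\
2019-06-14T08:00:05 j.doe@example-health.org a.lee@example-health.org Action required: payroll portal verification
2019-06-14T08:00:09 j.doe@example-health.org b.kim@example-health.org Action required: payroll portal verification
2019-06-14T08:00:14 j.doe@example-health.org c.ng@example-health.org Action required: payroll portal verification
2019-06-14T08:00:20 j.doe@example-health.org d.ruiz@example-health.org Action required: payroll portal verification
2019-06-14T08:00:31 j.doe@example-health.org e.park@example-health.org Action required: payroll portal verification
2019-06-14T08:00:44 j.doe@example-health.org f.hall@example-health.org Action required: payroll portal verification
2019-06-14T08:02:00 m.chen@example-health.org a.lee@example-health.org Lunch?
2019-06-14T09:00:00 hr@example-health.org a.lee@example-health.org Benefits enrollment reminder
2019-06-14T10:30:00 hr@example-health.org b.kim@example-health.org Benefits enrollment reminder
2019-06-14T12:00:00 hr@example-health.org c.ng@example-health.org Benefits enrollment reminder
2019-06-14T13:30:00 hr@example-health.org d.ruiz@example-health.org Benefits enrollment reminder
2019-06-14T15:00:00 hr@example-health.org e.park@example-health.org Benefits enrollment reminder
2019-06-14T08:05:00 billing@vendor-example.com a.lee@example-health.org Invoice attached
2019-06-14T08:05:01 billing@vendor-example.com b.kim@example-health.org Invoice attached
2019-06-14T08:05:02 billing@vendor-example.com c.ng@example-health.org Invoice attached
2019-06-14T08:05:03 billing@vendor-example.com d.ruiz@example-health.org Invoice attached
2019-06-14T08:05:04 billing@vendor-example.com e.park@example-health.org Invoice attached
"""

INTERNAL_DOMAIN = "example-health.org"  # assumed organization domain


def parse_line(line):
    """Split one log line into (timestamp, sender, recipient, subject)."""
    ts, sender, recipient, subject = line.split(" ", 3)
    return datetime.fromisoformat(ts), sender.lower(), recipient.lower(), subject.strip()


def find_lateral_phishing(log_text, window_minutes=10, min_recipients=5):
    """Return {sender: (subject, peak_distinct_recipients)} for internal senders that
    reached at least min_recipients distinct internal recipients with the same subject
    inside any window of window_minutes. External senders are ignored: lateral phishing
    is by definition internal-to-internal."""
    window = timedelta(minutes=window_minutes)
    suffix = "@" + INTERNAL_DOMAIN
    events = defaultdict(list)  # (sender, subject) -> [(timestamp, recipient), ...]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, sender, rcpt, subj = parse_line(line)
        if not sender.endswith(suffix) or not rcpt.endswith(suffix):
            continue
        events[(sender, subj)].append((ts, rcpt))

    flagged = {}
    for (sender, subj), deliveries in events.items():
        deliveries.sort()
        start, peak = 0, 0
        # Sliding window over the sorted deliveries; count distinct recipients in each window.
        for end, (ts, _) in enumerate(deliveries):
            while ts - deliveries[start][0] > window:
                start += 1
            peak = max(peak, len({r for _, r in deliveries[start:end + 1]}))
        if peak >= min_recipients and peak > flagged.get(sender, ("", 0))[1]:
            flagged[sender] = (subj, peak)
    return flagged


if __name__ == "__main__":
    for sender, (subject, count) in find_lateral_phishing(SAMPLE_LOG).items():
        print(f"possible lateral phishing from {sender}: {count} recipients, subject {subject!r}")
```

With the defaults only j.doe@example-health.org is flagged; the HR mailing spread over six hours is only flagged if the window is widened to cover it, which is the trade-off such a heuristic makes. In production the threshold would be set per sender from a volume baseline, and an alert should trigger the credential reset and mailbox-rule review that the article's incident illustrates.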

NCH Healthcare System is still investigating the attack and is being assisted by a third-party computer forensics firm. The initial findings suggest the attackers were not primarily interested in obtaining PHI; instead, their goal appears to have been to redirect payroll payments.

The forensic team confirmed on July 2, 2019 that some patient information was exposed as a result of the attack, but as the investigation is still ongoing, at this stage no confirmation has been issued on the types of information that were potentially compromised. Affected individuals will be notified accordingly when the investigation has concluded.

That process is likely to take some time given the extent of the breach and the number of emails in the compromised accounts that need to be checked to determine whether they contain protected health information.

NCH compliance officer Kelly Daly said the security measures put in place prior to the phishing attack limited the harm caused. Without those measures, more of the company’s 5,000 employees could also have fallen for the scam.

No reports have been received to date that suggest patients’ PHI has been misused, but patients are being advised to monitor their explanation of benefits statements and accounts for signs of identity theft and other misuses of their personal information.


Ransomware Attack Impacts More Than 400 U.S. Dental Practices

A ransomware attack on a medical record backup service has prevented hundreds of dental practices in the United States from accessing their patients’ records.

The attack occurred on August 26, 2019 and affected the DDS Safe backup solution developed by Wisconsin-based software company, Digital Dental Record (DDS). The DDS system was accessed via an attack on its cloud management provider, West Allis, WI-based PerCSoft. Ironically, the DDS website states DDS Safe helps to protect dental practices against ransomware attacks.

The attack did not affect all dental practices using the DDS Safe solution. Initial reports suggest between 400 and 500 of the 900 dental practices using the solution have been affected by the REvil/Sodinokibi ransomware attack.

PerCSoft, assisted by a third-party software company, has obtained a decryptor and is in the process of recovering the encrypted files. According to a statement from DDS, recovery of files is estimated to take between 30 minutes to 4 hours per client.

Some dental practices have reported file loss as a result of the attack and others have said the decryption process did not work. With the attack coming so close to the end of the month, several dental practices have expressed concern that the attack would prevent them from processing payroll payments. At the time of writing, around 100 dental practices have successfully recovered their files.

Since no free decryptor for REvil ransomware is available through the NoMoreRansom project, it is highly probable that the ransom was paid. That has not been confirmed publicly by either company, although Brian Krebs of Krebs on Security said several sources have confirmed that PerCSoft paid the ransom to obtain the decryptor.

The ransom amount is unknown, but one Reddit user claims PerCSoft – or its insurer – paid $5,000 per client for the decryptor. That would put the total ransom demand at $2.5 million, which is the same as the demand for the coordinated Sodinokibi ransomware attack that affected 22 government entities in Texas earlier this month.

Both attacks impacted multiple entities by compromising a software provider or managed service provider (MSP). This appears to be the modus operandi of the threat actors behind the attacks. A June attack abused the Webroot SecureAnywhere management console used by MSPs, which allowed REvil/Sodinokibi ransomware to be deployed on the MSPs’ clients’ systems.

The threat actors behind REvil ransomware are running a ransomware-as-a-service operation using a limited number of affiliates to distribute the ransomware. By using a small number of experienced affiliates, the threat actors hope to stay under the radar.

On hacking forums, the threat actors have been trying to recruit affiliates, five of whom have been guaranteed earnings of $50,000. Other affiliates have been told they will earn a minimum of $10,000. The threat actors are offering affiliates 60% of any ransom payments they generate and claim to be experienced, ‘professional’ ransomware developers that have been working in the field for the past five years.

While the code for REvil ransomware differs significantly from other ransomware variants, Tesorion researchers have found code similarities with the now defunct GandCrab ransomware, which was decommissioned this year. The threat actors behind GandCrab claimed to have retired after earning so much money from their ransomware-as-a-service operation over the past 18 months, although Tesorion researchers suspect at least some of the individuals involved in GandCrab may have got involved with or are responsible for REvil ransomware.

Regardless of who is behind the attacks, they are unlikely to wind up such a profitable operation any time soon. As long as ransom demands continue to be paid by businesses and their insurers, the attacks will continue.


33,370 Mount Sinai Hospital Patients Impacted by AMCA Breach

Mount Sinai Hospital has discovered the protected health information (PHI) of 33,730 patients was compromised in the cyberattack on American Medical Collection Agency (AMCA). The hospital is the 24th known victim of the massive AMCA breach, which has affected almost 25 million patients.

AMCA notified Mount Sinai Hospital on June 4, 2019 that an unauthorized individual had gained access to a web payment page, through which the PHI of its clients’ patients could be accessed. The webpage was compromised on August 1, 2018 and unauthorized access continued until March 30, 2019 when the breach was discovered and the web page was secured.

The breach only affected patients with outstanding medical bills that had been passed to AMCA for collection. The breach involved names, name of lab or medical service provider, dates of service, referring physician’s name, health insurance information, and other medical information related to the services provided by Mount Sinai.

Some patients also had financial information exposed. Those individuals were notified directly by AMCA and offered credit monitoring services. All other individuals are being notified by Mount Sinai Hospital.

Navicent Health Phishing Attack Impacts 1,400 Patients

Macon, GA-based Navicent Health is notifying approximately 1,400 patients that some of their protected health information was exposed in a phishing attack.

Navicent Health discovered an email account was compromised on June 24, 2019 as a result of an employee responding to a phishing email. Patient names, addresses, telephone numbers, medical information, insurance information, bank account information, Social Security numbers, and other personal information was potentially compromised.

This is not the first phishing attack to be reported by Navicent Health this year. In March, the healthcare provider announced a phishing incident had resulted in the exposure of 278,016 patients’ PHI. The breach occurred in July 2018, but it only became clear that PHI had been compromised on January 24, 2019.


Georgia Supreme Court to Decide Whether Athens Orthopedic Data Breach Victims Are Entitled to Damages

A class action lawsuit filed by victims of a June 2016 cyberattack on Athens Orthopedic in Georgia has gone before the Georgia Supreme Court to determine whether breach victims are entitled to recover damages.

The cyberattack in question saw the personal information, Social Security numbers, and health insurance information of approximately 200,000 individuals stolen by the hacking group, Dark Overlord.

The Dark Overlord has conducted numerous attacks on healthcare organizations in the United States over the past three years. Initially, attacks were conducted to steal sensitive data, which was subsequently sold on dark web marketplaces. More recently, attacks have involved data theft and extortion: a ransom demand is issued to breached entities, which must be paid to prevent publication of the stolen data. Athens Orthopedic did not pay the ransom demand.

The Dark Overlord gained access to Athens Orthopedic’s systems via an attack on a “nationally-known health care information management contractor,” the login credentials of which were used to steal patient data.

Athens Orthopedic monitored websites to determine whether patient data had been published and took steps to take down a list containing the PHI of 500 of its patients, which had been posted on Pastebin. The information was eventually removed, but during the time it was accessible online it is possible that multiple individuals copied the data. The Dark Overlord also listed data for sale online, although it is unclear whether anyone bought the dataset.

Athens Orthopedic notified its patients about the breach and advised them to contact one of the three credit reporting agencies to place a fraud alert on their credit file. Even though Social Security numbers were stolen, affected patients were not offered credit monitoring or identity theft restoration services.

A class action lawsuit was filed on behalf of three victims of the breach – Christine Collins, Paulette Moreland, and Kathryn Strickland – shortly after the breach was announced. The plaintiffs seek compensation for the time spent protecting their identities and reimbursement of legal fees and the cost of past and future credit monitoring services.

The plaintiffs allege negligence, breach of implied contract, unjust enrichment, and violation of the Georgia Uniform Deceptive Trade Practices Act.

While victims of the breach have incurred costs, there is the issue of whether an injury has been suffered. Collins alleges she had fraudulent charges on her credit card shortly after the breach but failed to allege they were the result of the cyberattack and did not demonstrate PHI had been misused as a direct result of the breach.

The case was dismissed by the trial court and by the Georgia Court of Appeals because the plaintiffs could demonstrate no financial loss or harm as a direct result of the cyberattack; consequently, they were held not to be entitled to claim damages under Georgia law. That decision was appealed, and it now falls to the Georgia Supreme Court to determine whether there are any compensable injuries. Oral arguments were heard this week.

“By ruling that the plaintiffs have failed to allege a compensable injury, the message delivered thus far in this case has been that data-breach victims in Georgia have no legal rights, regardless of how careless the defendant’s data security practices may have been,” argued the plaintiffs’ attorneys.

The plaintiffs allege Athens Orthopedic Clinic has not taken any steps to improve security and that “It continues to store the plaintiffs’ personally identifiable information on computer systems that employ the same lax security measures that permitted the hacker to access and steal the plaintiffs’ information.”

They also maintain their claims should not have been dismissed as “a present injury is not a required element for the plaintiffs’ breach of contract, unjust enrichment, declaratory judgment, or injunctive relief claims under Georgia law.”

The Supreme Court is expected to issue a ruling on the case, Collins et al. v. Athens Orthopedic Clinic, P.A., within the next six months. Should the Supreme Court overturn the decision of the Court of Appeals, it will have implications for data breach victims not only in the state of Georgia, but throughout the United States.


AMCA Data Breach Total Nears 25M as Wisconsin Diagnostic Laboratories Confirms 115K Record Breach

The victim count from the American Medical Collection Agency (AMCA) data breach has risen to almost 25 million as yet another healthcare organization has announced it has been impacted by the breach.

Wisconsin Diagnostic Laboratories (WDL), a network of 13 medical testing facilities in and around Milwaukee, is notifying 114,985 patients that some of their protected health information was compromised in the AMCA data breach.

On June 3, 2019, AMCA informed WDL that some of its patients’ data had been compromised as a result of the hacking of a web payment portal. The hacker gained access to the payment page on August 1, 2018. The breach was detected on March 30, 2019 and unauthorized access was terminated.

The types of information in AMCA systems were limited to patients’ names, dates of birth, dates of service, names of lab or medical service providers, referring physician’s name, balances owed to WDL, and other medical information related to the services provided by WDL. No Social Security numbers or lab test results were compromised in the breach. A limited number of individuals also had their financial information (credit card number/bank account details) compromised. Those individuals have been notified directly by AMCA.

The only patients affected by the breach were those that had outstanding bills that had been passed to AMCA for collection.

As has been the case with other clients impacted by the breach, WDL has ceased doing business with AMCA and has taken steps to ensure that all patient data held by the company is retrieved and secured.

WDL is the 23rd healthcare organization to confirm it has been affected by the AMCA data breach. Provisional figures indicate 24,911,500 individuals have been impacted by the breach.

Companies Affected by the AMCA Data Breach

 #   Healthcare Organization                                    Estimated Records Exposed   Confirmed Victim Count (OCR)
 1   Quest Diagnostics/Optum360                                                11,900,000                     11,500,000
 2   LabCorp                                                                    7,700,000                     10,251,784
 3   Clinical Pathology Associates                                              2,200,000                      1,733,836
 4   Carecentrix                                                                  500,000                        467,621
 5   American Esoteric Laboratories                                               541,900                        409,789
 6   Inform Diagnostics                                                           173,617                        173,617
 7   Laboratory Medicine Consultants                                              147,600                        140,590
 8   Wisconsin Diagnostic Laboratories                                            114,985                        114,985
 9   Austin Pathology Associates                                                   46,500                         43,676
10   Integrated Regional Laboratories                                              29,644                         29,644
11   Penobscot Community Health Center                                             13,000                         13,299
12   West Hills Hospital and Medical Center / United WestLabs                      10,650                         10,650
13   Seacoast Pathology, Inc                                                       10,000                          8,992
14   Arizona Dermatopathology                                                       7,000                          5,903
15   Western Pathology Consultants                                                  4,550                          4,079
16   Natera                                                                         3,000                          3,035
17   Sunrise Medical Laboratories                                                 427,000                            TBC
18   BioReference Laboratories/Opko Health                                        422,600                            TBC
19   CBLPath Inc.                                                                 148,900                            TBC
20   CompuNet Clinical Laboratories                                               111,000                            TBC
21   South Texas Dermatopathology LLC                                              16,100                            TBC
22   Pathology Solutions                                                           13,300                            TBC
23   Laboratory of Dermatology ADX, LLC                                             4,240                            TBC
     Total Records Breached                                                    24,545,586                     24,911,500

The confirmed total sums only the 16 organizations whose victim counts have been confirmed by OCR; the seven rows marked TBC are not yet included in it.


July 2019 Healthcare Data Breach Report

May 2019 had been the worst ever month for healthcare data breaches, with more breaches of 500 or more records reported than in any other month since the HHS’ Office for Civil Rights started publishing breach summaries on its website in 2009. That record was broken in July.

July saw 50 healthcare data breaches of more than 500 records reported to the Department of Health and Human Services’ Office for Civil Rights, which is 13 more breaches than the monthly average for 2019 and 20.5 more breaches than the monthly average for 2018.

July 2019 was the second worst month in terms of the number of healthcare records exposed. 25,375,729 records are known to have been exposed in July.

There are still 5 months left of 2019, yet more healthcare records have been breached this year than in all of 2016, 2017, and 2018 combined. More than 35 million individuals are known to have had their healthcare records compromised, exposed, or impermissibly disclosed this year.

Causes of July 2019 Healthcare Data Breaches


The main reason for the increase in reported data breaches in July is the colossal data breach at American Medical Collection Agency (AMCA). AMCA provides medical billing and collection services and its clients included some of the largest medical testing laboratories in the United States. Those clients have now been lost as a result of the breach.

The final victim count is not yet known, nor the number of records compromised in the breach. To date, 22 healthcare organizations have confirmed they have been affected and more than 24 million records are known to have been exposed. At least 8 healthcare organizations have not yet submitted their breach reports to OCR.

Healthcare Providers Impacted by the American Medical Collection Agency Data Breach

 #   Healthcare Organization                                    Estimated Records Exposed   Confirmed Victim Count
 1   Quest Diagnostics/Optum360                                                11,900,000               11,500,000
 2   LabCorp                                                                    7,700,000               10,251,784
 3   Clinical Pathology Associates                                              2,200,000                1,733,836
 4   Carecentrix                                                                  500,000                  467,621
 5   American Esoteric Laboratories                                               541,900                  409,789
 6   Inform Diagnostics                                                           173,617                  173,617
 7   Laboratory Medicine Consultants                                              147,600                  140,590
 8   Integrated Regional Laboratories                                              29,644                   29,644
 9   Penobscot Community Health Center                                             13,000                   13,299
10   West Hills Hospital and Medical Center / United West Labs                     10,650                   10,650
11   Seacoast Pathology, Inc                                                       10,000                    8,992
12   Arizona Dermatopathology                                                       7,000                    5,903
13   Western Pathology Consultants                                                  4,550                    4,079
14   Natera                                                                         3,000                    3,035
15   Sunrise Medical Laboratories                                                 427,000                      TBC
16   BioReference Laboratories/Opko Health                                        422,600                      TBC
17   CBLPath Inc.                                                                 148,900                      TBC
18   CompuNet Clinical Laboratories                                               111,000                      TBC
19   Austin Pathology Associates                                                   46,500                      TBC
20   South Texas Dermatopathology PLLC                                             16,100                      TBC
21   Pathology Solutions                                                           13,300                      TBC
22   Laboratory of Dermatology ADX, LLC                                             4,240                      TBC


Hacking and IT incidents dominated the breach reports in July with 35 incidents reported. Those breaches resulted in the exposure of 23,203,853 healthcare records. The mean breach size was 662,967 records, but the median breach size was only 4,559 records; the mean is pulled up by the handful of very large AMCA-related breaches.

There were 9 unauthorized access/disclosure incidents in July involving 2,160,699 healthcare records. The mean breach size was 240,077 records and the median breach size was 3,881 records.

There were three theft incidents reported that involved 3,584 records, 2 loss incidents that exposed 4,593 records, and one improper disposal incident that exposed 3,000 records.

Largest Healthcare Data Breaches in July 2019

Name of Covered Entity                                                      Covered Entity Type   Individuals Affected   Type of Breach                    Location of Breached PHI
Optum360, LLC                                                               Business Associate              11,500,000   Hacking/IT Incident               Network Server
Laboratory Corporation of America Holdings dba LabCorp                      Healthcare Provider             10,251,784   Hacking/IT Incident               Network Server
Clinical Pathology Laboratories, Inc.                                       Healthcare Provider              1,733,836   Unauthorized Access/Disclosure    Network Server
CareCentrix, Inc.                                                           Healthcare Provider                467,621   Hacking/IT Incident               Network Server
Bayamon Medical Center Corp.                                                Healthcare Provider                422,496   Hacking/IT Incident               Network Server
Memphis Pathology Laboratory d/b/a American Esoteric Laboratories           Healthcare Provider                409,789   Unauthorized Access/Disclosure    Network Server
Laboratory Medicine Consultants, Ltd.                                       Healthcare Provider                140,590   Hacking/IT Incident               Network Server
Imperial Health, LLP                                                        Healthcare Provider                116,262   Hacking/IT Incident               Desktop Computer, Network Server
Puerto Rico Women And Children’s Hospital, LLC                              Healthcare Provider                 99,943   Hacking/IT Incident               Network Server
Ameritas Life Insurance Corp.                                               Health Plan                         39,675   Hacking/IT Incident               Email

Location of Breached Protected Health Information

There was a major increase in network server incidents in July. The rise was due to the AMCA breach but also an uptick in ransomware attacks on healthcare providers. Phishing also continues to pose problems for healthcare organizations. 21 of the breaches reported in July involved PHI stored in email accounts.

The number of reported phishing attacks strongly suggests multi-factor authentication (MFA) has not yet been implemented by many healthcare organizations. If a password is phished, MFA can prevent the email account from being accessed remotely with that password alone.
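To make the point concrete, here is an added Python example (not code from the article or from any of the organizations it covers) of a second-factor check in the style of RFC 6238 TOTP beside the password-only policy that a phished credential defeats. The user, password and login function are invented for the illustration; the shared secret is the RFC 6238 test-vector key, so the codes can be checked against the published vectors.

```python
import hashlib
import hmac
import os
import struct
import time

# In-memory user store for the example: username -> {salt, pw_hash, totp_secret}.
USERS = {}

# RFC 6238 Appendix B test secret (ASCII "12345678901234567890"), used here only so the
# generated codes can be checked against the RFC's published SHA-1 vectors.
DEMO_SECRET = b"12345678901234567890"


def register(username, password, totp_secret):
    """Store a salted PBKDF2 password hash and the user's TOTP seed (the seed would be
    delivered to the user's authenticator app, not kept in plain form, in a real system)."""
    salt = os.urandom(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    USERS[username] = {"salt": salt, "pw_hash": pw_hash, "totp_secret": totp_secret}


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter derived from the current 30-second step."""
    return hotp(secret, int(unix_time // step), digits)


def verify_password(record, password):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], 100_000)
    return hmac.compare_digest(candidate, record["pw_hash"])


def login(username, password, otp=None, now=None, require_mfa=True):
    """Return True only if the password is right and, when MFA is required, the one-time
    code matches the current step or one step either side (clock-skew tolerance)."""
    now = time.time() if now is None else now
    record = USERS.get(username)
    if record is None or not verify_password(record, password):
        return False
    if not require_mfa:
        return True  # password-only policy: a phished password is enough
    if otp is None:
        return False
    step_now = int(now // 30)
    return any(
        hmac.compare_digest(hotp(record["totp_secret"], c), otp)
        for c in (step_now - 1, step_now, step_now + 1)
    )


# Demo user (invented); the attacker is assumed to have phished only the password.
register("nurse", "Summer2019!", DEMO_SECRET)

if __name__ == "__main__":
    t = 59  # fixed time so the code matches the RFC vector (287082 at six digits)
    print("password only, no MFA policy :", login("nurse", "Summer2019!", require_mfa=False, now=t))
    print("phished password, MFA policy :", login("nurse", "Summer2019!", now=t))
    print("password + current TOTP      :", login("nurse", "Summer2019!", otp=totp(DEMO_SECRET, t), now=t))
```

The caveat a practitioner should keep in mind is that TOTP codes can still be relayed by a phishing page that proxies the real login in real time, so the code above raises the bar against the credential-harvesting attacks described in this report rather than eliminating phishing; phishing-resistant factors such as FIDO2/WebAuthn security keys bind the authentication to the genuine site and close that gap.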

July 2019 Healthcare Data Breaches by Covered Entity Type

Healthcare providers were the worst affected covered entity type in July with 39 breaches reported. Three health plans reported breaches, and 8 breaches were reported by business associates of HIPAA covered entities. A further 18 healthcare data breaches had some business associate involvement.

July 2019 Healthcare Data Breaches by State

July’s 50 data breaches were spread across 26 states and Puerto Rico. Typically, California experiences the most data breaches in any given month due to the number of healthcare organizations based in California; however, California only saw one healthcare data breach reported in July.

Minnesota was the worst affected state with 6 reported breaches. Four breaches were reported by healthcare organizations based in Michigan, Pennsylvania, and Texas. Three breaches were reported in Nevada and Tennessee, two breaches were reported in each of North Carolina, Ohio, Wisconsin, and Puerto Rico.

One breach was reported in each of Alabama, Arkansas, Arizona, California, Connecticut, Georgia, Kentucky, Louisiana, Massachusetts, Maryland, Maine, Missouri, Nebraska, New Hampshire, New York, Oregon, and South Carolina.

HIPAA Enforcement Activity in July 2019

It has been a relatively quiet year for HIPAA enforcement by the HHS’ Office for Civil Rights. While there were two settlements agreed in May 2019 to resolve HIPAA violations, no further financial penalties have been announced.

State Attorneys General also have the authority to take action against healthcare organizations that have violated HIPAA Rules. July saw one settlement reached between Premera Blue Cross and 30 state attorneys general over its 10.4 million-record data breach in 2014.

Under the terms of the settlement agreement, Premera Blue Cross is required to pay a financial penalty of $10,000,000 to resolve the HIPAA violations discovered during the Washington Attorney General-led investigation.

In addition to the $10 million penalty, Premera Blue Cross settled a class action lawsuit for $74 million. $32 million will cover claims from breach victims and $42 million will be directed toward improving cybersecurity.


Phishing Attack on Presbyterian Healthcare Services Exposed PHI of 183,000 Patients

The Albuquerque, NM-based not-for-profit health system, Presbyterian Healthcare Services, has experienced a phishing attack that saw the email accounts of several employees subjected to unauthorized access.

The phishing attack was discovered by Presbyterian Healthcare Services on June 6, 2019. The breach investigation revealed the email accounts were compromised a month previously, on or around May 9, 2019.

Upon discovery of the breach, all affected email accounts were secured to prevent further access. An analysis of the compromised email accounts revealed they contained the protected health information (PHI) of 183,370 individuals. Compromised PHI was limited to names, dates of birth, Social Security numbers, and clinical and health plan information. Affected individuals have been advised to check their statements from their providers and health plans for signs of misuse of their personal information.

Presbyterian Healthcare Services has implemented additional safeguards to protect its email system and all employees will be required to undergo annual cybersecurity training. Employees will also be sent regular reminders about safeguarding PHI and avoiding phishing scams.

Lost Thumb Drive Contained PHI of 27,000 Renown Health Patients

27,004 patients of Reno, NV-based Renown Health are being notified that some of their protected health information was saved on an unencrypted thumb drive that has been declared lost.

The device contained information such as patient names, diagnoses, medical record numbers, clinical information, dates of admission, and physician’s names. The breach was limited to patients who had received inpatient services at Renown South Meadows Medical Center between January 1, 2012 and June 14, 2019.

The drive is believed to have been lost on June 30, 2019. The employee who reported the device missing was questioned, and a thorough search was conducted, but the portable storage device could not be located.

Renown Health is reviewing its policies concerning the use of portable storage devices and will be reeducating its employees on safeguarding PHI.
