HIPAA Breach News

Massachusetts General Hospital Data Breach Impacts 10,000 Patients

Massachusetts General Hospital (MGH) has discovered computer applications used by researchers in its Department of Neurology have been subjected to unauthorized access. The individual responsible would have been able to access the protected health information of approximately 10,000 patients.

MGH discovered the breach on June 24, 2019 and immediately terminated access to the applications and databases. An investigation was launched, and a forensic investigator was engaged to help determine the nature and scope of the breach. The investigation confirmed that two applications had been subjected to unauthorized access between June 10 and June 16, 2019.

Via the applications, the unauthorized individual would have been able to view information in databases related to specific neurology research studies. The types of information in the databases varied from patient to patient and may have included: Name, marital status, age, date of birth, sex, race, ethnicity, dates of visits and tests, medical record number, diagnoses, treatment information, biomarkers, genetic information, assessments and results, and other research information, including date of death and details of autopsy results. Highly sensitive information such as Social Security numbers, financial information, and health insurance information was not exposed.

Based on the findings of the investigation and the nature of the information exposed, MGH does not believe affected individuals need to take any steps to protect their identities. MGH will conduct a review of its security processes for research programs and will take steps to improve security to prevent similar breaches in the future.

Sonoma Valley Hospital Website Hack Forces Domain Change

Sonoma Valley Hospital in California has been forced to abandon its three-letter domain name after hackers took control of the domain.

The attack occurred on August 6. Hackers gained access to its svh.com domain and locked out the hospital. The hospital issued a statement saying it had become clear that the domain could not be recovered so the decision was taken to move to a new domain.

Internet connectivity and email accounts have now been migrated to sonomavalleyhospital.org. Patients have been advised to update their contact details for the hospital as emails sent to email addresses on the old domain are not being received.

No patient information was compromised in the attack, but that does not mean patients are not at risk. Whoever now controls the domain also controls its DNS, so they can receive any email still being sent to the old addresses and send email that appears to come from the hospital, which could be used in phishing attacks on Sonoma Valley Hospital patients.

According to the hospital, the impact of the domain theft cannot be overstated. The hospital will have to change all printed material, including business cards, letterheads, marketing material, and branding.

The post Massachusetts General Hospital Data Breach Impacts 10,000 Patients appeared first on HIPAA Journal.

Rhode Island Healthcare Provider Hacked: 3,000 Records Potentially Compromised

Rhode Island Ear, Nose and Throat Physicians Inc. (RIENT) is notifying 2,943 patients that some of their health information was stored on a server which was subjected to unauthorized access on June 19, 2019 when a hacker gained access to its network.

The breach was detected the same day and the network was secured. A third-party computer forensics firm was hired to assist with the investigation and help determine the nature and extent of the breach.

The compromised server did not contain the medical records of all patients, only records of patients who received medical services between May 1, 2019 and June 12, 2019. The forensic investigation did not uncover any evidence to suggest patient information was viewed or copied and no reports have been received to suggest patient information has been misused.

For the majority of affected patients, the breach was limited to names, dates of birth, and clinical information. A small subset of patients also had their Social Security number exposed.

Patients whose Social Security number was exposed have been offered complimentary credit monitoring and identity theft protection services. RIENT is implementing additional technical safeguards to improve its security posture and prevent similar attacks in the future.

California Hospice Suffers Ransomware Attack

The Hospice of San Joaquin in Stockton, CA has announced that on July 2, 2019, hackers installed ransomware on its network and gained access to servers hosting the protected health information of some of its patients.

While the attackers had access to patient information, the hospice does not believe any personal information has been viewed, stolen, or misused by the attackers.

Since unauthorized data access and theft could not be ruled out with a high degree of certainty, patients have been notified about the breach. Individuals affected by the breach had their full name exposed along with their home address, patient ID number, diagnoses, and other sensitive information.

The hospice has already implemented additional security measures to prevent similar attacks in the future.

Medical Records of Western Connecticut Health Network Patients Exposed

Nuvance Health has started notifying certain Western Connecticut Health Network (WCHN) patients that some of their protected health information has been exposed.

On June 11, 2019, WCHN sent a box of medical records to the Connecticut State Department of Public Health. The package was sent via the U.S. Postal Service (USPS), but the package was damaged in transit, exposing the contents of the package.

WCHN was notified and retrieved the damaged package from the USPS. A spokesperson for WCHN said there was no indication that any information had been removed and misused and that the package did not appear to have left the custody of the USPS until it was collected by WCHN personnel.

WCHN has now changed its procedures for sending protected health information to ensure similar incidents are prevented in the future. Patients were notified on August 19, 2019.

The information in the records was limited to names, addresses, dates of birth, provider names, medical record numbers, diagnosis dates, diagnoses, and medical test results.

4,000 Arizona State University Students Notified of Impermissible PHI Disclosure

Arizona State University (ASU) is notifying approximately 4,000 students that their email addresses, and in some cases their name, have been impermissibly disclosed as a result of a recent mailing error.

The students were sent emails in late July about renewing their health insurance. The recipient addresses should have been hidden from one another (as they are when a mailing is sent with the recipients in the Bcc field) but were visible to every other student who received the mailing.

When the error was discovered, ASU deleted 2,540 of the messages and said 1,130 messages had not been read.

ASU is reviewing its policies and procedures and will take steps to prevent incidents such as this from happening in the future.
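The ASU incident is the classic To/Cc versus Bcc mistake. The Python below is an added illustration, not code from HIPAA Journal or from ASU: it builds the same kind of bulk notice both ways and runs a pre-send check that counts how many recipient addresses would be visible in the delivered headers. The addresses, the sender, the subject line and the visible-recipient limit are all hypothetical.

```python
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed sample recipient list (hypothetical addresses, not from the incident).
RECIPIENTS = [
    "student1@example.edu",
    "student2@example.edu",
    "student3@example.edu",
]

# Policy: a bulk notice may expose at most one visible address (the sender's own list address).
MAX_VISIBLE_RECIPIENTS = 1


def build_message(recipients, *, hide_recipients, sender="benefits@example.edu"):
    """Build a bulk notice.

    With hide_recipients=True the list goes in Bcc, which the sending MTA strips
    before delivery; otherwise every address lands in To, visible to all recipients.
    """
    msg = EmailMessage()
    msg["From"] = sender
    msg["Subject"] = "Health insurance renewal reminder"
    msg.set_content("Your student health insurance is due for renewal.")
    if hide_recipients:
        msg["To"] = sender                  # visible field carries only the sender's address
        msg["Bcc"] = ", ".join(recipients)  # hidden recipients, used for the envelope only
    else:
        msg["To"] = ", ".join(recipients)   # the mistake: every recipient sees every address
    return msg


def visible_recipients(msg):
    """Return the addresses any recipient will see in the delivered To/Cc headers."""
    visible = []
    for header in ("To", "Cc"):
        visible.extend(addr for _, addr in getaddresses(msg.get_all(header, [])))
    return visible


def check_bulk_mail(msg, limit=MAX_VISIBLE_RECIPIENTS):
    """Pre-send guard: reject a message that would disclose recipients to each other.

    Returns (ok, visible_count) so the caller can log the count when blocking.
    """
    count = len(visible_recipients(msg))
    return count <= limit, count


if __name__ == "__main__":
    bad = build_message(RECIPIENTS, hide_recipients=False)
    good = build_message(RECIPIENTS, hide_recipients=True)
    print("all-in-To :", check_bulk_mail(bad))   # (False, 3)
    print("Bcc       :", check_bulk_mail(good))  # (True, 1)
```

smtplib.SMTP.send_message() removes the Bcc header before transmission and uses those addresses only in the SMTP envelope, so the hidden copy never reaches the other recipients; a guard such as check_bulk_mail() placed in front of the send call is what turns that convention into an enforced control rather than something each sender has to remember.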

30K Integrated Regional Laboratories Patients Impacted by AMCA Breach

Integrated Regional Laboratories (IRL) in Florida is notifying approximately 30,000 patients that their protected health information (PHI) was potentially compromised in the American Medical Collection Agency (AMCA) data breach discovered on March 20, 2019.

On June 3, 2019, AMCA notified IRL about its security breach and confirmed on June 13, 2019 that the PHI of IRL patients had been exposed.

IRL posted a breach notice on its website on July 30, and patients are being notified. IRL stopped sending patient information to AMCA when the breach was discovered, and the company is no longer using AMCA’s services. AMCA has been instructed to securely destroy all copies of any IRL patients’ PHI.

According to the breach summary on the HHS’ Office for Civil Rights website, 29,644 patients were affected by the breach.

Over the past few days, the breach summaries of several victims of the AMCA breach have been added to the OCR’s breach portal. HIPAA Journal has been tracking breach reports and has identified 22 HIPAA-covered entities that have been affected by the breach.

So far, 24,739,540 records have been confirmed as having been exposed. The breach reports of 9 victims have yet to be added to the OCR breach portal, but based on provisional figures, the final victim count is likely to exceed 26 million.

Mid-Valley Behavioral Care Network Phishing Attack Impacts Almost 11,000 Patients

Salem, OR-based Mid-Valley Behavioral Care Network (BCN) has discovered two email accounts used by employees have been subjected to unauthorized access. The data breach was detected on June 26, 2019 and the investigation revealed the accounts were compromised for a period of around 24 hours.

BCN manages care for members of the Willamette Valley Community health plan. The protected health information of 10,710 members of the WVCH plan was exposed, as well as the personal information of 2,092 Oregon Health Plan providers.

It was not possible to determine whether emails in the accounts were accessed or whether any PHI was stolen. Notification letters were sent to affected members on August 9, 2019. Additional safeguards have now been implemented to prevent any further breaches.

Hacked Server Contained PHI of 1,938 Bayview Dental Patients

Bayview Dental is alerting 1,938 of its patients that their protected health information was stored on a server that was subjected to unauthorized access.

Suspicious activity was detected on the server on May 28, 2019 and forensic experts were called in to investigate a potential breach. On July 4, 2019, Bayview Dental was informed by the forensic investigators that the protected health information of certain patients may have been accessed. It was not possible to determine whether any patient information was viewed or copied by the attacker.

Affected patients had the following information exposed: Name, address, phone number, date of birth, dental insurance information, medical/dental history information and, in certain cases, Social Security number.

Affected individuals have been notified and offered complimentary credit monitoring services for 12 months. Bayview Dental has implemented additional safeguards to prevent further cyberattacks and staff have been provided with additional training on data privacy and security.

PHI Exposed in Phishing Attacks on Michigan Medicine and Virginia Gay Hospital

Approximately 5,500 patients of Michigan Medicine are being notified that some of their protected health information has been exposed in a recent phishing attack.

In July, Michigan Medicine employees were targeted in a large-scale phishing campaign. 3,200 Michigan Medicine employees received phishing emails containing a hyperlink to a legitimate-looking web page that requested the user’s email login credentials.

Three employees responded to the emails and disclosed their credentials. Those accounts were subjected to unauthorized access and were used to send further phishing emails. Michigan Medicine detected suspicious activity in the email accounts on July 8, 9 and 12, 2019 and performed a password reset to prevent any further unauthorized access. As a precaution, passwords were also reset on the email accounts of all employees who received one of the phishing emails.

Two of the accounts were discovered to contain patient information. In addition to a patient’s name, one or more of the following may have been compromised: Address, date of birth, medical record number, diagnostic information, treatment information, health insurance information and, for a small number of patients, Social Security number.

No evidence was uncovered to suggest patient information was viewed or copied; however, since data theft cannot be ruled out, Michigan Medicine has assumed that patient information has been compromised.

Affected patients have been offered complimentary credit monitoring services and have been advised to monitor their accounts and statements from insurers for signs of fraudulent activity.

Michigan Medicine is implementing additional technical safeguards to enhance email security and will be retraining employees to improve security awareness.

PHI of Patients Exposed in Virginia Gay Hospital Phishing Attack

Virginia Gay Hospital in Vinton, IA, is notifying certain patients that some of their protected health information may have been accessed by an unauthorized individual who gained access to the email account of an employee on June 18, 2019.

The hospital called in a computer forensics company which determined that the compromised email account contained information such as names, dates of birth, Social Security numbers, and medical information of individuals who received outpatient services at the hospital. No evidence was uncovered to suggest patient information was viewed or copied.

Patients affected by the breach are now being notified. It is currently unclear how many individuals had their PHI exposed.

Ohio Eye Care Provider Suffers Ransomware Attack

Eye Care Associates, a fully integrated regional eye care provider in northeast Ohio, experienced a ransomware attack in late July which took its computer systems out of action. Two weeks after the attack occurred, its computer systems remain locked.

According to Director of Operations, Mary Jo Silva, the attack occurred in the early hours of July 28, 2019. The Beaver Township Police Department was notified about the attack and the board was informed.

A ransom demand was received, but no amount was stated on the demand; contact with the attackers would have been required to discover how much needed to be paid. Silva said no contact was made with the attackers and no payment was made. Eye Care Associates has been working with its backup and file storage service provider to recover all encrypted files. Silva expects systems to be brought back online in the next couple of days. An investigation into the attack has uncovered no evidence to suggest patient information was stolen. The Business Journal reports that the ransomware was delivered via email.

The attack has caused considerable disruption at the practice. It has not been possible to book new appointments for two weeks because the appointment system has been down, and staff have had to rely on paper records when treating patients.

Multiple Email Accounts Compromised in NCH Healthcare System Phishing Attack

Naples, FL-based NCH Healthcare System has experienced a phishing attack in which patient information may have been compromised.

NCH Healthcare identified suspicious activity in its payroll system on June 14, 2019 and called in third party computer forensics experts to investigate the breach. The investigation revealed the email accounts of several employees had been compromised as a result of responses to phishing emails.

It is possible that patient information in emails and email attachments could have been accessed or copied by the attackers. Patients have been notified about the breach and have been advised to monitor their accounts and explanation of benefits statements for any signs of fraudulent activity.

It is unclear at this stage how many patients have been affected by the breach.

Hackers Demand $1 Million Ransom from Washington Hospital

A ransomware attack on an Aberdeen, WA hospital and its associated clinics is still causing problems two months after it occurred. The attackers have demanded $1 million for the keys to decrypt the files.

On June 15, 2019, Grays Harbor Community Hospital started experiencing IT problems. The attack occurred on a Saturday when staffing was limited so initially the problem was attributed to an IT issue. On Monday it became apparent that ransomware was involved and steps were taken to isolate the infection and secure the network; however, the attackers had already moved laterally and had gained access to servers and the systems used by Harbor Medical Group clinics. The initial point of attack appears to have been a response to a phishing email by a single employee.

Harbor Medical Group operates 8 clinics in the Aberdeen and Hoquiam region, and those clinics were the worst affected by the attack. Grays Harbor Community Hospital used older software, which prevented the ransomware from being installed on the hospital’s main computer system. The clinics used more recent software, which allowed the attackers to infect more systems. Those systems are still down at the clinics, which are using pen and paper to record patient information.

A spokesperson for the hospital said patient care has not been affected. The hospital is continuing to provide emergency care to patients and appointments are going ahead as scheduled. There have been some delays to appointments and there are still issues accessing patient information. Patients have been told to bring details of their prescriptions and their medical histories and to make that information available at point of care.

The hospital had created backups, but it was not possible to recover files because the backups had also been encrypted; backups that remain reachable from the compromised network are themselves a target, which is why an offline or otherwise immutable copy is needed. As of August 13, 2019, the hospital still had not regained access to its files. The attack has been reported to the FBI and the hospital is assisting with its investigation.

The hospital had previously taken out a cybersecurity insurance policy for $1 million, which may cover the ransom payment. It is unclear whether the ransom has been paid.

No evidence of data access or theft was found, but the possibility could not be discounted. Affected patients had the following information exposed: Full name, address, phone number, date of birth, Social Security number, insurance information, diagnoses, and treatment information.

The hospital has started notifying the 85,000 patients affected by the breach and each has been offered complimentary credit monitoring services. Security measures are being assessed at the hospital and medical group and additional hardware and software solutions will be implemented as appropriate to improve security. Employees will also be provided with additional training.

Renown Health Discovers PHI was Stored on Lost Thumb Drive

Renown Health, the largest healthcare provider in Northern Nevada, has started notifying certain patients that some of their protected health information (PHI) may have been compromised.

Patient information was present in files on a portable storage device (thumb drive) discovered to be missing on June 30, 2019. An extensive search of the facility was conducted but the thumb drive could not be located.

An investigation was conducted to determine what files had been saved to the device and which patients had their PHI exposed.

Files on the storage device related to patients who had received inpatient services at Renown South Meadows Medical Center between January 1, 2012 and June 14, 2019. The types of information in the files included names, diagnoses, medical record numbers, clinical information, admission dates, and physicians’ names. No Social Security numbers or financial information were stored on the device.

Patients have been advised to exercise caution and monitor their accounts and explanation of benefits statements for any signs of fraudulent activity. Renown Health will be reviewing its policies covering the use of portable devices such as thumb drives and will be reeducating its workforce on safeguarding patient information.

The data breach has not yet appeared on the Department of Health and Human Services’ Office for Civil Rights’ breach portal, so it is unclear how many patients have been affected.

This is the second data breach of this nature to be reported in the past few days. The New York Fire Department also reported a breach involving the loss of a portable electronic device containing the ePHI of patients. Around 10,000 EMS patients were impacted by the breach.

These incidents highlight the importance of encrypting all portable electronic devices used to store ePHI. If a device is encrypted in line with HHS guidance and the key is not lost or compromised along with it, the ePHI on a lost or stolen device cannot be read by unauthorized individuals and the loss is not a reportable breach.

More than 10,000 FDNY EMS Patients Notified of PHI Exposure

More than 10,000 EMS patients taken to hospital by a New York Fire Department (FDNY) ambulance between 2011 and 2018 have had some of their protected health information exposed.

According to FDNY spokesperson Myles Miller, there was “a loss of data caused by one employee’s failure to follow the department’s data security policies.”

The fire department learned on March 4, 2019 that an employee’s personal hard drive was missing. The hard drive had been used by the employee to store files containing patient information such as patient care reports.

A patient care report is created when a 911 call is received that requires an ambulance to respond. The reports contained information on 10,253 patients such as name, address, telephone number, date of birth, insurance details, health condition, and for approximately 3,000 patients, their Social Security number.

All affected individuals are now being notified of the breach and individuals whose Social Security number was exposed have been offered complimentary credit monitoring services. “The FDNY is treating the incident as if the information may have been seen by an unauthorized person,” wrote the FDNY in its breach notification letter.

The employee in question was authorized to access patient information but was not authorized to use a personal, unencrypted hard drive to store files containing protected health information. The employee will be subjected to disciplinary measures and all employees required to handle medical information will be retrained.
