HIPAA Breach News

Email Security Breaches Expose PHI of Seattle Community Psychiatric Clinic Patients

Community Psychiatric Clinic in Seattle, WA, a provider of accredited outpatient mental health treatment and counselling services, has experienced two security breaches in which patient information may have been compromised. In both cases, an unauthorized individual gained access to an employee’s Microsoft Office 365 account.

The first security breach was detected on March 12, 2019, when an employee’s account was subjected to unauthorized access. The affected account was immediately secured, passwords were changed, and the employee’s hard drive was restored. Additional protections were also added to the email account to prevent similar breaches from occurring in the future. The investigation did not uncover any evidence to suggest that patient data had been stolen.

Around two months later on May 8, 2019, a second email account was discovered to have been compromised in a separate attack. The attacker used the email account to send a fraudulent wire transfer request to another member of staff. The transfer was executed, but due to the fast response of the clinic, it was possible to recover all the funds. A password reset was performed to lock out the attackers and additional protections have now been implemented on the breached account to reduce the risk of further attacks. Again, no evidence was found to suggest patient information had been stolen.

A forensic investigation revealed that, in addition to the above two accounts, a further two accounts had also been compromised. The investigators note that because the attackers accessed the mailboxes through Outlook Web Access, the potential for large-scale data exfiltration was significantly reduced. The lack of evidence of data exfiltration suggests the attackers did not succeed in obtaining patient information, but patients have been notified as a precaution.

The breaches have yet to appear on the Department of Health and Human Services’ Office for Civil Rights breach portal so it is currently unclear how many patients have been affected.

The post Email Security Breaches Expose PHI of Seattle Community Psychiatric Clinic Patients appeared first on HIPAA Journal.

PHI of Tens of Thousands of Patients Exposed Online Due to Database Misconfiguration

A database containing the personal information of individuals who had expressed an interest in Amarin Pharma’s cholesterol drug Vascepa® has been exposed online.

The database was maintained by a third-party vendor and contained information such as full names, addresses, telephone numbers, email addresses, medications, and interest in a copay card for Vascepa®.

Amarin learned of the breach via media reports of an exposed database containing information on Amarin customers and immediately launched an investigation. The company quickly determined which database had been exposed, suspended the active data feeds, and secured the database the same day.

The vendor’s investigation revealed a database misconfiguration had occurred which rendered the database accessible online between May 2, 2018 and June 20, 2019.

An investigation by the vendor confirmed that the database had been subjected to unauthorized access by a third party between May 29, 2019 and June 20, 2019, and during that time data had been copied.

Amarin and its vendor are continuing to investigate the breach and the database will not be brought back online until additional safeguards have been implemented to prevent any further accidental disclosures.

According to vpnMentor, the database contained the records of approximately 78,000 individuals. A second database containing transaction information was also exposed.

Database of Billing and Insurance Data Processing Vendor Exposed Online

Another exposed database was discovered by security researchers at UpGuard. The database was stored in an unsecured Amazon S3 bucket and contained around 14,000 documents containing a range of medical, personal and financial information. The database was tracked to the billing and insurance data processing vendor Medico.

Spreadsheets, documents, PDF files, text files, and images were accessible through the database. Those files contained names, contact information, banking information, insurance information, Social Security numbers, usernames, passwords, prescription information, and other personal and medical information. Most of the information dated from 2018.

UpGuard notified the vendor of the unsecured S3 bucket and the database and files were secured the same day. It is unclear whether the information had been subjected to unauthorized access prior to its discovery by UpGuard researchers.


Further 185,000 Individuals Affected by AMCA Data Breach

Three more healthcare organizations have announced they have been affected by the data breach at American Medical Collection Agency (AMCA): West Hills Hospital & Medical Center in California, Inform Diagnostics, and CompuNet Clinical Laboratories.

The AMCA data breach was first announced more than two months ago. Most of the companies impacted by the breach were notified by AMCA in May/June that some of their patients’ data had potentially been compromised, but it has taken several weeks for those companies to be provided with sufficient information to make announcements and send notification letters.

The breach at AMCA occurred between August 1, 2018 and March 30, 2019. During that period, an unauthorized individual had access to a web payment page, through which it was possible to obtain personal and financial information. Affected individuals had had their information passed to AMCA to collect outstanding bills for medical services.

The latest announcements bring the total number of companies known to have been affected to 21. It is not yet known how many patients of West Hills Hospital and Medical Center have been affected, but as it stands, the total victim count is at least 24,390,307. It may take several weeks before the final victim count is known and all of those individuals receive their breach notification letters.

West Hills Hospital and Medical Center

West Hills Hospital and Medical Center in West Hills, CA, uses a company called United WestLabs (UWL) to manage its reference laboratory. United WestLabs was informed by AMCA on June 12, 2019, that it had been impacted by the breach. Affected patients had their name, address, patient account number, amount owed, and service dates compromised. Some patients also had their credit or debit card number exposed.

AMCA has sent breach notification letters to all individuals whose financial information was exposed. All other affected West Hills patients are being notified by the hospital. West Hills Hospital and United WestLabs have now stopped using AMCA’s services.

Inform Diagnostics

Inform Diagnostics is an Irving, TX-based provider of pathology laboratory services. On June 30, 2019, the company was notified by AMCA’s holding company, Retrieval Masters Creditors Bureau, that personal and payment information had been accessed by a hacker. That information included first and last names, banking information, credit/debit card numbers, Social Security numbers, service dates, and names of referring physicians. 173,690 Inform Diagnostics patients are known to have been affected.

CompuNet Clinical Laboratories

Dayton, OH-based laboratory service provider CompuNet Clinical Laboratories was notified by AMCA on June 5, 2019 that the company had been affected by the breach.

The data exposed included names, dates of birth, service dates, medical service provider names, names of referring physicians, health insurance information, and other medical information. A subset of patients also had their Social Security number, credit/debit card number, and/or financial information exposed. Approximately 111,000 patients are known to have been affected.

Companies Known to Have Been Affected by the AMCA Data Breach

Healthcare Organization                                     Records Exposed
Quest Diagnostics/Optum360                                  11,900,000
LabCorp                                                      7,700,000
Clinical Pathology Associates                                2,200,000
American Esoteric Laboratories                                 541,900
Carecentrix                                                    500,000
Sunrise Medical Laboratories                                   427,000
BioReference Laboratories/Opko Health                          422,600
Inform Diagnostics                                             173,690
CBLPath Inc.                                                   148,900
Laboratory Medicine Consultants                                147,600
CompuNet Clinical Laboratories                                 111,000
Austin Pathology Associates                                     46,500
South Texas Dermatopathology PLLC                               16,100
Pathology Solutions                                             13,300
Penobscot Community Health Center                               13,000
Seacoast Pathology, Inc                                         10,000
Arizona Dermatopathology                                         7,000
Western Pathology Consultants                                    4,550
Laboratory of Dermatology ADX, LLC                               4,240
Natera                                                           3,000
West Hills Hospital and Medical Center / United WestLabs       Unknown
Total                                                       24,390,307


Presbyterian Healthcare Services Data Breach Impacts 183,000 Patients

New Mexico-based Presbyterian Healthcare Services is notifying approximately 183,000 patients and health plan members that some of their protected health information (PHI) has been exposed in a recent security breach.

On or around May 6, 2019, several Presbyterian Healthcare Services employees received phishing emails. Certain employees responded to the emails and inadvertently disclosed their credentials to the attackers. Those credentials were used to gain access to accounts containing sensitive information such as names, dates of birth, and Social Security numbers.

Presbyterian Healthcare Services became aware of the breach on June 9 and immediately secured the affected accounts. The breach investigation uncovered no evidence to suggest any personal information was accessed or stolen by the attacker, and no reports have been received to suggest any PHI has been misused.

The breach affected approximately 21% of Presbyterian Healthcare Services patients and plan members. Affected individuals have been offered complimentary credit monitoring and identity theft protection services for 12 months and have been advised to monitor their accounts and explanation of benefits statements carefully for any sign of fraudulent activity.

Presbyterian Healthcare Services is taking steps to improve email security to prevent any further breaches of this nature in the future.

3,812 Patients Affected by Three Rivers Community Health Group Phishing Attack

Perry County Medical Center, Inc. d/b/a Three Rivers Community Health Group, has discovered an unauthorized individual has gained access to the email account of one of its employees and may have viewed patient information.

The account breach was discovered on May 28, 2019. A forensic investigation was conducted by external computer experts, who determined that patient information such as names, dates of birth, dates of service, physicians’ names, prescription information, and health insurance group and ID numbers may have been accessed. No financial information or Social Security numbers were breached.

No evidence of unauthorized data access or data theft was uncovered, and the community health group is unaware of any instances of identity theft or misuse of PHI. As a precaution, all affected individuals have been offered complimentary credit monitoring and identity theft protection services.

The attack has prompted a review of privacy and security controls and additional protections will be implemented as appropriate to enhance email security.


Imperial Health Ransomware Attack Impacts More Than 111,000 Patients

Imperial Health, a physicians’ network serving patients in Southwest Louisiana, is alerting more than 111,000 patients that some of their protected health information has potentially been compromised in a recent ransomware attack.

An unauthorized party succeeded in downloading ransomware onto the network, which encrypted files and a database used by Imperial Health’s Center for Orthopaedics (CFO). The attack was detected on May 19, 2019.

The database contained the protected health information of 116,262 patients. While no evidence of data access or data theft was uncovered during the investigation, it was not possible to rule out a breach of PHI. The decision was therefore taken to issue notifications to affected patients to allow them to take steps to eliminate any risk of harm.

The information stored in the database related to patients who had previously received medical services at CFO. The information varied from patient to patient and may have included name, address, telephone number, birth date, Social Security number, medical record number, diagnoses, treatment information, medications, dates of service, treating physician, and other clinical information.

The incident has been reported to law enforcement and Imperial Health is assisting with the investigation. Imperial Health has removed the ransomware from its network and has successfully restored data. New anti-virus software has now been deployed to better deal with the threat from malware and ransomware in the future.

Lost Laptop Contained PHI of 1,500 Patients

The Philadelphia Department of Behavioral Health and Intellectual Disability Services (DBHIDS) has announced that a laptop computer containing the protected health information of approximately 1,500 patients has been lost. The laptop was password-protected but not encrypted.

The laptop computer was in a briefcase which was lost on public transport. The laptop contained information such as names, dates of birth, MCI numbers, service provider names, and Medicaid waiver services that the client had applied for or was receiving.

All 1,500 affected individuals were notified of the breach the same day that the laptop was lost and have been offered one year of credit monitoring services at no cost. A forensic review confirmed that the laptop had not been used to access patient records.

It is DBHIDS policy for all laptop computers to be encrypted and it is unclear how this device was missed. DBHIDS will conduct a review and will ensure all laptop computers are encrypted, staff will be re-assigned to the HIPAA Basics training course, and further training on security-focused topics will also be provided.


First Half of 2019 Sees 31.6 Million Healthcare Records Breached

It has been a particularly bad six months for the healthcare industry. Data breaches have been reported in record numbers and the number of healthcare records exposed on a daily basis is extremely concerning. The trend of more than one healthcare data breach a day has continued throughout 2019, even reaching a rate of 2 per day in May.

According to the 2019 Mid-Year Data Breach Barometer Report from Protenus and Databreaches.net, 31,611,235 healthcare records were breached between January 2019 and June 2019. To put that figure into perspective, it is double the number of records exposed in healthcare data breaches in the entirety of 2018 (14,217,811 records).

One breach stands out from the 285 incidents reported in the first half of the year: The data breach at American Medical Collection Agency (AMCA). A batch of stolen credentials on a dark net marketplace was traced back to AMCA, which discovered its payment web page had been compromised for months. It is not yet known exactly how many healthcare records were exposed in the incident, but 18 clients are known to have been affected and more than 20 million records have been confirmed as having been breached.

The report shows the first 6 months were dominated by hacking incidents, which accounted for 60% of all incidents and 88% of breached records. 168 data breaches were due to hacking, 88 involved phishing, 27 involved ransomware or malware, and one involved another form of extortion.

20.91% of all breaches – 60 incidents – were insider breaches. 3,457,621 records were exposed in those breaches, or 11% of all breached records. 35% of insider incidents were classified as being caused by insider error and 22% were due to insider wrongdoing. 24 theft incidents were reported, involving at least 184,932 records, and the cause of 32 incidents (142,009 records) is unknown.

Healthcare providers reported 72% of breaches, 11% were reported by health plans, and 9% were reported by business associates. 8% of breaches could not be classified. While the above distribution of breaches is not atypical, 2019 has been a particularly bad year for business associates.

In three of the first six months of 2019 a business associate reported the largest breach of the month. The largest breach of the year was at a business associate. That breach is already the second largest healthcare data breach of all time. Hacking was the biggest problem area for business associates. 45% of business associate data breaches were due to hacking and other IT incidents.

One business associate, Dominion National, took 8.5 years to discover its systems had been breached. By the time the breach was discovered, the records of 2,964,778 individuals had been compromised. Overall the average time to discover a breach was 50 days. The average time to report a breach to the HHS was 77 days and the median reporting time was 60 days.

“In order for healthcare organizations to reduce risk across their organization and to truly combat the challenges associated with health data security, it is critical for healthcare privacy offices to utilize healthcare compliance analytics that will allow them to audit every access to their patient data,” wrote Protenus. “Full visibility into how their data is being accessed will help healthcare organizations prevent data breaches from wreaking havoc on their organization and the patients who trust them with their personal information.”


More than 522,000 Puerto Rico Patients Impacted by Ransomware Attack

More than half a million patients in Bayamón, Puerto Rico have been affected by a ransomware attack on a medical center and associated hospital.

Bayamón Medical Center and Puerto Rico Women and Children’s Hospital discovered on May 21, 2019 that their computer systems had been infected with ransomware. The ransomware encrypted a wide range of files and prevented hospital staff from accessing patient information ‘for a short period of time,’ according to a July 19, 2019 press release announcing the attack.

Approximately 522,000 current and former patients are being notified about the ransomware attack as a precautionary measure. The internal investigation into the attack confirmed that patient information was affected, but no evidence of unauthorized data access or theft was identified.

The information potentially compromised was limited to names, demographic information, clinical information, financial information, and in some cases, diagnosis information, dates of birth, and Social Security numbers.

The ransomware attack only rendered data temporarily inaccessible and all patient information has now been restored without data loss. It is unclear whether the ransom demand was paid for the keys to unlock the encryption or if systems were rebuilt and data restored from backups.

The ransomware attack has been reported to the Department of Health and Human Services’ Office for Civil Rights as two separate breaches affecting 422,496 patients of Bayamón Medical Center and 99,943 patients of Puerto Rico Women and Children’s Hospital.

The incident is the latest in a string of ransomware attacks on healthcare organizations. Data from Malwarebytes indicates ransomware attacks increased by 195% in Q1, 2019 and a recently published report from Coveware shows ransomware attacks increased by 184% in Q2. Last month, Carbon Black released the findings of a survey which indicated 66% of healthcare organizations had experienced a ransomware attack in the past 12 months.

Until ransomware stops being profitable or a more lucrative method of attacking businesses is found, ransomware attacks will continue. With ransom payments of tens of thousands of dollars being paid to attackers, it is probable that the problem will get much worse before it gets better.


Kentucky Community Health Center Pays $70,000 Ransom to Recover PHI

On June 7, 2019, Louisville, KY-based Park DuValle Community Health Center suffered a ransomware attack. Hackers succeeded in gaining access to its network and installed ransomware which rendered its medical record system and appointment scheduling platform inaccessible.

The not-for-profit health center provides medical services to the uninsured and low-income patients in the western Louisville area. For seven weeks, employees at the health center have been recording patient information on pen and paper and have had to rely on patients’ accounts of past treatments and medications. With its systems out of action, no patient data could be viewed, and appointments could not be scheduled. The clinic had to operate on a walk-in basis.

The medical record system contained the records of around 20,000 current and former patients who had previously received treatment at one of its medical centers in Louisville, Russell, Newburg, or Taylorsville.

This is not the first ransomware attack suffered by the health center this year. A prior attack occurred on April 2, 2019, which similarly took its computer systems out of action. In that case, backups were used to restore data and its systems were rebuilt from scratch. The health center was able to recover data without paying a ransom, although its systems were offline for around three weeks while the attack was remediated.

The health center consulted with third-party IT specialists and the FBI after the latest attack and the decision was taken to pay the ransom for the keys to decrypt files. Park DuValle CEO Elizabeth Ann Hagan-Grigsby explained to WDRB reporters that it was not possible to rebuild its systems and recover data from backups after the latest attack.

The ransom was paid in two installments, the first was made two weeks ago and the final payment was made last week. The latest payment was for 6 Bitcoin. Approximately $70,000 was paid in total. The health center expects to have fully restored its systems by August 1, 2019.

The ransom payment is only a small part of the cost of a ransomware attack. Hagan-Grigsby said the attack has so far cost around $1 million.

While the ransomware prevented files from being accessed, Hagan-Grigsby does not believe there has been a data breach. She said the Department of Health and Human Services has been notified but was told there was no data breach: no evidence was found to suggest unencrypted patient information was viewed, and its firewall logs show no data was exfiltrated from its systems.

The Park DuValle ransomware attack is one of several healthcare ransomware attacks to be reported in the past few days. Ransomware attacks have also recently been reported by Springhill Medical Center in Alabama, Harbor Community Hospital in Washington, and Dr. Carl Bilancione’s dental office in Maitland, Florida.

An attack was also reported by Bayamón Medical Center in Puerto Rico, which also affected its affiliated Puerto Rico Women and Children’s Hospital. The attack impacted more than 520,000 patients.


2019 Cost of A Data Breach Study Reveals Increase in U.S. Healthcare Data Breach Costs

The Ponemon Institute/IBM Security has published its 2019 Cost of a Data Breach Report, a comprehensive analysis of data breaches reported in 2018.

The report shows data breach costs have continued to rise and that the costliest breaches are experienced by healthcare organizations, as has been the case for the past 9 years.

Average Data Breach Costs $3.92 Million

Over the past five years, the average cost of a data breach has increased by 12%. The global average cost of a data breach has increased to $3.92 million. The average breach size is 25,575 records and the cost per breached record is now $150; up from $148 last year.

Globally, the healthcare industry has the highest breach costs with an average mitigation cost of $6.45 million. Healthcare data breaches typically cost 65% more than data breaches experienced in other industry sectors.

Data breach costs are the highest in the United States, where the average cost of a data breach is $8.19 million – or $242 per record. The average cost of a healthcare data breach in the United States is $15 million.

Healthcare Data Breaches Cost $429 per Record

In healthcare, the average cost of a breach has increased to $429 per record from $408 last year – an increase of 5.15%. The financial sector has the second highest breach costs. Financial industry breaches cost an average of $210 per record – less than half the per record cost of a healthcare data breach.

Fortunately, mega data breaches are relatively rare, but when they do occur the costs can soar. Mega data breaches are classed as breaches of more than 1 million records. IBM projected that losses due to a data breach of 1 million records would be $42 million, whereas a breach of 50 million records would cost $388 million to resolve. The recent data breach at American Medical Collection Agency, which is known to have affected 18 healthcare providers and 25 million individuals, would fit halfway along that cost scale.

“Cybercrime represents big money for cybercriminals, and unfortunately that equates to significant losses for businesses,” said Wendi Whitmore, Global Lead for IBM X-Force Incident Response and Intelligence Services. “With organizations facing the loss or theft of over 11.7 billion records in the past 3 years alone, companies need to be aware of the full financial impact that a data breach can have on their bottom line – and focus on how they can reduce these costs.”

The survey was conducted by the Ponemon Institute on 507 companies that have experienced a data breach in the past year and involved 3,211 interviews with individuals with knowledge of the breach. Breach costs were determined using an activity-based costing (ABC) method, which identifies activities and assigns a cost to each based on actual use.

The Effects of A Data Breach Are Felt For Years

In this year’s study, IBM analyzed the financial impact of a data breach, including the long-tail financial costs. The analysis revealed that the financial repercussions of a data breach are felt for years. The majority of the breach costs are realized in the first year after the breach, when 67% of the cost is accrued. 22% of the cost is accrued in the second year, and 11% of the cost comes 2 or more years after the breach. In highly regulated industries such as healthcare, the long-tail costs are higher.

For the majority of businesses, the biggest cost is loss of business after a data breach. Across all industry sectors, loss of business has been the biggest breach cost for the past 5 years; it now costs businesses an average of $1.42 million, or 36% of their total breach cost. The average loss of customers following a data breach is 3.9%, although the figure is higher for healthcare organizations, which often struggle to retain patients after a breach.

Breach costs are affected by several factors, including the nature of the breach and the organization’s size. The average cost of a data breach at an SMB with fewer than 500 employees is $2.5 million or 5% of annual revenue. With such crippling costs, it is easy to see why so many SMBs fail within 6 months of experiencing a data breach.

Malicious attacks were most common (51%) and were also the costliest breaches to resolve. Malicious attacks cost 25% more to resolve than breaches caused by system glitches or human error. Malicious attacks are now occurring much more frequently. There was a 21% increase in malicious attacks between 2014 and 2019.

The study identified several factors which reduce the cost of a data breach. The most important step to take to reduce breach costs is to form an incident response (IR) team. Companies that had formed an IR team, developed an IR plan, and extensively tested that plan, reduced their breach costs by an average of $1.23 million.

A rapid breach response greatly reduces breach costs. The average time from breach to discovery is 279 days. Companies that identified and remediated the breach inside 200 days saved an average of $1.2 million.
