HIPAA Breach News

Premera Blue Cross Settles Multi-State Action for $10 Million

Premera Blue Cross has agreed to a $10 million settlement to resolve a multi-state data breach lawsuit involving 30 state attorneys general.

The settlement resolves alleged violations of state and federal laws that contributed to its 10.4 million record data breach in 2014. A hacker gained access to Premera Blue Cross’s network on May 5, 2014 and remained undetected until March 6, 2015. For almost a year the hacker had access to highly sensitive plan member information such as names, contact information, dates of birth, member ID numbers, and Social Security numbers.

Alabama, Alaska, Arizona, Arkansas, California, Connecticut, Florida, Hawaii, Idaho, Indiana, Iowa, Kansas, Kentucky, Louisiana, Massachusetts, Minnesota, Mississippi, Montana, Nebraska, Nevada, New Jersey, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Rhode Island, Utah, Vermont and Washington all participated in the lawsuit.

Washington State Attorney General Bob Ferguson led the investigation and looked at the security vulnerabilities that had been exploited by the hacker to gain access to such a large amount of sensitive data and how the attack went undetected for almost a year.

The Health Insurance Portability and Accountability Act’s (HIPAA) Security Rule requires all HIPAA-covered entities to implement administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of protected health information (PHI). The investigators determined that Premera Blue Cross violated HIPAA by failing to meet minimum standards for security.

According to the attorneys general, this was not an oversight. Premera Blue Cross had been repeatedly told by its own auditors that its security program was inadequate. The risk of a data breach was accepted without any corrective action being taken to address the identified vulnerabilities.

“We expect all companies – and particularly those that possess sensitive health information – to protect their customers’ data and to respond appropriately in the event of a breach,” said New Jersey Attorney General Gurbir S. Grewal. “As today’s settlement shows, companies that fall short will be held accountable, face penalties, and be required to improve their systems to prevent future harm to even more customers.”

In addition to the financial penalty, Premera Blue Cross is required to implement further security controls to ensure the electronic protected health information of its plan members is better protected. Annual cybersecurity reviews must also be conducted by a third-party cybersecurity expert and data security reports must be sent to the attorneys general.

Premera Blue Cross must also hire a CISO with experience in HIPAA compliance and data security who will be responsible for implementing and maintaining the company’s security program. The CISO is required to attend regular meetings with executive management and must meet with the CEO at least every two months. The CISO is also required to report any network breaches within 48 hours of discovery.

It has been an expensive four weeks for Premera Blue Cross. Last month, Premera Blue Cross agreed to pay $74 million to settle a class action lawsuit filed by plan members affected by the breach.

The post Premera Blue Cross Settles Multi-State Action for $10 Million appeared first on HIPAA Journal.

More than 1,000 Essentia Health Patients Impacted by Nemadji Research Corporation Breach

Essentia Health, an integrated health system serving Minnesota, Wisconsin, North Dakota, and Idaho, is sending notifications to more than 1,000 patients alerting them to the exposure of some of their protected health information (PHI).

Like many healthcare providers, Essentia Health works with a third-party vendor that provides billing services to help recover lost revenue. Those services were provided by a Bruno, MN-based billing services firm called Nemadji Research Corporation.

Essentia Health provided Nemadji with certain types of PHI to allow the company to perform its contracted services. Essentia Health did not disclose exactly what types of information were exposed in the substitute breach notice posted on its website.

On March 28, 2019, Nemadji discovered unusual activity in an employee’s email account. The investigation revealed the employee had fallen for a phishing scam and had disclosed login credentials to the attacker. The account was subjected to unauthorized access for a period of several hours before the account was deactivated.

The subsequent investigation revealed the email account contained the PHI of patients of some of its clients. The L.A. Times had previously reported that the phishing attack had exposed the PHI of 14,591 Los Angeles Department of Health Services (DHS) patients. The latest report from Essentia Health shows the breach was more widespread.

It is currently unclear how many of the company’s clients were affected, and the incident has yet to appear on the Department of Health and Human Services’ Office for Civil Rights breach portal, so the total number of individuals affected is also unknown.


Phishing Attack on California Business Associate Impacts 14,591 DHS Patients

Nemadji Research Corporation, doing business as California Reimbursement Enterprises, has announced that an unauthorized individual has gained access to the email account of an employee and may have viewed or copied the protected health information (PHI) of its clients’ patients.

California Reimbursement Enterprises is a business associate of several healthcare facilities and hospitals in California and provides patient eligibility and billing services. The company also provides services to the Los Angeles County Department of Health Services (DHS).

A potential email account breach was detected on March 28, 2019 when IT staff identified unusual activity in an employee’s email account. Assisted by a third-party computer forensics expert, Nemadji determined the employee responded to a phishing email the same day and the attacker accessed the account for several hours.

All emails in the account were checked and on June 5, 2019, Nemadji confirmed that patient information had been exposed and notifications were issued to affected business partners.

The breached email account contained correspondence between California Reimbursement Enterprises and DHS related to the services provided. Some of those emails included some individuals’ PHI. Nemadji notified DHS about the breach on June 26, 2019 and confirmed 14,591 DHS patients had been affected.

The information potentially viewed or copied was limited to names in combination with one or more of the following data elements: address, telephone number, date of birth, medical record number, patient account number, admission date(s), discharge date(s), Medi-Cal ID number, and month and year of service. Four patients also had diagnostic codes exposed and two patients had their Social Security number exposed.

Affected patients have been offered complimentary credit monitoring and identity theft protection services and were sent breach notifications on July 8, 2019.

Nemadji has reviewed its cybersecurity defenses and additional security measures have been implemented to reduce the risk of further breaches. Employees have been given additional training and email security protections have been enhanced.


Sensitive Data Potentially Compromised in Tennessee Hospice Phishing Attack

Alive Hospice in Nashville, TN, a provider of end-of-life care, palliative care, bereavement support and community education in middle Tennessee, has announced that the email account of an employee was subjected to unauthorized access in May 2019.

Around May 6, 2019, suspicious activity was detected in an employee’s email account. The password for the account was immediately changed and an investigation was launched into the cause of the breach.

The investigation revealed the email account was compromised on May 4, 2019 and hackers had access to the email account for a period of two days. Only one email account was compromised. Unauthorized account access was confirmed, but no evidence was found to suggest any patient information was accessed or stolen.

The types of information in emails and email attachments varied from patient to patient and may have included the following types of PHI in addition to a patient’s name: Date of birth, Social Security number, driver’s license number, financial account number, medical history, treatment information, prescription information, treating or referring physician information, medical record number, health insurance information, Medicare or Medicaid number, username/email and password information.

Alive Hospice has conducted a review of its security protections and will be implementing additional safeguards to help prevent further attacks. Affected individuals have been offered complimentary credit monitoring and identity theft protection services.

The incident has been reported to the Department of Health and Human Services’ Office for Civil Rights but the incident has yet to appear on the OCR breach portal, so it is currently unclear how many individuals have been affected.

Californian Medical Staffing Agency Victim of Phishing Attack

The Roseville, CA-based medical staffing agency Flexcare LLC has discovered it has been the victim of a phishing attack.

The email account of a single employee was temporarily compromised as a result of a response to a phishing email. The agency’s email security system detected unusual activity in the account shortly after the phishing email was received and the account was automatically shut down.

Computer forensic professionals were hired to help analyze the breach and determine whether the attacker gained access to the employee’s email account and whether any PHI had been viewed or copied.

Despite the prompt account shutdown, the investigation confirmed that the account had been subjected to unauthorized access. While no evidence of data access or data theft was found, the forensic investigators concluded that during the window in which access was possible, patients’ PHI may have been viewed or copied.

A detailed analysis of emails in the compromised account revealed affected patients had their name exposed along with one or more of the following types of PHI: address, date of birth, driver’s license number, Social Security number, and medical information such as vaccination history, drug test results, and annual health questionnaire answers.

Flexcare will be providing employees with further training on email and network security, and multi-factor authentication is being implemented. Affected individuals have been offered a free 12-month membership to CyberScout credit monitoring and identity theft protection services.


PHI of 10,893 Summa Health Patients Potentially Compromised in Phishing Attack

Akron, Ohio-based Summa Health has discovered an unauthorized individual has gained access to four employee email accounts containing patients’ protected health information (PHI).

Summa Health became aware of the breach on May 1, 2019 and launched an investigation that revealed two email accounts had been breached in August 2018, and a further two accounts between March 11, 2019 and March 29, 2019.

All four accounts were immediately secured and a third-party computer forensics firm was hired to determine whether any patient information had been accessed or stolen. The firm found no evidence of data theft or PHI access, although it was not possible to rule out the possibility that patient information was compromised in the breach.

An analysis of the compromised accounts revealed they contained the following types of PHI: Patient names, dates of birth, medical record numbers, patient account numbers, clinical information, and treatment information.

In total, 10,893 patients were affected. A small subset of those patients also had their Social Security numbers and/or driver’s license numbers exposed.

On June 28, 2019, Summa Health submitted two separate breach reports to OCR for the August and March attacks, one affecting 7,989 individuals and the other affecting 2,904 individuals.

Complimentary credit monitoring and identity protection services have been offered to patients whose Social Security number or driver’s license number was exposed.

Summa Health will be reinforcing employee training on privacy and security and additional security measures will be implemented to improve email security.

Community Physicians Group Phishing Attack Impacts 5,400 Patients

Siloam Springs, AR-based Community Physicians Group is alerting 5,400 patients that their PHI has been exposed as a result of a phishing attack.

The breach was detected on April 24, 2019 when suspicious activity was identified in an email account. The investigation revealed that malicious software installed on February 19, 2019 had given the attacker access to the email account.

The email account contained PHI in email attachments. The exposed information was limited to names, medical record numbers, dates of service, and a brief description of the nature of the visit. No Social security numbers, financial information, or other highly sensitive information were exposed.

The malware has now been removed and security has been improved with a new cloud-based anti-malware protection system.

Addison County Home Health & Hospice Email Breach Reported

758 patients of Addison County Home Health & Hospice in Vermont are being notified that some of their PHI has been exposed as a result of a recent email security breach.

The breach was discovered on April 26, 2019 and the investigation revealed unauthorized access to the account was first gained on February 19, 2019.

An analysis of the emails in the account revealed they contained names, clinical information, and for certain patients, medical record numbers and Social Security numbers.

A free 12-month membership to credit monitoring and identity protection services has been offered to individuals whose Social Security number was exposed.

The hospice will be augmenting its technical security controls and further training will be provided to employees to help them identify phishing emails.


Student Sues Hospital for Unauthorized Use of PHI as Teaching Tool

A medical student is suing Marshall University and Cabell Huntington Hospital over the impermissible disclosure of some of his protected health information (PHI) to a class of students.

The student, who is identified as J.M.A in the lawsuit, claims his x-rays were used as a teaching tool by a professor at Marshall University Joan C. Edwards School of Medicine, but information identifying J.M.A. as the patient had not been removed or redacted from the images.

The matter had been brought to the attention of the university by another faculty member. On April 15, 2018, the dean of the medical school wrote to J.M.A to inform him of the privacy violation. The university was unaware that the professor was using the image as a teaching tool.

J.M.A. claims he has suffered shame, embarrassment, humiliation, and severe anxiety as a direct result of the disclosure of his identity. It is unclear how many people viewed J.M.A’s x-rays and how many of those individuals disclosed what they saw to others.

J.M.A is represented by Troy N. Giatras, Matthew W. Stonestreet, and Phillip A. Childs of The Giatras Law Firm, and is seeking compensatory and punitive damages.

Three motions to dismiss the lawsuit have been submitted by the defendants Cabell Huntington Hospital; Marshall University Joan C. Edwards School of Medicine and Marshall University Board of Governors; and Radiology Inc.

They are seeking to have the case dismissed as it was not filed in the proper venue and because they say the plaintiff failed to state a claim on which relief can be granted.

PHI Exposed in Break-In at Pardee UNC Health Care

Pardee UNC Health Care is notifying certain patients that some of their PHI has potentially been compromised during a break-in at its facility at 2029 Asheville Hwy, Hendersonville, NC. The break-in was discovered on May 9, 2019. Thieves gained entry to the basement of the building and stole electronic equipment.

No electronic protected health information was exposed, as the stolen computers did not have hard drives, but while searching the basement staff found a stack of 590 Federal Drug Testing Custody and Control forms. The forms, dated from October 2003 to December 2004, contained names, phone numbers, birth dates, Social Security numbers, employer names, driver’s license numbers, and drug screening test results.

Officials at Pardee did not find any evidence to suggest information had been viewed or stolen, but the stack of files had been moved to a place where they would have been in full view of the thieves as they entered the basement, so there is a possibility that PHI has been compromised.

All files have now been removed from the basement and are in a secure storage facility. Pardee UNC had previously stored paperwork in several locations. The paperwork has now been retrieved and been moved to a single, secure storage facility.

“We are reviewing existing employee training and record retention protocols and policies and will reinforce and revise as needed,” said Jennifer Melia, Compliance & Privacy Officer for Pardee UNC Health Care.

Pardee UNC Health Care is offering 12 months of free credit monitoring services to affected individuals. It is unclear how many individuals have been affected.


UChicago Accused of Illegally Sharing Patient Data with Google

A lawsuit has been filed by a former patient of UChicago Medicine who claims his medical records – and those of hundreds of thousands of other patients – have been shared with Google without authorization.

UChicago Medicine, UChicago Medical Center, and Google have been named in the lawsuit. The suit claims patient information was shared with Google as part of a study aimed at advancing the use of artificial intelligence, but patient authorization was not obtained in advance and the data were not properly de-identified.

In 2017, UChicago Medicine started sending patient data to Google as part of a project to look at how historical health record data could be used to predict future medical events. Patient data were fed into a machine learning system which attempted to make health predictions about patients.

The HIPAA Privacy Rule does not prohibit such disclosures, but before protected health information is disclosed for research of this kind, patients must either give written authorization or the information must first be de-identified. Under the Privacy Rule’s Safe Harbor method, de-identification means stripping out the 18 identifiers that allow protected health information to be tied to a particular patient, among them names, Social Security numbers, medical record numbers, and all elements of dates (other than the year) directly related to an individual, such as admission, discharge, and service dates.

The lawsuit was filed by a former patient of UChicago Medicine, Matt Dinerstein, who had been admitted to UChicago Medicine on two occasions in June 2015.

In the lawsuit, Dinerstein claims that huge quantities of patient data were provided to Google without authorization from patients and that patient information was not correctly de-identified. Currently, Dinerstein is the only plaintiff named in the lawsuit, but the suit will be expanded to a class action should other patients come forward.

According to a spokesperson for UChicago Medicine, the claims in the lawsuit are “without merit” and no information was shared with any third-party in violation of HIPAA or other regulations protecting patient privacy.

While several hospitals participated in the study and supplied patient data to Google, UChicago data differed as it contained time stamps and information about when patients were admitted and discharged from hospital.

Google confirmed in a 2018 research paper on scalable and accurate deep learning for electronic health records that medical record data had been obtained from UChicago Medicine and that all data were de-identified, but dates of service were included in the data set. Dates more specific than the year are themselves one of the 18 Safe Harbor identifiers, which is why their presence is central to the complaint.
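The two points above, the 18-identifier Safe Harbor rule and the specific gap of admission and discharge timestamps left in an export, are easy to enforce mechanically. The following is an added example, not code from HIPAA Journal, UChicago Medicine, or Google: a small checker that flags fields violating the Safe Harbor conditions it knows about, and a companion function that applies the corresponding transformations (drop direct identifiers, truncate dates to the year, bucket ages over 89, truncate ZIP codes). The field names and the sample record are constructed for the demonstration; the three-digit-ZIP population lookup that Safe Harbor also requires is noted but not implemented.

```python
"""Minimal HIPAA Safe Harbor de-identification check (added example).

Field names, the identifier list below and the sample record are assumptions
for the demo; map your own export schema onto them.  This is a mechanical
check, not a legal determination.
"""
import re

# Subset of the 18 Safe Harbor identifiers that show up as plain fields in a
# typical EHR export (assumed names).  These are dropped outright.
DIRECT_IDENTIFIERS = {
    "name", "address", "phone", "fax", "email", "ssn", "mrn",
    "account_number", "health_plan_id", "device_serial", "ip_address",
    "url", "license_number", "biometric", "photo",
}

_YEAR_ONLY = re.compile(r"^\d{4}$")
_LEADING_YEAR = re.compile(r"^(\d{4})")


def _is_date_field(key: str) -> bool:
    """Dates directly related to the individual: only the year may remain."""
    return key in {"date_of_birth", "dob"} or key.endswith(
        ("_date", "_datetime", "_timestamp")
    )


def safe_harbor_violations(record: dict) -> list:
    """Return 'field: reason' strings; an empty list means every check passed."""
    problems = []
    for field, value in record.items():
        if value is None or value == "":
            continue
        key = field.lower()
        text = str(value)
        if key in DIRECT_IDENTIFIERS:
            problems.append(f"{field}: direct identifier present")
        elif _is_date_field(key):
            if not _YEAR_ONLY.match(text):
                problems.append(f"{field}: date more specific than year")
        elif key == "age" and text.isdigit() and int(text) > 89:
            problems.append(f"{field}: age over 89 must be aggregated as 90+")
        elif key == "zip" and len(re.sub(r"\D", "", text)) > 3:
            problems.append(f"{field}: ZIP code beyond first three digits")
    return problems


def deidentify(record: dict) -> dict:
    """Apply the Safe Harbor transformations that the checker above enforces."""
    out = {}
    for field, value in record.items():
        key = field.lower()
        if key in DIRECT_IDENTIFIERS:
            continue  # removed entirely
        if value is None or value == "":
            out[field] = value
            continue
        text = str(value)
        if _is_date_field(key):
            m = _LEADING_YEAR.match(text)
            out[field] = m.group(1) if m else None  # keep the year only
        elif key == "age":
            out[field] = "90+" if text.isdigit() and int(text) > 89 else value
        elif key == "zip":
            # Safe Harbor additionally requires "000" for three-digit areas
            # with 20,000 or fewer people; that lookup is omitted here.
            out[field] = re.sub(r"\D", "", text)[:3]
        else:
            out[field] = value
    return out


# Constructed sample: an admission record with the kind of full admission and
# discharge timestamps the article says were left in the data set.
SAMPLE = {
    "mrn": "000123456",
    "name": "Example Patient",
    "age": 91,
    "zip": "60637",
    "admission_date": "2015-06-02T14:05:00",
    "discharge_date": "2015-06-04",
    "diagnosis_code": "I10",
}

if __name__ == "__main__":
    for problem in safe_harbor_violations(SAMPLE):
        print("violation:", problem)
    cleaned = deidentify(SAMPLE)
    print("cleaned:", cleaned)
    print("residual violations:", safe_harbor_violations(cleaned))
```

Run against the constructed record, the checker reports six problems (the two direct identifiers, the age, the ZIP, and both date fields); after `deidentify` the same checker reports none, and the admission and discharge fields carry only "2015". Note that a record passing this check can still be re-identifiable when joined with outside data, which is the concern the lawsuit raises; Safe Harbor removes listed identifiers, it does not guarantee anonymity.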

Since Google already holds vast quantities of data on individuals, it could potentially tie the UChicago Medicine data to other information to re-identify patients.

The lawsuit claims that since Google acquired DeepMind in 2014, the company has the machine learning technologies to be able to tie medical records to personal information in Google User accounts, although no evidence has been obtained by the law firm to suggest Google has misused any patient data.

“We believe that not only is this the most significant health care data breach case in our nation’s history, but it is the most egregious given our allegations that the data was voluntarily handed over,” said Jay Edelson, founder of Edelson PC, a law firm that specializes in class action lawsuits against tech companies.


5 Million Records Exposed Due to Unsecured MongoDB Marketing Database

A MongoDB database containing the personal records of around 5 million individuals has been left exposed on the internet.

The database contained personal information and health data and belonged to MedicareSupplement.com, a website run by TZ Insurance Solutions which helps individuals find a Medigap insurance plan. Individuals looking for coverage can visit the website to find out more about suitable health plans and can obtain quotes by filling out an online form and entering their personal information.

Researchers from Comparitech and security researcher Bob Diachenko discovered the database on May 13, 2019. The marketing database contains information such as name, address, telephone number, email address, IP address, date of birth, gender, and information relating to health, life, auto, and supplemental insurance. Around 239,000 records included the area of insurance interest.

It is unclear for how long the database was exposed, but it was indexed by the search engine BinaryEdge on May 10, 2019.

The researchers reported the breach to MedicareSupplement.com but no response was received, although the database has now been secured and is no longer accessible.

Because the database required no authentication, anyone who located it could not only read the records but also alter or delete data or plant malicious content on the system.

Summa Health Patients Notified of Data Breach

An unauthorized individual has gained access to the email accounts of several employees of the Akron, OH hospital system Summa Health and potentially viewed or copied patient information.

The email accounts were discovered to have been compromised on May 1, 2019. The Summa Health investigation confirmed that two employee email accounts had been compromised in August 2018, with a further two accounts compromised on March 11 and March 29 as a result of employees responding to phishing emails.

Summa Health hired a leading computer forensics firm to investigate the breach. The company confirmed that the accounts had been accessed and PHI had potentially been viewed. No evidence was uncovered to suggest any patient information was viewed or stolen, but the possibility could not be ruled out.

For the majority of patients, the types of information that were exposed were limited to names, dates of birth, patient account numbers, medical record numbers, and some clinical and treatment information. A small subset of patients also had their Social Security number or driver’s license number exposed.

Summa Health will be implementing additional security measures to prevent further email security breaches and staff will be provided with additional training on privacy and security.

Summa Health has not confirmed how many patients were affected other than saying the breach impacted more than 500 individuals.


2,200 Franciscan Health Patients Notified of Unauthorized PHI Access by Employee

Mishawaka, IN-based Franciscan Health has discovered the protected health information of approximately 2,200 patients has been accessed by a former employee without authorization.

The privacy violation was discovered during a routine privacy audit. Franciscan Health announced that it was confirmed on May 24, 2019 that an employee in the quality research department had accessed the electronic medical records of patients without authorization and with no legitimate work reason for doing so.

The individual concerned is no longer employed by Franciscan Health and the matter has been reported to law enforcement. While unauthorized PHI access was confirmed, Franciscan Health found no evidence to suggest that the employee copied, transmitted, or disclosed any patient information.

Patient information was stored in Franciscan Health’s medical record system, which has been in use since 2012. Through that system, the former employee accessed patient records containing information such as names, addresses, email addresses, dates of birth, phone numbers, gender information, race/ethnicity, last four digits of social security numbers, and medical record numbers.

For certain patients, the following information may also have been accessed: Physician name, diagnoses, lab test results, medications, other treatment information, driver’s license numbers, emergency contact information, and insurance claims information. The records contained the full Social Security numbers of a small subset of patients.

All patients whose protected health information was compromised will be notified by mail and provided with information on how they can sign up for identity theft protection services. Franciscan Health will cover the cost of those services for 2 years.

Medical Records Abandoned Outside Shuttered Chicago Medical Center

City crews have begun a clean up operation to remove boxes of medical records that have been abandoned outside a shuttered medical center in the Chatham area of Chicago, IL.

Boxes of medical records containing sensitive patient information had been dumped outside the former Medical Professional Home Healthcare center.

The Medical Professional Home Healthcare center was run by Carmen Dooley. In April 2017, the state health department license for Dooley and her business expired and was not renewed. The Illinois Department of Public Health visited the property and found it unoccupied with the utilities cut off. The owner of the business could not be contacted, and the agency was decertified by Medicare in 2017.

According to a recent report on CBS, the records had been kept in storage containers on the property. However, the containers were removed and their contents were dumped on site in 5-foot high piles. Some nearby property owners said the records had been there for months and that paperwork containing sensitive information had blown into their yards. According to the report, Dooley had not authorized the removal of the storage containers and was unaware that the records had been abandoned.
