HIPAA Breach News

July 2019 Healthcare Data Breach Report

May 2019 was the worst month on record for healthcare data breaches, with 46 breaches of more than 500 records reported. More breaches were reported in May than in any other month since the HHS’ Office for Civil Rights started publishing breach summaries on its website in 2009. That record was broken in July.

July saw 50 healthcare data breaches of more than 500 records reported to the Department of Health and Human Services’ Office for Civil Rights, which is 13 more breaches than the monthly average for 2019 and 20.5 more breaches than the monthly average for 2018.

July 2019 was the second worst month in terms of the number of healthcare records exposed. 25,375,729 records are known to have been exposed in July.

There are still 5 months left of 2019, yet more healthcare records have been breached this year than in all of 2016, 2017, and 2018 combined. More than 35 million individuals are known to have had their healthcare records compromised, exposed, or impermissibly disclosed this year.

Causes of July 2019 Healthcare Data Breaches


The main reason for the increase in reported data breaches in July is the colossal data breach at American Medical Collection Agency (AMCA). AMCA provides medical billing and collection services and its clients included some of the largest medical testing laboratories in the United States. Those clients have now been lost as a result of the breach.

The final victim count is not yet known, nor the number of records compromised in the breach. To date, 22 healthcare organizations have confirmed they have been affected and more than 24 million records are known to have been exposed. At least 8 healthcare organizations have not yet submitted their breach reports to OCR.

Healthcare Providers Impacted by the American Medical Collection Agency Data Breach

Healthcare Organization                                    Estimated Records Exposed   Confirmed Victim Count
Quest Diagnostics/Optum360                                 11,900,000                  11,500,000
LabCorp                                                    7,700,000                   10,251,784
Clinical Pathology Laboratories                            2,200,000                   1,733,836
CareCentrix                                                500,000                     467,621
American Esoteric Laboratories                             541,900                     409,789
Inform Diagnostics                                         173,617                     173,617
Laboratory Medicine Consultants                            147,600                     140,590
Integrated Regional Laboratories                           29,644                      29,644
Penobscot Community Health Center                          13,000                      13,299
West Hills Hospital and Medical Center / United West Labs  10,650                      10,650
Seacoast Pathology, Inc                                    10,000                      8,992
Arizona Dermatopathology                                   7,000                       5,903
Western Pathology Consultants                              4,550                       4,079
Natera                                                     3,000                       3,035
Sunrise Medical Laboratories                               427,000                     TBC
BioReference Laboratories/Opko Health                      422,600                     TBC
CBLPath Inc.                                               148,900                     TBC
CompuNet Clinical Laboratories                             111,000                     TBC
Austin Pathology Associates                                46,500                      TBC
South Texas Dermatopathology PLLC                          16,100                      TBC
Pathology Solutions                                        13,300                      TBC
Laboratory of Dermatology ADX, LLC                         4,240                       TBC

TBC: the organization has not yet submitted its breach report to OCR, so only the estimated figure is available.


Hacking and IT incidents dominated the breach reports in July with 35 incidents reported. Those breaches resulted in the exposure of 23,203,853 healthcare records. The mean breach size was 662,967 records and the median breach size was 4,559 records; the gap between the two reflects how heavily the AMCA-related reports skew the total.

There were 9 unauthorized access/disclosure incidents in July involving 2,160,699 healthcare records. The mean breach size was 240,077 records and the median breach size was 3,881 records.

There were three theft incidents reported that involved 3,584 records, two loss incidents that exposed 4,593 records, and one improper disposal incident that exposed 3,000 records.

Largest Healthcare Data Breaches in July 2019

Name of Covered Entity                                              Covered Entity Type   Individuals Affected   Type of Breach                   Location of Breached PHI
Optum360, LLC                                                       Business Associate    11,500,000             Hacking/IT Incident              Network Server
Laboratory Corporation of America Holdings dba LabCorp             Healthcare Provider   10,251,784             Hacking/IT Incident              Network Server
Clinical Pathology Laboratories, Inc.                               Healthcare Provider   1,733,836              Unauthorized Access/Disclosure   Network Server
CareCentrix, Inc.                                                   Healthcare Provider   467,621                Hacking/IT Incident              Network Server
Bayamon Medical Center Corp.                                        Healthcare Provider   422,496                Hacking/IT Incident              Network Server
Memphis Pathology Laboratory d/b/a American Esoteric Laboratories   Healthcare Provider   409,789                Unauthorized Access/Disclosure   Network Server
Laboratory Medicine Consultants, Ltd.                               Healthcare Provider   140,590                Hacking/IT Incident              Network Server
Imperial Health, LLP                                                Healthcare Provider   116,262                Hacking/IT Incident              Desktop Computer, Network Server
Puerto Rico Women And Children’s Hospital, LLC                      Healthcare Provider   99,943                 Hacking/IT Incident              Network Server
Ameritas Life Insurance Corp.                                       Health Plan           39,675                 Hacking/IT Incident              Email

Location of Breached Protected Health Information

There was a major increase in network server incidents in July. The rise was due to the AMCA breach but also an uptick in ransomware attacks on healthcare providers. Phishing also continues to pose problems for healthcare organizations. 21 of the breaches reported in July involved PHI stored in email accounts.

The number of reported phishing attacks strongly suggests that many healthcare organizations have still not implemented multi-factor authentication. With MFA enforced, a phished password alone is not enough to sign in to the account remotely. MFA does not stop the phishing itself, and it can be bypassed by attackers who proxy the login session in real time, so it should be paired with monitoring of sign-in and mailbox activity for the signs that an account has already been taken over.
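The following is an added example, not code from HIPAA Journal or from any email provider. It runs the kind of post-compromise checks referred to above over constructed sign-in and mailbox audit events: it measures how many successful sign-ins completed MFA, and flags accounts that signed in without MFA from a country outside their baseline, created an inbox rule shortly afterwards, or sent a burst of outbound mail (the pattern of a phished account being used to send further phishing emails). The event schema, the thresholds, the baseline and the sample events are all assumptions made for this example.

```python
"""Compromise indicators in email sign-in and mailbox audit events.

Added example, not code from HIPAA Journal or any vendor. The event schema
(ts, user, action, ok, mfa, country), the thresholds and the sample events
are all constructed for this example; map the fields from your provider's
sign-in and mailbox audit logs before use.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real data). "bob" is the phished account:
# he never uses MFA, signs in from an unusual country, creates an inbox rule
# and then sends a burst of mail, the pattern seen when a compromised account
# is used to send further phishing emails.
SAMPLE_EVENTS = [
    {"ts": "2019-07-08T08:02:00", "user": "alice", "action": "signin", "ok": True, "mfa": True, "country": "US"},
    {"ts": "2019-07-08T08:05:00", "user": "bob", "action": "signin", "ok": True, "mfa": False, "country": "US"},
    {"ts": "2019-07-08T22:41:00", "user": "bob", "action": "signin", "ok": True, "mfa": False, "country": "NG"},
    {"ts": "2019-07-08T22:43:00", "user": "bob", "action": "new_inbox_rule", "ok": True, "mfa": None, "country": "NG"},
    {"ts": "2019-07-09T09:00:00", "user": "carol", "action": "signin", "ok": False, "mfa": False, "country": "US"},
]
_burst_start = datetime(2019, 7, 8, 22, 50)
SAMPLE_EVENTS += [
    {"ts": (_burst_start + timedelta(seconds=20 * i)).isoformat(), "user": "bob",
     "action": "send", "ok": True, "mfa": None, "country": "NG"}
    for i in range(30)
]

# Assumed per-user baseline of countries seen in normal use.
BASELINE = {"alice": {"US"}, "bob": {"US"}, "carol": {"US"}}


def mfa_coverage(events):
    """Fraction of successful sign-ins that completed MFA (0.0 if none)."""
    ok = [e for e in events if e["action"] == "signin" and e["ok"]]
    return sum(1 for e in ok if e["mfa"]) / len(ok) if ok else 0.0


def analyze(events, baseline, window=timedelta(minutes=60), send_threshold=20):
    """Return {user: [finding, ...]} for accounts showing compromise indicators.

    Rules (all assumptions for this example):
      1. successful sign-in without MFA from a country outside the user's baseline;
      2. inbox rule created within `window` of a non-MFA sign-in;
      3. `send_threshold` or more outbound messages inside one `window`.
    """
    findings = defaultdict(list)
    last_weak_signin = {}             # user -> time of last successful non-MFA sign-in
    recent_sends = defaultdict(list)  # user -> send times inside the current window
    for e in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort lexically
        if not e["ok"]:
            continue
        t, u = datetime.fromisoformat(e["ts"]), e["user"]
        if e["action"] == "signin":
            if e["mfa"]:
                continue
            last_weak_signin[u] = t
            if e["country"] not in baseline.get(u, set()):
                findings[u].append(f"non-MFA sign-in from unusual country {e['country']} at {e['ts']}")
        elif e["action"] == "new_inbox_rule":
            weak = last_weak_signin.get(u)
            if weak is not None and t - weak <= window:
                mins = int((t - weak).total_seconds() // 60)
                findings[u].append(f"inbox rule created {mins} min after non-MFA sign-in")
        elif e["action"] == "send":
            recent_sends[u] = [s for s in recent_sends[u] if t - s <= window] + [t]
            if len(recent_sends[u]) == send_threshold:  # fire once as the threshold is crossed
                findings[u].append(f"{send_threshold} outbound messages within {window} ending {e['ts']}")
    return dict(findings)


if __name__ == "__main__":
    print(f"MFA coverage of successful sign-ins: {mfa_coverage(SAMPLE_EVENTS):.0%}")
    for user, items in analyze(SAMPLE_EVENTS, BASELINE).items():
        print(user)
        for item in items:
            print("  -", item)
```

On the constructed input only the phished account is flagged, with all three indicators, and MFA coverage comes out at one third of successful sign-ins. The coverage figure is the quickest way to see the gap the paragraph above describes; the inbox-rule check matters because forwarding and deletion rules are how attackers keep reading a mailbox after the password is reset.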

July 2019 Healthcare Data Breaches by Covered Entity Type

Healthcare providers were the worst affected covered entity in July with 39 breaches reported. Three health plans reported breaches and there were 8 breaches reported by business associates of HIPAA covered entities. A further 18 healthcare data breaches had some business associate involvement.

July 2019 Healthcare Data Breaches by State

July’s 50 data breaches were spread across 26 states and Puerto Rico. Typically, California experiences the most data breaches in any given month due to the number of healthcare organizations based in California; however, California only saw one healthcare data breach reported in July.

Minnesota was the worst affected state with 6 reported breaches. Four breaches each were reported by healthcare organizations based in Michigan, Pennsylvania, and Texas. Three breaches each were reported in Nevada and Tennessee, and two breaches each in North Carolina, Ohio, Wisconsin, and Puerto Rico.

One breach was reported in each of Alabama, Arkansas, Arizona, California, Connecticut, Georgia, Kentucky, Louisiana, Massachusetts, Maryland, Maine, Missouri, Nebraska, New Hampshire, New York, Oregon, and South Carolina.

HIPAA Enforcement Activity in July 2019

It has been a relatively quiet year for HIPAA enforcement by the HHS’ Office for Civil Rights. While there were two settlements agreed in May 2019 to resolve HIPAA violations, no further financial penalties have been announced.

State Attorneys General also have the authority to take action against healthcare organizations that have violated HIPAA Rules. July saw one settlement reached between Premera Blue Cross and 30 state attorneys general over its 10.4 million-record data breach in 2014.

Under the terms of the settlement agreement, Premera Blue Cross is required to pay a financial penalty of $10,000,000 to resolve the HIPAA violations discovered during the Washington Attorney General-led investigation.

In addition to the $10 million penalty, Premera Blue Cross settled a class action lawsuit for $74 million. $32 million will cover claims from breach victims and $42 million will be directed toward improving cybersecurity.

The post July 2019 Healthcare Data Breach Report appeared first on HIPAA Journal.

Phishing Attack on Presbyterian Healthcare Services Exposed PHI of 183,000 Patients

The Albuquerque, NM-based not-for-profit health system, Presbyterian Healthcare Services, has experienced a phishing attack that saw the email accounts of several employees subjected to unauthorized access.

The phishing attack was discovered by Presbyterian Healthcare Services on June 6, 2019. The breach investigation revealed the email accounts were compromised a month previously, on or around May 9, 2019.

Upon discovery of the breach, all affected email accounts were secured to prevent further access. An analysis of the compromised email accounts revealed they contained the protected health information (PHI) of 183,370 individuals. Compromised PHI was limited to names, dates of birth, Social Security numbers, and clinical and health plan information. Affected individuals have been advised to check their statements from their providers and health plans for signs of misuse of their personal information.

Presbyterian Healthcare Services has implemented additional safeguards to protect its email system and all employees will be required to undergo annual cybersecurity training. Employees will also be sent regular reminders about safeguarding PHI and avoiding phishing scams.

Lost Thumb Drive Contained PHI of 27,000 Renown Health Patients

27,004 patients of Reno, NV-based Renown Health are being notified that some of their protected health information was saved on an unencrypted thumb drive that has been declared lost.

The device contained information such as patient names, diagnoses, medical record numbers, clinical information, dates of admission, and physician’s names. The breach was limited to patients who had received inpatient services at Renown South Meadows Medical Center between January 1, 2012 and June 14, 2019.

The drive is believed to have been lost on June 30, 2019. The employee who reported the device missing was questioned, and a thorough search was conducted, but the portable storage device could not be located.

Renown Health is reviewing its policies concerning the use of portable storage devices and will be reeducating its employees on safeguarding PHI.

Massachusetts General Hospital Data Breach Impacts 10,000 Patients

Massachusetts General Hospital (MGH) has discovered computer applications used by researchers in its Department of Neurology have been subjected to unauthorized access. The individual responsible would have been able to access the protected health information of approximately 10,000 patients.

MGH discovered the breach on June 24, 2019 and immediately terminated access to the applications and databases. An investigation was launched, and a forensic investigator was engaged to help determine the nature and scope of the breach. The investigation confirmed that two applications had been subjected to unauthorized access between June 10 and June 16, 2019.

Via the applications, the unauthorized individual would have been able to view information in databases related to specific neurology research studies. The types of information in the databases varied from patient to patient and may have included: Name, marital status, age, date of birth, sex, race, ethnicity, dates of visits and tests, medical record number, diagnoses, treatment information, biomarkers, genetic information, assessments and results, and other research information, including date of death and details of autopsy results. Highly sensitive information such as Social Security numbers, financial information, and health insurance information were not exposed.

Based on the findings of the investigation and the nature of the information exposed, MGH does not believe affected individuals need to take any steps to protect their identities. MGH will conduct a review of its security processes for research programs and will take steps to improve security to prevent similar breaches in the future.

Sonoma Valley Hospital Website Hack Forces Domain Change

Sonoma Valley Hospital in California has been forced to abandon its three-letter domain name after hackers took control of the domain.

The attack occurred on August 6. Hackers gained access to its svh.com domain and locked out the hospital. The hospital issued a statement saying it had become clear that the domain could not be recovered so the decision was taken to move to a new domain.

Internet connectivity and email accounts have now been migrated to sonomavalleyhospital.org. Patients have been advised to update their contact details for the hospital as emails sent to email addresses on the old domain are not being received.

No patient information was compromised in the attack, but that does not mean patients are not at risk. The individuals who now control the domain can send email that appears to come from the hospital and use it in phishing attacks on Sonoma Valley Hospital patients, and they can receive any mail patients still send to addresses on the old domain. Multi-factor authentication on the registrar account and a registrar or registry lock on the domain are the controls that prevent this kind of takeover.

According to the hospital, the impact of the domain theft cannot be overstated. The hospital will have to change all printed material, including business cards, letterheads, marketing material, and branding.

Rhode Island Healthcare Provider Hacked: 3,000 Records Potentially Compromised

Rhode Island Ear, Nose and Throat Physicians Inc. (RIENT) is notifying 2,943 patients that some of their health information was stored on a server which was subjected to unauthorized access on June 19, 2019 when a hacker gained access to its network.

The breach was detected the same day and the network was secured. A third-party computer forensics firm was hired to assist with the investigation and help determine the nature and extent of the breach.

The compromised servers did not contain the medical records of all patients, only records of patients who received medical services between May 1, 2019 and June 12, 2019.  The forensic investigation did not uncover any evidence to suggest patient information was viewed or copied and no reports have been received to suggest patient information has been misused.

For the majority of affected patients, the breach was limited to names, dates of birth, and clinical information. A small subset of patients also had their Social Security number exposed.

Patients whose Social Security number was exposed have been offered complimentary credit monitoring and identity theft protection services. RIENT is implementing additional technical safeguards to improve its security posture and prevent similar attacks in the future.

California Hospice Suffers Ransomware Attack

The Hospice of San Joaquin in Stockton, CA has announced that on July 2, 2019, hackers installed ransomware on its network and gained access to servers hosting the protected health information of some of its patients.

While the attackers had access to patient information, the hospice does not believe any personal information has been viewed, stolen, or misused by the attackers.

Since unauthorized data access and theft could not be ruled out with a high degree of certainty, patients have been notified about the breach. Individuals affected by the breach had their full name exposed along with their home address, patient ID number, diagnoses, and other sensitive information.

The hospice has already implemented additional security measures to prevent similar attacks in the future.

Medical Records of Western Connecticut Health Network Patients Exposed

Nuvance Health has started notifying certain Western Connecticut Health Network (WCHN) patients that some of their protected health information has been exposed.

On June 11, 2019, WCHN sent a box of medical records to the Connecticut State Department of Public Health. The package was sent via the U.S. Postal Service (USPS), but the package was damaged in transit, exposing the contents of the package.

WCHN was notified and retrieved the damaged package from the USPS. A spokesperson for WCHN said there was no indication that any information had been removed and misused and that the package did not appear to have left the custody of the USPS until it was collected by WCHN personnel.

WCHN has now changed its procedures for sending protected health information to ensure similar incidents are prevented in the future. Patients were notified on August 19, 2019.

The types of information in the records were limited to names, addresses, dates of birth, provider names, medical record numbers, diagnosis dates, diagnoses, and medical test results.

4,000 Arizona State University Students Notified of Impermissible PHI Disclosure

Arizona State University (ASU) is notifying approximately 4,000 students that their email addresses, and in some cases their name, have been impermissibly disclosed as a result of a recent mailing error.

The students were sent emails in late July about renewing their health insurance. The email addresses should have been hidden but were visible to other students who were sent the mailing.

When the error was discovered, ASU deleted 2,540 of the messages and said 1,130 messages had not been read.

ASU is reviewing its policies and procedures and will take steps to prevent incidents such as this from happening in the future.

30K Integrated Regional Laboratories Patients Impacted by AMCA Breach

Integrated Regional Laboratories (IRL) in Florida is notifying approximately 30,000 patients that their protected health information (PHI) was potentially compromised in the American Medical Collection Agency (AMCA) data breach discovered on March 20, 2019.

On June 3, 2019, AMCA notified IRL about its security breach and confirmed on June 13, 2019 that the PHI of IRL patients had been exposed.

IRL posted a breach notice on its website on July 30, and patients are being notified. IRL stopped sending patient information to AMCA when the breach was discovered, and the company is no longer using AMCA’s services. AMCA has been instructed to securely destroy all copies of any IRL patients’ PHI.

According to the breach summary on the HHS’ Office for Civil Rights website, 29,644 patients were affected by the breach.

Over the past few days, the breach summaries of several victims of the AMCA breach have been added to the OCR’s breach portal. HIPAA Journal has been tracking breach reports and has identified 22 HIPAA-covered entities that have been affected by the breach.

So far, 24,739,540 records have been confirmed as having been exposed. The breach reports of 9 victims have yet to be added to the OCR breach portal, but based on provisional figures, the final victim count is likely to exceed 26 million.

Mid-Valley Behavioral Care Network Phishing Attack Impacts Almost 11,000 Patients

Salem, OR-based Mid-Valley Behavioral Care Network (BCN) has discovered two email accounts used by employees have been subjected to unauthorized access. The data breach was detected on June 26, 2019 and the investigation revealed the accounts were compromised for a period of around 24 hours.

BCN manages care for members of the Willamette Valley Community health plan. The protected health information of 10,710 members of the WVCH plan was exposed, as well as the personal information of 2,092 Oregon Health Plan providers.

It was not possible to determine whether emails in the account were accessed or if any PHI was stolen. Notification letters were sent to affected members on August 9, 2019. Additional safeguards have now been implemented to prevent any further breaches.

Hacked Server Contained PHI of 1,938 Bayview Dental Patients

Bayview Dental is alerting 1,938 of its patients that their protected health information was stored on a server that was subjected to unauthorized access.

Suspicious activity was detected on the server on May 28, 2019 and forensic experts were called in to investigate a potential breach. On July 4, 2019, Bayview Dental was informed by the forensic investigators that the protected health information of certain patients may have been accessed. It was not possible to determine whether any patient information was viewed or copied by the attacker.

Affected patients had the following information exposed: Name, address, phone number, date of birth, dental insurance information, medical/dental history information and, in certain cases, Social Security number.

Affected individuals have been notified and offered complimentary credit monitoring services for 12 months. Bayview Dental has implemented additional safeguards to prevent further cyberattacks and staff have been provided with additional training on data privacy and security.

PHI Exposed in Phishing Attacks on Michigan Medicine and Virginia Gay Hospital

Approximately 5,500 patients of Michigan Medicine are being notified that some of their protected health information has been exposed in a recent phishing attack.

In July, Michigan Medicine employees were targeted in a large-scale phishing campaign. 3,200 Michigan Medicine employees received phishing emails containing a hyperlink to a legitimate-looking web page that requested the user’s email login credentials.

Three employees responded to the emails and disclosed their credentials. Those accounts were subjected to unauthorized access and were used to send further phishing emails. Michigan Medicine detected suspicious activity in the email accounts on July 8, 9 and 12, 2019 and performed a password reset to prevent any further unauthorized access. As a precaution, the passwords were also reset on the email accounts of all employees who received one of the phishing emails.

Two of the accounts were discovered to contain patient information. In addition to a patient’s name, one or more of the following may have been compromised: Address, date of birth, medical record number, diagnostic information, treatment information, health insurance information and, for a small number of patients, Social Security number.

No evidence was uncovered to suggest patient information was viewed or copied; however, since data theft cannot be ruled out, Michigan Medicine has assumed that patient information has been compromised.

Affected patients have been offered complimentary credit monitoring services and have been advised to monitor their accounts and statements from insurers for signs of fraudulent activity.

Michigan Medicine is implementing additional technical safeguards to enhance email security and will be retraining employees to improve security awareness.

PHI of Patients Exposed in Virginia Gay Hospital Phishing Attack

Virginia Gay Hospital in Vinton, IA, is notifying certain patients that some of their protected health information may have been accessed by an unauthorized individual who gained access to the email account of an employee on June 18, 2019.

The hospital called in a computer forensics company which determined that the compromised email account contained information such as names, dates of birth, Social Security numbers, and medical information of individuals who received outpatient services at the hospital. No evidence was uncovered to suggest patient information was viewed or copied.

Patients affected by the breach are now being notified. It is currently unclear how many individuals had their PHI exposed.

Ohio Eye Care Provider Suffers Ransomware Attack

Eye Care Associates, a fully integrated regional eye care provider in northeast Ohio, experienced a ransomware attack in late July which took its computer systems out of action. Two weeks after the attack occurred, its computer systems remain locked.

According to Director of Operations, Mary Jo Silva, the attack occurred in the early hours of July 28, 2019. The Beaver Township Police Department was notified about the attack and the board was informed.

A ransom demand was received, but no amount was stated on the demand. Contact with the attackers would have been required to find out how much they wanted. Silva said no contact was made with the attackers and no payment was made. Eye Care Associates has been working with its backup and file storage service provider to recover all encrypted files. Silva expects systems to be brought back online in the next couple of days. An investigation into the attack has uncovered no evidence to suggest patient information was stolen. The Business Journal reports that the ransomware was delivered via email.

The attack has caused considerable disruption at the practice. It has not been possible to book new appointments for two weeks as the appointment system has been down. The practice has also had to rely on paper records when providing treatment to patients.

Multiple Email Accounts Compromised in NCH Healthcare System Phishing Attack

Naples, FL-based NCH Healthcare System has experienced a phishing attack in which patient information may have been compromised.

NCH Healthcare identified suspicious activity in its payroll system on June 14, 2019 and called in third party computer forensics experts to investigate the breach. The investigation revealed the email accounts of several employees had been compromised as a result of responses to phishing emails.

It is possible that patient information in emails and email attachments could have been accessed or copied by the attackers. Patients have been notified about the breach and have been advised to monitor their accounts and explanation of benefits statements for any signs of fraudulent activity.

It is unclear at this stage how many patients have been affected by the breach.

Hackers Demand $1 Million Ransom from Washington Hospital

A ransomware attack on an Aberdeen, WA-based hospital and its associated clinics is still causing problems two months after the attack occurred. The attackers have demanded $1 million for the keys to unlock the encryption.

On June 15, 2019, Grays Harbor Community Hospital started experiencing IT problems. The attack occurred on a Saturday when staffing was limited so initially the problem was attributed to an IT issue. On Monday it became apparent that ransomware was involved and steps were taken to isolate the infection and secure the network; however, the attackers had already moved laterally and had gained access to servers and the systems used by Harbor Medical Group clinics. The initial point of attack appears to have been a response to a phishing email by a single employee.

Harbor Medical Group operates 8 clinics in the Aberdeen and Hoquiam region, and those clinics were the worst affected by the attack. Grays Harbor Community Hospital used older software, which prevented the ransomware from being installed on the hospital’s main computer system. The clinics used more recent software, which allowed the attackers to infect more systems. Those systems are still down at the clinics, which are using pen and paper to record patient information.

A spokesperson for the hospital said patient care has not been affected. The hospital is continuing to provide emergency care to patients and appointments are going ahead as scheduled. There have been some delays to appointments and there are still issues accessing patient information. Patients have been told to bring details of their prescriptions and their medical histories and to make that information available at point of care.

The hospital had created backups, but it was not possible to recover files because the backups had also been encrypted. Backups that the same credentials and network can reach offer no protection against ransomware, which is why at least one copy should be kept offline or on immutable storage and restore-tested. As of August 13, 2019, the hospital still had not regained access to its files. The attack has been reported to the FBI and the hospital is assisting with its investigation.

The hospital had previously taken out a cybersecurity insurance policy for $1 million, which may cover the ransom payment. It is unclear whether the ransom has been paid.

No evidence of data access or theft was found, but the possibility could not be discounted. Affected patients had the following information exposed: Full name, address, phone number, date of birth, Social Security number, insurance information, diagnoses, and treatment information.

The hospital has started notifying the 85,000 patients affected by the breach and each has been offered complimentary credit monitoring services. Security measures are being assessed at the hospital and medical group and additional hardware and software solutions will be implemented as appropriate to improve security. Employees will also be provided with additional training.
