HIPAA Breach News

Up to 7.7 Million Patients of LabCorp Impacted by AMCA Breach

Following the news that the data breach at American Medical Collection Agency (AMCA) exposed the records of 11.9 million Quest Diagnostics patients, comes news of another healthcare company that has been affected by the breach.

On June 4, 2019, LabCorp, another national network of blood testing centers, announced that 7.7 million individuals whose blood samples were processed by the company may have had their sensitive information exposed.

As was the case with Quest Diagnostics, LabCorp disclosed the breach through a U.S. Securities and Exchange Commission (SEC) filing. LabCorp said it had been notified by AMCA that its data had also been exposed as a result of the cyberattack on AMCA’s web payment portal, which saw hackers gain access to the system between August 1, 2018 and March 30, 2019. LabCorp said AMCA held data on 7.7 million of its customers.

According to the AMCA website, the company manages more than $1 billion in annual receivables for a diverse client base, which includes “laboratories, hospitals, physician groups, billing services, and medical providers all across the country.”

It is therefore unsurprising that another healthcare organization has announced that it too has been impacted by the data breach at AMCA. It is likely that over the coming days and weeks there will be several further announcements by healthcare organizations that have also been impacted by the breach.

The number of healthcare records known to have been exposed is now 19.6 million and only two healthcare companies have so far announced that they have been affected.

The LabCorp data did not include Social Security numbers, unlike Quest Diagnostics, but did include names, addresses, phone numbers, dates of birth, dates of service, provider information, balance information, and some banking and credit card information. LabCorp notes that no diagnostic information, medical test results, or insurance information were provided to AMCA. As was the case with Quest Diagnostics, LabCorp has stopped using AMCA for billing collections.

Around 200,000 individuals whose financial information was exposed are being notified by AMCA and have been offered 2 years of credit monitoring and identity theft protection services. LabCorp has not yet received full details on the individuals who have been impacted by the breach, so notifications to other customers cannot yet be issued.

As reported yesterday, Gemini Advisory discovered around 200,000 credit cards listed for sale on a darknet marketplace and tipped off AMCA to the breach. Those credit card numbers were not from LabCorp customers as the data set included Social Security numbers, which were not provided by LabCorp to AMCA.

The post Up to 7.7 Million Patients of LabCorp Impacted by AMCA Breach appeared first on HIPAA Journal.

AMCA Data Breach Impacts 12 Million Quest Diagnostics Patients

A hacker has gained access to the systems of Elmsford, NY-based billing collections company American Medical Collection Agency (AMCA) and potentially viewed and copied the protected health information of 11.9 million patients of Quest Diagnostics.

Quest Diagnostics is one of the largest blood testing laboratories in the United States but is just one entity that uses AMCA services. It is possible that the breach could be much larger and impact patients of other healthcare organizations. At almost 12 million records, it is already the second largest healthcare data breach ever to be reported, behind Anthem’s 78.8 million record data breach of 2015.

The data breach first came to light in May 2019 when researchers at Gemini Advisory notified databreaches.net that they had discovered the payment card details of around 200,000 patients listed for sale on a darknet marketplace. Gemini Advisory determined that the credit card details came from AMCA and appeared to have been obtained between September 2018 and March 2019.

Gemini Advisory notified AMCA about the potential breach, although no response was received. The matter was then reported to law enforcement, which contacted AMCA to confirm that a breach had occurred.

AMCA provides billing collection services to Optum360, which is a business associate of Quest Diagnostics and a unit of the health insurer UnitedHealth Group. AMCA notified Quest Diagnostics and the revenue cycle management vendor Optum360 about the breach on May 14, 2019.

AMCA said a breach had occurred that resulted in the exposure of patient data between August 1, 2018 and March 30, 2019. Computer forensics experts have been retained to investigate the breach and determine exactly how many patients have been affected; the investigation is ongoing. AMCA suspects around 11.9 million Quest patients have been impacted by the breach. AMCA also confirmed the compromised system contained data from entities other than Quest Diagnostics.

The hackers gained access to systems containing information such as names, personal information, Social Security numbers, financial information, and medical information, although no laboratory test results were compromised.

While Quest Diagnostics and Optum360 have been made aware of the scale of the breach, they have not yet received full information about the patients that have been affected. Quest Diagnostics also said it has not yet been able to verify the accuracy of the information provided by AMCA.

Quest Diagnostics has issued a statement saying it is working closely with Optum360 and will send notification letters to all affected individuals when AMCA provides full details of the breach.

7 Month Data Breach Discovered by Communities Connected for Kids

Port St. Lucie, FL-based Communities Connected for Kids (CCK) has discovered that an unauthorized individual gained access to databases containing the protected health information of child clients, their parents, and staff members.

The breach was identified when suspicious activity was detected in the databases by one of its third-party vendors. An external computer forensics expert was hired to conduct an investigation which revealed access to the databases was first gained in August 2018. The breach was detected in March 2019 and access to the databases was promptly blocked.

During the 7 months that the individual had access to the databases, a range of sensitive information was potentially viewed and downloaded.

The information exposed varied from individual to individual, but may have included name, contact information, date of birth, Social Security number, financial information, family information, Medicaid number, medical record number, prescription information, health insurance information, and medical and clinical information such as diagnoses and treatment information.

According to the breach report submitted to the Department of Health and Human Services’ Office for Civil Rights, 501 individuals were impacted by the breach. That figure may rise, as CCK is still conducting a review of the databases to determine the individuals whose information has been exposed. Once all individuals have been identified, notification letters will be sent, and affected individuals will be provided with free identity theft protection services.

CCK has identified the vulnerabilities which were exploited to gain access to the databases and is working hard to address those issues to ensure that security is improved and further breaches are prevented.

New York Health and Human Services Agency Breach Impacts 1,000 Individuals

People Inc., a not-for-profit health and human services agency in Western New York which provides services to seniors and individuals with developmental disabilities, has experienced a phishing attack that has impacted approximately 1,000 individuals.

An investigation was launched on February 19, 2019 following the discovery of unauthorized access to its systems. A forensic investigation confirmed that an unauthorized individual had gained access to two employee email accounts after they responded to phishing emails.

Emails and attachments in the compromised accounts were discovered to include protected health information, including names, addresses, Social Security numbers, insurance information, driver’s license numbers, government ID numbers, medical information and financial information. At this stage, no information has been received to suggest any patient information has been misused.

People Inc. is offering affected individuals free credit monitoring services for one year. The HHS will be notified when People Inc. has confirmed the exact number of individuals affected. The FBI has already been notified about the breach.

Health Quest Patients Notified of Historic Phishing Breach

Health Quest has announced it has suffered a phishing attack that has resulted in the exposure of certain patients’ protected health information.

The breach affected its affiliates Health Quest Medical Practice, Health Quest Urgent Care and Hudson Valley Newborn Physician Services, and the exposed information related to medical services provided to patients of those affiliates.

According to the breach notice on the Health Quest website, on April 2, 2019, Health Quest learned that patient information was contained in emails and email attachments in several employee email accounts that had been compromised as a result of a phishing attack.

Compromised protected health information included names, diagnoses, treatment information, dates of service, provider names, health insurance claims information and other information related to services received between January 2018 and June 2018.

When the breach was detected, the accounts were secured, and a leading cybersecurity firm was engaged to assist with the investigation. Health Quest has since implemented multi-factor authentication and has strengthened email security to prevent further breaches. Breach notification letters are being mailed to affected individuals and should be received by June 10, 2019.

While the time frame for sending notifications appears to be in line with HIPAA requirements (April to June), the phishing attack actually occurred and was detected in July 2018.

According to Health Quest, “On January 25, 2019, Health Quest Affiliates identified email attachments that contained certain health information, and on April 2, 2019, were determined to contain patient information.”

Notification letters were therefore sent 11 months after the email accounts were compromised, and five months after it was first determined that some health information had been exposed. It is unclear why it took so long to determine that the compromised accounts contained PHI.

Breach Reporting Delays Can Prove Costly

Several breaches reported recently occurred many months before they were announced, with notifications only being issued after the investigations had been completed.

Naturally, it is not possible to send notifications to affected individuals until those individuals have been identified, but the HHS is quite clear about the requirement to report breaches promptly and within 60 days of the discovery of the breach.

The discovery date is the date when the breach is discovered, not the date when the total number of individuals affected has been determined. OCR notifications are required within 60 days and addenda can be added to the breach reports when further information becomes available, such as the total number of affected individuals.

State attorneys general and OCR have taken action against organizations in the past over delayed breach notifications and have issued regulatory fines.

Data Breaches Reported by TriHealth, Centura Health, and Columbus Community Hospital

The Cincinnati-based health system TriHealth is alerting 2,433 patients about an impermissible disclosure of their protected health information (PHI) to a student mentee.

The student was acting under the direct supervision of a former TriHealth physician and accessed patient information for a potential research project. On June 8 and June 9, 2018, the student was provided with patient information including first and last names, dates of birth, ethnicity, life status, cancer diagnosis information, and zip codes.

TriHealth does not believe that there were any further uses or disclosures of patient information nor that any patient information has been misused. PHI was accessed solely in relation to the potential research project.

Since the student was not an approved TriHealth workforce member, access to patient information was prohibited. As such, this was an impermissible disclosure of patient information which required breach notifications to be issued to affected patients. Those notification letters have now been sent.

In its website breach notice, TriHealth said all employees are educated on the hospital’s privacy policies when they are hired and are required to undergo annual re-training. In the event of a violation of hospital policy, corrective action is taken which can include discharge from employment. That process was followed in this case.

Centura Health Email Compromise Impacts 7,515 Patients

The Centennial, CO-based health system Centura Health is alerting 7,515 patients about an email security incident that exposed some of their PHI.

Centura Health discovered the breach on April 16, 2019 and promptly secured the affected email account. A forensic investigation confirmed that the account had been accessed by an unauthorized individual who may have viewed or obtained patient information contained in emails and email attachments. No evidence was uncovered to suggest PHI has been accessed, stolen, or misused, but patients are being notified as a precaution. Notification letters started being sent on May 22, 2019.

Patients affected by the breach had some or all of the following information exposed: Name, date of birth, demographic information, medical record number, account number, dates of service, treating physician, services received, medical device supplied, and other clinical information. No health insurance information, financial data, or Social Security numbers were exposed.

Centura Health has taken steps to reduce the risk of further email security breaches, including re-educating the workforce on email security, establishing and using strong passwords, and strengthening email security protections.

Phishing Attack Reported by Columbus Community Hospital

Columbus Community Hospital in Columbus, WI, is alerting certain patients that some of their PHI has been exposed as a result of a phishing attack on one of its business associates.

On April 8, 2019, the claims management service provider OS, Inc., notified Columbus Community Hospital that an unauthorized individual had gained access to the email account of one of its employees and may have viewed patient information.

The information in the compromised account includes names, hospital account numbers, insurer names, summaries of charges, and categories of service. A limited number of patients also had their insurance ID number and/or Social Security number exposed. No evidence of data access, theft, or misuse has been identified to date.

OS, Inc. provides claims management services to several hospitals. It is currently unclear whether the breach was limited to Columbus Community Hospital or if patients of other hospitals have also been affected.

The breach has yet to appear on the HHS’ Office for Civil Rights website so it is not yet known how many individuals have been affected.

Multi-State Action Results in $900,000 Financial Penalty for Medical Informatics Engineering

Medical Informatics Engineering (MIE) is required to pay a financial penalty of $900,000 to resolve a multi-state action over HIPAA violations related to a breach of 3.9 million records in 2015. The announcement comes just a few days after the HHS’ Office for Civil Rights settled its HIPAA violation case with MIE for $100,000.

MIE licenses a web-based electronic health record application called WebChart and its subsidiary, NoMoreClipboard (NMC), provides patient portal and personal health record services to healthcare providers that allow patients to access and manage their health information. By providing those services, MIE and NMC are business associates and are required to comply with HIPAA Rules.

Between May 7 and May 26, 2015, hackers gained access to a server containing data related to its NMC service. Names, addresses, usernames, passwords, and sensitive health information were potentially accessed and stolen.

A lawsuit was filed in December 2018 alleging MIE and NMC had violated state laws and several HIPAA provisions. Sixteen state attorneys general were named as plaintiffs in the lawsuit: Arizona, Arkansas, Connecticut, Florida, Indiana, Iowa, Kansas, Kentucky, Louisiana, Michigan, Minnesota, Nebraska, North Carolina, Tennessee, West Virginia, and Wisconsin.

The plaintiffs’ investigation into the breach revealed hackers had exploited several vulnerabilities, MIE had poor password policies in place, and security management protocols had not been followed.

Under the terms of the consent judgement, in addition to the financial penalty, MIE must implement and maintain an information security program and deploy a security incident and event monitoring (SIEM) solution to allow it to detect and respond quickly to cyberattacks.

Data loss prevention technology must be deployed to prevent the unauthorized exfiltration of data, controls must be implemented to prevent SQL injection attacks, and activity logs must be maintained and regularly reviewed.

Password policies must be implemented that require the use of strong, complex passwords, and multi-factor authentication and single sign-on must be used on all systems that store or are used to access ePHI.

Additional controls need to be implemented covering the creation of accounts that have access to ePHI. MIE must refrain from using generic accounts that can be accessed via the Internet and no generic accounts are allowed to have administrative privileges.

MIE is also required to comply with all the administrative and technical safeguards of the HIPAA Security Rule and states’ deceptive trade practices acts with respect to the collection, maintenance, and safeguarding of consumers’ protected health information. Reasonable security policies and procedures must be implemented and maintained to protect that information. MIE must also provide appropriate training to all employees regarding its information security policies and procedures at least annually.

In addition, MIE is required to engage a third-party professional to conduct an annual risk analysis to identify threats and vulnerabilities to ePHI each year for the next five years. A report of the findings of that risk analysis and the recommendations must be sent to the Indiana Attorney General within 180 days and annually thereafter.

The consent judgement has been agreed by all parties and resolves the alleged HIPAA violations and violations of state laws. The consent judgement now awaits court approval. The consent judgement can be found on the website of the Florida Office of the Attorney General (PDF).

Medical Informatics Engineering Settles HIPAA Breach Case for $100,000

Medical Informatics Engineering, Inc. (MIE) has settled its HIPAA violation case with the HHS’ Office for Civil Rights for $100,000.

MIE, an Indiana-based provider of electronic medical record software and services, experienced a major data breach in 2015 at its NoMoreClipboard subsidiary.

Hackers used a compromised username and password to gain access to a server that contained the protected health information (PHI) of 3.5 million individuals. The hackers had access to the server for 19 days between May 7 and May 26, 2015. A total of 239 of its healthcare clients were impacted by the breach.

OCR was notified about the breach on July 23, 2015 and launched an investigation to determine whether it was the result of non-compliance with HIPAA Rules.

OCR discovered MIE had failed to conduct an accurate and thorough risk analysis to identify all potential risks to the confidentiality, integrity, and availability of PHI prior to the breach – a violation of the HIPAA Security Rule, 45 C.F.R. § 164.308(a)(1)(ii)(A).

As a result of that failure, there was an impermissible disclosure of 3.5 million individuals’ PHI, in violation of 45 C.F.R. § 164.502(a).

MIE chose to settle the case with OCR with no admission of liability. In addition to paying a financial penalty, MIE has agreed to adopt a corrective action plan that requires a comprehensive, organization-wide risk analysis to be conducted and a risk management plan to be developed to address all identified risks and reduce them to a reasonable and acceptable level.

“Entities entrusted with medical records must be on guard against hackers,” said OCR Director Roger Severino. “The failure to identify potential risks and vulnerabilities to ePHI opens the door to breaches and violates HIPAA.”

While the settlement releases MIE from further actions by OCR over the above violations of HIPAA Rules, MIE is not out of the woods yet. In December 2018, a multi-state lawsuit was filed against MIE by 12 state attorneys general over the breach.

The lawsuit alleged there was a failure to implement adequate security controls, that known vulnerabilities had not been corrected, encryption had not been used, security awareness training had not been provided to staff, and there were post-breach failures at MIE. That lawsuit has yet to be resolved. It could well result in a further financial penalty for MIE.

This is OCR’s second financial penalty of 2019. Earlier this month, a $3,000,000 settlement was agreed with Touchstone Medical Imaging to resolve multiple HIPAA violations, several of which were related to the delayed response to a data breach.

Boxes of Records of Today’s Vision Patients and Employees Discovered in Texas Dumpster

Thousands of medical records have been found abandoned in a publicly accessible dumpster in Texas. The boxes contain records of Today’s Vision patients and employees and include paperwork containing highly sensitive information.

Today’s Vision has more than 50 independently owned and operated optometry clinics throughout Texas. Most of the records appear to have come from Today’s Vision in Willowbrook in northwest Houston. The Willowbrook location is no longer operational and was sold to MyEyeDr three months ago.

Dr. Donald Glenz owned and ran both the Willowbrook and Tomball Today’s Vision offices prior to the sale to MyEyeDr in February. Dr. Glenz is unaware how the files came to be dumped and who is responsible, and told KPRC that the incident is being investigated to determine who was responsible. Before records are discarded they are usually shredded in accordance with HIPAA requirements, but that did not occur in this instance. Today’s Vision executive director Greg Watson described the discovery as ‘disturbing.’

The incident is also being investigated by MyEyeDr and the Department of Health and Human Services is working closely with the police department and is investigating the HIPAA violation.

Over 20 boxes of records were discovered in a dumpster behind the strip mall in Tomball, which is several miles away from the offices where the records were held. The boxes have been recovered by Tomball Police department and are being securely stored.

The records appear to relate to patients who received vision services between 1997 and 2013 and staff who worked at the Willowbrook location in the same time period.

The types of information in the paperwork include names, addresses, phone numbers, payment information, insurance information, limited health histories, and Social Security numbers. Employee information includes work-related information such as resumes, immigration status, vacation requests, payment information, and some personal information.

PHI of 1.5 Million Individuals Exposed Online by Inmediata

In April, Inmediata, a provider of clearinghouse services to healthcare organizations, announced that the protected health information of certain patients had been exposed online as a result of a misconfigured setting on an internal web page.

The incident has now been reported to the Department of Health and Human Services’ Office for Civil Rights. The breach report indicates 1,565,338 individuals had their PHI exposed. That makes the data breach the largest to be reported in 2019.

The information had been made available to employees through an internal web page, but the failure to configure that page correctly allowed the data to be made accessible over the internet without the need for authentication. The page was indexed by Google and patient information could be found through online searches.

The information had been provided by hospitals, health plans, and independent physicians and included names, addresses, dates of birth, gender, claims data and, for a small number of patients, Social Security numbers.

Inmediata immediately deactivated the web page when it was discovered that patient information had been exposed and a computer forensics firm was retained to conduct an investigation to determine whether any patient information had been accessed by unauthorized individuals during the time it was available online.

While the investigation did not uncover any evidence to suggest that information had been accessed or copied by unauthorized individuals, it was not possible to rule out unauthorized data access entirely.

Inmediata started sending breach notification letters to affected individuals on April 22, 2019. As if suffering such a large data breach was not bad enough, there were further impermissible disclosures of protected information in the breach response.

Individuals reported receiving breach notification letters addressed to other individuals. In addition, several individuals complained that it was not made clear who the company was and why it had their personal information.
