HIPAA Breach News

5 Million Records Exposed Due to Unsecured MongoDB Marketing Database

A MongoDB database containing the personal records of around 5 million individuals has been left exposed on the internet.

The database contained personal information and health data and belonged to MedicareSupplement.com, a website run by TZ Insurance Solutions which helps individuals find a Medigap insurance plan. Individuals looking for coverage can visit the website to find out more about suitable health plans and can obtain quotes by filling out an online form and entering their personal information.

Researchers from Comparitech and security researcher Bob Diachenko discovered the database on May 13, 2019. The marketing database contains information such as name, address, telephone number, email address, IP address, date of birth, gender, and information relating to health, life, auto, and supplemental insurance. Around 239,000 records included the area of insurance interest.

It is unclear for how long the database was exposed, but it was indexed by the search engine BinaryEdge on May 10, 2019.

The researchers reported the breach to MedicareSupplement.com but no response was received, although the database has now been secured and is no longer accessible.

As a result of the lack of authentication controls it would have been possible for a hacker to delete or alter data or install malware on the system.

Summa Health Patients Notified of Data Breach

An unauthorized individual has gained access to the email accounts of several employees of the Akron, OH hospital system Summa Health and potentially viewed or copied patient information.

The email accounts were discovered to have been compromised on May 1, 2019. The Summa Health investigation confirmed that two employee email accounts had been compromised in August 2018, with a further two accounts compromised on March 11 and March 29 as a result of employees responding to phishing emails.

Summa Health hired a leading computer forensics firm to investigate the breach. The company confirmed that the accounts had been accessed and PHI had potentially been viewed. No evidence was uncovered to suggest any patient information was viewed or stolen, but the possibility could not be ruled out.

For the majority of patients, the types of information that were exposed were limited to names, dates of birth, patient account numbers, medical record numbers, and some clinical and treatment information. A small subset of patients also had their Social Security number or driver’s license number exposed.

Summa Health will be implementing additional security measures to prevent further email security breaches and staff will be provided with additional training on privacy and security.

Summa Health has not confirmed how many patients were affected other than saying the breach impacted more than 500 individuals.

The post 5 Million Records Exposed Due to Unsecured MongoDB Marketing Database appeared first on HIPAA Journal.

2,200 Franciscan Health Patients Notified of Unauthorized PHI Access by Employee

Mishawaka, IN-based Franciscan Health has discovered the protected health information of approximately 2,200 patients has been accessed by a former employee without authorization.

The privacy violation was discovered during a routine privacy audit. Franciscan Health announced that it was confirmed on May 24, 2019 that an employee in the quality research department had accessed the electronic medical records of patients without authorization and with no legitimate work reason for doing so.

The individual concerned is no longer employed by Franciscan Health and the matter has been reported to law enforcement. While unauthorized PHI access was confirmed, Franciscan Health found no evidence to suggest that the employee copied, transmitted, or disclosed any patient information.

Patient information was stored in Franciscan Health’s medical record system, which has been in use since 2012. Through that system, the former employee accessed patient records containing information such as names, addresses, email addresses, dates of birth, phone numbers, gender information, race/ethnicity, last four digits of social security numbers, and medical record numbers.

For certain patients, the following information may also have been accessed: physician name, diagnoses, lab test results, medications, other treatment information, driver’s license numbers, emergency contact information, and insurance claims information. The records contained the full Social Security numbers of a small subset of patients.

All patients whose protected health information was compromised will be notified by mail and provided with information on how they can sign up for identity theft protection services. Franciscan Health will cover the cost of those services for 2 years.

Medical Records Abandoned Outside Shuttered Chicago Medical Center

City crews have begun a clean-up operation to remove boxes of medical records that have been abandoned outside a shuttered medical center in the Chatham area of Chicago, IL.

Boxes of medical records containing sensitive patient information had been dumped outside the former Medical Professional Home Healthcare center.

The Medical Professional Home Healthcare center was run by Carmen Dooley. In April 2017, the state health medical department license for Dooley and her business expired and was not renewed. The Illinois Department of Public Health visited the property and found it to be unoccupied with utilities cut off. The owner of the business could not be contacted and the agency was decertified by Medicare in 2017.

According to a recent report on CBS, the records had been stored in storage containers on the property. However, the containers were removed and their contents were dumped on site in 5-foot high piles. Some owners of local properties said the records had been there for months and some paperwork containing sensitive information had blown into their yards. According to the report, Dooley had not authorized the removal of the storage containers and was unaware that the records had been abandoned.


2.9 Million Members Affected by Dominion National 9-Year PHI Breach

Dominion National, a Virginia-based insurer, health plan administrator, and administrator of dental and vision benefits, has experienced a data security incident involving the personal information of individuals connected to the services it provides. Hackers first gained access to its servers in 2010.

Following an internal alert, Dominion National launched an internal investigation and determined on April 24, 2019 that its systems had been breached.

A leading cybersecurity company performed a comprehensive forensic analysis and review of affected data and confirmed the sensitive information of current and former members of Dominion National and Avalon Vision plans may have been compromised, along with the PHI of individuals who are members of health plans for which the company provides administration services.

Data relating to individuals affiliated with the organizations for which the company administers dental and vision benefits, plan producers, and participating healthcare providers were also potentially compromised. Unauthorized access to its systems first occurred on August 25, 2010, nine years before the investigation was completed. It is currently unclear when Dominion National first became aware of the breach.

The investigation into the cyberattack concluded on April 24, 2019. All affected individuals have been notified and offered two years’ membership of credit monitoring and identity theft protection services. Dominion National has cleaned all affected servers and has enhanced its monitoring and alerting software.

The types of information involved varied from individual to individual but may have included names along with addresses, email addresses, dates of birth, Social Security numbers, bank account and routing numbers, taxpayer ID numbers, member ID numbers, group numbers, and subscriber numbers.

A long-term breach such as this has potential to affect a great many plan members. According to the summary published on the HHS’ Office for Civil Rights Breach Portal, 2,964,778 plan members have had their PHI exposed.

While system access was confirmed, Dominion National uncovered no evidence to suggest any patient data was accessed, acquired or misused by the individual responsible for the attack. Breach notification letters were mailed on June 21, 2019. The substitute breach notice on the Dominion National website makes no mention of credit monitoring or identity theft protection services.

Updated: 07.03.19


Ransomware Attacks Reported by California and Illinois Clinics

Patients of Quantum Vision Centers and Eye Surgery Center in Illinois are being notified that some of their protected health information may have been compromised in an April 2019 ransomware attack.

An unauthorized individual gained access to certain Quantum systems and deployed ransomware on April 18, 2019. The ransomware encrypted files, some of which contained information such as names, dates of birth, addresses, health insurance information, and Social Security numbers.

A third-party computer forensics firm has been hired to help determine the nature and scope of the attack. The investigation is ongoing, but it is believed that the malware was not used to steal any patient information. The sole purpose of the attack appears to have been to extort money from the business.

Encrypted files are now being recovered and backup measures have been implemented to ensure services can continue to be provided to patients, albeit with some disruption.

It is currently unclear exactly how many patients have been affected. Affected individuals have been offered one year of credit monitoring services.

Marin Community Clinics Recovers from Ransomware Attack

Marin Community Clinics in California has experienced a ransomware attack that caused considerable disruption to its IT systems last week.

The attack occurred between 9pm and 10pm on Wednesday, June 19 and resulted in widespread file encryption. A ransom demand was issued and, after consulting with its network operator, Marin Community Clinics paid an undisclosed percentage of the ransom demand.

Computer systems were taken out of action as a result of the attack. Even with the keys to unlock the encrypted files, recovery has taken several days. All computer systems are expected to be brought back online by Saturday, June 22.

Medical services continued to be provided to patients while computer systems were down and the hospital was operating in emergency mode. Patient information was recorded on paper and will be transferred when systems are brought back online. The data recovery process is progressing and major data loss is not anticipated.

Marin Community Clinics’ CEO Mitesh Popat told the Marin Independent Journal that no patient data was compromised and major data loss is not expected; however, there may be minor data loss for certain patients as a result of the data recovery process.

It is currently unclear how the ransomware was introduced and for how long the hackers had access to its systems prior to the deployment of ransomware.


Phishing Attacks Reported by Broome County, NY and UMassMemorial Community Healthlink

Broome County in New York has started notifying 7,048 individuals that some of their protected health information (PHI) was compromised in a phishing attack on county employees.

Broome County officials learned about the attack on January 2, 2019 when it was discovered that an employee’s direct deposit account information had been changed. An investigation was immediately launched which revealed ‘numerous’ Broome County email accounts had been compromised as a result of responses to phishing emails. Further, an unauthorized individual had also gained access to employees’ PeopleSoft accounts.

A computer forensics expert was hired to assist with the investigation and determine how and when access to the accounts was first gained. That investigation revealed the first accounts were compromised on November 20, 2018 and further accounts were compromised up to January 2, 2019.

Employee direct deposit information has been checked and all emails and email attachments in the compromised accounts have been analyzed.

Broome County says multiple county departments were affected, including the Department of Health. The Willow Point Nursing Home and Rehabilitation & Nursing Center were also affected.

The types of information in the emails varied from individual to individual, but may have included names, contact information, Social Security numbers, bank account numbers, other financial information, dates of birth, medical record numbers, patient identification numbers, health insurance information, claims information, and medical and clinical information such as diagnoses and treatment information.

Broome County will implement additional safeguards to protect against any future attempted cyberattacks, including multi-factor authentication, and additional training will be provided to staff.

Community Health Link Phishing Attack Impacts 4,598 Patients

UMass Memorial Community Healthlink, a provider of behavioral health, addiction, and homeless services throughout central Massachusetts, has discovered the email accounts of two employees have been accessed by an unauthorized individual.

The breach was detected on April 18, 2019 and the accounts were secured. The breach investigation revealed the accounts were first accessed the same day and information in the compromised email accounts was only available for a limited time period.

No evidence was found to suggest emails had been viewed or copied; however, the following information may have been subjected to unauthorized access: names, dates of birth, client identification numbers, diagnosis and treatment information, health insurance information, and in limited instances, Social Security numbers.

In response to the breach, passwords were reset, rules were strengthened to prevent email accounts from being accessed from external domains, automatic alerts have been increased, and defenses have been strengthened against email impersonation attacks. Further training has also been provided to employees.


Ransomware Attack Affects More than 60 Assisted Living Facilities

A provider of software for assisted living communities has experienced a ransomware attack that has affected more than 60 facilities that use the software.

Tenx Systems, doing business as ResiDex Software, said the attack occurred on April 9, 2019 and affected its server infrastructure.

Rapid action was taken to move the servers to a new hosting provider and files were seamlessly recovered from backups the same day as the attack. No ransom was paid.

A forensic investigation was launched to determine whether any files had been accessed or other malicious actions had been performed by the attackers. The investigation revealed its servers were first compromised on April 2, 2019, 7 days prior to the deployment of ransomware.

While extortion through file encryption may have been the main aim of the attack, it is possible that the attackers gained access to names, Social Security numbers, and medical records contained in the ResiDex system.

It was not possible to establish which, if any, records were subjected to unauthorized access due to the complexity of the attack and the steps taken by the attackers to conceal their activities.

Notifications are now being sent to all affected individuals, which are spread across Massachusetts, Minnesota, Missouri and Tennessee.

The number of individuals affected has not been publicly disclosed and the incident has yet to appear on the HHS’ Office for Civil Rights Breach Portal.

Prescription Information of 78,000 U.S. Patients Exposed Online

Security researchers at vpnMentor have discovered a freely accessible database of patient prescription information that contains records relating to more than 78,000 U.S. patients who use the prescription medication Vascepa.

Vascepa is a drug used to lower triglycerides for individuals on low-cholesterol and low-fat diets. The MongoDB database had been left unprotected, allowing the following information to be viewed without authentication: names, addresses, telephone numbers, email addresses, pharmacy information, prescribing doctor, NPI number, NABP E-profile number, and other personally identifiable data.

The records appeared to have come from a company called PSKW, which provides patient and provider messaging, co-pay, and assistance programs for healthcare organizations via a service named ConnectiveRX.

vpnMentor has reported the breach to PSKW, although it is currently unclear to whom the database belongs.


May 2019 Healthcare Data Breach Report

In April, more healthcare data breaches were reported than in any other month to date. The high level of data breaches has continued in May, with 44 data breaches reported. Those breaches resulted in the exposure of almost 2 million individuals’ protected health information.

Healthcare data breaches by month 2014-2019

On average, 2018 saw 29.5 healthcare data breaches reported to the HHS’ Office for Civil Rights each month – a rate of more than one a day.

From January 2019 to May 2019, an average of 37.2 breaches have been reported each month. Up until May 31, 2019, 186 healthcare data breaches had been reported to OCR, which is more than half (52%) the number of breaches reported last year.

It remains to be seen whether the increase in data breaches is just a temporary blip or whether 40+ healthcare data breaches a month will become the new norm.

Healthcare records exposed by month 2017-2019

May saw a 186% increase in the number of exposed records compared to April. Across the 44 breaches, 1,988,376 healthcare records were exposed or compromised in May. So far this year, more than 6 million healthcare records have been exposed, which is more than half of the number of records exposed in 2018.

Healthcare records exposed by year 2014-2019

In terms of the number of records exposed, May would have been similar to April were it not for a massive data breach at the healthcare clearinghouse Inmediata Health Group. The breach was the largest of the year to date and resulted in the exposure of 1,565,338 records.

A web page which was supposed to only be accessible internally had been misconfigured and the page could be accessed by anyone over the internet.


| Rank | Name of Covered Entity | Covered Entity Type | Individuals Affected | Type of Breach |
|---|---|---|---|---|
| 1 | Inmediata Health Group, Corp. | Healthcare Clearing House | 1,565,338 | Unauthorized Access/Disclosure |
| 2 | Talley Medical Surgical Eyecare Associates, PC | Healthcare Provider | 106,000 | Unauthorized Access/Disclosure |
| 3 | The Union Labor Life Insurance Company | Health Plan | 87,400 | Hacking/IT Incident |
| 4 | Encompass Family and internal medicine group | Healthcare Provider | 26,000 | Unauthorized Access/Disclosure |
| 5 | The Southeastern Council on Alcoholism and Drug Dependence | Healthcare Provider | 25,148 | Hacking/IT Incident |
| 6 | Cancer Treatment Centers of America® (CTCA) at Southeastern Regional Medical Center | Healthcare Provider | 16,819 | Hacking/IT Incident |
| 7 | Takai, Hoover, and Hsu, P.A. | Healthcare Provider | 16,542 | Unauthorized Access/Disclosure |
| 8 | Hematology Oncology Associates, PC | Healthcare Provider | 16,073 | Hacking/IT Incident |
| 9 | Acadia Montana Treatment Center | Healthcare Provider | 14,794 | Hacking/IT Incident |
| 10 | American Baptist Homes of the Midwest | Healthcare Provider | 10,993 | Hacking/IT Incident |

Causes of May 2019 Healthcare Data Breaches

Hacking/IT incidents were the most numerous in May with 22 reported incidents. In total, 225,671 records were compromised in those breaches. The average breach size was 10,258 records with a median of 4,375 records.

There were 18 unauthorized access/disclosure incidents in May, which resulted in the exposure of 1,752,188 healthcare records. The average breach size was 97,344 records and the median size was 2,418 records.

8,624 records were stolen in three theft incidents. The average breach size was 2,875 records and the median size was 3,578 records. There was one loss incident involving 1,893 records.

Causes of May 2019 healthcare data breaches

Location of Breached PHI

Email continues to be the most common location of breached PHI. 50% of the month’s breaches involved at least some PHI stored in email accounts. The main cause of these types of breaches is phishing attacks.

Network servers were the second most common location of breached PHI. They were involved in 11 breaches, which included hacks, malware infections and ransomware attacks. Electronic medical records were involved in 7 breaches, most of which were unauthorized access/disclosure breaches.

Location of breached PHI (May 2019)

May 2019 Healthcare Data Breaches by Covered Entity Type

Healthcare providers were the worst affected covered entity type in May with 34 breaches. 5 breaches were reported by health plans and 4 breaches were reported by business associates of HIPAA-covered entities. A further two breaches had some business associate involvement. One breach involved a healthcare clearinghouse.

May 2019 healthcare data breaches by covered entity type

May 2019 Healthcare Data Breaches by State

May saw healthcare data breaches reported by entities in 17 states. Texas was the worst affected state in May with 7 reported breaches. There were 4 breaches reported by covered entities and business associates in California and 3 breaches were reported in each of Indiana and New York.

2 breaches were reported by entities based in each of Connecticut, Florida, Georgia, Maryland, Minnesota, North Carolina, Ohio, Oregon, Washington, and Puerto Rico. One breach was reported in each of Colorado, Illinois, Kentucky, Michigan, Missouri, Montana, and Pennsylvania.

HIPAA Enforcement Actions in May 2019

OCR agreed two settlements with HIPAA covered entities in May and closed the month with fines totaling $3,100,000.

Touchstone Medical Imaging agreed to settle its HIPAA violation case for $3,000,000. The Franklin, TN-based diagnostic medical imaging services company was investigated after it was discovered that an FTP server was accessible over the internet in 2014.

The settlement resolves 8 alleged HIPAA violations including the lack of a BAA, insufficient access rights, a risk analysis failure, the failure to respond to a security incident, a breach notification failure, a media notification failure, and the impermissible disclosure of the PHI of 307,839 individuals.

Medical Informatics Engineering settled its case with OCR and agreed to pay a financial penalty of $100,000 to resolve alleged HIPAA violations uncovered during the investigation of its 2015 breach of 3.5 million patient records. Hackers had gained access to MIE servers for 19 days in May 2015.

OCR determined there had been a failure to conduct a comprehensive risk analysis and, as a result of that failure, there was an impermissible disclosure of 3.5 million individuals’ PHI.

It did not end there for MIE. MIE also settled a multi-state lawsuit filed by 16 state attorneys general. A multi-state investigation uncovered several HIPAA violations. MIE agreed to pay a penalty of $900,000 to resolve the case.


Oregon Department of Human Services Notifies 645,000 Clients of Phishing Breach

The Oregon Department of Human Services (ODHS) is notifying 645,000 clients that some of their personal information has potentially been compromised as a result of a phishing attack.

The targeted attack started on January 9, 2019 and resulted in 9 ODHS employees following links in emails and disclosing their login credentials.

ODHS and the Department of Administrative Services Enterprise Security Office discovered the breach on January 28 following reports from employees who believed their email accounts had been accessed. All affected email accounts were rapidly identified and remote access to the accounts was blocked the same day.

An investigation was launched into the breach to determine what protected health information may have been viewed and who had been affected. That process has taken some time to complete as it involved checking around 2 million emails.

The attackers accessed the compromised accounts and were able to access emails in the accounts for a period of 19 days. ODHS has confirmed that no malware was installed by the attackers but they may have viewed or obtained PHI such as names, contact information, Social Security numbers, case numbers, and sensitive health information.

On March 21, when it became clear that PHI was involved, ODHS uploaded a substitute breach notice to its website and created a call center where affected individuals could find out more about the breach. However, individual breach notifications were not sent until June 21.

ODHS oversees programs related to child welfare, individuals with disabilities, and seniors and deals with some of the most vulnerable individuals in the state. To protect those individuals from harm, ODHS has covered the cost of a $1 million identity theft reimbursement insurance policy and is offering all affected individuals 12 months of complimentary credit monitoring and identity theft recovery services.

ODHS spokesperson Robert Oakes said this was an “extremely sophisticated email attack.” ODHS has since closed access to the email web application that was breached and will continue to conduct internal security audits to identify vulnerabilities, which will be subjected to a HIPAA-compliant risk management process. Training is already provided to staff on security awareness and efforts will continue to educate the workforce about the dangers of phishing.


Potential Breach at Meditab Software Impacts 2 Maryland Healthcare Providers

Two healthcare providers in Maryland have been affected by a potential breach at their business associate, Meditab Software Inc.

Meditab provides EMR and practice management software to healthcare providers and its systems contain patient information. In March 2019, Meditab discovered some protected health information (PHI) had been left unprotected.

Meditab had created a portal to view statistics for its Fax Cloud services. Statistics were maintained on all faxes, but no images were stored directly on the fax server. When faxes were transmitted, a link to the fax image on a separate, secure server was temporarily available until the fax was confirmed as having been received. Once receipt was confirmed, the link was no longer available.

Usernames and passwords were required to gain access to the portal; however, in January, a Meditab programmer deactivated authentication without authorization. While authentication was disabled, a limited number of faxes containing medical information were discoverable between January 9 and March 14, 2019.

The exposed information may have included names, addresses, phone numbers, dates of birth, and medical records and treatment notes, which may include diagnoses and treatment information.

The firm recently informed Capitol Cardiology Associates (CCA) and Southern Maryland Medical Group (SMMG) that the PHI of some of their patients had been exposed.

Meditab said at no point could its analytics portal be searched or crawled by search engines, so discovering the portal would not have been easy. However, if the portal was located, an unauthorized individual could have opened the fax messages individually and had the option of downloading or printing those faxes. Meditab believes the risk of harm to patients is low.

According to the breach reports submitted to the HHS’ Office for Civil Rights, 1,980 CCA patients and 1,400 SMMG patients have been affected.

It is currently unclear whether any other healthcare providers have been affected by the breach.
