HIPAA Breach News

Phishing Attack on Hematology Oncology Associates Sees Multiple Email Accounts Breached

The email accounts of several employees of Medford, OR-based Hematology Oncology Associates, P.C. have been compromised as a result of responses to phishing emails. The phishing attack was detected on March 19, 2018, although the investigation revealed the first account was breached on December 18, 2018. Further accounts were compromised up until February 22, 2019.

Third-party computer forensics experts were retained to investigate the breach, but it was not possible to determine which, if any, emails and attachments had been opened by the attackers.

The breach investigation was concluded on April 20 and confirmed that some of the emails and attachments in the compromised accounts contained patients’ protected health information.

A password reset has been performed to prevent further unauthorized access and additional security awareness training will be provided to employees.

The breach has been reported to the HHS’ Office for Civil Rights and state attorneys general and affected individuals have been offered free membership to Experian’s IdentityWorks credit monitoring and identity theft protection services.

It is currently unclear how many people have been affected by the breach.

Former Penn Medicine Employee Accused of Accessing and Misusing Patient Information

A former medical assistant at Penn Medicine has been accused of accessing patient information without authorization and misusing the information of at least one patient.

The contract employee had been hired through a staffing agency and worked at Penn Medicine between February and April 2019. Penn Medicine learned on April 29, 2019 that the employee had accessed patient information without any legitimate work reason for doing so.

The types of information that could have been viewed included names, demographic information, clinical information and, for certain patients, Social Security numbers. In total, the former employee had accessed 900 patient records during the 3 months of employment.

Penn Medicine spokesperson Lauren Steinfeld issued a statement saying Penn Medicine is aware of one patient whose PHI had been misused, although the nature of that misuse was not disclosed.

All 900 patients have now been notified about the privacy breach. Penn Medicine is also reviewing its use of contractors and staffing agencies and will be taking steps to ensure all employees maintain high professional standards.

The post Phishing Attack on Hematology Oncology Associates Sees Multiple Email Accounts Breached appeared first on HIPAA Journal.

Another Phishing Attack Reported by Cancer Treatment Centers of America

Cancer Treatment Centers of America (CTCA) has discovered the email account of an employee of its Southeastern Regional Medical Center has been compromised as a result of a response to a phishing email.

The email account breach occurred on March 10, 2019 after the employee disclosed network login credentials when responding to a seemingly legitimate internal email. CTCA discovered the breach the following day and secured the account by changing the password.

The account was accessible for less than two days, but during that time it is possible that information in emails and email attachments may have been viewed. The third-party computer forensics firm that was retained to conduct an investigation found no evidence to suggest any patient health information was viewed, but it was not possible to rule out PHI access or data theft.

The compromised email account contained names, addresses, medical record numbers, government ID numbers, health insurance information, and some medical information. No Social Security numbers or financial information were exposed.

Individuals affected by the breach are being notified and have been told to be alert to the possibility of misuse of their personal information and to carefully monitor their explanation of benefits statements and other account statements for unfamiliar charges or items.

This is the second successful phishing attack on CTCA to be reported in the past 6 months. In December 2018, an employee’s email account was compromised which contained the protected health information of 41,948 patients.

The breach occurred on May 2, 2018, CTCA was informed about the breach on September 26, 2018, and the breach was announced in early December. In that incident, the account was accessible for less than a day.

In response to the latest incident, further email security enhancements are being evaluated and CTCA is continuing to reinforce security awareness training and is ensuring employees know how to recognize phishing emails.

It is currently unclear how many individuals have been affected by the latest breach. The security breach has been reported to the Vermont Attorney General, but the incident has not yet appeared on the HHS’ Office for Civil Rights breach portal.

April 2019 Healthcare Data Breach Report

April was the worst ever month for healthcare data breaches. More data breaches were reported than in any other month since the Department of Health and Human Services’ Office for Civil Rights started publishing healthcare data breach reports in October 2009. In April, 46 healthcare data breaches were reported, which is a 48% increase from March and 67% higher than the average number of monthly breaches over the past 6 years.

While breach numbers are up, the number of compromised healthcare records is down. In April 2019, 694,710 healthcare records were breached – a 23.9% reduction from March. While the breaches were smaller in March, the increase in breaches is of great concern, especially the rise in the number of healthcare phishing attacks.

Largest Healthcare Data Breaches in April 2019

Two 100,000+ record data breaches were reported in April. The largest breach of the month was reported by the business associate Doctors Management Services – a ransomware attack that exposed the records of 206,695 patients.

The ransomware was deployed 7 months after the attacker had first gained access to its systems. The initial access was gained via Remote Desktop Protocol (RDP) on a workstation.

The second largest data breach was reported by the healthcare provider Centrelake Medical Group. The breach resulted in the exposure of 197,661 patients’ PHI and was also a ransomware attack that prevented patient information from being accessed. While the delay between access to the servers being gained and the ransomware being deployed was not as long, it also appeared that the attacker had been exploring the network prior to deploying the malicious software. Access to the server was gained 6 weeks prior to the ransomware being deployed. Ransomware was also used in the attack on ActivYouth Orthopaedics.

| Covered Entity | Entity Type | Records Exposed | Breach Type | Location of Breached PHI |
|---|---|---|---|---|
| Doctors Management Services, Inc. | Business Associate | 206695 | Hacking/IT Incident | Network Server |
| Centrelake Medical Group, Inc. | Healthcare Provider | 197661 | Hacking/IT Incident | Network Server |
| Gulf Coast Pain Consultants, LLC d/b/a Clearway Pain Solutions Institute | Healthcare Provider | 35000 | Unauthorized Access/Disclosure | Electronic Medical Record |
| EmCare, Inc. | Healthcare Provider | 31236 | Hacking/IT Incident | Email |
| Kim P. Kornegay, DMD | Healthcare Provider | 27000 | Theft | Desktop Computer, Electronic Medical Record, Paper/Films |
| Pediatric Orthopedic Specialties, PA, dba ActivYouth Orthopaedics | Healthcare Provider | 24176 | Hacking/IT Incident | Network Server |
| Health Recovery Services, Inc. | Healthcare Provider | 20485 | Unauthorized Access/Disclosure | Network Server |
| Baystate Health | Healthcare Provider | 11658 | Hacking/IT Incident | Email |
| Riverplace Counseling Center, Inc. | Healthcare Provider | 11639 | Hacking/IT Incident | Network Server |
| Minnesota Department of Human Services | Healthcare Provider | 10263 | Hacking/IT Incident | Email |

Causes of April 2019 Healthcare Data Breaches

Hacking/IT incidents outnumbered unauthorized access/disclosure incidents by 2 to 1 in April. 28 of the reported breaches of 500 or more records were due to hacking/IT incidents. There were 14 unauthorized access/disclosure incidents, two cases of theft of PHI, one reported case of loss of paperwork, and one case of improper disposal of PHI.

While 2018 saw a decline in the number of ransomware attacks across all industry sectors, the number of ransomware attacks is increasing once again, and healthcare is the most attacked industry. Remote Desktop Protocol is often exploited to gain access to servers and workstations to deploy ransomware.

In May, a Forescout study revealed that the use of vulnerable protocols is common in the healthcare industry. Risk can be reduced by disabling these protocols and, if RDP must be used, by only using RDP with a VPN.

Phishing attacks also increased considerably in April, which highlights just how vulnerable healthcare organizations are to this type of attack. Advanced anti-phishing and anti-spam solutions can reduce the volume of malicious emails that reach inboxes and, combined with regular security awareness training, can reduce risk.

The use of multi-factor authentication is also important. In the event of credentials being compromised, MFA will prevent those credentials from being used to gain access to PHI. MFA is not infallible, but it can ensure risk is reduced to a reasonable and acceptable level. According to Verizon, most credential theft incidents would not have resulted in a data breach if MFA had been implemented.

Hacking/IT incidents resulted in the highest number of compromised records in April 2019 – 384,219 records or 55% of all compromised records in April. The mean breach size was 13,722 records and the median breach size was 4,008 records.

Unauthorized access/disclosure incidents resulted in the exposure of 264,016 records or 38% of the month’s total. While hacking incidents usually result in more records being compromised, these incidents were more severe and had a mean breach size of 18,858 records. The median breach size was 3,193 records.

31,810 records were exposed to loss or theft – 4.6% of the month’s total. The mean breach size was 10,603 records and the median breach size was 4,000 records.

[Figure: April 2019 healthcare data breaches - breach cause]

Location of Breached Protected Health Information

Email was the most common location of breached PHI in April. Email was involved in 22 data breaches – 47.8% of all breaches in April 2019. While this category includes misdirected emails, the majority of email breaches were due to phishing attacks.

Network servers were involved in 11 breaches – 23.9% of the month’s breaches – which include malware and ransomware attacks.

Physical records such as paperwork, charts, and films were involved in 6 breaches – 13% of the month’s total.

[Figure: April 2019 healthcare data breaches - location of PHI]

April Breaches by Covered Entity Type

April was a relatively good month for business associates of covered entities with only two breaches reported and one further breach having some business associate involvement, although a business associate breach was the largest breach of the month.

6 health plans reported breaches in April and the remaining 38 breaches were reported by healthcare providers.

[Figure: April 2019 healthcare data breaches by covered entity type]

April 2019 Healthcare Data Breaches by State

Data breaches were reported by entities based in 21 states in April. California and Texas were the worst affected, with each state having 5 breaches. Florida, Minnesota, and Ohio each had four breaches, and there were 3 breaches reported by entities in Illinois.

Idaho, Massachusetts, New York, Oregon, Tennessee, and Washington each had 2 breaches and one breach was reported in each of Alabama, Delaware, Louisiana, North Carolina, New Jersey, Pennsylvania, South Dakota, Utah, and West Virginia.

HIPAA Enforcement Activity in April 2019

There were no financial penalties issued by the HHS’ Office for Civil Rights or state Attorneys General in 2019. The first OCR financial penalty of 2019 was issued in May – a $3,000,000 penalty for Touchstone Medical Imaging for the delayed response to a data breach in which the records of 307,839 patients were exposed.

In addition to the delayed response, there was a failure to issue breach notifications in a reasonable time frame, a failure to notify the media about the breach, two BAA failures, insufficient access rights, and a risk analysis failure.

Medical Oncology Hematology Consultants Notifies Patients about June 2018 Data Breach

Medical Oncology Hematology Consultants (MOHC), a Newark, DE-based cancer treatment center, is alerting certain patients that some of their protected health information (PHI) has been exposed as a result of an email security breach.

According to the substitute breach notice on the MOHC website, an email account was compromised between June 7 and June 8, 2018. It is unclear when MOHC learned of the breach, but its ‘extensive investigation’ concluded on March 14, 2019 that the breach had resulted in the exposure of patient information.

Third party computer forensics experts were engaged to conduct the investigation, which involved extensive coordination with the company that hosts its email environment. Data access and theft could not be ruled out, although no reports have been received to suggest any patient information has been misused.

Names, dates of birth, Social Security numbers, government ID numbers, financial account information, and health and medical information were exposed. All patients affected by the breach have been notified and offered 12 months of membership to credit monitoring and associated services at no cost.

Steps have been taken to improve email security including the use of a new, secure portal for the delivery of emails from external sources, additional malware blocking measures, a suspicious email reporting system, encryption of outgoing emails, and the provision of further security awareness training to employees. Notifications have also been set up to alert employees if they are attempting to send emails containing unencrypted sensitive information.

This is the second large data breach to be reported by MOHC in the past 2 years. In September 2017, MOHC announced that it was the victim of a ransomware attack that impacted 19,000 patients.

It is currently unclear how many patients have been affected by the latest security breach.

Health Net of California Mailing Error Results in Impermissible Disclosure of PHI

Health Net of California has discovered that a coding error on a mailing has resulted in the impermissible disclosure of subscribers’ PHI.

The coding error was introduced on a mail merge which caused letters to be misaligned. As a result, the PHI of subscribers was printed on letters that were mailed to other subscribers. The coding error occurred on March 1 and affected mailings up until March 12, 2019.

As a result of the error, the following data elements were impermissibly disclosed: Name, date of birth, Health Net ID number, health plan name, group number, dependents’ names and ages, primary care physician’s name and address, and the last four digits of dependents’ social security numbers.

Health Net of California identified and corrected the coding error and has implemented additional procedures for future mailings, including several testing scenarios and the use of a checklist to make sure errors are found and corrected prior to letters being mailed.

It is currently unclear how many subscribers have been affected.

American Medical Response Alerts Patients About Email Breach

American Medical Response, a Greenwood Village, CO-based provider of emergency and patient relocation services, has discovered an unauthorized individual has gained access to the PHI of 4,300 patients who had previously used its ambulance service.

The information was contained in employee email accounts that were compromised as a result of a phishing attack. The compromised email accounts contained names, addresses, dates of birth, Social Security numbers, health insurance identifiers, and diagnostic and treatment information. The breach was limited to email accounts and no other systems or databases were subjected to unauthorized access.

While patients’ protected health information was potentially accessed, no reports have been received to suggest any patient information has been misused.

All patients affected by the breach have been notified by mail and have been offered complimentary credit monitoring services. American Medical Response has implemented additional security measures to reduce the risk of further email account breaches and employees have been provided with additional security awareness training.

Bloodworks Northwest Notifies Patients of PHI Exposure

The Seattle, WA-based blood bank and medical research institute, Bloodworks Northwest, is alerting 1,893 patients that some of their PHI has been exposed and potentially stolen.

On March 13, 2019, Bloodworks discovered a list containing patients’ names, dates of birth, and medical diagnoses had gone missing from an employee’s desk. Despite a search being performed, the list could not be located.

Peculiarly, the Notice of Data Privacy Event on the Bloodworks website says “While we are unaware of any misuse of the personal information in the impacted email account, we encourage you to remain vigilant against incidents of identity theft and fraud, to review your account statements, and to monitor your credit reports for suspicious activity.”

It is unclear whether this is an error or if an email account was also compromised. The breach report submitted to the HHS’ Office for Civil Rights suggests the breach solely involved the loss of paperwork.

UMC Physicians Discovers Patient Information Was Uploaded to Unapproved and Unsecured Cloud Service

The Lubbock, TX-based medical group UMC Physicians is alerting patients of UMC Southwest Gastroenterology that some of their protected health information has been exposed as a result of errors of judgement by two of its employed providers.

Those providers had each set up a Google shared drive which was used to track follow up tasks related to the provision of care to patients. While the shared drives were set up with good intentions and were intended to help improve the care provided to patients, the providers used an unapproved cloud storage solution and patient data was inadvertently stored on an unsecured network.

UMC Physicians discovered the policy violation on March 12, 2019 and launched an investigation to determine which patients’ protected health information had been exposed. During the course of that investigation, UMC Physicians determined that one of the providers had also been forwarding emails containing patient information to an unsecured Gmail account.

The types of information that had been stored on the unsecured network and emailed to the Gmail account included names, addresses, telephone numbers, medical record numbers, dates of birth, dates of service, health insurance carriers, diagnoses, and medical procedures performed. Highly sensitive information such as Social Security numbers, insurance policy numbers, and financial information were not exposed.

In response to the discovery, UMC Physicians has provided additional training to employees on the use of approved cloud storage solutions and technical controls will be implemented to prevent unauthorized cloud storage solutions from being used in the future.

No evidence has been found to suggest patient information has been accessed by unauthorized individuals nor have any reports been received to indicate there has been misuse of patient information. All patients whose protected health information has been exposed have been notified of the breach by mail.

It is currently unclear exactly how many patients have been affected.

Oregon State Hospital and New York Episcopal Health Services Report Phishing Attacks

Oregon State Hospital has announced that the protected health information (PHI) of some of its patients was potentially compromised as a result of an employee being duped by a spear phishing email.

The email was received on May 3 and the employee responded on May 6. The response resulted in the disclosure of email login credentials.

The unauthorized access was detected quickly, and steps were rapidly taken to secure the account. The employee responded to the message at 9:50 AM and Oregon State Hospital’s IT team detected the breach at 10:30 AM and secured the account. The limited time the attacker had access to the account reduced the potential for any information in emails and email attachments to be viewed or copied.

Currently, Oregon State Hospital is unaware whether the attacker gained access to patients’ protected health information during the 40 minutes that the account was accessible, and the hospital has yet to determine which patients have been affected.

A third-party cybersecurity company has been hired to conduct an analysis of the compromised account to determine which patients’ PHI has been exposed. The hospital expects that process to take around 4-6 weeks. Once the affected patients have been identified, notifications will be sent.

The hospital has confirmed that the email account contained patient information such as full names, dates of birth, medical record numbers, diagnoses, and treatment plans.

Phishing attacks cannot always be prevented but rapid detection and a prompt breach response can limit the harm caused. The hospital should be commended for both the rapid detection of the breach and the early media notice, which was issued just a week after the breach was experienced.

Episcopal Health Services Issues Further Notifications About 2018 Phishing Attack

Episcopal Health Services, which operates St. John’s Episcopal Hospital in New York, has issued a second batch of notifications to patients who were recently discovered to have been impacted by a 2018 phishing attack.

Episcopal Health Services was alerted to a potential phishing attack when suspicious activity was detected within several employee email accounts in September 2018. An investigation was launched to determine the cause of that suspicious activity, which revealed several email accounts had been subjected to unauthorized access as a result of responses to phishing emails.

The investigation confirmed that the accounts had been breached between August 28, 2018 and October 5, 2018. Those accounts were reviewed to determine whether they contained patient information. Episcopal Health Services determined on November 1, 2018, that some patients’ PHI had been exposed and on November 15, individuals for whom a valid postal address was held were sent notification letters.

The exposed information varied from individual to individual and may have included names, dates of birth, financial information, Social Security numbers, medical record numbers, diagnoses, medical histories, prescription information, treatment information, and health insurance information.

The compromised email accounts continued to be reviewed to determine whether they contained protected health information and on March 19, 2019, a second round of notification letters was sent to patients who were also discovered to have been affected by the breach.

Individuals whose PHI has been exposed have been offered complimentary credit monitoring and identity theft protection services for 12 months.

The breach report submitted to the HHS’ Office for Civil Rights on November 19, 2018 indicates 218,055 individuals were impacted by the phishing attacks.

Ransomware Attack on the Southeastern Council on Alcoholism and Drug Dependence Impacts 25,148 Patients

The Southeastern Council on Alcoholism and Drug Dependence (SCADD) in Lebanon, CT, has experienced a ransomware attack that has resulted in widespread file encryption.

The attack was detected on February 18, 2019 when problems started to be experienced with its network. The investigation confirmed ransomware had been installed on its systems, some of which contained the protected health information (PHI) of patients.

While no evidence was uncovered that suggested the attackers accessed files containing PHI, third-party forensic investigators were unable to rule out patient data access. Consequently, the incident was reported to the HHS’ Office for Civil Rights as a potential data breach and notification letters have been sent to affected patients. To date, no reports have been received which suggest any patient information has been misused.

Patients have been informed that their name, address, medical history, treatment information, and Social Security number have potentially been compromised. All affected individuals have been offered complimentary credit monitoring and identity theft protection services.

The breach summary on the OCR website indicates up to 25,148 patients have been affected by the incident.

Independent Health Employee Accidentally Emailed PHI of 7,600 Members to Unauthorized Individual

The Amherst, MA-based health plan, Independent Health, has discovered an employee emailed documents containing the PHI of 7,600 members to an individual who was not authorized to view the information.

The information was mistakenly sent to an Independent Health member on March 19, 2019. That individual contacted Independent Health within an hour of the email being received to report the privacy breach and confirm that the message and documents had been deleted.

The documents contained plan member information such as ID numbers, providers seen, dates of service, claim numbers, claim payment information, and medical procedure codes. While no Social Security numbers or financial information were exposed and the risk of identity theft or fraud is believed to be low, all affected individuals have been offered 12 months of complimentary identity theft protection and credit monitoring services. The employee in question has been subjected to disciplinary procedures in line with company policy.
