HIPAA Breach News

Lawsuit Alleges Hospital Worker Disclosed Information about Woman’s Sexual Assault to her Attacker

A lawsuit has been filed against Atchison Hospital in Kansas by a sexual assault victim who alleges an X-ray technician at the hospital contacted her attacker and disclosed sensitive information about the treatment she received at the hospital.

According to the Kansas City Star, after being raped, the woman sought treatment at the hospital. She underwent a rape kit examination, and allegedly made it clear to the hospital that she did not want her health information to be disclosed to third parties.

Against the patient’s wishes, and in violation of the HIPAA Privacy Rule, a female X-ray technician at the hospital disclosed information about the examination to the attacker. The technician also told the man that he had been accused of sexually assaulting the patient.

Following the disclosure, the man repeatedly harassed and threatened the patient by phone and text message over the following weeks. In addition to receiving a barrage of abuse from her attacker, the lawsuit claims the woman was also harassed by hospital staff.

A complaint was filed with the hospital over the privacy violation and an internal investigation was launched. The medical records system was checked to determine whether there had been any unauthorized accessing of her medical records and interviews were conducted with staff members.

No evidence was uncovered to suggest the woman’s electronic medical records had been accessed inappropriately, but the hospital concluded the X-ray technician had viewed the woman’s medical information in the hospital’s health information department. The hospital confirmed to the woman that the X-ray technician was not part of her care team and was not authorized to view her records.

The hospital apologized for the privacy breach and reviewed and updated its policies and procedures to reduce the risk of a similar incident recurring.

The X-ray technician was fired from the hospital over the privacy violation and was subsequently hired by Saint Luke’s Cushing Hospital. According to the patient’s attorneys, details of the former employee’s conduct were not disclosed to Cushing Hospital and a positive reference was provided. The patient’s attorneys claim the hospital did not do enough to communicate the reason for termination to the former employee’s prospective new employer.

Hospital CEO John Jacobson issued a statement to the Atchison Globe, saying “Patient confidentiality at Atchison Hospital and our ability to protect personal information is a top priority of ours… we are deeply disturbed by the actions of this former employee. In fact, when we were made aware of this situation, we took immediate steps to investigate and within two days, we terminated this individual’s employment.”

The lawsuit accuses the hospital of having inadequate policies in place to protect against the unauthorized accessing of patient information and claims the hospital was negligent, there was an invasion of the patient’s privacy, and the hospital breached its fiduciary duty. The lawsuit seeks punitive damages.

The post Lawsuit Alleges Hospital Worker Disclosed Information about Woman’s Sexual Assault to her Attacker appeared first on HIPAA Journal.

Phishing Attack Reported by Verity Health’s St. Vincent Medical Center

St. Vincent Medical Center, a part of Verity Health System, has discovered a web email account has been compromised as a result of a response to a phishing email.

The breach occurred on March 15, 2019 and involved the email account of a hospital pathologist. The compromise was not detected until March 26, eleven days later; the account was secured within hours of detection.

During the time that the unauthorized individual had access to the account, it was used to send phishing emails to internal and external email addresses. Those messages contained malicious attachments and hyperlinks. According to a substitute breach notice provided to the California Attorney General, no other employee accounts were breached as a result of misuse of the email account.

While the intention of the attacker appears to have been to obtain login credentials to other email accounts, during the time that the account was accessible, full access to emails, folders, and email attachments was possible. The investigation into the breach could not confirm whether any patient information in emails and email attachments had been accessed or copied by the attacker.

A review of those emails confirmed they contained the PHI of certain patients including names, addresses, phone numbers, dates of birth, Social Security numbers, medical record numbers, dates of service, medical conditions, treatments provided, lab test results, and health plan names.

Upon discovery of the breach, unauthorized access to the account was terminated and all phishing emails sent from the account were removed from the email system. Employees discovered to have clicked on links in the emails also had their email accounts disabled and secured.
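What a detection for this kind of mailbox abuse looks like in practice, as an added example that is not code from the original article or from Verity Health: it parses a constructed message-trace log in a hypothetical CSV layout, finds the largest one-hour burst of outbound mail per sender, and flags senders whose burst is large and either fans out to several external domains or repeats one subject and attachment to every recipient. The internal domain, the log format and the thresholds are assumptions made for the example; a real deployment would read the mail gateway's own trace format and tune thresholds against a baseline.

```python
"""Flag a mailbox that has started blasting identical lures to many recipients.

Added example; not part of the original article or of Verity Health's tooling.
The message-trace format (timestamp,sender,recipient,subject,attachment) and the
internal domain are assumptions made for this example.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

INTERNAL_DOMAIN = "hospital.example"   # assumed internal mail domain

# Constructed sample trace: a pathologist's mailbox behaves normally on the 14th,
# then on the 15th sends the same lure with the same attachment to a mix of
# internal and external addresses within a few seconds.
SAMPLE_TRACE = """\
timestamp,sender,recipient,subject,attachment
2019-03-14T09:02:00,pathologist@hospital.example,oncology@hospital.example,Path report 4471,report.pdf
2019-03-14T15:40:00,pathologist@hospital.example,refclinic@clinic.example,Slide review,
2019-03-15T08:05:00,pathologist@hospital.example,radiology@hospital.example,Secure document,invoice.html
2019-03-15T08:05:01,pathologist@hospital.example,billing@hospital.example,Secure document,invoice.html
2019-03-15T08:05:02,pathologist@hospital.example,jdoe@partner-lab.example,Secure document,invoice.html
2019-03-15T08:05:03,pathologist@hospital.example,it-help@hospital.example,Secure document,invoice.html
2019-03-15T08:05:04,pathologist@hospital.example,amy@vendor.example,Secure document,invoice.html
2019-03-15T08:05:05,pathologist@hospital.example,ceo@otherhospital.example,Secure document,invoice.html
2019-03-15T08:05:06,pathologist@hospital.example,lab@thirdparty.example,Secure document,invoice.html
2019-03-15T08:05:07,pathologist@hospital.example,nurse1@hospital.example,Secure document,invoice.html
2019-03-15T09:00:00,nurse1@hospital.example,pharmacy@hospital.example,Med order,
"""


def parse_trace(text):
    """Parse the CSV trace into dicts with a datetime timestamp."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "ts": datetime.fromisoformat(row["timestamp"]),
            "sender": row["sender"].lower(),
            "recipient": row["recipient"].lower(),
            "subject": row["subject"],
            "attachment": row["attachment"],
        })
    return rows


def largest_burst(msgs, window):
    """Return the longest run of messages whose timestamps all fit in `window`."""
    msgs = sorted(msgs, key=lambda r: r["ts"])
    best, start = [], 0
    for end in range(len(msgs)):
        while msgs[end]["ts"] - msgs[start]["ts"] > window:
            start += 1
        if end - start + 1 > len(best):
            best = msgs[start:end + 1]
    return best


def find_bulk_senders(rows, window=timedelta(hours=1), min_messages=5,
                      min_external_domains=3):
    """Return one finding per sender whose largest burst looks like a phishing run.

    A burst is suspicious when it is big enough and either fans out to several
    external domains or repeats the same subject/attachment to every recipient.
    Thresholds are illustrative; tune them against a real baseline.
    """
    by_sender = defaultdict(list)
    for r in rows:
        by_sender[r["sender"]].append(r)

    findings = []
    for sender, msgs in by_sender.items():
        burst = largest_burst(msgs, window)
        if len(burst) < min_messages:
            continue
        external = sorted({r["recipient"].split("@", 1)[1] for r in burst
                           if not r["recipient"].endswith("@" + INTERNAL_DOMAIN)})
        identical_lure = len({(r["subject"], r["attachment"]) for r in burst}) == 1
        if len(external) >= min_external_domains or identical_lure:
            findings.append({
                "sender": sender,
                "first_seen": burst[0]["ts"].isoformat(),
                "messages": len(burst),
                "external_domains": external,
                "identical_lure": identical_lure,
            })
    return findings


if __name__ == "__main__":
    for finding in find_bulk_senders(parse_trace(SAMPLE_TRACE)):
        print(finding)
```

Run against the sample, the pathologist's account is reported on the morning of March 15 with eight messages, four external domains and an identical lure, while the nurse's single message is ignored. The same logic applied to real gateway logs would have raised the alert on the day of the compromise rather than eleven days later.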

Verity Health System has experienced multiple phishing attacks in the past few months. This incident follows two attacks in late December 2018 and another in January 2019. The January attack affected almost 15,000 patients.

Verity Health has now implemented further email security controls to block malicious emails along with multi-factor authentication. Individuals involved have been provided with counseling and re-education and a new security module has been deployed.

It is unclear at this stage exactly how many patients have been affected by the phishing attack on St. Vincent Medical Center.

Phishing Attack Impacts 1,100 Spectrum Health Lakeland Patients

For the second time in the space of two months, Spectrum Health Lakeland has announced that a breach has exposed the protected health information (PHI) of some of its patients. The previous breach occurred at Wolverine Services Group and impacted around 60,000 of its patients.

The latest incident involved an unauthorized individual gaining access to an email account as the result of a response to a phishing email. As with the last breach, the incident occurred at a business associate.

OS, Inc., a provider of billing services, discovered an unauthorized individual had gained access to an email account of one of its employees. The email account was discovered to contain the PHI of approximately 1,100 Spectrum Health Lakeland patients.

OS, Inc. discovered a potential breach on December 21, 2018 after suspicious activity was detected within an employee email account. A third-party computer forensics expert was hired to assist with the investigation and found no evidence to suggest that any PHI in emails and attachments had been accessed or stolen. However, it was not possible to rule out data access or exfiltration with a sufficiently high level of certainty.

Consequently, the breach was determined to be a reportable incident and notifications to patients were warranted. The email account contained a limited amount of patient information such as names, addresses, health services provided, dates of service, diagnoses, and the names of health insurance providers.

Spectrum Health Lakeland was notified about the breach on March 8, 2019 and has been working with technology experts to determine the full extent and nature of the breach. Spectrum Health Lakeland will continue to use the business associate and has been working closely with the company to ensure additional protections are implemented to prevent any further breaches.

Even though Social Security numbers and other highly sensitive information were not exposed, the decision was taken to offer affected individuals identity theft protection and resolution services free of charge for 12 months through Experian IdentityWorks.

Key Findings of the 2019 Verizon Data Breach Investigations Report

Today sees the release of the 2019 Verizon Data Breach Investigations Report. This is the 12th edition of the report, which contains a comprehensive summary of data breaches reported by public and private entities around the globe.

The extensive report provides in-depth insights and perspectives on the tactics and techniques used in cyberattacks and detailed information on the current threat landscape. The 2019 Verizon Data Breach Investigations Report is the most comprehensive report released by Verizon to date and includes information from 41,686 reported security incidents and 2,013 data breaches from 86 countries. The report was compiled using data from 73 sources.

The report highlights several data breach and cyberattack trends. Some of the key findings of the report are detailed below:

  • C-suite executives are 12 times more likely to be targeted in social engineering attacks than other employees
  • Cyberespionage attacks increased from 13% of incidents in 2018 to 25% in 2019
  • Financially motivated breaches fell from 76% to 71%
  • Phishing is involved in 32% of breaches and 78% of cyberespionage incidents
  • 90% of malware arrived via email
  • 60% of web application attacks were on cloud-based email servers
  • Most email threats and BEC attacks only resulted in data breaches because multi-factor authentication had not been implemented
  • 52% of cyberattacks involve hacking
  • 34% of attacks involved insiders
  • 43% of cyberattacks were on small businesses
  • Ransomware is the second most common type of malware and accounts for 24% of incidents involving malware
  • There has been a six-fold decrease in attacks on HR personnel
  • Misconfiguration of cloud platforms accounted for 21% of breaches caused by errors

C-Suite Executives Beware!

C-suite executives are being extensively targeted by cybercriminals and for good reason. They are likely to have high-level privileges, so their accounts and credentials are more valuable. Compromised email accounts can be used for social engineering, phishing, and BEC attacks on other members of the organization and vendors.

C-suite executives are 12 times more likely to be the target of social engineering incidents and 9 times more likely to be the target of social engineering breaches. These figures show just how important it is for C-suite executives to receive regular security awareness training.

These attacks are part of a trend of cybercriminals choosing the path of least resistance. Why invest time and money in hacking a company when an email can be sent to the CEO or CFO requesting a fraudulent transfer? Hacking a C-suite email account and using it to send wire transfer requests is simple, effective, and highly profitable.

Figures from the FBI, a new DBIR partner in 2019, show that the median loss from a BEC attack is a few thousand dollars, but the distribution has a very long tail: half of all BEC attacks lose less than the median, while the other half lose anywhere from the median up to $100 million. 12% of all breaches were the result of business email compromise attacks.

Cyberattacks on the Healthcare Industry

The 2019 DBIR included 466 healthcare cybersecurity incidents, 304 of which involved confirmed data disclosures.

Out of all the industry sectors analyzed, healthcare was the only one in which more breaches were caused by insiders than by external threat actors: 59% involved insiders compared with 42% involving external actors (the figures overlap because some breaches involved both). Breaches of medical information are 14 times more likely to be caused by doctors and nurses.

The primary motive for attacks on the healthcare industry was financial gain (83%), followed by fun (6%), convenience (3%), because a grudge was held (3%), and espionage (2%). 72% of breaches involved medical data, 34% involved personal information, and 25% involved credential theft.

81% of the 304 confirmed healthcare data breaches fell into just three patterns: miscellaneous errors (such as misconfiguration and misdelivery), privilege misuse, and web application attacks.

Across all industries, ransomware accounted for 24% of incidents involving malware, but in healthcare it accounted for 70% of malware incidents. Part of the difference is reporting: ransomware attacks are, in most cases, reportable breaches under HIPAA, whereas in other sectors many attacked companies choose not to report the incident and quietly pay the ransom, so the true figures elsewhere may well be much higher.

Patterns Identified in Healthcare Data Breaches

Pattern                  Data breaches
Miscellaneous Errors     97
Privilege Misuse         85
Web Applications         65
Lost and Stolen Assets   28
Everything Else          27
Cyber-Espionage           2
Point of Sale             2
Crimeware                 1
Denial of Service         0

Causes of Healthcare Data Breaches

Action involved   Incidents   Data breaches
Error                 124             110
Misuse                110              85
Hacking               100              78
Social                 91              78
Malware                85               7
Physical Theft         47              17

American Indian Health & Services and Madison Parish Hospital Discover Impermissible PHI Disclosures by Employees

American Indian Health & Services, the operator of a community health clinic in Santa Barbara, CA, has discovered a former employee forwarded emails containing the sensitive data of certain employees, patients, and vendors to a personal email account, in violation of HIPAA Rules.

The incident was detected on March 7, 2019. An analysis of the email account revealed that the former employee, who was still employed at the clinic at the time, had forwarded emails to her personal email account between March 26 of the previous year and February 6, 2019.

The emails contained names, billing information, provider names and locations, dates of service, amounts paid/owed for services provided, health insurance and payor information, and Medicare/Medicaid and/or Medi-Cal numbers.

The incident has been reported to law enforcement, state, and federal regulators and affected individuals have been notified by mail. No reports of misuse of patient information have been received to date, but as a precaution against identity theft and fraud, affected individuals have been offered 12 months of credit monitoring and identity theft restoration services at no cost.

It is currently unclear how many current and former patients have been affected by the incident.

Madison Parish Hospital Service District Discovers PHI of 1,436 Patients was Impermissibly Disclosed

Madison Parish Hospital Service District is notifying 1,436 patients of Madison Parish Hospital and its clinic in Tallulah, LA, that some of their protected health information has been impermissibly disclosed to a third-party.

According to the breach notice uploaded to the hospital website, an employee of the hospital was discovered to have accessed a list of patients and disclosed that list to a third-party.

Few details of the breach have been made public, so it is unclear who the third party was, the types of information that were disclosed, or the reason for the disclosure.

Madison Parish Hospital believes the information was sent confidentially and there have been no further disclosures of the received information. According to the breach notice, the incident was discovered on February 20, 2018. The timing of the notification suggests this may have been a typo and the incident occurred in February 2019.

Ransomware Attack Reported by American Baptist Homes of the Midwest

American Baptist Homes of the Midwest (ABHM), a provider of assisted living and assisted care facilities throughout the U.S. Midwest, has reported a security breach involving the use of ransomware on its network.

The attack began on or around March 10, 2019. It was detected promptly, but only after the encryption routine had started. The attack was stopped and the affected accounts were secured, but not in time to prevent widespread file encryption. The encrypted files contained the records of many ABHM clients.

ABHM’s clinical and billing systems were not affected, only general file systems and email accounts. The attack is believed to have been conducted with the sole purpose of extorting money from ABHM, although given the level of access needed to install the ransomware, unauthorized access to protected health information could not be ruled out. No evidence of data theft or misuse of PHI has been found to date.

The types of information stored on the compromised servers and systems included individuals’ names and addresses in combination with the following data elements: Social Security numbers, financial information, diagnoses, lab test results, medications and some other medical information.

The attack affected the following locations:

Colorado:

  • Health Center at Franklin Park, Denver
  • Mountain Vista Senior Living, Wheat Ridge

Iowa:

  • Crest Services – Cedar Rapids; Des Moines; Harlan; Ottumwa; and Chariton
  • Elm Crest Senior Living, Harlan

Minnesota:

  • Crest Services- Albert Lea
  • Thorne Crest Senior Living, Albert Lea

Nebraska:

  • Maple Crest Health Center, Omaha

South Dakota:

  • Trail Ridge Senior Living, Sioux Falls

Wisconsin:

  • Tudor Oaks Senior Living, Muskego

Assisted by a third-party data forensics company, ABHM was able to successfully remove the ransomware from its systems and restore encrypted data from backups.

To improve security and prevent further cyberattacks, ABHM engaged the services of a cybersecurity expert who conducted an in-depth risk assessment to identify potential risks and vulnerabilities.

Technical security measures have now been implemented to enhance security. Those measures include the strengthening of password requirements, the use of rate limiting to prevent brute force attacks on its systems, and a 24/7 security monitoring system to safeguard all ABHM data.
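The rate limiting mentioned above is easy to get wrong if it is keyed on only one thing. The following is an added example, not ABHM's implementation and with illustrative thresholds, of a sliding-window login throttle keyed on both the account and the source address, together with three constructed attack patterns that show why both keys are needed: a brute force against one account from one address, a password spray (one guess per account from one address), and a distributed brute force (many addresses against one account).

```python
"""Sliding-window login throttle keyed on both the account and the source address.

Added example; not ABHM's implementation, and the thresholds are illustrative.
Keying on the account alone misses a password spray (one guess per account from
one address); keying on the source alone misses a distributed brute force (many
addresses against one account). The simulations below show the difference.
"""
from collections import defaultdict, deque


class LoginThrottle:
    def __init__(self, per_account=5, per_source=20, window_seconds=600):
        self.per_account = per_account
        self.per_source = per_source
        self.window = window_seconds
        self._account_failures = defaultdict(deque)   # account -> failure timestamps
        self._source_failures = defaultdict(deque)    # source address -> timestamps

    def _prune(self, q, now):
        # Drop failures that have aged out of the window.
        while q and now - q[0] > self.window:
            q.popleft()

    def check(self, account, source, now):
        """Call before verifying the password. Returns (allowed, reason)."""
        acct_q = self._account_failures[account.lower()]
        src_q = self._source_failures[source]
        self._prune(acct_q, now)
        self._prune(src_q, now)
        if len(acct_q) >= self.per_account:
            return False, "account"
        if len(src_q) >= self.per_source:
            return False, "source"
        return True, ""

    def record_failure(self, account, source, now):
        self._account_failures[account.lower()].append(now)
        self._source_failures[source].append(now)

    def record_success(self, account):
        # A correct password clears the account's counter; the source counter
        # is kept, because a spray can include successful guesses.
        self._account_failures.pop(account.lower(), None)


def simulate(attempts, **throttle_kwargs):
    """Replay (time, account, source, password_ok) tuples; return outcome counts."""
    throttle = LoginThrottle(**throttle_kwargs)
    counts = {"allowed": 0, "blocked_account": 0, "blocked_source": 0}
    for now, account, source, password_ok in attempts:
        allowed, reason = throttle.check(account, source, now)
        if not allowed:
            counts["blocked_" + reason] += 1
            continue
        counts["allowed"] += 1
        if password_ok:
            throttle.record_success(account)
        else:
            throttle.record_failure(account, source, now)
    return counts


# Constructed attack patterns: one attempt per second, every password wrong.
def single_account_brute_force(n=50):
    return [(t, "jsmith", "203.0.113.7", False) for t in range(n)]


def password_spray(n_accounts=50):
    return [(t, f"user{t}", "203.0.113.7", False) for t in range(n_accounts)]


def distributed_brute_force(n=50):
    return [(t, "jsmith", f"198.51.100.{t}", False) for t in range(n)]


if __name__ == "__main__":
    for scenario in (single_account_brute_force, password_spray,
                     distributed_brute_force):
        print(scenario.__name__, simulate(scenario()))
```

With the defaults, the single-account and distributed attacks are stopped by the per-account limit after five guesses, and the spray is stopped by the per-source limit after twenty. Two caveats a practitioner would add: a hard per-account lockout lets an attacker lock a legitimate user out on purpose, so throttling or increasing delays is usually preferable to a permanent lock, and neither control substitutes for multi-factor authentication when the password has already been phished.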

All affected individuals have now been notified by mail and the incident has been reported to law enforcement and the HHS’ Office for Civil Rights (OCR).

The incident has yet to appear on the OCR breach portal so it is currently unclear exactly how many individuals have been affected by the breach.

3,193 Employees and Dependents Affected by Bodybuilding.com Data Breach

The bodybuilding and personal fitness website Bodybuilding.com has announced it has experienced a security incident that may have resulted in the information of customers and employees being accessed by unauthorized individuals.

While the breach affecting customers was not a reportable incident under HIPAA, HIPAA does cover group health plans, so bodybuilding.com was required to report the breach of group health plan members’ PHI to the Office for Civil Rights.

The breach was discovered in February 2019 when suspicious activity was detected on its network. A formal breach investigation was launched which revealed access to the network was gained as a result of an employee falling for a phishing scam.

While the data of customers and employees is not believed to have been obtained by unauthorized individuals as a result of the phishing attack, the possibility could not be ruled out.

The breach has now been resolved and its systems have been secured. A forced password reset was performed for all users of the website as a precaution. For customers, the information potentially obtained was limited to names, email addresses, addresses, phone numbers, birth dates, profile information, order histories, billing and shipping addresses, and communications with the company.

Current and former employees of the Idaho-based fitness retailer who are members of the company’s group health plan had some of their employment-related information exposed. The breach also affected enrollees’ dependents and beneficiaries. The exposed information included names, contact information, dates of birth, Social Security numbers, government ID numbers, group health plan subscriber information, claims information, and procedure codes.

The breach investigation was concluded on April 19, and all affected employees have been notified about the exposure of their PHI out of an abundance of caution. No reports of data misuse have been received to date.

The breach summary has recently appeared on the Department of Health and Human Services’ Office for Civil Rights breach portal, which indicates 3,193 current and former employees, dependents, and beneficiaries have been affected by the breach.

Touchstone Medical Imaging Fined $3 Million by OCR for Extensive HIPAA Failures

The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced a settlement has been reached with the Franklin, TN-based diagnostic medical imaging services company, Touchstone Medical Imaging. The settlement resolves multiple violations of HIPAA Rules discovered by OCR during the investigation of a 2014 data breach.

Touchstone Medical Imaging has agreed to a settlement of $3,000,000 to resolve the violations and will adopt a corrective action plan (CAP) to address its HIPAA compliance issues. The high settlement amount reflects widespread and prolonged noncompliance with HIPAA Rules. OCR alleged 8 separate violations across 10 HIPAA provisions. The settlement resolves the HIPAA case with no admission of liability.

On May 9, 2014, Touchstone Medical Imaging was informed by the FBI that one of its FTP servers was accessible over the Internet and allowed anonymous connections to a shared directory. The directory contained files that included the protected health information (PHI) of 307,839 individuals.

As a result of the lack of access controls, files had been indexed by search engines and could be found by the public with simple Internet searches, and because search engines had already indexed the content, patient information remained accessible over the Internet even after the server was taken offline. The failure to secure the server constituted a violation of 45 C.F.R. § 164.312(a)(1).
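The FBI's finding is the kind of thing an organization can check for itself. The following is an added example, not code from the original article nor from Touchstone or OCR, of an audit check that attempts an anonymous FTP login with the standard-library ftplib and, if it succeeds, lists the landing directory and flags filenames that look like bulk exports. The filename heuristic, the hostname ftp.example and the two stand-in server classes are assumptions made so the check runs offline; against a real server, leave ftp_factory at its default.

```python
"""Audit whether an FTP server accepts anonymous logins and what it lists.

Added example; not part of the original article, nor of Touchstone's or OCR's
material. Uses only the standard-library ftplib. `ftp_factory` lets the check
run against the stand-in servers defined below so it works offline; in real
use leave it at the default ftplib.FTP and pass the host you are auditing.
"""
import ftplib
import re
from dataclasses import dataclass, field

# Filenames that deserve a closer look when found in a world-readable share.
# Illustrative heuristic for this example, not an authoritative list.
SENSITIVE_NAME = re.compile(
    r"patient|ssn|dob|claim|export|backup|\.(?:csv|xls|xlsx|sql|bak)$", re.I)


@dataclass
class FtpExposure:
    host: str
    anonymous_login: bool = False
    listing: list = field(default_factory=list)
    sensitive: list = field(default_factory=list)
    error: str = ""

    @property
    def severity(self):
        if not self.anonymous_login:
            return "ok"
        # Anonymous login is a finding even with an empty or refused listing:
        # any file whose name is known or guessable is still downloadable.
        return "critical" if self.sensitive else "high"


def check_anonymous_ftp(host, port=21, timeout=5.0, ftp_factory=ftplib.FTP):
    """Try an anonymous login and, if it succeeds, list the landing directory."""
    result = FtpExposure(host=host)
    ftp = ftp_factory()
    try:
        ftp.connect(host, port, timeout)
        ftp.login()                       # ftplib's default user is 'anonymous'
        result.anonymous_login = True
        try:
            result.listing = ftp.nlst()
        except ftplib.error_perm as exc:  # listing denied but login still allowed
            result.error = f"listing refused: {exc}"
        result.sensitive = [n for n in result.listing if SENSITIVE_NAME.search(n)]
    except ftplib.error_perm as exc:      # e.g. 530: anonymous login refused
        result.error = str(exc)
    except OSError as exc:                # connection refused, timeout, DNS failure
        result.error = f"connect failed: {exc}"
    finally:
        try:
            ftp.quit()
        except Exception:
            pass                          # nothing useful to do if QUIT fails
    return result


# Constructed stand-ins for a real server, so the check can run offline.
class OpenShareServer:
    """Behaves like a server exposing an export directory to anonymous users."""
    def connect(self, host, port=21, timeout=None):
        pass

    def login(self, user="", passwd="", acct=""):
        pass

    def nlst(self, *args):
        return ["readme.txt", "patients_2014_export.csv", "images/"]

    def quit(self):
        pass


class LockedServer(OpenShareServer):
    """The same server after anonymous access has been disabled."""
    def login(self, user="", passwd="", acct=""):
        raise ftplib.error_perm("530 Login incorrect.")


if __name__ == "__main__":
    for server in (OpenShareServer, LockedServer):
        r = check_anonymous_ftp("ftp.example", ftp_factory=server)
        print(server.__name__, r.severity, r.sensitive, r.error)
```

Two points the check makes deliberately: a successful anonymous login is reported as a finding even when the directory listing is empty or refused, since known filenames remain downloadable, and closing the share does nothing about copies that search engines have already indexed, which is why the Touchstone data stayed reachable after the server went offline.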

The security breach was reported to OCR, but Touchstone initially claimed that no PHI had been exposed. OCR launched an investigation into the breach and during the course of that investigation Touchstone admitted that PHI had in fact been exposed. The types of information that could be accessed over the internet included names, addresses, dates of birth, and Social Security numbers.

In addition to the impermissible disclosure of 307,839 individuals’ PHI, a violation of 45 C.F.R. § 164.502(a), OCR discovered the security breach had not been properly investigated until September 26, 2014, several months after Touchstone was first notified about the breach by the FBI and after notification had been given to OCR. The delayed breach investigation was a violation of 45 C.F.R. § 164.308(a)(6)(ii).

As a result of the delayed investigation, affected individuals did not receive notifications about the exposure of their PHI until 147 days after the breach was discovered, well in excess of the Breach Notification Rule’s 60-day maximum for issuing notifications. The delayed breach notices were a violation of 45 C.F.R. § 164.404. Similarly, a media notice was not issued about the breach for 147 days, in violation of 45 C.F.R. § 164.406.

During the course of its investigation, OCR discovered that Touchstone had failed to complete a thorough, organization-wide risk analysis to identify all risks to the confidentiality, integrity, and availability of ePHI, a violation of 45 C.F.R. § 164.308(a)(1)(ii)(A).

OCR also identified two cases of Touchstone having failed to enter into a business associate agreement with vendors prior to providing access to systems containing ePHI.

OCR cites the use of an IT services company, MedIT Associates, and of a third-party data center, XO Communications, without BAAs as violations of 45 C.F.R. §§ 164.502(e)(2), 164.504(e), and 164.308(b).

In addition, XO Communications was still being used without a business associate agreement in place at the time of the settlement, in continuing violation of 45 C.F.R. § 164.308(b).

“Covered entities must respond to suspected and known security incidents with the seriousness they are due, especially after being notified by two law enforcement agencies of a problem,” said OCR Director Roger Severino.  “Neglecting to have a comprehensive, enterprise-wide risk analysis, as illustrated by this case, is a recipe for failure.”

The settlement comes just a few days after OCR announced it has reduced the maximum financial penalties for three of the four HITECH Act tiers of HIPAA violations. This settlement confirms that while minor HIPAA violations may now attract lower financial penalties, when serious violations of HIPAA Rules are discovered and healthcare organizations fail to take prompt action to correct violations, the financial penalties can be considerable.

Mailing Error Sees Inmediata Breach Notification Letters Sent to Incorrect Addresses

Following a security incident that resulted in the exposure of PHI, Inmediata sent notification letters to affected individuals. However, several individuals have reported receiving notification letters in the mail addressed to other people.

The incident that prompted the notifications was a webpage used internally by Inmediata employees that had been accidentally set to allow it to be indexed by search engines. Consequently, the webpage could be found using Internet searches and the PHI of its customers’ patients could be accessed.

The forensic investigation did not find evidence to suggest the webpage was subjected to unauthorized access during the time it was accessible online; however, the possibility could not be ruled out.

Through the webpage, unauthorized individuals could have accessed the following information: patients’ names, addresses, dates of birth, gender, doctors’ names, and medical claim information. A small number of individuals also had their Social Security number exposed.

Inmediata started sending notification letters to affected individuals on April 22, 2019 but something appears to have gone awry when sending those letters. Several individuals have reported receiving misaddressed letters.

The state of Michigan’s Consumer Protection Division received two such reports from state residents who received letters intended for other individuals. Databreaches.net also received multiple reports from consumers who had received letters in error.

Such an error could have occurred as a result of individuals moving home and the data not being updated. Some of the comments suggest that the data had been held for some time: several letters were addressed to women using their maiden name, and in one case the letter used a last name that the recipient had used only once, at an encounter with a healthcare provider 25 years earlier.

The misaddressed letters only disclosed an individual’s name to others at an address. While that is unlikely to result in harm to patients directly, the mailing error means some individuals will not have received letters and will be unaware that their PHI has been exposed. Consequently, they would not know to take steps to protect their identities.

Michigan Attorney General Dana Nessel and Department of Insurance and Financial Services (DIFS) Director Anita G. Fox issued a statement about the breach highlighting steps that affected individuals can take to protect themselves against identity theft and fraud, although the breach was not confined to Michigan residents.

The letters have also left many individuals confused about who Inmediata is and why the company has their data, an issue that has arisen in the past when other business associates have issued breach notification letters.

A copy of the breach notification letter on the California Attorney General’s website (PDF) states that “In January 2019, Inmediata became aware that some of its member patients’ electronic patient health information was publicly available online as a result of a webpage setting that permitted search engines to index pages that are part of an internal website we use for our business operations.”

Greater clarity about who the company is and why an individual’s data was held would have avoided such confusion.

“It would have been nice if they would have explained how they had [my wife’s] data in the first place since we have never heard of them,” wrote one commenter on the databreaches.net report, a sentiment echoed by several other commenters.

Further information on the mailing error will be made available here as and when it becomes available.
