HIPAA Breach News

Potential Breach at Meditab Software Impacts 2 Maryland Healthcare Providers

Two healthcare providers in Maryland have been affected by a potential breach at their business associate, Meditab Software Inc.

Meditab provides EMR and practice management software to healthcare providers and its systems contain patient information. In March 2019, Meditab discovered some protected health information (PHI) had been left unprotected.

Meditab had created a portal to view statistics for its Fax Cloud services. Statistics were maintained on all faxes, but no images were stored directly on the fax server. When faxes were transmitted, a link to the fax image on a separate and secure server was temporarily available until the fax was confirmed as having been received. Once receipt was confirmed, the link was no longer available.

Usernames and passwords were required to gain access to the portal; however, in January, a Meditab programmer deactivated authentication without authorization. While authentication was disabled, a limited number of faxes containing medical information were discoverable between January 9 and March 14, 2019.

The exposed information may have included names, addresses, phone numbers, dates of birth, and medical records and treatment notes, which may include diagnoses and treatment information.

The firm recently informed Capitol Cardiology Associates (CCA) and Southern Maryland Medical Group (SMMG) that the PHI of some of their patients had been exposed.

Meditab said at no point could its analytics portal be searched or crawled by search engines, so discovering the portal would not have been easy. However, if the portal was located, an unauthorized individual could have opened the fax messages individually and had the option of downloading or printing those faxes. Meditab believes the risk of harm to patients is low.

According to the breach reports submitted to the HHS’ Office for Civil Rights, 1,980 CCA patients and 1,400 SMMG patients have been affected.

It is currently unclear whether any other healthcare providers have been affected by the breach.

The post Potential Breach at Meditab Software Impacts 2 Maryland Healthcare Providers appeared first on HIPAA Journal.

AMCA Parent Company Files for Chapter 11 Protection

Following the massive data breach at American Medical Collection Agency (AMCA) which saw more than 20 million records compromised, AMCA’s parent company, Retrieval-Masters Creditors Bureau Inc., has filed for Chapter 11 protection.

The data breach affected individuals who had received medical testing services from Quest Diagnostics, LabCorp, or BioReference Laboratories. Hackers gained access to the web payment portal used by AMCA and accessed and stole the sensitive personal and financial data of patients. The hackers had access to its payment page for more than 7 months before the breach was detected.

The cost of recovering from a breach on this scale is considerable. So far, AMCA has mailed more than 7 million breach notification letters to affected individuals at a cost of $3.8 million. A further $400,000 has been spent on hiring IT consultants to assist with the breach response.

The data breach caused a cascade of events that led to the bankruptcy filing. Retrieval-Masters Creditors Bureau CEO Russell Fuchs lent AMCA $2.5 million to help cover the cost of mailing the breach notification letters. Fuchs explained in the court filing that the firm had incurred “enormous expenses that were beyond the ability of the debtor to bear.”

Retrieval-Masters was formed in 1977 by Russell Fuchs and was initially focused on small-dollar debt collections for direct mail marketers but has since moved into patient receivables. The company now helps companies recover non-medical and medical debt. Retrieval-Masters stated in the filing that it had reduced staff numbers from 113 to 25 at the end of 2018.

The Chapter 11 filing in the Southern District of New York stated the company is seeking to liquidate assets and liabilities as high as $10 million to cover the rising costs of the cyberattack.

The filing also sheds some light on how the breach was detected.

The breach was first reported on databreaches.net, which had been contacted by researchers at Gemini Advisory who had identified a batch of stolen credit cards and Social Security numbers on a darknet marketplace. Gemini Advisory analysts were able to tie the data to AMCA and issued a notification.

The filing stated AMCA learned about the breach after being notified that a large number of credit cards tied to its payment portal had been used to make fraudulent purchases.

There are still many questions that have not yet been answered related to how access was gained to the payment page and whether the breach was the result of cybersecurity failures. Several state attorneys general have written to AMCA demanding answers.


Shingle Springs Health and Wellness Center Ransomware Attack Impacts 21,000 Patients

Shingle Springs Health and Wellness Center (SSHWC) in Placerville, CA, is notifying 21,513 patients that protected health information (PHI) was potentially compromised as a result of a recent ransomware attack.

SSHWC learned on April 7, 2019 that its server infrastructure had been compromised and ransomware had been deployed. As a result of the attack, all computer systems were rendered inoperable and access to patient data and essential files was blocked.

An investigation was immediately launched and the cyberattack was reported to the Federal Bureau of Investigation and the Indian Health Service. SSHWC has now installed new servers and is fast-tracking system upgrades and workstation updates across all departments.

The ransomware attack is believed to have been conducted to extort money from SSHWC; however, files containing PHI were involved in the breach and could potentially have been compromised. Those files contained names, addresses, telephone numbers, Social Security numbers, health insurance information, provider names, dates of service, amount paid or owed, and diagnosis codes.

SSHWC is offering all affected patients 12 months of complimentary credit monitoring services.

This is the third major healthcare ransomware attack to have been reported in the past few days. Estes Park Health experienced a ransomware attack on June 2, 2019, which prevented computer systems and patient data from being accessed. An undisclosed ransom was paid for the keys to decrypt files, but some files remained locked. The attackers demanded further payment to unlock the remaining files.

Boardman, OH-based N.E.O Urology has also recently announced it has suffered a ransomware attack. The decision was taken to pay the $75,000 ransom and all files have now been recovered.

These are just three of several ransomware attacks to have been reported by healthcare organizations in the past two months. As a recent report from Malwarebytes confirms, ransomware is proving popular with hackers once again. In Q1 2019, ransomware attacks increased by 195%, and healthcare organizations accounted for a large percentage of those attacks.


Urology Practice Pays $75,000 Ransom to Regain Access to Computer Systems

Boardman, OH-based N.E.O Urology has experienced a severe ransomware attack that has impacted its entire IT system. The ransomware caused widespread file encryption and locked the healthcare provider out of its computers and patient records.

While the attack was sophisticated, the notification was not. The healthcare provider was sent a fax from the attackers which demanded a $75,000 ransom payment for the keys to unlock the encryption.

N.E.O Urology contacted its IT service provider and after assessing options and the risks, the decision was taken to pay the ransom. The IT service provider made contact with the attackers through a third party and the ransom was paid to obtain the keys to unlock the encryption. Even with the decryption keys, it took the medical practice three days to restore its computer systems due to the severity of the attack and extent of the encryption. The initial investigation suggests the attackers were based in Russia.

Payment of a ransom is not without risk. The attackers may not be able to unlock files or may choose not to do so even after the ransom is paid. The FBI’s advice is never to pay the ransom as it just encourages further attacks. However, when data cannot be recovered by any other means, there may be little choice other than payment of the ransom. N.E.O Urology informed the police department that as a result of the lack of access to its computers it was losing between $30,000 and $50,000 per day.

Ransomware attacks declined significantly throughout 2018, but Q1 2019 saw a major uptick. Ransomware attacks increased 195% in Q1 2019, according to Malwarebytes, and more than 70% of those attacks were on small businesses. Healthcare organizations are an attractive target because they need constant access to databases and patient records, and they are attacked far more often than other industry sectors.

The inability to restore files from backups and the refusal to pay a ransom can have severe consequences. Earlier this year, Brookside ENT and Hearing Center was attacked and patient records were encrypted. After refusing to pay the ransom, the attackers deleted all the encrypted files. Faced with having to rebuild the practice from scratch, the owners chose early retirement and closed the practice.

To avoid being left at the mercy of cybercriminals, it is essential to adopt a robust backup strategy: create multiple backup copies, store one copy off-site in a secure location on a non-networked device, and test your backups to make sure that file recovery is possible in the event of an attack.


Alabama Jury Awards Woman $300,000 Damages over HIPAA Breach

A woman in Alabama has been awarded $300,000 in damages after a doctor illegally accessed and disclosed her protected health information to a third party.

Plaintiff Amy Pertuit filed a lawsuit against Medical Center Enterprise (MCE) in Alabama, a former MCE physician, and an attorney over the violation of her privacy in January 2015.

According to lawyers for the plaintiff, Amy Pertuit’s husband was experiencing visitation issues and was involved in a custody battle with his former wife, Deanna Mortenson.

Mortenson contacted Dr. Lyn Diefendfer, a physician at MCE, and convinced her to obtain health information about Amy Pertuit for use against her husband in the custody battle. The information was disclosed to Mortenson’s attorney, Gary Bradshaw.

Dr. Diefendfer accessed Pertuit’s records through the Alabama Prescription Drug Monitoring Program website. Since Dr. Diefendfer had no treatment relationship with Pertuit, she was not authorized to access her medical information. The access and disclosure were violations of hospital policies and HIPAA Rules.

After discovering that her health information had been disclosed, Pertuit lodged a complaint with the Department of Health and Human Services’ Office for Civil Rights which put the hospital on notice. However, the hospital failed to implement appropriate sanctions against Diefendfer. Dr. Diefendfer is alleged to have accessed further health information in 2016 and again disclosed that information to Bradshaw.

The plaintiff’s lawyers also said that the hospital’s privacy officer had investigated Dr. Diefendfer and discovered 22 separate violations of hospital policies and HIPAA Rules.

The lawsuits filed against Dr. Diefendfer, Deanna Mortenson, and Gary Bradshaw were all settled out of court. The case against MCE went to a jury trial.

The jury unanimously found that MCE had failed to take appropriate action against Dr. Diefendfer after the discovery of the privacy violation, and awarded the plaintiff $295,000 in punitive damages and a further $5,000 as compensation for pain, suffering, and humiliation.


PHI Exposed in Union Labor Life Insurance Phishing Attack

The Ullico Inc. subsidiary, Union Labor Life Insurance (ULLI), is notifying more than 87,000 plan members that some of their protected health information (PHI) has been exposed as a result of an employee responding to a phishing email.

As is often the case in healthcare phishing attacks, the phishing email was realistic and appeared to be a genuine request from a business partner. The email contained a hyperlink which, when clicked, asked for login credentials to be entered. The employee entered the credentials, which were harvested by the attacker and used to remotely access the account.

ULLI had systems in place which alerted the information technology department to the unauthorized access. The IT department blocked third-party access to the account within 90 minutes of the account being compromised on April 1, 2019 and disconnected the device from the network. The prompt action greatly limited the potential for access to, or theft of, protected health information contained in emails and email attachments.

ULLI conducted a forensic analysis and determined that access was limited to a single email account on one device. However, that email account was confirmed to contain the PHI of plan members in emails and email attachments.

While the investigation found no evidence to suggest patient information was accessed or stolen, the possibility could not be ruled out with a sufficiently high degree of certainty.

The protected health information that was potentially compromised was limited to names, addresses, dates of birth, Social Security numbers, and some personal health information of plan members and their family members.

As a precaution, ULLI has taken the decision to offer all affected individuals 24 months of complimentary credit monitoring and identity theft protection services.

According to the breach report submitted to the Department of Health and Human Services’ Office for Civil Rights, up to 87,400 patients have been affected by the breach.


Nurse Fired over Alleged Theft and Impermissible Disclosure of PHI

A former employee of a Germantown, MD-based healthcare provider is suspected of accessing the protected health information of up to 16,542 patients and providing that information to a third party for use in fraudulent activities.

On April 10, 2019, Takai, Hoover & Hsu, P.A., which runs THH Pediatrics in Germantown, was notified by county and state police that an individual had been arrested as part of an investigation into a matter unrelated to THH.

That individual was associated with an employee of THH who is suspected of accessing and impermissibly disclosing patient information including names, dates of birth, Social Security numbers, and addresses of the parents of patients.

Immediate action was taken by THH to investigate the allegations. Access to patient data was restricted for the employee, who was placed on leave on April 16 pending the outcome of the internal and law enforcement investigations.

The former employee has not been charged at this stage and no direct evidence has been found to suggest that any patient information was taken and misused; however, THH took the decision to fire the employee on May 3, 2019 after receiving further information from law enforcement. The matter has also been reported to the Maryland Board of Nursing.

THH has hired a computer forensics company to conduct a detailed investigation of its computer systems to determine what, if any, protected health information has been accessed and whether information was copied.

Monroe County Hospital Notifies 10,970 Patients About PHI Breach at Navicent Health

Monroe County Hospital (MCH) in Forsyth, GA, is notifying 10,970 patients that some of their PHI may have been compromised in a security breach at one of its vendors.

On March 26, 2019, the hospital was informed by Navicent Health that some patient information was potentially compromised in a recent cyberattack. An unauthorized individual had gained access to the email accounts of several Navicent Health employees and potentially accessed MCH patient data. This was part of a much larger breach affecting more than 278,000 patients.

The forensic investigation revealed the following PHI may have been compromised: names, addresses, dates of birth, medical record numbers, limited health information, and, for certain individuals, driver’s license numbers or Social Security numbers.

All affected individuals were mailed notification letters on May 24.


PHI Potentially Compromised at Rosenbaum Dental Group and Kingman Regional Medical Center

Kingman Regional Medical Center (KRMC) has discovered that a flaw in its website resulted in the exposure of the protected health information (PHI) of certain patients.

KRMC became aware of the security issue on April 8, 2019 and the website was shut down while the security problem was investigated. Assisted by a third-party computer forensics company, KRMC determined that the configuration of the website was such that unauthorized individuals may have been able to gain access to patient information.

The website was housed on an isolated server, so any access to data was limited to the information stored on that server. A small subset of patients who used the website to enter information related to their care, such as when making an appointment, could have had the following information exposed: name, date of birth, and information supplied about the medical condition for which medical services were being requested.

Affected patients were notified of the breach by mail on June 7, 2019. The KRMC website has been offline now for more than 2 months. KRMC is in the process of rebuilding the website with enhanced privacy and security safeguards.

Rosenbaum Dental Group Discovers Malware Infection

Rosenbaum Dental Group is notifying some of its patients that it has discovered malware on its systems, through which unauthorized individuals may have gained access to their protected health information.

The types of information stored on the affected system included names, addresses, telephone numbers, and health insurance information.

It was not possible to determine whether patients’ PHI was compromised in the malware attack. All patients who have potentially been affected have been notified by mail and have been offered one year’s membership to credit monitoring and reporting services at no charge.

A breach notice has been submitted to the Department of Health and Human Services Office for Civil Rights, but it has yet to appear on the OCR breach portal. It is therefore currently unclear how many individuals have been affected.


Mercy Health Discovers PHI of 978 Patients Was Exposed

Mercy Health has discovered that a limited amount of patient data had been saved on a private server which was used for other activities such as online scheduling and electronic physician office check-ins. As a result, patient information could potentially have been accessed by unauthorized individuals.

The issue has been corrected and all patient information has now been secured. The investigation did not uncover any evidence of unauthorized access or data theft, but it was not possible to rule out either with a very high degree of certainty.

Patient information was accessible on the server from an unspecified date in 2014 to March 25, 2019, when the problem was detected and rectified. The security issue only affected certain individuals who had received medical services at Mercy Health facilities in Grand Rapids or Muskegon in Michigan.

The types of information potentially accessed were limited to names, addresses, email addresses, and health insurance information for the vast majority of affected individuals. A limited number of patients may also have had their Social Security number and diagnosis information exposed.

The incident has been reported to the appropriate authorities and affected individuals have been sent breach notification letters. According to the breach summary on the HHS’ Office for Civil Rights website, the protected health information of 978 patients was exposed.
