HIPAA Breach News

Class Action Lawsuit Filed Over Baystate Health Phishing Attack

In February 2019, Baystate Health experienced a phishing attack that resulted in the exposure of the protected health information (PHI) of 12,000 patients. On April 11, a class action lawsuit was filed on behalf of individuals affected by the breach.

The lawsuit was filed by attorney Kevin Chrisanthopoulos in the U.S. District Court in Springfield, MA, three days after Baystate Health announced the breach.

The lawsuit alleges plaintiffs now face an elevated risk of identity theft and fraud as a result of the phishing attack and seeks monetary damages for all patients whose PHI was exposed.

Upon discovery of the breach, Baystate Health secured its email system and launched an investigation. The investigation revealed the email accounts of nine employees had been compromised as a result of employees responding to phishing emails. The email accounts were subjected to unauthorized access and, as a result, the attacker(s) potentially gained access to patients’ PHI.

For most patients, the information exposed was limited to names, birth dates, diagnoses, treatment information, and medications. Certain patients also had their Medicare number, health insurance information, and/or Social Security number exposed. At the time of issuing notifications – April 8, 2019 – to affected patients, Baystate Health had not been able to confirm whether PHI had been viewed or copied, but no reports had been received to suggest any PHI had been misused.

As a precaution against identity theft and fraud, individuals whose Social Security number was exposed were offered complimentary credit monitoring and identity theft protection services for 12 months.

Baystate Health has taken reasonable steps to improve email security and prevent further data breaches from occurring. Those steps include providing further training for employees, with a specific focus on improving resilience to phishing attacks. Controls have also been implemented to prevent email account access from outside the organization and the frequency of email logging and log reviews has been increased.

Typically, class action lawsuits seeking damages for the exposure of PHI are only successful when it can be established, on the balance of probabilities, that harm has been suffered as a direct result of a data breach. Only in Illinois is it not necessary to establish harm has occurred as a result of the exposure of personal information for lawsuits to have standing.

“This isn’t the first time the medical center allowed confidential information to be accessed,” explained Chrisanthopoulos. “This is unconscionable, and we need to send a message that this cannot happen again.”

Baystate Health had experienced a similar phishing attack in 2016. In that incident, five employee email accounts were breached and the PHI of 13,112 patients was exposed.

The post Class Action Lawsuit Filed Over Baystate Health Phishing Attack appeared first on HIPAA Journal.

PHI Exposed Due to Webpage Misconfiguration

Inmediata Health Group Corp, a provider of clearinghouse, software, and business process solutions, has announced that the medical information of some of its clients’ patients has been accidentally exposed online.

In January 2019, Inmediata discovered that a webpage used internally by its employees had been misconfigured, which allowed search engines to access and index the page. The information accessible through the webpage was limited to names, dates of birth, genders, and medical claims information. A very limited number of individuals also had their Social Security numbers exposed.

A computer forensics company assisted with the investigation and tried to determine whether the webpage and patient information had been accessed by unauthorized individuals. No evidence was uncovered to suggest the information was subjected to unauthorized access, but the possibility could not be ruled out.

All patients whose information was exposed were notified by mail on April 22, 2019. It is currently unclear how many patients have been affected and for how long their information was exposed online.

Ransomware Attack Reported by New Jersey Orthopedic Surgeon

Paramus, NJ-based orthopedic surgeon Ronald Snyder, M.D., has learned that an office server containing patient billing information was compromised and encrypted by ransomware.

The attack took place on January 9, 2019 and prevented office staff from accessing patient files. The server was backed up regularly so it was possible to quickly restore almost all files that had been rendered inaccessible without having to pay any ransom demand.

Third-party computer forensics consultants were brought in to assist with the investigation, but it was not possible to determine whether patient information had been accessed due to damage caused by the attack.

No evidence was uncovered to suggest the attack was conducted as part of an attempt to gain access to patient information, although it was not possible to rule out data access. Consequently, all patients affected by the breach have been notified by mail.

The following types of information were stored in files on the server: Names, addresses, dates of birth, genders, co-pay amounts, patient statuses, employment statuses, telephone numbers, email addresses and, for some patients, their insurance identification number, which may have been formed using a Social Security number.

Additional safeguards have since been implemented to prevent further unauthorized access to computer equipment.

It is currently unclear how many patients have been affected.

Gardner Family Health Network Discovers Unauthorized Individual Accessed Records Room

Gardner Family Health Network has alerted 5,064 patients about the discovery that an unauthorized individual gained access to the optometry records room at its Gardner St. James clinic.

The unauthorized access was discovered on February 19, 2019. It is unclear why the room was accessed or what the individual did in the room, but it is possible the records of patients were viewed.

As a precaution, Gardner Family Health has notified all 5,064 patients whose records could potentially have been viewed. The types of information contained in the records were limited to names, addresses, dates of birth, phone numbers, medical record numbers, and appointment dates, times, and locations.

Gardner Family Health has improved physical security to prevent any similar breaches from occurring in the future.


Three Healthcare Phishing Incidents Result in Exposure of 10,000 Patient Records

National Seating and Mobility, Partners for Quality, and Alana Healthcare have all recently started notifying patients that their protected health information has been exposed as a result of phishing incidents.

3,673 Clients Impacted by Partners For Quality Phishing Attack

Partners For Quality, Inc., (PFQ), a provider of services and support for individuals with intellectual and developmental disabilities, discovered unusual activity within certain employee email accounts on February 19, 2019.

Assisted by a third-party computer forensics company, PFQ determined that three email accounts had been accessed by an unauthorized individual between January 19 and February 27, 2019. Further analysis of the compromised email accounts revealed they contained the sensitive information of clients and employees.

Clients affected by the breach had previously received services from PFQ, Allegheny Children’s Initiative Inc., Citizen Care Inc., Exceptional Adventures, or Milestone Centers Inc.

A wide range of highly sensitive protected health information was stored in the compromised email accounts, including names, dates of birth, Social Security numbers, medical record numbers, billing and claims information, health insurance information, driver’s license numbers, banking and financial account numbers, credit and debit card numbers, PINs, usernames and passwords, and diagnosis and treatment information.

While data access was possible, no reports have been received to suggest any client or employee information has been misused. All individuals for whom a valid postal address was held have been notified about the breach by mail.

PFQ has reviewed and updated its policies and procedures and has put additional safeguards in place to improve the security of sensitive information stored in its systems.

Affected individuals have been given further information on how they can protect their identities and have been advised to monitor their accounts for signs of identity theft and fraud. Despite the nature of information that was exposed, it does not appear that affected individuals are being offered credit monitoring and identity theft protection services.

According to the breach summary on the HHS’ Office for Civil Rights website, 3,673 clients were affected by the breach.

National Seating and Mobility Phishing Attack Impacts 3,800 Patients

Franklin, TN-based National Seating and Mobility (NSM), a manufacturer of seating and mobility systems, has discovered unauthorized individuals have gained access to the email accounts of some of its employees as a result of a phishing attack.

The email accounts were breached on or around February 14, 2019 and unauthorized access was promptly terminated. The quick response severely limited the time the attackers had to access emails in the accounts. NSM conducted an investigation and, assisted by third-party computer experts, determined that the email accounts contained a limited amount of client information: names, addresses, dates of birth, diagnosis/diagnostic codes, and other information related to the provision of a mobility device. Certain individuals also had their Social Security number, driver’s license number, health insurance information, Medicare/Medicaid number, and/or guarantor’s personal information exposed.

The third-party computer experts concluded on March 12, 2019, that due to the method of access, the email accounts of some employees may have been inadvertently copied during the standard email synchronization process.

While no evidence has been uncovered to suggest there has been any misuse of the exposed information, individuals affected by the breach have been offered free credit monitoring and identity theft protection services. NSM is reviewing its security measures and will take steps to enhance protections to prevent any further breaches.

The breach report submitted to the HHS’ Office for Civil Rights indicates up to 3,800 individuals were affected by the breach.

Alana Healthcare Phishing Incident Impacts 2,691 Patients

On January 17, 2019, the Nashville, TN-based care management company Alana Healthcare discovered an unauthorized individual had gained access to the email account of an employee. Assisted by a third-party computer forensics company, Alana Healthcare determined on March 14, 2019 that the email account contained sensitive information of 2,691 patients.

Names, dates of birth, Social Security numbers, and some health information were exposed and potentially subjected to unauthorized access. Affected patients have been notified by mail and have been offered credit monitoring and identity theft protection services as a precaution, although no reports have been received to suggest any patient information has been misused.

To prevent further data breaches, Alana Healthcare will be providing employees with additional training and testing on the need to protect sensitive information, and multi-factor authentication will be implemented on employee email accounts.


HHS To Apply New Caps on Financial Penalties for HIPAA Violations to Reflect Level of Culpability


The Department of Health and Human Services has issued a notification of enforcement discretion regarding the civil monetary penalties that are applied when violations of HIPAA Rules are discovered and will be reducing the maximum financial penalty for three of the four penalty tiers.

The Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 increased the penalties for HIPAA violations. The new penalties were based on the level of knowledge a HIPAA covered entity or business associate had about the violation and whether action was voluntarily taken to correct any violations.

The 1st penalty tier applies when a covered entity or business associate is unaware that HIPAA Rules were violated and, by exercising a reasonable level of due diligence, would not have known that HIPAA was being violated.

The 2nd tier applies when a covered entity knew about the violation or would have known had a reasonable level of due diligence been exercised, but when the violation falls short of willful neglect of HIPAA Rules.

The 3rd penalty tier applies when there was willful neglect of HIPAA Rules, but the covered entity corrected the problem within 30 days.

The 4th tier applies when there was willful neglect of HIPAA Rules and no efforts were made to correct the problem in a timely manner.

The maximum penalty across all four tiers was set at $1.5 million for violations of an identical provision in a single calendar year.

On January 25, 2013, the HHS implemented an interim final rule (IFR) and adopted the new penalty structure, but believed at the time that there were inconsistencies in the language of the HITECH Act with respect to the penalty amounts. The HHS determined at the time that the most logical reading of the law was to apply the same maximum penalty cap of $1,500,000 across all four penalty tiers.

The HHS has now reviewed the language of the HITECH Act and believes a better reading of the requirements of the HITECH Act would be for the annual penalty caps to be different in three of the four tiers to better reflect the level of culpability. The minimum and maximum amounts in each tier will remain unchanged.

New Interpretation of the HITECH Act’s Penalties for HIPAA Violations

Penalty Tier | Level of Culpability | Minimum Penalty per Violation | Maximum Penalty per Violation | Old Maximum Annual Penalty | New Maximum Annual Penalty
--- | --- | --- | --- | --- | ---
1 | No Knowledge | $100 | $50,000 | $1,500,000 | $25,000
2 | Reasonable Cause | $1,000 | $50,000 | $1,500,000 | $100,000
3 | Willful Neglect – Corrective Action Taken | $10,000 | $50,000 | $1,500,000 | $250,000
4 | Willful Neglect – No Corrective Action Taken | $50,000 | $50,000 | $1,500,000 | $1,500,000

The HHS will publish its notification in the Federal Register on April 30, 2019. The HHS notes that its notification of enforcement discretion creates no legal obligations and no legal rights. Consequently, it is not necessary for it to be reviewed by the Office of Management and Budget.

The new penalty caps will be adopted by the HHS until further notice and will continue to be adjusted annually to account for inflation. The HHS expects to engage in further rulemaking to review the penalty amounts to better reflect the text of the HITECH Act.


Medical Billing Service Provider Suffers Ransomware Attack 7 Months After Computer Breach

Doctors’ Management Service Inc., a Massachusetts-based provider of medical billing services, discovered on December 24, 2018 that malicious software had been downloaded to its network which prevented files from being accessed.

An investigation into the security incident was initiated, which determined that GandCrab ransomware had been deployed. Files were recovered from backups and no ransom was paid.

The investigation also revealed that the individual responsible for installing the ransomware had first gained access to its systems on April 1, 2017, 7 months before the ransomware was deployed. Access to the network was gained via Remote Desktop Protocol (RDP) on one of its workstations.

Parts of the network that were subjected to unauthorized access contained the protected health information of patients of its clients, which included names, addresses, dates of birth, Social Security numbers, insurance information, Medicare/Medicaid ID numbers, driver’s license numbers, and some diagnostic information.

The attack appeared to have been timed to ensure the attack would not be immediately detected. The deployment of ransomware could have been an attempt to extort money after the hackers’ other objectives had been achieved.

Doctors’ Management Service explained in its breach notification letter that no unauthorized server access was detected until the ransomware was deployed on December 24, and the forensic investigation did not uncover any evidence of data access or exfiltration of patient data, although the forensic investigators could not rule out the possibility of data theft.

Third-party computer security experts have been consulted and have made recommendations on how network security can be improved. The company will implement additional controls to prevent further security breaches and staff will continue to be educated on security threats.

Impacted clients and patients have been notified about the incident and the breach has been reported to the Department of Health and Human Services’ Office for Civil Rights. The breach summary has yet to appear on the OCR breach portal, so it is unclear how many individuals have been impacted.


Email Hacking Incidents Result in Exposure of 8,600 Patients’ PHI

Three more healthcare organizations have discovered unauthorized individuals have gained access to the email accounts of employees and potentially accessed patients’ protected health information. In total, across the three incidents, the PHI of 8,635 patients has been exposed.

PHI of 5,319 Patients of Center for Sight and Hearing Exposed

Rockford, IL-based Center for Sight and Hearing discovered on January 23, 2019 that an unauthorized individual had gained access to the email account of an employee. The investigation revealed the account was compromised on January 18 and the account contained the PHI of 5,319 patients.

A third-party computer forensics company confirmed on February 21, 2019 that names, addresses, and scheduling information were contained in the compromised account. To improve security, Center for Sight and Hearing has implemented a new password management system and multi-factor authentication.

2,290 Patients Notified About Harbor Behavioral Health Phishing Attack

Harbor Behavioral Health, a network of counselling and mental health treatment centers in Northwest Ohio, discovered on February 13, 2019 that an unauthorized individual had gained access to the email account of an employee.

Assisted by a third-party computer forensics firm, Harbor determined that the hacker had access to the account for three months between December 2018 and February 2019 and that a further email account had also been compromised.

In both cases, unauthorized access to the accounts was immediately terminated and the accounts were secured. An analysis of the compromised accounts revealed they contained information such as names, dates of birth, health insurance details, and information related to the services provided by Harbor. The Social Security numbers and driver’s license numbers of a limited number of patients were also exposed. In total, the compromised email accounts contained the PHI of 2,290 patients.

Complimentary credit monitoring and identity theft protection services have been offered to all patients whose Social Security number or driver’s license number was exposed.

In addition to securing the accounts, Harbor has strengthened controls to prevent unauthorized access from external IP addresses, increased log reviews and the frequency of automated alerts, and has strengthened its security processes. Additional training has also been given to employees to help them detect and avoid phishing emails.

1,026 Individuals Impacted by Dakota County Email Account Breach

Dakota County, MN, has discovered the email account of an employee has been hacked and accessed by an unauthorized individual. The email account breach was discovered on February 13, 2019 and the account was immediately secured.

As a precaution, a forced password reset was performed on all employee email accounts to ensure no other accounts could be accessed, although the investigation confirmed that only a single account had been compromised. Third-party cybersecurity consultants were retained to conduct an investigation into the breach and confirmed the account had been accessed. It was not possible to determine whether any emails had been opened or copied.

The compromised account contained information maintained by Dakota County Social Services, including names, addresses, Social Security numbers, driver’s license numbers, health insurance information, medical histories, diagnoses, and treatment information.

Complimentary identity protection services have been offered to individuals affected by the breach and notification letters were sent on April 12, 2019. Dakota County has also strengthened its email security defenses to prevent further attacks.


Washington State University Settles Class Action Data Breach Lawsuit for $4.7 Million

A $4.7 million settlement has recently been approved by the King County Superior Court to reimburse individuals whose personal information was stolen from Washington State University in April 2017.

Washington State University had backed up personal information on portable hard drives which were stored in a safe in a self-storage locker. On April 21, 2017, the university discovered a break-in had occurred at the storage facility and the safe had been stolen. The hard drives contained the sensitive personal information of 1,193,190 individuals. Most of the files on the hard drives were not encrypted.

The drives contained the types of information sought by identity thieves: Names, contact information, and Social Security numbers, in addition to health data of patients, college admissions test scores, and other information. The information dated back around 15 years and had been collected by the WSU Social and Economic Sciences Research Center for a research project.

While the hard drives were stolen, Washington State University maintains there are no indications that any data stored on the devices has been accessed or misused. Some of the plaintiffs named in the lawsuit alleged they have suffered identity theft or fraud as a result of the breach, but the university maintains that such cases were not the result of the stolen hard drives. The decision was taken to settle the lawsuit to save money: the settlement, while high, is believed to be far lower than the continued cost of legal action.

In January 2019, a settlement of $5.26 million was agreed by the WSU Board of Regents. While the final settlement is lower, it does not include the cost of credit monitoring and identity theft protection services for individuals impacted by the breach. In addition to the settlement amount, Washington State University will cover the cost of two years of credit monitoring and identity theft protection services for up to 1,193,190 patients impacted by the breach.

The final cost will depend on the number of individuals who submit claims. WSU will accept claims of up to $5,000 from individuals impacted by the breach to cover out-of-pocket expenses and lost time, provided those costs can be proven. The fund for covering those claims is $3.5 million. If that total is exceeded, claim amounts will be reduced pro rata. Approximately $800,000 has been set aside to cover attorneys’ fees and a further $650,000 will cover administrative costs. Washington State University was covered by a cyber-liability insurance policy, which will cover the settlement.

The university has also agreed to update policies and procedures and enhance security. Backup data will now be stored in a more secure location, data security assessments and audits will be conducted regularly, and additional training will be provided to staff. IT contracts in relation to the research project will be cancelled and those functions will be handled in house, and archived data from the research project will be permanently destroyed.

The settlement highlights the importance of using encryption to protect stored data, especially data stored on portable electronic devices. If an encrypted device is lost or stolen, the data cannot be accessed, and under HIPAA such an incident would not be classed as a reportable breach.


Unsecured Database of Addiction Service Provider Potentially Contained Records of 145,000 Patients

A database containing highly sensitive information of patients who had previously sought treatment for addiction at rehabilitation centers has been discovered to be freely accessible over the internet.

The database contained approximately 4.91 million records which related to an estimated 145,000 patients of the Levittown, PA-based addiction rehabilitation service provider Steps to Recovery.

The unsecured database was discovered on March 24, 2019 by Justin Paine, Director of Trust and Safety at Cloudflare. Following the discovery, Paine notified Steps to Recovery and its hosting provider on March 24. No reply was received from Steps to Recovery, but its hosting company made contact and the database has now been secured and is no longer accessible online.

Paine had performed a search on the Shodan search engine to identify unsecured databases and devices. According to Paine, the Elasticsearch database contained two indexes holding more than 1.45 GB of data. The information could be accessed by anyone over the internet without any authentication. The database was exposed online for more than two years, from the middle of 2016 to the end of 2018.

The types of information contained in the database included patients’ names, details of the treatments and services received at Steps to Recovery, the dates those services were provided, locations visited by patients, and billing information.

Paine was also able to obtain further information on patients with simple Google searches using information contained in the database. For a small sample of patients, Paine was able to discover information such as ages, dates of birth, email addresses, and possible contact telephone numbers.

The number of patients impacted by the breach has yet to be confirmed by Steps to Recovery and the incident is not yet listed on the Department of Health and Human Services’ Office for Civil Rights Breach portal. It is unclear if any other individuals found the database during the time it was accessible online.


60,000 Records Exposed in EmCare Phishing Attack

The Dallas, TX-based physician staffing company EmCare has announced that it has suffered a data breach that has impacted approximately 60,000 individuals, 31,000 of whom were patients.

The exposed information was contained in emails and email attachments in employee email accounts that were accessed by an unauthorized individual after several employees responded to phishing emails and disclosed their email credentials. It is unclear from EmCare’s breach notice when the breach occurred and how long the attackers had access to the email accounts.

The breach was discovered on February 19, 2019. An investigation was launched and, assisted by a third-party computer forensics company, it was discovered that the compromised email accounts contained information about patients, employees, and contractors. The following information was saved in email accounts and was potentially accessed or copied by the attackers: Names, dates of birth, driver’s license numbers, Social Security numbers, demographic information, and clinical information.

The investigation did not uncover evidence to suggest patient or employee information was accessed or exfiltrated by the attackers, although the possibility could not be ruled out. No reports have been received to suggest that patient or employee information has been misused to date.

EmCare is offering one year of credit monitoring and identity theft protection services at no cost to individuals whose Social Security number or driver’s license number was potentially compromised.

Notification letters were sent to affected individuals on April 19, 2019, 59 days after the discovery of the breach and a day before the HIPAA Breach Notification Rule reporting deadline.

EmCare has responded to the breach by implementing a range of “advanced IT solutions” and employees have been provided with further training on email security.
