HIPAA Breach News

Delta Health Systems Alerts Plan Members to Exposure of SSNs Over Internet

Employees of Turlock Irrigation District in California who are members of their employer-sponsored health plan are being notified that some of their protected health information has been exposed online as a result of an error at a business associate.

Delta Health Systems (DHS) provides administrative services related to the health plan and requires access to certain protected health information. Some of that information was made accessible over the internet through a link to a DHS webpage.

The error was made by a third-party website developer. Although the website had been configured to restrict access to the document, a conflicting setting that granted general access took precedence over the restriction.

Affected plan members have been told that their billing statement for their employer-sponsored health plan could have been accessed by unauthorized individuals during the time it was accessible over the internet. The billing statement contained the plan member’s first and last name, employer’s name and address, DHS ID number, and Social Security number.

All affected members have been offered one year of free credit monitoring and identity theft protection services through Experian.

The issue was identified and corrected on April 18, 2019. It was not possible to determine when the error was introduced and for how long plan members’ personal information was exposed. It was not possible to determine whether any unauthorized individuals accessed the billing statements while they were unprotected.

In addition to correcting the problem, DHS has contacted search engines to request the removal of all cached content. DHS is also revising its security policies and procedures and has built a new, more secure website that lacks the software that was misconfigured.

The incident has been reported to the California Attorney General but has not yet been listed on the HHS’ Office for Civil Rights website, so it is currently unclear how many plan members have been affected.

Ellwood City Medical Center Investigating Cyberattack

Officials at Ellwood City Medical Center, in Ellwood City, PA, are currently investigating a cyberattack that compromised part of its systems. The attack appears to have started on or around Saturday May 27, although at this stage, no further information has been released. Analyses are ongoing to determine whether any patient records have been compromised.

The cyberattack comes at a time when the Americore Health-owned medical center is embroiled in problems associated with billing and payroll and is being investigated over late payments of wages to staff.

The post Delta Health Systems Alerts Plan Members to Exposure of SSNs Over Internet appeared first on HIPAA Journal.

AMCA Data Breach Tally Passes 20 Million as BioReference Laboratories Added to List of Impacted Entities

The total number of victims of the American Medical Collections Agency (AMCA) data breach has now passed 20 million, as yet another healthcare organization has been confirmed as being affected by the breach.

New Jersey-based laboratory and clinical testing company BioReference Laboratories is the latest confirmed victim, with approximately 422,600 of its customers having had their personal information exposed in the AMCA data breach.

BioReference Laboratories joins Quest Diagnostics/Optum360 (11.9 million records) and LabCorp (7.7 million records), with the total number of compromised records now standing at 20,022,600 records. That number may well continue to grow as the investigation progresses and more healthcare entities are notified that their data has also been compromised.

BioReference Laboratories confirmed the breach in an 8-K filing with the Securities and Exchange Commission (SEC) on Monday. The OPKO Health subsidiary was notified that it had been impacted by the breach on June 3, 2019.

The breach at AMCA occurred between August 1, 2018 and March 30, 2019, during which time hackers had access to the AMCA web payment page, which included data of several healthcare clients.

Patients who had received BioReference Laboratories testing services had the following information compromised: Name, address, phone number, date of birth, date of service, email address, provider information, balance information, and bank account information. No Social Security numbers, medical information, test results, or passwords/security questions and answers were exposed.

AMCA has confirmed that approximately 6,600 customers of BioReference Laboratories whose financial information has been exposed have been notified by AMCA and offered complimentary credit monitoring and identity theft protection services for 2 years.

As is the case with the other affected entities, only basic information has so far been provided by AMCA. No company affected by the breach has so far been provided with full details of the individuals affected, so breach notification letters cannot yet be sent.

BioReference Laboratories said it is attempting to obtain further information about the breach from AMCA and when that information is received additional steps will be taken. BioReference Laboratories notes that no collection requests have been sent to AMCA since October 2018 and a request has been submitted to AMCA to stop working on any pending collections requests.

Several state Attorneys General have confirmed that they have launched investigations and have contacted AMCA and the breached entities demanding further information.

“This data breach is yet another example of how fragile our information infrastructure is, and how vulnerable all of us are to cyber hacking,” said Michigan Attorney General Dana Nessel. “Here in Michigan, we continue to rely on media reports that alert us to these terrible situations because – unlike most other states – we have no law on the books that requires that our office be notified when a breach occurs.”

Nessel is particularly concerned about the length of time hackers had access to the AMCA payment page before the breach was detected and that the attack appears to have been conducted specifically to obtain sensitive patient information, which places affected individuals at a high risk of fraud.

New York Attorney General Letitia James, Minnesota Attorney General Keith Ellison, and North Carolina Attorney General Josh Stein have also confirmed that they have started investigating the data breach. Two New Jersey senators have also demanded answers from New Jersey-based Quest Diagnostics. However, it appears that the affected companies are still very much in the dark about what exactly has happened and who has been affected. Only limited information has been provided as AMCA continues to investigate.

AMCA has confirmed it has already taken steps to improve security, including taking its web payments page offline, migrating its services to another third-party vendor, and hiring a cybersecurity firm to assess its protections and install additional security measures. Third-party forensics experts are continuing to investigate the breach and identify other data that may have been affected.


Misconfigured University of Chicago Medicine ElasticSearch Instance Exposed More Than 1.68 Million Records

It is certainly a week of massive data breaches. 11.9 million Quest Diagnostics records were exposed, 7.7 million records at LabCorp have potentially been compromised, and now University of Chicago Medicine has discovered more than 1.68 million of its records have been exposed.

The records were stored on a misconfigured ElasticSearch server from which access protections had been removed, allowing it to be reached over the internet without any authentication. The exposed database contained 1,679,993 records of donors and prospective donors.

The exposed database was discovered by Security Discovery researcher Bob Diachenko on May 28. Diachenko had performed a search using the search engine Shodan to identify unsecured databases. Even though awareness has been raised following the discovery of a large number of exposed ElasticSearch instances and other NoSQL databases in recent months, Security Discovery researchers are still identifying between 5 and 10 ‘big cases’ of unsecured databases every month.

The latest find was a sizable cluster containing 34GB of data. The cluster, named data-ucmbsd2, had been indexed by Shodan and could be accessed over the internet by anyone. The database contained a range of information including names, addresses, phone numbers, email addresses, dates of birth, gender, marital status, wealth information and current financial status, and notes about past communications.

Diachenko determined that the data belonged to UC Medicine and notified the organization; the ElasticSearch instance was secured within 48 hours.

UC Medicine has issued a statement confirming a comprehensive forensic investigation was conducted, which determined the database was not subjected to unauthorized access other than by Diachenko. Diachenko confirmed that he only accessed some of the records to determine who they belonged to and did not download the database. Fortunately, the window of opportunity was short. Diachenko discovered the database one day after it had been indexed by Shodan.

ElasticSearch instances should be configured so they are only accessible over an internal network, and authentication controls should be implemented to ensure only authorized individuals have access. Misconfigurations do not only place data at risk of theft; there have also been instances where the lack of authentication has allowed attackers to encrypt databases with ransomware or delete all stored data outright.
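As an added illustration, not configuration from UC Medicine or from any source the article cites, the two settings that make the difference between an exposed and a protected cluster, shown first as an exposed elasticsearch.yml and then as a hardened one. The setting names are those of the default (non-OSS) Elasticsearch 6.8/7.x distribution; the cluster name, private address, and certificate paths are assumed.

```yaml
# elasticsearch.yml, EXPOSED (do not use): every interface, no authentication
cluster.name: donor-db                 # assumed name
network.host: 0.0.0.0                  # listens on all interfaces; with a public IP the node is internet-reachable
http.port: 9200
xpack.security.enabled: false          # anyone who can reach port 9200 can read, overwrite or delete every index

---
# elasticsearch.yml, HARDENED: private interface only, credentials required, TLS on both ports
cluster.name: donor-db
network.host: 10.0.5.21                # assumed private address; use _local_ on a single host that needs no remote clients
http.port: 9200
discovery.seed_hosts: ["10.0.5.22", "10.0.5.23"]   # assumed peers on the same private network
xpack.security.enabled: true           # every HTTP and transport request must be authenticated
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12   # assumed path
xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/http.p12                        # assumed path
```

After enabling security, set the built-in account passwords with `bin/elasticsearch-setup-passwords interactive` before starting any client. Binding to anything other than loopback puts the node into production mode, so the bootstrap checks must pass, and port 9200/9300 should still be filtered at the host or network firewall so the private address is not reachable from outside. The check a practitioner wants: from a host outside the private network, `curl -s https://<node>:9200/` should return an HTTP 401 rather than the cluster banner, and a Shodan or Censys search for the organization's address space should not list the node.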


Up to 7.7 Million Patients of LabCorp Impacted by AMCA Breach

Following the news that the data breach at American Medical Collection Agency (AMCA) exposed the records of 11.9 million Quest Diagnostics patients, comes news of another healthcare company that has been affected by the breach.

On June 4, 2019, LabCorp, another national network of blood testing centers, announced that 7.7 million individuals whose blood samples were processed by the company may have had their sensitive information exposed.

As was the case with Quest Diagnostics, LabCorp disclosed the breach through a U.S. Securities and Exchange Commission (SEC) filing. LabCorp said it had been notified by AMCA that its data had also been exposed as a result of the cyberattack on AMCA’s web payment portal, which saw hackers gain access to the system between August 1, 2018 and March 30, 2019. LabCorp said AMCA held data on 7.7 million of its customers.

According to the AMCA website, the company manages more than $1 billion in annual receivables for a diverse client base, which includes “laboratories, hospitals, physician groups, billing services, and medical providers all across the country.”

It is therefore unsurprising that another healthcare organization has announced that it too has been impacted by the data breach at AMCA. It is likely that over the course of the next few days and weeks there will be several other announcements by healthcare organizations that have also been impacted by the breach.

The number of healthcare records known to have been exposed is now 19.6 million and only two healthcare companies have so far announced that they have been affected.

The LabCorp data did not include Social Security numbers, unlike Quest Diagnostics, but did include names, addresses, phone numbers, dates of birth, dates of service, provider information, balance information, and some banking and credit card information. LabCorp notes that no diagnostic information, medical test results, or insurance information were provided to AMCA. As was the case with Quest Diagnostics, LabCorp has stopped using AMCA for billing collections.

Around 200,000 individuals whose financial information was exposed are being notified by AMCA and have been offered 2 years of credit monitoring and identity theft protection services. LabCorp has not yet received full details on the individuals that have been impacted by the breach, so notifications to other customers cannot yet be issued.

As reported yesterday, Gemini Advisory discovered around 200,000 credit cards listed for sale on a darknet marketplace and tipped off AMCA to the breach. Those credit card numbers were not from LabCorp customers as the data set included Social Security numbers, which were not provided by LabCorp to AMCA.


AMCA Data Breach Impacts 12 Million Quest Diagnostics Patients

A hacker has gained access to the systems of Elmsford, NY-based billing collections company American Medical Collection Agency (AMCA) and potentially viewed and copied the protected health information of 11.9 million patients of Quest Diagnostics.

Quest Diagnostics is one of the largest blood testing laboratories in the United States but is just one entity that uses AMCA services. It is possible that the breach could be much larger and impact patients of other healthcare organizations. At almost 12 million records, it is already the second largest healthcare data breach ever to be reported, behind Anthem’s 78.8 million record data breach of 2015.

The data breach first came to light in May 2019 when researchers at Gemini Advisory notified databreaches.net that they had discovered the payment card details of around 200,000 patients listed for sale on a darknet marketplace. Gemini Advisory determined that the credit card details came from AMCA and appeared to have been obtained between September 2018 and March 2019.

Gemini Advisory notified AMCA about the potential breach, although no response was received. The matter was then reported to law enforcement which contacted AMCA to confirm that a breach had occurred.

AMCA provides billing collection services to Optum360, which is a business associate of Quest Diagnostics and a unit of the health insurer UnitedHealth Group. AMCA notified Quest Diagnostics and the revenue cycle management vendor Optum360 about the breach on May 14, 2019.

AMCA said a breach had occurred that resulted in the exposure of patient data between August 1, 2018 and March 30, 2019. Computer forensics experts have been retained to investigate the breach and determine exactly how many patients had been affected and the investigation is ongoing. AMCA suspects around 11.9 million Quest patients have been impacted by the breach. AMCA also confirmed the compromised system contained data from entities other than Quest Diagnostics.

The hackers gained access to systems containing information such as names, personal information, Social Security numbers, financial information, and medical information, although no laboratory test results were compromised.

While Quest Diagnostics and Optum360 have been made aware of the scale of the breach, they have not yet received full information about the patients that have been affected. Quest Diagnostics also said it has not yet been able to verify the accuracy of the information provided by AMCA.

Quest Diagnostics has issued a statement saying it is working closely with Optum360 and will send notification letters to all affected individuals when AMCA provides full details of the breach.


7 Month Data Breach Discovered by Communities Connected for Kids

Port St. Lucie, FL-based Communities Connected for Kids (CCK) has discovered an unauthorized individual gained access to databases containing the protected health information of child clients, their parents and staff members.

The breach was identified when suspicious activity was detected in the databases by one of its third-party vendors. An external computer forensics expert was hired to conduct an investigation which revealed access to the databases was first gained in August 2018. The breach was detected in March 2019 and access to the databases was promptly blocked.

During the 7 months that the individual had access to the databases, a range of sensitive information was potentially viewed and downloaded.

The information exposed varied from individual to individual, but may have included name, contact information, date of birth, Social Security number, financial information, family information, Medicaid number, medical record number, prescription information, health insurance information, and medical and clinical information such as diagnoses and treatment information.

According to the breach report submitted to the Department of Health and Human Services’ Office for Civil Rights, 501 individuals were impacted by the breach. That figure may rise, as CCK is still conducting a review of the databases to determine the individuals whose information has been exposed. Once all individuals have been identified, notification letters will be sent, and affected individuals will be provided with free identity theft protection services.

CCK has identified the vulnerabilities which were exploited to gain access to the databases and is working hard to address those issues to ensure that security is improved and further breaches are prevented.

New York Health and Human Services Agency Breach Impacts 1,000 Individuals

People Inc., a not-for-profit health and human services agency in Western New York which provides services to seniors and individuals with developmental disabilities, has experienced a phishing attack that has impacted approximately 1,000 individuals.

An investigation was launched on February 19, 2019 following the discovery of unauthorized access to its systems. A forensic investigation confirmed that an unauthorized individual had gained access to two employee email accounts after they responded to phishing emails.

Emails and attachments in the compromised accounts were discovered to include protected health information including names, addresses, Social Security numbers, insurance information, driver’s license numbers, government ID numbers, medical information and financial information. At this stage, no information has been received to suggest any patient information has been misused.

People Inc. is offering affected individuals free credit monitoring services for one year. The HHS will be notified when People Inc. has confirmed the exact number of individuals affected. The FBI has already been notified about the breach.


Health Quest Patients Notified of Historic Phishing Breach

Health Quest has announced it has suffered a phishing attack that has resulted in the exposure of certain patients’ protected health information.

The breach affected its affiliates Health Quest Medical Practice, Health Quest Urgent Care and Hudson Valley Newborn Physician Services, and the exposed information related to medical services provided to patients of those affiliates.

According to the breach notice on the Health Quest website, on April 2, 2019, Health Quest learned that patient information was contained in emails and email attachments in several employee email accounts that had been compromised as a result of a phishing attack.

Compromised protected health information included names, diagnoses, treatment information, dates of service, provider names, health insurance claims information and other information related to services received between January 2018 and June 2018.

When the breach was detected, the accounts were secured, and a leading cybersecurity firm was engaged to assist with the investigation. Health Quest has since implemented multi-factor authentication and has strengthened email security to prevent further breaches. Breach notification letters are being mailed to affected individuals and should be received by June 10, 2019.

While the time frame for sending notifications appears to be in line with HIPAA requirements (April to June), the phishing attack actually occurred and was detected in July 2018.

According to Health Quest, “On January 25, 2019, Health Quest Affiliates identified email attachments that contained certain health information, and on April 2, 2019, were determined to contain patient information.”

Notification letters were therefore sent 11 months after the email accounts were compromised, and five months after it was first determined that some health information had been exposed. It is unclear why it took so long to determine that the compromised accounts contained PHI.

Breach Reporting Delays Can Prove Costly

There have been several breaches reported recently where the breaches have occurred several months previously, and notifications have only been issued after investigations have been completed.

Naturally, it is not possible to send notifications to affected individuals until those individuals have been identified, but the HHS is quite clear about the requirement to report breaches promptly and within 60 days of the discovery of the breach.

The discovery date is the date when the breach is discovered, not the date when the total number of individuals affected has been determined. For breaches affecting 500 or more individuals, OCR must be notified within 60 days of discovery (smaller breaches may be logged and reported annually), and addenda can be added to the breach report when further information becomes available, such as the total number of affected individuals.

State attorneys general and OCR have taken action against organizations in the past over delayed breach notifications and have issued regulatory fines.


Data Breaches Reported by TriHealth, Centura Health, and Columbus Community Hospital

The Cincinnati-based health system TriHealth is alerting 2,433 patients about an impermissible disclosure of their protected health information (PHI) to a student mentee.

The student was acting under the direct supervision of a former TriHealth physician and accessed patient information for a potential research project. On June 8 and June 9, 2018, the student was provided with patient information including first and last names, dates of birth, ethnicity, life status, cancer diagnosis information, and zip codes.

TriHealth does not believe that there were any further uses or disclosures of patient information nor that any patient information has been misused. PHI was accessed solely in relation to the potential research project.

Since the student was not an approved TriHealth workforce member, access to patient information was prohibited. As such, this was an impermissible disclosure of patient information which warranted breach notifications to be issued to affected patients. Those notification letters have now been sent.

In its website breach notice, TriHealth said all employees are educated on the hospital’s privacy policies when they are hired and are required to undergo annual re-training. In the event of a violation of hospital policy, corrective action is taken which can include discharge from employment. That process was followed in this case.

Centura Health Email Compromise Impacts 7,515 Patients

The Centennial, CO-based health system Centura Health is alerting 7,515 patients about an email security incident that exposed some of their PHI.

Centura Health discovered the breach on April 16, 2019 and promptly secured the affected email account. A forensic investigation confirmed that the account had been accessed by an unauthorized individual who may have viewed or obtained patient information contained in emails and email attachments. No evidence was uncovered to suggest PHI has been accessed, stolen, or misused, but patients are being notified as a precaution. Letters started to be sent on May 22, 2019.

Patients affected by the breach had some or all of the following information exposed: Name, date of birth, demographic information, medical record number, account number, dates of service, treating physician, services received, medical device supplied, and other clinical information. No health insurance information, financial data, or Social Security numbers were exposed.

Centura Health has taken steps to reduce the risk of further email security breaches, including re-educating the workforce on email security, establishing and using strong passwords, and strengthening email security protections.

Phishing Attack Reported by Columbus Community Hospital

Columbus Community Hospital in Columbus, WI, is alerting certain patients that some of their PHI has been exposed as a result of a phishing attack on one of its business associates.

On April 8, 2019, the claims management service provider OS, Inc., notified Columbus Community Hospital that an unauthorized individual had gained access to the email account of one of its employees and may have viewed patient information.

The information in the compromised account includes names, hospital account numbers, insurer names, summaries of charges, and categories of service. A limited number of patients also had their insurance ID number and/or Social Security number exposed. No evidence of data access, theft, or misuse has been identified to date.

OS, Inc. provides claims management services to several hospitals. It is currently unclear whether the breach was limited to Columbus Community Hospital or if patients of other hospitals have also been affected.

The breach has yet to appear on the HHS’ Office for Civil Rights website so it is not yet known how many individuals have been affected.


Multi-State Action Results in $900,000 Financial Penalty for Medical Informatics Engineering

Medical Informatics Engineering (MIE) is required to pay a financial penalty of $900,000 to resolve a multi-state action over HIPAA violations related to a breach of 3.9 million records in 2015. The announcement comes just a few days after the HHS’ Office for Civil Rights settled its HIPAA violation case with MIE for $100,000.

MIE licenses a web-based electronic health record application called WebChart and its subsidiary, NoMoreClipboard (NMC), provides patient portal and personal health record services to healthcare providers that allow patients to access and manage their health information. By providing those services, MIE and NMC are business associates and are required to comply with HIPAA Rules.

Between May 7 and May 26, 2015, hackers gained access to a server containing data related to its NMC service. Names, addresses, usernames, passwords, and sensitive health information were potentially accessed and stolen.

A lawsuit was filed in December 2018 alleging MIE and NMC had violated state laws and several HIPAA provisions. 16 state attorneys general were named as plaintiffs in the lawsuit: Arizona, Arkansas, Connecticut, Florida, Indiana, Iowa, Kansas, Kentucky, Louisiana, Michigan, Minnesota, Nebraska, North Carolina, Tennessee, West Virginia, and Wisconsin.

The plaintiffs’ investigation into the breach revealed hackers had exploited several vulnerabilities, MIE had poor password policies in place, and security management protocols had not been followed.

Under the terms of the consent judgement, in addition to the financial penalty, MIE must implement and maintain an information security program and deploy a security information and event management (SIEM) solution to allow it to detect and respond quickly to cyberattacks.

Data loss prevention technology must be deployed to prevent the unauthorized exfiltration of data, controls must be implemented to prevent SQL injection attacks, and activity logs must be maintained and regularly reviewed.

Password policies must be implemented that require the use of strong, complex passwords and multi-factor authentication and single sign-on must be used on all systems that store or are used to access ePHI.

Additional controls need to be implemented covering the creation of accounts that have access to ePHI. MIE must refrain from using generic accounts that can be accessed via the Internet and no generic accounts are allowed to have administrative privileges.

MIE is also required to comply with all the administrative and technical safeguards of the HIPAA Security Rule and states’ deceptive trade practices acts with respect to the collection, maintenance, and safeguarding of consumers’ protected health information. Reasonable security policies and procedures must be implemented and maintained to protect that information. MIE must also provide appropriate training to all employees regarding its information security policies and procedures at least annually.

In addition, MIE is required to engage a third-party professional to conduct an annual risk analysis to identify threats and vulnerabilities to ePHI each year for the next five years. A report of the findings of that risk analysis and the recommendations must be sent to the Indiana Attorney General within 180 days and annually thereafter.

The consent judgement has been agreed by all parties and resolves the alleged HIPAA violations and violations of state laws. The consent judgement now awaits court approval. The consent judgement can be found on the website of the Florida Office of the Attorney General – PDF.
