HIPAA Breach News

Minnesota DHS Suffers Another Phishing Attack: State IT Services Struggling to Cope with Barrage of Attacks

The Minnesota Department of Human Services (DHS) has discovered another employee email account has been compromised as a result of a phishing attack. The latest incident has only just been reported, although the breach occurred on or before March 26, 2018.

Three Phishing Attacks: 31,800 Records Exposed

The breach is in addition to two other phishing attacks that saw email accounts compromised in June and July of 2018. Those attacks were announced in October 2018 and resulted in the exposure of 20,800 Minnesotans’ PHI. The March 26 email account compromise saw the PHI of 11,000 Minnesotans exposed.

The March phishing attack allowed the attacker to gain access to the email account of an employee of the Direct Care and Treatment Administration. Emails were then sent from that account to co-workers requesting that wire transfers be made. The email requests were flagged as suspicious and were reported to MNIT, which secured the account. No wire transfers were made.

During the time that the account was accessible, the attacker potentially accessed emails in the account which included protected health information. MNIT was unable to determine whether any PHI had been viewed or copied. The account contained information such as names, contact information, dates of birth, treatment data, legal histories, and two Social Security numbers. No reports of misuse of PHI have been received.

Minnesota IT Services (MNIT) reported the breach to the FBI and, on April 9, 2019, DHS notified the Department of Health and Human Services’ Office for Civil Rights, the Office of the Legislative Auditor, credit reporting agencies, the media, and state senate and house representatives. Individual notices have also been sent to all individuals affected by the breach.

Since being notified about the breach, DHS hired a contractor to assess the contents of the email account to check for protected health information. Due to the number of emails in the account, that process took some time to complete. DHS says the account review was completed on March 21, 2019.

It is unclear from the DHS breach notification letter when the breach was discovered. DHS said MNIT provided details of the breach investigation on February 15, 2019. While breach notifications were issued to affected individuals within 60 days of DHS discovering the breach, in compliance with HIPAA, there was a major delay in the breach being reported to DHS by MNIT.

It took four months before notifications were issued to alert individuals about the previous two phishing attacks, and more than a year for individuals affected by this phishing attack to be notified.

State Government Agencies Suffer 700 Security Incidents in 10 Months

A senate hearing took place in October last year following the announcement of the other two phishing attacks. At the hearing it was made clear that MNIT was simply not prepared for the volume of cyberattacks and lacked the resources to deal with them.

MNIT explained at the hearing that more than 700 security incidents involving state government agencies had to be dealt with by MNIT up to October 2018, including 150 phishing attacks. On average, state employees were sent 22 phishing emails a day.

Up to October, the state government had experienced 80 cyberattacks that required manual analysis and 240 sets of employee credentials had been compromised. At the hearing, MNIT CISO Aaron Call explained that “the frequency and profitability of attacks are increasing, and the cybercriminals are getting more funding.”

Since receiving notification about the latest breach, DHS has implemented additional security measures to prevent further phishing attacks. These include a tool that blocks links and email attachments in emails sent to state employees. DHS says the tool would have prevented this and past breaches from occurring.

Policies and procedures have also been revised at DHS and MNIT has said it is now immediately reporting breaches to agency data practices or privacy staff to allow them to analyze the incidents to determine whether data have been exploited. DHS has said it is continuing to provide employees with training to help them identify increasingly sophisticated cyberattacks against DHS.

The post Minnesota DHS Suffers Another Phishing Attack: State IT Services Struggling to Cope with Barrage of Attacks appeared first on HIPAA Journal.

PHI of 17,531 Patients Potentially Compromised in Business Associate Phishing Attack

Women’s Health USA Inc., an Avon, CT-based business associate that provides a range of practice management services to healthcare organizations, has experienced a phishing attack that has resulted in the exposure of patients’ protected health information.

An investigation was launched following the discovery of suspicious activity within certain employee email accounts. The affected email accounts were secured, and a leading cybersecurity firm was engaged to assist with the investigation and determine the nature and extent of the breach.

The investigation confirmed that the email accounts of two employees had been accessed by unauthorized individuals as a result of the employees responding to phishing emails and disclosing their email credentials. The first email account breach occurred on April 5, 2018 and the second account was breached on August 13, 2018.

A review of the emails and email attachments in the accounts revealed they contained a limited amount of protected health information. The exposed information varied from patient to patient but may have included name, date of birth, Medicare Health Insurance Claim Number (HICN), health insurance policy number, diagnosis information, treatment information, and Social Security number.

Women’s Health USA notified all affected healthcare provider clients about the breach on March 15, 2019 and started sending breach notification letters to all affected patients on March 29, 2019.

All employees have been provided with further training to help them identify phishing emails and to improve awareness of other cybersecurity issues. Additional security measures have also been implemented to enhance email security.

The phishing attack and data breach have been reported to the Department of Health and Human Services’ Office for Civil Rights. The breach summary indicates 17,531 patients were affected by the breach.

The post PHI of 17,531 Patients Potentially Compromised in Business Associate Phishing Attack appeared first on HIPAA Journal.

PHI of 23,811 Palmetto Health Patients Exposed in Phishing Attack

Palmetto Health, now Prisma Health, has experienced a phishing attack that has resulted in several email accounts being accessed by unauthorized individuals.

Emails were sent to Palmetto Health employees which contained a malicious hyperlink. When the link in the emails was clicked, employees were directed to a realistic-looking web page where they were required to enter their email credentials. Doing so disclosed those credentials to the attackers, who used them to gain access to the email accounts.

A third-party computer forensics firm was retained to conduct an investigation into the breach to determine the nature and extent of access and whether any patients’ protected health information had been accessed or obtained.

The forensics firm determined that the first of the email accounts was compromised in November 2018. The review process took some time to complete as emails had to be manually checked to determine whether they contained any protected health information. The review process was completed on February 19, 2019 and revealed the protected health information of 23,811 patients had been exposed.

The exposed information was limited to names and information used by Palmetto Health when providing treatment or consultation. A small percentage of the emails also contained health insurance information, Social Security numbers, and/or financial information.

Palmetto Health believes the aim of the attack was to gain access to payroll information rather than to obtain patient health information. No evidence was uncovered to suggest any patient information was accessed or copied, but data theft could not be ruled out.

Complimentary credit monitoring and identity theft protection services have been offered to all patients whose financial information has potentially been accessed.

Weslaco Regional Rehabilitation Hospital Patients Notified of Phishing Attack

Earnest Health has announced that certain patients who visited the Weslaco Regional Rehabilitation Hospital in Texas have had some of their protected health information exposed as a result of an October 2018 phishing attack.

The exposed information was limited to names, dates of birth, health insurance details, patient care information, driver’s license numbers, and Social Security numbers.

The hospital has notified all affected patients by mail and has offered complimentary credit monitoring and identity theft protection services to all patients whose driver’s license number or Social Security number was exposed.

Staff at the hospital are being provided with further training to help them identify potentially malicious emails.

The breach is not yet listed on the HHS’ Office for Civil Rights breach portal so it is currently unclear exactly how many patients were affected.

The post PHI of 23,811 Palmetto Health Patients Exposed in Phishing Attack appeared first on HIPAA Journal.

12,000 Patients of Baystate Health Notified of PHI Exposure Due to Phishing Attack

Massachusetts-based Baystate Health has experienced a phishing attack that has resulted in the exposure of the protected health information of approximately 12,000 patients.

Several employee email accounts were compromised between February 7 and March 7, 2019. The phishing attacks were identified during the same time frame and in each case, the compromised email accounts were immediately secured. A third-party computer forensics firm was engaged to assist with the investigation.

An analysis of the compromised email accounts revealed they contained patients’ names, dates of birth, diagnoses, treatment information, medications and, in some cases, Social Security numbers, health insurance information, and Medicare numbers.

All patients whose protected health information was potentially accessed as a result of the attack were notified by mail on April 5. Patients whose Social Security number was exposed have been offered one year of credit monitoring and identity theft protection services without charge.

Those services have been offered as a precaution. No evidence has been uncovered to suggest that the individuals behind the phishing attack viewed, copied, or misused patient information.

All patients affected by the breach have been urged to review statements from their providers and explanation of benefits statements from insurers to check that they have not been billed for medical services that have not been received.

Baystate Health performed a forced password reset on all affected accounts and has implemented controls to prevent employee email accounts from being accessed from outside the network unless specifically authorized.

Email logging and log reviews have also been increased to ensure that any future email account breaches are identified rapidly, and additional security awareness training is being provided to employees to help them detect and avoid phishing emails.
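The two controls described above, restricting external access to employee mailboxes and reviewing email logs to catch account compromises quickly, can be turned into a small review script. The following is an added example, not Baystate Health's own tooling: it runs over constructed webmail authentication and send-event log lines (the log format, the internal address range, the allowlist of accounts permitted to log in from outside the network, and the thresholds are all assumptions) and flags the signals that typically follow a phished credential: a login from outside the network by an account that is not authorized for it, one account authenticating from several distinct addresses within a short window, and a burst of outbound mail from a single mailbox.

```python
"""Review constructed webmail logs for account-takeover signals (example code)."""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample log lines (not real data). Assumed format:
#   <ISO timestamp> <event> user=<account> ip=<source> [count=<messages sent>]
SAMPLE_LOG = """\
2019-03-01T08:02:11 LOGIN_OK user=jdoe ip=10.20.4.15
2019-03-01T08:05:40 LOGIN_OK user=jdoe ip=198.51.100.23
2019-03-01T08:06:02 LOGIN_OK user=jdoe ip=203.0.113.77
2019-03-01T08:07:30 SEND user=jdoe ip=203.0.113.77 count=180
2019-03-01T09:15:00 LOGIN_OK user=asmith ip=10.20.4.88
2019-03-01T09:20:00 SEND user=asmith ip=10.20.4.88 count=3
2019-03-01T10:01:00 LOGIN_OK user=bnguyen ip=198.51.100.9
"""

# Assumptions for this example: the hospital network is 10.0.0.0/8, and only the
# accounts listed here are authorized to reach webmail from outside it.
INTERNAL_NETS = [ip_network("10.0.0.0/8")]
EXTERNAL_ALLOWED = {"bnguyen"}
WINDOW = timedelta(minutes=30)      # look-back window for distinct source addresses
MAX_IPS_PER_WINDOW = 2              # more distinct addresses than this is suspicious
MAX_SEND_PER_EVENT = 50             # a single mailbox sending more than this is a burst


def parse_line(line):
    """Split one log line into a record dict."""
    ts, event, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    return {
        "ts": datetime.fromisoformat(ts),
        "event": event,
        "user": fields["user"],
        "ip": ip_address(fields["ip"]),
        "count": int(fields.get("count", 0)),
    }


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def find_alerts(log_text):
    """Return (user, alert_type, source_ip) tuples for every suspicious event."""
    alerts = []
    logins = defaultdict(list)  # user -> [(timestamp, ip), ...]
    for raw in log_text.strip().splitlines():
        rec = parse_line(raw)
        user, ip, ts = rec["user"], rec["ip"], rec["ts"]
        if rec["event"] == "LOGIN_OK":
            # Control 1: external access only for explicitly authorized accounts.
            if not is_internal(ip) and user not in EXTERNAL_ALLOWED:
                alerts.append((user, "external_login", str(ip)))
            # Control 2: one account, several source addresses in a short window.
            logins[user].append((ts, ip))
            recent = {i for t, i in logins[user] if ts - t <= WINDOW}
            if len(recent) > MAX_IPS_PER_WINDOW:
                alerts.append((user, "multi_ip_login", str(ip)))
        elif rec["event"] == "SEND" and rec["count"] > MAX_SEND_PER_EVENT:
            # Control 3: a sudden outbound burst, as seen when a mailbox is used
            # to send further phishing or payment requests to co-workers.
            alerts.append((user, "bulk_send", str(ip)))
    return alerts


if __name__ == "__main__":
    for user, kind, ip in find_alerts(SAMPLE_LOG):
        print(f"{kind:16} {user:10} from {ip}")
```

Running the script against the constructed log flags only the `jdoe` account, which logs in from two external addresses within minutes of an internal login and then sends 180 messages; `bnguyen` is on the allowlist and `asmith` never leaves the network, so neither produces an alert. Real deployments would feed these findings to a SIEM rather than print them, and the thresholds should be tuned against a baseline of normal traffic before they are trusted.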

The incident has yet to appear on the Department of Health and Human Services’ Office for Civil Rights breach portal, so the exact number of patients affected has not yet been confirmed.

The post 12,000 Patients of Baystate Health Notified of PHI Exposure Due to Phishing Attack appeared first on HIPAA Journal.

Hardin Memorial Health Cyberattack Results in EHR Downtime

Hardin Memorial Health in Kentucky has experienced a cyberattack which caused disruption to its IT systems and EHR downtime.

The cyberattack started on the evening of Friday April 5. A statement issued by a spokesperson for the health system confirmed that IT systems were disrupted as a result of a security breach. Details of the cyberattack have not yet been released, so it is unclear whether this was a hacking incident or a malware or ransomware attack.

The health system has been working round the clock to restore affected systems and servers. Hardin Memorial Health’s IT team has already brought most IT systems back online and has restored access to its EHR system in some units.

Despite the lack of access to its EHR system, business continued as usual and the hospital did not have to cancel appointments. All 50 of its locations remained open. “At no time during this event has the quality and safety of patient care been affected,” said HMH Vice President and Chief Marketing and Development Officer, Tracee Troutt.

Upon discovery of the security breach, emergency procedures were implemented, and an IT assessment was conducted to determine the nature and extent of the incident. That assessment is ongoing, but most of the issues associated with the attack were resolved within 24 hours.

Extra staff were brought in over the weekend to assist with its remediation efforts and to conduct administrative processes manually until systems could be brought back online.

“A combined team of some 40 internal IT and patient care specialists, complemented by external experts, importantly including our Baptist Health partners, worked over the weekend to resolve issues quickly and is working on the assessment,” said Troutt.

The hospital was well prepared for system downtime. The Hardin Memorial Health IT team regularly tests emergency procedures to make sure they can be implemented quickly and are effective at preventing disruption to patient services. Extra protocols have already been implemented to reinforce system security.

This incident shows that while it may not be possible to prevent all cyberattacks, with tried and tested backup and emergency response plans it is possible to recover from a cyberattack quickly and prevent disruption to patient services.

The post Hardin Memorial Health Cyberattack Results in EHR Downtime appeared first on HIPAA Journal.

Emotet Malware Potentially Exfiltrated PHI of Oregon Endodontic Group Patients

Oregon Endodontic Group has discovered malware has been installed on an office computer which potentially exported data contained in the office’s email account.

On November 13, 2018, Oregon Endodontic Group detected suspicious activity within an email account used at its offices.

A third-party forensic firm was engaged to assist with the investigation and identify the nature and scope of the security breach. The firm confirmed that a malware variant called Emotet had been downloaded onto an office computer. Emotet is a banking Trojan that is capable of exfiltrating data contained in email accounts. The computer forensics firm could not confirm whether any email data had been exfiltrated, but the possibility could not be ruled out.

The email account concerned was analyzed to determine whether it contained any protected health information. The analysis was completed on February 11, 2019.

The types of information contained in the account were limited to names along with one or more of the following data elements: date of birth, diagnosis information, treatment information, and health insurance information. 41 individuals had their name and Social Security number exposed; seven individuals had their name and financial information exposed; and two individuals had their name and driver’s license number exposed.

Oregon Endodontic Group has engaged the services of an IT security firm which is assessing security controls and additional protections will be implemented as appropriate to enhance security.

Humana Notifies Members in Texas About Web Portal Breach

Humana has discovered unauthorized individuals have registered on the web portal used by one of its authorized service providers (Availity) and have attempted to obtain eligibility and benefit verification of plan members. The web portal is used by providers to check eligibility and benefits of multiple health plans.

The individuals posed as physician provider groups and potentially obtained a limited amount of plan members’ information between January 15, 2016 and February 14, 2019.

The information potentially accessed was limited to names, Humana ID numbers, benefit information, plan effective dates, and care reminders. As a precaution, affected members have been offered credit monitoring and identity theft protection services and have been advised to monitor their explanation of benefits statements for signs of fraudulent activity. No misuse of PHI has been reported to date.

Humana notes in its breach notification letters that Availity did have policies and procedures in place to protect customer information and controls have now been augmented to prevent similar breaches in the future.

The breach affected 522 Humana members in Texas.

The post Emotet Malware Potentially Exfiltrated PHI of Oregon Endodontic Group Patients appeared first on HIPAA Journal.

1,600 Ohio Patients Notified of Impermissible PHI Disclosure

993 Ohioans who receive benefits from Medicaid or the Ohio Department of Job and Family Services (ODJFS) are being notified that some of their protected health information has been disclosed to unauthorized individuals as a result of a computer error.

Three separate incidents were identified. On February 16, 2019, a computer error resulted in a limited amount of protected health information (PHI) of 250 users of the Ohio Benefits Self-Service Portal appearing in another user’s account. The error was identified and corrected the same day.

Two further incidents occurred on March 20, 2019. A computer error caused information entered into the Ohio Benefits portal to be saved to incorrect accounts. The computer error has been temporarily fixed and a permanent solution is being developed to prevent any recurrences. As many as 100 individuals were affected.

608 members of ODJFS, 34 recipients of Medicaid benefits, and one individual who received both types of benefits, had some of their PHI mailed to 5 different people as a result of a computer error. The computer error was corrected on March 22, 2019.

In all cases, the privacy breach was limited to names, contact information, dates of birth, case numbers, and claim numbers stored in the Ohio Benefits System. Affected individuals have been offered identity theft protection services for 12 months at no cost as a precaution.

840 University Hospitals Rainbow Babies & Children’s Hospital Patients Notified of Impermissible PHI Disclosure

University Hospitals Rainbow Babies & Children’s Hospital in Cleveland, OH, has discovered the PHI of 840 patients has been accidentally disclosed due to an error made by one of its employees.

The employee sent an email to a group of patients that contained a limited amount of personally identifiable information. The email was sent on February 28, and while information about patients was not detailed in the message, it implied that all individuals to whom the email had been sent suffer from the same medical condition.

The employee should have added the message recipients to the BCC field but made an error and included their addresses in the ‘to’ field. As a result, the email addresses of all recipients of the email were visible to the other recipients.

All individuals affected have been notified of the privacy breach and the hospital has sanctioned the employee “in a manner deemed appropriate for the violation.” The employee has been reeducated on proper email procedures and further education on patient privacy and HIPAA requirements will be provided to other staff members.
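Re-education addresses the individual mistake; a technical gate at the mail submission point addresses the class of mistake. The following is an added example, not code from University Hospitals: it applies an assumed policy under which a message from a patient-facing sender may show at most one address in To/Cc (normally the sender's own mailbox) and everyone else must be in Bcc, so a mailing like the one described above is rejected before it leaves the organization. The two messages and all addresses are constructed placeholders.

```python
"""Outbound gate: refuse patient mailings that expose other recipients in To/Cc."""
from email import message_from_string
from email.utils import getaddresses

# Assumed policy for this example: at most one visible address; patients go in Bcc.
MAX_VISIBLE_RECIPIENTS = 1


def visible_recipients(msg):
    """Addresses every recipient of the delivered message will be able to see."""
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return sorted({addr.lower() for _, addr in pairs if addr})


def hidden_recipients(msg):
    """Addresses in Bcc; the submitting MTA strips this header before delivery."""
    pairs = getaddresses(msg.get_all("Bcc", []))
    return sorted({addr.lower() for _, addr in pairs if addr})


def check_outbound(raw_message):
    """Return ('ALLOW' | 'REJECT', reason) for a message at the submission gate."""
    msg = message_from_string(raw_message)
    visible = visible_recipients(msg)
    hidden = hidden_recipients(msg)
    if len(visible) > MAX_VISIBLE_RECIPIENTS:
        return "REJECT", (f"{len(visible)} addresses exposed in To/Cc; "
                          "move recipients to Bcc")
    if not visible and not hidden:
        return "REJECT", "no recipients"
    return "ALLOW", f"{len(visible)} visible, {len(hidden)} hidden"


# Constructed messages; example.org addresses stand in for patients.
BAD_MSG = """\
From: clinic-news@hospital.example.org
To: patient1@example.org, patient2@example.org, patient3@example.org
Subject: Support group meeting

Reminder for our next meeting.
"""

GOOD_MSG = """\
From: clinic-news@hospital.example.org
To: clinic-news@hospital.example.org
Bcc: patient1@example.org, patient2@example.org, patient3@example.org
Subject: Support group meeting

Reminder for our next meeting.
"""

if __name__ == "__main__":
    for label, raw in (("bad", BAD_MSG), ("good", GOOD_MSG)):
        verdict, reason = check_outbound(raw)
        print(f"{label}: {verdict} ({reason})")
```

Note that the check reads the recipient headers only, not the body, so it does not depend on recognising clinical content; it fires on the structural error (many visible recipients) that made this disclosure possible, which is exactly the condition the employee's mistake produced.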

The post 1,600 Ohio Patients Notified of Impermissible PHI Disclosure appeared first on HIPAA Journal.

Phishing Attack Impacts 14,305 Patients of Main Line Endoscopy Centers

Main Line Endoscopy Centers, a network of outpatient endoscopy facilities in the Malvern, Bala Cynwyd, and Media regions of Pennsylvania, has discovered an unauthorized individual has gained access to the email account of one of its employees following a response to a phishing email.

It is not clear exactly when the account was breached, but it was discovered by Main Line on January 30, 2019.

A leading computer forensics firm was retained to assist with the investigation and determine which, if any, emails in the account had been opened and whether any patient information had been compromised. The investigation confirmed that the attackers potentially gained access to the protected health information of certain patients, which included names, dates of birth, and limited clinical information. Some patients also had their Social Security number, driver’s license number, and/or health insurance information exposed.

All patients affected by the breach were sent breach notification letters on March 29, 2019 and individuals whose Social Security number or driver’s license number were exposed have been offered complimentary identity theft protection services for 12 months at no cost.

As a precaution, all individuals affected by the breach have been advised to monitor their accounts, explanation of benefits statements, and credit reports closely for any sign of fraudulent use of their information.

To improve security and prevent further breaches, Main Line has provided further training to all staff to improve email security awareness and alert them to the threat from phishing. Multi-factor authentication has been implemented, along with other security measures, to prevent accounts from being accessed in the event that further credentials are compromised.

The breach has been reported to the Department of Health and Human Services’ Office for Civil Rights. The OCR breach portal indicates 14,305 patients were affected by the breach.

The post Phishing Attack Impacts 14,305 Patients of Main Line Endoscopy Centers appeared first on HIPAA Journal.

Michigan Practice Forced to Close Following Ransomware Attack

A ransomware attack can prove costly to resolve. That cost was not deemed worth it by one Michigan practice, which has now permanently closed its doors.

The ransomware encrypted the system at Brookside ENT and Hearing Center in Battle Creek, which housed patient records, appointment schedules, and payment information, rendering the data inaccessible.

The attackers claimed to be able to provide a key to unlock the encryption, but in order to obtain the key to decrypt files, a payment of $6,500 was required.

The two owners of the practice, William Scalf, MD and John Bizon, MD, decided not to pay the ransom as there was no guarantee that a valid key would be supplied and, after paying, the attackers could simply demand another payment.

Since no payment was made, the attackers deleted all files on the system, ensuring no information could be recovered. The partners decided to take early retirement rather than having to rebuild their practice from scratch.

The FBI was alerted to the security incident and explained that this appeared to be an isolated attack. No patient data appeared to have been viewed or accessed prior to files being deleted so there is not believed to be any risk to patients; however, patients who had not obtained copies of their medical records prior to the ransomware attack will have lost all records stored by the practice.

That will naturally come at a cost to some patients, who may have to have medical tests performed for a second time. One patient at the practice told WWMT that her daughter had had surgery and she was attempting to schedule a follow-up appointment when she discovered that her medical records had been lost. She must now visit another provider, but that provider will have no details about the surgical procedure.

The practice will officially close on April 30, 2019, until which point, patients can contact staff at the practice who will provide referrals.

The incident highlights just how important it is to ensure backups of all data are made. All backups must be tested to ensure they have not been corrupted and file recovery is possible.

A good best practice to adopt is the 3-2-1 approach: create three backup copies, on two different types of media, and store one copy securely off site on an air-gapped device, one that is not networked or accessible over the internet. In the event of a ransomware attack, systems may be taken out of action and computers may need to have software reinstalled, but at least no data will be lost.
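A backup that has never been verified is only a hope. The following is an added example, not code from the practice or from any backup product, of the two steps the paragraph above calls for: making the three copies and testing that each can be restored intact. It records a SHA-256 manifest of the source data, copies the data to three destinations (the second and third stand in for the second medium and the off-site copy; a script cannot make a device air-gapped, and the manifest should itself be kept apart from the copies), then verifies every copy against the manifest so that a corrupted or missing file is reported before it is needed. The directory layout and sample files are constructed for the demonstration.

```python
"""3-2-1 backup with manifest-based restore verification (example code)."""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large record stores do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under root (relative path) to its SHA-256 digest."""
    root = Path(root)
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def make_copies(source, destinations):
    """Copy source to each destination; return the manifest the copies must match."""
    manifest = build_manifest(source)
    for dest in destinations:
        shutil.copytree(source, dest, dirs_exist_ok=True)
    return manifest


def verify_backup(dest, manifest):
    """Return {relative_path: 'missing' | 'corrupt'} for any file that fails the test."""
    dest = Path(dest)
    problems = {}
    for rel, digest in manifest.items():
        p = dest / rel
        if not p.is_file():
            problems[rel] = "missing"
        elif sha256_file(p) != digest:
            problems[rel] = "corrupt"
    return problems


def demo():
    """Build three copies of constructed records, damage two, and verify all three."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "records"
        src.mkdir()
        # Constructed sample data standing in for patient records and schedules.
        (src / "patients.db").write_bytes(b"constructed sample record\n" * 100)
        (src / "schedule.csv").write_text("2019-04-30,follow-up\n")

        copies = [Path(tmp) / "copy_local",     # copy 1: same site, first medium
                  Path(tmp) / "copy_media2",    # copy 2: stands in for second medium
                  Path(tmp) / "copy_offsite"]   # copy 3: stands in for off-site/air-gapped
        manifest = make_copies(src, copies)

        # Write the manifest alongside the catalogue, not inside the copies, so a
        # damaged copy cannot also present a matching damaged manifest.
        (Path(tmp) / "records.manifest.json").write_text(json.dumps(manifest, indent=1))

        # Simulate silent corruption on one copy and a lost file on another.
        (copies[1] / "patients.db").write_bytes(b"garbage")
        (copies[2] / "schedule.csv").unlink()

        return [verify_backup(c, manifest) for c in copies]


if __name__ == "__main__":
    for name, problems in zip(("local", "media2", "offsite"), demo()):
        print(f"{name}: {'OK' if not problems else problems}")
```

The demonstration deliberately damages two of the three copies; the verifier reports the corrupt file on the second and the missing file on the third while the first passes cleanly, which is the outcome a scheduled restore test should be producing long before an incident forces a real restore. On a production system the same `verify_backup` call would run against a scratch restore of each copy on a schedule, and any non-empty result is an alert, not a log line.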

The post Michigan Practice Forced to Close Following Ransomware Attack appeared first on HIPAA Journal.