HIPAA Breach News

Oregon State Hospital and New York Episcopal Health Services Report Phishing Attacks

Oregon State Hospital has announced that the protected health information (PHI) of some of its patients was potentially compromised as a result of an employee being duped by a spear phishing email.

The email was received on May 3 and the employee responded on May 6. The response resulted in the disclosure of email login credentials.

The unauthorized access was detected quickly, and steps were rapidly taken to secure the account. The employee responded to the message at 9:50 AM and Oregon State Hospital’s IT team detected the breach at 10:30 AM and secured the account. The limited time the attacker had access to the account reduced the potential for any information in emails and email attachments to be viewed or copied.

Currently, Oregon State Hospital is unaware whether the attacker gained access to patients' protected health information during the 40 minutes that the account was accessible, and the hospital has yet to determine which patients have been affected.

A third-party cybersecurity company has been hired to conduct an analysis of the compromised account to determine which patients’ PHI has been exposed. The hospital expects that process to take around 4-6 weeks. Once the affected patients have been identified, notifications will be sent.

The hospital has confirmed that the email account contained patient information such as full names, dates of birth, medical record numbers, diagnoses, and treatment plans.

Phishing attacks cannot always be prevented but rapid detection and a prompt breach response can limit the harm caused. The hospital should be commended for both the rapid detection of the breach and the early media notice, which was issued just a week after the breach was experienced.

Episcopal Health Services Issues Further Notifications About 2018 Phishing Attack

Episcopal Health Services, which operates St. John’s Episcopal Hospital in New York, has issued a second batch of notifications to patients who were recently discovered to have been impacted by a 2018 phishing attack.

Episcopal Health Services was alerted to a potential phishing attack when suspicious activity was detected within several employee email accounts in September 2018. An investigation was launched to determine the cause of that suspicious activity, which revealed several email accounts had been subjected to unauthorized access as a result of responses to phishing emails.

The investigation confirmed that the accounts had been breached between August 28, 2018 and October 5, 2018. Those accounts were reviewed to determine whether they contained patient information. Episcopal Health Services determined on November 1, 2018, that some patients’ PHI had been exposed and on November 15, individuals for whom a valid postal address was held were sent notification letters.

The exposed information varied from individual to individual and may have included names, dates of birth, financial information, Social Security numbers, medical record numbers, diagnoses, medical histories, prescription information, treatment information, and health insurance information.

The compromised email accounts continued to be reviewed to determine whether they contained protected health information, and on March 19, 2019, a second round of notification letters was sent to patients who were also discovered to have been affected by the breach.

Individuals whose PHI has been exposed have been offered complimentary credit monitoring and identity theft protection services for 12 months.

The breach report submitted to the HHS’ Office for Civil Rights on November 19, 2018 indicates 218,055 individuals were impacted by the phishing attacks.

The post Oregon State Hospital and New York Episcopal Health Services Report Phishing Attacks appeared first on HIPAA Journal.

Ransomware Attack on the Southeastern Council on Alcoholism and Drug Dependence Impacts 25,148 Patients

The Southeastern Council on Alcoholism and Drug Dependence (SCADD) in Lebanon, CT, has experienced a ransomware attack that has resulted in widespread file encryption.

The attack was detected on February 18, 2019, when SCADD began experiencing problems with its network. The investigation confirmed ransomware had been installed on its systems, some of which contained the protected health information (PHI) of patients.

While no evidence was uncovered that suggested the attackers accessed files containing PHI, third-party forensic investigators were unable to rule out patient data access. Consequently, the incident was reported to the HHS’ Office for Civil Rights as a potential data breach and notification letters have been sent to affected patients. To date, no reports have been received which suggest any patient information has been misused.

Patients have been informed that their name, address, medical history, treatment information, and Social Security number have potentially been compromised. All affected individuals have been offered complimentary credit monitoring and identity theft protection services.

The breach summary on the OCR website indicates up to 25,148 patients have been affected by the incident.

Independent Health Employee Accidentally Emailed PHI of 7,600 Members to Unauthorized Individual

The Amherst, MA-based health plan, Independent Health, has discovered an employee emailed documents containing the PHI of 7,600 members to an individual who was not authorized to view the information.

The information was mistakenly sent to an Independent Health member on March 19, 2019. That individual contacted Independent Health within an hour of the email being received to report the privacy breach and confirm that the message and documents had been deleted.

The documents contained plan member information such as ID numbers, providers seen, dates of service, claim numbers, claim payment information, and medical procedure codes. While no Social Security numbers or financial information were exposed and the risk of identity theft or fraud is believed to be low, all affected individuals have been offered 12 months of complimentary identity theft protection and credit monitoring services. The employee in question has been subjected to disciplinary procedures in line with company policy.

Lawsuit Alleges Hospital Worker Disclosed Information about Woman’s Sexual Assault to her Attacker

A lawsuit has been filed against Atchison Hospital in Kansas by a sexual assault victim who alleges an X-ray technician at the hospital contacted her attacker and disclosed sensitive information about the treatment she received at the hospital.

According to the Kansas City Star, after being raped, the woman sought treatment at the hospital. She underwent a rape kit examination, and allegedly made it clear to the hospital that she did not want her health information to be disclosed to third parties.

Against the patient's wishes and in violation of the HIPAA Privacy Rule, a female X-ray technician at the hospital disclosed information about the examination to her attacker. The X-ray technician also told the man that he had been accused of sexually assaulting the patient.

Following the disclosure, the man repeatedly harassed and threatened the patient by phone and text message over the following weeks. In addition to receiving a barrage of abuse from her attacker, the lawsuit claims the woman was also harassed by hospital staff.

A complaint was filed with the hospital over the privacy violation and an internal investigation was launched. The medical records system was checked to determine whether there had been any unauthorized accessing of her medical records and interviews were conducted with staff members.

No evidence was uncovered to suggest the woman's electronic medical records had been accessed inappropriately, but the hospital concluded the X-ray technician had viewed the woman's medical information in the hospital's health information department. The hospital confirmed to the woman that the X-ray technician was not part of her care team and was not authorized to view her records.

The hospital apologized for the privacy breach and reviewed and updated its policies and procedures to reduce the risk of further incidents of this kind.

The X-ray technician was fired from the hospital over the privacy violation and was subsequently hired by Saint Luke’s Cushing Hospital. According to the patient’s attorneys, details of the former employee’s conduct were not disclosed to Cushing Hospital and a positive review was provided. The patient’s attorneys claim the hospital did not do enough to communicate the reason for termination to the woman’s potential new employer.

Hospital CEO John Jacobson issued a statement to the Atchison Globe, saying "Patient confidentiality at Atchison Hospital and our ability to protect personal information is a top priority of ours… we are deeply disturbed by the actions of this former employee. In fact, when we were made aware of this situation, we took immediate steps to investigate and within two days, we terminated this individual's employment."

The lawsuit accuses the hospital of having inadequate policies in place to protect against the unauthorized accessing of patient information and claims the hospital was negligent, there was an invasion of the patient’s privacy, and the hospital breached its fiduciary duty. The lawsuit seeks punitive damages.

Phishing Attack Reported by Verity Health’s St. Vincent Medical Center

St. Vincent Medical Center, a part of Verity Health System, has discovered a web email account has been compromised as a result of a response to a phishing email.

The breach occurred on March 15, 2016 and involved the email account of a hospital pathologist. The account compromise was detected on March 26 and the account was secured within hours.

During the time that the unauthorized individual had access to the account, it was used to send phishing emails to internal and external email addresses. Those messages contained malicious attachments and hyperlinks. According to a substitute breach notice provided to the California Attorney General, no other employee accounts were breached as a result of misuse of the email account.

While the intention of the attacker appears to have been to obtain login credentials to other email accounts, during the time that the account was accessible, full access to emails, folders, and email attachments was possible. The investigation into the breach could not confirm whether any patient information in emails and email attachments had been accessed or copied by the attacker.

A review of those emails confirmed they contained the PHI of certain patients including names, addresses, phone numbers, dates of birth, Social Security numbers, medical record numbers, dates of service, medical conditions, treatments provided, lab test results, and health plan names.

Upon discovery of the breach, unauthorized access to the account was terminated and all phishing emails sent from the account were removed from the email system. Employees discovered to have clicked on links in the emails also had their email accounts disabled and secured.

Verity Health System has experienced multiple phishing attacks in the past few months. This incident follows two attacks in late December 2018 and another attack in January. The January attack affected almost 15,000 patients.

Verity Health has now implemented further email security controls to block malicious emails along with multi-factor authentication. Individuals involved have been provided with counseling and re-education and a new security module has been deployed.

It is unclear at this stage exactly how many patients have been affected by the phishing attack on St. Vincent Medical Center.

Phishing Attack Impacts 1,100 Spectrum Health Lakeland Patients

For the second time in the space of two months, Spectrum Health Lakeland has announced that a breach has exposed the protected health information (PHI) of some of its patients. The previous breach occurred at Wolverine Services Group and impacted around 60,000 of its patients.

The latest incident involved an unauthorized individual gaining access to an email account as the result of a response to a phishing email. As with the last breach, the incident occurred at a business associate.

OC, Inc., a provider of billing services, discovered an unauthorized individual had gained access to an email account of one of its employees. The email account was discovered to contain the PHI of approximately 1,100 Spectrum Health Lakeland patients.

OS Inc. discovered a potential breach on December 21, 2018 after suspicious activity was detected within an employee email account. A third-party computer forensics expert was hired to assist with the investigation and found no evidence to suggest that any PHI in emails and attachments had been accessed or stolen. However, it was not possible to rule out data access or exfiltration with a sufficiently high level of certainty.

Consequently, the breach was determined to be a reportable incident and notifications to patients were warranted. The email account contained a limited amount of patient information such as names, addresses, health services provided, dates of service, diagnoses, and the names of health insurance providers.

Spectrum Health Lakeland was notified about the breach on March 8, 2019 and has been working with technology experts to determine the full extent and nature of the breach. Spectrum Health Lakeland will continue to use the business associate and has been working closely with the company to ensure additional protections are implemented to prevent any further breaches.

Even though Social Security numbers and other highly sensitive information were not exposed, the decision was taken to offer affected individuals identity theft protection and resolution services free of charge for 12 months through Experian IdentityWorks.

Key Findings of the 2019 Verizon Data Breach Investigations Report

Today sees the release of the 2019 Verizon Data Breach Investigations Report. This is the 12th edition of the report, which contains a comprehensive summary of data breaches reported by public and private entities around the globe.

The extensive report provides in-depth insights and perspectives on the tactics and techniques used in cyberattacks and detailed information on the current threat landscape. The 2019 Verizon Data Breach Investigations Report is the most comprehensive report released by Verizon to date and includes information from 41,686 reported security incidents and 2,013 data breaches from 86 countries. The report was compiled using data from 73 sources.

The report highlights several data breach and cyberattack trends. Some of the key findings of the report are detailed below:

  • C-Suite executives are 12 times more likely to be targeted in social engineering attacks than other employees
  • Cyberespionage attacks increased from 13% of incidents in 2018 to 25% in 2019
  • Financially motivated breaches fell from 76% to 71%
  • Phishing is involved in 32% of breaches and 78% of cyberespionage incidents
  • 90% of malware arrived via email
  • 60% of web application attacks were on cloud-based email servers
  • Most email threats and BEC attacks only resulted in data breaches because multi-factor authentication had not been implemented
  • 52% of cyberattacks involve hacking
  • 34% of attacks involved insiders
  • 43% of cyberattacks were on small businesses
  • Ransomware is the second biggest malware threat and accounts for 24% of breaches
  • There has been a six-fold decrease in attacks on HR personnel
  • Misconfiguration of cloud platforms accounted for 21% of breaches caused by errors

C-Suite Executives Beware!

C-suite executives are being extensively targeted by cybercriminals and for good reason. They are likely to have high-level privileges, so their accounts and credentials are more valuable. Compromised email accounts can be used for social engineering, phishing, and BEC attacks on other members of the organization and vendors.

Attacks on the C-suite are 12 times more likely than on other employees and C-suite executives are 9 times more likely to be the target of social incidents. These figures show just how important it is for C-suite executives to receive regular security awareness training.

These attacks are part of a trend of cybercriminals choosing the path of least resistance. Why invest time and money into hacking a company when an email can be sent to the CEO or CFO requesting a fraudulent transfer? Hacking a C-suite email account and using it to send wire transfer requests is simple, effective, and highly profitable.

Figures from the FBI, a new DBIR partner in 2019, show that the median loss due to BEC attacks is a few thousand dollars. However, there are as many attacks with losses between zero and the median as there are with losses between the median and $100 million. 12% of all breaches were the result of business email compromise attacks.

Cyberattacks on the Healthcare Industry

The 2019 DBIR included 466 healthcare cybersecurity incidents, 304 of which involved confirmed data disclosures.

Out of all industry sectors analyzed, healthcare was the only industry where the number of incidents caused by insiders was greater than those caused by external threat actors. 59% of incidents involved insiders compared to 42% involving external threat actors. Breaches of medical information are 14 times more likely to be caused by doctors and nurses.

The primary motive for attacks on the healthcare industry was financial gain (83%), followed by fun (6%), convenience (3%), because a grudge was held (3%), and espionage (2%). 72% of breaches involved medical data, 34% involved personal information, and 25% involved credential theft.

81% of all healthcare cybersecurity incidents fell into one of three patterns: miscellaneous errors such as software misconfiguration, privilege misuse, or web application attacks.

Across all industries, ransomware is involved in 24% of attacks but 70% of those attacks were reported by healthcare organizations. It should be noted that, in most cases, ransomware attacks are reportable breaches under HIPAA. The overall number of attacks in other industry sectors may well be much higher, as many attacked companies choose not to report the incidents and just quietly pay the ransom.

Patterns Identified in Healthcare Data Breaches

Pattern                  Number of Data Breaches
Miscellaneous Errors     97
Privilege Misuse         85
Web Applications         65
Lost and Stolen Assets   28
Everything Else          27
Cyber-Espionage           2
Point of Sale             2
Crimeware                 1
Denial of Service         0

Causes of Healthcare Data Breaches

Actions Involved   Incidents   Data Breaches
Error                    124             110
Misuse                   110              85
Hacking                  100              78
Social                    91              78
Malware                   85               7
Physical Theft            47              17

American Indian Health & Services and Madison Parish Hospital Discover Impermissible PHI Disclosures by Employees

American Indian Health & Services, the operator of a community health clinic in Santa Barbara, CA, has discovered a former employee forwarded emails containing the sensitive data of certain employees, patients, and vendors to a personal email account, in violation of HIPAA Rules.

The incident was detected on March 7, 2019. An analysis of the email account revealed that the former employee, who was still employed at the clinic at the time, had forwarded emails to her personal email account between March 26 and February 6, 2019.

The emails contained names, billing information, provider names and locations, dates of service, amounts paid/owed for services provided, health insurance and payor information, and Medicare/Medicaid and/or Medical numbers.

The incident has been reported to law enforcement, state, and federal regulators and affected individuals have been notified by mail. No reports of misuse of patient information have been received to date, but as a precaution against identity theft and fraud, affected individuals have been offered 12 months of credit monitoring and identity theft restoration services at no cost.

It is currently unclear how many current and former patients have been affected by the incident.

Madison Parish Hospital Service District Discovers PHI of 1,436 Patients was Impermissibly Disclosed

Madison Parish Hospital Service District is notifying 1,436 patients of Madison Parish Hospital and its clinic in Tallulah, LA, that some of their protected health information has been impermissibly disclosed to a third party.

According to the breach notice uploaded to the hospital website, an employee of the hospital was discovered to have accessed a list of patients and disclosed that list to a third party.

Few details of the breach have been made public, so it is unclear who the third party was, the types of information that were disclosed, or the reason for the disclosure.

Madison Parish Hospital believes the information was sent confidentially and there have been no further disclosures of the received information. According to the breach notice, the incident was discovered on February 20, 2018. The timing of the notification suggests this may have been a typo and the incident occurred in February 2019.

Ransomware Attack Reported by American Baptist Homes of the Midwest

American Baptist Homes of the Midwest (ABHM), a provider of assisted living and assisted care facilities throughout the U.S. Midwest, has reported a security breach involving the use of ransomware on its network.

The attack commenced on or around March 10, 2019. The attack was detected promptly, but only after the encryption routine had commenced. The attack was stopped and affected accounts were secured, but not in time to prevent widespread file encryption. The files encrypted by the ransomware contained the records of many ABHM clients.

ABHM's clinical and billing systems were not affected, only general file systems and email accounts. The attack is believed to have been conducted with the sole purpose of extorting money from ABHM, although due to the nature of the access gained to install the ransomware, unauthorized accessing of protected health information could not be ruled out. No evidence of data theft or misuse of PHI has been found to date.

The types of information stored on the compromised servers and systems included individuals’ names and addresses in combination with the following data elements: Social Security numbers, financial information, diagnoses, lab test results, medications and some other medical information.

The attack affected the following locations:

Colorado:

  • Health Center at Franklin Park, Denver
  • Mountain Vista Senior Living, Wheat Ridge

Iowa:

  • Crest Services – Cedar Rapids; Des Moines; Harlan; Ottumwa; and Chariton
  • Elm Crest Senior Living, Harlan

Minnesota:

  • Crest Services – Albert Lea
  • Thorne Crest Senior Living, Albert Lea

Nebraska:

  • Maple Crest Health Center, Omaha

South Dakota:

  • Trail Ridge Senior Living, Sioux Falls

Wisconsin:

  • Tudor Oaks Senior Living, Muskego

Assisted by a third-party data forensics company, ABHM was able to successfully remove the ransomware from its systems and restore encrypted data from backups.

To improve security and prevent further cyberattacks, ABHM engaged the services of a cybersecurity expert who conducted an in-depth risk assessment to identify potential risks and vulnerabilities.

Technical security measures have now been implemented to enhance security. Those measures include the strengthening of password requirements, the use of rate limiting to prevent brute force attacks on its systems, and a 24/7 security monitoring system to safeguard all ABHM data.

All affected individuals have now been notified by mail and the incident has been reported to law enforcement and the HHS’ Office for Civil Rights (OCR).

The incident has yet to appear on the OCR breach portal so it is currently unclear exactly how many individuals have been affected by the breach.
