HIPAA Breach News

Lawsuit Alleges Sharp Grossmont Hospital Secretly Recorded Patients Having Gynecology Operations

A lawsuit has been filed against Sharp HealthCare and Sharp Grossmont Hospital which alleges the hospital secretly recorded video footage of female patients undressing and having gynaecological examinations performed.

According to the lawsuit, the hospital installed video cameras in three operating rooms as part of an internal investigation into the theft of the anaesthesia drug propofol from drug carts. The cameras were actively recording between July 17, 2012 and June 30, 2013 at its facility on Grossmont Center Drive in El Cajon, San Diego.

During the time that the cameras were recording, 1,800 patients were filmed undergoing procedures such as hysterectomies, Caesarean births, dilation and curettage for miscarriages, and other surgical procedures. The motion-activated cameras had been installed on drug carts and continued to record even after motion had stopped.

A spokesperson for Sharp Grossmont Hospital confirmed that three cameras had been installed to ensure patient safety by determining the cause of missing drugs from the carts.

The lawsuit states that, “At times, defendants’ patients had their most sensitive genital areas visible.” The position of the laptop cameras was such that patients’ faces could be seen in the recordings and, as such, patients could be identified from the recordings.

The lawsuit alleges the video recordings could be accessed by multiple individuals including medical and non-medical staff and strangers via desktop computers. Controls had not been implemented to log which users had gained access to the video recordings or why the videos had been viewed.

The plaintiffs allege that many of the computers on which the videos were stored have since been replaced or refreshed and that Sharp has destroyed many of the videos; however, Sharp could not confirm whether those files were securely erased and if they could potentially be recovered.

The lawsuit was originally filed in 2016 but was denied class certification. The case has now been re-filed. Eighty-one women who received surgical procedures in the operating rooms during the period in which the cameras were active have been included in the lawsuit, and hundreds more women are expected to join.

The plaintiffs allege their privacy was violated as a result of the unlawful recording of video footage, there was a breach of fiduciary duty, negligent infliction of emotional distress, and that the failure to secure the video footage and ensure it was permanently destroyed amounts to gross negligence.

As a result of the actions of Sharp, “Plaintiffs suffered harm including, but not limited to, suffering, anguish, fright, horror, nervousness, grief, anxiety, worry, shock, humiliation, embarrassment, shame, mortification, hurt feelings, disappointment, depression and feelings of powerlessness,” states the lawsuit.

The plaintiffs are seeking a jury trial.

The post Lawsuit Alleges Sharp Grossmont Hospital Secretly Recorded Patients Having Gynecology Operations appeared first on HIPAA Journal.

Security Breaches Reported by DePaul and Southern Hills Eye Care

DePaul, a provider of assisted living facilities and healthcare services in New York, North Carolina, and South Carolina, is alerting certain members of its behavioral health program that some of their protected health information has been exposed as a result of a phishing attack.

The breach was discovered on February 1, 2019 and the account was immediately secured. The investigation into the breach confirmed that a single email account had been compromised as a result of an employee being fooled by a phishing scam. The email account contained approximately 41,000 emails, which needed to be checked to determine whether they contained any sensitive information.

The vast majority of the emails in the account did not contain any significant medical or psychiatric information; however, a small number of emails contained information such as first and last names, dates of birth, and/or Social Security numbers.

The aim of the attack appeared to be to use the compromised email account to send further phishing emails. No evidence was found to suggest the attacker viewed or copied emails containing sensitive information.

Individuals whose Social Security number was potentially compromised have been offered complimentary credit monitoring services for one year. DePaul will be providing staff with additional training to improve resilience to phishing attacks.

The breach has yet to be uploaded to the HHS’ Office for Civil Rights breach portal, so it is currently unclear exactly how many individuals have been affected by the breach.

Southern Hills Eye Care Ransomware Attack Reported

Southern Hills Eye Care in Sioux City, IA, has experienced a security incident which may have resulted in the exposure of patients’ protected health information.

On January 15, 2019, ransomware was installed on a server in its Sioux City offices and files were encrypted. A forensic investigation confirmed that an unauthorized individual had gained access to the server and may have viewed files containing patients’ protected health information. The types of information in the files included names, addresses, dates of birth, phone numbers, health information, health insurance information, and the Social Security numbers of Medicare patients.

While data access was possible, no evidence was uncovered to suggest any patient information was accessed by unauthorized individuals. Additional security controls have now been implemented to prevent any future breaches of this nature.

The breach has yet to appear on the OCR breach portal so it is currently unclear how many patients have been affected. Notifications were sent to affected patients on March 15, 2019.


67,493 Patients of Burrell Behavioral Health Impacted by Business Associate Breach

Burrell Behavioral Health is notifying 67,493 patients that their medical records have been accidentally exposed as a result of an error at an unnamed business associate in August 2018.

The error was introduced into the business associate’s internet-facing portal, which resulted in images of Burrell Behavioral Health patients’ protected health information being exposed. The images contained information such as name, address, telephone number, birth date, gender, dates of service, types of service provided, health insurance information, driver’s license number, and Social Security number.

The exposure of patient data was brought to the attention of Burrell Behavioral Health on January 30, 2019. Burrell Behavioral Health notified its business associate about the data exposure and the server was immediately secured.

A forensic investigation was conducted to determine which information had been exposed and whether it was subjected to unauthorized access. The investigation revealed patient information was uploaded to the server in August 2018. No evidence was uncovered to suggest that anyone had accessed the information and neither had automated website crawlers and scanners accessed the information. The format of the images was such that it would not have been possible for the information to be accessed through general web browsing or internet searches.

Consequently, the investigators concluded that there is a “very low probability” of unauthorized data access, although, out of an abundance of caution, all patients whose Social Security number has been compromised as a result of the breach have been offered complimentary identity theft monitoring and protection services.

Burrell Behavioral Health has taken steps to prevent any further breaches of this nature from occurring and is working with its business associates to ensure they have adequate technical and administrative safeguards in place to ensure the confidentiality of patient information.


$1.6 Million Settlement Agreed with Texas Department of Aging and Disability Services Over 2015 Data Breach

The Department of Health and Human Services’ Office for Civil Rights has agreed to settle a HIPAA violation case with the Texas Department of Aging and Disability Services (DADS) to resolve HIPAA violations discovered during the investigation of a 2015 data breach that exposed the protected health information of 6,617 Medicaid recipients.

The breach was caused by an error in a web application which made ePHI accessible over the internet for around 8 years. DADS submitted a breach report to OCR on June 11, 2015.

OCR launched an investigation into the breach to determine whether there had been any violation of HIPAA Rules. In July 2015, OCR notified DADS that the investigation had revealed there had been multiple violations of HIPAA Rules.

DADS was deemed to have violated the risk analysis provision of the HIPAA Security Rule – 45 C.F.R. § 164.308(a)(1)(ii)(A) – by failing to conduct a comprehensive, organization-wide risk analysis to identify potential risks to the confidentiality, integrity, and availability of ePHI.

There had also been a failure to implement appropriate technical policies and procedures for systems containing ePHI to only allow authorized individuals to access those systems, in violation of 45 C.F.R. § 164.308(a)(4) and 45 C.F.R. § 164.312(a)(1).

Appropriate hardware, software, and procedural mechanisms to record and examine information system activity had not been implemented, which contributed to the duration of exposure of ePHI – a violation of 45 C.F.R. § 164.312(b).

As a result of these violations, there was an impermissible disclosure of ePHI, in violation of 45 C.F.R. § 164.502(a).

The severity of the violations warranted a financial penalty and corrective action plan. Both were presented to the State of Texas and DADS was given the opportunity to implement the measures outlined in the CAP to address the vulnerabilities to ePHI.

The functions and resources that were involved in the breach have since been transferred to the Health and Human Services Commission (HHSC), which will ensure the CAP is implemented.

The State of Texas presented a counter proposal for a settlement agreement to OCR which will see the deduction of $1,600,000 from sums owed to HHSC from the CMS. The settlement releases HHSC from any further actions related to the breach and HHSC has agreed not to contest the settlement or CAP.

The settlement has yet to be announced by OCR, but it has been approved by the 86th Legislature of the State of Texas. This will be the first 2019 HIPAA settlement between OCR and a HIPAA covered entity.


Superior Dental Care Patients Informed of PHI Exposure Due to Email Account Breach

The Centerville, Ohio dental insurance carrier, Superior Dental Care, has discovered that an unauthorized individual gained access to an employee’s email account and potentially viewed the protected health information of certain members.

The email account breach was detected on January 23, 2019 following the identification of suspicious activity within the employee’s email account. The password for the account was immediately changed and further unauthorized access was prevented.

A third-party computer forensics firm was called in to assist with the investigation and determine the nature and scope of the breach.

On February 11, 2019, Superior Dental Care learned that the account had been accessed by an unidentified third party and unauthorized access to the email account was first gained on December 21, 2018.

The email account contained information such as names, addresses, Social Security numbers, medical information, and payment information related to dental services received.

All individuals affected by the breach have now been notified by mail and the breach has been reported to appropriate authorities.

Processes have already been implemented to strengthen system security and Superior Dental Care will continue to work with third-party security experts to better protect members’ personal information.

The incident has yet to appear on the Department of Health and Human Services’ Office for Civil Rights breach portal, so it is unclear exactly how many members have been affected by the breach.

L.A. Care Health Plan Alerts Members to PHI Exposure Due to Mailing Error

L.A. Care Health Plan is alerting some of its members to a privacy breach that saw members’ protected health information accidentally disclosed to other members.

A system error resulted in L.A. Care member ID cards being mismatched and sent to incorrect plan members. In some cases, members received their correct ID card along with the ID cards of other members in the same envelope.

The system error occurred on June 1, 2018 and affected ID card mailings up until January 30, 2019.

The protected health information that was accidentally disclosed was limited to name, phone number, member ID number, medical group name, PCP/Clinic name, and health plan name.

L.A. Care Health Plan has since updated its processes and procedures to reduce the risk of a similar incident occurring in the future.


D.C. Attorney General Proposes Tougher Breach Notification Laws

Washington D.C. Attorney General Karl A. Racine is looking to strengthen data breach notification laws to provide greater protection for D.C. residents when their personal information is exposed in a data breach.

On March 21, 2019, Attorney General Racine introduced the Security Breach Protection Amendment Act, which expands the definition of personal information that warrants notifications to be sent to consumers in the event of a data breach.

Currently laws in the District of Columbia require breach notifications to be sent if there has been a breach of Social Security numbers, driver’s license numbers, or financial information such as credit and debit card numbers.

If passed, the Security Breach Protection Amendment Act will expand the definition of personal information to include taxpayer ID numbers, genetic information including DNA profiles, biometric information, passport numbers, military identification data, and health insurance information.

Attorney General Racine said one of the main reasons why the update was required was to better protect state residents from breaches similar to the one experienced by Equifax. That breach affected 143 million individuals globally and 350,000 D.C. residents.

Additionally, the Security Breach Protection Amendment Act requires companies that collect, own, license, handle, or otherwise possess the ‘personal information’ of District residents to implement safeguards to ensure personal information remains private and confidential.

The Security Breach Protection Amendment Act also requires companies to explain to consumers the types of information that have been breached and the steps consumers can take to protect their identities, including the right to place a security freeze on their accounts at no cost.

In the event of a breach of Social Security numbers, companies would be required to offer a minimum of two years membership to identity theft protection services free of charge. The D.C. attorney general would also need to be notified about a breach of personal information, although the timescale for doing so is not stated in the bill.

Violations of the Security Breach Protection Amendment Act would be considered a violation of the D.C. Consumer Protection Procedures Act and could attract a significant financial penalty.

This is not the first time that Attorney General Racine has sought to increase protections for consumers in the event of a data breach. A similar bill was introduced in 2017 but it failed to be passed by the D.C. Council.

The Security Breach Protection Amendment Act must first be approved by the Mayor and D.C. Council, then it will be passed to Congress which will have 30 days to complete its review.

The update follows similar amendments that have been proposed in several states and territories over the past few months. While the updates are good news for Americans whose sensitive information is exposed, the current patchwork of state laws can be complicated for businesses, especially those that operate in multiple states.

What is needed is a federal breach notification law that standardizes data breach notification requirements and uses a common definition for ‘personal information’. Such a bill has been proposed in the House and Senate on three occasions in the past three years, but each time it has failed to be passed and signed into law.


PHI Exposed in Three Recent Email Security Incidents

Three email system breaches have been reported in the past few days that have resulted in unauthorized individuals gaining access to email accounts containing protected health information.

Navicent Health Notifies Patients About July 2018 Phishing Attack

Macon, GA-based Navicent Health is notifying certain patients that some of their protected health information has potentially been compromised as a result of a cyberattack on its email system.

Upon discovery of the breach in July 2018, law enforcement was notified and a leading computer forensics firm was hired to investigate the breach.

Navicent Health explained in a substitute breach notice on its website that it only became clear on January 24 that email accounts containing patient information had been breached. No reason was given as to why it took 6 months from the discovery of the breach to determine that patients’ PHI had been compromised.

The types of information potentially accessed by the attackers included names, addresses, dates of birth, and some medical information such as appointment dates and billing information. Some individuals also had their Social Security numbers exposed. Navicent Health was unable to determine whether any patients’ PHI was viewed or downloaded by the attackers.

All patients affected by the incident have now been notified and complimentary identity theft protection services have been offered to all individuals whose Social Security number was potentially compromised.

Navicent Health has since been working with multiple cybersecurity firms to improve security and prevent further breaches.

Duluth Human Development Center Discovers Email Account Compromise

When performing a routine analysis of email logs on January 25, the Human Development Center (HDC) in Duluth, MN, discovered the email account of an employee was accessed by an unauthorized individual on two occasions on January 16 and 18, 2019.

An analysis of the compromised account revealed it contained protected health information of clients, including names, dates of birth, internal HDC client numbers, descriptions of the HDC services received, and procedure codes. Clients affected by the breach had received services from HDC between 2011 and 2018.

The probability of information being accessed and misused is believed to be low. Affected individuals have now been notified of the breach.

Frederick Regional Health System Email Breach Impacts Hospice Patients

Frederick Regional Health System in Frederick, MD, has discovered the protected health information of certain hospice patients has potentially been accessed by unauthorized individuals as a result of a phishing attack.

The phishing attack was discovered on January 21, 2019 and unauthorized access to the account was promptly terminated. An analysis of the account revealed emails and attachments contained information such as names, health insurance information, type of health insurance and, for some individuals, Social Security numbers. Patients affected by the breach had received hospice services from Frederick Regional Health System between June 2017 and January 2019.

No evidence of misuse of PHI has been uncovered but, as a precaution, Frederick Regional Health System is offering eligible patients complimentary credit monitoring and identity theft protection services for 12 months. Security has since been enhanced and further email security training has been provided to employees.


350,000 Affected by Oregon Department of Human Services Phishing Attack

Oregon Department of Human Services (ODHS) has experienced a phishing attack that has potentially allowed unauthorized individuals to view or obtain the protected health information of more than 350,000 individuals.

ODHS learned on January 28, 2019 that unauthorized individuals had gained access to email accounts containing clients’ personal information. Third-party forensics experts from IDExperts were called in to determine the number of individuals affected, the types of data that could have been accessed, and whether clients’ personal information had been extracted.

The investigation confirmed that nine employees had clicked links in phishing emails and divulged their login credentials, which allowed the attackers to gain access to their email accounts. The first account was compromised on January 8, 2019.

The compromised email accounts contained almost 2 million emails. Checks are still being performed to find out which individuals have been affected. ODHS has confirmed that emails in the accounts contained information such as clients’ first and last names, addresses, birth dates, case numbers, Social Security numbers, and information used to administer ODHS programs.

The investigation did not uncover any evidence to suggest the attackers viewed or copied any protected health information, but the possibility of data access/theft could not be ruled out.

The exact number of individuals affected by the phishing attack has not yet been finalized. When all individuals have been identified, IDExperts will be sending breach notification letters by mail and will provide further information on the steps that should be taken to protect against identity theft and fraud.

ODHS is offering complimentary credit monitoring and identity theft recovery services to all individuals affected by the breach.


UCLA Health Settles Class Action Data Breach Lawsuit for $7.5 Million

UCLA Health has settled a class action lawsuit filed on behalf of victims of a data breach that was discovered in October 2014. UCLA Health has agreed to pay $7.5 million to settle the lawsuit.

UCLA Health detected suspicious activity on its network in October 2014 and contacted the FBI to assist with the investigation. The forensic investigation confirmed that hackers had succeeded in gaining access to its network, although at the time it was thought that they did not access the parts of the network where patients’ medical information was stored. However, on May 5, 2015, UCLA confirmed that the hackers had gained access to parts of the network containing patients’ protected health information and may have viewed/copied names, addresses, dates of birth, Medicare IDs, health insurance information, and Social Security numbers. In total, 4.5 million patients were affected by the breach.

The Department of Health and Human Services’ Office for Civil Rights investigated the breach and was satisfied with UCLA Health’s breach response and the technical and administrative safeguards that had been implemented post-breach to improve security.

UCLA Health avoided a financial penalty, but a class action lawsuit was filed on behalf of patients affected by the breach. The plaintiffs alleged UCLA Health failed to inform them about the breach in a timely manner, there had been breach of contract, violations of California’s privacy laws, and that UCLA Health’s failure to protect the privacy of patients constituted negligence.

UCLA Health notified patients about the breach on July 15, 2015, and while this was in line with HIPAA requirements – under 60 days from the discovery that PHI had been compromised – the plaintiffs believed they should have been notified more quickly, given the fact that the breach had occurred 9 months previously.

Under the terms of the settlement, all patients affected by the breach can claim two years of free credit monitoring and identity theft protection services. Patients will also be allowed to submit a claim to recover costs that have been incurred protecting themselves against unauthorized use of their personal and health information and they can also submit a claim to recover losses from fraud and identity theft.

Patients can claim up to $5,000 to cover the costs of protecting their identities and up to $20,000 for any losses or damage caused by identity theft and fraud. $2 million of the $7.5 million settlement has been set aside to cover patients’ claims. The remaining $5.5 million will be paid into a cybersecurity fund which will be used to improve cybersecurity defenses at UCLA Health.

Patients have until May 20, 2019 to submit an objection or exclude themselves from the settlement. Preventative measure claim forms must be submitted by June 18, 2019 and patients must enroll in the free credit monitoring and identity theft protection services by September 16, 2019. The deadline for submitting claims for the reimbursement of losses is June 18, 2021. The final court hearing on the settlement is scheduled for June 18, 2019.
