HIPAA Breach News

3,193 Employees and Dependents Affected by Bodybuilding.com Data Breach

The bodybuilding and personal fitness website Bodybuilding.com has announced it has experienced a security incident that may have resulted in the information of customers and employees being accessed by unauthorized individuals.

The customer data breach was not a reportable incident under HIPAA, but the company’s group health plan is covered by HIPAA. As such, Bodybuilding.com was required to report the breach of plan members’ PHI to the Office for Civil Rights.

The breach was discovered in February 2019 when suspicious activity was detected on its network. A formal breach investigation was launched which revealed access to the network was gained as a result of an employee falling for a phishing scam.

While the data of customers and employees is not believed to have been obtained by unauthorized individuals as a result of the phishing attack, the possibility could not be ruled out.

The breach has now been resolved and its systems have been secured. A forced password reset was performed for all users of the website as a precaution. For customers, the information potentially obtained was limited to names, email addresses, addresses, phone numbers, birth dates, profile information, order histories, billing and shipping addresses, and communications with the company.

Current and former employees of the Idaho-based fitness retailer who are members of the company’s group health plan had some of their employment-related information exposed. The breach also affected enrollees’ dependents and beneficiaries. The exposed information included names, contact information, dates of birth, Social Security numbers, government ID numbers, group health plan subscriber information, claims information, and procedure codes.

The breach investigation was concluded on April 19, and all affected employees have been notified about the exposure of their PHI out of an abundance of caution. No reports of data misuse have been received to date.

The breach summary has recently appeared on the Department of Health and Human Services’ Office for Civil Rights breach portal, which indicates 3,193 current and former employees, dependents, and beneficiaries have been affected by the breach.

The post 3,193 Employees and Dependents Affected by Bodybuilding.com Data Breach appeared first on HIPAA Journal.

Touchstone Medical Imaging Fined $3 Million by OCR for Extensive HIPAA Failures

The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced a settlement has been reached with the Franklin, TN-based diagnostic medical imaging services company, Touchstone Medical Imaging. The settlement resolves multiple violations of HIPAA Rules discovered by OCR during the investigation of a 2014 data breach.

Touchstone Medical Imaging has agreed to a settlement of $3,000,000 to resolve the violations and will adopt a corrective action plan (CAP) to address its HIPAA compliance issues. The high settlement amount reflects widespread and prolonged noncompliance with HIPAA Rules. OCR alleged 8 separate violations across 10 HIPAA provisions. The settlement resolves the HIPAA case with no admission of liability.

On May 9, 2014, Touchstone Medical Imaging was informed by the FBI that one of its FTP servers was accessible over the Internet and allowed anonymous connections to a shared directory. The directory contained files that included the protected health information (PHI) of 307,839 individuals.

As a result of the lack of access controls, files had been indexed by search engines and could be found by the public with simple Internet searches. Even when the server was taken offline, patient information could still be accessed over the Internet. The failure to secure the server constituted a violation of 45 C.F.R. § 164.312(a)(1).
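A practitioner checking for the Touchstone failure mode wants two things: a quick probe for whether a server still accepts anonymous logins, and a sweep of the server’s own logs for anonymous sessions that already pulled files out of the shared directory. The Python below is an added example, not code from the article, from OCR or from Touchstone. The log lines are constructed in vsftpd’s native log format, and the /shared/claims directory and the host handed to the probe are assumptions.

```python
"""Flag anonymous FTP logins and downloads in vsftpd-style logs, and probe a
host for anonymous access.

Added example: not code from the HIPAA Journal article, OCR or Touchstone.
The log lines are constructed in the format vsftpd writes to
/var/log/vsftpd.log; the client addresses, the /shared/claims directory and
the probe target are assumptions made for the demonstration.
"""
import re
from collections import defaultdict
from ftplib import FTP, all_errors

# Constructed sample log (vsftpd native format): two anonymous clients log in,
# one pulls a claims export, a named user uploads, and one anonymous login fails.
SAMPLE_LOG = """\
Fri May  9 08:01:12 2014 [pid 1201] CONNECT: Client "203.0.113.7"
Fri May  9 08:01:13 2014 [pid 1200] [anonymous] OK LOGIN: Client "203.0.113.7", anon password "mozilla@example.com"
Fri May  9 08:01:20 2014 [pid 1202] [anonymous] OK DOWNLOAD: Client "203.0.113.7", "/shared/claims/batch_0414.csv", 524288 bytes, 410.12Kbyte/sec
Fri May  9 08:02:02 2014 [pid 1210] CONNECT: Client "198.51.100.23"
Fri May  9 08:02:03 2014 [pid 1209] [anonymous] OK LOGIN: Client "198.51.100.23", anon password "crawler@example.org"
Fri May  9 08:02:09 2014 [pid 1211] [anonymous] OK DOWNLOAD: Client "198.51.100.23", "/shared/readme.txt", 120 bytes, 1.00Kbyte/sec
Fri May  9 08:05:40 2014 [pid 1220] [rad_tech] OK LOGIN: Client "10.20.30.40"
Fri May  9 08:05:45 2014 [pid 1221] [rad_tech] OK UPLOAD: Client "10.20.30.40", "/shared/claims/batch_0509.csv", 4096 bytes, 8.00Kbyte/sec
Fri May  9 08:07:00 2014 [pid 1230] [anonymous] FAIL LOGIN: Client "192.0.2.55"
"""

# One vsftpd log line: timestamp, pid, optional [user], OK/FAIL, action, client, optional path.
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
    r'(?:\[(?P<user>[^\]]+)\] )?(?P<result>OK|FAIL) '
    r'(?P<action>LOGIN|DOWNLOAD|UPLOAD|DELETE|MKDIR|RMDIR|RENAME|CHMOD): '
    r'Client "(?P<client>[^"]+)"(?:, "(?P<path>[^"]+)")?'
)

# Assumed location of the PHI exports; point this at the directories that matter.
SENSITIVE_PREFIXES = ("/shared/claims/",)


def audit_ftp_log(text, sensitive_prefixes=SENSITIVE_PREFIXES):
    """Return anonymous logins per client, every anonymous download, and the
    subset of those downloads that touched a sensitive directory."""
    logins = defaultdict(int)
    downloads, sensitive = [], []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # CONNECT lines and anything unrecognised
        d = m.groupdict()
        if d["user"] != "anonymous" or d["result"] != "OK":
            continue
        if d["action"] == "LOGIN":
            logins[d["client"]] += 1
        elif d["action"] == "DOWNLOAD":
            downloads.append((d["client"], d["path"]))
            if d["path"].startswith(sensitive_prefixes):
                sensitive.append((d["client"], d["path"]))
    return {"anonymous_logins": dict(logins),
            "anonymous_downloads": downloads,
            "sensitive_anonymous_downloads": sensitive}


def anonymous_ftp_listing(host, timeout=5):
    """Probe HOST: return the top-level listing if it accepts an anonymous
    login, or None if the login is refused or the host is unreachable.
    Run this only against servers you are authorised to test."""
    try:
        with FTP(host, timeout=timeout) as ftp:
            ftp.login()  # ftplib defaults to user "anonymous", password "anonymous@"
            return ftp.nlst()
    except all_errors:
        return None


if __name__ == "__main__":
    for key, value in audit_ftp_log(SAMPLE_LOG).items():
        print(key, value)
```

On the sample, audit_ftp_log reports two anonymous logins and one anonymous download from the sensitive directory. The log sweep, not the probe, is what answers OCR’s question of whether PHI was actually retrieved; the probe is for confirming the fix, and taking the server offline does nothing about copies that crawlers have already fetched.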

The security breach was reported to OCR, but Touchstone initially claimed that no PHI had been exposed. OCR launched an investigation into the breach and during the course of that investigation Touchstone admitted that PHI had in fact been exposed. The types of information that could be accessed over the internet included names, addresses, dates of birth, and Social Security numbers.

In addition to the impermissible disclosure of 307,839 individuals’ PHI, a violation of 45 C.F.R. § 164.502(a), OCR found that the security incident had not been properly investigated until September 26, 2014, several months after Touchstone was first notified by the FBI and after the breach had been reported to OCR. The delayed investigation was a violation of 45 C.F.R. § 164.308(a)(6)(ii).

As a result of the delayed investigation, affected individuals did not receive notification until 147 days after the breach was discovered, well in excess of the Breach Notification Rule’s 60-day limit. The late individual notices violated 45 C.F.R. § 164.404, and the media notice, also delayed by 147 days, violated 45 C.F.R. § 164.406.

OCR also found that Touchstone had failed to conduct a thorough, organization-wide risk analysis to identify all risks to the confidentiality, integrity, and availability of ePHI, a violation of 45 C.F.R. § 164.308(a)(1)(ii)(A).

OCR also identified two cases of Touchstone having failed to enter into a business associate agreement with vendors prior to providing access to systems containing ePHI.

OCR cites the use of an IT services company, MedIT Associates, without a BAA as a violation of 45 C.F.R. §§ 164.502(e)(2), 164.504(e), and 164.308(b), and the use of a third-party data center, XO Communications, without a BAA as a violation of 45 C.F.R. § 164.308(a)(1)(ii)(A).

In addition, in violation of 45 C.F.R. § 164.308(b), XO Communications continues to be used without a business associate agreement in place.

“Covered entities must respond to suspected and known security incidents with the seriousness they are due, especially after being notified by two law enforcement agencies of a problem,” said OCR Director Roger Severino. “Neglecting to have a comprehensive, enterprise-wide risk analysis, as illustrated by this case, is a recipe for failure.”

The settlement comes just a few days after OCR announced it has reduced the maximum financial penalties for three of the four HITECH Act tiers of HIPAA violations. This settlement confirms that while minor HIPAA violations may now attract lower financial penalties, when serious violations of HIPAA Rules are discovered and healthcare organizations fail to take prompt action to correct violations, the financial penalties can be considerable.


Mailing Error Sees Inmediata Breach Notification Letters Sent to Incorrect Addresses

Following a security incident that resulted in the exposure of PHI, Inmediata sent notification letters to affected individuals. However, several individuals have reported receiving notification letters in the mail addressed to other people.

The incident that prompted the notifications was a webpage used internally by Inmediata employees that had been accidentally set to allow it to be indexed by search engines. Consequently, the webpage could be found using Internet searches and the PHI of its customers’ patients could be accessed.

The forensic investigation did not find evidence to suggest the webpage was subjected to unauthorized access during the time it was accessible online; however, the possibility could not be ruled out.

Through the webpage, unauthorized individuals could have accessed the following information: Patients’ names, addresses, dates of birth, gender, doctor’s names, and medical claim information. A small number of individuals also had their Social Security number exposed.

Inmediata started sending notification letters to affected individuals on April 22, 2019 but something appears to have gone awry when sending those letters. Several individuals have reported receiving misaddressed letters.

The state of Michigan’s Consumer Protection Division received two such reports from state residents who received letters intended for other individuals. Databreaches.net also received multiple reports from consumers who had received letters in error.

Such an error could have occurred as a result of individuals moving and the data not being updated. Some of the comments suggest the data had been held for a long time: some letters were addressed to women by their maiden name, and in one case by a last name the recipient had used for a single encounter with a healthcare provider 25 years earlier.

The misaddressed letters only disclosed an individual’s name to others at an address. While that is unlikely to result in harm to patients directly, the mailing error means some individuals will not have received letters and will be unaware that their PHI has been exposed. Consequently, they would not know to take steps to protect their identities.

Michigan Attorney General Dana Nessel and Department of Insurance and Financial Services (DIFS) Director Anita G. Fox issued a statement about the breach highlighting steps that affected individuals can take to protect themselves against identity theft and fraud, although the breach was not confined to Michigan residents.

The letters have also left many individuals confused about who Inmediata is and why the company holds their data, an issue that has arisen in the past when other business associates have issued breach notification letters.

A copy of the breach notification letter on the California Attorney General’s website (PDF) states that “In January 2019, Inmediata became aware that some of its member patients’ electronic patient health information was publicly available online as a result of a webpage setting that permitted search engines to index pages that are part of an internal website we use for our business operations.”

Greater clarity about who the company is and why an individual’s data was held would have avoided such confusion.

“It would have been nice if they would have explained how they had [my wife’s] data in the first place since we have never heard of them,” wrote one commenter on the databreaches.net report, a sentiment echoed by several other commenters.

Further information on the mailing error will be made available here as and when it becomes available.


Class Action Lawsuit Filed Over Baystate Health Phishing Attack

In February 2019, Baystate Health experienced a phishing attack that resulted in the exposure of the protected health information (PHI) of 12,000 patients. On April 11, a class action lawsuit was filed on behalf of individuals affected by the breach.

The lawsuit was filed by attorney Kevin Chrisanthopoulos in the U.S. District Court in Springfield, MA, three days after Baystate Health announced the breach.

The lawsuit alleges plaintiffs now face an elevated risk of identity theft and fraud as a result of the phishing attack and seeks monetary damages for all patients whose PHI was exposed.

Upon discovery of the breach, Baystate Health secured its email system and launched an investigation. The investigation revealed the email accounts of nine employees had been compromised as a result of employees responding to phishing emails. The email accounts were subjected to unauthorized access and, as a result, the attacker(s) potentially gained access to patients’ PHI.

For most patients, the information exposed was limited to names, birth dates, diagnoses, treatment information, and medications. Certain patients also had their Medicare number, health insurance information, and/or Social Security number exposed. At the time of issuing notifications – April 8, 2019 – to affected patients, Baystate Health had not been able to confirm whether PHI had been viewed or copied, but no reports had been received to suggest any PHI had been misused.

As a precaution against identity theft and fraud, individuals whose Social Security number was exposed were offered complimentary credit monitoring and identity theft protection services for 12 months at no cost.

Baystate Health has taken reasonable steps to improve email security and prevent further data breaches from occurring. Those steps include providing further training for employees, with a specific focus on improving resilience to phishing attacks. Controls have also been implemented to prevent email account access from outside the organization and the frequency of email logging and log reviews has been increased.

Typically, class action lawsuits seeking damages for the exposure of PHI are only successful when it can be established, on the balance of probabilities, that harm has been suffered as a direct result of a data breach. Only in Illinois is it not necessary to establish harm has occurred as a result of the exposure of personal information for lawsuits to have standing.

“This isn’t the first time the medical center allowed confidential information to be accessed,” explained Chrisanthopoulos. “This is unconscionable, and we need to send a message that this cannot happen again.”

Baystate Health had experienced a similar phishing attack in 2016. In that incident, five employee email accounts were breached and the PHI of 13,112 patients was exposed.


PHI Exposed Due to Webpage Misconfiguration

Inmediata Health Group Corp, a provider of clearinghouse, software, and business process solutions, has announced that the medical information of some of its clients’ patients has been accidentally exposed online.

In January 2019, Inmediata discovered a webpage used internally by its employees had been misconfigured which allowed search engines to access and index the page. The information accessible through the webpage was limited to names, dates of birth, genders, and medical claims information. A very limited number of individuals also had their Social Security numbers exposed.

A computer forensics company assisted with the investigation and tried to determine whether the webpage and patient information had been accessed by unauthorized individuals. No evidence was uncovered to suggest the information was subjected to unauthorized access, but the possibility could not be ruled out.

All patients whose information was exposed were notified by mail on April 22, 2019. It is currently unclear how many patients have been affected and for how long their information was exposed online.
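Two signals show that an internal page was indexed before anyone noticed, and both are relevant to the Inmediata exposure described here and in the mailing-error post above: crawler user agents receiving full responses for internal paths, and ordinary visitors arriving at those paths with a search engine as the referrer. The Python below is an added example, not code from the article or from Inmediata. It pulls both signals from constructed Apache-style access-log lines and then classifies a single response the way an investigator would: did the page demand authentication, and if not, did anything tell crawlers to stay away. The /internal/ prefix, the crawler and referrer patterns and the sample responses are assumptions.

```python
"""Detect search-engine crawlers fetching an internal web application, and
classify whether a page is reachable without authentication and indexable.

Added example: not code from the HIPAA Journal article or from Inmediata.
The access-log lines are constructed in the Apache/nginx "combined" format;
the /internal/ prefix, the crawler user-agent list and the sample responses
are assumptions made for the demonstration.
"""
import re

COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
CRAWLER_UA = re.compile(r"googlebot|bingbot|slurp|duckduckbot|baiduspider|yandexbot", re.I)
SEARCH_REFERER = re.compile(r"https?://(www\.)?(google|bing|duckduckgo|yahoo)\.", re.I)
META_ROBOTS = re.compile(r'<meta\s+name=["\']robots["\']\s+content=["\']([^"\']*)["\']', re.I)

# Assumed prefix of the pages that were meant for employees only.
INTERNAL_PREFIXES = ("/internal/",)

# Constructed sample: crawlers index claim pages on 14 Jan, a member of the
# public arrives from a Google result, an employee uses the app from the LAN,
# and after the fix (15 Jan) the crawler is turned away with a 401.
SAMPLE_ACCESS_LOG = """\
66.249.66.1 - - [14/Jan/2019:03:12:01 +0000] "GET /internal/claims/view?id=10442 HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
66.249.66.1 - - [14/Jan/2019:03:12:03 +0000] "GET /internal/claims/view?id=10443 HTTP/1.1" 200 5098 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
40.77.167.12 - - [14/Jan/2019:04:40:10 +0000] "GET /internal/claims/list HTTP/1.1" 200 22011 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
203.0.113.9 - - [14/Jan/2019:09:01:44 +0000] "GET /internal/claims/view?id=10442 HTTP/1.1" 200 5120 "https://www.google.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
10.1.4.22 - jsmith [14/Jan/2019:09:15:00 +0000] "GET /internal/claims/view?id=10500 HTTP/1.1" 200 5110 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
66.249.66.1 - - [14/Jan/2019:10:00:00 +0000] "GET /public/about HTTP/1.1" 200 3000 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
66.249.66.1 - - [15/Jan/2019:03:12:01 +0000] "GET /internal/claims/view?id=10442 HTTP/1.1" 401 0 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
"""


def crawler_exposure(log_text, prefixes=INTERNAL_PREFIXES):
    """Return internal pages a crawler fetched successfully ("crawled") and
    internal pages a non-crawler reached from a search results page
    ("from_search"), the sign that indexing has already happened."""
    crawled, from_search = [], []
    for line in log_text.splitlines():
        m = COMBINED_RE.match(line)
        if not m or not m["path"].startswith(prefixes):
            continue
        if not m["status"].startswith("2"):
            continue  # refused or missing: nothing was served
        if CRAWLER_UA.search(m["ua"]):
            crawled.append((m["ip"], m["path"]))
        elif SEARCH_REFERER.search(m["referer"]):
            from_search.append((m["ip"], m["path"]))
    return {"crawled": crawled, "from_search": from_search}


def assess_response(status, headers, body):
    """Classify one response to an *unauthenticated* request for a page.
    headers: dict keyed by lower-case header name.
      requires-auth     -> 401/403 or redirect to a login page: content not exposed
      exposed-indexable -> served, and nothing tells crawlers to stay away
      exposed-noindex   -> served with noindex: polite crawlers skip it, but
                           anyone holding the URL still reads it
      not-served        -> any other status
    """
    if status in (401, 403):
        return "requires-auth"
    if status in (301, 302, 303, 307, 308) and "login" in headers.get("location", "").lower():
        return "requires-auth"
    if status != 200:
        return "not-served"
    directives = headers.get("x-robots-tag", "")
    meta = META_ROBOTS.search(body)
    if meta:
        directives += "," + meta.group(1)
    return "exposed-noindex" if "noindex" in directives.lower() else "exposed-indexable"
```

The classification deliberately ranks noindex below a 401 or a login redirect: a robots directive only asks well-behaved crawlers not to list the page, while anyone who already has the URL, including a search engine cache, can still read it. Requiring authentication on the internal site is the fix; a noindex header is at most a mitigation, and the from_search list tells you the mitigation came too late.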

Ransomware Attack Reported by New Jersey Orthopedic Surgeon

Paramus, NJ-based orthopedic surgeon, Ronald Snyder, M.D., has learned that an office server containing patient billing information has been compromised and encrypted by ransomware.

The attack took place on January 9, 2019 and prevented office staff from accessing patient files. The server was backed up regularly so it was possible to quickly restore almost all files that had been rendered inaccessible without having to pay any ransom demand.

Third-party computer forensics consultants were brought in to assist with the investigation, but it was not possible to determine whether patient information had been accessed due to damage caused by the attack.

No evidence was uncovered to suggest the attack was conducted as part of an attempt to gain access to patient information, although it was not possible to rule out data access. Consequently, all patients affected by the breach have been notified by mail.

The following types of information were stored in files on the server: Names, addresses, dates of birth, genders, co-pay amounts, patient statuses, employment statuses, telephone numbers, email addresses and, for some patients, their insurance identification number, which may have been formed using a Social Security number.

Additional safeguards have since been implemented to prevent further unauthorized access to the practice’s computer equipment.

It is currently unclear how many patients have been affected.

Gardner Family Health Network Discovers Unauthorized Individual Accessed Records Room

Gardner Family Health Network has alerted 5,064 patients that an unauthorized individual gained access to the optometry records room at its Gardner St. James clinic.

The unauthorized access was discovered on February 19, 2019. It is unclear why the room was accessed or what the individual did in the room, but it is possible the records of patients were viewed.

As a precaution, Gardner Family Health has notified all 5,064 patients whose records could potentially have been viewed. The types of information contained in the records were limited to names, addresses, dates of birth, phone numbers, medical record numbers, and appointment dates, times, and locations.

Gardner Family Health has improved physical security to prevent any similar breaches from occurring in the future.


Three Healthcare Phishing Incidents Result in Exposure of 10,000 Patient Records

National Seating and Mobility, Partners for Quality, and Alana Healthcare have all recently started notifying patients that their protected health information has been exposed as a result of phishing incidents.

3,673 Clients Impacted by Partners For Quality Phishing Attack

Partners For Quality, Inc. (PFQ), a provider of services and support for individuals with intellectual and developmental disabilities, discovered unusual activity within certain employee email accounts on February 19, 2019.

Assisted by a third-party computer forensics company, PFQ determined that three email accounts had been accessed by an unauthorized individual between January 19 and February 27, 2019. Further analysis of the compromised email accounts revealed they contained the sensitive information of clients and employees.

Clients affected by the breach had previously received services from PFQ, Allegheny Children’s Initiative Inc., Citizen Care Inc., Exceptional Adventures, or Milestone Centers Inc.

A wide range of highly sensitive protected health information was stored in the compromised email accounts, including names, dates of birth, Social Security numbers, medical record numbers, billing and claims information, health insurance information, driver’s license numbers, banking and financial account numbers, credit and debit card numbers, PINs, usernames and passwords, and diagnoses and treatment information.

While data access was possible, no reports have been received to suggest any client or employee information has been misused. All individuals for whom a valid postal address was held have been notified about the breach by mail.

PFQ has reviewed and updated its policies and procedures and has put additional safeguards in place to improve the security of sensitive information stored in its systems.

Affected individuals have been given further information on how they can protect their identities and have been advised to monitor their accounts for signs of identity theft and fraud. Despite the nature of information that was exposed, it does not appear that affected individuals are being offered credit monitoring and identity theft protection services.

According to the breach summary on the HHS’ Office for Civil Rights website, 3,673 clients were affected by the breach.

National Seating and Mobility Phishing Attack Impacts 3,800 Patients

Franklin, TN-based National Seating and Mobility (NSM), a manufacturer of seating and mobility systems, has discovered unauthorized individuals have gained access to the email accounts of some of its employees as a result of a phishing attack.

The email accounts were breached on or around February 14, 2019 and unauthorized access was promptly terminated. The quick response severely limited the time the attackers had to access emails in the account. NSM conducted an investigation and, assisted by third-party computer experts, determined that the email accounts contained a limited amount of client information – Names, addresses, dates of birth, diagnosis/diagnostic codes, and other information related to the provision of a mobility device. Certain individuals also had their Social Security number, driver’s license number, health insurance information, Medicare/Medicaid number, and/or guarantor’s personal information exposed.

The third-party computer experts concluded on March 12, 2019 that, because of the method of access, the contents of some employees’ email accounts may have been copied to the attacker’s mail client by the standard email synchronization process, even though the attacker had little time to read individual messages.

While no evidence has been uncovered to suggest there has been any misuse of the exposed information, individuals affected by the breach have been offered free credit monitoring and identity theft protection services. NSM is reviewing its security measures and will take steps to enhance protections to prevent any further breaches.

The breach report submitted to the HHS’ Office for Civil Rights indicates up to 3,800 individuals were affected by the breach.

Alana Healthcare Phishing Incident Impacts 2,691 Patients

On January 17, 2019, the Nashville, TN-based care management company Alana Healthcare discovered an unauthorized individual had gained access to the email account of an employee. Assisted by a third-party computer forensics company, Alana Healthcare determined on March 14, 2019 that the email account contained sensitive information of 2,691 patients.

Names, dates of birth, Social Security numbers, and some health information were exposed and potentially subjected to unauthorized access. Affected patients have been notified by mail and have been offered credit monitoring and identity theft protection services as a precaution, although no reports have been received to suggest any patient information has been misused.

To prevent further data breaches, Alana Healthcare will be providing employees with additional training and testing on the need to protect sensitive information and multi-factor authentication will be implemented on employee email accounts.


HHS To Apply New Caps on Financial Penalties for HIPAA Violations to Reflect Level of Culpability


The Department of Health and Human Services has issued a notification of enforcement discretion regarding the civil monetary penalties that are applied when violations of HIPAA Rules are discovered and will be reducing the maximum financial penalty for three of the four penalty tiers.

The Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 increased the penalties for HIPAA violations. The new penalties were based on the level of knowledge a HIPAA covered entity or business associate had about the violation and whether action was voluntarily taken to correct any violations.

The 1st penalty tier applies when a covered entity or business associate is unaware that HIPAA Rules were violated and, by exercising a reasonable level of due diligence, would not have known that HIPAA was being violated.

The 2nd tier applies when a covered entity knew about the violation or would have known had a reasonable level of due diligence been exercised, but when the violation falls short of willful neglect of HIPAA Rules.

The 3rd penalty tier applies when there was willful neglect of HIPAA Rules, but the covered entity corrected the problem within 30 days.

The 4th tier applies when there was willful neglect of HIPAA Rules and no efforts were made to correct the problem in a timely manner.

The maximum penalty across all four tiers was set at $1.5 million for violations of an identical provision in a single calendar year.

On January 25, 2013, the HHS implemented an interim final rule (IFR) and adopted the new penalty structure, but believed at the time that there were inconsistencies in the language of the HITECH Act with respect to the penalty amounts. The HHS determined at the time that the most logical reading of the law was to apply the same maximum annual penalty cap of $1,500,000 across all four penalty tiers.

The HHS has now reviewed the language of the HITECH Act and believes a better reading is for the annual penalty caps to differ in three of the four tiers to better reflect the level of culpability. The minimum and maximum penalty amounts per violation in each tier remain unchanged.

New Interpretation of the HITECH Act’s Penalties for HIPAA Violations

Tier  Level of Culpability                          Min. per Violation  Max. per Violation  Old Annual Cap  New Annual Cap
1     No Knowledge                                  $100                $50,000             $1,500,000      $25,000
2     Reasonable Cause                              $1,000              $50,000             $1,500,000      $100,000
3     Willful Neglect, Corrective Action Taken      $10,000             $50,000             $1,500,000      $250,000
4     Willful Neglect, No Corrective Action Taken   $50,000             $50,000             $1,500,000      $1,500,000

The HHS will publish its notification in the Federal Register on April 30, 2019. The HHS notes that its notification of enforcement discretion creates no legal obligations and no legal rights. Consequently, it is not necessary for it to be reviewed by the Office of Management and Budget.

The new penalty caps will be adopted by the HHS until further notice and will continue to be adjusted annually to account for inflation. The HHS expects to engage in further rulemaking to review the penalty amounts to better reflect the text of the HITECH Act.


Medical Billing Service Provider Suffers Ransomware Attack 7 Months After Computer Breach

Doctors’ Management Service Inc., a Massachusetts-based provider of medical billing services, discovered on December 24, 2018 that malicious software had been downloaded to its network which prevented files from being accessed.

An investigation into the security incident was initiated which determined GandCrab ransomware had been deployed. Files were recovered from backups and no ransom was paid.

The investigation also revealed that the individual responsible for installing the ransomware had first gained access to its systems on April 1, 2017, 7 months before the ransomware was deployed. Access to the network was gained via Remote Desktop Protocol (RDP) on one of its workstations.

Parts of the network that were subjected to unauthorized access contained the protected health information of patients of its clients, which included names, addresses, dates of birth, Social Security numbers, insurance information, Medicare/Medicaid ID numbers, driver’s license numbers, and some diagnostic information.

The ransomware appears to have been deployed at a time chosen so that the attack would not be detected immediately, and may have been an attempt to extort money only after the hackers had achieved their other objectives.

Doctors’ Management Service explained in its breach notification letter that no unauthorized server access was detected until the ransomware was deployed on December 24, and the forensic investigation did not uncover any evidence of data access nor exfiltration of patient data, although the forensic investigators could not rule out the possibility of data theft.

Third-party computer security experts have been consulted and have made recommendations on how network security can be improved. The company will implement additional controls to prevent further security breaches and staff will continue to be educated on security threats.

Impacted clients and patients have been notified about the incident and the breach has been reported to the Department of Health and Human Services’ Office for Civil Rights. The breach summary has yet to appear on the OCR breach portal, so it is unclear how many individuals have been impacted.


Email Hacking Incidents Result in Exposure of 8,600 Patients’ PHI

Three more healthcare organizations have discovered unauthorized individuals have gained access to the email accounts of employees and potentially accessed patients’ protected health information. In total, across the three incidents, the PHI of 8,635 patients has been exposed.

PHI of 5,319 Patients of Center for Sight and Hearing Exposed

Rockford, IL-based Center for Sight and Hearing discovered on January 23, 2019 that an unauthorized individual had gained access to the email account of an employee. The investigation revealed the account was compromised on January 18 and the account contained the PHI of 5,319 patients.

A third-party computer forensics company confirmed on February 21, 2019 that names, addresses, and scheduling information were contained in the compromised account. To improve security, Center for Sight and Hearing has implemented a new password management system and multi-factor authentication.

2,290 Patients Notified About Harbor Behavioral Health Phishing Attack

Harbor Behavioral Health, a network of counseling and mental health treatment centers in Northwest Ohio, discovered on February 13, 2019 that an unauthorized individual had gained access to the email account of an employee.

Assisted by a third-party computer forensics firm, Harbor determined that the hacker had access to the account for three months between December 2018 and February 2019 and that a further email account had also been compromised.

In both cases, unauthorized access to the accounts was immediately terminated and the accounts were secured. An analysis of the compromised accounts revealed they contained information such as names, dates of birth, health insurance details, and information related to the services provided by Harbor. The Social Security numbers and driver’s license numbers of a limited number of patients were also exposed. In total, the compromised email accounts contained the PHI of 2,290 patients.

Complimentary credit monitoring and identity theft protection services have been offered to all patients whose Social Security number or driver’s license number was exposed.

In addition to securing the accounts, Harbor has strengthened controls to prevent unauthorized access from external IP addresses, increased log reviews and the frequency of automated alerts, and has strengthened its security processes. Additional training has also been given to employees to help them detect and avoid phishing emails.
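Baystate Health, National Seating and Mobility, Alana Healthcare and Harbor all describe the same mailbox-compromise pattern and the same fixes: block access from outside the organization, review sign-in logs more often, and add multi-factor authentication. The Python below is an added example, not code from the article or from any of those organizations, showing the three checks a reviewer of mail sign-in logs would run first: successful logins over legacy protocols that cannot prompt for MFA (and that synchronize the whole mailbox to the client, matching the synchronization-based copying NSM reported), successes from countries the organization does not operate in, and one account appearing in two countries within an hour. The sign-in records are constructed; the field names, the allowed-country list and the one-hour window are assumptions.

```python
"""Spot the sign-in patterns behind mailbox compromises: legacy-protocol logins
that bypass MFA, successes from unexpected countries, and one user appearing
in two countries within an hour.

Added example: not code from HIPAA Journal, Baystate Health, National Seating
and Mobility, Alana Healthcare or Harbor Behavioral Health. The records are
constructed and loosely modelled on cloud mail audit logs; field names, the
allowed-country list and the one-hour travel window are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

ALLOWED_COUNTRIES = {"US"}
# Protocols that authenticate with a bare password: no MFA prompt is possible,
# and a client using them pulls the whole mailbox down as a normal sync.
LEGACY_PROTOCOLS = {"IMAP4", "POP3", "SMTP-AUTH", "ActiveSync-Basic"}
TRAVEL_WINDOW = timedelta(hours=1)

# Constructed sample: a nurse signs in from the office; half an hour later the
# phished password is used over IMAP from abroad. A billing mailbox sends via
# SMTP AUTH from the office, which is legitimate but still bypasses MFA.
SIGN_INS = [
    {"time": "2019-02-11T08:02:00Z", "user": "nurse1@clinic.example", "ip": "10.8.0.14", "country": "US", "protocol": "Modern", "result": "Success"},
    {"time": "2019-02-11T08:30:00Z", "user": "nurse1@clinic.example", "ip": "203.0.113.77", "country": "NG", "protocol": "IMAP4", "result": "Failure"},
    {"time": "2019-02-11T08:31:00Z", "user": "nurse1@clinic.example", "ip": "203.0.113.77", "country": "NG", "protocol": "IMAP4", "result": "Success"},
    {"time": "2019-02-11T12:10:00Z", "user": "billing@clinic.example", "ip": "198.51.100.4", "country": "US", "protocol": "Modern", "result": "Success"},
    {"time": "2019-02-11T12:15:00Z", "user": "billing@clinic.example", "ip": "198.51.100.4", "country": "US", "protocol": "SMTP-AUTH", "result": "Success"},
]


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def find_suspicious_sign_ins(records, allowed=ALLOWED_COUNTRIES, window=TRAVEL_WINDOW):
    """Return (kind, user, ip-or-transition, detail) tuples for successful
    sign-ins that used a legacy protocol, came from a country outside ALLOWED,
    or put one user in two countries within WINDOW."""
    alerts = []
    successes = defaultdict(list)  # user -> [(time, country, ip)]
    for r in sorted(records, key=lambda r: r["time"]):
        if r["result"] != "Success":
            continue
        if r["protocol"] in LEGACY_PROTOCOLS:
            alerts.append(("legacy-protocol", r["user"], r["ip"], r["protocol"]))
        if r["country"] not in allowed:
            alerts.append(("unexpected-country", r["user"], r["ip"], r["country"]))
        t = parse_time(r["time"])
        for prev_t, prev_country, prev_ip in successes[r["user"]]:
            if prev_country != r["country"] and t - prev_t <= window:
                alerts.append(("impossible-travel", r["user"],
                               f"{prev_ip}->{r['ip']}", f"{prev_country}->{r['country']}"))
                break
        successes[r["user"]].append((t, r["country"], r["ip"]))
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_sign_ins(SIGN_INS):
        print(*alert)
```

On the sample the nurse’s IMAP login from a second country within half an hour fires all three checks, while the billing mailbox fires only the legacy-protocol check. That last one is the check that matters most for the remediation these organizations describe: an MFA rollout leaves the password-only path open until IMAP, POP and SMTP AUTH are disabled, and blocking external addresses does nothing for an attacker who has already synchronized the mailbox.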

1,026 Individuals Impacted by Dakota County Email Account Breach

Dakota County, MN, has discovered the email account of an employee has been hacked and accessed by an unauthorized individual. The email account breach was discovered on February 13, 2019 and the account was immediately secured.

As a precaution, a forced password reset was performed on all employee email accounts to ensure no other accounts could be accessed, although the investigation confirmed that only a single account had been compromised. Third-party cybersecurity consultants were retained to conduct an investigation into the breach and confirmed the account had been accessed. It was not possible to determine whether any emails had been opened or copied.

The compromised account contained information maintained by Dakota County Social Services, including names, addresses, Social Security numbers, driver’s license numbers, health insurance information, medical histories, diagnoses, and treatment information.

Complimentary identity protection services have been offered to individuals affected by the breach and notification letters were sent on April 12, 2019. Dakota County has also strengthened its email security defenses to prevent further attacks.
