HIPAA Breach News

Washington State University Settles Class Action Data Breach Lawsuit for $4.7 Million

A $4.7 million settlement has recently been approved by the King County Superior Court to reimburse individuals whose personal information was stolen from Washington State University in April 2017.

Washington State University had backed up personal information on portable hard drives which were stored in a safe in a self-storage locker. On April 21, 2017, the university discovered a break-in had occurred at the storage facility and the safe had been stolen. The hard drives contained the sensitive personal information of 1,193,190 individuals. Most of the files on the hard drives were not encrypted.

The drives contained the types of information sought by identity thieves: Names, contact information, and Social Security numbers, in addition to health data of patients, college admissions test scores, and other information. The information dated back around 15 years and had been collected by the WSU Social and Economic Sciences Research Center for a research project.

While the hard drives were stolen, Washington State University maintains there is no indication that any data stored on the devices has been accessed or misused. Some of the plaintiffs named in the lawsuit alleged they have suffered identity theft or fraud as a result of the breach, but the university maintains that such cases were not the result of the stolen hard drives. The decision was taken to settle the lawsuit to save money: the settlement, while high, is believed to be far lower than the continued cost of legal action.

In January 2019, a settlement of $5.26 million was agreed by the WSU Board of Regents. While the final settlement is lower, it does not include the cost of credit monitoring and identity theft protection services for individuals impacted by the breach. In addition to the settlement amount, Washington State University will cover the cost of two years of credit monitoring and identity theft protection services for up to 1,193,190 individuals impacted by the breach.

The final cost will depend on the number of individuals who submit claims. WSU will accept claims of up to $5,000 from individuals impacted by the breach to cover out-of-pocket expenses and lost time, provided those costs can be proven. The fund for covering those claims is $3.5 million. If that total is exceeded, claim amounts will be reduced pro rata. Approximately $800,000 has been set aside to cover attorneys’ fees and a further $650,000 will cover administrative costs. Washington State University was covered by a cyber-liability insurance policy which will cover the settlement.

The university has also agreed to update policies and procedures and enhance security. Backup data will now be stored in a more secure location, data security assessments and audits will be conducted regularly, and additional training will be provided to staff. IT contracts in relation to the research project will be cancelled and those functions will be handled in house. Archived data from the research project will be permanently destroyed.

The settlement highlights the importance of using encryption to protect stored data, especially data stored on portable electronic devices. If the data are encrypted, whoever obtains a lost or stolen device cannot read them (provided the encryption key was not also compromised), and under the HIPAA Breach Notification Rule such an incident would not be classed as a reportable breach.

The post Washington State University Settles Class Action Data Breach Lawsuit for $4.7 Million appeared first on HIPAA Journal.

Unsecured Database of Addiction Service Provider Potentially Contained Records of 145,000 Patients

A database containing highly sensitive information of patients who had previously sought treatment for addiction at rehabilitation centers has been discovered to be freely accessible over the internet.

The database contained approximately 4.91 million records which related to an estimated 145,000 patients of the Levittown, PA-based addiction rehabilitation service provider Steps to Recovery.

The unsecured database was discovered on March 24, 2019 by Justin Paine, Director of Trust and Safety at Cloudflare. Following the discovery, Paine notified Steps to Recovery and its hosting provider on March 24. No reply was received from Steps to Recovery, but its hosting company made contact and the database has now been secured and is no longer accessible online.

Paine had performed a search on the Shodan search engine to identify unsecured databases and devices. According to Paine, the ElasticSearch database contained two indices which held more than 1.45 GB of data. The information could be accessed by anyone over the internet without any authentication. The database was exposed online for more than two years, from the middle of 2016 to the end of 2018.

The types of information contained in the database included patients’ names, details of the treatments and services received at Steps to Recovery, the dates those services were provided, locations visited by patients, and billing information.

Paine was also able to obtain further information on patients with simple Google searches using information contained in the database. For a small sample of patients, Paine was able to discover information such as ages, dates of birth, email addresses, and possible contact telephone numbers.

The number of patients impacted by the breach has yet to be confirmed by Steps to Recovery and the incident is not yet listed on the Department of Health and Human Services’ Office for Civil Rights Breach portal. It is unclear if any other individuals found the database during the time it was accessible online.


60,000 Records Exposed in EmCare Phishing Attack

The Dallas, TX-based physician staffing company EmCare has announced that it has suffered a data breach that has impacted approximately 60,000 individuals, 31,000 of whom were patients.

The exposed information was detailed in emails and email attachments in employee email accounts that were accessed by an unauthorized individual after several employees responded to phishing emails and disclosed their email credentials. It is unclear from EmCare’s breach notice when the breach occurred and how long the attackers had access to the email accounts.

The breach was discovered on February 19, 2019. An investigation was launched and, assisted by a third-party computer forensics company, it was discovered that the compromised email accounts contained information about patients, employees, and contractors. The following information was saved in email accounts and was potentially accessed or copied by the attackers: Names, dates of birth, driver’s license numbers, Social Security numbers, demographic information, and clinical information.

The investigation did not uncover evidence to suggest patient or employee information was accessed or exfiltrated by the attackers, although the possibility could not be ruled out. No reports have been received to suggest that patient or employee information has been misused to date.

EmCare is offering one year of credit monitoring and identity theft protection services at no cost to individuals whose Social Security number or driver’s license number was potentially compromised.

Notification letters were sent to affected individuals on April 19, 2019, 59 days after the discovery of the breach and a day before the HIPAA Breach Notification Rule reporting deadline.

EmCare has responded to the breach by implementing a range of “advanced IT solutions” and employees have been provided with further training on email security.


Klaussner Furniture Industries Discovers Health Plan Data of 9,352 Employees Has Potentially Been Compromised

The protected health information of 9,352 current and former employees of Klaussner Furniture Industries, Inc., and some dependents of those employees, has been exposed as a result of a security breach.

In February 2019, Klaussner Furniture learned that computers had been accessed by unauthorized individuals. A leading cybersecurity firm was retained to conduct a forensic investigation, which confirmed that two computers had been accessed by an unauthorized third party.

An analysis of the computers revealed they contained files that included first and last names, dates of birth, addresses, Social Security numbers, health benefit election(s), and some health information. No evidence was found that suggests employee information was accessed, copied, or misused, although it was not possible to rule out data access and exfiltration.

Individuals whose information was exposed had either worked at the company in 1998 or were employed at some point between 2004 and February 25, 2019. The sensitive information of dependents of those employees was only exposed if they had been listed on employees’ health benefit elections between 2004 and 2019.

Identity protection and monitoring services are being offered to all individuals affected by the breach for 12 months at no cost.

Klaussner Furniture has improved data security practices, rebuilt affected systems, and implemented additional security measures to prevent further unauthorized access. Additional security measures are also being explored which could further protect employee data.

Veterans Health Administration Notifies 4,882 Patients of Impermissible PHI Disclosure

The Veterans Health Administration (VHA) has discovered that an error in a mailing app resulted in the protected health information of patients being included in letters sent to other patients. To send letters containing protected health information to patients, VHA uses a Xerox software-powered app to pull relevant data from electronic medical records for inclusion in mailings.

The error resulted in other patients’ imaging results, lab test results, and appointment schedules being printed on letters. In each case, the PHI was disclosed to one other patient. The error occurred on February 13 and was discovered and corrected on February 16, 2019. During that time, letters had been mailed to 4,882 patients. Patients whose PHI was impermissibly disclosed had previously received medical services at Martinsburg VA Medical Center in West Virginia.

All individuals impacted by the breach have now been notified. The VHA is currently reviewing quality control procedures and will make updates as appropriate to prevent any further PHI disclosures.


Centrelake Medical Group Discovers Servers Compromised and Virus Deployed

Centrelake Medical Group, a network of eight medical imaging and oncology centers in California, is notifying certain patients that some of their protected health information has been exposed as a result of a computer virus.

The computer virus was discovered in February 2019 when it prevented the medical group from accessing its files. The virus appears to be a form of ransomware, although no mention of ransomware or a ransom demand was made in the media notice issued by Centrelake.

Centrelake retained a computer forensics company to assist with the investigation to determine the scope of the attack and whether any files containing protected health information had been accessed or copied.

The investigation revealed an unauthorized individual had gained access to its servers on January 9, 2019. Prior to deploying the virus on February 19, 2019, the unauthorized individual was able to access the servers undetected.

It is not unusual for ransomware to be installed on systems after hackers have breached security defenses. In some cases, ransomware is deployed after the system has been investigated and all valuable data has been exfiltrated. In this case, the computer forensics company did not uncover any evidence to suggest patient information was accessed or copied during the time that system access was possible, and no reports have been received to suggest any attempted or actual misuse of data has occurred.

The servers accessed by the unauthorized third party contained software applications and files that may have contained the following types of patient information: Names, phone numbers, addresses, Social Security numbers, health insurance information, diagnoses, services performed, dates of service, medical record numbers, referring provider information, and driver’s license numbers.

Centrelake Medical Group has told patients to be alert to the possibility of data misuse and suggests patients should monitor their financial accounts, credit reports, and explanation of benefits statements for any sign of fraudulent activity. A toll-free number has been set up for patients to obtain further information, but it does not appear that patients are being provided with credit monitoring and identity theft protection services.

The incident has yet to appear on the Department of Health and Human Services’ Office for Civil Rights breach portal, so it is currently unclear exactly how many patients have been affected.


11,639 Individuals Impacted by Riverplace Counseling Center Malware Attack

Riverplace Counseling Center in Anoka, MN, has discovered that malware was installed on its systems which may have allowed unauthorized individuals to gain access to patients’ protected health information.

The malware infection was discovered on January 20, 2019. The counseling center engaged an IT firm to conduct a forensic analysis, remove the malware, and restore its systems from backups. The analysis was completed on February 18, 2019.

The IT firm did not find evidence that suggested patient information had been subjected to unauthorized access or had been copied, but data access and PHI theft could not be totally ruled out.

The types of information stored on the affected systems included names, addresses, dates of birth, health insurance information, Social Security numbers, and treatment information.

Affected individuals were notified about the data breach on April 11, 2019 and have been offered identity theft monitoring services via Kroll for 12 months at no cost. No reports have been received to date to suggest any patients’ PHI has been misused.

Riverplace Counseling Center has not publicly disclosed what type of malware was involved, nor how the malware was installed on its systems.

To improve security and reduce the risk of further malware attacks, Riverplace Counseling Center has installed spam filters, upgraded its antivirus software and firewalls, and has provided further training to employees to help them identify unauthorized access.

The counseling center has also consulted with a cybersecurity firm which is providing recommendations on new system-wide policies and procedures to further enhance security.

According to the breach summary on the Department of Health and Human Services’ Office for Civil Rights website, up to 11,639 patients’ PHI was potentially compromised.


Clearway Pain Solutions Institute Discovers Unauthorized EMR System Access

Gulf Coast Pain Consultants, dba Clearway Pain Solutions Institute, has discovered its EMR system has been accessed by an unauthorized individual.

An investigation was launched following the discovery of the breach on February 20, 2019. The investigation revealed the individual accessed a range of patient information.

The types of information that were accessed included patients’ names, telephone numbers, home addresses, email addresses, dates of birth, Social Security numbers, health insurance information, name of referring provider, and demographic information. Clinical information contained in medical records could not be accessed and no financial information was exposed.

Unauthorized access to the system has now been blocked, a full review of all EMR accounts has been conducted, and access levels and EMR system activity have been validated for all user accounts. A review of policies and procedures is being conducted with regard to the accessing of patient information, and updates will be made as appropriate.

All patients affected by the breach are now being notified and are being offered 12 months of membership to Experian IdentityWorks at no cost.

The incident has yet to appear on the HHS’ Office for Civil Rights breach portal so it is unclear exactly how many patients have been affected.

Questcare Medical Services Discovers Email Account Breach

Questcare Medical Services, a Dallas, TX-based physician group, has announced the email account of an employee was compromised on February 13, 2019 as a result of a phishing attack. An investigation was immediately launched which revealed the compromised account contained protected health information. Affected patients were notified about the breach on April 12, 2019.

All individuals impacted by the breach had received medical services from Questcare in the Dallas, Fort Worth, or Arlington regions of Texas. The information potentially accessed by the attacker was limited to names, dates of birth and some clinical information. No sensitive financial information or Social Security numbers were exposed.

Questcare has provided further training to staff to improve security awareness and regular reminders about phishing will be sent to staff. Microsoft’s Advanced Threat Protection has also been implemented to provide enhanced protection against phishing attacks.

The number of individuals impacted by the breach has not yet been publicly disclosed.

RS Medical Experiences Phishing Attack

Vancouver, WA-based pain relief device manufacturer RS Medical has experienced a phishing attack that resulted in the email account of an employee being accessed by an unauthorized individual. The purpose of the attack appears to have been to gain access to a company account to send phishing emails rather than to obtain sensitive patient information.

After gaining access to the account, the attacker sent around 10,000 phishing emails which alerted the company to the account breach. The breach was detected within 2 hours of the account being accessed.

While PHI access is not suspected, it could not be ruled out with a high degree of certainty. Notification letters have been sent to approximately 250 individuals whose PHI was included in the account.

The exposed PHI was limited to names, dates of birth, phone numbers, home addresses, diagnosis codes, and details of the medical equipment and supplies that had been provided by RS Medical.


Blue Cross of Idaho Website Hacked and Attempts Made to Reroute Payments

Blue Cross of Idaho has discovered its website has been hacked and an unauthorized individual gained access to its member portal and viewed the protected health information of some of its members.

Blue Cross of Idaho is one of the largest health insurers in the state and serves approximately 560,000 Idahoans. Blue Cross of Idaho’s executive vice president Paul Zurlo said the breach affected around 1% of its members (around 5,600 individuals).

The website security breach occurred on March 21, 2019 and was discovered the following day. During the time that portal access was possible, the hacker accessed provider remittance documents and attempted to reroute provider financial transactions.

Upon discovery of the breach, Blue Cross of Idaho terminated the unauthorized access and secured its portal to prevent financial fraud and further accessing of documents. The incident was reported to the FBI and the investigation remains open. The health insurer is working with internal and external cybersecurity consultants and financial experts to assess the security of the patient portal and the financial transactions that have taken place. All transactions going through the system are being monitored to ensure they are legitimate.

The remittance documents that were accessed did not contain Social Security numbers, driver’s license numbers, bank account information or debit/credit card numbers. The compromised information was limited to names, enrollee numbers, patient account numbers, claims numbers, payment data, procedure codes, provider names, and dates of service.

Members impacted by the breach have been advised to carefully monitor their bank account, credit card, and other financial statements for any sign of fraudulent activity as a precaution, even though financial information was not exposed. Explanation of benefits statements should also be checked for any services listed that have not been provided.

Following the exposure of sensitive information, it is customary to offer free access to credit monitoring and identity theft protection services. If Social Security numbers, financial information, or driver’s license numbers are exposed in a data breach, those services are usually provided for 12 months at no cost.

Even though highly sensitive information was not exposed and there do not appear to have been any attempts to misuse PHI, Blue Cross of Idaho is offering credit monitoring and identity theft protection services to affected members for three years.

Blue Cross of Idaho will also be sending new ID cards with different membership ID numbers to all affected individuals in the next few weeks and will continue to monitor the security of its system to ensure that members’ personal information is safe and secure.


Metrocare Services Suffers Second Phishing Attack in Two Months

Metrocare Services, a provider of mental health services in North Texas, has experienced a phishing attack which saw the email accounts of several employees accessed by an unauthorized individual.

The breach was detected on February 6, 2019 and the affected email accounts were rapidly blocked to prevent further access. The investigation revealed the accounts were first compromised in January 2019.

An analysis of the affected accounts revealed they contained the protected health information of 5,290 patients. Patients were notified on April 5, 2019 that the following information could potentially have been accessed as a result of the attack: Name, date of birth, driver’s license information, health insurance information, health information related to the services provided by Metrocare, and for certain patients, Social Security numbers.

The breach investigation did not uncover any evidence to suggest emails containing ePHI had been accessed or copied, but ePHI access and theft could not be ruled out. Individuals whose Social Security number was exposed have been offered free access to identity theft protection and credit monitoring services for 12 months.

In response to the breach, Metrocare Services will be implementing additional security measures and will be strengthening the security of its email system. Multifactor authentication will also be implemented to prevent accounts from being accessed in the event that credentials are compromised in future attacks.

This is not the first phishing attack that Metrocare Services has experienced. Two months previously, in November 2018, the PHI of 1,800 patients was compromised in a similar attack. After that attack, Metrocare Services said it was strengthening the security of its email system and had provided additional training to employees to help them identify potential phishing attacks.

Those measures were clearly not sufficient to prevent further attacks. Had multifactor authentication been implemented after the first phishing attack, the second, larger breach could potentially have been prevented.
