HIPAA Breach News

20K Patients of Pasquotank-Camden Emergency Medical Services Impacted by Server Hack

Pasquotank-Camden Emergency Medical Services (PCEMS) has discovered hackers have infiltrated a server that housed its billing system, which contained the protected health information of 20,420 patients.

As a result of the intrusion, the hackers potentially gained access to the highly sensitive information of individuals who had previously received medical services from PCEMS.

The types of information stored on the server included names, birth dates, Social Security numbers, and some medical information that had been collected by PCEMS.

The breach was reported immediately to the Sheriff of Pasquotank County and federal law enforcement agencies, who determined that the hackers were based outside the United States. No evidence was found to indicate patients’ protected health information was stolen and at the time of issuing notification letters to patients, no reports had been received to suggest patient information had been misused.

Since data theft could not be ruled out, PCEMS has offered all affected patients 12 months of free credit monitoring and identity theft protection services through ID Experts. Affected patients will also be covered by a $1,000,000 insurance reimbursement policy. Enrollment in these services is not automatic. Patients have until May 26, 2019 to register for the services.

PCEMS is now reviewing its cybersecurity protections and will be taking steps to enhance cybersecurity to prevent similar breaches in the future.

Oklahoma Heart Hospital Notifies Patients of Potential ePHI Breach

Oklahoma Heart Hospital is notifying 1,221 patients that some of their protected health information was stored on desktop computers that were stolen in January.

Four desktop computers were stolen from the outpatient clinic at Mercy Hospital in Oklahoma City, OK. Oklahoma Heart Hospital was in the process of relocating those offices when the theft occurred.

The stolen computers were not encrypted, so patient information could potentially be accessed by the thieves. Patient information on the computers was present in stored email messages that had been sent between hospital employees and was limited to names, addresses, phone numbers, dates of birth, and clinical information such as blood pressure logs and lab values. Medical records are stored on a secure server and were not exposed.

Oklahoma Heart Hospital has now revised its policies and procedures to prevent similar breaches in the future.

The post 20K Patients of Pasquotank-Camden Emergency Medical Services Impacted by Server Hack appeared first on HIPAA Journal.

Emerson Hospital Alerts Patients to May 2018 Breach at Claims Processing Vendor

Emerson Hospital in Concord, MA, is alerting 6,300 patients that some of their protected health information has been exposed due to a security breach at a third-party vendor in May 2018.

The hospital explained that the breach occurred between May 9 and May 17, 2018 and was an unauthorized disclosure incident. A former employee of MiraMed Global Services, a company that helps the hospital collect payments, was discovered to have sent files containing protected health information to a third party who was not authorized to receive the information.

The files contained the types of information usually sought by identity thieves, including names, addresses, Social Security numbers, and insurance policy information. Financial information and health information were not compromised.

The employee responsible was fired over the breach and the matter was reported to law enforcement. It is unclear whether the employee responsible has been charged over the theft.

A forensic investigation confirmed that ePHI had been stolen, but a spokesperson for the hospital issued a statement saying, “A detailed forensic investigation showed that the files were of such poor quality that a third party did not find the data useful.”

Even though the information does not appear to have been misused, as a precaution, all affected patients have been offered identity theft protection services through Experian IdentityWorks for 24 months without charge.

This is the second healthcare institution to report that it has been affected by the breach. Rush System for Health also reported a similar case to OCR on February 28, 2019. Even though names, Social Security numbers, birthdates, and insurance information were also compromised, Rush reported that patients faced a low risk of fraud since no financial information was compromised. Approximately 45,000 of its patients were affected.

It is not known whether any other healthcare organizations have been affected by the MiraMed breach.

The post Emerson Hospital Alerts Patients to May 2018 Breach at Claims Processing Vendor appeared first on HIPAA Journal.

‘Dozens’ of Northwestern Memorial Hospital Employees Fired for Accessing Jussie Smollett’s Medical Records

A major case of snooping on celebrity medical records has been reported that has resulted in ‘dozens’ of healthcare workers being fired from Chicago’s Northwestern Memorial Hospital for accessing the medical records of Jussie Smollett without authorization.

Jussie Smollett attended the hospital’s emergency room for treatment for injuries sustained in an alleged racially motivated attack by two men on January 29, 2019.

Following a police investigation into the alleged attack, Chicago Police Superintendent Eddie Johnson announced that the Empire actor had been arrested on February 21 and charged with disorderly conduct and filing a false police report. The police allege that the attack was a hoax and that it had been staged by Smollett as a publicity stunt.

Curiosity got the better of some employees at Northwestern Memorial Hospital, who searched for Smollett on the hospital’s system; some of them accessed his chart and viewed his medical records.

Accessing the medical records of patients without authorization is a violation of Health Insurance Portability and Accountability Act (HIPAA) Rules and can result in disciplinary action and, in certain cases, criminal penalties for the employees concerned.

Northwestern Memorial Hospital reviewed PHI access logs and took decisive action over the privacy violations. Employees found to have snooped on Smollett’s medical records were fired.

Northwestern Memorial Hospital has neither confirmed that Smollett was a patient nor provided information about the number of employees that have been terminated, stating that HIPAA prevents such information from being disclosed.

Some employees who were terminated have spoken to the media about the incident. CBS Chicago claims dozens of hospital employees have been terminated for the HIPAA violations, while NBC Chicago has reported there have been at least 50 terminations for snooping.
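The hospital's response above turned on a review of PHI access logs. The following is an added example, not code from HIPAA Journal or Northwestern Memorial Hospital, of the kind of review a privacy or security team runs after such an incident: every chart or result view is checked against a roster of staff with a documented care relationship to that patient, and anyone outside that roster is flagged. The log lines, the roster, the field names and the action names are all constructed for the example and do not correspond to any vendor's audit format.

```python
"""Added example: audit-log review for EHR snooping.

Flags PHI accesses (chart or result views) by users who had no documented
treatment or operations relationship with the patient. All data below is
constructed sample data; the column names are assumptions, not a real
EHR vendor's audit schema.
"""
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample audit log: one row per access event.
SAMPLE_LOG = """\
timestamp,user,role,action,patient_id
2019-01-29T02:14:00,dr_ortiz,physician,CHART_VIEW,P-1001
2019-01-29T02:20:00,nurse_kim,nurse,CHART_VIEW,P-1001
2019-01-29T09:05:00,clerk_lee,registration,PATIENT_SEARCH,P-1001
2019-01-29T09:06:00,clerk_lee,registration,CHART_VIEW,P-1001
2019-01-30T11:40:00,tech_raj,lab_tech,RESULT_VIEW,P-1001
2019-01-30T12:00:00,dr_ortiz,physician,CHART_VIEW,P-2002
2019-01-30T12:30:00,nurse_kim,nurse,CHART_VIEW,P-2002
2019-02-01T08:00:00,admin_pat,billing,CHART_VIEW,P-1001
"""

# Constructed care-team roster: users with a legitimate relationship to
# each patient during the review window (in practice this comes from the
# scheduling, admission and order systems, not from the audit log itself).
CARE_TEAM = {
    "P-1001": {"dr_ortiz", "nurse_kim", "tech_raj"},
    "P-2002": {"dr_ortiz", "nurse_kim"},
}

# Actions that actually expose PHI. A name search on its own is a weaker
# signal and is deliberately not flagged here.
PHI_ACTIONS = {"CHART_VIEW", "RESULT_VIEW"}


def parse_log(text):
    """Parse the CSV audit export into a list of row dicts."""
    return list(csv.DictReader(StringIO(text)))


def flag_unauthorized_access(rows, care_team, watchlist=None):
    """Return {user: [events]} for PHI accesses with no care-team relationship.

    If `watchlist` (a set of patient ids) is given, only those patients are
    reviewed, which mirrors a targeted review of one high-profile record.
    """
    findings = defaultdict(list)
    for row in rows:
        pid = row["patient_id"]
        if watchlist is not None and pid not in watchlist:
            continue
        if row["action"] not in PHI_ACTIONS:
            continue
        if row["user"] not in care_team.get(pid, set()):
            findings[row["user"]].append(row)
    return dict(findings)


def summarize(findings):
    """Per-user count of flagged events, highest count first, then by name."""
    counts = ((user, len(events)) for user, events in findings.items())
    return sorted(counts, key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    flagged = flag_unauthorized_access(rows, CARE_TEAM, watchlist={"P-1001"})
    for user, n in summarize(flagged):
        print(f"{user}: {n} PHI access event(s) on the watched patient with no care relationship")
```

On the constructed data the review flags `clerk_lee` (a registration clerk who opened the chart after searching for the name) and `admin_pat` (billing staff with no relationship to the patient), while the physician, nurse and lab technician on the care team are not flagged. The same function with no watchlist reviews every patient in the log, which is how a routine periodic audit rather than an incident-driven one would run it.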

The post ‘Dozens’ of Northwestern Memorial Hospital Employees Fired for Accessing Jussie Smollett’s Medical Records appeared first on HIPAA Journal.

Covenant Care Email Account Breach Impacts 7,858 Patients

The Aliso Viejo, CA-based provider of residential care and skilled nursing facilities, Covenant Care, has discovered an unauthorized individual gained access to an employee’s email account and may have viewed or obtained the protected health information of 7,858 patients.

On January 29, 2019, suspicious activity was detected in relation to the employee’s email account. Third-party forensics investigators were called in to help determine the nature and scale of the breach. The investigation revealed the email account was compromised on January 22, 2019. Access remained possible until the account was secured on January 29.

A review of the compromised email account was completed on February 13, 2019 and confirmed that during the time that the account was accessible, emails and email attachments could have been opened. An analysis of the messages revealed they contained patient information.

The information on each patient varied from individual to individual and may have included full name, date of birth, Social Security number, health insurance claim number, medical record number, diagnoses, provider(s) name, treatment location(s), Medicare covered days, Medicare billing amounts, admission and re-admission dates, dates of service, discharge dates, and information related to medical equipment, home health services, outpatient services, and hospice services.

At the time of issuing notifications, no evidence had been uncovered to suggest any patient information was accessed, stolen, or misused; however, out of an abundance of caution, patients were notified and have been offered 12 months of credit monitoring and identity theft restoration services at no charge. Notifications started to be sent on March 6, 2019.

Covenant Care reports that strict security safeguards had been implemented prior to the breach and that further controls will be put in place to increase email security. All technical, administrative, and physical safeguards are being reviewed to identify any further areas where improvements can be made, and employees will be provided with further training on email security and security awareness in general.

The post Covenant Care Email Account Breach Impacts 7,858 Patients appeared first on HIPAA Journal.

Beazley Report Reveals Major Increase in Healthcare Hacking and Malware Incidents

The latest Beazley Breach Insights Report confirms healthcare is the most targeted industry sector, accounting for 41% of all breaches reported to Beazley Breach Response (BBR) Services.

Across all industry sectors, hacking and malware attacks were the most common cause of breaches and accounted for 47% of all incidents, followed by accidental disclosures of sensitive data (20%), insider breaches (8%), portable device loss/theft (6%), and the loss of physical records (5%).

Hacking/malware incidents have increased significantly since 2017, which BBR notes is largely due to a 133% increase in business email compromise (BEC) attacks. Accidental disclosure incidents fell across all industries and insider breaches remained at a similar level to 2017.

While hacking/malware incidents were the main cause of breaches in all other industry sectors, in healthcare they were on a par with accidental disclosures of protected health information, each accounting for 31% of reported breaches.

Insider data breaches were significantly higher than other industry sectors and accounted for 17% of all reported healthcare breaches. 8% of reported healthcare data breaches involved the loss of physical records, 6% were portable device incidents, and 3% were social engineering attacks. 4% of breaches were not categorized.

Hacking/malware incidents increased by 55% in 2018 and accidental disclosures fell by almost 28%. As with other industry sectors, healthcare saw a major increase in BEC attacks.

The February report drew attention to the risk of BEC attacks – the compromise of a company email account, which is then used to conduct phishing and social engineering attacks on other employees in the organization and on business contacts. These scams are often conducted with the aim of obtaining sensitive information such as W-2 form data, or of tricking employees into making fraudulent wire transfers.

Beazley also drew attention to an increase in sextortion scams. One of the most common scams involves sending emails to employees claiming malware has been installed on their work computer which has recorded footage of them while they accessed adult websites. The hacker threatens to send a video containing webcam footage spliced with screen grabs of the websites that were being viewed at the time to the victim’s contacts.

These scams are conducted to extort money but also to install malware. Zip files attached to emails claim to include a copy of the video. Opening and executing the attachment triggers the download of information stealers and GandCrab ransomware.

Beazley reports that the sextortion cases its BBR Services team has dealt with contained empty threats, although some clients experienced malware infections as a result of opening the attached files.

The post Beazley Report Reveals Major Increase in Healthcare Hacking and Malware Incidents appeared first on HIPAA Journal.

Ransomware Attack Impacts 400,000 Patients of Columbia Surgical Specialists of Spokane

A ransomware attack on Columbia Surgical Specialists of Spokane in Washington has potentially allowed unauthorized individuals to access the protected health information of up to 400,000 patients.

The security breach was reported to the Department of Health and Human Services’ Office for Civil Rights on February 18, 2019 and is listed as a hacking/IT incident affecting a network server.

No breach notice has been published on the healthcare provider’s website at the time of writing, so little is known about the nature and extent of the attack. However, HIPAA Journal has learned that this was a ransomware incident that occurred on January 7, 2019.

The files encrypted by the ransomware are being recovered from backups and no ransom has been paid. Notifications will be sent to patients in due course.

Further information on the Columbia Surgical Specialists of Spokane breach will be posted here as and when it becomes available.

Mary Free Bed Rehabilitation Hospital Breach Impacts 4,755 Patients

Mary Free Bed Rehabilitation Hospital in Grand Rapids, MI, has announced that 4,755 patients have had some of their protected health information exposed as a result of a ransomware attack on its billing service provider, Wolverine Solutions Group.

Wolverine Solutions Group experienced a ransomware attack on September 25, 2018, although the hospital only learned the names of the patients whose PHI may have been compromised on February 6, 2019. Some healthcare clients were notified as early as November that their patients had been impacted by the breach, but due to the ongoing file recovery process it has taken some time to determine all of the patients that have been affected. Wolverine Solutions has been issuing notifications based on rolling discovery dates.

The attack affected Wolverine Solutions’ systems which contained names, addresses, billing numbers, and insurance providers’ names. Around one quarter of affected Mary Free Bed patients also had their Social Security number exposed.

While PHI could have potentially been viewed, Wolverine Solutions Group believes the attack was conducted with the sole purpose of obtaining a ransom payment. However, since data access/theft could not be ruled out, Wolverine Solutions Group has offered affected individuals 12 months of credit monitoring and identity repair services without charge.

All Mary Free Bed Rehabilitation Hospital patients affected by the breach were sent notification letters by Wolverine Solutions on March 4, 2019.

The post Ransomware Attack Impacts 400,000 Patients of Columbia Surgical Specialists of Spokane appeared first on HIPAA Journal.

Rush University Medical Center Notifies 45,000 Patients of PHI Incident

Rush University Medical Center is notifying approximately 45,000 patients that their PHI has been exposed as a result of a data incident at a financial services vendor. Rush learned of the incident on January 22, 2019.

An employee of the financial services vendor was discovered to have disclosed a file containing patients’ PHI to an unauthorized third party in May 2018. The types of information in the file varied from patient to patient and may have included names, home addresses, dates of birth, health insurance information, and Social Security numbers. No health information was contained in the file and financial data was not exposed.

Rush conducted an investigation into the breach and while no evidence was found to suggest patient information had been misused, affected patients have been offered membership to the Experian IdentityWorks Credit 3B service to protect against identity theft and fraud as a precaution.

Affected patients have been advised to monitor their financial accounts and explanation of benefits statements from their insurers for any sign of fraudulent activity. All affected patients were notified of the breach by mail on February 25, 2019.

After discovering the breach, Rush suspended its contract with the financial services vendor and the incident has been reported to law enforcement. Steps have now been taken to prevent similar breaches from occurring in the future, including increasing oversight of service vendors, and reviewing and enhancing internal policies, processes, and procedures for contracting third-party firms.

This is the second privacy breach to be reported by Rush in 2019. In February, patients were sent letters to inform them about the retirement of a nurse practitioner at its Epilepsy Center; however, an error in the mailing resulted in 908 letters being sent to incorrect recipients.

The post Rush University Medical Center Notifies 45,000 Patients of PHI Incident appeared first on HIPAA Journal.

St. Francis Physicians Services Notifies Patients of Milestone Family Medicine Data Breach

Bon Secours St. Francis Health System is notifying patients of a security breach that may have resulted in some of their protected health information (PHI) being viewed/obtained by unauthorized individuals who gained access to the systems of Milestone Family Medicine in Greenville, SC.

Milestone Family Medicine was affiliated with St. Francis Physicians Services (SFPS) until February 24, 2019, and had previously employed physicians at the practice. SFPS learned of a security breach at the practice on January 4, 2019 and took steps to secure systems and prevent further unauthorized access. An investigation was launched and, assisted by a third-party computer forensics firm, SFPS determined that one of the servers that was accessed included the PHI of certain patients.

The attack appears to have targeted EHR systems that were accessible over the Internet. Internet connections providing access to Milestone Family Medicine systems that are not actively being used have been shut down.

The types of information that have been compromised include names, addresses, dates of birth, health insurance information, Social Security numbers, and information related to the medical services provided to patients.

The breach was limited to patients who had previously received medical services at Milestone Family Medicine. Breach notification letters are now being sent to affected individuals and SFPS has offered complimentary credit monitoring and identity theft protection services.

While data theft was possible, no reports have been received to indicate any patients’ PHI has been misused. Affected patients have been advised to monitor their accounts and explanation of benefits statements for indicators of fraudulent activity.

SFPS has said technology management and information security risk oversight are being enhanced to prevent any further breaches of PHI and that the decision to end the affiliation with Milestone Family Medicine was not related to the breach.

The incident has yet to appear on the Department of Health and Human Services’ Office for Civil Rights website, so it is currently unclear exactly how many Milestone Family Medicine patients have been affected by the breach.

Patient Records Potentially Accessed During Rocky Boy Health Center Break-in

Patients’ health records have potentially been compromised during a break-in at the offices of Rocky Boy Health Center in Box Elder, MT. The health center discovered the break-in on January 16, 2019. Thieves are believed to have gained entry to the property on or around January 14 by forcing the door lock and padlock.

The offices contained X-ray and dental records dating back to the 1990s. The records contained PHI such as names, diagnosis codes, and Social Security numbers.

The break-in was reported to law enforcement and all records stored at the offices have been removed and scanned into the electronic medical record system. The physical records have now been shredded.

The records of 971 patients were stored at the offices. All affected individuals have now been notified.

The post St. Francis Physicians Services Notifies Patients of Milestone Family Medicine Data Breach appeared first on HIPAA Journal.

January 2019 Healthcare Data Breach Report

After a relatively quiet month for healthcare data breaches, breach numbers rose to more typical levels and were reported at a rate of more than one per day. There were 33 healthcare data breaches reported in January 2019.

[Chart: Healthcare Data Breaches January 2019 - Month]

January was the second successive month in which the number of individuals impacted by healthcare data breaches fell. January’s healthcare data breaches saw 490,937 healthcare records exposed, stolen, or impermissibly disclosed.

[Chart: Healthcare Data Breaches January 2019 - Records Exposed]

Largest Healthcare Data Breaches in January 2019

| Rank | Name of Covered Entity | Covered Entity Type | Individuals Affected | Type of Breach |
|---|---|---|---|---|
| 1 | Centerstone Insurance and Financial Services (BenefitMall) | Business Associate | 111,589 | Hacking/IT Incident |
| 2 | Las Colinas Orthopedic Surgery & Sports Medicine, PA | Healthcare Provider | 76,000 | Theft |
| 3 | Valley Hope Association | Healthcare Provider | 70,799 | Hacking/IT Incident |
| 4 | Roper St. Francis Healthcare | Healthcare Provider | 35,253 | Hacking/IT Incident |
| 5 | Managed Health Services | Health Plan | 31,300 | Hacking/IT Incident |
| 6 | EyeSouth Partners | Business Associate | 24,113 | Hacking/IT Incident |
| 7 | Dr. DeLuca Dr. Marciano & Associates, P.C. | Healthcare Provider | 23,578 | Hacking/IT Incident |
| 8 | Critical Care, Pulmonary and Sleep Associates, PLLP | Healthcare Provider | 23,377 | Hacking/IT Incident |
| 9 | Valley Professionals Community Health Center | Healthcare Provider | 12,029 | Hacking/IT Incident |
| 10 | Cambridge Healthcare Services, LLC | Business Associate | 10,866 | Theft |

Causes of January 2019 Healthcare Data Breaches

Hacking and other IT security incidents such as ransomware and malware attacks were the biggest cause of healthcare data breaches in January 2019, accounting for 51.52% of the month’s data breaches (17 incidents) and the largest reported breach of the month. Hacking/IT incidents also accounted for the most breached records: 74.07% of all breached records in January (363,631 records).

[Chart: Healthcare Data Breaches January 2019 - Causes]

Unauthorized access and impermissible disclosure incidents were in second place with 10 incidents (30.30%), although they involved only a small percentage of the month’s breached records – 19,500 or 3.97% of the month’s total.

There were 5 theft incidents reported in January which involved the protected health information of 106,006 individuals – 21.59% of the records exposed in January – and one improper disposal incident that saw 1,800 paper records accidentally discarded with regular trash.

Location of Breached Protected Health Information

Healthcare organizations are still having difficulty preventing phishing attacks and other email-related breaches. As has been the case in the past few months, email-related data breaches have dominated the breach reports. Most of the email breaches in January were due to phishing attacks.

51.52% of healthcare data breaches in January 2019 involved PHI stored in emails and email attachments (17 incidents). Physical PHI, such as paper records, charts, and films was exposed in 15.15% of breaches in January (5 incidents).

[Chart: Healthcare Data Breaches January 2019 - Location of PHI]

Healthcare Data Breaches by Covered Entity Type

Healthcare providers were the worst affected by healthcare data breaches in January 2019 with 20 reported incidents, six of which ranked in the top ten breaches of the month.

8 health plans reported breaches in January and there were five breaches reported by business associates of HIPAA-covered entities, including the largest data breach of the month. A further 6 data breaches had some business associate involvement but were reported by the HIPAA-covered entity.

[Chart: Healthcare Data Breaches January 2019 - By Covered Entity]

Healthcare Data Breaches by State

HIPAA covered entities and business associates based in 20 different states reported healthcare data breaches in January 2019. The worst affected state was Texas with four reported breaches. Georgia, Indiana, and Kentucky each had 3 breaches in January, and there were two breaches reported in each of California, Connecticut, Florida, and Kansas.

Colorado, Illinois, Michigan, Minnesota, North Carolina, Nebraska, New Jersey, Pennsylvania, Rhode Island, South Carolina, Tennessee, and Washington each experienced one healthcare data breach in January.

Penalties for Noncompliance and HIPAA Violations

The Department of Health and Human Services’ Office for Civil Rights (OCR) did not issue any financial penalties in January 2019 or agree to any settlements to resolve HIPAA violations; however, OCR did announce in late January that a further settlement had been agreed with a HIPAA covered entity in December 2018 – too late for inclusion in our December 2018 Healthcare Data Breach Report.

In December 2018, Cottage Health agreed to settle its HIPAA violation case with OCR for $3,000,000. OCR investigated Cottage Health over two breaches experienced in 2013 and 2015 which saw the protected health information of 62,500 patients exposed online.

OCR also announced that 2018 had been a record year for HIPAA enforcement. OCR’s HIPAA fines and settlements totaled $28,683,400 in 2018, beating the previous record of $23,505,300 set in 2016 by 22%. 2018 also saw the largest ever HIPAA settlement agreed. Anthem Inc. agreed to pay OCR $16,000,000 to resolve HIPAA violations discovered during the investigation of its 78.8 million-record data breach of 2015.

OCR closed out 2018 with 10 settlements to resolve HIPAA violations and one civil monetary penalty, beating last year’s total by one.

There was one HIPAA violation case closed by a state attorney general in January 2019. The California Attorney General agreed to settle a case with health insurer Aetna for $935,000. The financial penalty resolved violations of HIPAA and state laws that contributed to the impermissible disclosure of plan members’ PHI. In two separate 2017 mailings, PHI was visible through the windows of envelopes. One mailing was sent to individuals who had been diagnosed with AFib, and the other to patients who were receiving HIV medications. The impermissible disclosures affected 1,991 California residents.

This was the sixth state attorney general financial penalty Aetna has agreed to pay in relation to the mailing errors. In 2018, Aetna settled cases with New York, New Jersey, Washington, Connecticut, and the District of Columbia. The latest financial penalty brings the total financial penalties over the HIPAA violations to $2,725,172.

The post January 2019 Healthcare Data Breach Report appeared first on HIPAA Journal.