HIPAA Breach News

Metrocare Services Suffers Second Phishing Attack in Two Months

Metrocare Services, a provider of mental health services in North Texas, has experienced a phishing attack which saw the email accounts of several employees accessed by an unauthorized individual.

The breach was detected on February 6, 2019 and the affected email accounts were rapidly blocked to prevent further access. The investigation revealed the accounts were first compromised in January 2019.

An analysis of the affected accounts revealed they contained the protected health information of 5,290 patients. Patients were notified on April 5, 2019 that the following information could potentially have been accessed as a result of the attack: Name, date of birth, driver’s license information, health insurance information, health information related to the services provided by Metrocare, and for certain patients, Social Security numbers.

The breach investigation did not uncover any evidence to suggest emails containing ePHI had been accessed or copied, but ePHI access and theft could not be ruled out. Individuals whose Social Security number was exposed have been offered free access to identity theft protection and credit monitoring services for 12 months.

In response to the breach, Metrocare Services will be implementing additional security measures and will be strengthening the security of its email system. Multifactor authentication will also be implemented to prevent accounts from being accessed in the event that credentials are compromised in future attacks.

This is not the first phishing attack that Metrocare Services has experienced. Two months previously, in November 2018, the PHI of 1,800 patients was compromised in a similar attack. After that attack Metrocare Services said it was strengthening the security of its email system and had provided additional training to employees to help them identify potential phishing attacks.

Those measures were clearly not sufficient to prevent further attacks. Had multifactor authentication been implemented after the first phishing attack, the second, larger breach could potentially have been prevented.

The post Metrocare Services Suffers Second Phishing Attack in Two Months appeared first on HIPAA Journal.

Health Recovery Services Notifies 20,485 Patients About Potential PHI Breach

Health Recovery Services, an Athens, OH-based provider of alcohol and drug addiction services, is notifying 20,485 patients that some of their protected health information may have been accessed by an unauthorized individual.

On February 5, 2019, Health Recovery Services discovered an unauthorized IP address had remotely accessed its computer network. Network and information systems were taken offline to prevent further access and a forensic expert was retained to conduct an investigation to determine the nature and scope of the breach.

On March 15, 2019, the forensic investigator determined that the IP address first accessed the network on November 14, 2018 and access remained possible until February 5. No evidence was uncovered to suggest any patient information was accessed or copied, although the possibility of data access and theft could not be totally ruled out. Patients whose protected health information was exposed have been notified by mail ‘out of an abundance of caution’.

The types of patient information contained in files on the compromised server included names, addresses, contact telephone numbers, and dates of birth. Patients who received treatment at Health Recovery Services after 2014 also had medical information, health insurance information, diagnoses, treatment information, and Social Security numbers exposed.

Health Recovery Services rebuilt its entire network to ensure the intruder no longer had access and that no malicious code remained. Policies, procedures, and cybersecurity measures were reviewed and will be enhanced to prevent further data breaches. Steps will also be taken to limit the harm that can be caused should a further network server breach be experienced in the future.

March 2019 Healthcare Data Breach Report

In March 2019, healthcare data breaches continued to be reported at a rate of almost one a day. 30 healthcare data breaches were reported to the HHS’ Office for Civil Rights by HIPAA-covered entities and their business associates. The March total is 11% higher than the average of the past 60 months.

[Figure: Healthcare data breaches by month]

The number of reported breaches fell by 6.67% month over month and there was a 58% decrease in the number of breached healthcare records. March saw the healthcare records of 883,759 individuals exposed, impermissibly disclosed, or stolen as a result of healthcare data breaches.

[Figure: Healthcare records exposed by month]

Causes of March 2019 Healthcare Data Breaches

The HHS’ Office for Civil Rights groups together hacking and other IT incidents such as malware and ransomware attacks. This category dominated the breach reports in March with 19 incidents reported. Hacking/IT incidents accounted for 83.69% of all compromised records (739,635 records).

There were 8 unauthorized access/disclosure incidents reported in March. 81,904 healthcare records were impermissibly accessed or disclosed. There were also four theft incidents reported, which involved a total of 23,960 records.

The biggest data breach was reported by Navicent Health: a phishing attack in which the records of 278,016 patients were potentially accessed and copied by the attackers. A similarly sized data breach was reported by ZOLL Services, which impacted 277,319 individuals. The ZOLL Services breach occurred at one of its business associates: its email archiving company accidentally removed protections from a network server, leaving the data exposed. It is unclear whether those records were accessed by unauthorized individuals during the time the information was accessible.

[Figure: Causes of March 2019 healthcare data breaches]

Largest Healthcare Data Breaches Reported in March 2019

Rank | Name of Covered Entity | Covered Entity Type | Individuals Affected | Type of Breach | Location of Breached Information
1 | Navicent Health, Inc. | Healthcare Provider | 278,016 | Hacking/IT Incident | Email
2 | ZOLL Services LLC | Healthcare Provider | 277,319 | Hacking/IT Incident | Network Server
3 | LCP Transportation, Inc | Business Associate | 54,528 | Unauthorized Access/Disclosure | Email
4 | Superior Dental Care Alliance | Business Associate | 38,260 | Hacking/IT Incident | Email
5 | Superior Dental Care | Health Plan | 38,260 | Hacking/IT Incident | Email
6 | St. Francis Physician Services | Healthcare Provider | 32,178 | Hacking/IT Incident | Network Server
7 | Palmetto Health | Healthcare Provider | 23,811 | Hacking/IT Incident | Email
8 | Gulfport Anesthesia Services, PA | Healthcare Provider | 20,000 | Theft | Other
9 | Women’s Health USA, Inc. | Business Associate | 17,531 | Hacking/IT Incident | Desktop Computer, Email
10 | Verity Medical Foundation | Healthcare Provider | 14,894 | Hacking/IT Incident | Email

Location of Breached Protected Health Information

Email incidents dominated the March 2019 healthcare data breach reports, with 12 incidents reported that involved ePHI stored in emails and/or email attachments. The vast majority of those email breaches were phishing attacks. There were 7 hacking/IT incidents involving network servers: a combination of ransomware attacks, hacks, and the accidental deactivation of security solutions.

[Figure: Causes of March 2019 healthcare data breaches]

March 2019 Healthcare Data Breaches by Covered Entity

Healthcare providers reported the most healthcare data breaches in March, with 21 reported incidents. 4 breaches were reported by health plans and 5 data breaches were reported by HIPAA business associates. A further three breaches had some business associate involvement.

[Figure: March 2019 healthcare data breaches by covered entity type]

Healthcare Data Breaches by State

Healthcare organizations/business associates based in 18 states reported data breaches in March 2019. Three data breaches were reported in each of California, Ohio, and Pennsylvania. Two breaches were reported in each of Arizona, Idaho, Maryland, Massachusetts, Minnesota, Oregon, and South Carolina. One breach was reported in each of Arizona, Connecticut, Florida, Georgia, Indiana, Mississippi, New York, and Oklahoma.

HIPAA Enforcement in March 2019

The HHS’ Office for Civil Rights did not announce any fines or settlements in March 2019; however, the Texas Department of Aging and Disability Services has agreed to a financial penalty over a 2015 data breach.

Texas approved a settlement of $1.6 million to resolve alleged HIPAA violations discovered during the investigation of an 8-year data breach that was reported in June 2015. OCR has yet to confirm the settlement publicly.

There were no HIPAA-related financial penalties agreed with state attorneys general in March 2019.

Minnesota DHS Suffers Another Phishing Attack: State IT Services Struggling to Cope with Barrage of Attacks

The Minnesota Department of Human Services (DHS) has discovered another employee email account has been compromised as a result of a phishing attack. The latest incident has only just been reported, although the breach occurred on or before March 26, 2018.

Three Phishing Attacks: 31,800 Records Exposed

The breach is in addition to two other phishing attacks that saw email accounts compromised in June and July of 2018. Those attacks were announced in October 2018 and resulted in the exposure of 20,800 Minnesotans’ PHI. The March 26 email account compromise saw the PHI of 11,000 Minnesotans exposed.

The March phishing attack allowed the attacker to gain access to the email account of an employee of the Direct Care and Treatment administration. Emails were then sent from that account to co-workers requesting that wire transfers be made. The email requests were flagged as suspicious and were reported to MNIT, which secured the account. No wire transfers were made.

During the time that the account was accessible, the attacker potentially accessed emails in the account which included protected health information. MNIT was unable to determine whether any PHI had been viewed or copied. The account contained information such as names, contact information, dates of birth, treatment data, legal histories, and two Social Security numbers. No reports of misuse of PHI have been received.

Minnesota IT Services (MNIT) reported the breach to the FBI and, on April 9, 2019, DHS notified the Department of Health and Human Services’ Office for Civil Rights, the Office of the Legislative Auditor, credit reporting agencies, the media, and state senate and house representatives. Individual notices have also been sent to all individuals affected by the breach.

After being notified about the breach, DHS hired a contractor to assess the contents of the email account to check for protected health information. Due to the number of emails in the account, that process took some time to complete. DHS says the account review was completed on March 21, 2019.

It is unclear from the DHS breach notification letter when the breach was discovered. DHS said MNIT provided details of the breach investigation on February 15, 2019. While breach notifications were issued to affected individuals within 60 days of DHS discovering the breach, in compliance with HIPAA, there was a major delay in the breach being reported to DHS by MNIT.

It took four months before notifications were issued to alert individuals about the previous two phishing attacks, and more than a year for individuals affected by this phishing attack to be notified.

State Government Agencies Suffer 700 Security Incidents in 10 Months

A senate hearing took place in October last year following the announcement of the other two phishing attacks. At the hearing it was made clear that MNIT was simply not prepared for the volume of cyberattacks and lacked the resources to deal with them.

MNIT explained at the hearing that more than 700 security incidents involving state government agencies had to be dealt with by MNIT up to October 2018, including 150 phishing attacks. On average, state employees were sent 22 phishing emails a day.

Up to October, the state government had experienced 80 cyberattacks that required manual analysis and 240 sets of employee credentials had been compromised. At the hearing, MNIT CISO Aaron Call explained that “the frequency and profitability of attacks are increasing, and the cybercriminals are getting more funding.”

Since receiving notification about the latest breach, DHS has implemented additional security measures to prevent further phishing attacks. These include a tool that blocks links and email attachments in emails sent to state employees. DHS says the tool would have prevented this and past breaches from occurring.

Policies and procedures have also been revised at DHS and MNIT has said it is now immediately reporting breaches to agency data practices or privacy staff to allow them to analyze the incidents to determine whether data have been exploited. DHS has said it is continuing to provide employees with training to help them identify increasingly sophisticated cyberattacks against DHS.

PHI of 17,531 Patients Potentially Compromised in Business Associate Phishing Attack

Women’s Health USA Inc., an Avon, CT-based business associate that provides a range of practice management services to healthcare organizations, has experienced a phishing attack that has resulted in the exposure of patients’ protected health information.

An investigation was launched following the discovery of suspicious activity within certain employee email accounts. The affected email accounts were secured, and a leading cybersecurity firm was engaged to assist with the investigation and determine the nature and extent of the breach.

The investigation confirmed that the email accounts of two employees had been accessed by unauthorized individuals as a result of the employees responding to phishing emails and disclosing their email credentials. The first email account breach occurred on April 5, 2018 and the second account was breached on August 13, 2018.

A review of the emails and email attachments in the accounts revealed they contained a limited amount of protected health information. The exposed information varied from patient to patient but may have included name, date of birth, Medicare Health Insurance Claim Number (HICN), health insurance policy number, diagnosis information, treatment information, and Social Security number.

Women’s Health USA notified all affected healthcare provider clients about the breach on March 15, 2019 and started sending breach notification letters to all affected patients on March 29, 2019.

All employees have been provided with further training to help them identify phishing emails and to improve awareness of other cybersecurity issues. Additional security measures have also been implemented to enhance email security.

The phishing attack and data breach has been reported to the Department of Health and Human Services’ Office for Civil Rights. The breach summary indicates 17,531 patients were affected by the breach.

PHI of 23,811 Palmetto Health Patients Exposed in Phishing Attack

Palmetto Health, now Prisma Health, has experienced a phishing attack that has resulted in several email accounts being accessed by unauthorized individuals.

Emails were sent to Palmetto Health employees which contained a malicious hyperlink. When the link in the emails was clicked, employees were directed to a realistic-looking web page where they were required to enter their email credentials. Doing so disclosed those credentials to the attackers, who used them to gain access to the email accounts.

A third-party computer forensics firm was retained to conduct an investigation into the breach to determine the nature and extent of access and whether any patients’ protected health information had been accessed or obtained.

The forensics firm determined that the first of the email accounts was compromised in November 2018. The review process took some time to complete as emails had to be manually checked to determine whether they contained any protected health information. The review process was completed on February 19, 2019 and revealed the protected health information of 23,811 patients had been exposed.

The exposed information was limited to names and information used by Palmetto Health when providing treatment or consultation. A small percentage of the emails also contained health insurance information, Social Security numbers, and/or financial information.

Palmetto Health believes the aim of the attack was to gain access to payroll information rather than to obtain patient health information. No evidence was uncovered to suggest any patient information was accessed or copied, but data theft could not be ruled out.

Complimentary credit monitoring and identity theft protection services have been offered to all patients whose financial information has potentially been accessed.

Weslaco Regional Rehabilitation Hospital Patients Notified of Phishing Attack

Ernest Health has announced that certain patients who visited the Weslaco Regional Rehabilitation Hospital in Texas have had some of their protected health information exposed as a result of an October 2018 phishing attack.

The exposed information was limited to names, dates of birth, health insurance details, patient care information, driver’s license numbers, and Social Security numbers.

The hospital has notified all affected patients by mail and has offered complimentary credit monitoring and identity theft protection services to all patients whose driver’s license number or Social Security number was exposed.

Staff at the hospital are being provided with further training to help them identify potentially malicious emails.

The breach is not yet listed on the HHS’ Office for Civil Rights breach portal so it is currently unclear exactly how many patients were affected.

12,000 Patients of Baystate Health Notified of PHI Exposure Due to Phishing Attack

Massachusetts-based Baystate Health has experienced a phishing attack that has resulted in the exposure of the protected health information of approximately 12,000 patients.

Several employee email accounts were compromised between February 7 and March 7, 2019. The phishing attacks were identified during the same time frame and in each case, the compromised email accounts were immediately secured. A third-party computer forensics firm was engaged to assist with the investigation.

An analysis of the compromised email accounts revealed they contained patients’ names, dates of birth, diagnoses, treatment information, medications and, in some cases, Social Security numbers, health insurance information, and Medicare numbers.

All patients whose protected health information was potentially accessed as a result of the attack were notified by mail on April 5. Patients whose Social Security number was exposed have been offered one year of credit monitoring and identity theft protection services without charge.

Those services have been offered as a precaution. No evidence has been uncovered to suggest that the individuals behind the phishing attack viewed, copied, or misused patient information.

All patients affected by the breach have been urged to review statements from their providers and explanation of benefits statements from insurers to check that they have not been billed for medical services that have not been received.

Baystate Health performed a forced password reset on all affected accounts and has implemented controls to prevent employee email accounts from being accessed from outside the network unless specifically authorized.

Email logging and log reviews have also been increased to ensure that any future email account breaches are identified rapidly, and additional security awareness training is being provided to employees to help them detect and avoid phishing emails.
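The increased logging and log review Baystate describes is the kind of control that can be automated. The following Python script is an added example written for this page, not Baystate Health's or any vendor's tooling. It runs three checks a mailbox sign-in review commonly applies over a constructed sample log in an assumed line format: a successful sign-in from a country outside the user's baseline, two successes from different countries closer together than travel allows, and a success that follows a burst of failures. The log format, sample lines, per-user baseline and thresholds are all assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in log in a hypothetical format (not from any real system):
# <UTC timestamp> user=<login> ip=<address> country=<ISO 3166 code> result=<success|failure>
SAMPLE_LOG = """\
2019-02-07T08:02:11Z user=jdoe ip=203.0.113.10 country=US result=success
2019-02-07T08:40:55Z user=jdoe ip=203.0.113.10 country=US result=success
2019-02-07T09:15:03Z user=jdoe ip=198.51.100.7 country=NG result=success
2019-02-07T09:17:40Z user=asmith ip=203.0.113.22 country=US result=failure
2019-02-07T09:17:48Z user=asmith ip=203.0.113.22 country=US result=failure
2019-02-07T09:17:55Z user=asmith ip=203.0.113.22 country=US result=failure
2019-02-07T09:18:02Z user=asmith ip=203.0.113.22 country=US result=failure
2019-02-07T09:18:09Z user=asmith ip=203.0.113.22 country=US result=failure
2019-02-07T09:18:30Z user=asmith ip=203.0.113.22 country=US result=success
2019-02-07T10:05:00Z user=bkim ip=203.0.113.40 country=US result=success
"""

# Assumed per-user baseline: countries seen during a clean historical window.
BASELINE = {"jdoe": {"US"}, "asmith": {"US"}, "bkim": {"US"}}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) "
    r"country=(?P<country>[A-Z]{2}) result=(?P<result>success|failure)$"
)


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the assumed format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return events


def detect(events, baseline, travel_window=timedelta(hours=2),
           failure_threshold=5, failure_window=timedelta(minutes=10)):
    """Return one finding dict per suspicious pattern observed for a user."""
    findings = []
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)

    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        successes = [e for e in evs if e["result"] == "success"]

        # Rule 1: successful sign-in from a country absent from the user's baseline.
        for e in successes:
            if e["country"] not in baseline.get(user, set()):
                findings.append({"user": user, "rule": "new_country",
                                 "detail": f"{e['country']} from {e['ip']} at {e['ts']:%H:%M}"})

        # Rule 2: consecutive successes from different countries too close in time to travel.
        for a, b in zip(successes, successes[1:]):
            if a["country"] != b["country"] and b["ts"] - a["ts"] <= travel_window:
                findings.append({"user": user, "rule": "impossible_travel",
                                 "detail": f"{a['country']} -> {b['country']} in {b['ts'] - a['ts']}"})

        # Rule 3: a success preceded by a burst of failures (a guessing attack that worked).
        for i, e in enumerate(evs):
            if e["result"] != "success":
                continue
            recent_failures = [f for f in evs[:i]
                               if f["result"] == "failure" and e["ts"] - f["ts"] <= failure_window]
            if len(recent_failures) >= failure_threshold:
                findings.append({"user": user, "rule": "success_after_failures",
                                 "detail": f"{len(recent_failures)} failures before success at {e['ts']:%H:%M}"})
    return findings


def run(text=SAMPLE_LOG, baseline=BASELINE):
    """Parse the sample log and return the findings list."""
    return detect(parse_log(text), baseline)


if __name__ == "__main__":
    for f in run():
        print(f"{f['user']:8} {f['rule']:24} {f['detail']}")
```

Run as a script it prints one line per finding. In practice the baseline would be built from a clean historical window and the thresholds tuned to the organization's geography and VPN exit points, since a legitimate traveling employee can trip the same rules; the value of the review is that a mailbox compromise surfaces within hours of the first foreign sign-in rather than months later during a forensic investigation.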

The incident has yet to appear on the Department of Health and Human Services’ Office for Civil Rights breach portal, so the exact number of patients affected has not yet been confirmed.

Hardin Memorial Health Cyberattack Results in EHR Downtime

Hardin Memorial Health in Kentucky has experienced a cyberattack which caused disruption to its IT systems and EHR downtime.

The cyberattack started on the evening of Friday April 5. A statement issued by a spokesperson for the health system confirmed that IT systems were disrupted as a result of a security breach. Details of the cyberattack have not yet been released, so it is unclear whether this was a hacking incident or a malware or ransomware attack.

The health system has been working round the clock to restore affected systems and servers. Hardin Memorial Health’s IT team has already brought most IT systems back online and has restored access to its EHR system in some units.

Despite the lack of access to its EHR system, business continued as usual and the hospital did not have to cancel appointments. All 50 of its locations remained open. “At no time during this event has the quality and safety of patient care been affected,” said HMH Vice President and Chief Marketing and Development Officer, Tracee Troutt.

Upon discovery of the security breach, emergency procedures were implemented, and an IT assessment was conducted to determine the nature and extent of the incident. That assessment is ongoing, but most of the issues associated with the attack were resolved within 24 hours.

Extra staff were brought in over the weekend to assist with its remediation efforts and to conduct administrative processes manually until systems could be brought back online.

“A combined team of some 40 internal IT and patient care specialists, complemented by external experts, importantly including our Baptist Health partners, worked over the weekend to resolve issues quickly and is working on the assessment,” said Troutt.

The hospital was well prepared for system downtime. The Hardin Memorial Health IT team regularly tests emergency procedures to make sure they can be implemented quickly and are effective at preventing disruption to patient services. Extra protocols have already been implemented to reinforce system security.

This incident shows that while it may not be possible to prevent all cyberattacks, with tried and tested backup and emergency response plans it is possible to recover from a cyberattack quickly and prevent disruption to patient services.

Emotet Malware Potentially Exfiltrated PHI of Oregon Endodontic Group Patients

Oregon Endodontic Group has discovered malware was installed on an office computer which potentially exfiltrated data contained in the office’s email account.

On November 13, 2018, Oregon Endodontic Group detected suspicious activity within an email account used at its offices.

A third-party forensic firm was engaged to assist with the investigation and identify the nature and scope of the security breach. The firm confirmed that a malware variant called Emotet had been downloaded onto an office computer. Emotet originated as a banking Trojan and includes an email harvesting module capable of exfiltrating messages and contacts from an infected computer’s email client. The computer forensics firm could not confirm whether any email data had been exfiltrated, but the possibility could not be ruled out.

The email account concerned was analyzed to determine whether it contained any protected health information. The analysis was completed on February 11, 2019.

The types of information contained in the account were limited to names along with one or more of the following data elements: date of birth, diagnosis information, treatment information, and health insurance information. 41 individuals had their name and Social Security number exposed; seven individuals had their name and financial information exposed; and two individuals had their name and driver’s license number exposed.

Oregon Endodontic Group has engaged the services of an IT security firm which is assessing security controls and additional protections will be implemented as appropriate to enhance security.

Humana Notifies Members in Texas About Web Portal Breach

Humana has discovered unauthorized individuals have registered on the web portal used by one of its authorized service providers (Availity) and have attempted to obtain eligibility and benefit verification of plan members. The web portal is used by providers to check eligibility and benefits of multiple health plans.

The individuals posed as physician provider groups and potentially obtained a limited amount of plan members’ information between January 15, 2016 and February 14, 2019.

The information potentially accessed was limited to names, Humana ID numbers, benefit information, plan effective dates, and care reminders. As a precaution, affected members have been offered credit monitoring and identity theft protection services and have been advised to monitor their explanation of benefits statements for signs of fraudulent activity. No misuse of PHI has been reported to date.

Humana notes in its breach notification letters that Availity did have policies and procedures in place to protect customer information and controls have now been augmented to prevent similar breaches in the future.

The breach affected 522 Humana members in Texas.
