HIPAA Breach News

1,600 Ohio Patients Notified of Impermissible PHI Disclosure

993 Ohioans who receive benefits from Medicaid or the Ohio Department of Job and Family Services (ODJFS) are being notified that some of their protected health information has been disclosed to unauthorized individuals as a result of a computer error.

Three separate incidents were identified. On February 16, 2019, a computer error caused a limited amount of protected health information (PHI) belonging to 250 users of the Ohio Benefits Self-Service Portal to appear in another user’s account. The error was identified and corrected the same day.

Two further incidents occurred on March 20, 2019. A computer error caused information entered into the Ohio Benefits portal to be saved to incorrect accounts. The computer error has been temporarily fixed and a permanent solution is being developed to prevent any recurrences. As many as 100 individuals were affected.

608 members of ODJFS, 34 recipients of Medicaid benefits, and one individual who received both types of benefits, had some of their PHI mailed to 5 different people as a result of a computer error. The computer error was corrected on March 22, 2019.

In all cases, the privacy breach was limited to names, contact information, dates of birth, case numbers, and claim numbers stored in the Ohio Benefits System. Affected individuals have been offered identity theft protection services for 12 months at no cost as a precaution.

840 University Hospitals Rainbow Babies & Children’s Hospital Patients Notified of Impermissible PHI Disclosure

University Hospitals Rainbow Babies & Children’s Hospital in Cleveland, OH, has discovered that the PHI of 840 patients was accidentally disclosed due to an error made by one of its employees.

The employee sent an email to a group of patients that contained a limited amount of personally identifiable information. The email was sent on February 28, and while information about patients was not detailed in the message, it implied that all individuals to whom the email had been sent suffer from the same medical condition.

The employee should have added the message recipients to the BCC field but made an error and included their email addresses in the ‘To’ field. As a result, the email addresses of all recipients were visible to every other recipient.
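The To/BCC mistake described above is easy to catch before a message leaves the organisation. The following is an added example, not code from HIPAA Journal or the hospital: a pre-send check that refuses a group mailing when more than one external address would be visible in To/Cc, and a rewrite that moves those addresses to Bcc. The domain `hospital.example`, the recipient addresses and the message body are all constructed for the example.

```python
from email.message import EmailMessage
from email.utils import getaddresses

# Domain of the sending organisation; any other address is treated as an
# external (patient) address. Hypothetical value for this example.
OWN_DOMAIN = "hospital.example"


def build_sample_message() -> EmailMessage:
    """Constructed sample: a group notice with every patient in the 'To'
    header, the mistake described in the post. Addresses are invented."""
    msg = EmailMessage()
    msg["From"] = f"clinic-coordinator@{OWN_DOMAIN}"
    msg["To"] = ", ".join(f"patient{i}@mail.example" for i in range(1, 6))
    msg["Subject"] = "Clinic schedule change"
    msg.set_content("The clinic is moving to a new building next month.")
    return msg


def addresses_in(msg: EmailMessage, *headers: str) -> list[str]:
    """Lower-cased addresses found in the named headers (To, Cc, Bcc, ...)."""
    raw = []
    for h in headers:
        raw.extend(str(v) for v in msg.get_all(h, []))
    return [addr.lower() for _, addr in getaddresses(raw) if addr]


def is_external(addr: str) -> bool:
    return not addr.endswith("@" + OWN_DOMAIN)


def audit_group_mailing(msg: EmailMessage, max_visible: int = 1) -> list[str]:
    """Pre-send policy check. Every address in To/Cc is visible to every other
    recipient, so more than `max_visible` external addresses there means the
    mailing would disclose the recipient list (and, as in the post, what the
    recipients have in common). Returns the offending addresses, or an empty
    list when the message may be sent."""
    visible = [a for a in addresses_in(msg, "To", "Cc") if is_external(a)]
    return visible if len(visible) > max_visible else []


def rewrite_to_bcc(msg: EmailMessage) -> EmailMessage:
    """Move external To/Cc recipients into Bcc. Internal colleagues stay in To;
    if none remain, the sender's own address is used so the header is not
    empty. smtplib.send_message() strips the Bcc header before transmission
    and uses it only for the envelope, so recipients never see each other."""
    external = [a for a in addresses_in(msg, "To", "Cc") if is_external(a)]
    if not external:
        return msg
    internal = [a for a in addresses_in(msg, "To", "Cc") if not is_external(a)]
    sender = addresses_in(msg, "From")
    hidden = sorted(set(external + addresses_in(msg, "Bcc")))
    for header in ("To", "Cc", "Bcc"):
        del msg[header]
    msg["To"] = ", ".join(internal or sender)
    msg["Bcc"] = ", ".join(hidden)
    return msg
```

The same check can run as a mail-gateway or mail-client plugin; the threshold of one visible external address is a policy choice, not a fixed rule.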

All individuals affected have been notified of the privacy breach and the hospital has sanctioned the employee “in a manner deemed appropriate for the violation.” The employee has been reeducated on proper mail procedures and further education on patient privacy and HIPAA requirements will be provided to other staff members.

The post 1,600 Ohio Patients Notified of Impermissible PHI Disclosure appeared first on HIPAA Journal.

Phishing Attack Impacts 14,305 Patients of Main Line Endoscopy Centers

Main Line Endoscopy Centers, a network of outpatient endoscopy facilities in the Malvern, Bala Cynwyd, and Media areas of Pennsylvania, has discovered that an unauthorized individual gained access to the email account of one of its employees after the employee responded to a phishing email.

It is not clear exactly when the account was breached, but it was discovered by Main Line on January 30, 2019.

A leading computer forensics firm was retained to assist with the investigation and determine which, if any, emails in the account had been opened and whether any patient information had been compromised. The investigation confirmed that the attackers potentially gained access to the protected health information of certain patients, which included names, dates of birth, and limited clinical information. Some patients also had their Social Security number, driver’s license number, and/or health insurance information exposed.

All patients affected by the breach were sent breach notification letters on March 29, 2019 and individuals whose Social Security number or driver’s license number were exposed have been offered complimentary identity theft protection services for 12 months at no cost.

As a precaution, all individuals affected by the breach have been advised to monitor their accounts, explanation of benefits statements, and credit reports closely for any sign of fraudulent use of their information.

To improve security and prevent further breaches, Main Line has provided further training to all staff to improve email security awareness and alert them to the threat from phishing. Multi-factor authentication has been implemented, along with other security measures, to prevent accounts from being accessed if further credentials are compromised.

The breach has been reported to the Department of Health and Human Services’ Office for Civil Rights. The OCR breach portal indicates 14,305 patients were affected by the breach.


Michigan Practice Forced to Close Following Ransomware Attack

A ransomware attack can prove costly to resolve. That cost was not deemed worth it by one Michigan practice, which has now permanently closed its doors.

The ransomware encrypted the system at Brookside ENT and Hearing Center in Battle Creek, which housed patient records, appointment schedules, and payment information, rendering the data inaccessible.

The attackers claimed to be able to provide a key to unlock the encryption, but in order to obtain the key to decrypt files, a payment of $6,500 was required.

The two owners of the practice, William Scalf, MD and John Bizon, MD, decided not to pay the ransom as there was no guarantee that a valid key would be supplied and, after paying, the attackers could simply demand another payment.

Since no payment was made, the attackers deleted all files on the system, ensuring no information could be recovered. The partners decided to take early retirement rather than rebuild their practice from scratch.

The FBI was alerted to the security incident and explained that this appeared to be an isolated attack. No patient data appeared to have been viewed or accessed prior to files being deleted so there is not believed to be any risk to patients; however, patients who had not obtained copies of their medical records prior to the ransomware attack will have lost all records stored by the practice.

That will naturally come at a cost to some patients, who may have to have medical tests performed for a second time. One patient at the practice told WWMT that her daughter had had surgery and she was attempting to schedule a follow-up appointment when she discovered that her medical records had been lost. She must now visit another provider, but that provider will have no details about the surgical procedure.

The practice will officially close on April 30, 2019. Until then, patients can contact staff at the practice, who will provide referrals.

The incident highlights just how important it is to ensure backups of all data are made. All backups must be tested to ensure they have not been corrupted and file recovery is possible.

A good practice to adopt is the 3:2:1 approach. Create three backup copies, on two different types of media, and store one copy securely off site on an air-gapped device, one that is not networked or accessible over the internet. In the event of a ransomware attack, systems may be taken out of action and computers may need to have software reinstalled, but at least no data will be lost.
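The two requirements above, the 3:2:1 layout and a restore test that proves the copies are intact, can be expressed as one automated check. This is an added example, not code from HIPAA Journal or the practice: it hashes the source records into a manifest at backup time, then verifies every copy against that manifest and reports any policy gap. The directory names, media labels and sample records are constructed; in a real deployment the copies would be separate devices and the manifest would be stored with the offline copy.

```python
import hashlib
import json
import shutil
import tempfile
from dataclasses import dataclass
from pathlib import Path


@dataclass
class BackupCopy:
    path: Path
    media: str      # e.g. "disk", "tape" (hypothetical labels for the example)
    offline: bool   # True when the copy lives on an air-gapped / unplugged device


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(source_dir: Path, manifest: Path) -> dict[str, str]:
    """Hash every file under source_dir at backup time; a later restore test is
    checked against this manifest, not against the (possibly encrypted) source."""
    digests = {str(p.relative_to(source_dir)): sha256_file(p)
               for p in sorted(source_dir.rglob("*")) if p.is_file()}
    manifest.write_text(json.dumps(digests, indent=1))
    return digests


def verify_copy(copy_dir: Path, manifest: dict[str, str]) -> list[str]:
    """Restore test for one copy: report files that are missing or altered."""
    problems = []
    for rel, expected in manifest.items():
        p = copy_dir / rel
        if not p.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_file(p) != expected:
            problems.append(f"corrupt: {rel}")
    return problems


def check_3_2_1(copies: list[BackupCopy], manifest: dict[str, str]) -> list[str]:
    """Policy check from the post: 3 copies, 2 media types, 1 offline, and every
    copy restorable. An empty list means the backup set passes."""
    findings = []
    if len(copies) < 3:
        findings.append(f"only {len(copies)} copies, need 3")
    if len({c.media for c in copies}) < 2:
        findings.append("all copies on one media type, need 2")
    if not any(c.offline for c in copies):
        findings.append("no offline (air-gapped) copy")
    for c in copies:
        for prob in verify_copy(c.path, manifest):
            findings.append(f"{c.media}:{c.path.name} {prob}")
    return findings


def demo() -> tuple[list[str], list[str], list[str]]:
    """Constructed scenario: a 'records' directory backed up three times, a
    policy check of an incomplete set, then one networked copy is overwritten
    (standing in for ransomware encryption) and the check is run again."""
    root = Path(tempfile.mkdtemp())
    src = root / "records"
    src.mkdir()
    (src / "patient-001.txt").write_text("appointment 2019-04-02\n")
    (src / "schedule.csv").write_text("date,patient\n2019-04-02,001\n")
    manifest = write_manifest(src, root / "manifest.json")
    copies = [BackupCopy(root / "nas", "disk", False),
              BackupCopy(root / "tape", "tape", False),
              BackupCopy(root / "offsite", "disk", True)]
    for c in copies:
        shutil.copytree(src, c.path)
    healthy = check_3_2_1(copies, manifest)
    incomplete = check_3_2_1(copies[:2], manifest)   # no offline copy yet
    (copies[0].path / "patient-001.txt").write_bytes(b"\x00encrypted\x00")
    damaged = check_3_2_1(copies, manifest)
    shutil.rmtree(root)
    return healthy, incomplete, damaged
```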


Lawsuit Alleges Sharp Grossmont Hospital Secretly Recorded Patients Having Gynecology Operations

A lawsuit has been filed against Sharp HealthCare and Sharp Grossmont Hospital which alleges the hospital secretly recorded video footage of female patients undressing and having gynaecological examinations performed.

According to the lawsuit, the hospital installed video cameras in three operating rooms as part of an internal investigation into the theft of the anaesthesia drug, propofol, from drug carts. The cameras were actively recording between July 17, 2012 and June 30, 2013 at its facility on Grossmont Center Drive in El Cajon, San Diego.

During the time that the cameras were recording, 1,800 patients were filmed undergoing procedures such as hysterectomies, Caesarean births, dilation and curettage for miscarriages, and other surgical procedures. The motion-activated cameras had been installed on drug carts and continued to record even after motion had stopped.

A spokesperson for Sharp Grossmont Hospital confirmed that three cameras had been installed to ensure patient safety by determining the cause of missing drugs from the carts.

The lawsuit states that, “At times, defendants’ patients had their most sensitive genital areas visible.” The position of the laptop cameras was such that patients’ faces could be seen in the recordings and, as such, patients could be identified from the recordings.

The lawsuit alleges the video recordings could be accessed by multiple individuals including medical and non-medical staff and strangers via desktop computers. Controls had not been implemented to log which users had gained access to the video recordings or why the videos had been viewed.

The plaintiffs allege that many of the computers on which the videos were stored have since been replaced or refreshed and that Sharp has destroyed many of the videos; however, Sharp could not confirm whether those files were securely erased and if they could potentially be recovered.

The lawsuit was originally filed in 2016 but was denied class certification. The case has now been re-filed. 81 women who received surgical procedures in the operating rooms during the period in which the cameras were active have been included in the lawsuit and hundreds more women are expected to join.

The plaintiffs allege their privacy was violated as a result of the unlawful recording of video footage, there was a breach of fiduciary duty, negligent infliction of emotional distress, and that the failure to secure the video footage and ensure it was permanently destroyed amounts to gross negligence.

As a result of the actions of Sharp, “Plaintiffs suffered harm including, but not limited to, suffering, anguish, fright, horror, nervousness, grief, anxiety, worry, shock, humiliation, embarrassment, shame, mortification, hurt feelings, disappointment, depression and feelings of powerlessness,” states the lawsuit.

The plaintiffs are seeking a jury trial.


Security Breaches Reported by DePaul and Southern Hills Eye Care

DePaul, a provider of assisted living facilities and healthcare services in New York, North Carolina, and South Carolina, is alerting certain members of its behavioral health program that some of their protected health information has been exposed as a result of a phishing attack.

The breach was discovered on February 1, 2019 and the account was immediately secured. The investigation into the breach confirmed that a single email account had been compromised as a result of an employee being fooled by a phishing scam. The email account contained approximately 41,000 emails, which needed to be checked to determine whether they contained any sensitive information.

The vast majority of the emails in the account did not contain any significant medical or psychiatric information; however, a small number of emails contained information such as first and last names, dates of birth, and/or Social Security numbers.

The aim of the attack appeared to be to use the compromised email account to send further phishing emails. No evidence was found to suggest the attacker viewed or copied emails containing sensitive information.

Individuals whose Social Security number was potentially compromised have been offered complimentary credit monitoring services for one year. DePaul will be providing staff with additional training to improve resilience to phishing attacks.

The breach has yet to be uploaded to the HHS’ Office for Civil Rights breach portal, so it is currently unclear exactly how many individuals have been affected by the breach.

Southern Hills Eye Care Ransomware Attack Reported

Southern Hills Eye Care in Sioux City, IA, has experienced a security incident which may have resulted in the exposure of patients’ protected health information.

On January 15, 2019, ransomware was installed on a server in its Sioux City offices and files were encrypted. A forensic investigation confirmed that an unauthorized individual had gained access to the server and may have viewed files containing patients’ protected health information. The types of information in the files included names, addresses, dates of birth, phone numbers, health information, health insurance information, and the Social Security numbers of Medicare patients.

While data access was possible, no evidence was uncovered to suggest any patient information was accessed by unauthorized individuals. Additional security controls have now been implemented to prevent any future breaches of this nature.

The breach has yet to appear on the OCR breach portal so it is currently unclear how many patients have been affected. Notifications were sent to affected patients on March 15, 2019.


67,493 Patients of Burrell Behavioral Health Impacted by Business Associate Breach

Burrell Behavioral Health is notifying 67,493 patients that their medical records have been accidentally exposed as a result of an error at an unnamed business associate in August 2018.

The error was introduced into the business associate’s internet-facing portal, which resulted in images of Burrell Behavioral Health patients’ protected health information being exposed. The images contained information such as name, address, telephone number, birth date, gender, dates of service, types of service provided, health insurance information, driver’s license number, and Social Security number.

The exposure of patient data was brought to the attention of Burrell Behavioral Health on January 30, 2019. Burrell Behavioral Health notified its business associate about the data exposure and the server was immediately secured.

A forensic investigation was conducted to determine which information had been exposed and whether it had been subjected to unauthorized access. The investigation revealed that patient information was uploaded to the server in August 2018. No evidence was uncovered to suggest that anyone had accessed the information, nor had automated web crawlers and scanners accessed it. The format of the images was such that it would not have been possible for the information to be accessed through general web browsing or internet searches.

Consequently, the investigators concluded that there is a “very low probability” of unauthorized data access, although, out of an abundance of caution, all patients whose Social Security number has been compromised as a result of the breach have been offered complimentary identity theft monitoring and protection services.

Burrell Behavioral Health has taken steps to prevent any further breaches of this nature from occurring and is working with its business associates to ensure they have adequate technical and administrative safeguards in place to ensure the confidentiality of patient information.


$1.6 Million Settlement Agreed with Texas Department of Aging and Disability Services Over 2015 Data Breach

The Department of Health and Human Services’ Office for Civil Rights has agreed to settle a HIPAA violation case with the Texas Department of Aging and Disability Services (DADS) to resolve HIPAA violations discovered during the investigation of a 2015 data breach that exposed the protected health information of 6,617 Medicaid recipients.

The breach was caused by an error in a web application which made ePHI accessible over the internet for around 8 years. DADS submitted a breach report to OCR on June 11, 2015.

OCR launched an investigation into the breach to determine whether there had been any violation of HIPAA Rules. In July 2015, OCR notified DADS that the investigation had revealed multiple violations of HIPAA Rules.

DADS was deemed to have violated the risk analysis provision of the HIPAA Security Rule – 45 C.F.R. § 164.308(a)(1)(ii)(A) – by failing to conduct a comprehensive, organization-wide risk analysis to identify potential risks to the confidentiality, integrity, and availability of ePHI.

There had also been a failure to implement appropriate technical policies and procedures for systems containing ePHI to only allow authorized individuals to access those systems, in violation of 45 C.F.R. § 164.308(a)(4) and 45 C.F.R. § 164.312(a)(1).

Appropriate hardware, software, and procedural mechanisms to record and examine information system activity had not been implemented, which contributed to the duration of the exposure of ePHI, a violation of 45 C.F.R. § 164.312(b).

As a result of these violations, there was an impermissible disclosure of ePHI, in violation of 45 C.F.R. § 164.502(a).

The severity of the violations warranted a financial penalty and corrective action plan. Both were presented to the State of Texas and DADS was given the opportunity to implement the measures outlined in the CAP to address the vulnerabilities to ePHI.

The functions and resources that were involved in the breach have since been transferred to the Health and Human Services Commission (HHSC), which will ensure the CAP is implemented.

The State of Texas presented a counter proposal for a settlement agreement to OCR under which $1,600,000 will be deducted from sums owed to HHSC by CMS. The settlement releases HHSC from any further actions related to the breach and HHSC has agreed not to contest the settlement or CAP.

The settlement has yet to be announced by OCR, but it has been approved by the 86th Legislature of the State of Texas. This will be the first 2019 HIPAA settlement between OCR and a HIPAA covered entity.


Superior Dental Care Patients Informed of PHI Exposure Due to Email Account Breach

The Centerville, Ohio dental insurance carrier, Superior Dental Care, has discovered an unauthorized individual has gained access to an employee’s email account and potentially viewed the protected health information of certain members.

The email account breach was detected on January 23, 2019 following the identification of suspicious activity within the employee’s email account. The password for the account was immediately changed and further unauthorized access was prevented.

A third-party computer forensics firm was called in to assist with the investigation and determine the nature and scope of the breach.

On February 11, 2019, Superior Dental Care learned that the account had been accessed by an unidentified third party and that the unauthorized access had begun on December 21, 2018.

The email account contained information such as names, addresses, Social Security numbers, medical information, and payment information related to dental services received.

All individuals affected by the breach have now been notified by mail and the breach has been reported to appropriate authorities.

Processes have already been implemented to strengthen system security and Superior Dental Care will continue to work with third-party security experts to better protect members’ personal information.

The incident has yet to appear on the Department of Health and Human Services’ Office for Civil Rights breach portal, so it is unclear exactly how many members have been affected by the breach.

L.A. Care Health Plan Alerts Members to PHI Exposure Due to Mailing Error

L.A. Care Health Plan is alerting some of its members to a privacy breach that saw members’ protected health information accidentally disclosed to other members.

A system error resulted in L.A. Care member ID cards being mismatched and sent to incorrect plan members. In some cases, members received their correct ID card along with the ID cards of other members in the same envelope.

The system error occurred on June 1, 2018 and affected ID card mailings up until January 30, 2019.

The protected health information that was accidentally disclosed was limited to name, phone number, member ID number, medical group name, PCP/Clinic name, and health plan name.

L.A. Care Health Plan has since updated its processes and procedures to reduce the risk of a similar incident occurring in the future.


D.C. Attorney General Proposes Tougher Breach Notification Laws

Washington D.C. Attorney General Karl A. Racine is looking to strengthen data breach notification laws to provide greater protection for D.C. residents when their personal information is exposed in a data breach.

On March 21, 2019, Attorney General Racine introduced the Security Breach Protection Amendment Act, which expands the definition of personal information that warrants notifications to be sent to consumers in the event of a data breach.

Currently, laws in the District of Columbia require breach notifications to be sent if there has been a breach of Social Security numbers, driver’s license numbers, or financial information such as credit and debit card numbers.

If passed, the Security Breach Protection Amendment Act will expand the definition of personal information to include taxpayer ID numbers, genetic information including DNA profiles, biometric information, passport numbers, military identification data, and health insurance information.

Attorney General Racine said one of the main reasons why the update was required was to better protect state residents from breaches similar to the one experienced by Equifax. That breach affected 143 million individuals globally and 350,000 D.C. residents.

Additionally, the Security Breach Protection Amendment Act requires companies that collect, own, license, handle, or otherwise possess the ‘personal information’ of District residents to implement safeguards to ensure personal information remains private and confidential.

The Security Breach Protection Amendment Act also requires companies to explain to consumers the types of information that have been breached and the steps consumers can take to protect their identities, including the right to place a security freeze on their accounts at no cost.

In the event of a breach of Social Security numbers, companies would be required to offer a minimum of two years membership to identity theft protection services free of charge. The D.C. attorney general would also need to be notified about a breach of personal information, although the timescale for doing so is not stated in the bill.

Violations of the Security Breach Protection Amendment Act would be considered a violation of the D.C. Consumer Protection Procedures Act and could attract a significant financial penalty.

This is not the first time that Attorney General Racine has sought to increase protections for consumers in the event of a data breach. A similar bill was introduced in 2017 but it failed to be passed by the D.C. Council.

The Security Breach Protection Amendment Act must first be approved by the Mayor and D.C. Council, then it will be passed to Congress which will have 30 days to complete its review.

The update follows similar amendments that have been proposed in several states and territories over the past few months. While the updates are good news for Americans whose sensitive information is exposed, the current patchwork of state laws can be complicated for businesses, especially those that operate in multiple states.

What is needed is a federal breach notification law that standardizes data breach notification requirements and uses a common definition for ‘personal information’. Such a bill has been proposed in the House and Senate on three occasions in the past three years, but each time it has failed to be passed and signed into law.
