HIPAA Breach News

UConn Health Phishing Attack Sees PHI of 326,000 Patients Exposed

UConn Health is notifying approximately 326,000 patients that some of their personal information has been exposed as a result of a phishing attack on some of its employees.

UConn Health learned about the phishing attack on December 24, 2018. All email accounts were secured, and an internal investigation was launched. The investigation confirmed that multiple email accounts had been accessed by unauthorized individuals.

A third-party computer forensics company was retained to investigate the attack and search for protected health information in emails and email attachments in the compromised accounts. While it was not possible to determine who was responsible for the attack, or whether emails and email attachments in the compromised accounts had been viewed by the attacker(s), PHI access could not be ruled out.

UConn Health explained in its substitute breach notice that no reports have been received to indicate any patient information has been misused.

The majority of individuals affected by the attack were patients. Some employees have also had personal information exposed. Information contained in the compromised email accounts was limited to names, addresses, dates of birth, and some clinical information, such as appointment dates and billing information. Approximately 1,500 Social Security numbers were also potentially compromised.

All patients whose PHI was potentially accessed by the attackers have been notified by mail. Complimentary identity theft protection services have been offered to patients whose Social Security number was exposed.

UConn Health is reviewing its technical controls to prevent phishing attacks and is currently evaluating additional security training platforms to better educate staff on phishing and other cybersecurity threats.

In late January, the University of Connecticut warned students to be alert to the risk of phishing attacks following a spate of spam and phishing emails received by students over the past few months, some of which impersonated the UConn mail service. It is unclear whether the warning was related to the email breach at UConn Health.

The post UConn Health Phishing Attack Sees PHI of 326,000 Patients Exposed appeared first on HIPAA Journal.

Multiple Rutland Regional Medical Center Email Accounts Hacked

Rutland Regional Medical Center in Rutland City, the largest community hospital in the state of Vermont, has discovered hackers have gained access to the email accounts of nine employees and potentially viewed/obtained patients’ protected health information.

On December 21, 2018, an employee of the medical center noticed that their email account had been used to send large quantities of spam emails, and on December 28, 2018, a potential security breach was reported to the medical center’s IT department. On December 31, the IT department determined that the employee’s email account had been remotely accessed by an unauthorized individual.

The account was immediately secured and a third-party forensic expert was called in to conduct an investigation into the breach. While the investigation into the breach is ongoing, the forensics expert concluded on February 6, 2019, that nine email accounts had been compromised between November 2, 2018 and February 6, 2019.

The types of sensitive information in the compromised email accounts included patients’ full names, dates of birth, contact information, patient ID numbers, medical record numbers, financial information, diagnoses, treatment information, Social Security numbers, and health insurance data. The breach was limited to email accounts. The EMR system and other internal systems were unaffected by the breach.

Rutland Regional Medical Center will be sending notification letters to patients whose PHI may have been accessed in due course.

Additional safeguards and security measures will be implemented to further secure patients’ protected health information and improve email security to help prevent further breaches of this nature.

The breach has not yet appeared on the Department of Health and Human Services’ Office for Civil Rights breach portal, so it is currently unclear exactly how many patients have been affected by the breach.


Insider Wrongdoing Breach at Kentucky Counseling Center Impacts 16,440 Patients

Kentucky Counseling Center (KCC) has discovered that a list of 16,440 patients has been stolen and disclosed to another individual. A current employee is suspected of accessing and copying patient information without authorization, uploading the data to an anonymous file sharing service, and subsequently sending a hyperlink to the list to a former employee of KCC.

The former employee received the link to the patient list on January 6, 2019 and reported the privacy breach to KCC.

KCC launched an investigation into the insider breach to determine when the list was obtained and who was responsible. KCC believes the list was downloaded and stolen on December 6, 2018 by a then-current employee of KCC. That person is no longer employed at the Counseling Center.

The motivations behind both HIPAA violations, the unauthorized access and theft of the list and the subsequent impermissible disclosure to a former employee, are unclear. KCC explained in its breach notification letter that there is no reason to believe that the list was taken with the intent of causing harm to patients.

However, due to the nature of the data contained in the list, the decision was taken to offer credit monitoring services to affected patients for 12 months without charge.

The types of information in the list varied from patient to patient and may have included the following data elements: Full name, address, date of birth, phone numbers, gender, marital status, employment status, insurance payor, insurance number, Social Security number, last and next appointment dates, and KCC clinician name.

The measures taken to prevent further incidents such as this from occurring in the future include strengthening passwords and implementing multi-factor authentication on its computer system.

The KCC breach notice does not mention whether the person responsible was fired or left KCC of his/her own accord, or whether the matter has been referred to law enforcement.


PHI of Almost 1 Million UW Medicine Patients Exposed Online

Approximately 974,000 patients of UW Medicine have had their protected health information exposed online due to the accidental removal of protections on a website server. The error resulted in sensitive internal files being indexed by search engines. Internet searches allowed sensitive patient information to be accessed by unauthorized individuals without any need for authentication.

Seattle-based UW Medicine discovered a vulnerability on a website server on December 26, 2018, following a tip-off from a patient who was performing a Google search of their own name.

An investigation was launched to determine how information was exposed, for how long, and how many patients had potentially been affected. UW Medicine determined that an error had been made in the configuration of a database which resulted in internal files being temporarily available over the Internet. The server misconfiguration occurred on December 4, 2019. The incident was attributed to human error. Ironically, the exposed database was used by UW Medicine to keep track of patient health information disclosures.

The error was immediately fixed on December 26 and UW Medicine contacted Google to remove all cached copies of the files from its listings. UW Medicine reports that all cached copies of its files were removed by January 10, 2019.

An analysis of the files revealed they contained patients’ names, medical record numbers, information about with whom UW Medicine had shared patient information, a summary of the reason for the disclosure, and a brief description of the types of information that were shared (demographics, labs, office visits, etc.). In some cases, the name of a health condition was mentioned in relation to a research study and the name of a lab test was included. In the case of the latter, the information may have indicated what the patient was being tested for (e.g., HIV, dementia), but not the result of the test.

No financial information, insurance information, Social Security numbers, detailed health information, or other highly sensitive data could be accessed by unauthorized individuals as a result of the database misconfiguration.

The most common reasons for disclosures mentioned in the database were information shared with Child Protective Services, law enforcement, and public health authorities, and cases in which researchers required access to a patient’s medical records to check if the patient was eligible to take part in a research study.

It has taken some time for UW Medicine to ensure that all information has been secured and to identify the patients impacted by the breach. The incident has now been reported to the HHS’ Office for Civil Rights and all patients are now being sent breach notification letters. UW Medicine cannot confirm how many people accessed the files during the time they were available, but due to the nature of data exposed, the risk of identity theft and fraud is believed to be negligible.

The error has proven costly for UW Medicine. According to Dr. Timothy Dellit, chief medical officer at UW Medicine, the mailing of breach notification letters has cost UW Medicine around $1 million, not including the cost of the investigation and identifying patients impacted by the breach.

The breach has prompted a review of policies and procedures, which have now been updated to prevent similar incidents from occurring in the future.


Patients Receive Notifications of PHI Theft 8 Months After Business Associate Data Breach was Detected

Sharecare Health Data Services (SHDS), a San Diego company that provides secure electronic exchange and medical records management services for healthcare organizations, has alerted some of its clients that hackers gained access to parts of its systems that contained sensitive patient information.

SHDS detected abnormal network activity on June 26, 2018, prompting an in-depth investigation. The investigation revealed hackers gained access to systems containing protected health information as early as May 21, 2018. Access remained possible until June 26, 2018, during which time PHI was accessed and exfiltrated by the hackers to locations outside the U.S.

SHDS engaged the services of cybersecurity firm Mandiant to assist with the forensic investigation of the breach. The breach was also reported to the FBI and SHDS has been assisting with its investigation.

SHDS has since taken steps to enhance security and prevent further breaches. Data retention policies have been revised, maintenance communications and protocols have been improved to ensure continuity across its network, and SHDS has retained a third-party firm to provide 24/7 monitoring of its data systems.

On December 31, 2018, Sharecare Health Data Services alerted at least two healthcare organizations that their data had potentially been accessed as a result of the attack, more than 5 months after the discovery of the breach. No reason for the delayed notification has been offered.

The incident has yet to appear on the Department of Health and Human Services’ Office for Civil Rights’ breach portal, so it is currently unclear exactly how many patients have been affected.

Los Angeles-based healthcare provider AltaMed Health Services Corporation has announced that 5,767 of its patients were affected by the breach. In its breach notice to the California Attorney General, AltaMed said the information obtained by the hackers was limited to names, addresses, birth dates, unique patient ID numbers, addresses where healthcare services were provided, and for some patients, internal SHDS processing notes and medical record numbers. Social Security numbers, financial information, and detailed clinical information were not stolen in the attack. Patients affected by the breach were notified on February 15, 2019 and have been offered 12 months of credit monitoring and identity theft protection services without charge.

The California Physicians’ Service, doing business as Blue Shield of California, has also notified the California Attorney General of the breach. Blue Shield of California members affected by the breach have had the following information stolen: names, addresses, birth dates, Blue Shield ID numbers, addresses where healthcare services were provided, and for some patients, internal SHDS processing notes, medical record numbers, and provider names. Twelve months of credit monitoring and identity theft protection services have also been offered without charge. Those services can be renewed annually for individuals who remain Blue Shield members.

It is currently unclear how many Blue Shield of California members have been affected and whether they are included in the 5,767 AltaMed total.


30,000 Patients Notified of Phishing Incident at Memorial Hospital at Gulfport

Memorial Hospital at Gulfport, MS, is notifying approximately 30,000 patients that some of their protected health information has potentially been accessed by an unauthorized individual as a result of a phishing incident.

Memorial Hospital discovered a breach of an employee’s email account on December 17, 2018. The compromised account was immediately secured and an investigation was launched to determine the extent of the breach.

The investigation revealed the employee responded to a phishing email on December 6, 2018, which gave the attacker access to patients’ protected health information stored in emails and email attachments.

Memorial Hospital reports that the breach was limited to names, dates of birth, health insurance information, and information about medical services received at the hospital. A small number of Social Security numbers were also contained in the compromised email account.

Patients affected by the incident were notified by mail on February 15, 2019. Complimentary credit monitoring services have been offered to all patients whose Social Security numbers were compromised. The investigation is ongoing, and the hospital anticipates notifying additional patients in the coming weeks.

5,524 AZ Plastic Surgery Center Patients Notified of Data Breach

AZ Plastic Surgery Center in Tucson, AZ, is notifying 5,524 patients that some of their PHI may have been accessed by hackers who succeeded in gaining access to its computer system. The breach was discovered on December 10, 2018.

The incident has been reported to both the FBI and local law enforcement and the investigation into the breach is continuing.

AZ Plastic Surgery Center engaged third-party computer experts to determine the nature and scope of the breach. While data access was not confirmed, the possibility could not be ruled out with a high degree of certainty. No reports have been received to suggest any PHI has been misused.

The types of information that were potentially accessed included names, dates of birth, addresses, diagnoses, prescription information, health insurance numbers, and procedure notes. A limited number of Social Security numbers and driver’s license numbers may also have been accessed.

Notification letters were mailed to affected patients on February 8, 2019.

Rush University Medical Center Mailing Error Impacts 908 Patients

Rush University Medical Center in Chicago, IL, has notified 908 patients about a mailing error that resulted in the disclosure of their name to another patient.

Patients were sent notification letters about the retirement of a certified nurse practitioner at the Epilepsy Center.

The medical center learned that some of the letters may have included the name of a different patient. As a result, the letters would have disclosed a patient’s name to one other patient, also revealing that person was a patient of the Epilepsy Center.


16-Month Malware Infection at Florida Pulmonary & Sleep Medicine Center Impacts 42,000 Patients

AdventHealth Medical Group’s Pulmonary & Sleep Medicine in Tavares, FL, formerly known as Lake Pulmonary Critical Care, has discovered hackers gained access to its systems and may have viewed or obtained the protected health information of up to 42,161 patients.

Hackers first gained access to the Pulmonary & Sleep Medicine center’s systems in August 2017 as a result of the installation of malware. The malware infection was not discovered until December 27, 2018.

The malware was removed, its systems were secured, and an investigation was launched to determine the extent of the breach and which patients had been affected.

The investigation revealed the hackers gained access to parts of its system where patients’ protected health information was stored. The information that was potentially accessed included names, addresses, email addresses, telephone numbers, dates of birth, health insurance information, Social Security numbers, medical histories, and the race, gender, weight, and height of patients.

It is unclear how the malware was installed and why it took 16 months to discover the malicious software. AdventHealth has since implemented additional system safeguards to prevent future cyberattacks and has enhanced system audits to ensure that any future breaches are detected more rapidly.

AdventHealth started sending breach notification letters to affected patients on January 25, 2019. All patients whose protected health information was exposed have been offered complimentary credit monitoring, fraud consultation, and identity theft restoration services through Kroll for 12 months. Patients have been advised to monitor their explanation of benefits statements from their insurers for any signs of misuse of their insurance information.


Anesthesia Associates of Kansas City Discovers Theft of Patient Schedules

Paperwork containing patient information has been stolen from an employee of Anesthesia Associates of Kansas City.

The incident occurred on December 14, 2018. The employee had left a bag containing patient schedules in his vehicle. Thieves broke into the vehicle and stole the bag and paperwork.

Anesthesia Associates of Kansas City learned of the incident on December 16, 2018 and launched an investigation to determine what paperwork had been stolen.

It was not possible to determine with a high degree of certainty exactly which schedules were in the stolen bag. Consequently, the decision was taken to issue notification letters to all patients who had undergone surgical treatment between April 4, 2018 and December 14, 2018.

The types of information listed in patient schedules include names, birth dates, types of surgical procedures, dates of surgery, and the name of the surgeon. Schedules do not contain sensitive information such as addresses, Social Security numbers, insurance information, or financial information.

The theft was reported to law enforcement, but neither the bag nor the paperwork has been recovered. All patients whose protected health information was potentially detailed in the patient schedules were informed about the breach by mail on February 1, 2019.

All affected patients have been advised to monitor their accounts and explanation of benefits statements for any sign of fraudulent activity.

The breach report submitted to the Department of Health and Human Services’ Office for Civil Rights indicates up to 3,472 patients’ protected health information may have been compromised.

To prevent further data breaches of this nature in the future, Anesthesia Associates of Kansas City has reinforced its policy of prohibiting the non-essential removal of patient information from its clinics. New policies and procedures have also been developed and implemented to further safeguard patient information when it is necessary to remove it from its facilities.


United Hospital District Phishing Attack Impacts 2,143 Patients

Blue Earth, MN-based United Hospital District has discovered patient information was exposed and potentially accessed by an unauthorized individual as a result of a June 2018 phishing attack.

The phishing incident resulted in the compromise of a single email account, the credentials to which were obtained as a result of an employee responding to a phishing email. The substitute breach notice on the healthcare provider’s website indicates the account was compromised between June 10, 2018 and June 27, 2018.

An in-depth analysis of the compromised account was conducted by third-party cybersecurity professionals who determined on December 12, 2018, that patient information had potentially been accessed. Emails and file attachments in the account were found to contain the protected health information of 2,143 patients.

The types of information contained in the email account varied from patient to patient and may have included names, addresses, internal patient identification numbers, health insurance information and, for a limited number of affected patients, diagnoses, treatment information, and/or Social Security numbers.

While data access was possible, it was not confirmed. No reports have been received that suggest there has been any misuse of patient information.

All patients affected by the breach have been notified by mail. Individuals whose Social Security number was exposed have been offered a free 12-month subscription to credit monitoring and identity theft restoration services.

In response to the breach, additional email security measures have been implemented and employees have been given further security awareness training.
