HIPAA Breach News

2019 Data Breach Barometer Report Shows Massive Increase in Exposed Healthcare Records

Protenus has released its 2019 Breach Barometer report: An analysis of healthcare data breaches reported in 2018.

The data for the report came from Databreaches.net, which tracks data breaches reported in the media as well as breach notifications sent to the Department of Health and Human Services’ Office for Civil Rights and state attorneys general.

The report shows there was a small annual increase in the number of healthcare data breaches but a tripling of the number of healthcare records exposed in data breaches.

According to the report, there were 503 healthcare data breaches reported in 2018, up from 477 in 2017. 2017 was a relatively good year in terms of the number of healthcare records exposed – 5,579,438 – but the number rose to 15,085,302 exposed healthcare records in 2018.

In 2017, March was the worst month of the year in terms of the number of records exposed and there was a general downward trend in exposed records throughout the rest of the year. In 2018, there was a general increase in exposed records as the year progressed. The number of exposed records increased each quarter, from 1,175,804 records in Q1 to 6,281,470 healthcare records in Q4.

The largest data breach of the year was a hacking incident at a business associate of a North Carolina health system. Over the space of a week, the hackers gained access to the health records of 2.65 million individuals.

Healthcare hacking incidents have increased steadily since 2016 and were the biggest cause of breaches in 2018, accounting for 44.22% of all tracked data breaches. There were 222 hacking incidents in 2018 compared to 178 in 2017. Data was only available for 180 of those breaches, which combined, resulted in the theft/exposure of 11,335,514 patient records. The hacking-related breaches in 2017 resulted in the theft/exposure of 3,436,742 records. While it was not possible to categorize many of the hacking incidents due to a lack of data, phishing attacks and ransomware/malware incidents were both common.

Insiders were behind 28.09% of breaches, loss/theft incidents accounted for 14.34%, and the cause of 13.35% of breaches was unknown.

Insider breaches included human error and insider wrongdoing. These breaches accounted for a lower percentage of the total than in 2017 when 37% of breaches were attributed to insiders. Information was available for 106 insider-related breaches in 2018. 2,793,607 records were exposed in those breaches – 19% of exposed records for the year. While the total number of insider incidents fell from 176 to 139 year over year, there was a significant increase in the number of records exposed in insider breaches in 2018.

Insider errors resulted in the exposure of 785,281 records in 2017 and 2,056,138 records in 2018. Insider wrongdoing incidents resulted in the exposure of 893,978 records in 2017 and 386,469 records in 2018.

Without the proper tools in place, insider breaches can be difficult to detect. In one case, it took a healthcare provider 15 years to discover that an employee was snooping on patient records. Several incidents took over four years to discover.

Snooping by family members was the most common cause of insider breaches, accounting for 67.38% of the total. Snooping co-workers accounted for 15.81% of insider breaches. Protenus notes that there is a high chance of repeat insider offenses. 51% of cases involved repeat offenders.

Overall, it took an average of 255 days for a breach of any type to be discovered and an average of 73 days for breaches to be reported after they were discovered.

Healthcare providers were the worst affected group with 353 data breaches – 70% of all reporting entities. 62 breaches were reported by health plans (12%) and 39 (8%) were reported by other entities. It was a particularly bad year for business associates of HIPAA covered entities with 49 incidents (10%) reported by business associates. A further 102 incidents (20%) had some business associate involvement.

Protenus expects the trend of more than one breach per day to continue in 2019, as has been the case every year since 2016.

The post 2019 Data Breach Barometer Report Shows Massive Increase in Exposed Healthcare Records appeared first on HIPAA Journal.

7,000 Patients Notified About Pawnee County Memorial Hospital Malware Attack

Pawnee County Memorial Hospital in Pawnee City, Nebraska, is alerting 7,038 patients that some of their protected health information has potentially been accessed by a hacker.

On November 29, 2018, the hospital learned that malware had been installed which allowed an unauthorized individual to gain access to its email system.

Malware was injected into the hospital’s email system when an employee opened a malicious email attachment. According to Pawnee County Memorial Hospital’s substitute breach notice, the email appeared to have been sent from a trusted source and the email attachment seemed genuine.

Assisted by a third-party computer forensics expert, the hospital determined that the email attachment had been opened on November 16, 2018. The hacker was able to access employees’ email accounts from November 16 to November 24.

The compromised email accounts contained a range of business reports, clinical reports, clinical summaries, and other internal documents. Those documents contained patients’ full names along with one or more of the following data elements: Date of birth, address, diagnosis, lab test results, medical record number, insurance information, state ID number, driver’s license number and, for a limited number of patients, Social Security number.

While PHI access was possible, it is unclear whether the hacker viewed or obtained any patient information. The hospital believes the attack was financially motivated and was not conducted with the aim of stealing patient information.

In response to the breach, the hospital reset all passwords on employee email accounts and additional technology safeguards are being implemented to improve email security.

The hospital has sent breach notification letters to all patients whose PHI was exposed and has offered complimentary enrollment in the MyTrueIdentity online credit monitoring service for 12 months.

EyeSouth Partners Email Account Breach Impacts 24,000 Patients of Georgia Eye Associates

EyeSouth Partners has announced that a hacker has gained access to an employee’s email account and has potentially viewed/obtained the electronic protected health information (ePHI) of as many as 24,000 patients.

EyeSouth Partners is a business associate of Georgia Eye Associates, South Georgia Eye Partners, Cobb Eye Center, and Georgia Ophthalmology Associates. On October 25, 2018, EyeSouth Partners became aware that an unauthorized individual had gained access to the email account of one of its employees.

Prompt action was taken to secure the email account and assess the security of its systems. Procedures were also implemented to enhance information security safeguards to prevent any further email account breaches.

The breach investigation revealed the hacker first gained access to the email account on September 11, 2018. Access remained possible until October 25.

Third-party computer forensics experts were hired to assist with the investigation and determine which patients had had their ePHI exposed. On December 19, 2018, EyeSouth Partners was informed that the hacker had potentially accessed emails that contained the ePHI of patients of Georgia Eye Associates.

The information contained in emails and email attachments differed from patient to patient but may have included names, addresses, contact telephone numbers, email addresses, insurance provider names, type of insurance carrier, payment histories, account balances, summaries of charges, summaries of services and procedures, and internal patient ID numbers. A small number of patients also had their Social Security number exposed.

All patients affected by the breach have now been notified by mail and offered complimentary credit monitoring services.

OCR Settles Cottage Health HIPAA Violation Case for $3 Million

The Department of Health and Human Services’ Office for Civil Rights (OCR) has agreed to settle a HIPAA violation case with the Santa Barbara, CA-based healthcare provider Cottage Health for $3,000,000.

Cottage Health operates four hospitals in California – Santa Barbara Cottage Hospital, Santa Ynez Cottage Hospital, Goleta Valley Cottage Hospital and Cottage Rehabilitation Hospital.

In 2013 and 2015, Cottage Health experienced two security incidents that resulted in the exposure of the electronic protected health information (ePHI) of 62,500 patients.

In 2013, Cottage Health discovered a server containing patients’ ePHI had not been properly secured. Files containing patients’ ePHI could be accessed over the internet without the need for a username or password. Files on the server contained patient names, addresses, dates of birth, diagnoses, conditions, lab test results and other treatment information.

Another server misconfiguration was discovered in 2015. After responding to a troubleshooting ticket, the IT team removed protection on a server which similarly exposed patients’ ePHI over the internet. Patient names, addresses, dates of birth, social security numbers, diagnoses, conditions, and other treatment information could all be accessed without a username or password.

OCR investigated the breaches and Cottage Health’s HIPAA compliance efforts. OCR determined that Cottage Health had failed to conduct a comprehensive, organization-wide risk analysis to determine risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI, as required by 45 C.F.R. § 164.308(a)(1)(ii)(A).

Risks and vulnerabilities had not been reduced to a reasonable and appropriate level, as required by 45 C.F.R. § 164.308(a)(1)(ii)(B).

Periodic technical and non-technical evaluations following environmental or operational changes had not been conducted, which violated 45 C.F.R. § 164.308(a)(8).

OCR also discovered Cottage Health had not entered into a HIPAA-compliant business associate agreement (BAA) with a contractor that maintained ePHI, a violation of 45 C.F.R. § 164.308(b) and 164.502(e).

In addition to the financial penalty, Cottage Health has agreed to adopt a 3-year Corrective Action Plan (CAP). The CAP requires Cottage Health to conduct a comprehensive, organization-wide risk analysis to determine all risks to the confidentiality, integrity, and availability of ePHI. Cottage Health must also develop and implement a risk management plan to address all security risks and vulnerabilities identified during the risk analysis. The risk analysis must be reviewed annually and following any environmental or operational changes. A process for evaluating environmental or operational changes must also be implemented.

Cottage Health must also develop, implement, and distribute written policies and procedures covering the HIPAA Privacy and Security Rules and must train all staff on the new policies and procedures. Cottage Health must also report to OCR annually on the status of its CAP for the following three years.

“Our record year underscores the need for covered entities to be proactive about data security if they want to avoid being on the wrong end of an enforcement action,” said OCR Director Roger Severino. “The Cottage settlement reminds us that information security is a dynamic process and the risks to ePHI may arise before, during, and after implementation covered entity makes system changes.”

A Record Year for HIPAA Fines and Settlements

It has been a busy year of HIPAA enforcement for OCR. In 2018, 10 settlements have been agreed with HIPAA-covered entities and business associates in response to violations of HIPAA Rules and one civil monetary penalty has been issued. The 11 financial penalties totaled $28,683,400, which exceeded the previous record of $23,505,300 set in 2016 by 22%.

2018 also saw OCR agree to the largest HIPAA settlement in history. Anthem Inc. settled alleged violations of HIPAA Rules for $16,000,000. The settlement was almost three times larger than the previous record, the $5.5 million settlement with Advocate Health Care Network in 2016.

Further Information: 2018 HIPAA Fines and Settlements

Settlement Reached in Community Health Systems 4.5 Million-Record Data Breach Case

Community Health Systems’ (CHS) patients whose protected health information (PHI) was stolen in a cyberattack in 2014 have been offered compensation for the theft of their PHI.

Tennessee-based Community Health Systems operates over 200 hospitals, making it one of the largest healthcare systems in the U.S.

In 2014, CHS discovered malware had been installed on its network. The malware allowed unauthorized individuals to gain access to patient information between April and June 2014. The cyberattack is believed to have been conducted by threat actors based in China.

An advanced malware variant was used in the attack, which had the sole purpose of obtaining sensitive information. An investigation into the breach confirmed that patient data including names, addresses, phone numbers, dates of birth, and Social Security numbers had been exfiltrated. The PHI of 4.5 million patients was stolen by the attackers.

At the time it was the largest healthcare data breach to be reported to the Department of Health and Human Services’ Office for Civil Rights and still ranks as one of the top six healthcare data breaches of all time.

Following the breach, many lawsuits were filed by patients seeking compensation for the theft of their personal information. The lawsuits were consolidated into a single lawsuit, which survived attempts by CHS to have the case dismissed. A settlement has now been reached to resolve the lawsuit.

The settlement specifies two different payments for breach victims. Individuals who can prove they have incurred out-of-pocket expenses as a result of the breach and/or can show evidence of time lost securing their accounts, can claim up to $250 in compensation. Individuals who have suffered identity theft or fraud as a result of the breach can recover up to $5,000 in losses.

Legal fees totaling $900,000 have also been covered by the settlement agreement along with a payment of $3,500 for each representative class member.

In order to qualify for payment, a compensation claim must be submitted by August 1, 2019. Individuals who do not want to be included in the settlement and those who wish to file an objection, have until May 18 to notify CHS.

The settlement must still be assessed for fairness and approved by a judge. A hearing has been scheduled for August 13, 2019.

Malware Attack Reported by Minnesota Infertility Clinic

Malware has been installed on the network of Reproductive Medicine and Infertility Associates, a Woodbury, MN, infertility clinic.

While no evidence was uncovered to suggest any patient information was accessed or exfiltrated by the malware, the possibility of a data breach could not be ruled out.

The malware attack was detected by the clinic on December 5, 2018 and a third-party computer forensics firm was hired to investigate and clean the malware from its systems. While the malware was successfully removed, it was not possible to determine exactly how it was installed on the network.

Information stored on systems potentially accessible by the malware included names, dates of birth, addresses, treatment information, health insurance information, and donors’ Social Security numbers.

All individuals whose PHI was exposed were notified about the incident on February 1, 2019. As a precaution against fraud, all individuals affected by the breach have been offered complimentary identity theft monitoring services.

Anti-malware defenses have now been improved, which include an additional firewall, extra layers of security, and further training for employees on data security.

Server Stolen from Waco Dental Clinic

Stonehaven Dental, an operator of two dental practices in Waco and Harker Heights, TX, has announced that thieves broke into its Waco clinic and stole a computer server that contained patient information.

All data on the server had been backed up via a cloud storage service and could be restored. The server was protected with two layers of password security, but patient data was not encrypted.

The server contained patients’ names, telephone numbers, addresses, dates of birth, medical records, medical record numbers, health insurance information, and for some patients, Social Security and Driver’s license numbers.

While data access is unlikely, it is possible that the passwords could be cracked. Consequently, the decision was taken to offer affected patients complimentary identity theft protection services.

Affected patients were notified about the incident on January 22, 2019. The HHS’ Office for Civil Rights has also been informed. The breach summary on the OCR website indicates 6,289 patients’ information was stored on the stolen server.

Physical security at Stonehaven Dental offices has now been strengthened and all devices containing patient information are now encrypted.

23,500 Patients Impacted by Connecticut Eye Clinic Ransomware Attack

Dr. DeLuca Dr. Marciano & Associates, P.C., a primary eye care clinic in Prospect, CT, has experienced a ransomware attack that has resulted in the encryption of files containing patients’ protected health information.

The attack occurred on November 29, 2018. Prompt action was taken to shut down the network to prevent the spread of the infection, but it was not possible to stop the encryption of files on two servers used to store patient-related files. A ransom demand was received but no payment was made. The encrypted files were successfully restored from backups.

An investigation of the breach revealed that the two servers affected by the attack contained patient files that included information such as patient names, Social Security numbers, and some treatment information.

Dr. DeLuca Dr. Marciano & Associates has taken steps to prevent further cyberattacks, which include closing remote access to the network, implementing technical solutions to protect against ransomware, and enhancing its anti-virus software.

While there is no indication that patient information was accessed or stolen, all individuals whose protected health information was potentially compromised have been notified by mail and, out of an abundance of caution, offered complimentary credit monitoring and identity theft protection services.

The ransomware attack has been reported to all appropriate authorities. The breach report submitted to the Department of Health and Human Services’ Office for Civil Rights (OCR) indicates 23,578 patients have been affected by the breach.

Patients’ PHI Potentially Accessed in Chaplaincy Health Care Phishing Attack

Chaplaincy Health Care, a not-for-profit provider of hospice, behavioral health, palliative care, and chaplain services in the tri-cities area of southeast Washington, has discovered an unauthorized individual has gained access to the email account of an employee and potentially viewed patients’ protected health information.

The breach was detected on November 20, 2018, the same day that the account was breached. Assisted by a third-party computer forensics firm, Chaplaincy Health Care determined that an unknown individual gained access to a single email account for a period of around 4 hours.

Emails in the account contained patients’ names, home addresses, dates of birth, medical record numbers, prescription information, dates of service, and the last four digits of Social Security numbers.

Breach notification letters were sent to affected individuals on January 3, 2019. Complimentary credit monitoring and identity theft protection services have been offered to breach victims.

The breach has prompted Chaplaincy Health Care to provide further training on email security to employees. 2-factor authentication has also been implemented to protect against unauthorized account access.

The breach report submitted to OCR indicates the PHI of 1,086 patients was potentially accessed.

12,000 Patients Impacted by Valley Professionals Community Health Center Phishing Attack

Valley Professionals Community Health Center, a network of seven healthcare centers in Indiana, has experienced a phishing attack that resulted in an employee’s email account being accessed by an unauthorized individual.

Phishing attacks often involve the impersonation of companies. In this case, the attacker impersonated a healthcare organization that had previously worked with Valley Professionals Community Health Center. The supposed sender of the email was known to staff at the health center and the email appeared genuine.

On November 27, 2018, Valley Professionals Community Health Center detected suspicious activity relating to the employee’s email account. Prompt action was taken to secure the account and an investigation was launched to determine the cause of the activity. Assistance was provided by a third-party computer forensics company, which determined that the account had been accessed by an unauthorized individual between October 26 and November 27, 2018.

The emails in the account contained information such as patient names, addresses, dates of birth, Social Security numbers, medical record numbers, patient ID numbers, diagnoses, procedure information, treatment information, information relating to payment for medical services, and provider information. A small number of patients also had their bank account number, routing information, and/or health insurance information exposed.

Since it was not possible to determine which, if any, emails in the account had been accessed by the attacker, the decision was taken to send notification letters to all individuals whose protected health information was contained in the account. Approximately 12,000 patients have been sent notification letters. All patients affected by the incident have been offered complimentary credit monitoring services.

The breach has prompted Valley Professionals Community Health Center to implement additional technical safeguards to prevent further successful phishing attacks, and additional training and education has been provided to employees.

Sunflower State Health Plan Alerts 1,625 Members of Impermissible PHI Disclosure

Sunflower Health Plan in Kansas is alerting 1,625 plan members that some of their protected health information has been impermissibly disclosed to other individuals.

On November 26, 2018, Sunflower Health Plan mailed ID cards and Welcome Packets to 1,625 plan members; however, an error with the mailing resulted in the letters being sent to incorrect addresses. The letters contained patients’ full names and Medicaid ID numbers.

The error was detected on December 3, 2018, and replacement ID cards and Welcome Packets were mailed to the correct addresses.

Sunflower Health Plan has now changed its mailing processes to prevent further mailing errors and PHI exposures. No reports of improper use of PHI have been received.