HIPAA Breach News

PHI Exposed in Three Recent Email Security Incidents

Three email system breaches have been reported in the past few days that have resulted in unauthorized individuals gaining access to email accounts containing protected health information.

Navicent Health Notifies Patients About July 2018 Phishing Attack

Macon, GA-based Navicent Health is notifying certain patients that some of their protected health information has potentially been compromised as a result of a cyberattack on its email system.

Upon discovery of the breach in July 2018, law enforcement was notified and a leading computer forensics firm was hired to investigate the breach.

Navicent Health explained in a substitute breach notice on its website that it only became clear on January 24, 2019 that email accounts containing patient information had been breached. No reason was given as to why it took six months from the discovery of the breach to determine that patients’ PHI had been compromised.

The types of information potentially accessed by the attackers included names, addresses, dates of birth, and some medical information such as appointment dates and billing information. Some individuals also had their Social Security numbers exposed. Navicent Health was unable to determine whether any patients’ PHI was viewed or downloaded by the attackers.

All patients affected by the incident have now been notified, and complimentary identity theft protection services have been offered to all individuals whose Social Security number was potentially compromised.

Navicent Health has since been working with multiple cybersecurity firms to improve security and prevent further breaches.

Duluth Human Development Center Discovers Email Account Compromise

During a routine analysis of email logs on January 25, 2019, the Human Development Center (HDC) in Duluth, MN, discovered that an employee’s email account had been accessed by an unauthorized individual on two occasions, January 16 and 18, 2019.

An analysis of the compromised account revealed it contained protected health information of clients, including names, dates of birth, internal HDC client numbers, descriptions of the HDC services received, and procedure codes. Clients affected by the breach had received services from HDC between 2011 and 2018.

The probability of information being accessed and misused is believed to be low. Affected individuals have now been notified of the breach.
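The HDC incident above was caught by reviewing email logs after the fact. The following is an added example of the kind of review that finds such access; it is not code from HIPAA Journal or from HDC. It works on a constructed, simplified JSON-lines rendering of mailbox audit events (the field names UserId, ClientIP, Operation and ResultStatus, the baseline window, and the sample addresses are all assumptions for the example), builds a per-user baseline of client networks from the first week of history, and flags later successful sign-ins from networks outside that baseline together with any mailbox activity that followed from the same address.

```python
"""Flag mailbox sign-ins from networks a user has never signed in from.

Added example, not code from HIPAA Journal or from the Human Development
Center. The records below are a constructed, simplified JSON-lines version
of mailbox audit events; field names are assumptions for the example.
"""
import ipaddress
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: normal activity for one user from one office
# network, then sign-ins from an address never seen for that account.
SAMPLE_LOG = """\
{"CreationTime": "2019-01-02T08:01:00", "UserId": "jdoe@example.org", "Operation": "UserLoggedIn", "ClientIP": "198.51.100.10", "ResultStatus": "Success"}
{"CreationTime": "2019-01-03T08:05:00", "UserId": "jdoe@example.org", "Operation": "UserLoggedIn", "ClientIP": "198.51.100.10", "ResultStatus": "Success"}
{"CreationTime": "2019-01-04T17:40:00", "UserId": "jdoe@example.org", "Operation": "UserLoggedIn", "ClientIP": "198.51.100.12", "ResultStatus": "Success"}
{"CreationTime": "2019-01-10T09:00:00", "UserId": "jdoe@example.org", "Operation": "UserLoggedIn", "ClientIP": "198.51.100.10", "ResultStatus": "Success"}
{"CreationTime": "2019-01-16T02:13:00", "UserId": "jdoe@example.org", "Operation": "UserLoggedIn", "ClientIP": "203.0.113.77", "ResultStatus": "Success"}
{"CreationTime": "2019-01-16T02:14:00", "UserId": "jdoe@example.org", "Operation": "MailItemsAccessed", "ClientIP": "203.0.113.77", "ResultStatus": "Success"}
{"CreationTime": "2019-01-18T03:02:00", "UserId": "jdoe@example.org", "Operation": "UserLoggedIn", "ClientIP": "203.0.113.77", "ResultStatus": "Success"}
{"CreationTime": "2019-01-18T03:30:00", "UserId": "jdoe@example.org", "Operation": "UserLoggedIn", "ClientIP": "203.0.113.78", "ResultStatus": "Failed"}
"""

BASELINE_DAYS = 7  # assumption: the first week of a user's history defines "known" networks


def parse_records(text):
    """Parse JSON-lines audit records, skipping blank or malformed lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        rec["CreationTime"] = datetime.fromisoformat(rec["CreationTime"])
        records.append(rec)
    records.sort(key=lambda r: r["CreationTime"])
    return records


def client_network(ip):
    """Collapse a client address to its /24 (IPv4) or /64 (IPv6) network."""
    prefix = "/24" if "." in ip else "/64"
    return ipaddress.ip_network(ip + prefix, strict=False)


def find_new_network_logins(records, baseline_days=BASELINE_DAYS):
    """Return successful sign-ins from networks outside each user's baseline.

    Only UserLoggedIn events with ResultStatus Success count; failed attempts
    are noise here. One finding is reported per (user, network, day).
    """
    first_seen, known, seen_keys, findings = {}, defaultdict(set), set(), []
    for rec in records:
        if rec.get("Operation") != "UserLoggedIn" or rec.get("ResultStatus") != "Success":
            continue
        user, ts = rec["UserId"], rec["CreationTime"]
        net = client_network(rec["ClientIP"])
        first_seen.setdefault(user, ts)
        if ts - first_seen[user] <= timedelta(days=baseline_days):
            known[user].add(net)  # still inside the baseline window: learn, don't alert
            continue
        if net in known[user]:
            continue
        key = (user, str(net), ts.date())
        if key in seen_keys:
            continue
        seen_keys.add(key)
        findings.append({"user": user, "ip": rec["ClientIP"],
                         "network": str(net), "time": ts.isoformat()})
    return findings


def follow_on_activity(records, finding, window_minutes=60):
    """List non-login operations from the flagged address within the window.

    This is what turns "unusual sign-in" into "mailbox contents were read".
    """
    start = datetime.fromisoformat(finding["time"])
    end = start + timedelta(minutes=window_minutes)
    return [r["Operation"] for r in records
            if r["UserId"] == finding["user"]
            and r["ClientIP"] == finding["ip"]
            and r["Operation"] != "UserLoggedIn"
            and start <= r["CreationTime"] <= end]


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    for f in find_new_network_logins(recs):
        print(f'{f["time"]} {f["user"]} from {f["ip"]} ({f["network"]}) '
              f'follow-on: {follow_on_activity(recs, f) or "none"}')
```

Against the constructed sample this reports the two sign-ins from 203.0.113.77, on January 16 and 18, and shows that the first was followed within a minute by a MailItemsAccessed event; the failed attempt from 203.0.113.78 is ignored. A real deployment would seed the baseline from a longer history and feed events from the mail platform's audit export rather than an inline string.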

Frederick Regional Health System Email Breach Impacts Hospice Patients

Frederick Regional Health System in Frederick, MD, has discovered the protected health information of certain hospice patients has potentially been accessed by unauthorized individuals as a result of a phishing attack.

The phishing attack was discovered on January 21, 2019, and unauthorized access to the account was promptly terminated. An analysis of the account revealed that emails and attachments contained information such as names, health insurance information, type of health insurance and, for some individuals, Social Security numbers. Patients affected by the breach had received hospice services from Frederick Regional Health System between June 2017 and January 2019.

No evidence of misuse of PHI has been uncovered but, as a precaution, Frederick Regional Health System is offering eligible patients complimentary credit monitoring and identity theft protection services for 12 months. Security has since been enhanced and further email security training has been provided to employees.

The post PHI Exposed in Three Recent Email Security Incidents appeared first on HIPAA Journal.

350,000 Affected by Oregon Department of Human Services Phishing Attack

Oregon Department of Human Services (ODHS) has experienced a phishing attack that has potentially allowed unauthorized individuals to view or obtain the protected health information of more than 350,000 individuals.

ODHS learned on January 28, 2019 that unauthorized individuals had gained access to email accounts containing clients’ personal information. Third-party forensics experts from IDExperts were called in to determine the number of individuals affected, the types of data that could have been accessed, and whether clients’ personal information had been extracted.

The investigation confirmed that nine employees had clicked links in phishing emails and divulged their login credentials, which allowed the attackers to gain access to their email accounts. The first account was compromised on January 8, 2019.

The compromised email accounts contained almost 2 million emails. Checks are still being performed to find out which individuals have been affected. ODHS has confirmed that emails in the accounts contained information such as clients’ first and last names, addresses, birth dates, case numbers, Social Security numbers, and information used to administer ODHS programs.

The investigation did not uncover any evidence to suggest the attackers viewed or copied any protected health information, but the possibility of data access/theft could not be ruled out.

The exact number of individuals affected by the phishing attack has not yet been finalized. When all individuals have been identified, IDExperts will be sending breach notification letters by mail and will provide further information on the steps that should be taken to protect against identity theft and fraud.

ODHS is offering complimentary credit monitoring and identity theft recovery services to all individuals affected by the breach.


UCLA Health Settles Class Action Data Breach Lawsuit for $7.5 Million

UCLA Health has settled a class action lawsuit filed on behalf of victims of a data breach that was discovered in October 2014. UCLA Health has agreed to pay $7.5 million to settle the lawsuit.

UCLA Health detected suspicious activity on its network in October 2014 and contacted the FBI to assist with the investigation. The forensic investigation confirmed that hackers had succeeded in gaining access to its network, although at the time it was thought that they did not access the parts of the network where patients’ medical information was stored. However, on May 5, 2015, UCLA confirmed that the hackers had gained access to parts of the network containing patients’ protected health information and may have viewed/copied names, addresses, dates of birth, Medicare IDs, health insurance information, and Social Security numbers. In total, 4.5 million patients were affected by the breach.

The Department of Health and Human Services’ Office for Civil Rights investigated the breach and was satisfied with UCLA Health’s breach response and the technical and administrative safeguards that had been implemented post-breach to improve security.

UCLA Health avoided a financial penalty, but a class action lawsuit was filed on behalf of patients affected by the breach. The plaintiffs alleged that UCLA Health failed to inform them about the breach in a timely manner, that there had been a breach of contract and violations of California’s privacy laws, and that UCLA Health’s failure to protect the privacy of patients constituted negligence.

UCLA Health notified patients about the breach on July 15, 2015, and while this was in line with HIPAA requirements – under 60 days from the discovery that PHI had been compromised – the plaintiffs believed they should have been notified more quickly, given the fact that the breach had occurred 9 months previously.

Under the terms of the settlement, all patients affected by the breach can claim two years of free credit monitoring and identity theft protection services. Patients will also be allowed to submit a claim to recover costs that have been incurred protecting themselves against unauthorized use of their personal and health information and they can also submit a claim to recover losses from fraud and identity theft.

Patients can claim up to $5,000 to cover the costs of protecting their identities and up to $20,000 for any losses or damage caused by identity theft and fraud. $2 million of the $7.5 million settlement has been set aside to cover patients’ claims. The remaining $5.5 million will be paid into a cybersecurity fund which will be used to improve cybersecurity defenses at UCLA Health.

Patients have until May 20, 2019 to submit an objection or exclude themselves from the settlement. Preventative measure claim forms must be submitted by June 18, 2019 and patients must enroll in the free credit monitoring and identity theft protection services by September 16, 2019. The deadline for submitting claims for the reimbursement of losses is June 18, 2021. The final court hearing on the settlement is scheduled for June 18, 2019.


Verity Health System Suffers Third Phishing Breach in 3 Months

Verity Health System patients’ PHI was exposed in a phishing attack in 2016 and in two further phishing attacks in November 2018, and the six-hospital health system has now announced that yet another attack occurred in January 2019. The latest phishing incident has impacted 14,894 patients. Across the three most recent incidents, three employees’ email accounts were compromised.

Verity Health System explained in its breach notification letters that no evidence was uncovered to suggest any patients’ protected health information had been accessed by unauthorized individuals. The attacks are believed to have been conducted to obtain accounts for use in further phishing attacks on other individuals in the organization, although PHI access could not be ruled out.

The types of information exposed in the latest attack include names, addresses, contact telephone numbers, dates of birth, diagnoses, treatment information, health insurance policy numbers, subscriber numbers, patient ID numbers, and billing codes. Some of the files attached to emails also included Social Security numbers and driver’s license numbers. Some Verity Health employees also had personal information exposed.

Patients affected by the breach had previously received medical services at Verity Health’s O’Connor Hospital, St. Louise Regional Hospital, St. Francis Medical Center, St. Vincent Medical Center, and Seton Medical Center, including the Seton Coastside campus. Some Verity Medical Foundation patients were also affected.

All patients affected by the breach have now been notified by mail and individuals whose Social Security number or driver’s license number was exposed have been offered complimentary credit monitoring services for 12 months.

In all of the phishing attacks, Verity Health identified the breach quickly and promptly terminated unauthorized access to the compromised accounts. The accounts were then disabled, affected computers were disconnected from the network, and all emails that the attackers had sent from the compromised accounts were deleted from the email system.

The attacks have prompted Verity Health to deploy a new phishing training module and all employees will be required to complete the training. A new project has also been launched to improve email security, which includes compulsory password resets and disabling unknown URLs.


Medical Device Manufacturer Notifies 277,319 Patients About PHI Exposure

The Pennsylvania medical device manufacturer and software developer, ZOLL Medical Corporation, has started notifying 277,319 patients about the exposure of some of their personal and medical information.

The information was contained in emails that had been archived using a third-party email archiving solution. During a server migration, archived emails were exposed and could potentially have been accessed by unauthorized individuals.

Upon discovery of the breach, ZOLL initiated an investigation and hired a third-party computer forensics company to determine whether any unauthorized individuals had accessed emails and viewed or downloaded patient information.

The investigation revealed protections had been removed on November 8, 2018 and emails remained accessible until December 28, 2018. No evidence was uncovered to suggest any sensitive information was accessed by unauthorized individuals, but it was not possible to rule out the possibility that personal and medical information had been compromised.

An analysis of the archived emails revealed they contained patient names, addresses, dates of birth and a limited amount of medical information. A small percentage of affected patients also had their Social Security number exposed.

As a precaution against identity theft and fraud, all patients affected by the breach have been offered complimentary credit monitoring and identity theft protection services for 12 months.

ZOLL has confirmed that the email archiving company has secured all exposed emails and has implemented measures to prevent further data breaches. ZOLL has said it has conducted a review of its own processes for managing third-party vendors and has updated policies and procedures to prevent any further data breaches.


Northwestern Medicine Sued Over Medical Information Disclosure on Twitter

Northwestern Medicine Regional Medical Group is being sued by a patient whose sensitive medical information was disclosed on Twitter and Facebook.

Gina Graziano discovered that some of her sensitive medical information had been disclosed on social media websites and contacted Northwestern Medicine to complain about the privacy violation.

Northwestern Medicine investigated the complaint and determined that Graziano’s medical records had been accessed on two separate occasions by a hospital employee who had no treatment relationship with Graziano. The records were accessed on March 5 and 6, 2019, using the employee’s own login credentials.

Graziano’s medical file contained a range of sensitive information, including her personal details, the reason for a recent visit to the emergency department, lab test results, medications, medical history, imaging results, and other information.

Sensitive information which Graziano did not want placed in the public domain was disseminated on social media sites, causing her to be publicly humiliated. While Northwestern Medicine did not disclose the name of the employee in the letter sent in response to her complaint, Graziano learned that the individual was Jessica Wagner, the current girlfriend of her ex-boyfriend David Wirth. Both individuals have also been named in the legal action.

In her lawsuit, Graziano alleges that Wagner accessed her medical records for a period of 37 minutes and then impermissibly disclosed some of her medical information to Wirth, who then posted the information on social media sites with the intent of causing Graziano harm.

Northwestern Medicine has confirmed that appropriate disciplinary action has been taken against the employee over the HIPAA violation and the Department of Health and Human Services has been notified of the HIPAA breach. It is unclear whether criminal charges have been filed against Wagner. CBS Chicago reports that Wagner was fired over the HIPAA violation.

Northwestern Medicine has issued an apology and has offered Graziano 12 months of credit monitoring services as a precaution against identity theft and fraud.


Database of New Jersey Healthcare Provider Found to be Leaking Patient Data

Another unsecured healthcare database has been discovered which contains an estimated 37,000 records.

The discovery was made on March 1, 2019 by security researcher Jeremiah Fowler. A brief analysis of the database appeared to show the records belonged to the New Jersey healthcare provider, Home Health Radiology Services LLC. The database contained highly sensitive patient information such as names, addresses, phone numbers, and dates of birth along with medical notes, diagnoses, treatment information, insurance information, and in some cases, Social Security numbers.

In a recent blog post on securitydiscovery.com, Fowler explained that 37,000 case files were found along with 1,540 doctor’s information records, chat logs, emails, support tickets, and many other sensitive files.

The records were mostly contained in an Elasticsearch database which could be accessed over the internet by anyone, without the need for any authentication.

The unsecured database was reported to Home Health Radiology Services, which promptly secured the database to prevent any further unauthorized access. It is currently unclear how long the database was accessible over the internet and whether anyone other than Fowler viewed the data.

The incident is one of many similar breaches that have occurred as a result of protections being removed from servers and databases. Also this week, a fax server used by Sacramento, CA-based medical software provider Meditab Software Inc., was discovered to have had protections removed which allowed healthcare faxes to be viewed in real time over the internet. More than 6 million records were reportedly housed on the server.

In February, almost 1 million records of UW Medicine were discovered to have been exposed over the internet due to a database misconfiguration.

These incidents highlight the importance of putting policies and procedures in place to ensure that all servers and databases used for storing patient health information are checked to confirm they have protections in place to prevent unauthorized data access, especially after any software upgrades have been performed or patches have been applied.
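The check described in the paragraph above, the unauthenticated Elasticsearch exposures reported on this page, and the open fax server in the Meditab item that follows are all the same failure: a cluster answering read requests to anyone who can reach it. The following is an added example of a post-change verification script, not code from HIPAA Journal or from any organization or tool named on this page. It sends a few read-only, unauthenticated GET requests to each host and classifies it as open, protected, unreachable or unknown; when the index listing is exposed it also totals the document count so the size of the exposure is visible. The probe paths are standard Elasticsearch REST endpoints; the hosts, addresses and sample responses are constructed for the example, and the fetch function is injectable so the logic runs offline against those constructed responses.

```python
"""Check whether Elasticsearch hosts answer without authentication.

Added example; not code from HIPAA Journal or from any organization or
tool named on this page. Probe paths are standard Elasticsearch REST
endpoints; hosts and sample responses are constructed for the example.
"""
import json
import sys
import urllib.error
import urllib.request

PROBE_PATHS = ("/", "/_cluster/health", "/_cat/indices?format=json")


def http_get(url, timeout=5):
    """GET a URL with no credentials; return (HTTP status, body text).

    Connection failures are returned as status 0 so an unreachable host is
    never mistaken for a protected one.
    """
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")
    except (urllib.error.URLError, OSError):
        return 0, ""


def looks_like_elasticsearch(path, body):
    """True if the body is the JSON an Elasticsearch node returns for `path`."""
    try:
        data = json.loads(body)
    except ValueError:
        return False
    if path == "/":
        return isinstance(data, dict) and "cluster_name" in data and "version" in data
    if path.startswith("/_cluster/health"):
        return isinstance(data, dict) and "number_of_nodes" in data
    if path.startswith("/_cat/indices"):
        return isinstance(data, list)
    return False


def count_exposed_docs(indices_body):
    """Sum docs.count over a /_cat/indices?format=json body (values are strings)."""
    total = 0
    for idx in json.loads(indices_body):
        try:
            total += int(idx.get("docs.count") or 0)
        except ValueError:
            pass
    return total


def assess_host(base_url, fetch=http_get):
    """Classify one host as open, protected, unreachable or unknown.

    A host is "open" if any probe returns 200 with Elasticsearch-shaped JSON;
    a 401/403 on the probes means authentication is being enforced.
    """
    statuses, open_paths, exposed_docs = {}, [], 0
    for path in PROBE_PATHS:
        status, body = fetch(base_url.rstrip("/") + path)
        statuses[path] = status
        if status == 200 and looks_like_elasticsearch(path, body):
            open_paths.append(path)
            if path.startswith("/_cat/indices"):
                exposed_docs = count_exposed_docs(body)
    if open_paths:
        verdict = "open"
    elif all(s == 0 for s in statuses.values()):
        verdict = "unreachable"
    elif any(s in (401, 403) for s in statuses.values()):
        verdict = "protected"
    else:
        verdict = "unknown"
    return {"host": base_url, "verdict": verdict,
            "open_paths": open_paths, "exposed_docs": exposed_docs}


# Constructed responses standing in for real clusters; used when the script
# is run without host arguments so the logic can be exercised offline.
def fake_open_cluster(url):
    if url.endswith("/_cat/indices?format=json"):
        return 200, '[{"index": "fax-2018", "docs.count": "6000000"}, {"index": "tickets", "docs.count": "12"}]'
    if url.endswith("/_cluster/health"):
        return 200, '{"cluster_name": "faxes", "status": "yellow", "number_of_nodes": 1}'
    if url.endswith("/"):
        return 200, '{"name": "node-1", "cluster_name": "faxes", "version": {"number": "6.4.0"}}'
    return 404, ""


def fake_protected_cluster(url):
    return 401, '{"error": {"type": "security_exception", "reason": "missing authentication credentials"}}'


if __name__ == "__main__":
    hosts = sys.argv[1:]
    results = ([assess_host(h) for h in hosts] if hosts else
               [assess_host("http://198.51.100.5:9200", fake_open_cluster),
                assess_host("http://198.51.100.6:9200", fake_protected_cluster)])
    for r in results:
        print(f'{r["host"]}: {r["verdict"]} open={r["open_paths"]} docs={r["exposed_docs"]}')
    sys.exit(1 if any(r["verdict"] == "open" for r in results) else 0)
```

Run it with the real host URLs (`python check_es.py http://db1.internal:9200 ...`, a hypothetical hostname) from a network position that is not trusted by the cluster, since a check run from inside the trust boundary proves nothing about internet exposure; the non-zero exit status lets it gate a change ticket or a scheduled job. The classification is deliberately conservative: a host that returns something other than 200, 401 or 403 is reported as unknown rather than assumed safe.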

These are not just isolated incidents. In late 2018, a study by the enterprise threat management platform provider Intsights suggested as many as 30% of healthcare databases have been exposed online.


Potentially Massive Breach of Protected Health Information Discovered

Sacramento, CA-based medical software provider Meditab Software Inc. and its San Juan, PR-based affiliate, MedPharm Services, have suffered a massive breach of protected health information.

Meditab provides electronic medical record (EMR) and practice management software to hospitals, physician’s offices, and pharmacies. According to the company website, its software is used by more than 2,200 healthcare clients.

Meditab also provides a fax processing service and one of the servers used for processing faxes has been discovered to be leaking data and could be accessed over the internet without the need for any authentication.

The unprotected fax server was discovered by the Dubai-based cybersecurity firm SpiderSilk. It was hosted on a subdomain of MedPharm Services and housed an Elasticsearch database containing fax communications, which could be viewed in real time as they arrived. The database was created in March 2018 and housed more than 6 million records. It is currently unclear how many of those records contained protected health information.

According to a recent report on TechCrunch, a brief review of the faxes in the database revealed they contained highly sensitive information such as names, addresses, dates of birth, insurance information, payment information, Social Security numbers, doctor’s notes, prescription details, diagnoses, lab test results, and medical histories. None of the information was encrypted.

Meditab Software and MedPharm Services were both founded by Kalpesh Patel, whom TechCrunch contacted about the breach. After being alerted to the breach, the company took the fax server offline and launched an investigation to identify the cause of the breach.

Database logs are currently being assessed to determine the extent of the breach, which patients have been affected, and whether the database was accessed or downloaded by unauthorized individuals.

It is unclear for how long the server was left unprotected and how many patients have been affected by the breach. Considering the number of records in the database, this breach has potential to be one of the largest ever healthcare data breaches in the United States.

Further information will be posted as and when it becomes available.


February 2019 Healthcare Data Breach Report

Healthcare data breaches continued to be reported at a rate of more than one a day in February. February saw 32 healthcare data breaches reported, one fewer than January.

[Chart: Healthcare data breaches by month]

The number of reported breaches may have fallen by 3%, but February’s breaches were far more severe. More than 2.11 million healthcare records were compromised in February’s breaches, a 330% increase from the previous month.

[Chart: Records exposed in healthcare data breaches by month]

Causes of Healthcare Data Breaches in February 2019

There is usually a fairly even split between hacking/IT incidents and unauthorized access/disclosure incidents; in February, however, hacking and IT incidents such as malware infections and ransomware attacks dominated the healthcare data breach reports.

75% of all reported breaches in February (24 incidents) were hacking/IT incidents and those incidents resulted in the theft/exposure of 96.25% of all records that were breached. All but one of the top ten healthcare data breaches in February were due to hacks and IT incidents.

There were four unauthorized access/disclosure incidents and four cases of theft of physical or electronic PHI. The unauthorized access/disclosure incidents involved 3.1% of all compromised records, and 0.65% of records were compromised in the theft incidents.

[Chart: Causes of healthcare data breaches in February 2019]

Largest Healthcare Data Breaches in February 2019

The largest healthcare data breach reported in February involved the accidental removal of safeguards on a network server, which allowed the protected health information of more than 973,000 patients of UW Medicine to be exposed on the internet. Files were indexed by the search engines and could be found with simple Google searches. Files stored on the network server were accessible for a period of more than 3 weeks.

The second largest data breach was due to a ransomware attack on Columbia Surgical Specialist of Spokane. While patient information may have been accessed, no evidence was found to suggest any ePHI was stolen by the attackers.

The 326,629-record breach at UConn Health was due to a phishing attack in which multiple employees’ email accounts were compromised, and a phishing attack on Rutland Regional Medical Center compromised a single email account containing the ePHI of more than 72,000 patients.

Rank  Name of Covered Entity                                   Covered Entity Type  Individuals Affected  Type of Breach
----  -------------------------------------------------------  -------------------  --------------------  ------------------------------
1     UW Medicine                                              Healthcare Provider  973,024               Hacking/IT Incident
2     Columbia Surgical Specialist of Spokane                  Healthcare Provider  400,000               Hacking/IT Incident
3     UConn Health                                             Healthcare Provider  326,629               Hacking/IT Incident
4     Rutland Regional Medical Center                          Healthcare Provider  72,224                Hacking/IT Incident
5     Delaware Guidance Services for Children and Youth, Inc.  Healthcare Provider  50,000                Hacking/IT Incident
6     Rush University Medical Center                           Healthcare Provider  44,924                Unauthorized Access/Disclosure
7     AdventHealth Medical Group                               Healthcare Provider  42,161                Hacking/IT Incident
8     Reproductive Medicine and Infertility Associates, P.A.   Healthcare Provider  40,000                Hacking/IT Incident
9     Memorial Hospital at Gulfport                            Healthcare Provider  30,642                Hacking/IT Incident
10    Pasquotank-Camden Emergency Medical Service              Healthcare Provider  20,420                Hacking/IT Incident

Location of Breached Protected Health Information

Email is usually the most common location of compromised PHI, although in February there was a major rise in data breaches due to compromised network servers. 46.88% of all breaches reported in February involved ePHI stored on network servers, 25% involved ePHI stored in email, and 12.5% involved ePHI in electronic medical records.

[Chart: Location of breached PHI]

Healthcare Data Breaches by Covered Entity Type

Healthcare providers were the worst affected covered entity type in February 2019, with 24 incidents reported. There were five breaches reported by health plans and three breaches reported by business associates of HIPAA-covered entities. A further seven breaches had some business associate involvement.

[Chart: February 2019 healthcare data breaches by covered entity]

Healthcare Data Breaches by State

The healthcare data breaches reported in February were spread across 22 states. California and Florida were the worst affected states with three breaches apiece. Two breaches were reported in each of Illinois, Kentucky, Maryland, Minnesota, Texas, and Washington, and one breach was reported in each of Arizona, Colorado, Connecticut, Delaware, Georgia, Kansas, Massachusetts, Mississippi, Montana, North Carolina, Virginia, Wisconsin, and West Virginia.

HIPAA Enforcement Actions in February 2019

2018 was a record year for HIPAA enforcement actions, although 2019 has started slowly. The HHS’ Office for Civil Rights has not issued any fines or agreed to any HIPAA settlements so far in 2019.

There were no enforcement actions by state attorneys general over HIPAA violations in February. The only 2019 penalty to date is January’s $935,000 settlement between California and Aetna.
