HIPAA Breach News

Rush University Medical Center Notifies 45,000 Patients of PHI Incident

Rush University Medical Center is notifying approximately 45,000 patients that their PHI has been exposed as a result of a data incident at a financial services vendor. Rush learned of the incident on January 22, 2019.

An employee of the financial services vendor was discovered to have disclosed a file containing patients’ PHI to an unauthorized third party in May 2018. The types of information in the file varied from patient to patient and may have included names, home addresses, dates of birth, health insurance information, and Social Security numbers. No health information was contained in the file and financial data was not exposed.

Rush conducted an investigation into the breach and while no evidence was found to suggest patient information had been misused, affected patients have been offered membership to the Experian IdentityWorks Credit 3B service to protect against identity theft and fraud as a precaution.

Affected patients have been advised to monitor their financial accounts and explanation of benefits statements from their insurers for any sign of fraudulent activity. All affected patients were notified of the breach by mail on February 25, 2019.

After discovering the breach, Rush suspended its contract with the financial services vendor and the incident has been reported to law enforcement. Steps have now been taken to prevent similar breaches from occurring in the future, including increasing oversight of service vendors, and reviewing and enhancing internal policies, processes, and procedures for contracting third-party firms.

This is the second privacy breach to be reported by Rush in 2019. In February, patients were sent letters to inform them about the retirement of a nurse practitioner at its Epilepsy Center; however, an error in the mailing resulted in 908 letters being sent to incorrect recipients.

The post Rush University Medical Center Notifies 45,000 Patients of PHI Incident appeared first on HIPAA Journal.

St. Francis Physicians Services Notifies Patients of Milestone Family Medicine Data Breach

Bon Secours St. Francis Health System is notifying patients of a security breach that may have resulted in some of their protected health information (PHI) being viewed/obtained by unauthorized individuals who gained access to the systems of Milestone Family Medicine in Greenville, SC.

Milestone Family Medicine was affiliated with St. Francis Physicians Services (SFPS) until February 24, 2019, and had previously employed physicians at the practice. SFPS learned of a security breach at the practice on January 4, 2019 and took steps to secure systems and prevent further unauthorized access. An investigation was launched and, assisted by a third-party computer forensics firm, SFPS determined that one of the servers that was accessed included the PHI of certain patients.

The attack appears to have targeted EHR systems that were accessible over the Internet. Internet connections providing access to Milestone Family Medicine systems that are not actively being used have been shut down.

The types of information that have been compromised include names, addresses, dates of birth, health insurance information, Social Security numbers, and information related to the medical services provided to patients.

The breach was limited to patients who had previously received medical services at Milestone Family Medicine. Breach notification letters are now being sent to affected individuals and SFPS has offered complimentary credit monitoring and identity theft protection services.

While data theft was possible, no reports have been received to indicate any patients’ PHI has been misused. Affected patients have been advised to monitor their accounts and explanation of benefits statements for indicators of fraudulent activity.

SFPS has said technology management and information security risk oversight are being enhanced to prevent any further breaches of PHI and that the decision to end the affiliation with Milestone Family Medicine was not related to the breach.

The incident has yet to appear on the Department of Health and Human Services’ Office for Civil Rights website, so it is currently unclear exactly how many Milestone Family Medicine patients have been affected by the breach.

Patient Records Potentially Accessed During Rocky Boy Health Center Break-in

Patients’ health records have potentially been compromised during a break-in at the offices of Rocky Boy Health Center in Box Elder, MT. The health center discovered the break-in on January 16, 2019. Thieves are believed to have gained entry to the property on or around January 14 by forcing the door lock and padlock.

The offices contained X-ray and dental records dating back to the 1990s. The records contained PHI such as names, diagnosis codes, and Social Security numbers.

The break-in was reported to law enforcement and all records stored at the offices have been removed and scanned into the electronic medical record system. The physical records have now been shredded.

The records of 971 patients were stored at the offices. All affected individuals have now been notified.


January 2019 Healthcare Data Breach Report

After a relatively quiet month for healthcare data breaches, breach numbers rose to more typical levels and were reported at a rate of more than one per day. There were 33 healthcare data breaches reported in January 2019.

Healthcare Data Breaches January 2019 - Month

January was the second successive month where there was a fall in the number of individuals impacted by healthcare data breaches. January’s healthcare data breaches saw 490,937 healthcare records exposed, stolen or impermissibly disclosed.

Healthcare Data Breaches January 2019 - Records Exposed

Largest Healthcare Data Breaches in January 2019


Rank  Name of Covered Entity                                      Covered Entity Type  Individuals Affected  Type of Breach
1     Centerstone Insurance and Financial Services (BenefitMall)  Business Associate   111,589               Hacking/IT Incident
2     Las Colinas Orthopedic Surgery & Sports Medicine, PA        Healthcare Provider  76,000                Theft
3     Valley Hope Association                                     Healthcare Provider  70,799                Hacking/IT Incident
4     Roper St. Francis Healthcare                                Healthcare Provider  35,253                Hacking/IT Incident
5     Managed Health Services                                     Health Plan          31,300                Hacking/IT Incident
6     EyeSouth Partners                                           Business Associate   24,113                Hacking/IT Incident
7     Dr. DeLuca Dr. Marciano & Associates, P.C.                  Healthcare Provider  23,578                Hacking/IT Incident
8     Critical Care, Pulmonary and Sleep Associates, PLLP         Healthcare Provider  23,377                Hacking/IT Incident
9     Valley Professionals Community Health Center                Healthcare Provider  12,029                Hacking/IT Incident
10    Cambridge Healthcare Services, LLC                          Business Associate   10,866                Theft

Causes of January 2019 Healthcare Data Breaches

Hacking and other IT security incidents such as ransomware and malware attacks were the biggest cause of healthcare data breaches in January 2019, accounting for 51.52% of the month’s data breaches (17 incidents) and the largest reported breach of the month. Hacking/IT incidents also accounted for the most breached records: 74.07% of all breached records in January (363,631 records).

Healthcare Data Breaches January 2019 - Causes

Unauthorized access and impermissible disclosure incidents were in second place with 10 incidents (30.30%), although they involved only a small percentage of the month’s breached records – 19,500 or 3.97% of the month’s total.

There were 5 theft incidents reported in January which involved the protected health information of 106,006 individuals – 21.59% of the records exposed in January – and one improper disposal incident that saw 1,800 paper records accidentally discarded with regular trash.

Location of Breached Protected Health Information

Healthcare organizations are still having difficulty preventing phishing attacks and other email-related breaches. As has been the case in the past few months, email-related data breaches have dominated the breach reports. Most of the email breaches in January were due to phishing attacks.

51.52% of healthcare data breaches in January 2019 involved PHI stored in emails and email attachments (17 incidents). Physical PHI, such as paper records, charts, and films was exposed in 15.15% of breaches in January (5 incidents).

Healthcare Data Breaches January 2019 - Location PHI

Healthcare Data Breaches by Covered Entity Type

Healthcare providers were the worst affected by healthcare data breaches in January 2019 with 20 reported incidents, six of which ranked in the top ten breaches of the month.

8 health plans reported breaches in January and there were five breaches reported by business associates of HIPAA-covered entities, including the largest data breach of the month. A further 6 data breaches had some business associate involvement but were reported by the HIPAA-covered entity.

Healthcare Data Breaches January 2019 - By Covered Entity

Healthcare Data Breaches by State

HIPAA-covered entities and business associates based in 20 different states reported healthcare data breaches in January 2019. The worst affected state was Texas with four reported breaches. Georgia, Indiana, and Kentucky each had three breaches in January, and there were two breaches reported in each of California, Connecticut, Florida, and Kansas.

Colorado, Illinois, Michigan, Minnesota, North Carolina, Nebraska, New Jersey, Pennsylvania, Rhode Island, South Carolina, Tennessee, and Washington each experienced one healthcare data breach in January.

Penalties for Noncompliance and HIPAA Violations

The Department of Health and Human Services’ Office for Civil Rights (OCR) did not issue any financial penalties in January 2019 or agree to any settlements to resolve HIPAA violations; however, OCR did announce in late January that a further settlement had been agreed with a HIPAA-covered entity in December 2018, too late for inclusion in our December 2018 Healthcare Data Breach Report.

In December 2018, Cottage Health agreed to settle its HIPAA violation case with OCR for $3,000,000. OCR investigated Cottage Health over two breaches experienced in 2013 and 2015 which saw the protected health information of 62,500 patients exposed online.

OCR also announced that 2018 had been a record year for HIPAA enforcement. OCR’s HIPAA fines and settlements totaled $28,683,400 in 2018, beating the previous record of $23,505,300 set in 2016 by 22%. 2018 also saw the largest ever HIPAA settlement agreed. Anthem Inc. agreed to pay OCR $16,000,000 to resolve HIPAA violations discovered during the investigation of its 78.8 million-record data breach of 2015.

OCR closed out 2018 with 10 settlements to resolve HIPAA violations and one civil monetary penalty, beating last year’s total by one.

There was one HIPAA violation case closed by a state attorney general in January 2019. The California Attorney General agreed to settle a case with health insurer Aetna for $935,000. The financial penalty resolved violations of HIPAA and state laws that contributed to the impermissible disclosure of plan members’ PHI. In two separate 2017 mailings, PHI was visible through the windows of envelopes. The mailings were sent to individuals who had been diagnosed with Afib in one mailing, and patients who were receiving HIV medications in the other. The impermissible disclosures affected 1,991 California residents.

This was the sixth state attorney general financial penalty Aetna has agreed to pay in relation to the mailing errors. In 2018, Aetna settled cases with New York, New Jersey, Washington, Connecticut, and the District of Columbia. The latest financial penalty brings the total financial penalties over the HIPAA violations to $2,725,172.


UConn Health Phishing Attack Sees PHI of 326,000 Patients Exposed

UConn Health is notifying approximately 326,000 patients that some of their personal information has been exposed as a result of a phishing attack on some of its employees.

UConn Health learned about the phishing attack on December 24, 2018. All email accounts were secured, and an internal investigation was launched. The investigation confirmed that multiple email accounts had been accessed by unauthorized individuals.

A third-party computer forensics company was retained to investigate the attack and search for protected health information in emails and email attachments in the compromised accounts. While it was not possible to determine who was responsible for the attack nor whether emails and email attachments in the compromised accounts had been viewed by the attacker(s), PHI access could not be ruled out.

UConn Health explained in its substitute breach notice that no reports have been received to indicate any patient information has been misused.

The majority of individuals affected by the attack were patients. Some employees have also had personal information exposed. Information contained in the compromised email accounts was limited to names, addresses, dates of birth, and some clinical information, such as appointment dates and billing information. Approximately 1,500 Social Security numbers were also potentially compromised.

All patients whose PHI was potentially accessed by the attackers have been notified by mail. Complimentary identity theft protection services have been offered to patients whose Social Security number was exposed.

UConn Health is reviewing its technical controls to prevent phishing attacks and is currently evaluating additional security training platforms to better educate staff on phishing and other cybersecurity threats.

In late January, the University of Connecticut warned students to be alert to the risk of phishing attacks following a spate of spam and phishing emails received by students over the past few months, some of which impersonated the UConn mail service. It is unclear whether the warning was related to the email breach at UConn Health.


Multiple Rutland Regional Medical Center Email Accounts Hacked

Rutland Regional Medical Center in Rutland City, the largest community hospital in the state of Vermont, has discovered hackers have gained access to the email accounts of nine employees and potentially viewed/obtained patients’ protected health information.

On December 21, 2018, an employee of the medical center noticed that their email account had been used to send large quantities of spam emails and on December 28, 2018, a potential security breach was reported to the medical center’s IT department. The IT department determined, on December 31, that the employee’s email account had been remotely accessed by an unauthorized individual.

The account was immediately secured and a third-party forensic expert was called in to conduct an investigation into the breach. While the investigation into the breach is ongoing, the forensics expert concluded on February 6, 2019, that nine email accounts had been compromised between November 2, 2018 and February 6, 2019.

The types of sensitive information in the compromised email accounts included patients’ full names, dates of birth, contact information, patient ID numbers, medical record numbers, financial information, diagnoses, treatment information, Social Security numbers, and health insurance data. The breach was limited to email accounts. The EMR system and other internal systems were unaffected by the breach.

Rutland Regional Medical Center will be sending notification letters to patients whose PHI may have been accessed in due course.

Additional safeguards and security measures will be implemented to further secure patients’ protected health information and improve email security to help prevent further breaches of this nature.

The breach has not yet appeared on the Department of Health and Human Services’ Office for Civil Rights breach portal, so it is currently unclear exactly how many patients have been affected by the breach.


Insider Wrongdoing Breach at Kentucky Counseling Center Impacts 16,440 Patients

Kentucky Counseling Center (KCC) has discovered a list of 16,440 patients has been stolen and disclosed to another individual. A current employee is suspected of accessing and copying patient information without authorization, uploading the data to an anonymous file sharing service, and subsequently sending a hyperlink to the list to a former employee of KCC.

The former employee received the link to the patient list on January 6, 2019 and reported the privacy breach to KCC.

KCC launched an investigation into the insider breach to determine when the list was obtained and who was responsible. KCC believes the list was downloaded and stolen on December 6, 2018 by a then current employee of KCC. That person is no longer employed at the Counseling Center.

The motivations behind the HIPAA violations, both the unauthorized access/theft and the subsequent impermissible disclosure to a former employee, are unclear. KCC explained in its breach notification letter that there is no reason to believe that the list was taken with the intent of causing harm to patients.

However, due to the nature of the data contained in the list the decision was taken to offer credit monitoring services to affected patients for 12 months without charge.

The types of information in the list varied from patient to patient and may have included the following data elements: Full name, address, date of birth, phone numbers, gender, marital status, employment status, insurance payor, insurance number, Social Security number, last and next appointment dates, and KCC clinician name.

The measures taken to prevent further incidents such as this from occurring in the future include strengthening passwords and implementing multi-factor authentication on its computer system.

The KCC breach notice does not mention whether the person responsible was fired or left KCC of his/her own accord nor whether the matter has been referred to law enforcement.


PHI of Almost 1 Million UW Medicine Patients Exposed Online

Approximately 974,000 patients of UW Medicine have had their protected health information exposed online due to the accidental removal of protections on a website server. The error resulted in sensitive internal files being indexed by search engines. Internet searches allowed sensitive patient information to be accessed by unauthorized individuals without any need for authentication.

Seattle-based UW Medicine discovered a vulnerability on a website server on December 26, 2018, following a tip-off from a patient who was performing a Google search of their own name.

An investigation was launched to determine how information was exposed, for how long, and how many patients had potentially been affected. UW Medicine determined that an error had been made in the configuration of a database which resulted in internal files being temporarily available over the Internet. The server misconfiguration occurred on December 4, 2018. The incident was attributed to human error. Ironically, the exposed database was used by UW Medicine to keep track of patient health information disclosures.

The error was immediately fixed on December 26 and UW Medicine contacted Google to remove all cached copies of the files from its listings. UW Medicine reports that all cached copies of its files were removed by January 10, 2019.

An analysis of the files revealed they contained patients’ names, medical record numbers, information about with whom UW Medicine had shared patient information, a summary of the reason for the disclosure, and a brief description of the types of information that were shared (demographics, labs, office visits, etc.). In some cases, the name of a health condition was mentioned in relation to a research study and the name of a lab test was included. In the case of the latter, the information may have indicated what the patient was being tested for (e.g., HIV, dementia), but not the result of the test.

No financial information, insurance information, Social Security numbers, detailed health information, or other highly sensitive data could be accessed by unauthorized individuals as a result of the database misconfiguration.

The most common reasons for disclosures recorded in the database were information shared with Child Protective Services, law enforcement, and public health authorities, and researchers requiring access to a patient’s medical records to check whether the patient was eligible to take part in a research study.

It has taken some time for UW Medicine to ensure that all information has been secured and to identify the patients impacted by the breach. The incident has now been reported to the HHS’ Office for Civil Rights and all patients are now being sent breach notification letters. UW Medicine cannot confirm how many people accessed the files during the time they were available, but due to the nature of data exposed, the risk of identity theft and fraud is believed to be negligible.

The error has proven costly for UW Medicine. According to Dr. Timothy Dellit, chief medical officer at UW Medicine, the mailing of breach notification letters has cost UW Medicine around $1 million, not including the cost of the investigation and identifying patients impacted by the breach.

The breach has prompted a review of policies and procedures, which have now been updated to prevent similar incidents from occurring in the future.


Patients Receive Notifications of PHI Theft 8 Months After Business Associate Data Breach was Detected

Sharecare Health Data Services (SHDS), a San Diego company that provides secure electronic exchange and medical records management services for healthcare organizations, has alerted some of its clients that hackers gained access to parts of its systems that contained sensitive patient information.

SHDS detected abnormal network activity on June 26, 2018, prompting an in-depth investigation. The investigation revealed hackers gained access to systems containing protected health information as early as May 21, 2018. Access remained possible until June 26, 2018, during which time PHI was accessed and exfiltrated by the hackers to locations outside the U.S.

SHDS engaged the services of cybersecurity firm Mandiant to assist with the forensic investigation of the breach. The breach was also reported to the FBI and SHDS has been assisting with its investigation.

SHDS has since taken steps to enhance security and prevent further breaches. Data retention policies have been revised, maintenance communications and protocols have been improved to ensure continuity across its network, and SHDS has retained a third-party firm to provide 24/7 monitoring of its data systems.

On December 31, 2018, Sharecare Health Data Services alerted at least two healthcare organizations that their data had potentially been accessed as a result of the attack, more than 5 months after the discovery of the breach. No reason for the delayed notification has been offered.

The incident has yet to appear on the Department of Health and Human Services’ Office for Civil Rights’ breach portal, so it is currently unclear exactly how many patients have been affected.

Los Angeles-based healthcare provider AltaMed Health Services Corporation has announced that 5,767 of its patients were affected by the breach. In its breach notice to the California Attorney General, AltaMed said the information obtained by the hackers was limited to names, addresses, birth dates, unique patient ID numbers, addresses where healthcare services were provided, and for some patients, internal SHDS processing notes and medical record numbers. Social Security numbers, financial information, and detailed clinical information were not stolen in the attack. Patients affected by the breach were notified on February 15, 2019 and have been offered 12 months of credit monitoring and identity theft protection services without charge.

The California Physicians’ Service, doing business as Blue Shield of California, has also notified the California Attorney General of the breach. Blue Shield of California members affected by the breach have had the following information stolen: names, addresses, birth dates, Blue Shield ID numbers, addresses where healthcare services were provided, and for some patients, internal SHDS processing notes, medical record numbers, and provider names. 12 months of credit monitoring and identity theft protection services have also been offered without charge. Those services can be renewed annually for individuals who remain Blue Shield members.

It is currently unclear how many of its members have been affected and whether they are included in the 5,767 AltaMed total.


30,000 Patients Notified of Phishing Incident at Memorial Hospital at Gulfport

Memorial Hospital at Gulfport, MS, is notifying approximately 30,000 patients that some of their protected health information has potentially been accessed by an unauthorized individual as a result of a phishing incident.

Memorial Hospital discovered a breach of an employee’s email account on December 17, 2018. The compromised account was immediately secured and an investigation was launched to determine the extent of the breach.

The investigation revealed the employee responded to a phishing email on December 6, 2018, which gave the attacker access to patients’ protected health information stored in emails and email attachments.

Memorial Hospital reports that the breach was limited to names, dates of birth, health insurance information, and information about medical services received at the hospital. A small number of Social Security numbers were also contained in the compromised email account.

Patients affected by the incident were notified by mail on February 15, 2019. Complimentary credit monitoring services have been offered to all patients whose Social Security numbers were compromised. The investigation is ongoing, and the hospital anticipates notifying additional patients in the coming weeks.

5,524 AZ Plastic Surgery Center Patients Notified of Data Breach

AZ Plastic Surgery Center in Tucson, AZ, is notifying 5,524 patients that some of their PHI may have been accessed by hackers who succeeded in gaining access to its computer system. The breach was discovered on December 10, 2018.

The incident has been reported to both the FBI and local law enforcement and the investigation into the breach is continuing.

AZ Plastic Surgery Center engaged third-party computer experts to determine the nature and scope of the breach. While data access was not confirmed, the possibility could not be ruled out with a high degree of certainty. No reports have been received to suggest any PHI has been misused.

The types of information that were potentially accessed included names, dates of birth, addresses, diagnoses, prescription information, health insurance numbers, and procedure notes. A limited number of Social Security numbers and driver’s license numbers may also have been accessed.

Notification letters were mailed to affected patients on February 8, 2019.

Rush University Medical Center Mailing Error Impacts 908 Patients

Rush University Medical Center in Chicago, IL, has notified 908 patients about a mailing error that resulted in the disclosure of their name to another patient.

Patients were sent notification letters about the retirement of a certified nurse practitioner at the Epilepsy Center.

The medical center learned that some of the letters may have included the name of a different patient. As a result, the letters would have disclosed a patient’s name to one other patient, also revealing that person was a patient of the Epilepsy Center.
