HIPAA Breach News

Valley Hope Association Notifies Patients of Email Account Breach

Posted by HIPAA Journal

Midwest, has announced that an unauthorized individual has gained access to the email account of an employee.

Valley Hope Association became aware of a potential account breach on October 10, 2018, when unusual account activity was detected. Prompt action was taken to prevent further account access and a third-party computer forensics firm was hired to determine the nature and scope of the breach.

The investigation confirmed on November 23, 2018, that an unauthorized individual had accessed a single email account between October 9-10, 2018, and potentially viewed emails and attachments containing patients’ protected health information. After a thorough review of all emails and email attachments, the forensics firm confirmed that certain patients’ PHI may have been accessed.

The types of information contained in the emails varied from patient to patient and may have included one or more of the following data elements: Name, address, date of birth, Social Security number, medication and prescription information, claims and billing information, medical record number, health insurance information, and physician’s name. No diagnosis or treatment information was contained in the emails.

Following the confirmation of exposed information, Valley Hope Association has been attempting to identify current contact information for all affected individuals and each will be notified and told about the exact information that has potentially been compromised. While data access/theft is a possibility, no reports have been received to suggest any patient information has been misused.

As a precaution against identity theft and fraud, patients impacted by the breach have been offered 12 months of complimentary identity theft monitoring services through Kroll.

Valley Hope Association has been reviewing and revising its policies and procedures to further protect the security and confidentiality of information on its systems and additional safeguards will be implemented as appropriate.

The breach has been reported to law enforcement, state regulators, credit monitoring bureaus, and the Department of Health and Human Services Office’ for Civil Rights.

The incident has yet to appear on the OCR breach portal, so it is currently unclear exactly how many patients have been impacted by the breach.

The post Valley Hope Association Notifies Patients of Email Account Breach appeared first on HIPAA Journal.

December 2018 Healthcare Data Breach Report

Posted by HIPAA Journal

November was a particularly bad month for healthcare data breaches, so it is no surprise that there was an improvement in December. November was the worst month of the year in terms of the number of healthcare records exposed (3,230,063) and the second worst for breaches (34). December was the second-best month for healthcare data breaches with 23 incidents reported, only one more than January.

2018 Healthcare Data Breaches

In total, 516,370 records were exposed, impermissibly disclosed, or stolen in breaches reported in December: A considerable improvement on November. Were it not for the late reporting of the Adams County breach, December would have been the best month of the year to date in terms of the records exposed. The Adams County breach was experienced in March 2018, confirmed on June 29, yet reporting to OCR was delayed until December 11.

2018 Healthcare Data Breaches - Records Exposed

Largest Healthcare Data Breaches in December 2018

Rank Name of Covered Entity Covered Entity Type Individuals Affected Type of Breach
1 Adams County Healthcare Provider 258,120 Unauthorized Access/Disclosure
2 JAND Inc. d/b/a Warby Parker Healthcare Provider 177,890 Hacking/IT Incident
3 University of Vermont Health Network – Elizabethtown Community Hospital Healthcare Provider 32,470 Hacking/IT Incident
4 The Podiatric Offices of Bobby Yee Healthcare Provider 24,000 Hacking/IT Incident
5 Choice Rehabilitation Business Associate 4,309 Hacking/IT Incident
6 Virtual Radiologic Professionals, LLC Healthcare Provider 2,568 Hacking/IT Incident
7 Kent County Community Mental Health Authority Healthcare Provider 2,284 Hacking/IT Incident
8 Butler County Board of County Commissioners Health Plan 1,912 Unauthorized Access/Disclosure
9 Barnes-Jewish Hospital Healthcare Provider 1,643 Hacking/IT Incident
10 Tift Regional Medical Center Healthcare Provider 1,045 Hacking/IT Incident

Causes of December 2018 Healthcare Data Breaches

The healthcare industry experiences more insider breaches than other industry sectors, although in December, hacking/IT Incidents outnumbered unauthorized/access disclosure incidents by almost two to one. Eight of the top ten data breaches for the month were hacks, ransomware attacks, and other IT incidents.

While unauthorized access/disclosure incidents usually impact fewer individuals that hacking breaches, that was not the case in December. The largest breach of the month was the unauthorized accessing of a network server by a former employee of Adams County, WI.

In total, 264,049 healthcare records were exposed in the 7 unauthorized access/disclosure incidents reported in December. The mean breach size was 37,721 records and the median breach size was 911 records.

250,404 healthcare records were exposed in the 13 hacking/IT incidents. The mean breach size was 19,261 records and the median breach size was 1,643 records.

There were two theft incidents reported in December and one case of improper disposal of paper records. No lost devices were reported.

Causes of December 2018 Healthcare Data Breaches

Location of Breached Protected Health Information

Phishing attacks continue to plague healthcare organizations and December was no exception. The largest phishing incident reported in December affected 32,470 patients of Elizabethtown Community Hospital. The PHI was contained in a single email account.

Three email accounts were compromised at Kent County Community Mental Health Authority, although they only contained the PHI of 2,200 individuals.

The most common location of breached PHI in December was email, although network server breaches were more severe. The two largest December 2018 healthcare data breaches were network server incidents which impacted 436,010 individuals – 84.43% of the total number of breached records in December.

Location of Breached Protected Health Information

Data Breaches by Covered-Entity Type

Health plans made it through November without reporting any data breaches, although they didn’t fare so well in December. 6 health plan data breaches were announced in December; however, all were relatively small, with only the breach at Butler County Board of County Commissioners impacting more than 1,000 plan members (1,912).

One data breach was reported by a business associate of a HIPAA-covered entity, although a further three breaches had some business associate involvement. The remaining 16 breaches were reported by healthcare providers.

Data Breaches by Covered-Entity Type

Healthcare Data Breaches by State

In December 2018, healthcare organizations in 13 states reported PHI breaches. Minnesota was the worst affected state with a total of four breaches followed by Arizona with three. There were two breaches reported by healthcare organizations based in each of California, Missouri, New York, Ohio, and Wisconsin, and a single breach was experienced in each of Georgia, Illinois, Kentucky, Massachusetts, Michigan, and Pennsylvania.

HIPAA Fines and Settlements in December 2018

The Department of Health and Human Services’ Office for Civil Rights (OCR) agreed two settlements with HIPAA-covered entities in December to resolve violations of HIPAA Rules. OCR finished the year on ten fines and settlements, the same number as 2017. (You can view all 2018 HIPAA fines and settlements here).

Advanced Care Hospitalists, a Florida Contractor Physicians’ Group, was investigated by OCR following the submission of a breach report in April 2014. The report stated the PHI of 400 patients had been subject to unauthorized access, although the number of individuals affected was subsequently increased to 8,855 patients.

OCR confirmed there had been a preventable impermissible disclosure of PHI, and found that a business associate had been engaged without first entering into a business associate agreement. Additionally, insufficient security measures had been implemented and there had been no effort to comply with HIPAA Rules prior to April 1, 2014. Advanced Care Hospitalists and OCR settled the HIPAA violation case for $500,000.

On June 7, 2013, OCR received a complaint about Pagosa Springs Medical Center, a critical access hospital in Colorado, which had failed to terminate access to a web-based scheduling calendar after an employee’s contract had been terminated. The OCR investigation confirmed the former employee accessed the calendar on two occasions after leaving employment.

For the failure to terminate employee access and the lack of a business associate agreement with Google covering Google Calendar resulted in a financial penalty of $111,400 for Pagosa Springs Medical Center.

There were two financial penalties issued by state Attorneys General in December to resolve violations of HIPAA Rules.

The Massachusetts Attorney General fined McLean Hospital $75,000 over a breach of 1,500 patients PHI. The information was stored on backup tapes that had been taken offsite by an employee. When the employee was terminated, McLean Hospital was unable to recover two of the backup tapes.

The New Jersey Attorney General issued a financial penalty of $100,000 to EmblemHealth over an impermissible disclosure of PHI. In 2016, an EmblemHealth mailing had Social Security numbers printed on the outside of envelopes. This was the second fine for EmblemHealth in relation to the breach. The New York Attorney General had previously settled its case with EmblemHealth for $575,000 earlier in the year.

 

The post December 2018 Healthcare Data Breach Report appeared first on HIPAA Journal.

Physician Receives Probation for Criminal HIPAA Violation

Posted by HIPAA Journal

A physician who pleaded guilty to a criminal violation of HIPAA Rules has received 6 months’ probation rather than a jail term and fine for the wrongful disclosure of patients’ PHI to a pharmaceutical firm.

The case was prosecuted by the Department of Justice in Massachusetts in conjunction with a case against Massachusetts-based pharma firm Aegerion.

In September 2017, the Novelion Therapeutics subsidiary Aegerion agreed to plead guilty to mis-branding the prescription drug Juxtapid. The case also included deferred prosecution related to criminal liability under HIPAA for causing false claims to be submitted to federal healthcare programs for the drug.

Aegerion admitted to conspiring to obtain the individually identifiable health information of patients without authorization for financial gain, in violation of 42 U.S.C. §§ 1320d-6(a) and 1320-6(b)(3) and HIPAA Rules. Aegerion agreed to pay more than $35 million in fines to resolve criminal and civil liability.

The DOJ also charged a Georgia-based pediatric cardiologist with criminal violations of HIPAA Rules for allowing a sales representative of Aegerion to access the confidential health information of patients without first obtaining patient consent. The sales rep was allowed to view the information of patients who had not been diagnosed with a medical condition that could be treated with Juxtapid (lomitapide) in order to identify new potential candidates for the drug.

This is the second such criminal HIPAA violation case in Massachusetts in the past four months to result in probation rather than a jail term or fine. In September, Massachusetts gynecologist Rita Luthra was given 1 year of probation over payments received by a pharmaceutical firm (Warner Chilcott) for providing sales reps with access to the individually identifiable health information of patients for financial gain. While prosecutors were pushing for a fine and a jail term to act as a deterrent, Judge Mastroianni explained in his ruling, “Her loss of license and ability to practice is a substantial deterrent.”

While probation was received in both of these cases, a substantial fine, jail term, and loss of license are real possibilities for physicians found to have criminally violated HIPAA Rules. Both physicians could have received a fine of up to $50,000 for the violations and up to one year in jail.

The post Physician Receives Probation for Criminal HIPAA Violation appeared first on HIPAA Journal.

PHI of Almost 1,000 Lebanon VA Medical Center Patients Impermissibly Disclosed

Posted by HIPAA Journal

Lebanon VA Medical Center in Pennsylvania has discovered the protected health information of hundreds of elderly patients has been impermissibly disclosed to a family member of a veteran.

In November 2018, a member of staff at Lebanon VA Medical Center emailed a document to a family member of a veteran who was searching for nursing home facilities. The list should have contained nursing home facilities that work with the Department of Veteran Affairs; however, a historical list of residents of nursing homes was sent in error.

The list contained veterans’ names, abbreviated Social Security numbers, the nursing home where the veteran had been admitted, diagnoses, and service-connection disability rating percentages.

“Lebanon VA Medical Center and our employees take our responsibility to protect patient information very seriously,” explained Lebanon VA privacy officer Tonya Hromco. “Along with assistance from national offices, we immediately investigated this inadvertent, unauthorized release of information which occurred in late November.”

The incident was an isolated error and steps have now been taken to reduce the potential for further mistakes. Additional controls have been implemented in the section where the error occurred and throughout its facility. Files containing historic information have now been encrypted and restrictions have been placed on the number of individuals with access to those files. Technical controls have also been implemented that prevent members of the department from sending email attachments externally.

A press release issued by Lebanon VA Medical Center says the PHI of 993 individuals was impermissibly disclosed. The breach report on the HHS’ Office for Civil Rights’ breach portal suggests the breach could have impacted up to 1,002 individuals.

Individuals affected by the privacy breach and family members of deceased patients have recently been mailed breach notification letters.

The post PHI of Almost 1,000 Lebanon VA Medical Center Patients Impermissibly Disclosed appeared first on HIPAA Journal.

New Massachusetts Data Breach Notification Law Enacted

Posted by HIPAA Journal

A new Massachusetts data breach notification law has been enacted. The new legislation was signed into law by Massachusetts governor Charlie Baker on January 10, 2019 and will come into effect on April 11, 2019.

The new legislation updates existing Massachusetts data breach notification law and introduces new requirements for notifications.

Under Massachusetts law, a breach is defined as the unauthorized acquisition or use of sensitive personal information that carries a substantial risk of identity theft or fraud. Notifications must be issued if one or more of the following data elements are obtained by an unauthorized individual along with an individual’s first name and last name or first initial and last name.

  • Social Security number
  • Driver’s license number
  • State issued ID card number
  • Financial account number, or credit/ debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account.

As with the previous law, there is no set timescale for issuing breach notifications. They must be issued “as soon as is practicable and without unreasonable delay,” after it has been established that a breach of personal information has occurred.

That said, one change to the timescale for issuing breach notifications is individuals and companies that have experienced a data breach can no longer wait until the total number of individuals impacted by the breach has been determined. The legislation states “In such case, and where otherwise necessary to update or correct the information required, a person or agency shall provide additional notice as soon as practicable and without unreasonable delay upon learning such additional information.”

One notable update to Massachusetts data breach notification law is the requirement to offer breach victims complimentary credit monitoring services, as is the case in Connecticut and Delaware. The minimum term for complimentary credit monitoring services is 18 months or, in the case of a consumer reporting agency, a minimum of 42 months.

Notifications are required to be issued to all individuals impacted by the breach, the Office of Consumer Affairs and Business Regulation, and the Massachusetts Attorney General’s Office.

The Office of Consumer Affairs and Business Regulation and the Attorney General’s Office must be provided with a detailed description of the nature and circumstances of the breach, the number of Massachusetts residents affected, the steps that have been taken relative to the security breach, steps that will be taken in the future in response to the breach, and whether law enforcement is investigating the breach. If the breach has been experienced by a parent company or affiliated organization, the name of that company must be detailed in the notification.

The post New Massachusetts Data Breach Notification Law Enacted appeared first on HIPAA Journal.

111K Individuals Notified of 4-Month Email Account Compromise

Posted by HIPAA Journal

Centerstone Insurance and Financial Services, operating as BenefitMall, has started notifying more than 111,000 individuals that some of their protected health information has been exposed, and potentially stolen, in a recent email security incident.

Dallas, TX-based BenefitMail is a provider of employee benefits, payroll, HR, and employer services and employs more than 20,000 advisors, brokers, and CPAs across the country. The company is a business associate of several HIPAA-covered entities.

On October 11, 2018, the company became aware that email accounts used by its employees had been accessed by an unauthorized individual. A third-party computer forensics firm was retained and an internal investigation was conducted to assess the nature and scope of the breach.

The investigation revealed the first email accounts had been compromised in June 2018 and further email accounts were breached and accessed up to October 11 when the attack was detected. Prompt action was taken to secure the compromised email accounts and prevent further remote email account access. The email accounts were compromised as a result of employees falling for phishing scams.

An analysis of the compromised email accounts revealed many emails in those accounts contained the personal information of individuals related to the services provided. The information exposed and potentially stolen was limited to names, addresses, social security numbers, dates of birth, bank account numbers, and information relating to payment of insurance premiums.

The security breach has prompted BenefitMail to review its email security controls, which have now been augmented to provide greater protection against phishing attacks. Two-factor authentication has now been implemented on its email system and employees have been provided with further training to improve awareness of phishing scams and how to guard against them. Further security awareness and phishing training will be provided to employees on an ongoing basis.

The security breach has been reported to law enforcement and BenefitMail will continue to assist with their investigation and will work closely with the insurance providers whose members were affected by the breach.. The Department of Health and Human Services’ Office for Civil Rights (OCR) has been notified. The breach report submitted to OCR indicates 111,589 individuals have been affected by the breach.

The post 111K Individuals Notified of 4-Month Email Account Compromise appeared first on HIPAA Journal.

Sacred Heart Rehabilitation Center Notifies Patients of Phishing Incident

Posted by HIPAA Journal

Memphis, MI-based Sacred Heart Rehabilitation Center, a provider of substance abuse treatment and care services for patients diagnosed with HIV/AIDS, has discovered an unauthorized individual has gained access to the email account of an employee following a response to a phishing email.

The email account was breached between April 5 and April 7, 2018. It is unclear when the phishing attack was detected by the rehabilitation center, but the investigation into the breach concluded in November and revealed the account contained some patients’ protected health information. Individuals whose PHI was exposed were sent notification letters on January 9, 2018.

The types of information contained in the compromised account included patients’ names, home addresses, diagnoses, treatment information, health insurance information, and Social Security numbers.

The number of patients affected by the breach has not been publicly disclosed at this point and the breach has not yet been listed on the Department of Health and Human Services’ Office for Civil Rights breach portal. Sacred Heart Rehabilitation Center has said not all patients were affected.

All patients whose PHI was exposed as a result of the attack have been offered complimentary credit monitoring and identity theft protection services for 12 months and have been advised to monitor their financial accounts and explanation of benefits statements for signs of misuse of their PHI. To date, no reports of PHI misuse have been received by Sacred Heart Rehabilitation Center.

To reduce the risk of further successful phishing attacks, additional security measures have been implemented and employees have received further security awareness training.

It has not been a great end to the year for healthcare organizations in Michigan. Blue Cross Blue Shield of Michigan announced in December that two data breaches had occurred, which together impacted more than 16,000 individuals. A phishing attack was also reported by Kent County Community Mental Health Authority, which affected 2,200 patients.

The post Sacred Heart Rehabilitation Center Notifies Patients of Phishing Incident appeared first on HIPAA Journal.

Solis Mammography Notifies 500 Patients of PHI Exposure

Posted by HIPAA Journal

An unencrypted laptop computer has been stolen from Ben-Ora, Hansen, Vanesian Imaging Ltd., dba Solis Mammography.

Solis Mammography learned on October 17, 2018 that the laptop had been stolen from its Phoenix, AZ clinic and reported the theft to law enforcement. To date the device has not been recovered. Attempts were made to reconstruct the data stored assisted by a leading computer forensics firm.

While the investigation confirmed that some patients’ protected health information had been downloaded to the device, it was not possible to ascertain the exact information that had been exposed.

Solis Mammography believes information such as patients names, birth dates, health insurance information, lab test results, medical images, and other information could have been stored on the device and have potentially been accessed by the individual in possession of the computer. Solis Mammography does not believe any financial information was downloaded onto the laptop.

Solis Mammography has taken steps to further secure patient information including strengthening access controls and reviewing and updating policies and procedures concerning the secure disposal of patient information.

No reports have been received to suggest any information stored on the device has been accessed and misused, although patients have been advised to monitor their statements from healthcare providers and insurers for services that have not been received.

Solis Mammography has reported the theft to the Department of Health and Human Services’ Office for Civil Rights on December 16, 2018. The breach report suggests up to 500 patients’ PHI may have been stored on the device.

The post Solis Mammography Notifies 500 Patients of PHI Exposure appeared first on HIPAA Journal.

Phishing Attack Impacts 2,200 Kent County Community Mental Health Authority Patients

Posted by HIPAA Journal

Starting on October 28, 2018, Kent County Community Mental Health Authority, dba Network180, experienced a targeted phishing attack.

As is common in advanced phishing attacks, the emails appeared to have been sent from a trusted source. Between November 2 and November 13, three employees responded to the emails and disclosed their credentials, which allowed their encrypted email accounts to be accessed by an unauthorized individual.

At least one of the compromised email accounts contained the protected health information (PHI) of patients. A wide range of PHI was included in the emails stored in the compromised account.

The types of information that could potentially have been accessed by the attacker varied from patient to patient, but may have included names, addresses, dates of birth, Medicaid/Medicare ID numbers, Internal ID numbers, Waiver Support Application (WSA) numbers, names of healthcare providers, schools that were attended, names of relatives, ethnicity/race, and the Social Security numbers of 20 patients. No financial information is believed to have been exposed.

The internal investigation into the attack uncovered no evidence to suggest any PHI was accessed, viewed, or misused.

Network180 had security measures in place to keep the PHI of patients private and confidential but those controls were bypassed on this occasion. The internal investigation, conducted by the IT department, HIPAA Privacy Officer, HIPAA Security Officer, and Network180’s HIPAA legal counsel, concluded that the attack was not preventable.

All passwords were reset and unauthorized access is no longer possible. Additional safeguards have now been implemented to improve email security.

While PHI access/theft is not suspected, out of an abundance of caution, all affected patients have been offered at least 12 months of complimentary identity theft protection services through Experian.

The post Phishing Attack Impacts 2,200 Kent County Community Mental Health Authority Patients appeared first on HIPAA Journal.