HIPAA Breach News

31,876 Managed Health Services of Indiana Health Plan Members Notified of Impermissible Disclosure of PHI

Managed Health Services, the Indianapolis, IN-based managed care entity that runs the Hoosier Healthwise and Hoosier Care Connect Medicaid programs, has discovered the protected health information (PHI) of 31,876 plan members has potentially been disclosed in two separate breaches that were announced in December 2018.

31,300 Plan Members Notified of Phishing-Related PHI Breach

A phishing attack on a business associate of Managed Health Services has potentially resulted in the disclosure of some plan members’ PHI. On or around July 30, 2018, employees of LCP Transportation responded to phishing emails and provided the attacker with credentials that allowed their email accounts to be remotely accessed. LCP Transportation disabled the affected email accounts on September 7, 2018.

A third-party computer forensics firm was hired to assist with the investigation. While no evidence of PHI misuse has been detected, it is possible that emails in the accounts were accessed by the attacker. Some of the emails in the compromised accounts contained plan members’ PHI including names, addresses, dates of birth, dates of service, insurance ID numbers, and a description of medical conditions.

Email security has now been enhanced and employees have received further training on cyber risks.

Managed Health Services was informed of the breach on October 29 and issued notifications to affected plan members on December 21, 2018. Affected individuals have been offered complimentary credit monitoring services with CyberScan for 12 months.

Mailing Error Caused Letters to be Sent to Incorrect Recipients

On December 20, 2018, Managed Health Services issued notifications to 576 plan members informing them that a limited amount of their PHI had been impermissibly disclosed to other plan members as a result of a mailing error.

On October 16, 2018, notification letters were sent to plan members regarding an upcoming pharmacy change; however, an error saw some of the letters sent to incorrect recipients. The mis-mailed letters resulted in the name, insurance identification number, and medication information of one plan member being disclosed to another plan member. A call campaign was conducted to contact all individuals who received a letter and request that they return the mis-mailed letters.

Managed Health Services has not received any information to suggest that plan members’ PHI has been misused; however, out of an abundance of caution, affected individuals have been offered 12 months of complimentary credit monitoring services through CyberScan.

Managed Health Services has taken steps to prevent mailing errors in the future including reinforcing mailing policies and procedures and reviewing practices in relation to the submission of mailing addresses to its national mailing center.

The post 31,876 Managed Health Services of Indiana Health Plan Members Notified of Impermissible Disclosure of PHI appeared first on HIPAA Journal.

1,080 Chaplaincy Health Care Patients Potentially Impacted by Phishing Attack

Chaplaincy Health Care, a not-for-profit healthcare provider based in Richland, WA, has experienced a phishing attack that has resulted in the exposure of 1,080 patients’ protected health information.

The phishing attack occurred on November 20, 2018 and was discovered within 4 hours. Prompt action was taken to block unauthorized access and a third-party computer forensics firm was hired to assist with the breach investigation.

The investigation confirmed that a single email account was accessed by the attacker. After gaining access to the email account, the attacker attempted to access further accounts. The breach was discovered when the employee was alerted that her account had been used to send a phishing email to an email contact.

No evidence was uncovered to suggest any patient health information was viewed or copied but, out of an abundance of caution, all patients affected by the breach have been offered complimentary credit monitoring and identity theft protection services through LifeLock for 12 months. Patients were notified about the breach on January 3, 2019.

The firm investigating the breach concluded that the primary aim of the attack was to compromise as many email accounts as possible rather than to access sensitive information, although it was not possible to determine whether any emails in the compromised account had been accessed.

The compromised email account contained full names, home addresses, dates of birth, medical record numbers, prescription information, dates of service, and the last four digits of Social Security numbers.

“Chaplaincy Health Care sincerely apologizes for the inconvenience and the concern this incident has caused,” explained Gary Castillo, Executive Director of Chaplaincy Health Care. “Information security is very important to us and we will continue to do everything we can to fortify our operational protections for our patients and their families.”

In response to the breach, Chaplaincy Health Care has implemented two-factor authentication on its email accounts and employees have been provided with further training on protecting sensitive patient information.


Ransomware Attack on Podiatric Offices of Bobby Yee Impacts 24,000 Patients

A ransomware attack on the Podiatric Offices of Bobby Yee has resulted in the encryption of files containing the protected health information (PHI) of up to 24,000 patients and other individuals.

The attack took place on October 29, 2018. Medical records were encrypted by the ransomware along with files containing information such as full name, address, contact telephone number(s), gender, birth date, Social Security number, and health insurance information.

Prompt action was taken to protect patient data and an investigation into the breach did not uncover any evidence to suggest the attacker viewed or copied any patients’ PHI.

The Podiatric Offices of Bobby Yee explained in a December 20, 2018, press release: “We may need to reconfirm or reconstruct the information, including your medical information.” It is unclear whether the ransom was paid to obtain the key to decrypt patient data or whether files were recovered from backups.

Humana Insurance Applicants Affected by Bankers Life Data Breach

Humana has announced that certain insurance applicants have had some of their personal information exposed as a result of a hacking incident at the Chicago-based health insurer Bankers Life.

Bankers Life is a division of CNO Financial Group and a business associate of Humana. Bankers Life discovered on August 7, 2018, that hackers had gained access to its systems between May 30 and September 12, 2018. Access to its systems was gained using stolen employee credentials.

The breach was one of the largest healthcare data breaches of 2018 and affected around 566,217 individuals, according to a breach report issued by CNO Financial Group in November 2018.

Humana notified the California Attorney General of the breach on January 3, 2019. According to the report, Humana was notified about the breach on October 25, 2018.

The breach affects individuals who had previously applied for a health insurance policy through Humana. Information included on those applications includes names, addresses, dates of birth, Humana health insurance application numbers and policy numbers, cost of coverage, and the last four digits of Social Security numbers.

Bankers Life has offered affected individuals free credit monitoring and identity repair services for 12 months. It is currently unclear exactly how many Humana insurance applicants have been affected.

Humana has also recently informed the Department of Health and Human Services’ Office for Civil Rights about another data breach affecting its members: the theft of paper/film records containing the PHI of 684 individuals. The breach report was submitted to OCR on December 31, 2018. No further information on the breach is available at the time of writing.


Advertising Expenditures Increase 64% Following a Healthcare Data Breach

A recent study has explored the relationship between advertising expenditures and healthcare data breaches. The study shows hospitals significantly increase advertising spending following a data breach.

Healthcare Data Breaches Are the Costliest to Mitigate

Healthcare data breaches are the most expensive to mitigate, far costlier than breaches in other industry sectors. According to the Ponemon Institute/IBM Security 2018 Cost of a Data Breach Study, healthcare data breaches cost, on average, $408 per lost or stolen record. The costs are double, or in some cases almost triple, those in other industry sectors.

In addition to the high costs of mitigating the breaches, the same study confirmed that loss of patients to competitors is a very real threat. Data breaches cause damage to a brand and trust in an organization can be easily lost when confidential personal information is exposed or stolen.

The Ponemon Institute study revealed healthcare organizations have a high churn rate after a breach. At 6.7%, it is higher than the financial sector (6.1%), services (5.2%), energy (3.0%) and education (2.7%).

Hospitals’ Advertising Expenditure Increases 64% Following a Data Breach

In a recent study, Sung J. Choi, PhD, and M. Eric Johnson, PhD, investigated how advertising expenditures at hospitals changed following a data breach.

The study, which was recently published in the American Journal of Managed Care, revealed hospitals increase advertising spending by an average of 64% in the year following a data breach. Advertising expenditures were found to be 79% higher over the two-year period following a data breach.

The researchers note that breached hospitals were most likely to be large or teaching hospitals located in urban settings. Hospitals that experienced data breaches had an average of 566 beds and were typically located in areas where there were other hospitals and, consequently, high competition for patients.

Hospitals in the control group that had not experienced a data breach spent an average of $238,000 on advertising each year, whereas hospitals that experienced data breaches spent an average of $817,205 on advertising in the year following a breach, almost three times as much as the control group. An average of $1.75 million was spent on advertising in the two years following a breach.

The researchers suggest that the increase in spending is an attempt to minimize patient loss to competitors and to help repair hospitals’ reputations.

The researchers note that the data from the study came from 2011-2014 before ransomware attacks on hospitals became common. Given how much more these types of data breaches disrupt medical services provided by hospitals, advertising spending may be even higher following these types of breaches.

“Advertising and the efforts to fix the damages from a data breach increase healthcare costs and may divert resources and attention away from initiatives to improve care quality,” wrote the researchers. “Advertising costs subsequent to a breach are another cost to the healthcare system that could be avoided with better data security.”


Blue Cross Blue Shield of Michigan Members Notified of Business Associate Ransomware Attack

A business associate of Blue Cross Blue Shield of Michigan has experienced a ransomware attack that has potentially resulted in the theft of plan members’ protected health information. This is the second data breach affecting Blue Cross Blue Shield of Michigan plan members to be reported in December. Some plan members’ PHI was stored on a laptop computer that was stolen from a different business associate.

The latest breach was experienced by Austin, TX-based Wolverine Solutions Group, a vendor that provides business services to Blue Cross Blue Shield of Michigan and several other healthcare clients.

On September 23, 2018, ransomware was installed on its network that resulted in the encryption of files on servers and workstations, including files containing protected health information.

A third-party computer forensics firm conducted an investigation into the breach but found no evidence of data exfiltration; however, data theft could not be entirely ruled out. The types of information that were potentially accessed and copied included demographic data, health plan contract numbers, and a limited amount of health information. Some Social Security numbers may also have been compromised.

According to Databreaches.net, the data breach was not confined to Blue Cross Blue Shield of Michigan. Other healthcare clients were also affected including Molina Healthcare. 895 Molina Healthcare patients have also been notified that their PHI was potentially compromised.

Wolverine Solutions has written to all affected individuals to alert them to the breach and, out of an abundance of caution, has offered 12 months of complimentary credit monitoring services to breach victims. Due to Blue Cross Blue Shield of Michigan’s policies, its members have been offered extended protection for 24 months.

Wolverine Solutions has already taken steps to improve security and has moved to a new computer system that has added protection against these types of attacks. All employees have also received further training on the new safeguards.


Email Account Breach Impacts Hundreds of Choice Rehabilitation Residents

Choice Rehabilitation of Creve Coeur, MO, has discovered an unauthorized individual hacked into a corporate email account of one of its employees and set up a mail forwarder to send emails to a personal email account.

The breach occurred on July 1, 2018 and the mail forwarder remained active until September 30, 2018. A detailed analysis of the email account revealed the protected health information of certain residents was included in billing documents attached to emails that had been sent to its associated skilled nursing facilities.

Highly sensitive information such as financial data, Social Security numbers, Medicare and Medicaid numbers, dates of birth and contact information remained secure at all times. The breach was limited to billing information related to physical, speech, and occupational therapy provided to patients such as names, payor information, medical record numbers, start and end dates of therapy, diagnoses, treatment information, billing codes, and the name of the facility where care was provided.

Upon discovery of the breach, access to the compromised email account was blocked, the mail forwarder was deactivated, and the personal email account used by the attacker was deactivated. Choice Rehabilitation alerted other corporate users about the breach and reminded them of security safeguards to prevent unauthorized account access. Security awareness training will continue to be regularly provided to employees. Additional safeguards have also been implemented to improve email and network security, and monitoring of corporate email accounts has been stepped up.

Choice Rehabilitation has not received any information to suggest the forwarded emails were opened by the attacker. Due to the nature of the PHI that was potentially accessed, Choice Rehabilitation believes the risk of PHI misuse is low.


Vendor of Dental Center of Northwest Ohio Suffers Ransomware Attack

Current and former patients of the Dental Center of Northwest Ohio in Toledo, OH, are being notified that some of their protected health information has potentially been compromised as a result of a ransomware attack on one of its vendors.

Arakyta, a managed IT service provider, notified the dental center on September 1, 2018, of a security breach on a server hosting certain dental center systems. Assisted by third-party computer experts, the dental center determined on November 7, 2018, that an unknown, unauthorized individual had gained access to the server and had potentially viewed or copied patient data.

No evidence of data theft was detected and no reports have been received from patients to suggest any protected health information was stolen and misused. However, since it was not possible to rule out data theft with a high degree of certainty, the decision was taken to issue notifications to patients and to provide them with complimentary credit monitoring and identity theft restoration services.

The types of data potentially viewed/copied by the attacker included full names, home addresses, dates of birth, Social Security numbers, driver’s license numbers, state identification numbers, medical histories, diagnoses, treatment information, clinical data, medical records, patient ID numbers, health insurance information, benefit information, and financial data.

Both the dental center and Arakyta had security measures in place to prevent unauthorized data access, but those controls were bypassed by the attacker. The dental center has since reviewed its policies related to the privacy and security of patient data and has implemented additional safeguards to prevent further breaches of protected health information.

The breach has been reported to the Department of Health and Human Services’ Office for Civil Rights (OCR) and other appropriate authorities. The breach summary has yet to be added to the OCR breach portal, so it is currently unclear how many patients have been affected.


Orlando Family Physicians Group Phishing Attack Impacts 8,400 Patients

8,400 patients of the Humana-owned Family Physicians Group in Orlando are being notified that some of their protected health information has potentially been compromised as a result of a phishing attack.

Family Physicians Group is one of the largest providers of healthcare for Medicare and Medicaid beneficiaries in Central Florida and operates 22 clinics in the region.

An investigation into the breach confirmed that an employee’s email account was accessed by an unauthorized individual on August 7, 2018. Unauthorized account access remained possible until August 21, 2018, when the breach was discovered and login credentials were changed. The login credentials were obtained by the attacker when the employee responded to a phishing email.

Affected patients were notified about the incident on December 28, 2018. It is unclear why it took more than 4 months to issue notifications to patients.

An analysis of the emails in the compromised account confirmed certain messages contained the protected health information of patients. No financial data or Social Security numbers were recorded in emails. The breach was limited to names, dates of birth, physicians’ names, and health insurance information.

Family Physicians Group has not received any information to suggest that patient data were stolen and misused.

Family Physicians Group reset all email passwords as a precaution and has upgraded its email application and implemented further security measures to improve protection from phishing attacks.


15,000 Customers Notified About Blue Cross Blue Shield of Michigan Data Breach

Approximately 15,000 customers of Blue Cross Blue Shield of Michigan have been notified that some of their private information was stored on a laptop computer that was stolen from an employee of a business associate of one of its subsidiaries.

The laptop computer was stolen on October 26, 2018, and Blue Cross Blue Shield of Michigan was alerted to the exposure of plan members’ protected health information (PHI) on November 12, 2018. The breach affects members of Blue Cross’ Medicare Advantage health insurance plans. Notifications are now being mailed to all plan members affected by the breach.

The laptop computer was protected with a password and plan members’ data stored on the device had been encrypted; however, the employee’s credentials may also have been stolen. Consequently, there is a risk that PHI could have been accessed.

The data stored on the stolen laptop was limited to names, addresses, members’ identification numbers, dates of birth, genders, provider information, diagnoses, and medications. The laptop did not contain Social Security numbers or financial data.

An investigation into the incident has been launched and the employee’s login credentials have now been changed. The risk of identity theft and fraud is believed to be low; however, out of an abundance of caution, all individuals affected by the breach have been offered 24 months of complimentary identity theft protection services. There is no indication that any information stored on the stolen laptop has been accessed by unauthorized individuals.

Blue Cross Blue Shield of Michigan is working closely with its subsidiary company and is assessing policies and procedures and will update them accordingly. Additional safeguards will also be implemented to prevent further security breaches.
