HIPAA Breach News

Largest Healthcare Data Breaches of 2018

Posted December 27, 2018 by HIPAA Journal

This post summarizes the largest healthcare data breaches of 2018: Healthcare data breaches that have resulted in the loss, theft, unauthorized accessing, impermissible disclosure, or improper disposal of 100,000 or more healthcare records.

2018 has seen 18 data breaches that have exposed 100,000 or more healthcare records. 8 of those breaches saw more than half a million healthcare records exposed, and three of those breaches exposed more than 1 million healthcare records.

A Bad Year for Healthcare Data Breaches

As of December 27, 2018, the Department of Health and Human Services’ Office for Civil Rights (OCR) has received notifications of 351 data breaches of 500 or more healthcare records. Those breaches have resulted in the exposure of 13,020,821 healthcare records.

It is likely that the year will finish on a par with 2017 in terms of the number of reported healthcare data breaches; however, more than twice as many healthcare records have been exposed in 2018 than in 2017.

In 2017, there were 359 data breaches of 500 or more records reported to OCR. Those breaches resulted in the exposure of 5,138,179 healthcare records.

The Largest Healthcare Data Breaches of 2018

Listed below is a summary of the largest healthcare data breaches of 2018. A brief description of those breaches has been listed below.

At the time of writing, OCR is still investigating all but one of the breaches listed below. Only the LifeBridge Health breach investigation has been closed.

Rank	Name of Covered Entity	Covered Entity Type	Individuals Affected	Type of Breach
1	AccuDoc Solutions, Inc.	Business Associate	2,652,537	Hacking/IT Incident
2	UnityPoint Health	Business Associate	1,421,107	Hacking/IT Incident
3	Employees Retirement System of Texas	Health Plan	1,248,263	Unauthorized Access/Disclosure
4	CA Department of Developmental Services	Health Plan	582,174	Theft
5	MSK Group	Healthcare Provider	566,236	Hacking/IT Incident
6	CNO Financial Group, Inc.	Health Plan	566,217	Unauthorized Access/Disclosure
7	LifeBridge Health, Inc	Healthcare Provider	538,127	Hacking/IT Incident
8	Health Management Concepts, Inc.	Business Associate	502,416	Hacking/IT Incident
9	AU Medical Center, INC	Healthcare Provider	417,000	Hacking/IT Incident
10	SSM Health St. Mary’s Hospital – Jefferson City	Healthcare Provider	301,000	Improper Disposal
11	Oklahoma State University Center for Health Sciences	Healthcare Provider	279,865	Hacking/IT Incident
12	Med Associates, Inc.	Business Associate	276,057	Hacking/IT Incident
13	Adams County	Healthcare Provider	258,120	Unauthorized Access/Disclosure
14	MedEvolve	Business Associate	205,434	Unauthorized Access/Disclosure
15	HealthEquity, Inc.	Business Associate	165,800	Hacking/IT Incident
16	St. Peter’s Surgery & Endoscopy Center	Healthcare Provider	134,512	Hacking/IT Incident
17	New York Oncology Hematology, P.C.	Healthcare Provider	128,400	Hacking/IT Incident
18	Boys Town National Research Hospital	Healthcare Provider	105,309	Hacking/IT Incident

Causes of the Largest Healthcare Data Breaches of 2018

Further information on the causes of the largest healthcare breaches of 2018.

AccuDoc Solutions, Inc.

Morrisville, NC-based AccuDoc Solutions, a billing company that operates the online payment system used by Atrium Health’s network of 44 hospitals in North Carolina, South Carolina and Georgia, discovered that some of its databases had been compromised between September 22 and September 29, 2018. The databases contained the records of 2,652,537 patients. While data could have been viewed, AccuDoc reports that the databases could not be downloaded. Not only was this the largest healthcare data breach of 2018, it was the largest healthcare data breach to be reported since September 2016.

UnityPoint Health

A UnityPoint Health phishing attack was detected on May 31, 2018. The forensic investigation revealed multiple email accounts had been compromised between March 14 and April 3, 2018 as a result of employees being fooled in a business email compromise attack. A trusted executive’s email account was spoofed, and several employees responded to the messages and disclosed their email credentials. The compromised email accounts contained the PHI of 1,421,107 individuals.

Employees Retirement System of Texas

The Employees Retirement System of Texas discovered a flaw in its ERS OnLine portal that allowed certain individuals to view the protected health information of other members after logging into the portal. The breach was attributed to a coding error. Up to 1,248,263 individuals’ PHI was potentially viewed by other health plan members.

CA Department of Developmental Services

The California Department of Developmental Services experienced a break in at its offices. During the time the thieves were in the offices they potentially accessed the sensitive information of approximately 15,000 employees, contractors, job applicants, and parents of minors who receive DDS services, in addition to the PHI of 582,174 patients.

MSK Group

Tennessee-based MSK Group, P.C, a network of orthopedic medical practices, discovered in May 2018 that hackers had gained access to its network. Certain parts of the network had been accessed by the hackers over a period of several months. The records of 566,236 patients, which included personal, health and insurance information, may have been viewed or copied by the hackers.

CNO Financial Group, Inc.

Chicago-based health insurer Bankers Life, a division of CNO Financial Group Inc., discovered hackers gained access to its systems between May 30 and September 13, 2018 and potentially stole the personal information of 566,217 individuals.

LifeBridge Health, Inc

The Baltimore-based healthcare provider LifeBridge Health discovered malware had been installed on a server that hosted the electronic medical record system used by LifeBridge Potomac Professionals and LifeBridge Health’s patient registration and billing systems. Those systems contained the PHI of 538,127 patients.

Health Management Concepts, Inc.

Health Management Concepts discovered hackers gained access to a server used for sharing files and installed ransomware. The ransom demand was paid to unlock the encrypted files; however, HMC reported that the hackers were ‘inadvertently provided’ with a file that contained the PHI of 502,416 individuals. It is suspected that the file was unwittingly sent to the attackers to prove they could decrypt files.

AU Medical Center, INC

An Augusta University Medical Center phishing attack resulted in an unauthorized individual gaining access to the email accounts of two employees. The compromised email accounts contained the PHI of 417,000 patients.

SSM Health St. Mary’s Hospital – Jefferson City

St. Mary’s Hospital moved to new premises and all patients’ medical records were transferred to the new facility; however, on June 1, 2018, the hospital discovered administrative documents containing the protected health information of 301,000 patients had been left behind. In the most part, the breach was limited to names and medical record numbers.

Oklahoma State University Center for Health Sciences

Oklahoma State University Center for Health Sciences discovered an unauthorized individual gained access to parts of its computer network and potentially accessed files containing billing information of Medicaid patients. The breach affected 279,865 patients, although only a limited amount of PHI was accessible.

Med Associates, Inc.

The Latham, NY-based health billing company Med Associates, which provides claims services to more than 70 healthcare providers, discovered an employee’s computer has been accessed by an unauthorized individual. It is possible that the attacker gained access to the PHI of up to 276,057 patients.

Adams County

Adams County, WI, discovered hackers gained access to its network and potentially accessed the PHI and PII of 258,102 individuals. The compromised systems were used by the departments of Health and Human Services, Child Support, Veteran Service Office, Extension Office, Adams County Employees, Solid Waste, and the Sheriff’s Office.

MedEvolve

MedEvolve, a provider of electronic billing and record services to healthcare providers, discovered an FTP server had been left unsecured between March 29, 2018 and May 4, 2018. A file on the FTP server contained the PHI of 205,434 patients of Premier Immediate Medical Care.

HealthEquity, Inc.

HealthEquity, a Utah-based company that provides services to help individuals gain tax advantages to offset the cost of healthcare, experienced a phishing attack that resulted in hackers gaining access to the email accounts of two employees. Those accounts contained the PHI of 165,800 individuals.

St. Peter’s Surgery & Endoscopy Center

St. Peter’s Surgery & Endoscopy Center in New York discovered malware had been installed on one of its servers which potentially allowed hackers to view the PHI of 134,512 patients. The malware was discovered the same day it was installed. The fast detection potentially prevented patients’ data from being viewed or copied.

New York Oncology Hematology, P.C.

A phishing attack on New York Oncology Hematology in Albany, NY, resulted in hackers gaining access to the email accounts of 15 employees. Those accounts contained the PHI of 128,400 current and former patients and employees.

Boys Town National Research Hospital

Boys Town National Research Hospital, an Omaha, NE hospital specializing in pediatric deafness, visual and communication disorders, experienced a phishing attack that allowed hackers to gain access to a single email account. The email account contained the PHI of 105,309 patients.

The post Largest Healthcare Data Breaches of 2018 appeared first on HIPAA Journal.

Data of More Than 500,000 Staff and Students Compromised in San Diego School District Phishing Attack

Posted December 27, 2018 by HIPAA Journal

The San Diego School District has announced it has suffered a major phishing attack that has resulted in the exposure of the personal data, including health information, of more than 500,000 staff and students.

The phishing attack was detected in October 2018; however, an investigation into the breach revealed the hacker had network access for almost a year. Access to the network was first gained in January 2018 and the attacker continued to access the network until November 2018.

The decision was taken not to alert the hacker to the discovery of the breach immediately. Instead, the school district first investigated the breach to determine the nature of the attack and the extent to which its network had been compromised. Access was only terminated when the initial phase of the investigation was completed.

San Diego School District conducted the investigation in conjunction with the San Diego Unified Police and has identified the hacker responsible for the attack. All compromised accounts have now been reset and unauthorized access to staff and student data is no longer possible.

The phishing emails used in the attack were highly realistic and directed users to a website where they were required to enter their login credentials, which were then harvested by the attacker.

The breach was one of the most severe phishing attacks reported to date. The investigation revealed more than 50 email accounts of district employees were compromised in the attack over the space of 11 months.

The types of information compromised included names, telephone numbers, mailing addresses, home addresses, dates of birth, Social Security numbers, state student ID numbers, schedule information, school attendance information, transfer information, emergency contacts, legal notices, and health information. Compromised employee information also included paychecks and pay advice, staff health benefits enrollment information, beneficiary identity information, savings and flexible spending account data, dependents’ identities, tax information, direct deposit bank names, routing numbers, and account numbers, and payroll and compensation data. The data compromised in the attack dates back to the 2008-2009 school year.

While data access was possible, it is unclear whether the hacker copied any staff and student data. All individuals affected by the breach are now being notified. The wider investigation into the attack is continuing. Additional security measures have now been installed to prevent further breaches of this nature.

The post Data of More Than 500,000 Staff and Students Compromised in San Diego School District Phishing Attack appeared first on HIPAA Journal.

Massachusetts Attorney General Issues $75,000 HIPAA Violation Fine to McLean Hospital

Posted December 21, 2018 by HIPAA Journal

Massachusetts Attorney General Maura Healey has issued a $75,000 HIPAA violation fine to McLean Hospital over a 2015 data breach that exposed the protected health information (PHI) of approximately 1,500 patients.

McLean Hospital, a psychiatric hospital in Belmont, MA, allowed an employee to regularly take 8 backup tapes home. When the employee was terminated in May 2015, McLean Hospital was only able to recover four of the backup tapes. The backup tapes were unencrypted and contained the PHI of approximately 1,500 patients, employees, and deceased donors of the Harvard Brain Tissue Resource Center.

The lost backup tapes included clinical and demographic information such as names, Social Security numbers, medical diagnoses, and family histories. In addition to the exposure of PHI, the state AG’s investigation revealed there had been employee training failures and McLean Hospital had not identified, assessed, and planned for security risks. The loss of the tapes was also not reported in a timely manner and the hospital had failed to encrypt PHI stored on portable devices or use an alternative, equivalent measure to safeguard PHI.

“Hospitals must take measures to protect the private information of their patients,” said AG Maura Healey. “This settlement requires McLean Hospital to implement a new information security program and train its staff on how to properly handle the private information of those they serve.”

Backups of sensitive data should be made regularly to ensure that, in the event of disaster, patients’ PHI can be recovered. If physical copies of PHI are backed up and taken offsite by employees, appropriate security controls should be put in place to prevent those individuals from accessing the data and to ensure that in the event of loss or theft of devices, PHI will not be exposed. While HIPAA falls short of demanding the use of encryption for PHI, if the decision is taken not to encrypt PHI, an alternative safeguard must be implemented that offers an equivalent level of protection.

In addition to the financial penalty, McLean Hospital has agreed to enhance its privacy and security practices. A written information security program will be implemented and maintained, training will be provided to new and existing employees on privacy and security of personal health information, an inventory will be created and maintained of all portable devices containing ePHI, and all electronic PHI will be encrypted within 60 days.

McLean has also agreed to a third-party audit of the Harvard Brain Tissue Resource Center to assess how it handles portable devices containing personal and health information.

“McLean has continued to enhance its privacy and security practices and procedures within the Brain Bank and throughout the research operation. The agreement with the Attorney General represents a continuation of those efforts,” explained McLean Hospital in statement issued to the media.

This is the second HIPAA violation penalty to be issued by Massachusetts in 2018. UMass Memorial Medical Group / UMass Memorial Medical Center settled a HIPAA violation case with Massachusetts for $230,000 in September. The fine related to the failure to secure the ePHI of 15,000 state residents.

The post Massachusetts Attorney General Issues $75,000 HIPAA Violation Fine to McLean Hospital appeared first on HIPAA Journal.

November 2018 Healthcare Data Breach Report

Posted December 20, 2018 by HIPAA Journal

For the second consecutive month there has been an increase in both the number of reported healthcare data breaches and the number of records exposed, stolen, or impermissibly disclosed.

November was the worst month of the year to date for healthcare data breaches in terms of the number of exposed healthcare records. 3,230,063 records were exposed, stolen, or impermissibly disclosed in the breaches reported in November.

To put that figure into perspective, that’s more records than were exposed in all 180 data breaches reported to the HHS’ Office for Civil Rights (OCR) in the first half of 2018.

There were 34 healthcare data breaches reported to OCR in November, making it the second worst month of the year to date for breaches, behind June when 41 breaches were reported.

Largest Healthcare Data Breaches in November 2018

The largest healthcare data breach of 2018 was reported in November by Accudoc Solutions, a business associate of Atrium Health that provides healthcare billing services. That single breach resulted in the exposure of more than 2.65 million healthcare records.

AccuDoc Solutions discovered hackers had gained access to some of its databases for a week in September 2018. According to AccuDoc, the information in the databases could only be viewed, not downloaded.

Rank	Name of Covered Entity	Covered Entity Type	Individuals Affected	Type of Breach
1	AccuDoc Solutions, Inc.	Business Associate	2652537	Hacking/IT Incident
2	HealthEquity, Inc.	Business Associate	165800	Hacking/IT Incident
3	New York Oncology Hematology, P.C.	Healthcare Provider	128400	Hacking/IT Incident
4	Baylor Scott & White Medical Center – Frisco	Healthcare Provider	47984	Hacking/IT Incident
5	Cancer Treatment Centers of America (CTCA) at Western Regional Medical Center	Healthcare Provider	41948	Hacking/IT Incident
6	Oprex Surgery (Baytown), L.P. d/b/a Altus Baytown Hospital	Healthcare Provider	40000	Hacking/IT Incident
7	Center for Vitreo-Retinal Diseases	Healthcare Provider	20371	Unauthorized Access/Disclosure
8	Veterans Health Administration	Healthcare Provider	19254	Unauthorized Access/Disclosure
9	Steward Medical Group	Healthcare Provider	16276	Hacking/IT Incident
10	Mind and Motion, LLC	Healthcare Provider	16000	Hacking/IT Incident

Main Causes of November 2018 Healthcare Data Breaches

As was the case in October, hacking/IT incidents accounted for the highest number of data breaches and the most exposed/stolen healthcare records. There were 18 hacking/IT incidents reported in November. Those breaches impacted 3,138,657 individuals.

There were 11 breaches classified as unauthorized access/disclosure incidents which impacted 65,143 individuals, and 4 loss/theft incidents that resulted in the exposure of 22,333 healthcare records. One improper disposal incident exposed 3,930 healthcare records.

Location of Breached Protected Health Information

Email breaches continue to be a major problem in healthcare. These breaches include phishing attacks, unauthorized accessing of email accounts, and misdirected emails. There were 11 email-related breaches of PHI in November. Up until December 19, 2018, 111 email-related healthcare data breaches have been reported to OCR. Those breaches involved more than 3.4 million healthcare records.

Technical solutions can be implemented to reduce the number of email related breaches. Spam filters will prevent the majority of phishing emails from reaching inboxes, but no technical solution will be 100% effective so employees need to be trained how to recognize phishing attacks and other email threats.

All individuals in an organization from the CEO down should receive regular security awareness training with a particular emphasis on phishing. In addition to regular training sessions, phishing simulation exercises should be conducted. Through phishing simulations, healthcare organizations can assess their security awareness training programs and find out which employees require further training.

Data Breaches by Covered-Entity Type

Healthcare providers were the covered entities worst affected by healthcare data breaches in November 2018 with 29 reported incidents.

Business associates of HIPAA-covered entities reported 5 breaches and there were a further five breaches reported by healthcare providers that had some business associate involvement – Twice the number of breaches involving business associates (to some degree) as October.

There were no health plan data breaches reported in November.

Healthcare Data Breaches by State

Texas was the state worst affected by healthcare data breaches in November with 8 reported breaches. New York experienced three healthcare data breaches and there were two breaches reported in each of Georgia, Iowa, Illinois, Missouri, North Carolina, Utah, and Virginia.

One healthcare data breach was reported in Arizona, California, District of Columbia, Massachusetts, Maryland, Nebraska, New Jersey, Pennsylvania, and Washington.

Penalties for HIPAA Violations in November 2018

The Department of Health and Human Services’ Office for Civil Rights settled one HIPAA violation case with a healthcare provider in November.

Allergy Associates of Hartford was fined $125,000 over a physician’s impermissible disclosure of PHI to a TV reporter. The disclosure occurred after the physicians was instructed by the Allergy Associates of Hartford Privacy Officer not to respond to the reporter’s request for information about a patient, or to reply with ‘no comment’. Allergy Associates of Hartford failed to take any action against the physician over the HIPAA violation.

New Jersey also issued a financial penalty to a HIPAA-covered entity in November to resolve a HIPAA violation case. Best Transcription Medical was fined $200,000 for exposing the electronic protected health information of patients over the Internet. The breach affected 1,650 New Jersey residents.

The post November 2018 Healthcare Data Breach Report appeared first on HIPAA Journal.

Credit Card Numbers Exposed in BJC Healthcare Breach

Posted December 19, 2018 by HIPAA Journal

BJC HealthCare, one of the largest not-for-profit healthcare networks in the United States, has discovered hackers have gained access to the website hosting its patient portal and have uploaded malware that potentially intercepted credit/debit card numbers as they were entered in the payment portal.

The breach was discovered on November 19, 2018. The internal investigation revealed malware had been uploaded to the payment portal on October 25, 2018 and payment information may have been intercepted until November 8, 2018. During that time, 5,850 credit/debit card payments had been processed.

BJC HealthCare reports that no Social Security numbers or medical information was compromised. The breach was limited to patients’ names, addresses, and dates of birth, along with the name, billing address, and credit card information or bank information of the person making the payment.

While the above information was potentially intercepted, BJC HealthCare has not received any reports to suggest the attackers obtained and misused patients’ or payors’ data. However, all affected individuals have been advised to carefully monitor their bank and credit card statements for any unauthorized payments.

BJC Healthcare has now implemented additional security controls on its payment portal that provide enhanced protection against malware. All affected patients have been notified of the breach by mail and the incident has been reported to appropriate authorities.

CCRM Dallas-Fort Worth Notifies 1,117 Patients of Email Account Breach

The email account of a nurse at CCRM Dallas Fort Worth has been accessed by an unauthorized individual. The email account breach was detected on October 4, 2018, following reports from patients who had received spam emails from the nurse’s account.

CCRM Dallas-Fort Worth immediately deactivated the email account and contacted its IT vendor who launched an investigation. It was confirmed that the account had been accessed and emails containing patient’s protected health information may have been viewed by the attacker.

The email account contained a range of patient information including names, addresses, email addresses, health insurance information, health information and medical histories, and a limited number of Social Security numbers and driver’s license numbers.

Aside from patients’ email addresses being used by the attacker, no other evidence of PHI misuse has been discovered.

The incident has been reported to the Department of Health and Human Services’ Office for Civil Rights. The breach portal entry indicates 1,117 patients have been affected by the breach. Patients affected by the breach were notified by mail on December 3, 2018.

The post Credit Card Numbers Exposed in BJC Healthcare Breach appeared first on HIPAA Journal.

Up to 32,000 Patients Impacted by Elizabethtown Community Hospital Email Account Breach

Posted December 18, 2018 by HIPAA Journal

Approximately 32,000 patients of the University of Vermont Health Network’s Elizabethtown Community Hospital are being notified that some of their protected health information (PHI) has been exposed as a result of email account breach.

On October 18, 2018, Elizabethtown Community Hospital discovered an unauthorized individual had gained access to an employee’s email account. The password for the compromised email account was immediately changed and a leading forensic security firm was retained to conduct an investigation into the breach. The investigation, which lasted 60 days, confirmed that a single email account was compromised on October 9, 2018.

The hospital’s information technology systems were not accessed and medical records remained secure at all times. An analysis of the breached email account revealed it contained the PHI of around 32,000 patients. The types of information that were exposed differed from patient to patient and may have included names, addresses, dates of birth, primary information such as medical record numbers, dates of service, summaries of services provided, and limited medical information. The Social Security numbers of 1,200 patients were also exposed.

During the nine days that the account was accessible it is possible that the PHI of patients was viewed or copied, although no evidence of data theft was found. Elizabethtown Community Hospital is unaware of any misuse of patient information.

Elizabethtown Community Hospital decided to notify 32,000 patients out of an abundance of caution. The investigation is ongoing, and the breach may be found to have affected fewer patients. Free credit monitoring and identity theft protection services have been offered to all patients whose social security number was exposed.

Elizabethtown Community Hospital has now enhanced the security of its email system and further training has been provided to employees in relation to protecting patient information.

The post Up to 32,000 Patients Impacted by Elizabethtown Community Hospital Email Account Breach appeared first on HIPAA Journal.

PHI Accessed by Contra Costa Health Plan Contractor Who Falsified Identity to Win Contracts

Posted December 17, 2018 by HIPAA Journal

Contra Costa Health Plan (CCHP) has started notifying certain patients that some of their protected health information may have been viewed by an unauthorized individual.

That individual was a contractor who won a series of contracts related to utilization management. The contractor first started working with CCHP on December 1, 2018, and was given access to systems containing health plan records to complete her contracted duties.

On May 22, 2018, CCHP learned that the contractor had falsified her identity in order to win the contracts. Upon discovery of the fraud, CCHP terminated the contract and blocked access to its systems. A full audit of the activities of the contractor was conducted to determine what systems had been accessed and whether plan members’ data had been viewed.

The audit revealed that the contractor had accessed plan members’ health plan records while performing her utilization management duties, although no evidence was uncovered to suggest any of the information contained in those records has been further disclosed by the contractor or used inappropriately.

The types of information potentially viewed included names, addresses, phone numbers, dates of birth, medical information, prescription information, and Social Security numbers.

The California’s Department of Health Care Services was notified about the incident and advised CCHP to issue notifications to all plan members whose records had been accessed. Those individuals have been offered complimentary credit monitoring, identity theft protection, and identity restoration services out of an abundance of caution.

Ramsey County Social Services Notifies Patients of Phishing Breach

Ramsey County Social Services in St. Paul, MN, experienced a phishing attack on August 9, 2018 that resulted in the email accounts of 28 employees being accessed by unauthorized individuals.

After gaining access to the email accounts, the attackers attempted to redirect employees’ paychecks. Prompt action was taken to block the attack and secure the accounts and a data security firm was hired to conduct a thorough investigation of the breach.

On October 12, 2018, the data security firm notified Ramsey County Social Services that the hackers had potentially viewed emails in the account that contained the protected health information of approximately 500 patients, most of whom had used the agency’s chemical and mental health services.

The types of information contained in the accounts included names, addresses, dates of birth, Social Security numbers, and a limited amount of medical information. Patients affected by the breach were notified in early December. No reports have been received to suggest any information in the email accounts has been misused.

To better protect employee email accounts, a tool has been implemented to ensure employees set strong passwords and multi-factor authentication has been implemented to prevent accounts from being accessed from unknown locations and devices. New security software has also been implemented that offers enhanced monitoring and auditing capabilities and employees have been provided with further training.

The post PHI Accessed by Contra Costa Health Plan Contractor Who Falsified Identity to Win Contracts appeared first on HIPAA Journal.

16,000 Mind & Motion Patients Impacted by Ransomware Attack

Posted December 14, 2018 by HIPAA Journal

Mind & Motion Developmental Centers of Georgia has announced that hackers have succeeded in installing ransomware and malware on a server, which has potentially allowed them to gain access to patients’ protected health information.

The ransomware was downloaded and executed on a server housing Mind & Motion medical records. The types of data that were potentially compromised includes names, addresses, birth dates, patients’ gender, medical histories, medical diagnoses, health insurance information, and Social Security numbers. It is also possible that medical records were compromised as a result of the attack.

Mind & Motion discovered the ransomware attack on September 30, 2018. An IT vendor, TeamLogic IT, was retained to investigate the breach, determine how the attack occurred, and help recover data that had been rendered inaccessible by the ransomware.

In addition to the ransomware infection, TeamLogic IT discovered an inactive keylogger and a spam emailer on the server. All malware was successfully removed and associated accounts were deleted. TeamLogic IT did not uncover evidence to suggest any of the installed malware had been used to access patient financial information or its scheduling and electronic billing systems.

Since the attack was discovered, Mind & Motion has not received any reports from patients to suggest that any of their PHI has been stolen and misused. The attack is believed to have been performed with the purpose of extorting money from Mind & Motion and patients are not expected to experience any negative effects from the attack.

In response to the security breach, and as instructed by its IT vendor, Mind & Motion has reset all passwords and implemented controls to ensure complex passwords are set on all accounts in the future. A policy has also been introduced to force users to change passwords more frequently. Computers and servers have professional anti-malware solutions installed and will be regularly scanned. Mind & Motion has also implemented encryption on all its computers and the latest anti-spam technology has been deployed to protect against phishing attacks.

Promptly after the breach was detected, Mind and Motion hired a compliance consulting firm to make sure that all requirements of HIPAA were satisfied. The consulting firm will be administering further HIPAA compliance training to all staff within 30 days.

A breach report was submitted to the Department of Health and Human Services’ Office for Civil Rights on November 30, 2018 and all affected patients have been notified about the breach by mail. The OCR breach report indicates up to 16,000 patient records were potentially compromised.

The post 16,000 Mind & Motion Patients Impacted by Ransomware Attack appeared first on HIPAA Journal.

EmblemHealth Pays $100,000 HIPAA Violation Penalty to New Jersey for 2016 Data Breach

Posted December 11, 2018 by HIPAA Journal

The health insurance provider EmblemHealth has been fined $100,000 by New Jersey for a 2016 data breach that exposed the protected health information (PHI) of more than 6,000 New Jersey plan members.

On October 3, 2016, EmblemHealth sent Medicare Part D Prescription Drug Plan Evidence of Coverage documents to its members.

The mailing labels included beneficiary identification codes and Medicare Health Insurance Claim Numbers (HCIN), which mirror Social Security numbers. The documents were sent to more than 81,000 policy members, 6,443 of whom were New Jersey residents.

The New Jersey Division of Consumer Affairs investigated the breach and identified policy, procedural, and training failures. Previous mailings of Evidence of Coverage documents were handled by a trained employee, but when that individual left EmblemHealth, mailing duties were handed to a team manager who had only been given minimal task-specific training and worked unsupervised.

That individual sent a data file to EmblemHealth’s mailing vendor without first removing HCINs, which resulted in the HCINs being printed on mailing labels: A violation of HIPAA, the New Jersey Identity Theft Prevention Act, and the New Jersey Consumer Fraud Act.

“Health insurers entrusted with their customers’ sensitive personal information have a duty to avoid improper disclosures,” said New Jersey Attorney General Gurbir S. Grewal. “EmblemHealth fell short of its obligations to its customers in this case, and I am pleased that our settlement includes measures designed to prevent similar breaches at this company in the future.”

In addition to the financial penalty, EmblemHealth has agreed to make changes to its policies and procedures to prevent further breaches of plan members’ PHI. Those measures include the use of unique patient identifiers for mailings rather than HCINs or Medicare Beneficiary Identifiers.

EmblemHealth will also ensure that a formal transfer process takes place when the responsibilities of outgoing staff are passed on to other EmblemHealth employees or third parties, and that all necessary training will be provided.

All incoming employees will also be required to complete additional privacy and security training modules and refresher training sessions will be conducted annually. The New Jersey Division of Consumer Affairs will be monitoring EmblemHealth over the next three years and must be informed of any further breaches of the PHI of New Jersey customers.

“This settlement should serve as a reminder that we are committed to safeguarding consumer privacy, and will hold accountable any businesses that are careless in the handling of such personal data,” said Paul R. Rodríguez, Acting Director of the Division of Consumer Affairs.

New Jersey has been highly active as an enforcer of HIPAA Rules and has agreed four settlements in 2018 to resolve violations of HIPAA Rules. In addition to the EmblemHealth HIPAA fine, New Jersey has settled HIPAA violations with Best Transcription Medical ($200,000), Aetna ($365,211.59), and Virtua Medical Group ($417,816) in 2018.

The post EmblemHealth Pays $100,000 HIPAA Violation Penalty to New Jersey for 2016 Data Breach appeared first on HIPAA Journal.