HIPAA Breach News

23,300 Patients Affected by Critical Care, Pulmonary & Sleep Associates Email Hack

Critical Care, Pulmonary & Sleep Associates (CCPSA) in Colorado has experienced a data breach that has impacted more than 23,300 patients.

An email account breach was detected by CCPSA on November 23, 2018 when suspicious activity was detected related to an employee’s email account. The account appeared to have been used to send phishing emails to individuals in the employee’s contact list. Those emails attempted to convince the recipients to make fraudulent payments.

Action was promptly taken to lock the hacker out of the account and the entire email environment was secured. All users were required to set new, complex passwords. A third-party computer forensics firm was hired to investigate the attack and determine the scale of the breach. That investigation was concluded on December 14, 2018.

The investigation revealed the attacker had gained access to multiple email accounts between August 14 and November 23, 2018. The breach was determined to be limited to the email system; CCPSA’s medical record system was unaffected.

An analysis of the compromised email accounts revealed they contained the electronic protected health information of more than 23,300 patients. In addition to patients’ names, the following information was also potentially compromised: addresses, email addresses, phone numbers, dates of birth, dates of service, diagnoses, medical conditions, lab test results, information related to diagnostic studies, treatment information, insurance information, and for certain patients, costs of medical services, Social Security numbers, and driver’s license numbers.

Prior to the attack, CCPSA had implemented protections to prevent successful phishing attacks. Those protections have now been enhanced. Additionally, changes have been made to how authorized individuals can access the network and changes have also been made by the IT department to certain rules within its computer environment. Additional, mandatory security awareness training has also been provided to the entire workforce.

According to the breach summary posted on the Department of Health and Human Services’ Office for Civil Rights breach portal, the ePHI of 23,377 individuals has been exposed.

The post 23,300 Patients Affected by Critical Care, Pulmonary & Sleep Associates Email Hack appeared first on HIPAA Journal.

Stolen Hard Drive Contained PHI of 76,000 Texas Patients

All-Star Orthopaedics is alerting patients of Irving, TX-based Las Colinas Orthopedic Surgery & Sports Medicine, PA, that some of their protected health information (PHI) was stored on a hard drive that has been stolen.

The hard drive contained X-ray and other diagnostic images of 76,000 patients, along with patients’ names and dates of birth. While the hard drive was not encrypted, special software is required to access the images. The image files would need to be opened in order to see patients’ names and dates of birth.

The hard drive was stolen on November 20, 2018. The theft was reported to the Department of Health and Human Services’ Office for Civil Rights on January 18, 2019 and breach notification letters have now been sent to all affected patients.

The theft has prompted All-Star Orthopaedics to implement new security protocols to prevent any further breaches of patients’ PHI, and all portable hard drives will now be encrypted prior to transport.

Dermacare Brickell Data Breach Impacts 1,800 Patients

On November 20, 2018, the Miami medical practice Dermacare Brickell discovered paperwork containing the PHI of around 1,800 patients was missing.

The paperwork had been removed from a locked storage unit at The Vue Condominium, close to its office. The files related to patients who had received medical services at the practice between 2010 and 2013.

The medical practice determined that boxes of files had been mistakenly removed and disposed of in a condominium association dumpster along with regular trash. The person responsible assured the practice that he did not read any of the files in the boxes and was unaware that the boxes contained patient files.

The improper disposal has been reported to the Miami Police Department and patients have been notified as a precaution, although no evidence has been uncovered to suggest any information has been viewed by unauthorized individuals or misused.

The files did not contain financial information or Social Security numbers, only names, birth dates, previous medical histories as provided by patients, and practice treatment notes.

All patient files will now be stored within the practice’s offices. The practice is in the process of transitioning to electronic medical records, and all paper copies of records will be shredded once that process has been completed.


Alaska Department of Health and Social Services Revises 2018 Breach Victim Total from 501 to 500K-700K

A laptop computer malware infection discovered by the Alaska Department of Health and Social Services (ADHSS) in April 2018 was initially thought to have potentially allowed hackers to gain access to the electronic protected health information (ePHI) of 501 individuals; however, the breach has been determined to be far more extensive than was initially thought.

On January 22, 2019, state officials said the malware potentially allowed the attackers to access and obtain the ePHI of between 500,000 and 700,000 individuals and that notification letters to the additional breach victims had started to be sent. So far, letters have been sent to 87,000 individuals.

The malware used in the attack was a variant of the Zeus/Zbot Trojan, an information stealer. The individuals whose ePHI was potentially obtained by the hackers had interacted at some point with the Department of Public Assistance (DPA) through the DPA Northern regional offices.

Last year, ADHSS said the laptop had accessed sites in Russia, had unauthorized software installed, and exhibited other suspicious behavior that strongly indicated a malware infection. ADHSS was able to identify the virus and remove it, although the malware gave the attackers access to the laptop between April 26 and April 30, 2018.

The malware was determined to have been inadvertently installed by an employee as a result of opening an email attachment. According to Shawnda O’Brien, director of the state’s Division of Public Assistance, the email appeared to be legitimate and sent from an applicant requesting assistance.

O’Brien explained that by the time the Trojan was identified and removed, it had gotten through several layers of security and the attackers had gained full access to the laptop’s hard drive. The malware was not initially detected by anti-virus software because it was a day-one attack, conducted before the AV software had been updated with the Trojan’s signature.

The attack was investigated by ADHSS and the breach was reported to the Department of Health and Human Services’ Office for Civil Rights on June 28, 2018, although the investigation into the breach continued.

Due to the volume of data involved, assistance was sought from the FBI. The FBI’s analysis was extensive and took several months to complete. ADHSS has only recently received a list of the individuals whose PHI was stored on the laptop. The FBI investigation is continuing.

The laptop contained documents that included first and last names, dates of birth, phone numbers, Medicaid/Medicare billing codes, criminal justice information, health billing information, Social Security numbers, driver’s license numbers, pregnancy status, incarceration status, and other confidential information.

O’Brien said to KTVA, “We don’t have any reason to believe their information was compromised, but because their information could have been compromised, we had to let them know.”

While the virus made contact with sites in Russia, it could not be established whether the hackers were based in Russia or who was behind the attack.

Malicious emails can be highly convincing and can easily fool employees; however, this is not the only malware attack to have been experienced by ADHSS. Malware was discovered on two desktop computers in 2017. That breach was also reported to have affected 501 individuals. In 2009, a laptop computer containing ePHI was stolen. That breach was also reported to have affected 501 individuals.

The 2009 breach was investigated by OCR, which uncovered multiple HIPAA violations. The case was settled in 2012 and a financial penalty of $1.7 million was paid to OCR. The HIPAA violations included the failure to conduct a comprehensive risk analysis to identify vulnerabilities that could be exploited to gain access to PHI, insufficient device and media controls, and a lack of staff training on data security.


Valley Hope Association Notifies Patients of Email Account Breach

Valley Hope Association, which operates in the Midwest, has announced that an unauthorized individual has gained access to the email account of an employee.

Valley Hope Association became aware of a potential account breach on October 10, 2018, when unusual account activity was detected. Prompt action was taken to prevent further account access and a third-party computer forensics firm was hired to determine the nature and scope of the breach.

The investigation confirmed on November 23, 2018, that an unauthorized individual had accessed a single email account between October 9 and 10, 2018, and potentially viewed emails and attachments containing patients’ protected health information. After a thorough review of all emails and email attachments, the forensics firm confirmed that certain patients’ PHI may have been accessed.

The types of information contained in the emails varied from patient to patient and may have included one or more of the following data elements: name, address, date of birth, Social Security number, medication and prescription information, claims and billing information, medical record number, health insurance information, and physician’s name. No diagnosis or treatment information was contained in the emails.

Following the confirmation of exposed information, Valley Hope Association has been attempting to identify current contact information for all affected individuals and each will be notified and told about the exact information that has potentially been compromised. While data access/theft is a possibility, no reports have been received to suggest any patient information has been misused.

As a precaution against identity theft and fraud, patients impacted by the breach have been offered 12 months of complimentary identity theft monitoring services through Kroll.

Valley Hope Association has been reviewing and revising its policies and procedures to further protect the security and confidentiality of information on its systems and additional safeguards will be implemented as appropriate.

The breach has been reported to law enforcement, state regulators, credit monitoring bureaus, and the Department of Health and Human Services’ Office for Civil Rights.

The incident has yet to appear on the OCR breach portal, so it is currently unclear exactly how many patients have been impacted by the breach.


December 2018 Healthcare Data Breach Report

November was a particularly bad month for healthcare data breaches, so it is no surprise that there was an improvement in December. November was the worst month of the year in terms of the number of healthcare records exposed (3,230,063) and the second worst for breaches (34). December was the second-best month for healthcare data breaches with 23 incidents reported, only one more than January.

(Chart: 2018 Healthcare Data Breaches, by month)

In total, 516,370 records were exposed, impermissibly disclosed, or stolen in breaches reported in December, a considerable improvement on November. Were it not for the late reporting of the Adams County breach, December would have been the best month of the year to date in terms of the records exposed. The Adams County breach occurred in March 2018 and was confirmed on June 29, yet reporting to OCR was delayed until December 11.

(Chart: 2018 Healthcare Data Breaches, records exposed by month)

Largest Healthcare Data Breaches in December 2018

| Rank | Name of Covered Entity | Covered Entity Type | Individuals Affected | Type of Breach |
|------|------------------------|---------------------|----------------------|----------------|
| 1 | Adams County | Healthcare Provider | 258,120 | Unauthorized Access/Disclosure |
| 2 | JAND Inc. d/b/a Warby Parker | Healthcare Provider | 177,890 | Hacking/IT Incident |
| 3 | University of Vermont Health Network – Elizabethtown Community Hospital | Healthcare Provider | 32,470 | Hacking/IT Incident |
| 4 | The Podiatric Offices of Bobby Yee | Healthcare Provider | 24,000 | Hacking/IT Incident |
| 5 | Choice Rehabilitation | Business Associate | 4,309 | Hacking/IT Incident |
| 6 | Virtual Radiologic Professionals, LLC | Healthcare Provider | 2,568 | Hacking/IT Incident |
| 7 | Kent County Community Mental Health Authority | Healthcare Provider | 2,284 | Hacking/IT Incident |
| 8 | Butler County Board of County Commissioners | Health Plan | 1,912 | Unauthorized Access/Disclosure |
| 9 | Barnes-Jewish Hospital | Healthcare Provider | 1,643 | Hacking/IT Incident |
| 10 | Tift Regional Medical Center | Healthcare Provider | 1,045 | Hacking/IT Incident |

Causes of December 2018 Healthcare Data Breaches

The healthcare industry experiences more insider breaches than other industry sectors, although in December, hacking/IT incidents outnumbered unauthorized access/disclosure incidents by almost two to one. Eight of the top ten data breaches for the month were hacks, ransomware attacks, and other IT incidents.

While unauthorized access/disclosure incidents usually impact fewer individuals than hacking breaches, that was not the case in December. The largest breach of the month was the unauthorized accessing of a network server by a former employee of Adams County, WI.

In total, 264,049 healthcare records were exposed in the 7 unauthorized access/disclosure incidents reported in December. The mean breach size was 37,721 records and the median breach size was 911 records.

250,404 healthcare records were exposed in the 13 hacking/IT incidents. The mean breach size was 19,261 records and the median breach size was 1,643 records.

There were two theft incidents reported in December and one case of improper disposal of paper records. No lost devices were reported.

(Chart: Causes of December 2018 Healthcare Data Breaches)

Location of Breached Protected Health Information

Phishing attacks continue to plague healthcare organizations and December was no exception. The largest phishing incident reported in December affected 32,470 patients of Elizabethtown Community Hospital. The PHI was contained in a single email account.

Three email accounts were compromised at Kent County Community Mental Health Authority, although they only contained the PHI of 2,200 individuals.

The most common location of breached PHI in December was email, although network server breaches were more severe. The two largest December 2018 healthcare data breaches were network server incidents which impacted 436,010 individuals – 84.43% of the total number of breached records in December.

(Chart: Location of Breached Protected Health Information)

Data Breaches by Covered-Entity Type

Health plans made it through November without reporting any data breaches, although they didn’t fare so well in December. Six health plan data breaches were announced in December; however, all were relatively small, with only the breach at Butler County Board of County Commissioners impacting more than 1,000 plan members (1,912).

One data breach was reported by a business associate of a HIPAA-covered entity, although a further three breaches had some business associate involvement. The remaining 16 breaches were reported by healthcare providers.

(Chart: Data Breaches by Covered-Entity Type)

Healthcare Data Breaches by State

In December 2018, healthcare organizations in 13 states reported PHI breaches. Minnesota was the worst affected state with a total of four breaches followed by Arizona with three. There were two breaches reported by healthcare organizations based in each of California, Missouri, New York, Ohio, and Wisconsin, and a single breach was experienced in each of Georgia, Illinois, Kentucky, Massachusetts, Michigan, and Pennsylvania.

HIPAA Fines and Settlements in December 2018

The Department of Health and Human Services’ Office for Civil Rights (OCR) reached two settlements with HIPAA-covered entities in December to resolve violations of HIPAA Rules. OCR finished the year on ten fines and settlements, the same number as in 2017.

Advanced Care Hospitalists, a Florida contractor physicians’ group, was investigated by OCR following the submission of a breach report in April 2014. The report stated the PHI of 400 patients had been subject to unauthorized access, although the number of individuals affected was subsequently increased to 8,855 patients.

OCR confirmed there had been a preventable impermissible disclosure of PHI, and found that a business associate had been engaged without first entering into a business associate agreement. Additionally, insufficient security measures had been implemented and there had been no effort to comply with HIPAA Rules prior to April 1, 2014. Advanced Care Hospitalists and OCR settled the HIPAA violation case for $500,000.

On June 7, 2013, OCR received a complaint about Pagosa Springs Medical Center, a critical access hospital in Colorado, which had failed to terminate access to a web-based scheduling calendar after an employee’s contract had been terminated. The OCR investigation confirmed the former employee accessed the calendar on two occasions after leaving employment.

The failure to terminate employee access and the lack of a business associate agreement with Google covering Google Calendar resulted in a financial penalty of $111,400 for Pagosa Springs Medical Center.

There were two financial penalties issued by state Attorneys General in December to resolve violations of HIPAA Rules.

The Massachusetts Attorney General fined McLean Hospital $75,000 over a breach of 1,500 patients’ PHI. The information was stored on backup tapes that had been taken offsite by an employee. When the employee was terminated, McLean Hospital was unable to recover two of the backup tapes.

The New Jersey Attorney General issued a financial penalty of $100,000 to EmblemHealth over an impermissible disclosure of PHI. In 2016, an EmblemHealth mailing had Social Security numbers printed on the outside of envelopes. This was the second fine for EmblemHealth in relation to the breach. The New York Attorney General had previously settled its case with EmblemHealth for $575,000 earlier in the year.


Physician Receives Probation for Criminal HIPAA Violation

A physician who pleaded guilty to a criminal violation of HIPAA Rules has received 6 months’ probation rather than a jail term and fine for the wrongful disclosure of patients’ PHI to a pharmaceutical firm.

The case was prosecuted by the Department of Justice in Massachusetts in conjunction with a case against Massachusetts-based pharma firm Aegerion.

In September 2017, the Novelion Therapeutics subsidiary Aegerion agreed to plead guilty to misbranding the prescription drug Juxtapid. The case also included deferred prosecution related to criminal liability under HIPAA and to causing false claims to be submitted to federal healthcare programs for the drug.

Aegerion admitted to conspiring to obtain the individually identifiable health information of patients without authorization for financial gain, in violation of 42 U.S.C. §§ 1320d-6(a) and 1320d-6(b)(3) and HIPAA Rules. Aegerion agreed to pay more than $35 million in fines to resolve criminal and civil liability.

The DOJ also charged a Georgia-based pediatric cardiologist with criminal violations of HIPAA Rules for allowing a sales representative of Aegerion to access the confidential health information of patients without first obtaining patient consent. The sales rep was allowed to view the information of patients who had not been diagnosed with a medical condition that could be treated with Juxtapid (lomitapide) in order to identify new potential candidates for the drug.

This is the second such criminal HIPAA violation case in Massachusetts in the past four months to result in probation rather than a jail term or fine. In September, Massachusetts gynecologist Rita Luthra was given 1 year of probation over payments received by a pharmaceutical firm (Warner Chilcott) for providing sales reps with access to the individually identifiable health information of patients for financial gain. While prosecutors were pushing for a fine and a jail term to act as a deterrent, Judge Mastroianni explained in his ruling, “Her loss of license and ability to practice is a substantial deterrent.”

While probation was received in both of these cases, a substantial fine, jail term, and loss of license are real possibilities for physicians found to have criminally violated HIPAA Rules. Both physicians could have received a fine of up to $50,000 for the violations and up to one year in jail.


PHI of Almost 1,000 Lebanon VA Medical Center Patients Impermissibly Disclosed

Lebanon VA Medical Center in Pennsylvania has discovered the protected health information of hundreds of elderly patients has been impermissibly disclosed to a family member of a veteran.

In November 2018, a member of staff at Lebanon VA Medical Center emailed a document to a family member of a veteran who was searching for nursing home facilities. The list should have contained nursing home facilities that work with the Department of Veterans Affairs; however, a historical list of nursing home residents was sent in error.

The list contained veterans’ names, abbreviated Social Security numbers, the nursing home where the veteran had been admitted, diagnoses, and service-connection disability rating percentages.

“Lebanon VA Medical Center and our employees take our responsibility to protect patient information very seriously,” explained Lebanon VA privacy officer Tonya Hromco. “Along with assistance from national offices, we immediately investigated this inadvertent, unauthorized release of information which occurred in late November.”

The incident was an isolated error, and steps have now been taken to reduce the potential for further mistakes. Additional controls have been implemented in the section where the error occurred and throughout the facility. Files containing historic information have now been encrypted, and restrictions have been placed on the number of individuals with access to those files. Technical controls have also been implemented that prevent members of the department from sending email attachments externally.

A press release issued by Lebanon VA Medical Center says the PHI of 993 individuals was impermissibly disclosed. The breach report on the HHS’ Office for Civil Rights’ breach portal suggests the breach could have impacted up to 1,002 individuals.

Individuals affected by the privacy breach and family members of deceased patients have recently been mailed breach notification letters.


New Massachusetts Data Breach Notification Law Enacted

A new Massachusetts data breach notification law has been enacted. The new legislation was signed into law by Massachusetts governor Charlie Baker on January 10, 2019 and will come into effect on April 11, 2019.

The new legislation updates existing Massachusetts data breach notification law and introduces new requirements for notifications.

Under Massachusetts law, a breach is defined as the unauthorized acquisition or use of sensitive personal information that carries a substantial risk of identity theft or fraud. Notifications must be issued if one or more of the following data elements are obtained by an unauthorized individual along with an individual’s first name and last name or first initial and last name.

  • Social Security number
  • Driver’s license number
  • State issued ID card number
  • Financial account number, or credit/debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account.

As with the previous law, there is no set timescale for issuing breach notifications. They must be issued “as soon as is practicable and without unreasonable delay,” after it has been established that a breach of personal information has occurred.

That said, one change to the timescale for issuing breach notifications is that individuals and companies that have experienced a data breach can no longer wait until the total number of individuals impacted by the breach has been determined. The legislation states: “In such case, and where otherwise necessary to update or correct the information required, a person or agency shall provide additional notice as soon as practicable and without unreasonable delay upon learning such additional information.”

One notable update to Massachusetts data breach notification law is the requirement to offer breach victims complimentary credit monitoring services, as is the case in Connecticut and Delaware. The minimum term for complimentary credit monitoring services is 18 months or, in the case of a consumer reporting agency, a minimum of 42 months.

Notifications are required to be issued to all individuals impacted by the breach, the Office of Consumer Affairs and Business Regulation, and the Massachusetts Attorney General’s Office.

The Office of Consumer Affairs and Business Regulation and the Attorney General’s Office must be provided with a detailed description of the nature and circumstances of the breach, the number of Massachusetts residents affected, the steps that have been taken relative to the security breach, steps that will be taken in the future in response to the breach, and whether law enforcement is investigating the breach. If the breach has been experienced by a parent company or affiliated organization, the name of that company must be detailed in the notification.


111K Individuals Notified of 4-Month Email Account Compromise

Centerstone Insurance and Financial Services, operating as BenefitMall, has started notifying more than 111,000 individuals that some of their protected health information has been exposed, and potentially stolen, in a recent email security incident.

Dallas, TX-based BenefitMall is a provider of employee benefits, payroll, HR, and employer services and employs more than 20,000 advisors, brokers, and CPAs across the country. The company is a business associate of several HIPAA-covered entities.

On October 11, 2018, the company became aware that email accounts used by its employees had been accessed by an unauthorized individual. A third-party computer forensics firm was retained and an internal investigation was conducted to assess the nature and scope of the breach.

The investigation revealed the first email accounts had been compromised in June 2018 and further email accounts were breached and accessed up to October 11 when the attack was detected. Prompt action was taken to secure the compromised email accounts and prevent further remote email account access. The email accounts were compromised as a result of employees falling for phishing scams.

An analysis of the compromised email accounts revealed that many emails in those accounts contained the personal information of individuals related to the services provided. The information exposed and potentially stolen was limited to names, addresses, Social Security numbers, dates of birth, bank account numbers, and information relating to payment of insurance premiums.

The security breach has prompted BenefitMall to review its email security controls, which have now been augmented to provide greater protection against phishing attacks. Two-factor authentication has now been implemented on its email system, and employees have been provided with further training to improve awareness of phishing scams and how to guard against them. Further security awareness and phishing training will be provided to employees on an ongoing basis.

The security breach has been reported to law enforcement, and BenefitMall will continue to assist with the investigation and will work closely with the insurance providers whose members were affected by the breach. The Department of Health and Human Services’ Office for Civil Rights (OCR) has been notified. The breach report submitted to OCR indicates 111,589 individuals have been affected by the breach.
