HIPAA Breach News

Sacred Heart Rehabilitation Center Notifies Patients of Phishing Incident

Memphis, MI-based Sacred Heart Rehabilitation Center, a provider of substance abuse treatment and care services for patients diagnosed with HIV/AIDS, has discovered that an unauthorized individual gained access to an employee's email account after the employee responded to a phishing email.

The email account was breached between April 5 and April 7, 2018. It is unclear when the phishing attack was detected by the rehabilitation center, but the investigation into the breach concluded in November and revealed the account contained some patients’ protected health information. Individuals whose PHI was exposed were sent notification letters on January 9, 2018.

The types of information contained in the compromised account included patients’ names, home addresses, diagnoses, treatment information, health insurance information, and Social Security numbers.

The number of patients affected by the breach has not been publicly disclosed at this point and the breach has not yet been listed on the Department of Health and Human Services’ Office for Civil Rights breach portal. Sacred Heart Rehabilitation Center has said not all patients were affected.

All patients whose PHI was exposed as a result of the attack have been offered complimentary credit monitoring and identity theft protection services for 12 months and have been advised to monitor their financial accounts and explanation of benefits statements for signs of misuse of their PHI. To date, no reports of PHI misuse have been received by Sacred Heart Rehabilitation Center.

To reduce the risk of further successful phishing attacks, additional security measures have been implemented and employees have received further security awareness training.

It has not been a great end to the year for healthcare organizations in Michigan. Blue Cross Blue Shield of Michigan announced in December that two data breaches had occurred, which together impacted more than 16,000 individuals. A phishing attack was also reported by Kent County Community Mental Health Authority, which affected 2,200 patients.

The post Sacred Heart Rehabilitation Center Notifies Patients of Phishing Incident appeared first on HIPAA Journal.

Solis Mammography Notifies 500 Patients of PHI Exposure

An unencrypted laptop computer has been stolen from Ben-Ora, Hansen, Vanesian Imaging Ltd., dba Solis Mammography.

Solis Mammography learned on October 17, 2018 that the laptop had been stolen from its Phoenix, AZ clinic and reported the theft to law enforcement. To date the device has not been recovered. Attempts were made, with the assistance of a leading computer forensics firm, to reconstruct the data that had been stored on the device.

While the investigation confirmed that some patients’ protected health information had been downloaded to the device, it was not possible to ascertain the exact information that had been exposed.

Solis Mammography believes information such as patients' names, birth dates, health insurance information, lab test results, medical images, and other information could have been stored on the device and could potentially have been accessed by the individual in possession of the computer. Solis Mammography does not believe any financial information was downloaded onto the laptop.

Solis Mammography has taken steps to further secure patient information including strengthening access controls and reviewing and updating policies and procedures concerning the secure disposal of patient information.

No reports have been received to suggest any information stored on the device has been accessed and misused, although patients have been advised to monitor their statements from healthcare providers and insurers for services that have not been received.

Solis Mammography reported the theft to the Department of Health and Human Services’ Office for Civil Rights on December 16, 2018. The breach report suggests up to 500 patients’ PHI may have been stored on the device.

The post Solis Mammography Notifies 500 Patients of PHI Exposure appeared first on HIPAA Journal.

Phishing Attack Impacts 2,200 Kent County Community Mental Health Authority Patients

Starting on October 28, 2018, Kent County Community Mental Health Authority, dba Network180, experienced a targeted phishing attack.

As is common in advanced phishing attacks, the emails appeared to have been sent from a trusted source. Between November 2 and November 13, three employees responded to the emails and disclosed their credentials, which allowed their encrypted email accounts to be accessed by an unauthorized individual.

At least one of the compromised email accounts contained the protected health information (PHI) of patients. A wide range of PHI was included in the emails stored in the compromised account.

The types of information that could potentially have been accessed by the attacker varied from patient to patient, but may have included names, addresses, dates of birth, Medicaid/Medicare ID numbers, Internal ID numbers, Waiver Support Application (WSA) numbers, names of healthcare providers, schools that were attended, names of relatives, ethnicity/race, and the Social Security numbers of 20 patients. No financial information is believed to have been exposed.

The internal investigation into the attack uncovered no evidence to suggest any PHI was accessed, viewed, or misused.

Network180 had security measures in place to keep the PHI of patients private and confidential but those controls were bypassed on this occasion. The internal investigation, conducted by the IT department, HIPAA Privacy Officer, HIPAA Security Officer, and Network180’s HIPAA legal counsel, concluded that the attack was not preventable.

All passwords were reset and unauthorized access is no longer possible. Additional safeguards have now been implemented to improve email security.

While PHI access/theft is not suspected, out of an abundance of caution, all affected patients have been offered at least 12 months of complimentary identity theft protection services through Experian.

The post Phishing Attack Impacts 2,200 Kent County Community Mental Health Authority Patients appeared first on HIPAA Journal.

31,876 Managed Health Services of Indiana Health Plan Members Notified of Impermissible Disclosure of PHI

Managed Health Services, the Indianapolis, IN-based managed care entity that runs the Hoosier Healthwise and Hoosier Care Connect Medicaid programs, has discovered the protected health information (PHI) of 31,876 plan members has potentially been disclosed in two separate breaches that were announced in December 2018.

31,300 Plan Members Notified of Phishing-Related PHI Breach

A phishing attack on a business associate of Managed Health Services has potentially resulted in the disclosure of some plan members' PHI. On or around July 30, 2018, employees of LCP Transportation responded to phishing emails and provided the attacker with credentials that allowed their email accounts to be remotely accessed. LCP Transportation disabled the affected email accounts on September 7, 2018.

A third-party computer forensics firm was hired to assist with the investigation. While no evidence of PHI misuse has been detected, it is possible that emails in the accounts were accessed by the attacker. Some of the emails in the compromised accounts contained plan members’ PHI including names, addresses, dates of birth, dates of service, insurance ID numbers, and a description of medical conditions.

Email security has now been enhanced and employees have received further training on cyber risks.

Managed Health Services was informed of the breach on October 29 and issued notifications to affected plan members on December 21, 2018. Affected individuals have been offered complimentary credit monitoring services with CyberScan for 12 months.

Mailing Error Caused Letters to be Sent to Incorrect Recipients

On December 20, 2018, Managed Health Services issued notifications to 576 plan members informing them that a limited amount of their PHI had been impermissibly disclosed to other plan members as a result of a mailing error.

On October 16, 2018, notification letters were sent to plan members regarding an upcoming pharmacy change; however, an error saw some of the letters sent to incorrect recipients. The mis-mailed letters resulted in the name, insurance identification number, and medication information of one plan member being disclosed to another plan member. A call campaign was conducted to contact all individuals who received a letter and request that they return the mis-mailed letters.

Managed Health Services has not received any information to suggest that plan members’ PHI has been misused; however, out of an abundance of caution, affected individuals have been offered 12 months of complimentary credit monitoring services through CyberScan.

Managed Health Services has taken steps to prevent mailing errors in the future including reinforcing mailing policies and procedures and reviewing practices in relation to the submission of mailing addresses to its national mailing center.

The post 31,876 Managed Health Services of Indiana Health Plan Members Notified of Impermissible Disclosure of PHI appeared first on HIPAA Journal.

1,080 Chaplaincy Health Care Patients Potentially Impacted by Phishing Attack

Chaplaincy Health Care, a not-for-profit healthcare provider based in Richland, WA, has experienced a phishing attack that has resulted in the exposure of 1,080 patients’ protected health information.

The phishing attack occurred on November 20, 2018 and was discovered within 4 hours. Prompt action was taken to block unauthorized access and a third-party computer forensics firm was hired to assist with the breach investigation.

The investigation confirmed that a single email account was accessed by the attacker. After gaining access to the email account, the attacker attempted to access further accounts. The breach was discovered when the employee was alerted that her account had been used to send a phishing email to an email contact.

No evidence was uncovered to suggest any patient health information was viewed or copied but, out of an abundance of caution, all patients affected by the breach have been offered complimentary credit monitoring and identity theft protection services through LifeLock for 12 months. Patients were notified about the breach on January 3, 2019.

The firm investigating the breach concluded that the primary aim of the attack was to compromise as many email accounts as possible rather than to access sensitive information, although it was not possible to determine whether any emails in the compromised account had been accessed.

The compromised email account contained full names, home addresses, dates of birth, medical record numbers, prescription information, dates of service, and the last four digits of Social Security numbers.

“Chaplaincy Health Care sincerely apologizes for the inconvenience and the concern this incident has caused,” explained Gary Castillo, Executive Director of Chaplaincy Health Care. “Information security is very important to us and we will continue to do everything we can to fortify our operational protections for our patients and their families.”

In response to the breach, Chaplaincy Health Care has implemented two-factor authentication on its email accounts and employees have been provided with further training on protecting sensitive patient information.

The post 1,080 Chaplaincy Health Care Patients Potentially Impacted by Phishing Attack appeared first on HIPAA Journal.

Ransomware Attack on Podiatric Offices of Bobby Yee Impacts 24,000 Patients

A ransomware attack on the Podiatric Offices of Bobby Yee has resulted in the encryption of files containing the protected health information (PHI) of up to 24,000 patients and other individuals.

The attack took place on October 29, 2018. Medical records were encrypted by the ransomware along with files containing information such as full name, address, contact telephone number(s), gender, birth date, Social Security number, and health insurance information.

Prompt action was taken to protect patient data and an investigation into the breach did not uncover any evidence to suggest the attacker viewed or copied any patients’ PHI.

The Podiatric Offices of Bobby Yee explained in a December 20, 2018, press release: “We may need to reconfirm or reconstruct the information, including your medical information.” It is unclear whether the ransom was paid to obtain the key to decrypt patient data or whether files were recovered from backups.

The post Ransomware Attack on Podiatric Offices of Bobby Yee Impacts 24,000 Patients appeared first on HIPAA Journal.

Humana Insurance Applicants Affected by Bankers Life Data Breach

Humana has announced that certain insurance applicants have had some of their personal information exposed as a result of a hacking incident at the Chicago-based health insurer Bankers Life.

Bankers Life is a division of CNO Financial Group and a business associate of Humana. Bankers Life discovered on August 7, 2018, that hackers had gained access to its systems between May 30 and September 12, 2018. Access to its systems was gained using stolen employee credentials.

The breach was one of the largest healthcare data breaches of 2018 and affected around 566,2017 individuals, according to a breach report issued by CNO Financial Group in November 2018.

Humana notified the California Attorney General of the breach on January 3, 2019. According to the report, Humana was notified about the breach on October 25, 2018.

The breach affects individuals who had previously applied for a health insurance policy through Humana. Information included on those applications includes names, addresses, dates of birth, Humana health insurance application numbers and policy numbers, cost of coverage, and the last four digits of Social Security numbers.

Bankers Life has offered affected individuals free credit monitoring and identity repair services for 12 months. It is currently unclear exactly how many Humana insurance applicants have been affected.

Humana has also recently informed the Department of Health and Human Services’ Office for Civil Rights about another data breach affecting its members: the theft of paper/film records containing the PHI of 684 individuals. The breach report was submitted to OCR on December 31, 2018. No further information on the breach is available at the time of writing.

Advertising Expenditures Increase 64% Following a Healthcare Data Breach

A recent study has explored the relationship between advertising expenditures and healthcare data breaches. The study shows hospitals significantly increase advertising spending following a data breach.

Healthcare Data Breaches Are the Costliest to Mitigate

Healthcare data breaches are the most expensive to mitigate, far higher than breaches in other industry sectors. According to the Ponemon Institute/IBM Security’s 2018 cost of a data breach study, healthcare data breaches cost, on average, $408 per lost or stolen record. The costs are double, or in some cases almost triple, those in other industry sectors.

In addition to the high costs of mitigating the breaches, the same study confirmed that loss of patients to competitors is a very real threat. Data breaches cause damage to a brand and trust in an organization can be easily lost when confidential personal information is exposed or stolen.

The Ponemon Institute study revealed healthcare organizations have a high churn rate after a breach. At 6.7%, it is higher than the financial sector (6.1%), services (5.2%), energy (3.0%) and education (2.7%).

Hospitals’ Advertising Expenditure Increases 64% Following a Data Breach

In a recent study, Sung J. Choi, PhD, and M. Eric Johnson, PhD, investigated how advertising expenditures at hospitals changed following a data breach.

The study, which was recently published in the American Journal of Managed Care, revealed hospitals increase advertising spending by an average of 64% in the year following a data breach. Advertising expenditures were found to be 79% higher over the two-year period following a data breach.

The researchers note that breached hospitals were most likely to be large or teaching hospitals located in urban settings. Hospitals that experienced data breaches had an average of 566 beds and were typically located in areas where there were other hospitals and, consequently, high competition for patients.

Hospitals in the control group that had not experienced a data breach spent an average of $238,000 on advertising each year, whereas hospitals that experienced data breaches spent an average of $817,205 on advertising in the year following a breach, almost three times as much as the control group. An average of $1.75 million was spent on advertising in the two years following a breach.

The researchers suggest that the increase in spending is an attempt to minimize patient loss to competitors and to help repair hospitals’ reputations.

The researchers note that the data from the study came from 2011-2014 before ransomware attacks on hospitals became common. Given how much more these types of data breaches disrupt medical services provided by hospitals, advertising spending may be even higher following these types of breaches.

“Advertising and the efforts to fix the damages from a data breach increase healthcare costs and may divert resources and attention away from initiatives to improve care quality,” wrote the researchers. “Advertising costs subsequent to a breach are another cost to the healthcare system that could be avoided with better data security.”

The post Advertising Expenditures Increase 64% Following a Healthcare Data Breach appeared first on HIPAA Journal.

Blue Cross Blue Shield of Michigan Members Notified of Business Associate Ransomware Attack

A business associate of Blue Cross Blue Shield of Michigan has experienced a ransomware attack that has potentially resulted in the theft of plan members’ protected health information. This is the second data breach affecting Blue Cross Blue Shield of Michigan plan members to be reported in December. Some plan members’ PHI was stored on a laptop computer that was stolen from a different business associate.

The latest breach was experienced by Austin, TX-based Wolverine Solutions Group, a vendor that provides business services to Blue Cross Blue Shield of Michigan and several other healthcare clients.

On September 23, 2018, ransomware was installed on its network that resulted in the encryption of files on servers and workstations, including files containing protected health information.

A third-party computer forensics firm conducted an investigation into the breach but found no evidence of data exfiltration; however, data theft could not be entirely ruled out. The types of information that were potentially accessed and copied included demographic data, health plan contract numbers, and a limited amount of health information. Some Social Security numbers may also have been compromised.

According to Databreaches.net, the data breach was not confined to Blue Cross Blue Shield of Michigan. Other healthcare clients were also affected including Molina Healthcare. 895 Molina Healthcare patients have also been notified that their PHI was potentially compromised.

Wolverine Solutions has written to all affected individuals to alert them to the breach and, out of an abundance of caution, has offered 12 months of complimentary credit monitoring services to breach victims. Due to Blue Cross Blue Shield of Michigan’s policies, its members have been offered extended protection for 24 months.

Wolverine Solutions has already taken steps to improve security and has moved to a new computer system that has added protection against these types of attacks. All employees have also received further training on the new safeguards.

The post Blue Cross Blue Shield of Michigan Members Notified of Business Associate Ransomware Attack appeared first on HIPAA Journal.

Email Account Breach Impacts Hundreds of Choice Rehabilitation Residents

Choice Rehabilitation of Creve Coeur, MO, has discovered an unauthorized individual hacked into a corporate email account of one of its employees and set up a mail forwarder to send emails to a personal email account.

The breach occurred on July 1, 2018 and the mail forwarder remained active until September 30, 2018. A detailed analysis of the email account revealed the protected health information of certain residents was included in billing documents attached to emails that had been sent to its associated skilled nursing facilities.

Highly sensitive information such as financial data, Social Security numbers, Medicare and Medicaid numbers, dates of birth and contact information remained secure at all times. The breach was limited to billing information related to physical, speech, and occupational therapy provided to patients such as names, payor information, medical record numbers, start and end dates of therapy, diagnoses, treatment information, billing codes, and the name of the facility where care was provided.

Upon discovery of the breach, access to the compromised email account was blocked, the mail forwarder was deactivated, and the personal email account used by the attacker was deactivated. Choice Rehabilitation alerted other corporate users about the breach and reminded them of security safeguards to prevent unauthorized account access. Security awareness training will continue to be provided to employees on a regular basis. Additional safeguards have also been implemented to improve email and network security, and monitoring of corporate email accounts has been stepped up.

Choice Rehabilitation has not received any information to suggest the forwarded emails were opened by the attacker. Due to the nature of the PHI that was potentially accessed, Choice Rehabilitation believes the risk of PHI misuse is low.
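The Choice Rehabilitation incident turned on a forwarder that silently copied mail to an outside address for three months. The following added example, which is not part of the HIPAA Journal post and not code from any of the organizations named on this page, shows the kind of check a mailbox administrator can run over audit events to catch that pattern early: any inbox rule or mailbox setting that forwards or redirects mail to a domain outside the organization is flagged, and rules that also delete the original message are marked as especially suspicious. The audit event schema, the field names, the domains and every sample event are constructed for this example and do not follow any real product's log format.

```python
import json
from datetime import datetime

# Constructed sample audit events in JSON-lines form. Field names, users and
# domains are assumptions made for this example, not a real product's schema.
SAMPLE_AUDIT_LOG = """
{"ts": "2018-07-01T08:12:44Z", "user": "billing@example-rehab.test", "op": "New-InboxRule", "params": {"Name": "Archive", "ForwardTo": "someone@free-mail.test"}}
{"ts": "2018-07-01T09:03:10Z", "user": "hr@example-rehab.test", "op": "New-InboxRule", "params": {"Name": "Team", "ForwardTo": "manager@example-rehab.test"}}
{"ts": "2018-07-02T17:45:00Z", "user": "billing@example-rehab.test", "op": "Set-Mailbox", "params": {"ForwardingSmtpAddress": "smtp:someone@free-mail.test", "DeliverToMailboxAndForward": "True"}}
{"ts": "2018-07-03T11:20:31Z", "user": "clinic@example-rehab.test", "op": "MailboxLogin", "params": {}}
{"ts": "2018-07-04T14:00:00Z", "user": "hr@example-rehab.test", "op": "New-InboxRule", "params": {"Name": "Quiet", "RedirectTo": "x@another-free-mail.test", "DeleteMessage": "True"}}
"""

# Domains the organization owns; anything else is treated as external.
INTERNAL_DOMAINS = {"example-rehab.test"}

# Parameters that cause mail to leave the mailbox. The list mirrors common
# forwarding/redirect settings but is an assumption for this example.
FORWARD_FIELDS = (
    "ForwardTo",
    "ForwardAsAttachmentTo",
    "RedirectTo",
    "ForwardingSmtpAddress",
    "ForwardingAddress",
)


def parse_events(text):
    """Parse JSON-lines audit text into a list of event dicts with datetime stamps."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return events


def domain_of(address):
    """Return the lower-cased domain part of an address, tolerating an 'smtp:' prefix."""
    address = address.lower().strip()
    if address.startswith("smtp:"):
        address = address[len("smtp:"):]
    return address.rsplit("@", 1)[-1] if "@" in address else ""


def find_external_forwards(events, internal_domains):
    """Flag every forwarding or redirect setting whose target is outside the organization.

    Each finding records who created it, which setting carried the target, the
    target itself, and whether the rule also deletes the original message
    (a common way of hiding the forwarding from the mailbox owner).
    """
    findings = []
    for event in events:
        params = event.get("params", {})
        for field in FORWARD_FIELDS:
            target = params.get(field)
            if not target:
                continue
            domain = domain_of(target)
            if domain and domain not in internal_domains:
                findings.append({
                    "ts": event["ts"],
                    "user": event["user"],
                    "op": event["op"],
                    "field": field,
                    "target": target,
                    "deletes_original": params.get("DeleteMessage") == "True",
                })
    return findings


if __name__ == "__main__":
    for f in find_external_forwards(parse_events(SAMPLE_AUDIT_LOG), INTERNAL_DOMAINS):
        flag = " [DELETES ORIGINAL]" if f["deletes_original"] else ""
        print(f"{f['ts']:%Y-%m-%d %H:%M} {f['user']} {f['op']} {f['field']} -> {f['target']}{flag}")
```

Run against the constructed log, the check reports the two external forwards set up on the billing mailbox and the hr redirect rule that also deletes the originals, while leaving the internal forward to a manager alone. In practice the same logic is run on a schedule over the mail platform's admin audit export, and a finding on a mailbox that has no documented business reason for external forwarding is treated as a likely account compromise until shown otherwise.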

The post Email Account Breach Impacts Hundreds of Choice Rehabilitation Residents appeared first on HIPAA Journal.