HIPAA Breach News

Tandigm Health Website Vulnerability Exposed 7,000 Patients’ PHI

A vulnerability on a website used by the value-based healthcare company Tandigm Health could potentially have been exploited to gain access to patients’ protected health information.

The website vulnerability was discovered by Tandigm Health on September 25, 2018. A leading computer forensics firm assisted with the investigation to determine whether the flaw could be exploited remotely, whether patients’ protected health information had been accessed, and the types of information that may have been exposed.

The investigation confirmed that the flaw could have been exploited to gain access to sensitive patient information between April 24, 2017 and December 31, 2017. The information accessible through the website was limited to names, birth dates, medical information, and health insurance information. Approximately 7,000 patients’ protected health information was accessible through the website.

The investigation did not uncover any evidence to suggest the flaw had been exploited, and no reports have been received to suggest patient information has been stolen or misused.

Out of an abundance of caution, all individuals whose personal and health information were exposed have been notified of the potential breach by mail and have been offered free credit monitoring and identity theft protection services for 2 years.

Affected individuals have been advised to monitor their accounts and credit reports for any sign of unauthorized transactions and to review explanation of benefits statements from their health insurers for any medical services that have been listed but not received.

According to a company press release, “Information privacy and security are among Tandigm’s highest priorities, and there are strict security measures in place to protect information in Tandigm’s care.”

Tandigm Health has reassessed its website protections and has enhanced security on its Internet-based platforms. Current policies and procedures covering data security have been reviewed and additional, ongoing data security training is being provided to employees.

The post Tandigm Health Website Vulnerability Exposed 7,000 Patients’ PHI appeared first on HIPAA Journal.

Mercy Medical Center North Iowa Notifies 1,900 Patients About Potential PHI Exposure

Mercy Medical Center North Iowa has discovered a former employee potentially accessed the medical records of patients without authorization over a period of 12 months.

An internal investigation suggested a former employee had inappropriately accessed patient information between July 2017 and July 2018. The employee had been given access to patient information to complete work duties, but Mercy Medical Center North Iowa was unable to confirm whether all records had been accessed for appropriate job-related purposes.

The types of information the former employee accessed were limited to names, addresses, birth dates, medications, and insurance information.

Breach notification letters were mailed to affected patients on November 26, 2018 and all individuals whose personal information was exposed have been offered 12 months of complimentary identity theft protection services.

The discovery of the unauthorized access has prompted Mercy Medical Center North Iowa to review its privacy practices and further training will be provided to employees to reinforce past training on hospital and HIPAA Rules related to patient privacy.

Mercy Medical Center North Iowa issued the following statement about the breach. “Mercy-North Iowa takes very seriously the responsibility to safeguard the protected health information of patients and apologizes for any concern or inconvenience this situation may cause.”

The privacy violation has been reported to law enforcement and the HHS’ Office for Civil Rights. The Globe Gazette has reported that approximately 1,900 current and former patients have been notified about the breach.

3,930 Patients of Arthritis & Osteoporosis Consultants of the Carolinas Notified About PHI Breach

3,930 patients of Charlotte, NC-based Arthritis & Osteoporosis Consultants of the Carolinas (AOCC) have been notified that some of their protected health information has been exposed.

A report containing patients’ personal and medical information was discovered to be missing on September 10, 2018. AOCC believes the report was accidentally discarded in the trash without first being shredded.

AOCC does not believe the report has been viewed by anyone other than authorized AOCC staff and no reports have been received to suggest patient information has been misused.

The following information was listed in the report: Names, birth dates, payer-issued ID numbers, insurance information, names of treating physicians, and for certain patients, the name of an infusion drug that had been administered.


OCR Fines Allergy Practice $125,000 for Impermissible PHI Disclosure

The Department of Health and Human Services’ Office for Civil Rights (OCR) has fined a Hartford allergy practice $125,000 to resolve potential violations of the HIPAA Privacy Rule.

On October 6, 2015, OCR received a copy of a civil rights complaint that had been filed with the Department of Justice (DOJ). The complainant alleged Allergy Associates of Hartford – a Connecticut healthcare provider that specializes in treating patients with allergies – had impermissibly disclosed her protected health information to a TV reporter.

The complainant had previously contacted a local TV station after she had been turned away from the allergy practice because of her service animal. The TV reporter subsequently contacted the practice seeking comment. A physician at the practice spoke to the reporter and impermissibly disclosed some of the patient’s protected health information.

OCR’s investigation confirmed there had been an impermissible disclosure of PHI, in violation of the HIPAA Privacy Rule – 45 C.F.R. § 164.502(a).

The physician in question had already been advised by the practice’s Privacy Officer to ignore the reporter’s request for comment or to respond with ‘no comment.’ However, the physician chose to speak with the reporter and disclosed some of the patient’s PHI. OCR viewed the disclosure as ‘a reckless disregard for the patient’s privacy rights.’

After Allergy Associates was contacted by OCR about the privacy breach, Allergy Associates failed to apply appropriate sanctions against the physician concerned for a violation of the practice’s privacy policies and procedures, as is required by the HIPAA Privacy Rule – 45 C.F.R. § 164.530(e)(1).

“When a patient complains about a medical practice, doctors cannot respond by disclosing private patient information to the media,” explained OCR Director Roger Severino. “Because egregious disclosures can lead to substantial penalties, covered entities need to pay close attention to HIPAA’s privacy rules, especially when responding to press inquiries.”

Allergy Associates agreed to settle the case with no admission of liability. In addition to paying a financial penalty of $125,000, Allergy Associates has agreed to adopt a robust corrective action plan which includes two years of OCR monitoring the practice’s compliance with HIPAA Rules.


53% Of Healthcare Data Breaches Due to Insiders and Negligence

The healthcare industry has had more than its fair share of hacking incidents, but the biggest threat comes from within. The actions of healthcare providers, health insurers, and their employees cause more breaches than hacks, malware, and ransomware attacks.

Researchers at Michigan State University and Johns Hopkins University analyzed data breaches reported to the Department of Health and Human Services’ Office for Civil Rights (OCR) over the past 7 years and found that more than half of breaches were the result of internal negligence.

The research study, which was recently published in the journal JAMA Internal Medicine, is a follow-on from a 2017 study that explored the risk of hospital data breaches and the types of hospitals that were most prone to data breaches. While the previous research cast light on which hospitals were most vulnerable, little information was available on the main causes of the breaches. The latest study addresses that gap in knowledge.

The researchers performed a retrospective analysis of the 1,183 healthcare data breaches reported to OCR between October 21, 2009 and December 31, 2017. Those breaches resulted in the exposure of 164 million healthcare records.

The analysis was limited to breaches of 500 or more records, as OCR does not publish summaries of smaller breaches. The breach reports split data breaches into six categories: hacking/IT incidents, unauthorized access/disclosure incidents, theft, loss, improper disposal, and unknown. 77.6% of breaches were correctly classified and 22.24% were misclassified or the cause was unknown.

The researchers discovered that theft of data by third-parties or unknown individuals was the single leading breach cause, accounting for 32.5% of incidents, with mailing errors in second place (10.5%), followed by theft by current or former employees (9%). Internal/external hacking incidents accounted for around 20% of breaches, although those incidents involved 133.8 million of the 164 million compromised records. 53% of all breaches were found to have originated from inside healthcare organizations.

“One quarter of all the cases were caused by unauthorized access or disclosure – more than twice the amount that were caused by external hackers,” said Xuefeng Jiang, associate professor of accounting and information systems at MSU’s Eli Broad College of Business and lead author of the study. “This could be an employee taking PHI home or forwarding to a personal account or device, accessing data without authorization, or even through email mistakes, like sending to the wrong recipients, copying instead of blind copying or sharing unencrypted content.”

An analysis of the location of breached PHI showed 46.1% of breaches involved mobile devices, paper records were involved in 28.7% of breaches and 29.3% of breaches involved network servers.

Typically, the actions taken by healthcare organizations post-breach were the use of encryption software, restricting the use of mobile devices, switching to digital records, improving physical security, strengthening firewalls and other cybersecurity protections, and enhancing monitoring and auditing.

While many breaches involve little risk to patients – the accidental disclosure of a name and address to another patient – the consequences of some breaches can be severe, for patients as well as for the breached entity. Anthem Inc.’s 78.8 million record breach in 2015 was used as an example. Many breach victims had tax returns filed in their names, resulting in financial losses.

In addition to the considerable cost of mitigating the breach – improving cybersecurity protections; hiring forensic investigators, cybersecurity consultants, and legal advisors; printing and mailing notification letters; providing credit monitoring services for breach victims – Anthem had to cover the cost of defending multiple class action lawsuits, which were ultimately settled for $115 million. Anthem has also recently been fined $16 million by OCR to resolve the HIPAA violations uncovered during its breach investigation. Anthem’s reputation has also been tarnished by the breach, the cost of which is difficult to calculate.

The findings of the study are important. “Healthcare entities must understand the causes of PHI breaches if they aim to effectively manage the trade-off between wider access or higher efficiency and more security,” explained the researchers in the paper.


October 2018 Healthcare Data Breach Report

Our October 2018 healthcare data breach report shows there has been a month-over-month increase in healthcare data breaches with October seeing more than one healthcare data breach reported per day.

31 healthcare data breaches were reported by HIPAA-covered entities and their business associates in October – 6 incidents more than the previous month. It should be noted that one breach at a business associate was reported to OCR as three separate breaches.

Healthcare Data Breaches (by Month)

The number of breached records in September (134,006) was the lowest total for 6 months, but the downward trend did not continue in October. There was a massive increase in exposed protected health information (PHI) in October. 2,109,730 records were exposed, stolen or impermissibly disclosed – 1,474% more than the previous month. In October, the average breach size was 68,055 records and the median was 4,058 records.

Healthcare Data Breaches (records exposed by month)

Largest Healthcare Data Breaches in October 2018

There were 11 healthcare data breaches of more than 10,000 records reported in October – a 120% increase from the five 10,000+ record breaches in September. The largest healthcare data breach in October resulted in the exposure of 1.24 million records: an unauthorized access/disclosure incident at Employees Retirement System of Texas. A flaw in its ERS Online portal allowed members to view the PHI of other members.

566,217 records were exposed in a breach at Banker’s Life, a division of CNO Financial Group Inc., also an unauthorized access/disclosure incident. Employee credentials were stolen and used to gain access to company websites, resulting in the exposure and potential theft of policyholder and applicant information.

Rank  Name of Covered Entity                  Covered Entity Type   Individuals Affected  Type of Breach
1     Employees Retirement System of Texas    Health Plan           1,248,263             Unauthorized Access/Disclosure
2     CNO Financial Group, Inc.               Health Plan           566,217               Unauthorized Access/Disclosure
3     Health First, Inc                       Healthcare Provider   42,000                Hacking/IT Incident
4     Jones Eye Center, P.C.                  Healthcare Provider   39,605                Hacking/IT Incident
5     Gold Coast Health Plan                  Business Associate    37,005                Hacking/IT Incident
6     The May Eye Care Center                 Healthcare Provider   30,000                Hacking/IT Incident
7     CJ Elmwood Partners, L.P.               Healthcare Provider   22,416                Hacking/IT Incident
8     Minnesota Department of Human Services  Health Plan           20,800                Hacking/IT Incident
9     Catawba Valley Medical Center           Healthcare Provider   20,000                Hacking/IT Incident
10    National Ambulatory Hernia Institute    Healthcare Provider   15,974                Hacking/IT Incident

Causes of October 2018 Healthcare Data Breaches

Unauthorized access/disclosure breaches resulted in the highest number of compromised records, but hacking/IT incidents were more common in October. October saw 16 hacking/IT incidents reported, 11 unauthorized access/disclosure incidents, and four theft incidents. There were no reports of lost PHI/ePHI and no improper disposal incidents.

Causes of October 2018 Healthcare Data Breaches

Healthcare Records Exposed by Breach Cause

Healthcare records Exposed by Breach Cause (October 2018)

Location of Breached Protected Health Information

Phishing is arguably the biggest cyber threat faced by healthcare organizations and October saw many phishing attacks reported by healthcare providers. In October, there were 9 incidents involving PHI exposure via email. There were also 9 network server-related breaches, which included hacks, malware, and ransomware attacks.

October 2018 Healthcare data Breach report - Location of Breached PHI

Data Breaches by Covered-Entity Type

In terms of the number of incidents, healthcare providers were the worst hit by data breaches in October with 20 reported breaches, followed by health plans/health insurers with 7. Four HIPAA business associate breaches were reported, three of which were by the same business associate – HealthFitness. One further breach had some business associate involvement.

In terms of the number of exposed records, health plans/insurers fared worse than other HIPAA-covered entities. 1,848,235 healthcare records were exposed at health plans/insurers, 221,994 healthcare records were exposed in healthcare provider breaches, and 39,501 records were exposed by business associates.

October 2018 Healthcare Data Breaches by entity type

Healthcare Data Breaches by State

Texas was worst affected by healthcare data breaches in October. 5 breaches were reported by covered entities/business associates based in Texas. California, Connecticut, Illinois, and Washington each had 3 breaches reported. There were two breaches reported in each of Florida, Iowa, Indiana, and Pennsylvania. Minnesota, Missouri, North Carolina, New Mexico, Oklahoma, and Oregon had one breach apiece.

Penalties for HIPAA Violations in October

After a period of quiet on the HIPAA penalty front, the Department of Health and Human Services’ Office for Civil Rights announced three settlements in September related to filming patients without consent. These were followed up in October with a massive fine for Anthem Inc.

The Anthem Inc. HIPAA violation penalty was expected, and given the scale of the breach (78.8 million records), the penalty was likely to be large. After assessing the extent of HIPAA violations, the scale of the breach, and its impact, OCR fined Anthem $16,000,000. The previous largest ever HIPAA penalty was $5,550,000 (Advocate Health Care Network, 2016).

In October, a multi-state action against the health insurer Aetna was concluded and settlements were reached to resolve the HIPAA violations. The penalties related to the impermissible disclosure of 13,160 plan members’ HIV/AIDS diagnoses via a mailing. Settlements were reached with Connecticut, New Jersey, and the District of Columbia totaling $640,170. Washington was also part of the multi-state action, but the settlement amount has not yet been decided.


Key Dental Group Alerts Patients About Potential HIPAA Violation

Key Dental Group, a dental practice in Pembroke Pines, FL, is informing its patients about an alleged HIPAA violation which has the potential to result in the unauthorized accessing of their protected health information (PHI).

After changing its electronic medical record (EMR) database provider, Key Dental Group requested that its former vendor, MOGO, return its EMR database. Even though the end user license agreement (EULA) stated that all patient data must be returned on termination of the agreement, MOGO has refused to return the database.

MOGO communicated to Key Dental Group, via its attorney, that the database would not be returned. The Pembroke Pines dental practice alleges that in addition to violating the EULA, MOGO, as a HIPAA business associate, is in violation of the Health Insurance Portability and Accountability Act.

Any security breach, such as the unauthorized accessing of patients’ protected health information, requires notifications to be sent to affected patients. Key Dental Group cannot say whether the database has been accessed after the termination of the EULA, but since the KDG-MOGO database can no longer be accessed, monitored, or protected from unauthorized access, notifications were deemed necessary.

“While Key Dental Group cannot definitively say that unauthorized access has or will occur to this database, given the apparent violations of various portions of HIPAA triggered by MOGO’s actions and the sensitivity of the information the database contains, Key Dental Group, PA is publicly notifying its patients at this time of this incident,” wrote Key Dental Group in a recent press release about the HIPAA incident.

All patients whose PHI – which includes names, addresses, dates of birth, medical histories, diagnoses/conditions, lab/test results, treatment information, medications, health insurance information, claims information, and the Social Security numbers of some Medicare/Medicaid patients – is present in the database have been told to be alert to the possibility of identity theft and fraud.


Stolen FHN Healthcare Laptop Contained the PHI of 4,458 Patients

FHN Healthcare, which operates FHN Memorial Hospital in Freeport, IL, and a network of family healthcare centers throughout northwest Illinois, has learned that a laptop computer containing the protected health information of 4,458 patients has been stolen from the vehicle of an employee.

The theft was immediately reported to law enforcement, but the device has not been recovered. FHN Healthcare reconstructed the data stored on the device and discovered it contained names, addresses, birth dates, medical record numbers, health insurance information, medical information, Social Security numbers, and driver’s license numbers.

FHN Healthcare already encrypts all its laptop computers, although the investigation into the incident revealed that the stolen device had not been encrypted and was only protected with a password. FHN reports that the lack of encryption was due to a technical issue with its encryption software and that the missed device was an isolated incident.

The discovery of the encryption failure has prompted FHN Healthcare to re-encrypt all its laptop computers. The employee who was issued with the laptop has been retrained on safeguarding mobile devices and the re-training has also been extended to other employees.

All patients impacted by the breach were notified by mail on November 2, 2018. Patients whose Social Security number or driver’s license number were exposed have been offered complimentary identity theft protection services for 12 months.


128,400 Employees and Patients Impacted by Phishing Attack on Albany Cancer Treatment Center

New York Oncology Hematology in Albany, NY, has announced that hackers have gained access to 15 employee email accounts which contained the sensitive information of as many as 128,400 current and former patients and employees.

As is common in phishing attacks, the emails contained a hyperlink to a seemingly legitimate email login page which requested usernames and passwords. When the information was entered it was harvested by the attackers.

According to the substitute breach notice on the New York Oncology Hematology website, each compromised email account only remained accessible for a short period of time before access was terminated. The email breaches were identified by New York Oncology Hematology’s IT vendor, which shut down access to the compromised accounts by resetting the passwords.

Access to 14 email accounts was gained on April 20, and a second attack took place between April 21 and April 27, which resulted in a further email account being compromised.

New York Oncology Hematology hired a third-party computer forensics firm to investigate the breach and, on October 1, 2018, the firm confirmed that the compromised email accounts contained the protected health information of patients and sensitive employee information. The breach was restricted to patients and employees who joined New York Oncology Hematology prior to April 27, 2018.

The types of information in the compromised accounts differed from individual to individual and may have included names, home addresses, email addresses, dates of birth, insurance information, medical information, diagnostic codes, test results, account numbers, and dates of service. A limited number of patient and employee Social Security and driver’s license numbers were also exposed.

New York Oncology Hematology has not uncovered any evidence to suggest that sensitive information was accessed or stolen by the attackers and no reports have been received to suggest data misuse.

Out of an abundance of caution, New York Oncology Hematology is offering all affected individuals 12 months of complimentary credit and identity theft monitoring services through Experian. New York Oncology Hematology has since taken steps to improve email security.

All individuals potentially impacted by the incident were notified of the breach on November 16, 2018. Given that unauthorized access was rapidly detected and blocked, it is unclear why it took almost 7 months for notification letters to be issued.


Email Hacking Incident Reported by Episcopal Health Services

Certain current and former patients of St. John’s Episcopal Hospital and Episcopal Health Services in New York are being notified that some of their protected health information has potentially been compromised.

On September 18, 2018, Episcopal Health Services became aware of suspicious activity in several employee email accounts. An investigation was immediately launched, and a third-party digital forensics firm was called in to determine the nature and scope of the breach. The investigation revealed multiple employee email accounts had been compromised between August 28, 2018 and October 5, 2018.

A thorough review of the compromised email accounts was completed on November 1. The types of information exposed differed from patient to patient but may have included name, date of birth, Social Security number, medical history, prescription information, diagnoses, treatment information, medical record number, financial information, and health insurance information.

“Episcopal Health Services is committed to, and takes very seriously, its responsibility to protect all data entrusted to us. We are continuously taking steps to enhance data security protections,” explained Episcopal Health Services in its substitute breach notice. The measures taken to improve security include a forced password reset on all employee email accounts and the implementation of additional email security controls to prevent further unauthorized access.

While no evidence of data theft or misuse was uncovered during the investigation, out of an abundance of caution, Episcopal Health Services has offered all affected individuals 12 months of credit monitoring services without charge. Due to the sensitive nature of the information that was exposed, Episcopal Health Services has advised patients to monitor their account statements for any sign of suspicious activity.

It is currently unclear how many patients have been impacted by the breach.
