HIPAA Breach News

PHI Accessed by Contra Costa Health Plan Contractor Who Falsified Identity to Win Contracts

Contra Costa Health Plan (CCHP) has started notifying certain patients that some of their protected health information may have been viewed by an unauthorized individual.

That individual was a contractor who won a series of contracts related to utilization management. The contractor first started working with CCHP on December 1, 2018, and was given access to systems containing health plan records to complete her contracted duties.

On May 22, 2018, CCHP learned that the contractor had falsified her identity in order to win the contracts. Upon discovery of the fraud, CCHP terminated the contract and blocked access to its systems. A full audit of the activities of the contractor was conducted to determine what systems had been accessed and whether plan members’ data had been viewed.

The audit revealed that the contractor had accessed plan members’ health plan records while performing her utilization management duties, although no evidence was uncovered to suggest any of the information contained in those records has been further disclosed by the contractor or used inappropriately.

The types of information potentially viewed included names, addresses, phone numbers, dates of birth, medical information, prescription information, and Social Security numbers.

The California Department of Health Care Services was notified about the incident and advised CCHP to issue notifications to all plan members whose records had been accessed. Those individuals have been offered complimentary credit monitoring, identity theft protection, and identity restoration services out of an abundance of caution.

Ramsey County Social Services Notifies Patients of Phishing Breach

Ramsey County Social Services in St. Paul, MN, experienced a phishing attack on August 9, 2018 that resulted in the email accounts of 28 employees being accessed by unauthorized individuals.

After gaining access to the email accounts, the attackers attempted to redirect employees’ paychecks. Prompt action was taken to block the attack and secure the accounts, and a data security firm was hired to conduct a thorough investigation of the breach.

On October 12, 2018, the data security firm notified Ramsey County Social Services that the hackers had potentially viewed emails in the accounts that contained the protected health information of approximately 500 patients, most of whom had used the agency’s chemical and mental health services.

The types of information contained in the accounts included names, addresses, dates of birth, Social Security numbers, and a limited amount of medical information. Patients affected by the breach were notified in early December. No reports have been received to suggest any information in the email accounts has been misused.

To better protect employee email accounts, a tool has been implemented to ensure employees set strong passwords, and multi-factor authentication has been implemented to prevent accounts from being accessed from unknown locations and devices. New security software has also been implemented that offers enhanced monitoring and auditing capabilities, and employees have been provided with further training.

The post PHI Accessed by Contra Costa Health Plan Contractor Who Falsified Identity to Win Contracts appeared first on HIPAA Journal.

16,000 Mind & Motion Patients Impacted by Ransomware Attack

Mind & Motion Developmental Centers of Georgia has announced that hackers have succeeded in installing ransomware and malware on a server, which has potentially allowed them to gain access to patients’ protected health information.

The ransomware was downloaded and executed on a server housing Mind & Motion medical records. The types of data that were potentially compromised include names, addresses, birth dates, patients’ gender, medical histories, medical diagnoses, health insurance information, and Social Security numbers. It is also possible that medical records were compromised as a result of the attack.

Mind & Motion discovered the ransomware attack on September 30, 2018. An IT vendor, TeamLogic IT, was retained to investigate the breach, determine how the attack occurred, and help recover data that had been rendered inaccessible by the ransomware.

In addition to the ransomware infection, TeamLogic IT discovered an inactive keylogger and a spam emailer on the server. All malware was successfully removed and associated accounts were deleted. TeamLogic IT did not uncover evidence to suggest any of the installed malware had been used to access patient financial information or Mind & Motion’s scheduling and electronic billing systems.

Since the attack was discovered, Mind & Motion has not received any reports from patients to suggest that any of their PHI has been stolen and misused. The attack is believed to have been performed with the purpose of extorting money from Mind & Motion and patients are not expected to experience any negative effects from the attack.

In response to the security breach, and as instructed by its IT vendor, Mind & Motion has reset all passwords and implemented controls to ensure complex passwords are set on all accounts in the future. A policy has also been introduced to force users to change passwords more frequently. Computers and servers have professional anti-malware solutions installed and will be regularly scanned. Mind & Motion has also implemented encryption on all its computers and the latest anti-spam technology has been deployed to protect against phishing attacks.

Promptly after the breach was detected, Mind & Motion hired a compliance consulting firm to make sure that all requirements of HIPAA were satisfied. The consulting firm will be administering further HIPAA compliance training to all staff within 30 days.

A breach report was submitted to the Department of Health and Human Services’ Office for Civil Rights on November 30, 2018 and all affected patients have been notified about the breach by mail. The OCR breach report indicates up to 16,000 patient records were potentially compromised.


EmblemHealth Pays $100,000 HIPAA Violation Penalty to New Jersey for 2016 Data Breach

The health insurance provider EmblemHealth has been fined $100,000 by New Jersey for a 2016 data breach that exposed the protected health information (PHI) of more than 6,000 New Jersey plan members.

On October 3, 2016, EmblemHealth sent Medicare Part D Prescription Drug Plan Evidence of Coverage documents to its members.

The mailing labels included beneficiary identification codes and Medicare Health Insurance Claim Numbers (HCIN), which mirror Social Security numbers. The documents were sent to more than 81,000 policy members, 6,443 of whom were New Jersey residents.

The New Jersey Division of Consumer Affairs investigated the breach and identified policy, procedural, and training failures. Previous mailings of Evidence of Coverage documents were handled by a trained employee, but when that individual left EmblemHealth, mailing duties were handed to a team manager who had only been given minimal task-specific training and worked unsupervised.

That individual sent a data file to EmblemHealth’s mailing vendor without first removing HCINs, which resulted in the HCINs being printed on mailing labels: a violation of HIPAA, the New Jersey Identity Theft Prevention Act, and the New Jersey Consumer Fraud Act.

“Health insurers entrusted with their customers’ sensitive personal information have a duty to avoid improper disclosures,” said New Jersey Attorney General Gurbir S. Grewal. “EmblemHealth fell short of its obligations to its customers in this case, and I am pleased that our settlement includes measures designed to prevent similar breaches at this company in the future.”

In addition to the financial penalty, EmblemHealth has agreed to make changes to its policies and procedures to prevent further breaches of plan members’ PHI. Those measures include the use of unique patient identifiers for mailings rather than HCINs or Medicare Beneficiary Identifiers.

EmblemHealth will also ensure that a formal transfer process takes place when the responsibilities of outgoing staff are passed on to other EmblemHealth employees or third parties, and that all necessary training will be provided.

All incoming employees will also be required to complete additional privacy and security training modules and refresher training sessions will be conducted annually. The New Jersey Division of Consumer Affairs will be monitoring EmblemHealth over the next three years and must be informed of any further breaches of the PHI of New Jersey customers.

“This settlement should serve as a reminder that we are committed to safeguarding consumer privacy, and will hold accountable any businesses that are careless in the handling of such personal data,” said Paul R. Rodríguez, Acting Director of the Division of Consumer Affairs.

New Jersey has been highly active as an enforcer of HIPAA Rules and has agreed to four settlements in 2018 to resolve violations of HIPAA Rules. In addition to the EmblemHealth HIPAA fine, New Jersey has settled HIPAA violations with Best Transcription Medical ($200,000), Aetna ($365,211.59), and Virtua Medical Group ($417,816) in 2018.


48,000 Patients of Frisco Medical Center Notified of Breach of Payment Information

Baylor Scott & White Medical Center in Frisco, TX, has discovered the payment information of almost 48,000 patients and guarantors may have been compromised.

The medical center, which is jointly managed by United Surgical Partners International (USPI) and Baylor Scott & White Health, discovered an issue with the credit card processing system of one of its vendors. The investigation revealed there had been a week-long computer intrusion between September 22 and September 29. Upon discovery of the issue, the medical center informed the vendor and stopped all credit card processing through the vendor’s system.

Baylor Scott & White Health did not uncover evidence to suggest any patient/guarantor information had been further disclosed or misused; however, as a precaution, all individuals affected by the incident have been offered one year of complimentary credit monitoring services through TransUnion Interactive.

The security breach was limited to the third-party vendor’s system. Hospital information and clinical systems remained secure at all times. No health information or Social Security numbers were exposed. Only the Frisco medical center was affected by the breach.

The information that was exposed and potentially accessed by an unauthorized individual was limited to: names, addresses, dates of service, medical record numbers, health insurance provider information, account numbers, the last four digits of credit card numbers, CCV numbers, type of credit card used, recurring payment dates, account balances, invoice numbers, and transaction statuses.

All individuals affected by the breach have been notified by mail. The data security incident was reported to the Department of Health and Human Services’ Office for Civil Rights on November 26, 2018. The OCR breach portal indicates 47,948 individuals have been affected.


6,450 Prairie Fields Family Medicine Patients Notified About Email-Related Privacy Breach

Prairie Fields Family Medicine in Fremont, NE, is alerting 6,450 patients that some of their protected health information was contained in an unencrypted spreadsheet that was inadvertently sent to the wrong email recipient.

The email was sent on October 1, 2018, and the error was discovered the same day. Prairie Fields Family Medicine has made multiple attempts to contact the owner of the email account to ensure the spreadsheet is securely deleted but, so far, no response has been received.

The lack of contact has led Prairie Fields Family Medicine to believe the email account is no longer in use and has been abandoned, although the possibility remains that the spreadsheet has been opened and patient information has been compromised.

The spreadsheet did not contain any financial data or health information typically contained in medical records. The breach was limited to patients’ first and last names, birth date, telephone number, first language spoken, sex, race, and, for certain patients, primary and secondary health insurer information, including providers’ names and account numbers.

All affected patients have been notified of the breach by mail and the Department of Health and Human Services’ Office for Civil Rights has been informed.

Prairie Fields Family Medicine has not received any information to suggest any patient health information has been accessed or misused, but since insurance information has potentially been compromised, affected patients have been advised to check their explanation of benefits statements for suspicious activity.

The privacy breach has prompted Prairie Fields Family Medicine to put additional controls in place to prevent further impermissible disclosures of patients’ protected health information.


16,000 Redwood Eye Center Patients Impacted by MSP Breach

A managed service provider that hosts the electronic health records of Redwood Eye Center in Vallejo, CA, has experienced a security breach that has resulted in the exposure of 16,000 patients’ protected health information.

IT Lighthouse provides computer support and application hosting services, including the hosting of electronic health records. During the evening of September 19, 2018, hackers succeeded in installing ransomware on a server that was hosting the electronic health records of patients of Redwood Eye Center. Redwood Eye Center was notified about the security breach on September 20, 2018.

A third-party computer forensics firm was hired by IT Lighthouse to assist with the investigation and a specialized medical software vendor was consulted and helped Redwood Eye Center recover the affected data.

The types of data that were potentially accessed by the attackers included patients’ names, addresses, birth dates, health insurance information, and medical treatment information. The investigation did not uncover any evidence to suggest the attackers accessed the PHI of Redwood Eye Center patients, but notification letters were sent out of an abundance of caution on December 6, 2018.

The breach notification letter sent to the California attorney general indicates 16,055 California residents have had their protected health information exposed.

Email Privacy Breach Reported by Butler County

Butler County, OH, is notifying approximately 1,350 employees that some of their protected health information has been exposed as a result of an email error. The county’s wellness coordinator sent an email in September about health insurance which included a spreadsheet that contained the wellness information of employees.

The spreadsheet had hidden columns which contained information such as names, insurance ID numbers, and information about the employees’ participation in the county wellness program. Highly sensitive information such as Social Security numbers and passwords were not exposed. Affected individuals have been advised to take steps to prevent the fraudulent use of their insurance information.

Butler County sought legal advice about the breach and was advised to report the incident to the Department of Health and Human Services, which is investigating.

Coding Error Resulted in Disclosure of Thielen Student Health Center Patient Data

599 patients of Thielen Student Health Center in Ames, IA, are being notified that some of their protected health information has been impermissibly disclosed to other patients.

Thielen Student Health Center uses software to send satisfaction surveys to patients. In a recent survey run, a coding error occurred when patient information was put into the system. As a result of the error, names of patients, appointment dates, and providers’ names were incorrectly added to the surveys. Individuals affected had the above information disclosed to one other patient.

The error was rapidly identified and the health center was able to recall many of the surveys before they were seen. All affected individuals have now been notified and changes have now been made to remove personally identifiable information from future surveys.


PHI of 41,000 Patients of Cancer Centers of America Potentially Compromised in Phishing Attack

Cancer Centers of America’s Western Regional Medical Center in Bullhead City, AZ, has discovered the email account of one of its employees has been compromised as a result of a response to a phishing email.

The phishing email appeared to have been sent from the email account of a Cancer Treatment Centers of America executive and used social engineering techniques to fool the employee into disclosing login credentials to the account.

The attacker was able to access the account, but only for a limited time, as the account compromise was detected by IT staff and the user’s account password was reset. However, during the time that the email account was accessible, it is possible that some messages containing patients’ protected health information (PHI) were accessed.

Cancer Treatment Centers of America called in a nationally recognized computer forensics firm to assist with the investigation. While it was not possible to tell which, if any, emails were accessed, it was discovered that the compromised email account contained the PHI of 41,948 patients.

The information in the emails varied from patient to patient and may have included: Name, address, email address, date of birth, medical record number, treatment dates, facility visited, physician name, type of cancer, and health insurance information. A small number of Social Security numbers were exposed but the emails did not include any financial information.

Free credit monitoring and identity theft protection services have been offered to all patients whose Social Security number was exposed. Cancer Treatment Centers of America has since provided further training to employees to help them identify suspicious emails.

The breach occurred on May 2, 2018 and the CTCA Information Technology Department quickly took action to reset the account; however, the Cancer Treatment Centers of America website breach notice states that CTCA only became aware of the breach of PHI on September 26, 2018.

The breach was reported to the Department of Health and Human Services’ Office for Civil Rights on November 26, 2018.


Ransomware Attacks Reported by Healthcare Providers in Illinois and Rhode Island

A roundup of recent healthcare ransomware attacks, privacy breaches, and security incidents that have been announced in the past few days.

Center for Vitreo-Retinal Diseases Ransomware Attack Impacts 20,371 Patients

The Center for Vitreo-Retinal Diseases in Libertyville, IL, experienced a ransomware attack that resulted in the encryption of data on its servers. The attack was detected on September 18, 2018. The investigation into the breach suggests the attacker may have gained access to the protected health information of 20,371 patients that was stored on the affected servers.

The attack appeared to have been conducted with the intention of extorting money from the practice. While it is possible that patient information was accessed by the attacker, no evidence of unauthorized data access, data theft, or misuse of patient information has been discovered.

The information that was potentially compromised included names, addresses, telephone numbers, birth dates, health insurance information, health data, and the Social Security numbers of Medicare patients.

The Center for Vitreo-Retinal Diseases has since reviewed its security protections and has taken steps to prevent similar security breaches from occurring in the future.

Rhode Island Health Center Experiences Ransomware Attack

Woonsocket, RI-based Thundermist Medical Center experienced a ransomware attack on the evening of Thursday, November 28 which took some of its computer systems out of action. Fast action was taken to secure patient information and unaffected systems were isolated to prevent widespread file encryption.

The health center implemented its emergency protocols and was able to continue providing medical services. There was minimal impact on patients although certain appointments were cancelled out of safety concerns due to the inability to access medical records. Thundermist Medical Center does not believe any patient information was compromised in the attack.

Mailing Error by Vendor of OrthoTexas Physicians and Surgeons Caused Patient Name Disclosure

OrthoTexas Physicians and Surgeons, a network of orthopedic and sports medicine practices in Texas, has discovered an error was made on an October 5, 2018 mass mailing which resulted in the accidental disclosure of patient information to other patients.

The letters were notifications that a physician had joined the practice and would be treating patients at its facilities in Frisco and Plano. The letters, which were incorrectly dated August 27, 2018, were placed in incorrect envelopes by the practice’s mailing vendor.

The mailing was sent to 2,172 patients and resulted in the name of one patient being disclosed to another patient. No other patient information was included in the mailing.

San Mateo Medical Center Discovers Improper Disposal of 500 Patients’ PHI

San Mateo Medical Center in Daly City, CA, has discovered the medical records of up to 500 patients have been accidentally exposed as a result of an improper disposal incident.

The paper records had been left overnight in a box under an employee’s desk, and temporary cleaning staff mistook the box for recycling and disposed of the documents in a recycling bin that was only intended to be used for non-confidential paperwork. San Mateo Medical Center has separate recycling bins for paperwork containing confidential information, which is sent for shredding prior to disposal.

The paperwork relates to patients who visited its Daly City facility on November 5-6 inclusive. Since the documents have not been recovered, it was not possible to tell exactly which patients have been affected, nor exactly what information was recorded on the documents.

San Mateo Medical Center believes the patients affected by the incident have had the following information exposed: name, birth date, medical record number, service date, patient account number, gender, age, provider or resource name, and insurance code.

San Mateo Medical Center has reinforced its policies on the correct way to dispose of sensitive information and the Daly City clinic manager has instructed staff not to leave confidential information out overnight and to place confidential documents in shredding bins immediately when they are no longer required.


12 State Attorneys General File HIPAA Breach Lawsuit Against Medical Informatics Engineering

A multi-state federal lawsuit has been filed against Medical Informatics Engineering and NoMoreClipboard over the 2015 data breach that exposed the data of 3.9 million individuals.

Indiana Attorney General Curtis Hill is leading the lawsuit and 11 other states are participating – Arizona, Arkansas, Florida, Iowa, Kansas, Kentucky, Louisiana, Minnesota, Nebraska, North Carolina and Wisconsin.

This is the first time that state attorneys general have joined forces in a federal lawsuit over a data breach caused by violations of the Health Insurance Portability and Accountability Act. The lawsuit seeks a financial judgement, civil penalties, and the adoption of a corrective action plan to address all compliance failures.

A Failure to Implement Adequate Security Controls

The lawsuit alleges Medical Informatics Engineering failed to implement appropriate security to protect its computer systems and sensitive patient data and, as a result of those failures, a preventable data breach occurred. According to the lawsuit, “Defendants failed to implement basic industry-accepted data security measures to protect individual’s health information from unauthorized access.”

The breach in question occurred between May 7 and May 26, 2015. Hackers were able to gain access to its WebChart electronic health record system and highly sensitive patient information – the exact types of data sought by identity thieves: names, addresses, dates of birth, Social Security numbers, and health information.

Known Vulnerabilities Were Not Corrected

Medical Informatics Engineering had set up two ‘tester’ accounts, one of which could be accessed with the username and password ‘tester’ and the other with the username and password ‘testing.’ Both accounts could be accessed remotely without the need for any further identification. The lawsuit alleges Medical Informatics Engineering was aware of the security issue, as the accounts were identified as high risk by a third-party penetration testing firm, Digital Defense, in January 2015. Even though the accounts were high risk, Medical Informatics Engineering continued to use them. The accounts were set up to enable one of its healthcare provider clients to log in without having to use unique usernames and passwords.

While those accounts did not have privileged access, they did allow the hackers to gain a foothold in the network. Through those accounts the attackers conducted an SQL injection attack, which allowed them to gain access to other accounts with administrative privileges that were used to exfiltrate data.

Post-Breach Response Failures

While the initial attack and data exfiltration went unnoticed, a further attempt to exfiltrate data using malware caused network performance to slow to such an extent that an alarm was generated, alerting Medical Informatics Engineering that its systems had been compromised. While the company was investigating the malware attack, the attackers were still able to exfiltrate further data through SQL queries, demonstrating that the company’s post-breach response was “inadequate and ineffective.”

No Encryption or Employee Security Awareness Training

No encryption had been used to protect stored data, and no security system had been implemented to alert Medical Informatics Engineering about possible hacking attempts. Had such a system been implemented, it would have been easy to identify unauthorized access, as two of the IP addresses used by the attackers originated in Germany.
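The two gaps described in the sections above (shared ‘tester’/‘testing’ accounts reachable remotely, and no alerting on logins from outside the expected country) are exactly what a simple review of an application’s authentication log can surface. The following is an added defensive example, not code from HIPAA Journal, the lawsuit or Medical Informatics Engineering; the log line format, the IP-to-country table (documentation-range addresses) and the expected-country list are all constructed assumptions for the example.

```python
"""
Authentication-log review that flags (a) successful logins to shared
default accounts and (b) successful logins from countries outside the
organisation's expected footprint.  Everything below is a constructed
example; a real deployment would read the EHR's own audit log and use
a GeoIP database instead of the small lookup table.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample audit lines (documentation-range IPs, no real system).
SAMPLE_LOG = """\
2015-05-07T02:14:11Z app=webchart event=login user=tester src=203.0.113.25 result=success
2015-05-07T02:15:40Z app=webchart event=login user=tester src=203.0.113.25 result=success
2015-05-07T09:01:03Z app=webchart event=login user=jdoe src=198.51.100.7 result=success
2015-05-08T03:22:19Z app=webchart event=login user=testing src=192.0.2.77 result=success
2015-05-08T03:30:00Z app=webchart event=query user=testing src=192.0.2.77 result=success
2015-05-09T14:10:55Z app=webchart event=login user=msmith src=198.51.100.9 result=failure
this line is deliberately malformed and must be skipped
"""

# Constructed stand-in for a GeoIP lookup.
IP_COUNTRY = {
    "203.0.113.25": "DE",
    "192.0.2.77": "DE",
    "198.51.100.7": "US",
    "198.51.100.9": "US",
}

# Account names the page says a pen test had already flagged as high risk.
SHARED_DEFAULT_ACCOUNTS = {"tester", "testing"}
# Countries staff and clients are expected to log in from (assumption).
EXPECTED_COUNTRIES = {"US"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) app=(?P<app>\S+) event=(?P<event>\S+) "
    r"user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)


@dataclass(frozen=True)
class Finding:
    ts: str
    user: str
    src: str
    reason: str


def parse_line(line: str) -> dict | None:
    """Return the fields of one audit line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def review_log(text: str,
               ip_country: dict = IP_COUNTRY,
               expected: set = EXPECTED_COUNTRIES,
               shared: set = SHARED_DEFAULT_ACCOUNTS) -> list[Finding]:
    """Scan successful logins; a line can raise both findings at once."""
    findings: list[Finding] = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["event"] != "login" or rec["result"] != "success":
            continue
        if rec["user"] in shared:
            findings.append(Finding(rec["ts"], rec["user"], rec["src"],
                                    "login to shared default account"))
        # Unknown source addresses are treated as unexpected, not ignored.
        country = ip_country.get(rec["src"], "??")
        if country not in expected:
            findings.append(Finding(rec["ts"], rec["user"], rec["src"],
                                    f"login from unexpected country {country}"))
    return findings


def summarize(findings: list[Finding]) -> Counter:
    """Count findings per reason, the figure an alert threshold would use."""
    return Counter(f.reason for f in findings)


if __name__ == "__main__":
    hits = review_log(SAMPLE_LOG)
    for h in hits:
        print(f"{h.ts} user={h.user} src={h.src}: {h.reason}")
    print(dict(summarize(hits)))
```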

The lawsuit also alleges Medical Informatics Engineering had no documentation to confirm security awareness training had been provided to its employees prior to the data breach.

In addition to violations of HIPAA Rules, the lawsuit alleges Medical Informatics Engineering violated several state statutes relating to the protection of personal information, unfair and deceptive practices, and data breach notifications.
