HIPAA Breach News

Stolen FHN Healthcare Laptop Contained the PHI of 4,458 Patients

FHN Healthcare, which operates FHN Memorial Hospital in Freeport, IL, and a network of family healthcare centers throughout northwest Illinois, has learned that a laptop computer containing the protected health information of 4,458 patients has been stolen from the vehicle of an employee.

The theft was immediately reported to law enforcement, but the device has not been recovered. FHN Healthcare reconstructed the data stored on the device and discovered it contained names, addresses, birth dates, medical record numbers, health insurance information, medical information, Social Security numbers, and driver’s license numbers.

FHN Healthcare already encrypts all its laptop computers, although the investigation into the incident revealed that the stolen device had not been encrypted and was only protected with a password. FHN reports that the lack of encryption was due to a technical issue with its encryption software and that the missed device was an isolated incident.

The discovery of the encryption failure has prompted FHN Healthcare to re-encrypt all its laptop computers. The employee who was issued with the laptop has been retrained on safeguarding mobile devices and the re-training has also been extended to other employees.

All patients impacted by the breach were notified by mail on November 2, 2018. Patients whose Social Security number or driver’s license number were exposed have been offered complimentary identity theft protection services for 12 months.

The post Stolen FHN Healthcare Laptop Contained the PHI of 4,458 Patients appeared first on HIPAA Journal.

128,400 Employees and Patients Impacted by Phishing Attack on Albany Cancer Treatment Center

New York Oncology Hematology in Albany, NY, has announced that hackers have gained access to 15 employee email accounts which contained the sensitive information of as many as 128,400 current and former patients and employees.

As is common in phishing attacks, the emails contained a hyperlink to a seemingly legitimate email login page which requested usernames and passwords. When the information was entered it was harvested by the attackers.

According to the substitute breach notice on the New York Oncology Hematology website, each compromised email account only remained accessible for a short period of time before access was terminated. The email breaches were identified by New York Oncology Hematology’s IT vendor, which shut down access to the compromised accounts by resetting the passwords.

Access to 14 email accounts was gained on April 20, and a second attack took place between April 21 and April 27, which resulted in a further email account being compromised.

New York Oncology Hematology hired a third-party computer forensics firm to investigate the breach and, on October 1, 2018, the firm confirmed that the compromised email accounts contained the protected health information of patients and sensitive employee information. The breach was restricted to patients and employees who joined New York Oncology Hematology prior to April 27, 2018.

The types of information in the compromised accounts differed from individual to individual and may have included names, home addresses, email addresses, dates of birth, insurance information, medical information, diagnostic codes, test results, account numbers, and dates of service. A limited number of patient and employee Social Security and driver’s license numbers were also exposed.

New York Oncology Hematology has not uncovered any evidence to suggest that sensitive information was accessed or stolen by the attackers and no reports have been received to suggest data misuse.

Out of an abundance of caution, New York Oncology Hematology is offering all affected individuals 12 months of complimentary credit and identity theft monitoring services through Experian. New York Oncology Hematology has since taken steps to improve email security.

All individuals potentially impacted by the incident were notified of the breach on November 16, 2018. Given that unauthorized access was rapidly detected and blocked, it is unclear why it took almost 7 months for notification letters to be issued.


Email Hacking Incident Reported by Episcopal Health Services

Certain current and former patients of St. John’s Episcopal Hospital and Episcopal Health Services in New York are being notified that some of their protected health information has potentially been compromised.

On September 18, 2018, Episcopal Health Services became aware of suspicious activity in several employee email accounts. An investigation was immediately launched, and a third-party digital forensics firm was called in to determine the nature and scope of the breach. The investigation revealed multiple employee email accounts had been compromised between August 28, 2018 and October 5, 2018.

A thorough review of the compromised email accounts was completed on November 1. The types of information exposed differed from patient to patient but may have included name, date of birth, Social Security number, medical history, prescription information, diagnoses, treatment information, medical record number, financial information, and health insurance information.

“Episcopal Health Services is committed to, and takes very seriously, its responsibility to protect all data entrusted to us. We are continuously taking steps to enhance data security protections,” explained Episcopal Health Services in its substitute breach notice. The measures taken to improve security include a forced password reset on all employee email accounts and the implementation of additional email security controls to prevent further unauthorized access.

While no evidence of data theft or misuse was uncovered during the investigation, out of an abundance of caution, Episcopal Health Services has offered all affected individuals 12 months of credit monitoring services without charge. Due to the sensitive nature of the information that was exposed, Episcopal Health Services has advised patients to monitor their account statements for any sign of suspicious activity.

It is currently unclear how many patients have been impacted by the breach.


HealthEquity Notifies 190,000 Individuals of Phishing-Related PHI Breach

HealthEquity is notifying 190,000 individuals that some of their protected health information has been exposed as a result of a phishing attack.

HealthEquity is a Utah-based company that provides services to help individuals gain tax advantages to offset the cost of healthcare, either through employers or health plans. These services include health savings accounts (HSAs), health flexible spending arrangements (FSAs), limited purpose FSAs, and dependent care reimbursement accounts (DCRAs).

In order to provide those services, HealthEquity has access to protected health information, some of which is communicated via email for business purposes. On October 5, 2018, HealthEquity’s security team discovered two Office 365 email accounts had been accessed by an unauthorized individual.

On October 20, 2018, following an analysis into the cyberattack, HealthEquity confirmed that two employee email accounts had been breached and that those accounts contained the sensitive personal information of employees and individuals who benefited from its services through their health plan or employer.

The investigation determined that one of the email accounts was accessed by an unauthorized third party on October 5, 2018. The second email account was first breached on September 4, 2018 and was subsequently accessed by an unauthorized individual on multiple occasions up to October 3, 2018.

While the investigation confirmed that the accounts had been accessed, it is currently unclear whether any emails in the accounts were opened and viewed or copied. No reports of misuse of information have been received.

The types of information that were potentially accessed include names, account types, Social Security numbers, employer names, and health plan names.

Many breached entities that discover highly sensitive protected health information has been compromised offer credit monitoring and identity theft protection services to breach victims. Those services are usually provided for 12 months or, less frequently, for 24 months without charge. HealthEquity took the decision to offer breach victims access to those services for five years without charge. Breach victims will also be protected by a $1,000,000 insurance reimbursement policy. Those services have been provided through MyIDCare.

In addition to providing extended protection to breach victims, HealthEquity has taken steps to improve email security and has updated its security protocols. Measures taken so far include the provision of further training to its workforce, the implementation of additional technical security controls, and enhanced monitoring of email accounts for suspicious activity.


2,393 Patients of Southwest Washington Regional Surgery Center Impacted by Phishing Attack

Southwest Washington Regional Surgery Center in Vancouver, WA, has suffered a phishing attack that has resulted in the exposure of 2,393 patients’ protected health information.

The breach was confined to a single email account and no evidence was uncovered to suggest any emails have been accessed or downloaded by the attacker. An extensive investigation was conducted with assistance provided by a third-party cybersecurity firm. The investigation concluded on September 25.

The investigation included a manual review of all emails in the compromised account to identify patients affected and the types of information that may have been compromised.

Southwest Washington Regional Surgery Center explained in its breach notice that the breach was limited to the following PHI elements: names, driver’s license numbers, Social Security numbers, medical information, and, for a limited number of patients, credit card numbers.

The investigation revealed the email account was compromised on May 27, 2018 and access remained possible until August 13, 2018.

Patients impacted by the breach were sent breach notification letters on November 6, 2018 and have been offered complimentary credit monitoring and identity theft restoration services for 12 months. Information has also been provided on the steps that should be taken to reduce the risk of identity theft and fraud.

The breach has prompted Southwest Washington Regional Surgery Center to enhance its email access protocols to prevent further successful phishing attacks; passwords have been reset and its password policy has been updated.


HealthCare.gov Data Breach Exposed Personal Information of 94,000 Individuals

Last month, the Centers for Medicare & Medicaid Services (CMS) announced that the HealthCare.gov website had been hacked and the sensitive data of approximately 75,000 individuals had potentially been compromised.

This week, the CMS issued an update on the breach confirming that more people had been affected than was initially thought. The revised estimate has seen the number of breach victims increase to 93,689.

The initial breach announcement was light on details about the exact nature of the breach and the types of information that had potentially been compromised. In the initial announcement the CMS explained that suspicious activity was detected on the site on October 13 and on October 16 a breach was confirmed. Steps were immediately taken to secure the site and prevent any further data access or data theft.

The CMS started sending out breach notification letters on November 7 which explain the breach in more detail, including the types of information that were potentially accessed.

CMS explained that the ‘suspicious activity’ it detected was certain agent and broker accounts conducting an unnatural number of searches to find consumer information. Those searches returned results that contained the personal information of people detailed in Marketplace applications.

The compromised agent and broker accounts were rapidly deactivated and the Direct Enrollment pathway for agents and brokers was temporarily deactivated while the system was secured. The Direct Enrollment pathway was brought back online on October 26.

The CMS has now confirmed that an extensive range of sensitive information has potentially been accessed and stolen by the hackers, which may have included the following data elements:

  • Name
  • Date of birth
  • Address
  • Sex
  • Last four digits of Social Security number (SSN) – if provided on applications
  • Expected income
  • Tax filing status
  • Family relationships
  • Citizen or immigrant status
  • Immigration document types and numbers
  • Employer name(s)
  • Pregnancy status
  • Whether the individual has health insurance
  • Information provided by other federal agencies and data sources to confirm application information
  • Whether the Marketplace asked the applicant for documents or explanations
  • Application result
  • Tax credit amounts
  • If an applicant enrolled, the name of the insurance plan, premium, and coverage dates

The CMS has not been able to confirm whether any personal information was stolen by the hackers, although as a precaution, individuals whose personal information has been exposed have been offered free identity theft protection services.

The investigation is continuing, and additional security measures are being implemented to prevent any further breaches.

The HealthCare.gov website has had a tough time since its launch. Malware was uploaded to a test server in July 2014, just a few months after the site was launched. Audits by government watchdog agencies, including the Government Accountability Office (GAO), identified a slew of vulnerabilities and confirmed that there had been 316 security incidents involving the website and its supporting systems between October 2013 and March 2015.

While none of those incidents resulted in sensitive data being compromised, GAO did identify a number of security weaknesses in the technical controls used to protect data, the frequency of patching, encryption, auditing, monitoring, boundary protections, and identification and authentication which placed data at risk.

It is unclear how the hackers gained access to login credentials and whether any of the GAO-identified weaknesses were exploited.


30,000 Patients Impacted by May Eye Care Center Ransomware Attack

A July 2018 ransomware attack on May Eye Care Center in Hanover, PA saw a range of sensitive patient information encrypted, including data in its electronic medical record system.

The ransomware attack was discovered by May Eye Care on July 29, 2018. The ransomware was downloaded on a server that contained patients’ names, addresses, dates of birth, insurance information, diagnoses, treatment information, clinical information, and a limited number of Social Security numbers.

May Eye Care Center called in a leading computer forensics company to investigate the breach, and an IT firm that specializes in data security was engaged to conduct a full review of security systems and protocols. Security has now been improved to prevent further attacks.

A ransom demand was received, but no payment was made. May Eye Care Center was able to recover all of the files encrypted by the ransomware from backups without any loss of data.

All patients impacted by the incident have been notified and the breach was reported to the Department of Health and Human Services’ Office for Civil Rights on October 11. The breach summary on the OCR Breach Portal indicates 30,000 patients were impacted by the incident.

May Eye Care Center believes the sole purpose of the attack was to obtain a ransom payment. No evidence has been uncovered to suggest any patients’ protected health information was accessed by the attackers and no reports of misuse of PHI have been received. However, since data theft cannot be ruled out, all patients have been advised to check their credit reports, accounts, and explanation of benefits statements for any sign of fraudulent activity.


1,800 Patients’ PHI Compromised in Metrocare Services Phishing Attack

Metrocare Services, the largest provider of mental health services in North Texas, has suffered a phishing attack that has resulted in the exposure of 1,804 patients’ protected health information.

Several employee email accounts were compromised in the attack, with the first account breach occurring on August 2, 2018. Metrocare did not discover the phishing attacks until September 4.

As soon as the breach was discovered, steps were taken to secure the accounts. Metrocare has also given its employees additional training on information security, additional measures are being introduced to improve the security of its information technology infrastructure, and email security has been strengthened.

The investigation into the breach could not determine whether any emails containing patients’ protected health information were accessed by the attackers, but data access could not be ruled out. No reports have been received that suggest any PHI has been misused.

The types of information that were exposed differed from patient to patient and included data such as names, dates of birth, driver’s license numbers, health insurance information, information relating to services received from Metrocare, and in some cases, Social Security numbers.

Metrocare started notifying affected patients by mail on November 1. Patients whose Social Security numbers were potentially compromised have been offered 12 months of complimentary credit monitoring and identity protection services. All patients impacted by the breach have been advised to check their Explanation of Benefits statements for healthcare services that have not been received or authorized.

Summit Medical Group Notifies Patients of Potential PHI Exposure

Summit Medical Group is notifying certain patients that some of their protected health information has potentially been compromised.

The information was recorded in a notebook that was maintained by a medical assistant in its Berkeley Heights dermatology office. On September 5, 2018, Summit Medical Group’s management and privacy office was informed that the notebook was missing.

The New Jersey physician-owned multispecialty medical practice conducted a search for the missing notebook but it couldn’t be located. Employees were interviewed and footage from security cameras was checked. According to Summit Medical Group, the notebook was only ever used in the dermatology office and no evidence of theft was discovered.

The notebook contained written notes on patients seen by the medical assistant since January 12, 2018. The types of information recorded in the notebook varied for each patient and included names, addresses, dates of birth, telephone numbers, health insurance numbers, Medicare IDs, and treatment information.

Since the notebook may have been stolen, patients have been advised to monitor their account and explanation of benefits statements and remain vigilant for incidents of identity theft and fraud.


Former Chilton Medical Center IT Worker Gets 5 Years’ Probation for Theft of Equipment Containing ePHI

A former IT worker at Chilton Medical Center in New Jersey has been sentenced to 5 years’ probation for the theft of IT equipment that contained the protected health information of some of its patients.

Sergiu Jitcu, of Saddle Brook, NJ, had previously been employed by Chilton Medical Center. On October 31, 2017, Chilton Medical Center learned that one of its hard drives had been sold on eBay. The purchaser discovered databases on the hard drive that appeared to include the protected health information (PHI) of some of its patients.

The subsequent investigation revealed the hard drive contained the PHI of 4,600 patients who had received medical services at Chilton Medical Center between May 1, 2008 and October 15, 2017. The types of information on the hard drive included names, addresses, dates of birth, allergy information, medical record numbers, and medications.

The theft was reported to the Morris County Prosecutor’s Office and was linked to Jitcu. The Morris County Prosecutor’s Office Specialized Crime Division obtained a search warrant for Jitcu’s home and vehicle and recovered computer equipment and additional items that had been stolen from Chilton Medical Center.

Jitcu was charged and pleaded guilty to one count of computer criminal activity and one count of theft of computer equipment. The offenses occurred between January 1, 2015 and November 8, 2017.

A non-custodial sentence of five years’ probation was given to Jitcu on the condition that ongoing restitution payments be made to Chilton Medical Center totaling $64,250.
