HIPAA Breach News

Summary of Recent Healthcare Data Breaches

A round up of healthcare data breaches recently announced by healthcare providers and business associates of HIPAA covered entities.

Tillamook Chiropractic Clinic Discovers 26-Month Malware Infection

The medical records of 4,058 patients of the Tillamook Chiropractic Clinic in Tillamook, OR have been stolen as a result of a malware infection.

On August 3, 2018, the clinic conducted an internal security audit which showed that malware had been installed on its network, even though a firewall was in place, antivirus and antimalware software were installed and up to date, and its software was fully patched. An investigation into the security breach revealed the malware had been installed on May 24, 2016 and had remained undetected for 26 months. The malware had been installed on the primary insurance billing system, which the clinic reports was used as a staging area by the attackers to collect patient records before exfiltrating the data.

The information believed to have been stolen includes full names, home addresses, work addresses, dates of birth, phone numbers, diagnoses, lab test results, medications, driver’s license numbers, insurance billing information, bank routing numbers, bank account numbers, employee payroll data, and for Medicare patients, Social Security numbers.

Tillamook Chiropractic Clinic removed the malware on August 3, 2018 and has now modernized and upgraded its computer security systems and policies.

Gwinnett Medical Center Investigating Possible Hack

A possible data breach has occurred at Lawrenceville, GA-based Gwinnett Medical Center. The PHI of approximately 40 patients has been accessed by an unauthorized individual according to Gwinnett Medical Center spokeswoman Beth Hardy. Names, genders, and dates of birth were exposed on Twitter and notification letters are being sent to those 40 individuals to alert them to the breach.

However, the breach could be far larger. Steve Ragan at Salted Hash reported that a source at the medical center said threats had been received from the attackers and that the breach potentially impacts hundreds of patients. The attackers allegedly posted data on Twitter as they claimed the medical center was attempting to cover up the breach.

Gwinnett Medical Center has informed the FBI about the security breach and is still conducting investigations into the cyberattack.

Hardy said, “GMC takes cyber security very seriously and we are committed to maintaining the integrity, availability and confidentiality of our systems and data.”

Toyota Industries North America Breach Impacts 19,000 Individuals

Columbus, IN-based Toyota Industries North America (TINA) has announced that approximately 19,000 current and former employees and health plan participants of the TINA family of companies have been informed that some of their PHI has been exposed. An unauthorized individual succeeded in gaining access to a small number of company email accounts and potentially viewed/copied PHI.

The breach was discovered on August 30 and information security experts were called in to help secure its system and investigate the breach. A wide range of PII and PHI were present in the compromised email accounts including first and last names, home addresses, dates of birth, phone numbers, financial account information, social security numbers, photographs of social security cards, driver’s license numbers, photographs of driver’s licenses, email addresses, photographs of birth certificates, photographs of passports, treatment information, prescription information, diagnoses, health plan beneficiary numbers and portal usernames, passwords and security questions.

All affected individuals have been notified by mail and have been offered a year of free credit monitoring and identity theft protection services. TINA has taken several steps following the breach to improve security, including implementing multi-factor authentication, making real-time security monitoring enhancements, and revising its password protection and password resetting policies. TINA is also currently reviewing and updating user training and technology and security practices to reduce the risk of further email breaches.

722 Patients Affected by Kansas City Business Associate Mis-mailing Incident

The Kansas City, MO-based revenue cycle management company, Pulse Systems, has announced that the PHI of 722 patients of Lincoln Pulmonary and Critical Care in Nebraska has been impermissibly disclosed. An error was made sending statements on July 27 that resulted in individuals receiving statements intended for other patients. The statements included only names and procedure information. Steps have now been taken to prevent similar errors from being made in the future and all affected individuals have been notified about the privacy breach.

Oklahoma Department of Human Services Mis-mailing Incident Affects 813 Individuals

More than 800 parents and guardians who were involved in a developmental disabilities services program run by the Oklahoma Department of Human Services (ODHS) have been notified that some of their PHI has been impermissibly disclosed as a result of a computer software error. The error resulted in envelopes being mis-addressed in Plan of Care change notice mailings sent between May 17 and July 25.

The mailings contained names, addresses, DHS case numbers, Medicaid client ID numbers, plan of care numbers, providers’ names, services authorized and beginning and end dates, and an explanation that the person is authorized to receive Medicaid Home and Community-Based Waiver Services. No Social Security numbers were disclosed.

ODHS believes 813 individuals have received mailings containing someone else’s information, although it is not possible to tell if any other individuals have been affected.

Email Account Breaches Result in Exposure of 16,000 Individuals’ PHI

Ransom Memorial Hospital in Ottawa, KS, has discovered an unauthorized individual has gained access to an as yet undisclosed number of email accounts which have been determined to contain the PHI of 14,239 individuals. A further email account breach was detected by Lakewood, CO-based Personal Assistance Services of Colorado, which has resulted in the exposure of 1,839 individuals’ PHI.

The post Summary of Recent Healthcare Data Breaches appeared first on HIPAA Journal.

PHI of 1,800 Patients Found Abandoned in Houston Street

Paperwork containing the protected health information of approximately 1,800 patients has been discovered abandoned in a Midtown, Houston street by an employee of the CBS-affiliated television station KHOU 11.

The paperwork contained information such as patients’ names, birth dates, diagnoses, treatment information, medications, vital signs, and admission dates. KHOU launched an investigation into the breach and determined the paperwork related to patients from five Houston hospitals – MD Anderson Cancer Center, LBJ Hospital, Children’s Memorial Hermann, Memorial Hermann Hospital, and TIRR Memorial Hermann. The investigation led to UTHealth.

According to the report, the records were stolen from the locked trunk of a vehicle belonging to a medical resident who, while studying at UTHealth’s McGovern Medical School, had worked at the above hospitals. The records were stolen from his vehicle in July.

Officials at UTHealth confirmed to KHOU that they are aware of the breach. Reporters spoke to the medical graduate and confirmed that the incident had not been reported to the police until after he had been contacted by KHOU reporters.

A spokesperson for UTHealth issued a statement saying, “We promptly took steps to investigate the circumstances of the disclosure, which revealed that the stolen documents had been discarded on a city street and found a day later by an employee of KHOU-TV Channel 11.” The records were collected by that employee and were returned to UTHealth and have now been secured. UTHealth found no evidence to suggest that any information in the documents was viewed by unauthorized individuals.

It is unclear why the records were removed from the hospitals in the first place, why the theft was not reported to law enforcement immediately, and why the hospitals concerned had not been informed about the breach until after the records were discovered by KHOU. According to UTHealth, the affected hospitals will be issuing notifications to all affected patients in due course.


Study Reveals 70% Increase in Healthcare Data Breaches Between 2010 and 2017

There has been a 70% increase in healthcare data breaches between 2010 and 2017, according to a study conducted by two physicians at the Massachusetts General Hospital Center for Quantitative Health.

The study, published in the Journal of the American Medical Association on September 25, involved a review of 2,149 healthcare data breaches reported to the Department of Health and Human Services’ Office for Civil Rights between 2010 and 2017.

“While we conduct scientific programs designed to recognize the enormous research potential of large, centralized electronic health record databases, we designed this study to better understand the potential downsides for our patients – in this case the risk of data disclosure,” said Dr. Thomas McCoy Jr, director of research at Massachusetts General Hospital’s Center for Quantitative Health in Boston and lead author of the study.

Every year, with the exception of 2015, the number of healthcare data breaches has increased, rising from 199 breaches in 2010 to 344 breaches in 2017. Those breaches have resulted in the loss, theft, exposure, or impermissible disclosure of 176.4 million healthcare records. 75% of those records were exposed or stolen as a result of hacking or IT incidents.

While the number of hacking and IT incidents continues to increase each year, the number of theft incidents has declined by two thirds since 2010 when it was the leading cause of healthcare data breaches. This is due to healthcare organizations transitioning to electronic health records and encrypting health data stored on portable electronic devices.

In 2010, the most common location of breached health data was laptop computers followed by paper records and films. In 2017, the most common locations of breached health data were network servers and email, both of which are targeted by hackers.

The study covered healthcare providers, health plans and business associates of HIPAA covered entities. Healthcare providers experienced the most breaches (70%) over the period of study, which stands to reason given that there are many more healthcare providers than health plans in the United States. However, while there were fewer health plan data breaches – 13% of the total – they resulted in the exposure of more records – 63% of all breached records between 2010 and 2017.

“More breaches happen—for the sake of argument—in doctor’s offices, quote-on-quote ‘healthcare providers,’ but more records get lost by big insurance companies,” said McCoy.

The high number of records exposed by health plan data breaches is largely due to three health plan data breaches which resulted in the theft of 99.8 million records: The 78.8 million record breach at Anthem Inc., the 11 million record breach at Premera Blue Cross, and the 10 million record breach at Excellus Blue Cross Blue Shield. Those three breaches accounted for more than half of all exposed health records between 2010 and 2017.

The most serious healthcare data breaches involve records stored on network servers. There were 410 data breaches involving network servers over the period of study and they impacted almost 140 million patients, compared to 510 breaches involving paper/films which impacted 3.4 million patients.

“For me, the message is that working with big data carries big responsibility. This is an area where health plans, health systems, clinicians and patients need to work together. We hear a lot about the huge opportunity to improve how we care for patients – but there is also risk, which we need to manage responsibly,” said Roy Perlis, MD, MSc, director of the Center for Quantitative Health, and co-author of the study.


Claxton-Hepburn Medical Center Fires Several Employees for Inappropriate PHI Access

Claxton-Hepburn Medical Center, a not-for-profit 115-bed community hospital in Ogdensburg, NY, has fired several employees for accessing patient health records without authorization.

The PHI breaches were discovered during an internal investigation. It is unclear whether that investigation was launched following a complaint that had been received or if the patient privacy violations were uncovered during a routine audit of PHI access logs – a requirement of HIPAA.

Claxton-Hepburn Medical Center has not publicly disclosed how many employees were terminated over the violations, only reporting that all employees who purposely committed the acts were terminated. It is also currently unclear exactly how many patients’ PHI was breached.

Claxton-Hepburn Medical Center has confirmed that training is given to all employees on the first day of employment detailing the requirements of HIPAA and the importance of protecting the privacy of patients. All employees are made aware that accessing patient health information is only permitted when PHI needs to be viewed to complete work duties or when patient records need to be updated, as per the requirements of the HIPAA Privacy Rule. Employees are also made aware that any unauthorized accessing of PHI will result in disciplinary action. It would have been clear to the employees concerned that their actions were in violation of HIPAA Rules.

The discovery of the privacy breaches has prompted the hospital to implement further safeguards to reduce the likelihood of future HIPAA violations of this nature occurring. Claxton-Hepburn Medical Center has also notified all patients by mail whose records were inappropriately accessed.

While it is possible for criminal charges to be filed against healthcare employees for HIPAA Privacy Rule violations, in this instance Claxton-Hepburn Medical Center has not involved the police.


Protected Health Information Stolen in Aspire Health Phishing Attack

Aspire Health, a Nashville, TN-based provider of in-home services for patients diagnosed with serious illnesses, has experienced a phishing attack that resulted in the email account of an employee being accessed by an unauthorized individual.

Once access to the email account was gained, the attacker forwarded 124 emails to an external email account. Several of the forwarded email messages contained the protected health information of patients and “confidential and proprietary information and files”.

According to a statement issued by a spokesperson for Aspire Health, breach notification letters have already been sent to a “small handful” of its patients, although the exact number affected by the breach has not been disclosed. The data breach has yet to appear on the Department of Health and Human Services’ Office for Civil Rights’ breach portal.

As is the case with many phishing scams, an email was sent to the employee which contained a hyperlink to a website which requested login credentials. The website, created on August 28, 2018, is hosted in the Russian Federation and was accessed by the employee on or around September 3, 2018. The employee’s email account was breached on September 3. The website has since been marked as potentially malicious by Google.

Aspire Health has launched an internal investigation into the breach, is attempting to determine whether any of the forwarded PHI has been accessed and is trying to identify the individual responsible for the attack. Part of that process has involved filing a federal court motion to get Google to reveal more information about the hacker.

The email account to which the messages were forwarded is a Gmail account and Aspire Health believes that Google could provide vital information that could allow the hacker to be identified and also help to determine whether any of the forwarded messages have been opened. According to The Tennessean, Aspire Health made informal attempts to get Google to release information about the owner of the website and the subscriber to the email account but was advised that a subpoena would be required.

Should Aspire Health’s efforts prove successful, the attacker could be identified; however, bringing that individual to justice for the attack is likely to be a much more difficult task.


UMass Memorial Health Care Pays $230,000 to Resolve Alleged HIPAA Violations

UMass Memorial Health Care has been fined $230,000 by the Massachusetts attorney general for HIPAA failures related to two data breaches that exposed the protected health information (PHI) of more than 15,000 state residents.

A lawsuit was filed against UMass Memorial Health Care in which attorney general Maura Healey claimed UMass Memorial Medical Group Inc., and UMass Memorial Medical Center Inc., failed to implement sufficient measures to protect patients’ sensitive health information.

In two separate incidents, employees accessed and copied patient health information without authorization and used that information to open cell phone and credit card accounts in the victims’ names.

It was also alleged that UMass Memorial Medical Group Inc., and UMass Memorial Medical Center Inc., were both aware of employee misconduct, yet failed to properly investigate complaints related to data breaches and discipline the employees concerned in a timely manner. Both entities also failed to ensure that patients’ PHI was properly safeguarded. These failures violated Massachusetts data security laws, the Consumer Protection Act, and the Health Insurance Portability and Accountability Act.

UMass Memorial Health Care cooperated fully with the state attorney general’s investigation into the data breaches and agreed to settle the resulting lawsuit. In addition to paying the $230,000 fine, UMass Memorial Health Care will ensure that employee background checks are conducted prior to hiring new staff, all employees will receive further training on the correct handling of PHI, employee access to patient health information will be limited, risk analyses will be conducted to identify potential security issues, and any issues that are found will be subjected to a HIPAA-compliant risk management process. UMass Memorial Health Care will also ensure proper employee discipline and any suspected cases of improper accessing of ePHI will be investigated promptly.

Both UMass Memorial Medical Group Inc., and UMass Memorial Medical Center Inc., are also required to hire an independent firm to conduct a thorough review of data security policies and procedures and must report back to the Massachusetts attorney general’s office on the findings of those reviews.

“Massachusetts residents rely on their health care providers to keep private health information safe and secure,” said Maura Healey. “This resolution ensures UMass Memorial implements important measures to prevent this type of breach from happening again.”

“In the four years since [these breaches] took place we have taken steps aimed at further strengthening our privacy and information security program,” said a UMass Memorial Health Care spokesperson in a written statement. “This includes the implementation of additional technical tools that safeguard patient information, and enhancement of our existing privacy and information security procedures.”

State Attorneys General Pick Up the Slack in HIPAA Enforcement

After two years of increased enforcement of HIPAA Rules, the HHS’ Office for Civil Rights has eased up on settlements and civil monetary penalties to resolve HIPAA violations, with only five settlements reached in 2018 and one civil monetary penalty issued. While OCR has eased up on financial penalties for HIPAA violations, fines issued by state attorneys general are on track to make 2018 a record year for HIPAA enforcement.

UMass Memorial Health Care is the fifth healthcare organization to settle a HIPAA violation case with a state attorney general in 2018, joining The Arc of Erie County ($200,000), EmblemHealth ($575,000), and Aetna ($1,150,000) which have all been fined by the New York AG this year, and Virtua Medical Group which settled HIPAA violations with the New Jersey AG for $417,816 in April.


August 2018 Healthcare Data Breach Report

August was a much better month for the healthcare industry with fewer data breaches reported than in July. In August, 28 healthcare data breaches were reported to the HHS’ Office for Civil Rights, a 17.86% month-over-month reduction in data breaches.

Healthcare Data Breaches by Month

There was also a major reduction in the number of healthcare records that were exposed or stolen. In August, 623,688 healthcare records were exposed or stolen – a 267.56% reduction from July, when 2,292,522 healthcare records were breached.

Healthcare Records Exposed by Month

Causes of Healthcare Data Breaches in August 2018

Hacking incidents dominated the breach reports in August, accounting for 53.57% of all reported data breaches and 95.73% of all records exposed or disclosed in August. Eight of the top ten breaches were the result of hacks, malware, or ransomware attacks.

Causes of Healthcare Data Breaches in August 2018

Insider breaches are a major problem in the healthcare industry, more so than other verticals. In August there were nine insider breaches – 32.14% of the healthcare data breaches in August. Those breaches involved the unauthorized access or impermissible disclosure of 18,488 healthcare records – 2.96% of the monthly total.

There were two breaches involving the loss of PHI, one case of lost physical records and one lost portable electronic device containing electronic protected health information. The two theft incidents in August involved paper records.

Largest Healthcare Data Breaches in August 2018

Name of Covered Entity | Covered Entity Type | Individuals Affected | Type of Breach
AU Medical Center, INC | Healthcare Provider | 417,000 | Hacking/IT Incident
Fetal Diagnostic Institute of the Pacific | Healthcare Provider | 40,800 | Hacking/IT Incident
Legacy Health | Healthcare Provider | 38,000 | Hacking/IT Incident
Acadiana Computer Systems, Inc. | Business Associate | 31,151 | Hacking/IT Incident
Carpenters Benefit Funds of Philadelphia | Health Plan | 20,015 | Hacking/IT Incident
University Medical Center Physicians | Healthcare Provider | 18,500 | Hacking/IT Incident
Simon Orthodontics | Healthcare Provider | 15,129 | Hacking/IT Incident
Wells Pharmacy Network | Healthcare Provider | 10,000 | Unauthorized Access/Disclosure
St. Joseph’s Medical Center | Healthcare Provider | 4,984 | Loss
Central Colorado Dermatology, PC | Healthcare Provider | 4,065 | Hacking/IT Incident

Location of Breached PHI

Email-related data breaches continue to dominate the healthcare data breach reports. A further 14 email-related data breaches were reported in August, the majority of which saw email accounts accessed by unauthorized individuals as a result of healthcare employees falling for phishing emails. Phishing attacks on healthcare providers are being reported regularly, highlighting just how important it is for healthcare organizations to provide ongoing security awareness training for employees to teach them the skills they need to identify phishing attempts.

There were six incidents involving PHI stored on network servers in August, including two confirmed ransomware attacks. There were five breaches involving paper records.

Location of Breached PHI in August 2018 Healthcare Data Breaches

August Data Breaches by Covered Entity Type

Healthcare providers experienced the lion’s share of data breaches in August with 21 reported breaches. There were two health plan breaches and business associates of HIPAA-covered entities reported five breaches, with one further breach having some business associate involvement.


August Healthcare Data Breaches by State

Healthcare organizations based in 19 states experienced data breaches in August. While California and Texas usually top the list for data breaches due to the number of healthcare organizations based in those states, atypically, in August Oregon was the worst affected state with four breaches reported.

California and Florida each had three breaches reported, Colorado and Texas had two, and there was one breach reported in Arizona, Georgia, Hawaii, Illinois, Indiana, Louisiana, Maryland, Michigan, Nevada, New York, Ohio, Pennsylvania, Tennessee, and Virginia.

HIPAA Enforcement Actions in August

In 2016 and 2017, the HHS’ Office for Civil Rights took a hard line on enforcement of HIPAA Rules and agreed 21 settlements with HIPAA-covered entities and issued two civil monetary penalties. There have only been three financial settlements reached between OCR and HIPAA-covered entities in 2018 and no further fines or settlements were announced in August. While OCR enforcement activity appears to have slowed, that is not the case with state attorneys general, in particular New York. The New York attorney general’s office has agreed two settlements with HIPAA-covered entities in 2018 with a third agreed in August.

The Arc of Erie County resolved violations of HIPAA Rules and state laws by paying a penalty of $200,000 to the New York attorney general’s office following the exposure of 3,751 individuals’ PHI. The PHI had been uploaded to a website and could be accessed without authentication.


$999,000 in HIPAA Penalties for Three Hospitals for Boston Med HIPAA Violations

Three hospitals that allowed an ABC film crew to record footage of patients as part of the Boston Med TV series have been fined $999,000 by the Department of Health and Human Services’ Office for Civil Rights (OCR) for violating Health Insurance Portability and Accountability Act (HIPAA) Rules.

This is the second HIPAA violation case investigated by OCR related to the Boston Med TV series. On April 16, 2016, New York Presbyterian Hospital settled its HIPAA violation case with OCR for $2.2 million to resolve the impermissible disclosure of PHI to the ABC film crew during the recording of the series and for failing to obtain consent from patients.

Fines for Boston Medical Center, Brigham and Women’s Hospital, & Massachusetts General Hospital

Boston Medical Center (BMC) settled its HIPAA violations with OCR for $100,000. OCR investigators determined that BMC had impermissibly disclosed the PHI of patients to ABC employees during production and filming of the TV series, violating 45 C.F.R. § 164.502(a).

Brigham and Women’s Hospital (BWH) settled its HIPAA violations with OCR for $384,000. BWH allowed an ABC film crew to record footage between October 2014 and January 2015. Prior to filming, BWH conducted a review of patient privacy issues and provided the ABC film crew with HIPAA privacy training – the same training that was provided to its workforce. BWH also obtained written authorizations from patients. However, OCR determined that despite those measures, HIPAA Rules were still violated. In the resolution agreement, OCR wrote, “Based on the timing of when BWH received some written patient authorizations, BWH impermissibly disclosed the PHI of patients to ABC employees,” in violation of 45 C.F.R. § 164.502(a). BWH also failed to reasonably safeguard the PHI of patients: a violation of 45 C.F.R. § 164.530(c).

Massachusetts General Hospital (MGH) settled its HIPAA violations with OCR for $515,000. The hospital similarly allowed a film crew to record footage between October 2014 and January 2015. A review of patient privacy issues was also conducted, and the film crew was provided with the same HIPAA privacy training that MGH provides to its employees.

As was the case with BWH, OCR determined that 45 C.F.R. § 164.502(a) was violated as authorizations were received after an impermissible disclosure, and MGH failed to appropriately and reasonably safeguard patients’ PHI from disclosure during the filming of the series in violation of 45 C.F.R. § 164.530(c).

In addition to covering the financial penalty, each of the three hospitals must adopt a corrective action plan which includes providing further training to staff on the allowable uses and disclosures of PHI to film and media.

“Patients in hospitals expect to encounter doctors and nurses when getting treatment, not film crews recording them at their most private and vulnerable moments,” said Roger Severino, OCR director. “Hospitals must get authorization from patients before allowing strangers to have access to patients and their medical information.”

HIPAA Enforcement in 2018

OCR had a record year for HIPAA penalties in 2016 when it agreed 12 settlements to resolve HIPAA violations and issued one civil monetary penalty. 2017 saw 9 settlements reached with HIPAA-covered entities and one civil monetary penalty issued.

2018 has seen a reduction in financial penalties for HIPAA violations, with only three penalties issued prior to the September 20, 2018 announcement. These latest three settlements bring the total number of OCR HIPAA violation penalties for the year up to six.

HIPAA Penalties and Settlements Agreed with OCR in 2018

Entity | Penalty | Penalty Type | Reason for Penalty
Boston Medical Center | $100,000 | Settlement | Filming patients without consent
Brigham and Women’s Hospital | $384,000 | Settlement | Filming patients without consent
Massachusetts General Hospital | $515,000 | Settlement | Filming patients without consent
University of Texas MD Anderson Cancer Center | $4,348,000 | Civil Monetary Penalty | Lack of encryption and impermissible disclosure of ePHI
Filefax, Inc. | $100,000 | Settlement | Impermissible disclosure of PHI
Fresenius Medical Care North America | $3,500,000 | Settlement | Multiple HIPAA Violations


HIPAA Settlements with State Attorneys General in 2018

In addition to the penalties issued by OCR, there have been four settlements reached between HIPAA covered entities and state attorneys general in 2018.

State | Covered Entity | Amount | Reason for Penalty
New York | Arc of Erie County | $200,000 | Online Exposure of PHI
New Jersey | Virtua Medical Group | $417,816 | Online Exposure of PHI
New York | EmblemHealth | $575,000 | Exposure of PHI in Mailing
New York | Aetna | $1,150,000 | Exposure of PHI in Mailing


Phishing Attack on Ohio Living Exposed PHI of 6,500 Individuals

Ohio Living, a provider of life plan communities and home health services in Ohio, has discovered an unauthorized individual has gained access to the email accounts of some of its employees.

Ohio Living detected suspicious activity related to an employee’s email account on July 10, 2018. An investigation was immediately launched, and a third-party computer forensics expert was hired to investigate the breach and determine how access to the account was gained. On July 19, 2018, Ohio Living was informed that several email accounts had been compromised on July 10 and that those accounts had been accessed by an unauthorized individual.

It was not possible to determine whether any emails were opened or if any emails were downloaded by the attacker. A review of the compromised accounts revealed they contained the protected health information of 6,510 individuals.

Upon discovery of the breach, passwords were reset on all accounts known to have been compromised and a full password reset was performed on all other employees’ email accounts. Ohio Living has also provided further training to its employees to improve security awareness and prevent further email breaches in the future.

Ohio Living was informed on September 4, 2018, that the emails contained names, contact information, financial information, Social Security numbers, birth dates, medical record numbers, Patient ID numbers, clinical information, medical information, diagnosis and treatment information, and health insurance details. The information exposed varied for each patient.

No reports have been received to suggest any PHI has been misused, but out of an abundance of caution, all individuals affected have been offered complimentary credit monitoring and identity theft protection services.

PHI of 1,100 Patients of Guardant Exposed in Phishing Attack

Guardant, a Redwood City, CA-based liquid biopsy specialist, has discovered an unauthorized individual gained access to the email account of one of its employees. Access to the email account was gained as a result of the employee responding to a phishing email in July 2018.

An investigation into the breach revealed the attacker had access to the account for five days before the password was changed and access to the account was blocked. An analysis of the emails in the account revealed they contained the protected health information of approximately 1,100 patients.

The types of information potentially accessed were limited to patients’ names, contact details, dates of birth, medical codes, and for a small number of patients, Social Security numbers.

Tucson Medical Center Discovers Paper Files Containing PHI Were Left Unsecured

TMC Healthcare, which runs Tucson Medical Center in Arizona, has discovered that paper files containing the PHI of 1,776 patients were accidentally left unsecured in a suite used for storage. While the facility is usually locked and secured, on July 12, 2018, the door to the suite was discovered to be unlocked.

The suite was immediately secured to ensure files could not be accessed and an investigation was launched to determine how long files had been left unsecured, and which patients’ PHI had been exposed.

TMC Healthcare determined that the records were potentially accessible for a period of no more than 15 days. Files stored in the suite contained patients’ names, addresses, medical record numbers, dates of birth, insurance ID numbers, Social Security numbers, provider information, diagnoses, treatment information, medications, test results and other clinical information.

TMC Healthcare does not believe any files were accessed by unauthorized individuals during the time they were left unsecured.

Since the incident constitutes a data breach, all individuals potentially affected have been notified by mail and a breach report has been submitted to the HHS’ Office for Civil Rights.

Further training has now been given to the employees responsible for the secure storage and maintenance of files containing PHI. As a precaution against identity theft and fraud, all patients whose records were exposed have been offered credit monitoring and identity theft protection services for 12 months without charge.
