HIPAA Breach News

Brooklyn Emergency Room Worker Accused of Stealing and Selling Patients’ PHI

A former employee of the emergency department of Brooklyn’s Kings County Hospital is alleged to have stolen the protected health information of at least 100 individuals while working at the hospital and disclosed that information to another individual using an encrypted smartphone app.

Orlando Jemmott, 52, was employed at the hospital for 12 years between March 2006 and April 2018 and was given access to patient health records in order to complete his work duties. Jemmott was required to enter patient information into the hospital’s system such as demographic data and information on patients’ symptoms and health complaints.

In June 2017, the FBI received a tip from a woman who claimed Jemmott was stealing patient information and selling it to another individual, sending the data via the WhatsApp encrypted messaging app. The woman took Jemmott’s mobile phone from his house and handed it over to the FBI along with a photo from his WhatsApp profile. The FBI then obtained a warrant to search the phone. The search revealed hundreds of communications between Jemmott and an individual in Pennsylvania who was subsequently identified as Ron Pruitt.

Those communications included more than 180 combinations of patient names and phone numbers, which were sent by Jemmott to Pruitt between December 2014 and April 2015. According to court documents, the identities of at least 100 individuals have been confirmed. The hospital has confirmed that 98 of those individuals were patients at the hospital at the time of the disclosure. The hospital also confirmed that in 88 of the 98 cases, the records of patients had been accessed without authorization.

The tipster also provided paper copies of health information to the FBI which had been printed out between December 2016 and June 2017. The printouts contained the protected health information of 49 individuals, which the hospital confirmed was obtained from its electronic health record system.

Jemmott was arrested in February 2018, was fired by the hospital in April, and has been released on an $80,000 bond. Pruitt was arrested by the FBI in early September. Both are attempting to negotiate plea deals. It is currently unclear what the disclosed protected health information was used for.

The HIPAA Security Rule requires covered entities to implement audit controls that record activity in systems containing electronic PHI (45 CFR § 164.312(b)) and to regularly review those records for signs of unauthorized access (the information system activity review standard, § 164.308(a)(1)(ii)(D)). It may not be possible to prevent every instance of unauthorized access to PHI by healthcare employees, but it is possible to detect such access promptly and limit the harm caused. There have been many cases of insider breaches continuing for years before they were detected, during which time the records of thousands of patients were accessed.
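The kind of log review the paragraph above calls for, as an added example that is not code from the HIPAA Journal article or from the hospital. It assumes a hypothetical audit-record format (CSV lines of timestamp, user, patient ID, action) and a hypothetical treatment-relationship table listing which patients each user had a documented encounter with on a given day; all sample records are constructed. It flags the two patterns the Jemmott case illustrates: lookups of patients the user has no treatment relationship with, and a user touching far more distinct patients per day than peers.

```python
"""Added example, not code from the HIPAA Journal article or the hospital:
a minimal information-system activity review over EHR access-audit records,
looking for the two insider patterns the Jemmott case illustrates.

Hypothetical assumptions: audit records are CSV lines with
timestamp,user,patient_id,action; a treatment-relationship table lists the
patients each user had a documented encounter with on a given day; all
sample data below is constructed for illustration."""

import csv
import statistics
from collections import Counter, defaultdict
from datetime import datetime
from io import StringIO

# Constructed sample: an ED clerk (u_ed01) looks up six patients with no
# encounter that day, one after another; two nurses behave normally apart
# from a single cross-patient lookup by u_rn03.
AUDIT_LOG = """timestamp,user,patient_id,action
2015-04-01T08:02:11,u_ed01,P1001,view_demographics
2015-04-01T08:05:40,u_ed01,P1002,view_demographics
2015-04-01T08:11:03,u_ed01,P2001,view_demographics
2015-04-01T08:11:29,u_ed01,P2002,view_demographics
2015-04-01T08:11:55,u_ed01,P2003,view_demographics
2015-04-01T08:12:18,u_ed01,P2004,view_demographics
2015-04-01T08:12:44,u_ed01,P2005,view_demographics
2015-04-01T08:13:07,u_ed01,P2006,view_demographics
2015-04-01T09:30:00,u_rn02,P1001,view_chart
2015-04-01T10:15:22,u_rn02,P1003,view_chart
2015-04-01T10:20:00,u_rn03,P1002,view_chart
2015-04-01T11:00:00,u_rn03,P1004,view_chart
2015-04-01T11:05:00,u_rn03,P1001,view_chart
2015-04-02T07:45:00,u_rn02,P1005,view_chart
"""

# Constructed: (user, day) -> patients with a documented encounter that day.
TREATMENT_RELATIONSHIPS = {
    ("u_ed01", "2015-04-01"): {"P1001", "P1002"},
    ("u_rn02", "2015-04-01"): {"P1001", "P1003"},
    ("u_rn03", "2015-04-01"): {"P1002", "P1004"},
    ("u_rn02", "2015-04-02"): {"P1005"},
}


def parse_audit_log(text):
    """Parse CSV audit records, adding a parsed timestamp and a day key."""
    rows = list(csv.DictReader(StringIO(text)))
    for r in rows:
        r["ts"] = datetime.fromisoformat(r["timestamp"])
        r["day"] = r["ts"].date().isoformat()
    return rows


def find_unrelated_access(rows, relationships):
    """Records where the user viewed a patient they had no encounter with that day."""
    return [r for r in rows
            if r["patient_id"] not in relationships.get((r["user"], r["day"]), set())]


def find_volume_outliers(rows, factor=3.0):
    """(user, day) pairs whose distinct-patient count exceeds factor x the median."""
    per_user_day = defaultdict(set)
    for r in rows:
        per_user_day[(r["user"], r["day"])].add(r["patient_id"])
    counts = {k: len(v) for k, v in per_user_day.items()}
    median = statistics.median(counts.values())
    return {k: n for k, n in counts.items() if n > factor * median}


def review(rows, relationships, factor=3.0):
    """Combine both checks into a per-user report for the privacy officer."""
    unrelated = Counter(r["user"] for r in find_unrelated_access(rows, relationships))
    return {
        "unrelated_access_by_user": dict(unrelated),
        "volume_outliers": find_volume_outliers(rows, factor),
    }


if __name__ == "__main__":
    report = review(parse_audit_log(AUDIT_LOG), TREATMENT_RELATIONSHIPS)
    for user, n in report["unrelated_access_by_user"].items():
        print(f"{user}: {n} record(s) viewed without a treatment relationship")
    for (user, day), n in report["volume_outliers"].items():
        print(f"{user} on {day}: {n} distinct patients, well above peers")
```

The treatment-relationship check is the one that catches a low-and-slow insider such as the one described here, who sent a handful of names and phone numbers at a time over several months; the volume check only catches bulk lookups. In practice the relationship table comes from the encounter or scheduling system, and a single unrelated lookup by a nurse (u_rn03 above) is usually a triage item rather than a finding, so the report groups results by user for a human to review.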

The post Brooklyn Emergency Room Worker Accused of Stealing and Selling Patients’ PHI appeared first on HIPAA Journal.

Mailing Vendor Blamed for Blue Cross and Blue Shield of Rhode Island Privacy Breach

Blue Cross and Blue Shield of Rhode Island (BCBSRI) is alerting 1,567 plan members that some of their protected health information has been impermissibly disclosed by one of its business associates.

A BCBSRI vendor was contracted to send explanation of benefits statements to plan members. These statements contain summaries of the healthcare services members have received under their health plan.

However, an error was made which resulted in statements being sent to incorrect individuals. The explanation of benefits statements included members’ BCBSRI ID number, their service provider(s), the service(s) provided, and the cost of the claims.

The impermissible disclosure of PHI was attributed to an error made by the vendor when combining the explanation of benefits statements for certain individuals who are covered under the same policy. Combining the statements was intended to reduce the number of summaries received by some members.

The error resulted in some explanation of benefits statements being incorrectly combined in the mid-July mailings, which resulted in the summaries being sent to incorrect family members or other individuals in the household that were covered by the same policy.

Upon discovery of the error, BCBSRI instructed the vendor to stop combining the statements and individual summaries will continue to be sent to members while BCBSRI looks for a different solution.

BCBSRI issued a statement about the incident confirming that the error only resulted in the disclosure of PHI to family members or other individuals in the same household covered by the policy, not to any other members.

Since members’ Social Security numbers and dates of birth are not detailed in the summaries, and only family members received the summaries, the risk of any information being misused is believed to be very low.

All individuals who have been impacted by the incident will be notified about the privacy breach by mail in the next few days.

Independence Blue Cross Notifies 17,000 Members of Online Exposure of Their PHI

Independence Blue Cross is notifying thousands of plan members that some of their protected health information has been exposed online and has potentially been accessed by unauthorized individuals.

The Independence Blue Cross privacy office was informed about the exposed information on July 19 and immediately launched an investigation. A leading forensics investigation firm was hired to investigate the incident and establish whether any plan members’ information was accessed during the time it was exposed.

Independence Blue Cross said an employee had uploaded a file containing plan members’ protected health information to a public facing website on April 23, 2018. The file remained accessible until July 20 when it was removed from the website.

The information contained in the file was limited. No financial information or Social Security numbers were exposed. Affected plan members only had their name, diagnosis codes, provider information, date of birth, and information used for processing claims exposed.

Despite a thorough investigation, it was not possible to determine whether any unauthorized individuals accessed the file during the time it was on the website. No reports have been received to date to suggest any protected health information has been misused.

According to a statement from the health insurer, the breach affects certain Independence Blue Cross members and members of its subsidiaries AmeriHealth HMO and AmeriHealth Insurance Co. of New Jersey. Fewer than 1% of plan members – approximately 17,000 individuals – were affected by the breach.

Affected individuals have now been notified of the breach and, out of an abundance of caution, Independence Blue Cross is offering all affected individuals 24 months of free triple-bureau credit monitoring and identity theft protection services.

The Philadelphia-based health insurer has taken steps to prevent further breaches of this nature and ‘appropriate action’ has been taken with the employee who uploaded the file to the website.

CMS: Fairview Southdale Hospital Videotaped Patients Without Knowledge or Consent

The HHS’ Centers for Medicare and Medicaid Services (CMS) has investigated Fairview Southdale Hospital in Edina, MN over an alleged violation of patient privacy and discovered that some patients were videotaped during psychiatric evaluations in the emergency department without their knowledge or consent. The hospital was cited for violating patient privacy.

According to the Star Tribune, the CMS launched an investigation following a complaint from a patient who had been taken to the hospital for a psychiatric evaluation against her will in May 2017. The patient was escorted to the hospital as police officers were concerned about her state of mental health and feared she may cause harm to herself or others.

After being released, the patient took legal action over her admission to the hospital and how she was treated by the police. As part of that lawsuit, the patient requested a copy of the security camera footage from the hospital. While the patient expected to receive a copy of the videotape from the front of the hospital showing her entering the facility, the videotape showed her entire visit, including her psychiatric evaluation and her changing into hospital scrubs. The videotape only showed the patient’s back as she was getting changed.

The patient was horrified that the entire visit had been recorded without her knowledge and claimed that there were no warning signs in the emergency room advising patients that they were being recorded.

Fairview Southdale Hospital does indicate on its consent form for treatment that patients may be videotaped for the purpose of medical education, but in this case the patient refused to read or sign the consent form as she was not in the hospital of her own free will and had refused treatment.

Fairview Southdale Hospital cooperated fully with the investigation and informed the CMS that an additional 8 video cameras had been installed in rooms in the emergency department that were used for psychiatric evaluations following an increase in the number of incidents in which patients had become violent.

CMS found that cameras were used in those rooms, although there were no signs warning patients that they were being videotaped. The camera footage was visible in the nursing station but was out of public view.

Typically, footage from the cameras is permanently erased, although in this case the footage was retained as the patient had also made a complaint to the hospital about her visit.

Sue Abderholden, executive director of the Minnesota chapter of the National Alliance on Mental Illness, told the Star Tribune, “Healthcare facilities that videorecord patients for security reasons should notify them… If you’re going to do it, there should be a sign and you should orally tell the person.”

Following the investigation, the hospital retrained staff and instructed its nurses to tell patients that they may be filmed during their emergency room visits. Privacy screens have now been installed to prevent patients from being filmed while changing, and from September the hospital has discontinued recording video footage, although it will continue to use the cameras for medical education and safety purposes.

Fetal Diagnostic Institute of the Pacific Experiences Ransomware Attack

The Fetal Diagnostic Institute of the Pacific (FDIP) in Honolulu, HI, experienced a ransomware attack on June 30, 2018. File-encrypting software was installed on an FDIP server and encrypted a wide range of file types, including patient medical records.

FDIP engaged the services of a leading cybersecurity company to conduct a full investigation into the breach to determine whether patient data was accessed by the attackers and also to assist with breach remediation. The investigation did not uncover any evidence to suggest that patients’ protected health information was accessed, viewed, or stolen by the individuals behind the attack, although it was not possible to rule out data access and data theft with a high level of confidence.

Consequently, the incident is being treated as a HIPAA breach, patients are being notified, and the Department of Health and Human Services’ Office for Civil Rights (OCR) has been informed.

An analysis of the files encrypted by the ransomware revealed they contained a range of protected health information. Patients affected by the security breach may have had their full name, home address, date of birth, account number, diagnoses, and “other types of information” exposed. No financial information was exposed as a result of the attack. The breach report submitted to OCR indicates 40,800 current and former patients have been affected by the breach.

FDIP reports that prompt action was taken to address the breach and remove the malicious software and restore all encrypted files. Its systems have now been cleansed and no trace of any malware remains. Steps have also been taken to improve security protections to prevent any further security breaches and unauthorized disclosures of patient data.

FDIP does not expect patients to experience any harm as a result of the ransomware attack, although patients have been urged to get in touch with FDIP immediately if they become aware of any suspicious activity that they believe is related to the breach.

This is only the fifth data breach of more than 500 records to have been reported to OCR by a Hawaii-based covered entity since data breach summaries first started being published by OCR in 2009.

Email Security Breaches Reported by Hopebridge (IN) and United Methodist Homes (NY)

Hopebridge, an Indiana-based network of 28 autism treatment centers throughout the Midwest, has discovered it has been the victim of a phishing attack that has potentially resulted in an unauthorized individual gaining access to the protected health information (PHI) of its patients.

A security breach was detected on July 19, 2018 prompting a thorough investigation. A leading third-party computer forensics firm was engaged to assess the nature and scope of the breach and all accounts and systems were immediately secured to lock out the attacker.

The investigation revealed several employees had been fooled by phishing emails that had been sent between March and July 2018. Several email accounts were compromised as a result of employees’ responses to those emails. An analysis of the compromised email accounts revealed they contained a limited amount of patients’ PHI: their names, the services they received from Hopebridge, and an inferred autism diagnosis.

The results of the forensic investigation suggest that it was not the intention of the attacker to gain access to PHI, instead the attacks appear to have been an attempt to gain access to employees’ financial information.

The breach report submitted to the Department of Health and Human Services’ Office for Civil Rights indicates 1,411 patients have been impacted by the incident. Hopebridge says there is no indication that any patient information has been misused.

The breach has prompted Hopebridge to implement stronger access controls, IP address whitelisting, and 2-factor authentication on email accounts. Hopebridge is also now masking patient names on internal emails and reports.

Former Employee Stole Information of United Methodist Homes Residents

United Methodist Homes, a network of Independent and Assisted Living facilities for seniors in New York, has discovered an employee stole the protected health information of some of its current and former residents.

A spreadsheet containing information on 843 current and former residents of its Elizabeth Church and Hilltop campuses was emailed to the employee’s personal email account. The spreadsheet contained information such as residents’ names, addresses, phone numbers for residents’ contact person(s) and the relationship of those individuals to the residents. No highly sensitive information such as financial data, health data, health insurance information, or Social Security numbers were recorded in the spreadsheet.

Following the discovery of the incident on July 13, 2018, the employee was questioned, and United Methodist Homes observed the employee deleting the email and spreadsheet from his personal email account. The individual is no longer employed by United Methodist Homes.

Even though the information in the spreadsheet was extremely limited, United Methodist Homes has offered complimentary credit monitoring services to affected individuals for 12 months.

Texas Nurse Fired for Social Media HIPAA Violation

A nurse at a Texas children’s hospital has been fired for violating Health Insurance Portability and Accountability Act (HIPAA) Rules by posting protected health information on a social media website.

The pediatric ICU/ER nurse worked at Texas Children’s Hospital and posted a series of comments on Facebook about a rare case of measles at the hospital. The nurse was an anti-vaxxer and posted about the experience of seeing a boy at the hospital suffering from the disease – a disease that could have been prevented through vaccination.

Her comments explained how the disease was much worse than she expected it to be, having not encountered anyone with the measles in the past. She explained that it was a “rough” experience seeing the boy suffering from the disease.

She also explained in one of her posts, “I think it’s easy for us non-vaxxers to make assumptions, but most of us have never and will never see one of these diseases,” according to the Houston Chronicle, which obtained screenshots of her Facebook posts. “By no means have I changed my vax stance, and I never will. But this poor kid was bad off and as a parent, I could see vaccinating out of fear.”

Due to a high rate of vaccination (94.5%) in Houston, a measles case is very rare. Over the past ten years there have been fewer than 10 confirmed cases in the city. While the nurse did not post the child’s name on Facebook, her job was listed on her profile, along with the hospital where she worked, and information about the boy and his condition. Due to the information contained in the posts and the rarity of the disease, it is possible that the child could have been identified.

Texas Children’s Hospital suspended the nurse when officials found out about her social media posts and an investigation was launched. After receiving the suspension, the nurse appeared to realize that she had shared too much information and deleted several of her posts. Four days after the nurse was suspended the decision was taken to fire her for the HIPAA violation. An official from Texas Children’s Hospital confirmed the nurse lost her job as a result of violating hospital policies and federal laws by posting protected health information on a social media website, and not for her anti-vaxxing views.

The HIPAA Privacy Rule places restrictions on the allowable uses and disclosures of protected health information. Most healthcare professionals will be well aware that the posting of any protected health information on a social media website constitutes a HIPAA violation.

However, as this incident shows, the patient does not need to be mentioned by name in order for them to potentially be identified. If any personally identifiable protected health information is posted on social media without consent first being obtained from the patient, it constitutes a violation of the HIPAA Privacy Rule.

A good rule of thumb is to keep work and private lives separate, and never to post any information about patients on a social media platform, even if you do not think that a patient could be identified from the post.

At HIMSS 2017, the former deputy director of health information privacy at the HHS’ Office for Civil Rights (OCR) explained that OCR plans to issue guidance on HIPAA and social media and what is and is not acceptable.

Phishing Attack on Acadiana Computer Systems Exposed the PHI of 31,000 Individuals

Acadiana Computer Systems Inc., a Lafayette, LA-based provider of software and business solutions for the healthcare industry, has discovered an unauthorized individual has gained access to the email account of one of its employees.

The security breach was detected on July 6, 2018 and external access to the account was immediately disabled. An independent cybersecurity expert was retained to conduct a forensic analysis of the breach and determine the nature and scope of the attack.

An analysis of the emails in the compromised account revealed they contained the personal information of several of its clients’ patients. The information potentially accessed was limited to names, addresses, treatment information, billing information, and for a limited number of individuals, Social Security numbers.

The breach report submitted to the Department of Health and Human Services’ Office for Civil Rights indicates 31,151 individuals have had their protected health information exposed as a result of the email account breach.

Those individuals had previously received medical services from the following healthcare providers:

  • Radiology and Interventional Associates of Metairie
  • LSU Healthcare Network
  • LSU Health Sciences Center Shreveport
  • Poly Ryon (Oakbend) Medical Group
  • Oceans Acquisition, Inc.
  • South Louisiana Medical Associates
  • Southern Surgical
  • Truman Medical Centers
  • University Hospital and Clinics
  • University of South Alabama
  • Willis-Knighton Medical Center

Acadiana Computer Systems is sending notification letters to all individuals whose protected health information was potentially accessed and is providing further information on the steps they can take to monitor and protect their personal information.

Out of an abundance of caution, Acadiana Computer Systems is covering the cost of identity monitoring services for all affected patients.

Acadiana Computer Systems has already taken steps to reduce the risk of further breaches, which include augmenting email account security, retraining staff, and reviewing and updating its policies and procedures.

Reliable Respiratory Phishing Attack Impacts 21,000 Patients

The Norwood, MA-based respiratory care provider Reliable Respiratory has experienced a phishing attack that has affected several thousand of its patients.

Unusual activity in an employee’s email account was detected on July 3, 2018, and the account was immediately secured. Computer forensic specialists were retained to determine the nature and extent of the breach.

The investigation revealed that the employee had been targeted with a phishing campaign and that their response to a phishing email had disclosed their login credentials. The account was confirmed to have been accessed by an unauthorized individual between June 28 and July 2. An analysis of the emails contained in the account showed a wide range of protected health information could potentially have been accessed by the attacker.
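The “unusual activity” review that surfaced the Reliable Respiratory compromise, and the IP address whitelisting Hopebridge adopted after its own phishing incident, both come down to checking mailbox sign-in events against where staff are expected to sign in from. The following is an added example illustrating both passages; it is not code from the HIPAA Journal article or from either organisation. It assumes a hypothetical JSON-lines event format with the fields shown, a hypothetical list of office and VPN prefixes as the allow-list, and constructed sample events that mirror the June 28 to July 2 timeline above. Beyond the sign-in check itself, it also flags an inbox rule created shortly after an outside sign-in, since attackers routinely add forwarding rules so that mail keeps flowing to them after the password is reset.

```python
"""Added example, not code from the HIPAA Journal article or from Hopebridge
or Reliable Respiratory: reviewing mailbox sign-in and configuration events
for the post-phishing pattern described above (credentials disclosed, then
repeated access from outside the organisation), using the kind of
IP allow-list Hopebridge said it adopted.

Hypothetical assumptions: events are JSON lines with the fields shown
below; ALLOWED_NETWORKS lists the office and VPN prefixes staff sign in
from; the sample events are constructed to mirror the June 28 - July 2
timeline above and are not real log data."""

import ipaddress
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical: networks staff are expected to sign in from.
ALLOWED_NETWORKS = [
    ipaddress.ip_network("10.20.30.0/24"),  # office LAN
    ipaddress.ip_network("192.0.2.0/24"),   # VPN address pool
]

# Constructed sample: jdoe's credentials are used from an outside address,
# an inbox rule is created minutes later, and the legitimate user keeps
# signing in from the office as usual.
SIGNIN_LOG = """
{"ts": "2018-06-28T03:14:05", "user": "jdoe", "event": "signin", "ip": "198.51.100.23", "result": "success"}
{"ts": "2018-06-28T03:16:40", "user": "jdoe", "event": "inbox_rule_created", "ip": "198.51.100.23", "detail": "forward all mail to external address"}
{"ts": "2018-06-28T08:05:12", "user": "jdoe", "event": "signin", "ip": "10.20.30.41", "result": "success"}
{"ts": "2018-06-29T09:00:00", "user": "asmith", "event": "signin", "ip": "10.20.30.42", "result": "success"}
{"ts": "2018-07-02T22:41:09", "user": "jdoe", "event": "signin", "ip": "198.51.100.23", "result": "success"}
{"ts": "2018-07-03T09:10:00", "user": "asmith", "event": "signin", "ip": "203.0.113.9", "result": "failure"}
"""


def load_events(text):
    """Parse JSON-lines events and return them sorted by timestamp."""
    events = []
    for line in text.strip().splitlines():
        e = json.loads(line)
        e["ts"] = datetime.fromisoformat(e["ts"])
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def is_allowed(ip, allowed_nets):
    """True if the address falls inside any allow-listed network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in allowed_nets)


def external_signins(events, allowed_nets):
    """Successful sign-ins from addresses outside every allowed network."""
    return [e for e in events
            if e["event"] == "signin" and e["result"] == "success"
            and not is_allowed(e["ip"], allowed_nets)]


def rules_after_external_signin(events, allowed_nets, window=timedelta(hours=1)):
    """Inbox rules created within `window` after an external sign-in by the same user."""
    external = external_signins(events, allowed_nets)
    findings = []
    for e in events:
        if e["event"] != "inbox_rule_created":
            continue
        for s in external:
            if s["user"] == e["user"] and timedelta(0) <= e["ts"] - s["ts"] <= window:
                findings.append({"user": e["user"], "rule_ts": e["ts"],
                                 "signin_ip": s["ip"], "detail": e.get("detail", "")})
                break
    return findings


def review(events, allowed_nets):
    """Per-user list of findings for the incident responder to triage."""
    report = defaultdict(list)
    for e in external_signins(events, allowed_nets):
        report[e["user"]].append(
            f"sign-in from {e['ip']} (outside allowed networks) at {e['ts'].isoformat()}")
    for f in rules_after_external_signin(events, allowed_nets):
        report[f["user"]].append(
            f"inbox rule '{f['detail']}' created at {f['rule_ts'].isoformat()} "
            f"shortly after sign-in from {f['signin_ip']}")
    return dict(report)


if __name__ == "__main__":
    for user, findings in review(load_events(SIGNIN_LOG), ALLOWED_NETWORKS).items():
        print(user)
        for line in findings:
            print("  -", line)
```

Run as a script, the example reports jdoe only: two sign-ins from 198.51.100.23 and the forwarding rule created two and a half minutes after the first of them. A sign-in allow-list on its own would have blocked the June 28 access outright, which is the Hopebridge remedy; where travel or home working makes a strict allow-list impractical, the same events feed an alert instead, and 2-factor authentication stops a phished password from being sufficient in the first place.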

Patients are now being notified of the breach by mail and have been advised to monitor their account statements and explanation of benefits statements closely for signs of identity theft and fraud. No mention was made in its substitute breach notice about whether credit monitoring and identity theft protection services are being offered to affected patients.

Patients affected by the breach may have had the following types of protected health information exposed: Name, date of birth, medical record number, medical diagnosis, treatment information, medication/prescription information, username and password, patient claim/billing information, health insurance information, driver’s license number, state identification number, Social Security number, passport number, bank or financial account information, and credit or debit card information.

Reliable Respiratory will be implementing additional safeguards to improve the security of its systems and will update its policies and procedures to reduce the risk of experiencing future cyberattacks.

The report submitted to the Department of Health and Human Services’ Office for Civil Rights shows 21,311 patients were affected by the phishing attack.

Carpenters Benefit Funds of Philadelphia Email Security Incident

A similarly sized email breach was reported to OCR by Carpenters Benefit Funds of Philadelphia on August 31, 2018. The email hacking incident resulted in the exposure and possible theft of 20,015 plan members’ records.

A substitute breach notice has not yet been uploaded to the Carpenters Benefit Funds of Philadelphia website and a prominent media outlet does not appear to have been notified of the breach at the time of writing, so the exact nature of the breach is not yet known.
