HIPAA Breach News

Medical Records from New Mexico Hospital Found Scattered in Street

Posted by HIPAA Journal

The New Mexico Department of Health is currently investigating how the private medical records of some of its patients came to fall from a truck during transportation from the hospital to a secure storage facility.

The records came from Turquoise Lodge Hospital, a rehabilitation center run by the New Mexico Department of Health that specializes in the treatment of parents and pregnant women who are recovering from substance abuse.

The hospital had arranged for patients’ medical records to be collected and transported to a new location for storage. The paperwork was collected from the hospital on Thursday August 30; however, during transit some of those records fell out of the delivery truck onto a busy Albuquerque street.

KRQE News 13 sent reporters to the scene who discovered medical records strewn along Avenida Cesar Chavez at I-25. Some of the paperwork had been collected by members of the public.

The paperwork contained highly sensitive personally identifiable information (PII) and protected health information (PHI), including patients’ names, their medical histories, billing information, and Social Security numbers.

The New Mexico Department of Health was notified about the incident and sent a cleanup crew to collect the remaining paperwork on Friday August 31, at least 12 hours after the records had fallen off the truck. It is currently unclear whether all the records have been recovered.

An investigation has been launched to determine why the medical records were not secured in transit and how they were able to fall from the delivery truck. At this stage it is unclear exactly how many patients have had their health information exposed.

When those individuals are identified, the New Mexico Department of Health will send out notification letters in the mail. A report will also be submitted to the Department of Health and Human Services’ Office for Civil Rights and state authorities.

The post Medical Records from New Mexico Hospital Found Scattered in Street appeared first on HIPAA Journal.

Plaintiffs in Class Action Claim Premera Blue Cross Destroyed Key Evidence

Posted by HIPAA Journal

There has been a twist in the class action lawsuit filed by victims of the 2015 Premera Blue Cross data breach. The plaintiffs allege Premera Blue Cross willfully destroyed evidence of data theft.

In 2015, Premera Blue Cross announced it was the victim of a cyberattack that resulted in cybercriminals gaining access to plan members’ protected health information.

The data breach was the second largest data breach ever to be reported by a healthcare organization, behind only the 78.8 million-record Anthem Inc., data breach that was also discovered in 2015. The protected health information of 11 million individuals was exposed as a result of the hack.

The Premera data breach was detected in January 2015, although the investigation revealed hackers had gained access to its network in May 2014. The attackers potentially had access to plan members’ protected health information (PHI) and personally identifiable information (PII) for 8 months before the intrusion was detected and access to data was blocked.

Unsurprisingly, given the scale of the breach, several class action lawsuits were filed by the breach victims. As was the case with the lawsuits filed in the wake of the Anthem data breach, they were consolidated into a single class action lawsuit. Anthem settled its class action lawsuit earlier this year, but the Premera Blue Cross lawsuit is ongoing.

A resolution does not appear to be getting closer. In fact, there has been a new twist in the case which is likely to delay an outcome further still. The plaintiffs have alleged that Premera Blue Cross destroyed key evidence that would have helped their case.

Alleged Destruction of Evidence of Data Theft

A third-party computer forensics firm, Mandiant, was retained to conduct an investigation into the breach. Mandiant determined that the hackers had compromised 35 Premera computers in the attack, and through those computers the attackers potentially had access to the records of 11 million plan members.

The cyberattack was not the work of amateurs. A well-known hacking group had conducted the attack and that group had succeeded in stealing data from other entities that it had attacked in the past.

While concrete evidence was allegedly not found to confirm that data had been exfiltrated, Mandiant did find fragments of RAR files on one of the computers that had been compromised. RAR files are compressed files that are used to make data transmission easier. The presence of the file fragments, which it is alleged were created by the attackers, suggests the hackers used RAR files to exfiltrate data and deleted the files to cover their tracks.

The plaintiffs requested all evidence uncovered during the Mandiant investigation be handed over, including the hard drives and forensic images of the 35 compromised computers. Premera responded to that request but claimed that it was only able to provide images for 34 out of the 35 computers as one computer, referred to in the court documents as A23567-D, had been destroyed. The computer was destroyed on December 16, 2016 – around a year after the litigation had started.

A23567-D is alleged to have contained important evidence that could confirm that data had been exfiltrated. That computer was the only one out of the 35 to contain a type of malware referred to by Mandiant as PHOTO. The malware was capable of registry modification, executing programs, and crucially, uploading and downloading files. The attackers communicated with that computer on a daily basis from July 2014 until January 2015 when the cyberattack was discovered and remote access was blocked.

“The destroyed computer was perfectly positioned to be the one-and-only staging computer hackers needed to create vast staging files for the purpose of shipping even more data outside of Premera’s network,” wrote the plaintiffs’ attorneys in the motion. “This computer functioned as the development machine for a software programmer, and as such was pre-loaded with a vast array of legitimate utilities that could be turned to any purpose.”

The computer appears to have been sent for destruction in error. It was deemed to be of no further interest to Premera and had reached end of life.

The problem for the plaintiffs is without any evidence of data theft, the case is unlikely to succeed. According to the motion, “Essentially, Premera maintains a ‘no harm, no foul’ defense, contending there can be no damage to any plaintiff unless he or she can prove confidential information was exfiltrated from Premera’s system.”

Whether accidental or willful, the destruction of the computer is extremely damaging to the case. The motion states that “Without access to that hard drive, trying to prove that the hackers removed plaintiffs PII and PHI through that computer is impossible.”

Additionally, the motion, filed in the U.S. District Court in Portland, claims that Premera Blue Cross failed to preserve data loss logs from its Bluecoat Data Loss Prevention (DLP) system, which potentially could have confirmed that plan members’ data had been stolen. It is alleged that those files were also deleted after the lawsuit was filed.

Premera Blue Cross issued a a statement to ZDNet in which it was confirmed that Premera disagrees with the motion and does not believe the facts of the case justify the relief the plaintiffs have requested. A response to the motion will be filed by Premera’s attorneys by September 28, 2018.

If the motion is granted, a federal judge would then instruct a jury that key evidence has been destroyed and that it should be assumed that the evidence confirmed data exfiltration had occurred. It would also not be possible for Premera to call in computer experts to testify that no data had been exfiltrated.

Even a favorable ruling would be no guarantee of success nor of a settlement being reached. In order for damages to be awarded, plaintiffs in the suit would still need to establish that they have suffered losses as a result of the data breach.

The post Plaintiffs in Class Action Claim Premera Blue Cross Destroyed Key Evidence appeared first on HIPAA Journal.

Plaintiffs in Class Action Claim Premera Blue Cross Destroyed Key Evidence

Posted by HIPAA Journal

There has been a twist in the class action lawsuit filed by victims of the 2015 Premera Blue Cross data breach. The plaintiffs allege Premera Blue Cross willfully destroyed evidence of data theft.

In 2015, Premera Blue Cross announced it was the victim of a cyberattack that resulted in cybercriminals gaining access to plan members’ protected health information.

The data breach was the second largest data breach ever to be reported by a healthcare organization, behind only the 78.8 million-record Anthem Inc., data breach that was also discovered in 2015. The protected health information of 11 million individuals was exposed as a result of the hack.

The Premera data breach was detected in January 2015, although the investigation revealed hackers had gained access to its network in May 2014. The attackers potentially had access to plan members’ protected health information (PHI) and personally identifiable information (PII) for 8 months before the intrusion was detected and access to data was blocked.

Unsurprisingly, given the scale of the breach, several class action lawsuits were filed by the breach victims. As was the case with the lawsuits filed in the wake of the Anthem data breach, they were consolidated into a single class action lawsuit. Anthem settled its class action lawsuit earlier this year, but the Premera Blue Cross lawsuit is ongoing.

A resolution does not appear to be getting closer. In fact, there has been a new twist in the case which is likely to delay an outcome further still. The plaintiffs have alleged that Premera Blue Cross destroyed key evidence that would have helped their case.

Alleged Destruction of Evidence of Data Theft

A third-party computer forensics firm, Mandiant, was retained to conduct an investigation into the breach. Mandiant determined that the hackers had compromised 35 Premera computers in the attack, and through those computers the attackers potentially had access to the records of 11 million plan members.

The cyberattack was not the work of amateurs. A well-known hacking group had conducted the attack and that group had succeeded in stealing data from other entities that it had attacked in the past.

While concrete evidence was allegedly not found to confirm that data had been exfiltrated, Mandiant did find fragments of RAR files on one of the computers that had been compromised. RAR files are compressed files that are used to make data transmission easier. The presence of the file fragments, which it is alleged were created by the attackers, suggests the hackers used RAR files to exfiltrate data and deleted the files to cover their tracks.

The plaintiffs requested all evidence uncovered during the Mandiant investigation be handed over, including the hard drives and forensic images of the 35 compromised computers. Premera responded to that request but claimed that it was only able to provide images for 34 out of the 35 computers as one computer, referred to in the court documents as A23567-D, had been destroyed. The computer was destroyed on December 16, 2016 – around a year after the litigation had started.

A23567-D is alleged to have contained important evidence that could confirm that data had been exfiltrated. That computer was the only one out of the 35 to contain a type of malware referred to by Mandiant as PHOTO. The malware was capable of registry modification, executing programs, and crucially, uploading and downloading files. The attackers communicated with that computer on a daily basis from July 2014 until January 2015 when the cyberattack was discovered and remote access was blocked.

“The destroyed computer was perfectly positioned to be the one-and-only staging computer hackers needed to create vast staging files for the purpose of shipping even more data outside of Premera’s network,” wrote the plaintiffs’ attorneys in the motion. “This computer functioned as the development machine for a software programmer, and as such was pre-loaded with a vast array of legitimate utilities that could be turned to any purpose.”

The computer appears to have been sent for destruction in error. It was deemed to be of no further interest to Premera and had reached end of life.

The problem for the plaintiffs is without any evidence of data theft, the case is unlikely to succeed. According to the motion, “Essentially, Premera maintains a ‘no harm, no foul’ defense, contending there can be no damage to any plaintiff unless he or she can prove confidential information was exfiltrated from Premera’s system.”

Whether accidental or willful, the destruction of the computer is extremely damaging to the case. The motion states that “Without access to that hard drive, trying to prove that the hackers removed plaintiffs PII and PHI through that computer is impossible.”

Additionally, the motion, filed in the U.S. District Court in Portland, claims that Premera Blue Cross failed to preserve data loss logs from its Bluecoat Data Loss Prevention (DLP) system, which potentially could have confirmed that plan members’ data had been stolen. It is alleged that those files were also deleted after the lawsuit was filed.

Premera Blue Cross issued a a statement to ZDNet in which it was confirmed that Premera disagrees with the motion and does not believe the facts of the case justify the relief the plaintiffs have requested. A response to the motion will be filed by Premera’s attorneys by September 28, 2018.

If the motion is granted, a federal judge would then instruct a jury that key evidence has been destroyed and that it should be assumed that the evidence confirmed data exfiltration had occurred. It would also not be possible for Premera to call in computer experts to testify that no data had been exfiltrated.

Even a favorable ruling would be no guarantee of success nor of a settlement being reached. In order for damages to be awarded, plaintiffs in the suit would still need to establish that they have suffered losses as a result of the data breach.

The post Plaintiffs in Class Action Claim Premera Blue Cross Destroyed Key Evidence appeared first on HIPAA Journal.

NY Attorney General Fines Arc of Erie County $200,000 for Security Breach

Posted by HIPAA Journal

The Arc of Erie County has been fined $200,000 by the New York Attorney General for violating HIPAA Rules by failing to secure the electronic protected health information (ePHI) of its clients.

In February 2018, The Arc of Erie County, a nonprofit social services agency and chapter of the The Arc Of New York, was notified by a member of the public that some of its clients’ sensitive personal information was accessible through its website. The information could also be found through search engines.

The investigation into the security breach revealed sensitive information had been accessible online for two and a half years, from July 2015 to February 2018 when the error was corrected. The forensic investigation into the security incident revealed multiple individuals from outside the United States had accessed the information on several occasions. The webpage should only have been accessible internally by staff authorized to view ePHI and should have required a username and password to be entered before access to the data could be gained.

In total, 3,751 clients in New York had information such as their full name, address, phone number, age, date of birth, gender, race, primary diagnosis code, IQ, health insurance information, and Social Security number exposed. Those individuals were notified of the breach on March 9, 2018, the Department of Health and Human Services’ Office for Civil Rights was informed, and a breach report was submitted to the New York Attorney General’s office.

Under HIPAA, The Arc of Erie County is required to safeguard the ePHI of its clients and prevent that information from being accessed by unauthorized individuals. The investigation into the breach by the New York Attorney General’s office confirmed that HIPAA Rules had been violated as appropriate physical, technical, and administrative safeguards had not been implemented to ensure the confidentiality, integrity, and availability of ePHI. As a result of that failure, there had been an impermissible disclosure of clients ePHI.

“The Arc of Erie County’s work serves our most vulnerable New Yorkers – and that comes with the responsibility to protect them and their sensitive personal information,” said New York Attorney General Barbara. D. Underwood. “This settlement should provide a model to all charities in protecting their communities’ personal information online.”

In addition to paying a financial penalty of $200,000, The Arc of Erie County has agreed to adopt a Corrective Action Plan (CAP) that includes the requirement to conduct a thorough risk analysis to identify all security risks and vulnerabilities affecting its electronic equipment and data systems. A report of that assessment must be submitted to the New York Attorney General’s office within 180 days. Any vulnerabilities identified must be corrected through a HIPAA-compliance risk management process and policies and procedures must also be reviewed and revised, based on the findings of the risk analysis.

The post NY Attorney General Fines Arc of Erie County $200,000 for Security Breach appeared first on HIPAA Journal.

Mailing Error Resulted in Impermissible Disclosure of 19,570 Missouri Care Members’ PHI

Posted by HIPAA Journal

An error in a mailing to Missouri Care members reminding them to book well-child visits has resulted in the accidental disclosure of the personal information of almost 20,000 children to other Missouri Care members.

The personal information detailed in the letters was limited to children’s names, ages, and the names of their provider’s. Health information and other sensitive data was not exposed, so the potential for the information to be misused is low. However, out of an abundance of caution, parents and legal guardians of affected children have been advised to monitor their credit card bills and account statements for any suspicious activity and told not to respond to any email requests asking for further personal information. Free credit monitoring services have been offered to all individuals affected by the breach.

WellCare Health Plans Inc., discovered the error on July 25, 2018 and launched an investigation to determine how the error occurred and the individuals that were impacted. The mailing had been sent to 19,570 individuals, although it is unclear how many of those letters were incorrectly addressed.

The personal information that was exposed is classed as protected health information under HIPAA, and as such, the exposure of the information requires notifications to be mailed to all affected individuals. Since the incident involved more than 500 individuals, a media notice about the breach was also warranted and was sent to the Kansas City Star.

In the letter, WellCare Health Plans VP and chief security and privacy officer said, “Missouri Care is deeply committed to protecting our members’ privacy, and we apologize for any inconvenience this incident may have caused.”

WellCare Health Plans Inc., said policies and procedures for mailings have been reviewed and updated to prevent similar incidents from occurring in the future.

This is the second mis-mailing incident to affect Missouri Care members in the past year. A similar mis-mailing error occurred in August 2017, which resulted in the accidental disclosure of the PHI of 1,223 plan members. In that case, the error was made by a subcontractor used for the mailing.

The post Mailing Error Resulted in Impermissible Disclosure of 19,570 Missouri Care Members’ PHI appeared first on HIPAA Journal.

1,790 Patients Impacted by Phishing Attack on Los Angeles Drug and Alcohol Treatment Center

Posted by HIPAA Journal

The West Los Angeles-based drug and alcohol treatment center, Authentic Recovery Center, is alerting 1,790 individuals that some of their personally identifiable information (PII) and protected health information (PHI) has potentially been obtained by an unauthorized individual as a result of a phishing attack.

The phishing attack was discovered on June 21, 2018 prompting a full investigation. The investigation confirmed that the breach was limited to a single email account. All other email accounts and systems remained secure at all times.

Access was first gained the email account on June 7, 2018 and continued until the breach was detected on June 21 and the account was secured.

An email-by-email analysis of the compromised account revealed it contained the PII and PHI of clients and employees. Employee information accessible through the account was limited to name and driver’s license number, with the exception of two individuals who also had their address, contact telephone number, date of birth, and Social Security number exposed.

Clients impacted by the incident had their name exposed, the fact that they were clients of Authentic Recovery Center, and a limited amount of clinical information. Only one individual had payment card information exposed.

While the account was accessed, no evidence has been uncovered to suggest any information was obtained or misused by the attacker.

For the majority of individuals impacted by the breach, the risk of identity theft and fraud is low due to the types of information that were exposed. Out of an abundance of caution, all individuals affected by the breach have been offered complimentary credit monitoring services for 12 months. It was also recommended that impacted individuals check their credit reports for any sign of fraudulent activity.

The breach has prompted Authentic Recover Center to implement further controls to secure its email accounts and employees have been provided with further training about how they can secure information systems.

The post 1,790 Patients Impacted by Phishing Attack on Los Angeles Drug and Alcohol Treatment Center appeared first on HIPAA Journal.

July 2018 Healthcare Data Breach Report

Posted by HIPAA Journal

July 2018 was the worst month of 2018 for healthcare data breaches by a considerable distance. There were 33 breaches reported in July – the same number of breaches as in June – although 543.6% more records were exposed in July than the previous month.

Healthcare Data Breaches by Month (Feb-July 2018)

The breaches reported in July 2018 impacted 2,292,552 patients and health plan members, which is 202,859 more records than were exposed in April, May, and July combined.

Healthcare Records Exposed by Month

A Bad Year for Patient Privacy

So far in 2018 there have been 221 data breaches of more than 500 records reported to the Department of Health and Human Services’ Office for Civil Rights. Those breaches have resulted in the protected health information of 6,112,867 individuals being exposed, stolen, or impermissibly disclosed.

To put that figure into perspective, it is 974,688 more records than were exposed in healthcare data breaches in all of 2017 and there are still five months left of 2018.

Largest Healthcare Data Breaches of 2018 (Jan-July)

Entity Name Entity Type Records Exposed Breach Type
UnityPoint Health Business Associate 1,421,107 Hacking/IT Incident
CA Department of Developmental Services Health Plan 582,174 Theft
MSK Group Healthcare Provider 566,236 Hacking/IT Incident
LifeBridge Health, Inc Healthcare Provider 538,127 Hacking/IT Incident
SSM Health St. Mary’s Hospital – Jefferson City Healthcare Provider 301,000 Improper Disposal
Oklahoma State University Center for Health Sciences Healthcare Provider 279,865 Hacking/IT Incident
Med Associates, Inc. Business Associate 276,057 Hacking/IT Incident
MedEvolve Business Associate 205,434 Unauthorized Access/Disclosure
St. Peter’s Surgery & Endoscopy Center Healthcare Provider 134,512 Hacking/IT Incident
Boys Town National Research Hospital Healthcare Provider 105,309 Hacking/IT Incident

Causes of Healthcare Data Breaches in July 2018

Unauthorized accessing of PHI by employees and impermissible disclosures of PHI are commonplace in healthcare, although in July there was a major reduction in these types of breaches, falling by 46.6% from July. There was also a significant drop in the number of incidents involving the loss or theft of unencrypted electronic devices and physical PHI, which fell 50% month over month.

Causes of Healthcare Data Breaches July 2018

Hacking incidents, ransomware attacks and other IT incidents such as malware infections and phishing attacks significantly increased in July. There were 66.7% more hacking/IT incidents than June. Hacking/IT incidents also resulted in the exposure of more healthcare records than all other types of breaches combined.

Healthcare Records Exposed by Breach Type (July 2018)

7 of the top 15 data breaches (46.7%) in July were phishing attacks, two were ransomware attacks, three were failures to secure electronic PHI and two were improper disposal incidents involving physical PHI. The improper disposal incidents were the second biggest cause of exposed PHI, largely due to the 301,000-record breach at SSM Health. In that breach, physical records were left behind when St. Mary’s Hospital moved to a new location.

In July, more healthcare records were exposed through phishing attacks than any other breach cause. The phishing incidents resulted in the exposure and possible theft of than 1.6 million healthcare records.

Largest Healthcare Data Breaches in July 2018

In July, there were 12 healthcare data breaches of more than 10,000 records and four breaches impacted more than 100,000 individuals. There were 14 breaches of between 1,000 and 9,999 records and 7 breaches of between 500 and 999 records. Four of the ten largest healthcare data breaches of 2018 were reported in July.

The largest healthcare data breach of July, and the largest breach of 2018 to date, was a phishing attack on Iowa Health System doing business as UnityPoint Health.

The threat actor responsible for the UnityPoint Health phishing attack spoofed an executive’s email account and sent messages to UnityPoint Health employees. Several members of staff were fooled by the emails and disclosed their login credentials giving the attacker access to their email accounts. Those email accounts contained the protected health information of more than 1.4 million patients.

Four of the ten largest healthcare data breaches of 2018 were reported in July.

Entity Name Entity Type Records Exposed Breach Type
UnityPoint Health Business Associate 1,421,107 Hacking/IT Incident
SSM Health St. Mary’s Hospital – Jefferson City Healthcare Provider 301,000 Improper Disposal
MedEvolve Business Associate 205,434 Unauthorized Access/Disclosure
Boys Town National Research Hospital Healthcare Provider 105,309 Hacking/IT Incident
Blue Springs Family Care, P.C. Healthcare Provider 44,979 Hacking/IT Incident
Golden Heart Administrative Professionals Business Associate 44,600 Hacking/IT Incident
Confluence Health Healthcare Provider 33,821 Hacking/IT Incident
NorthStar Anesthesia Healthcare Provider 19,807 Hacking/IT Incident
Orlando Orthopaedic Center Healthcare Provider 19,101 Unauthorized Access/Disclosure
New England Dermatology, P.C. Healthcare Provider 16,154 Improper Disposal
MedSpring of Texas, PA Healthcare Provider 13,034 Hacking/IT Incident
Longwood Orthopedic Associates, Inc. Healthcare Provider 10,000 Unauthorized Access/Disclosure

Location of Breached PHI

Unsurprisingly, given the high number of successful phishing attacks in July, email-related breached dominated the breach reports and was the main location of breached PHI, as has been the case in March, April, May and June. There were seven network server breaches in July, which were a combination of ransomware attacks, accidental removal of security protections, malware infections, and hacking incidents.

Location of Breached PHI (July 2018)

Data Breaches by Covered Entity Type

Healthcare providers were hit the hardest in July with 28 breaches reported by providers. Only two health plans reported data breaches in July. Three business associates reported breaches, although nine reported data breaches had at least some business associate involvement.

July 2018 Healthcare Data Breaches by Covered Entity

Healthcare Data Breaches by State

Healthcare organizations based in 22 states reported data breaches in July. California usually tops the list for the most data breaches each month due to the number of healthcare organizations based in the state, although in July it was Florida and Massachusetts than had the most breaches with three apiece.

Alaska, Missouri, New York, Pennsylvania, Texas, Virginia, and Washington each had two breaches reported, and there was one breach reported in each of Arkansas, California, Colorado, Idaho, Indiana, Illinois, Maryland, Michigan, Montana, Nebraska, New Jersey, New Mexico, and Tennessee.

The post July 2018 Healthcare Data Breach Report appeared first on HIPAA Journal.

Central Colorado Dermatology Ransomware Attack Potentially Resulted in PHI Access

Posted by HIPAA Journal

Central Colorado Dermatology (CCD) has notified more than 4,000 patients that some of their protected health information (PHI) has potentially been accessed by hackers during a ransomware attack on its computer network.

An unauthorized individual gained access to CCD’s computer network and deployed ransomware on a server. Medical records and patients’ medical charts were not accessed, although certain files and scanned fax communications were encrypted. Some of those files contained PHI.

An investigation was launched to determine whether protected health information was accessed or stolen although it was not possible to determine with a high degree of certainty whether any PHI was viewed or copied. CCD did not uncover any evidence to suggest that PHI had been accessed or stolen, although some of the software that had been installed on its network could have allowed files to be downloaded.

The files that could have been accessed including the following information: Names, addresses, contact telephone numbers, dates of birth, email addresses, Insurance information, Social Security numbers, insurance payment codes and costs, dates of service, clinical information, medical conditions, diagnoses, treatment information, lab test results, diagnostic studies, copies of CCD reports and notes, and information sent to CCD from other healthcare providers by fax.

The investigation determined that remote access was gained to a single server on June 5, 2018 and ransomware was deployed the same day.

Upon discovery of the attack, steps were taken to secure the network and block remote access and a cybersecurity firm was retained to investigate the attack. After systems were secured and the malicious software was removed, the cybersecurity firm continued to monitor the network for several weeks to ensure that no further attempts were made to access the system. During that time, no further intrusions were detected and no suspicious network activity was identified.

In response to the attack, CCD has changed its password requirements and how its network can be accessed, new anti-virus software has been installed, and further upgrades to system security have been made. That process is continuing, guided by IT security specialists. Changes have also been made to its fax software to ensure that digital copies of faxes are not automatically stored on its network.

Because unauthorized PHI access and theft of files could not be ruled out, notification letters were sent to all 4,065 patients whose PHI could potentially have been accessed. All patients affected by the breach have been offered one year of credit monitoring services.

The post Central Colorado Dermatology Ransomware Attack Potentially Resulted in PHI Access appeared first on HIPAA Journal.

Phishing Attack on Legacy Health Results In Exposure of 38,000 Patients’ PHI

Posted by HIPAA Journal

Legacy Health has discovered an unauthorized individual has gained access to its email system and the protected health information (PHI) of approximately 38,000 patients.

The Portland, OR-based health system operates two regional hospitals, four community hospitals, and 70 clinics in Oregon, Southwest Washington, and the and the Mid-Willamette Valley and is the second largest health system in the Portland Metro Area.

The data breach was discovered on June 21, 2018, although the email accounts were first accessed by an unauthorized individual in May. Legacy Health determined that access was gained to the email accounts as a result of employees being duped by phishing emails.

Email breaches can take a considerable amount of time to investigate. While tools are available to scan email accounts for protected health information, many of the emails in compromised accounts need to be individually checked, which can involve manual checks of hundreds of thousands of messages.  According to Legacy Health Spokesperson Kelly Love, “We’ve been moving at as fast a pace as we can to be thorough and clear.”

To speed up the investigation, Legacy Health retained a leading computer forensics firm to investigate and assist with the breach response. That investigation revealed information such as names, birth dates, health insurance details, medical information relating to care provided at Legacy Health facilities, billing information, Driver’s license numbers and Social Security numbers may all have been accessed. Legacy Health is not aware of any patient information being misused.

Notifications were sent to affected individuals on August 20 and all patients whose driver’s license number or Social Security number was exposed have been offered credit monitoring services for 12 months without charge.

A media notice was provided to The Oregonian and the Department of Health and Human Services has been notified inside the 60-day window permitted by the HIPAA Breach Notification Rule. Steps are also being taken to improve email security and prevent any further breaches of PHI.

The post Phishing Attack on Legacy Health Results In Exposure of 38,000 Patients’ PHI appeared first on HIPAA Journal.