HIPAA Breach News

Phishing Attack on Legacy Health Results In Exposure of 38,000 Patients’ PHI

Legacy Health has discovered that an unauthorized individual gained access to its email system and to the protected health information (PHI) of approximately 38,000 patients.

The Portland, OR-based health system operates two regional hospitals, four community hospitals, and 70 clinics in Oregon, Southwest Washington, and the Mid-Willamette Valley, and is the second largest health system in the Portland Metro Area.

The data breach was discovered on June 21, 2018, although the email accounts were first accessed by an unauthorized individual in May. Legacy Health determined that the accounts were compromised after employees were duped by phishing emails.

Email breaches can take a considerable amount of time to investigate. While tools are available to scan email accounts for protected health information, many of the emails in compromised accounts still need to be checked individually, which can mean manual review of hundreds of thousands of messages. According to Legacy Health spokesperson Kelly Love, “We’ve been moving at as fast a pace as we can to be thorough and clear.”

To speed up the investigation, Legacy Health retained a leading computer forensics firm to investigate and assist with the breach response. That investigation revealed that information such as names, birth dates, health insurance details, medical information relating to care provided at Legacy Health facilities, billing information, driver’s license numbers, and Social Security numbers may all have been accessed. Legacy Health is not aware of any patient information being misused.

Notifications were sent to affected individuals on August 20 and all patients whose driver’s license number or Social Security number was exposed have been offered credit monitoring services for 12 months without charge.

A media notice was provided to The Oregonian, and the Department of Health and Human Services was notified within the 60-day window permitted by the HIPAA Breach Notification Rule. Steps are also being taken to improve email security and prevent further breaches of PHI.

The post Phishing Attack on Legacy Health Results In Exposure of 38,000 Patients’ PHI appeared first on HIPAA Journal.

9,350 Patients of Gordon Schanzlin New Vision Institute Notified of Data Breach

The Gordon Schanzlin New Vision Institute in La Jolla, CA, is alerting thousands of patients that their medical records may have been stolen after files containing protected health information were discovered in the possession of an individual who was not authorized to hold them.

The data breach came to light following an investigation conducted by the U.S. Postal Inspection Service. A raid was conducted on a property in Southern California, and a box of medical records was discovered there.

The files contained information such as names, dates of service, addresses, health insurance information, Social Security numbers, and health and clinical information.

Gordon Schanzlin was notified of the discovery on June 15, 2018, and an internal investigation was immediately launched to determine the nature and scope of the breach and how the medical records had been stolen.

While it could not be confirmed with 100% certainty, Gordon Schanzlin believes the medical records were part of a batch of files that were stolen from a storage unit that was broken into in October 2017.

The boxes in the storage unit contained the medical records of 9,351 patients. While only a small number of files were recovered following the raid, Gordon Schanzlin took the decision to notify all 9,351 patients about the discovery out of an abundance of caution.

Due to the sensitive nature of data in the files, and the potential for the information to be used for identity theft and fraud, Gordon Schanzlin is offering all patients potentially affected by the breach one year of credit monitoring services through Experian. Those services are provided at no cost to patients. Breach notification letters were mailed on August 14, 2018.

In response to the breach, staff have received additional training and additional safeguards are being implemented to better protect all stored protected health information.


Court Approves Anthem $115 Million Data Breach Settlement

The $115 million settlement proposed by Anthem Inc. in 2017 to resolve the class action lawsuits filed by victims of its 78.8 million-record data breach in 2015 received final approval on Thursday, August 16.

The Anthem cyberattack resulted in plan members’ names, dates of birth, health insurance information, Social Security numbers, and other data elements being stolen by cybercriminals. Several class-action lawsuits were filed in the wake of the breach, and these were consolidated into a single lawsuit by the Judicial Panel on Multidistrict Litigation in June 2015. The case was assigned to the U.S. District Court for the Northern District of California, where a large proportion of the class members reside.

While 78.8 million individuals had protected health information (PHI) exposed when Anthem’s network was hacked, there are only 19.1 million members of the class action lawsuit, all of whom were able to demonstrate that their personal information was stored in the data center that was attacked by hackers.

Following the data breach, Anthem offered breach victims 24 months of credit monitoring services without charge; however, many class members personally paid for credit monitoring and identity theft protection services and incurred other out-of-pocket expenses as a result of the breach. “The settlement provides the class with a timely, certain, and meaningful recovery,” said Judge Koh. Had the settlement been rejected, the litigation would not only have come at considerable cost, there would have been no guarantee that it would succeed. Even if it did, any payment to class members to cover costs associated with the breach would have been substantially delayed.

Some class members believe the settlement is insufficient and has not adequately punished Anthem, although U.S. District Judge Lucy H. Koh considers the settlement “fair, reasonable, and adequate.” While several objections were received, Judge Koh determined that none of them were valid.

Under the settlement, Anthem has paid for two years of credit monitoring services. This is in addition to the credit monitoring services previously offered by Anthem. Class members who do not have credit monitoring services in place will be able to sign up by submitting a straightforward form. Class members who have already signed up for credit monitoring services can claim a cash payment as an alternative, provided they submit proof of their current credit monitoring services. The fund is sufficient to allow each class member who has submitted a claim to receive a maximum payment of $50 as a cash alternative.

The settlement also includes a fund of $15 million for individuals who have already incurred out-of-pocket expenses as a result of the data breach. So far, only around 1.33 million individuals have submitted a claim. The settlement allows claims of up to $10,000 per individual to reimburse out-of-pocket expenses.

Anthem has also agreed to implement additional security controls to ensure sensitive information is better protected in the future, including the use of encryption for data at rest and enhancements to its data security procedures.


InterAct of Michigan Discovers Email Account Compromise

InterAct of Michigan, a provider of mental health and substance abuse treatment through clinics in Kalamazoo and Grand Rapids, has discovered that an unauthorized individual gained access to an employee’s email account and potentially viewed and copied the protected health information of 1,290 patients.

The attack was discovered on June 8, 2018, prompting a thorough investigation to determine the nature and scope of the breach. Immediate action was taken to terminate access to the compromised account, and an internal investigation was launched. A leading computer forensics company was retained to assist with the investigation.

On July 30, 2018, InterAct of Michigan determined that the protected health information of certain patients had potentially been accessed. The information was present in emails and email attachments in the compromised account. The exposed PHI included clients’ names and Social Security numbers. For some patients, date of birth, prescription details, and treatment history may also have been accessed.

Due to the sensitive nature of the information that was compromised, all affected patients have been offered complimentary identity theft protection services for 12 months.

On August 7, 2018, notifications were mailed to affected individuals, and the Department of Health and Human Services’ Office for Civil Rights was notified of the breach.

InterAct of Michigan has taken steps to improve security to prevent further breaches and ensure that in the event of a further email account compromise, the breach will be detected much more rapidly.

Email access logs are now being reviewed on a weekly basis to identify any suspicious behavior, and individual users’ inbox rules are similarly being monitored. A rule has also been set up that blocks the forwarding of emails to external email accounts, which suggests the threat actor responsible for this attack may have created such a forwarding rule in the compromised account.
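The two controls InterAct describes (reviewing inbox rules and blocking external forwarding) can be turned into a routine check. The script below is an added example written for this digest, not code from InterAct of Michigan or HIPAA Journal. It assumes inbox rules have already been exported from the mail system into simple records; the field names, the internal domain `example-clinic.org`, and the sample rules are all constructed for the demo and do not correspond to any particular mail platform’s export format.

```python
"""Flag mailbox inbox rules that an attacker could use to exfiltrate or hide email.

Constructed example: the rule records and field names below are invented for
this demo; adapt the loader to whatever your mail system actually exports.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Domains the organisation owns; any other domain is treated as external (assumed value).
INTERNAL_DOMAINS = {"example-clinic.org"}

# Folders that mailbox owners rarely open; rules that move mail there are a common way
# of hiding messages the attacker has forwarded or wants the victim not to see.
HIDING_FOLDERS = {
    "rss feeds", "rss subscriptions", "conversation history",
    "junk email", "deleted items", "archive",
}


@dataclass
class InboxRule:
    mailbox: str
    name: str
    forward_to: List[str] = field(default_factory=list)  # forward/redirect targets
    move_to_folder: Optional[str] = None
    delete: bool = False
    mark_read: bool = False


def external_domains(addresses: List[str], internal=INTERNAL_DOMAINS) -> List[str]:
    """Return the sorted set of recipient domains that are not owned by the organisation."""
    domains = set()
    for addr in addresses:
        if "@" in addr:
            domain = addr.rsplit("@", 1)[1].lower()
            if domain not in internal:
                domains.add(domain)
    return sorted(domains)


def assess_rule(rule: InboxRule, internal=INTERNAL_DOMAINS) -> List[str]:
    """Return the reasons a rule deserves analyst review; an empty list means it looks benign."""
    reasons = []
    ext = external_domains(rule.forward_to, internal)
    if ext:
        reasons.append("forwards mail to external domain(s): " + ", ".join(ext))
    if rule.delete:
        reasons.append("deletes messages")
    if rule.move_to_folder and rule.move_to_folder.lower() in HIDING_FOLDERS:
        reasons.append(f"moves mail to rarely checked folder '{rule.move_to_folder}'")
    if rule.mark_read and (ext or rule.delete or rule.move_to_folder):
        reasons.append("marks messages read, hiding activity from the mailbox owner")
    # Names made only of dots/spaces are a frequent sign of a rule created to go unnoticed.
    if not rule.name.strip(". "):
        reasons.append("rule name is blank or punctuation only")
    return reasons


def review_rules(rules: List[InboxRule], internal=INTERNAL_DOMAINS) -> Dict[Tuple[str, str], List[str]]:
    """Map (mailbox, rule name) to review reasons for every rule that was flagged."""
    findings = {}
    for rule in rules:
        reasons = assess_rule(rule, internal)
        if reasons:
            findings[(rule.mailbox, rule.name)] = reasons
    return findings


# Constructed sample export: two benign rules, one classic exfiltration rule, one deletion rule.
SAMPLE_RULES = [
    InboxRule("nurse1@example-clinic.org", "Newsletters", move_to_folder="Newsletters"),
    InboxRule("nurse1@example-clinic.org", "Copy billing", forward_to=["billing@example-clinic.org"]),
    InboxRule("nurse1@example-clinic.org", ".", forward_to=["archive.backup@mail-example.net"],
              move_to_folder="RSS Feeds", mark_read=True),
    InboxRule("frontdesk@example-clinic.org", "Cleanup", delete=True),
]

if __name__ == "__main__":
    for (mailbox, name), reasons in review_rules(SAMPLE_RULES).items():
        print(f"{mailbox} rule {name!r}:")
        for reason in reasons:
            print("  -", reason)
```

Running the weekly review this way turns a vague “monitor inbox rules” task into a short list of rules with stated reasons, which is what an analyst needs to decide whether to disable a rule and pull the account’s access logs. An organisation-wide block on external forwarding, as InterAct introduced, removes the first category outright; the remaining checks still matter because move-and-hide or delete rules can conceal an intruder’s reading of the mailbox without forwarding anything.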


258,000 Wisconsin Residents Notified of Adams County Government Data Breach

More than 258,000 people have had their personal health information, personal identification information and/or tax information exposed as a result of a data security incident in Adams County, Wisconsin.

A potential security breach was detected on March 28, 2018 after questionable activity was identified on the Adams County computer system and network. An investigation was launched to determine whether any sensitive data had been accessed and on June 29, a data breach was confirmed to have occurred.

Some evidence has been found that suggests PHI and PII have been accessed and potentially obtained by an unauthorized individual. 258,102 individuals have potentially been affected.

The exposed data was collected between January 1, 2013 and March 28, 2018 and was stored on the systems used by the departments of Health and Human Services, Child Support, the Veteran Service Office, the Extension Office, Adams County Employees, Solid Waste, and the Sheriff’s Office.

A criminal investigation has been launched into the breach. The suspect(s) have been prevented from accessing the entire Adams County network, and accounts have been suspended pending a thorough investigation.

According to TV station WAOW, the prime suspect appears to be Adams County Clerk, Cindy Phillippi. Attempts are currently being made to have Phillippi removed from office.

A Verified Statement of Charges has been filed against Phillippi, who is suspected of installing a keylogger on the network – a form of malware that logs all keystrokes entered on computers to capture passwords and other sensitive information. The keylogger was installed on almost all computers owned by the county.

Phillippi has been accused of the unauthorized accessing of confidential computer records, opening unauthorized checking accounts, deleting records, accessing the Health and Human Services building without authorization, disclosing confidential information to a former employee, and misleading an investigation into her actions. Phillippi’s laptop has been seized and is being forensically examined. Phillippi has not yet been charged with any crimes.

Phillippi has denied most of the allegations and claims she asked to be given access to confidential records to investigate a suspected case of pornography access by a department head. She also claimed that she did not log in to the system and that other individuals had used her computer. The case is due to be heard by the Board of Supervisors on September 19.

Steps have already been taken to improve security and prevent any further breaches. The county has consulted with several different entities to identify possible vulnerabilities, security upgrades have been performed, and the County is working on enhancing its monitoring capabilities.

The County is currently investigating a long-term solution to improve security. In the meantime, software control mechanisms that had been manipulated have been disabled, and administrative controls for system and data access have been placed in the hands of a single individual.

Notifications will be sent to all individuals whose PHI, PII, or tax information was exposed in due course.


417,000 Individuals Affected by Augusta University Health Phishing Attack

A serious data breach has been reported by Augusta University Health that has impacted an estimated 417,000 individuals including patients, faculty members and a limited number of students.

Most of the patients affected by the breach had previously received medical services at Augusta University Medical Center or Children’s Hospital of Georgia, although patients from over 80 outpatient clinics in Georgia have also been affected and had their personally identifiable information (PII) and protected health information (PHI) exposed.

A wide range of PII and PHI was exposed, including names, addresses, dates of birth, lab test results, diagnoses, medications, treatment information, dates of service, medical record numbers, surgical information, and health insurance details. Augusta University Health said only a small percentage of individuals had a driver’s license number or Social Security number exposed. The PII and PHI were saved in emails and email attachments.

Augusta University Health said a data security incident was discovered on September 11, 2017 following a phishing attack on some of its employees. Some employees responded to the messages and disclosed their login credentials, allowing their accounts to be accessed remotely. In total, the email accounts of 24 university administration and faculty staff members were compromised.

Upon discovery of the attack, the email accounts were disabled to prevent data access and misuse of the accounts. The investigation showed the breach had occurred on the day it was discovered or on September 10. In addition to changing the passwords on the accounts, affected accounts were monitored for any sign of suspicious activity.

Augusta University Health said in its substitute breach notice that it was notified on July 31, 2018 by external investigators that there had been a PHI/PII breach, more than 10 months after the breach was detected. The investigators had to manually sort through 364,000 emails and email attachments to determine whether they included any PII or PHI.

Breach notification letters are being sent to all individuals affected by the breach, as well as to those affected by a second phishing attack that occurred on July 11, 2018. The second phishing attack is still under investigation, although it is not as severe. Free credit monitoring services are being offered to individuals whose Social Security number was exposed.

Even though the breach occurred in September 2017, no reports have been received by Augusta University Health to suggest that any PII or PHI has been misused. However, as a precaution, all individuals affected have been advised to carefully monitor their account statements and Explanation of Benefits statements for any sign of fraudulent activity.

This is not the only phishing incident reported by Augusta University Health. In total, there have been four successful phishing attacks on Augusta University Health in the past two years. The previous two phishing attacks affected a total of approximately 10,300 individuals.


Lawmakers Accuse Oklahoma Department of Veteran Affairs of Violating HIPAA Rules

The Oklahoma Department of Veteran Affairs has been accused of violating Health Insurance Portability and Accountability Act (HIPAA) Rules by three Democrat lawmakers, who have also called for two top Oklahoma VA officials to be fired over the incident.

The alleged HIPAA violation occurred during a scheduled internet outage, during which VA medical aides were prevented from accessing veterans’ medical records. The outage had the potential to cause major disruption and prevent “hundreds” of veterans from being issued their medications. To avoid this, the Oklahoma Department of Veteran Affairs allowed medical aides to access electronic medical records using their personal smartphones.

In a letter to Oklahoma Governor Mary Fallin, Reps. Brian Renegar, Chuck Hoskin, and David Perryman called for the VA Executive Director Doug Elliot and the clinical compliance director Tina Williams to be fired over the alleged HIPAA violation.

They claimed Elliot and Williams “have little regard for, and knowledge of, health care,” and allowing medical aides to access electronic medical records via personal smartphones was “a direct violation of HIPAA” and potentially placed millions of dollars of federal funding in jeopardy.

State CISO Mark Gower is adamant that HIPAA Rules were not violated. He explained that only a limited number of medical aides were allowed to access electronic health records using their smartphones, and access was only granted for a limited period of time until the problem was resolved. When the issue was over, access to medical records via smartphones was blocked. It was just a case of temporarily swapping a laptop or desktop computer for a smartphone.

Gower explained that accessing medical records using a smartphone did not result in medical records being copied to the devices. The medical records system does not create a cache or store any information locally. Gower also said that the records system and the smartphones met the VA’s security requirements.

The three lawmakers do not believe Gower’s explanation and claim that during the outage, employees at all seven of the state’s care centers were allowed to copy medical records onto their personal cellphones.

Doug Elliot said the medical aides were “the best and brightest” and that it was “Unfathomable that any of the med aides have disclosed that information to a third party.” He also said it was “unconscionable” for the legislators to suggest that VA employees had violated HIPAA Rules and patient privacy.

While Elliot does not believe the allegations have any merit, they are being taken seriously. Elliot has reported the matter to the state’s IT security team which will be conducting a full investigation. The Office of Management and Enterprise Services, which oversees IT for state agencies, is also looking into the allegations.

The legislators are not happy with the matter being investigated by a state agency and believe that this incident can only be impartially investigated by the federal government. The legislators have also reported the matter to the Department of Health and Human Services, the Department of Veteran Affairs, and U.S. Attorney Robert Troester.

“The federal government’s going to be the one to determine this, not some state agency helping another state agency wash their hands of what they did,” said Rep. Renegar.


MedSpring Urgent Care Breach Impacts 13,034 Patients

MedSpring Urgent Care, a network of urgent care clinics in Atlanta, Chicago, Austin, Dallas, Fort Worth, and Houston, has discovered that an unauthorized individual gained access to an email account after an employee was duped by a phishing email.

The email account was compromised on May 8, 2018, but the security breach was not detected until May 17. Upon discovery of the breach, the email account was secured to prevent further unauthorized access, and a leading cybersecurity forensics firm was contracted to investigate the breach and assist with the breach response.

MedSpring discovered on May 22, 2018 that the attacker potentially gained access to the protected health information of patients through the emails and email attachments. The breach was limited to a single email account and no other systems were compromised.

A full review of all messages in the account was conducted to determine which patients had been affected and the types of information that had been exposed. MedSpring says the breach was limited to patients who had previously visited its urgent care clinics in Illinois.

The email account contained information such as names, medical record numbers, account numbers, dates of service, and other information related to the medical services provided to patients. The investigation did not uncover any evidence that emails in the account were viewed, and MedSpring has not been informed of any cases of misuse of patient information to date.

All patients potentially affected by the phishing attack have now been notified by mail and 12 months of complimentary credit monitoring, identity protection and fraud resolution services have been provided through Experian.

As is required under HIPAA Rules, the Department of Health and Human Services’ Office for Civil Rights has been notified about the breach. The breach report indicates 13,034 patients have been affected.


At Least 3.14 Million Healthcare Records Were Exposed in Q2, 2018

In total, there were 143 data breaches reported to the media or to the Department of Health and Human Services’ Office for Civil Rights (OCR) in Q2, 2018, and the healthcare records of at least 3,143,642 patients were exposed, impermissibly disclosed, or stolen. Almost three times as many healthcare records were exposed or stolen in Q2, 2018 as in Q1, 2018.

The figures come from the Q2 2018 Breach Barometer Report from Protenus. The data for the report came from OCR data breach reports, data collected and collated by Databreaches.net, and proprietary data collected through the Protenus compliance and analytics platform, which monitors the tens of trillions of EHR access attempts by its healthcare clients.

Q2 2018 Healthcare Data Breaches

Month    Data Breaches    Records Exposed
April    45               919,395
May      50               1,870,699
June     47               353,548

Q2, 2018 saw five of the top six breaches of 2018 reported. The largest breach reported – and largest breach of 2018 to date – was the 582,174-record breach at the California Department of Developmental Services – a burglary.

It is unclear whether any healthcare records were stolen in the breach, although data theft could not be ruled out. Many physical records were damaged by a fire started by the burglars, which activated the sprinkler system and caused water damage. Electronic equipment was taken, although it was encrypted.

The second largest data breach of 2018 was reported by MSK Group in May. The orthopedic group detected unauthorized access of parts of its network that contained the protected health information of 566,236 patients.

The third largest breach of 2018 involved the exposure and potential theft of 538,127 records from LifeBridge Health. Malware had been installed on a server on which billing information and medical records were stored.

The fifth and sixth largest breaches of the year to date were reported in June. Oklahoma State University Center for Health Sciences experienced a 279,865-record breach when its computer network was hacked and Med Associates, Inc., discovered a desktop computer had been hacked resulting in the exposure of 276,057 patients’ PHI.

The Threat from Within

Protenus has drawn attention to the threat from insider breaches and the importance of detecting privacy breaches promptly. When an employee accesses medical records without authorization, there is a 30% chance that the employee will violate patient privacy again within 3 months and a 66% chance they will do so again within 6 months. One of the main problems for hospitals is the time taken to investigate and respond to insider threats. On average, one investigator monitors the ePHI access attempts of 4,000 employees across an average of 2.5 hospitals – a significant burden.

Out of every 1,000 healthcare employees, Protenus determined that 9 will breach patient privacy, most commonly by snooping on the medical records of family members. In Q2, 2018, 71.4% of such breaches involved employees snooping on family members’ medical records.

30.99% of breaches (44) reported to the Office for Civil Rights in Q2 were insider breaches, and out of the 27 incidents for which details have been disclosed, the records of 421,180 patients were known to have been compromised. There were 25 incidents involving insider error and 18 incidents involving insider wrongdoing.

Healthcare Hacking Incidents Increased in Q2 2018

The biggest cause of healthcare data breaches in Q2, 2018 was hacking/IT incidents which accounted for 36.6% of all reported breaches in the quarter. There were 52 hacking/IT incidents reported in Q2, compared to 30 in Q1 – a 73% increase. Those breaches resulted in the exposure/theft of at least 2,065,813 healthcare records.

Details were available for 44 breaches: 10 were phishing-related, 7 involved ransomware or malware, and 1 involved another form of extortion.

There were 23 reported cases of theft of physical or electronic records and a further 23 breaches for which not enough information was available to categorize them. Overall, 84% of breaches involved electronic records and 16% involved paper records.

Healthcare providers were the worst hit with 76.37% of reported breaches, followed by health plans on 10.91%, business associates on 5.45%, and other entities on 7.27%.

The average time to discover a breach was 204 days and the median time was 18 days; detection times ranged from one day to 1,587 days. From the available data, the average time to disclose breaches to the Office for Civil Rights was 71 days and the median time was 59 days, against a maximum of 60 days permitted under HIPAA. California was the worst hit state with 20 incidents, followed by Texas with 13.

The Protenus Q2 2018 healthcare data breach report can be downloaded from Protenus as a PDF.
