HIPAA Breach News

The High Cost of SamSam Ransomware Attacks: $17 Million for the City of Atlanta

The SamSam ransomware attack on the City of Atlanta was initially expected to cost around $6 million to resolve, substantially more than the $51,000 ransom demand that was issued. However, city officials now believe the final cost could be around $11 million higher, according to a “confidential and privileged” document obtained by The Atlanta Journal-Constitution.

The attack has prompted a complete overhaul of the city’s software and systems, including system upgrades, new software, and the purchasing of new security services, computers, tablets, laptops, and mobile phones.

The Colorado Department of Transportation was also attacked with SamSam ransomware this year and was issued with a similar ransom demand. As with the City of Atlanta, the ransom was not paid. In its case, the cleanup is expected to cost around $2 million.

When faced with extensive disruption and a massive clean-up bill, it is no surprise that many victims choose to pay the ransom. New figures have now been released that confirm just how many victims have paid to recover their files and regain control of their computer systems.

223 SamSam Ransoms Paid: Almost $6 Million Generated

A recent analysis of the cryptocurrency wallets used by the threat actor behind SamSam ransomware has shown that 223 ransom payments have been made by victims in the two and a half years since the release of the first SamSam variant. The payments total almost $6 million, more than six times the amount previously thought to have been earned by the threat actor behind the attacks.

The figures come from Sophos, which recently teamed up with a leading cryptocurrency tracking firm to investigate the attacks.

It was initially thought that the attacks were primarily being conducted on healthcare organizations, educational institutions, and government agencies, although the recent analysis has shown that the private sector has attracted the majority of attacks. Healthcare organizations are obliged to report the attacks under HIPAA Rules, which is why it appeared that they were extensively targeted.

26% of all attacks have been on healthcare firms. The majority of attacks have been on private companies and have not been reported; many attacked firms have chosen to quietly pay the ransom demand.

No Sign of SamSam Ransomware Attacks Slowing Down

Several cybersecurity firms have reported a slowdown in ransomware attacks as threat actors switch to spreading cryptocurrency mining malware due to the higher potential for profits. However, there has not been any slowdown in SamSam ransomware attacks.

On average, one SamSam ransomware attack is conducted a day and the attacks have a high success rate. With ransom demands of around $50,000 issued for each infection, and an average of $187,500 earned each month, it is unlikely that the attacks will stop any time soon.

SamSam ransomware infections do not occur via spam or phishing emails. Instead, companies are attacked through the exploitation of vulnerabilities and, more recently, through brute force attacks on Remote Desktop Protocol (RDP) connections.

Once access to the network is gained, the attacker manually moves laterally using standard administration tools rather than NSA exploits. The malicious payload is deployed on as many computers and servers as possible before the encryption routine is started. The attacks tend to take place at night, when there is less chance of them being detected and blocked.

This quiet, stealthy method of attack ensures a high rate of success compared to noisy spam-delivered campaigns. Sophos believes the attacks are the work of a single individual.

How to Block SamSam Ransomware Attacks

Vulnerability scans and penetration testing can help to identify vulnerabilities before they are exploited, and prompt patching is essential. Multi-factor authentication should be implemented, intrusion detection systems deployed and correctly configured, access logs routinely checked, admin privileges limited, and regular backups made with at least one copy stored off-site and offline.

Access to RDP needs to be restricted, and remote connections should ideally only be made through VPNs, which also need to be kept up to date. If RDP is not required, it should be disabled.

If RDP is enabled, rate limiting should be used to lock out accounts after a set number of failed attempts, blocking brute force attempts to gain access. Good password hygiene is naturally also important: default passwords should be changed, strong passwords or passphrases used, and passwords changed at regular intervals.

It is also wise to move RDP connections off the standard TCP/3389 port, and it is similarly advisable not to expose RDP connections directly to the internet.
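The "check access logs" and "lock out after a set number of failed attempts" advice above can be turned into a concrete detection. The following is an added example, not code from HIPAA Journal or Sophos: it scans failed-logon events for RDP brute force and password spraying from a single source. The event records are constructed for this demonstration; the Event ID 4625 (failed logon) and Logon Type 10 (RemoteInteractive, i.e. RDP) values are the real Windows Security log values, while the threshold and window are assumed tuning parameters and would normally match the account lockout policy.

```python
"""Detect RDP brute-force activity from Windows Security failed-logon events.

Added example. The records below are constructed stand-ins for Event ID 4625
("An account failed to log on") entries with Logon Type 10 (RemoteInteractive,
i.e. RDP). Field order: (timestamp, event_id, logon_type, target_user, source_ip).
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGON = 4625      # real Windows Security event ID
RDP_LOGON_TYPE = 10      # real LogonType value for RemoteInteractive (RDP)

# Constructed sample events (not real log data). Note the night-time burst from
# one source cycling through account names, a single typo by a legitimate user,
# a successful logon (4624) and a non-RDP network logon (type 3).
SAMPLE_EVENTS = [
    ("2018-07-25T02:14:01", 4625, 10, "administrator", "198.51.100.23"),
    ("2018-07-25T02:14:03", 4625, 10, "administrator", "198.51.100.23"),
    ("2018-07-25T02:14:05", 4625, 10, "admin",         "198.51.100.23"),
    ("2018-07-25T02:14:06", 4625, 10, "backup",        "198.51.100.23"),
    ("2018-07-25T02:14:08", 4625, 10, "sqlsvc",        "198.51.100.23"),
    ("2018-07-25T02:14:09", 4625, 10, "helpdesk",      "198.51.100.23"),
    ("2018-07-25T08:05:00", 4625, 10, "jsmith",        "10.0.0.44"),
    ("2018-07-25T08:05:30", 4624, 10, "jsmith",        "10.0.0.44"),
    ("2018-07-25T09:00:00", 4625, 3,  "svc_print",     "10.0.0.90"),
]


def detect_rdp_bruteforce(events, threshold=5, window_minutes=10):
    """Return {source_ip: summary} for every source that produces more than
    `threshold` failed RDP logons inside any sliding `window_minutes` window.

    `threshold` is an assumed value; in practice it mirrors the account lockout
    threshold so that the alert fires when the lockout policy should have.
    The summary distinguishes password spraying (many distinct accounts) from
    repeated guessing against one or two accounts.
    """
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)      # source_ip -> deque of (timestamp, user)
    alerts = {}
    for ts_str, event_id, logon_type, user, ip in sorted(events):
        if event_id != FAILED_LOGON or logon_type != RDP_LOGON_TYPE:
            continue                 # only failed RDP logons are of interest
        ts = datetime.fromisoformat(ts_str)
        q = recent[ip]
        q.append((ts, user))
        while q and ts - q[0][0] > window:
            q.popleft()              # drop failures that fell out of the window
        if len(q) > threshold:
            distinct_users = len({u for _, u in q})
            alerts[ip] = {
                "failures": len(q),
                "distinct_users": distinct_users,
                "first_seen": q[0][0].isoformat(),
                "last_seen": ts.isoformat(),
                "pattern": "password spraying" if distinct_users >= 3
                           else "single-account guessing",
            }
    return alerts


if __name__ == "__main__":
    for ip, summary in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(f"ALERT {ip}: {summary['failures']} failed RDP logons against "
              f"{summary['distinct_users']} accounts ({summary['pattern']}) "
              f"between {summary['first_seen']} and {summary['last_seen']}")
```

The single failed attempt from 10.0.0.44 followed by a successful logon is the normal "mistyped password" case and produces no alert, which is the behaviour a lockout threshold is meant to preserve. In a real deployment the events would come from the Security log (exported via `wevtutil` or a SIEM) rather than the constructed list, and an alert from an internet-facing address is itself evidence that RDP is exposed contrary to the guidance above.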

Sophos notes that the nature of SamSam ransomware attacks means that simply backing up files is not enough to ensure a quick recovery. SamSam ransomware encrypts not only data files but also application configuration files, so even if the data files are restored, it is likely that applications will fail to work.

The only way of ensuring a full recovery apart from paying the ransom is to rebuild affected machines. It is therefore important that companies have a plan for such an eventuality if they are to avoid having to pay the ransom.

The post The High Cost of SamSam Ransomware Attacks: $17 Million for the City of Atlanta appeared first on HIPAA Journal.

Protected Health Information of Three Hundred Thousand SSM Health Patients Exposed

SSM Health St. Mary’s Hospital in Jefferson City, Missouri is informing hundreds of thousands of patients that some of their protected health information has been left unprotected and could potentially have been viewed by unauthorized individuals.

On November 16, 2014, St. Mary’s Hospital moved to new premises. All patients’ medical records were transferred to the new facility and were secured at all times. However, on June 1, 2018, the hospital discovered that many documents containing protected health information had been left behind.

The documents were mostly administrative and operational supporting documents and contained only a limited amount of protected health information. For the majority of patients, the only information that was exposed was their name and medical record number. Some patients also had some clinical data, demographic information, and financial information exposed.

Due to the number of documents involved, the hospital has retained a document services firm to catalogue all the documents and determine which patients have had some of their PHI exposed. It has taken some time for that process to be completed and for St. Mary’s to be provided with a reliable figure of the number of patients affected. The breach report submitted to the Department of Health and Human Services Office for Civil Rights indicates 301,000 patients have had some of their PHI exposed.

Security safeguards and deterrents were in place at the old facility. After investigating, however, SSM Health determined that those safeguards were insufficient to ensure the security of patient information, and that it was not possible to say with absolute confidence that the documents were not viewed by unauthorized individuals during the three and a half years in which they were inadequately protected.

While the incident constitutes a data breach and warrants notifications to be sent to patients, SSM Health does not believe patients face a significant risk of misuse of their information due to the limited amount of PHI that was exposed and the age of the data.

The hospital has now taken steps to ensure that further privacy breaches do not occur, including reviewing and revising its policies and procedures for record storage, retention, and destruction.

Hacktivist Convicted for DDoS Attack on Children’s Mercy Hospital

A hacktivist who conducted a Distributed Denial of Service (DDoS) attack on Boston’s Children’s Mercy Hospital in 2014 has been convicted on two counts – conspiracy to intentionally damage protected computers and damaging protected computers – by a jury in the U.S. District Court in Boston.

Martin Gottesfeld, 32, of Somerville, MA, conducted the DDoS attacks in March and April of 2014. He first conducted a DDoS attack on Wayside Youth and Family Support Network in Framingham, MA. The attack crippled its systems and took them out of action for more than a week. The attack cost the healthcare facility $18,000 to resolve.

Following that attack, Gottesfeld conducted a much larger attack on Boston Children’s Hospital using 40,000 malware-infected network routers that he controlled from his home computer. The attack was planned for a week and occurred on April 19, 2014.

Such was the scale of the attack that the hospital and several others in the Longwood medical area were knocked off the internet. 65,000 IP addresses used by the hospital and other healthcare facilities in the area were rendered unavailable for legitimate communications. The attack affected the hospitals’ ability to communicate, use the internet, and even provide care to certain patients.

The attack disrupted operations at Boston Children’s Hospital for two weeks and cost an estimated $300,000. A further $300,000 was lost in donations, as its fundraising portal was also taken offline as a result of the attack.

Gottesfeld claimed he conducted the DDoS attacks on behalf of the hacktivist group Anonymous in response to the way the hospital had behaved over a child custody case.

The custody case in question received national media attention and resulted in the parents of Connecticut teenager Justina Pelletier losing custody of their daughter. Children’s Mercy Hospital alleged Justina’s parents were medically abusing their daughter and custody was passed over to the commonwealth of Massachusetts.

Justina was receiving treatment for mitochondrial disease at Boston’s New England Medical Center but was transferred to Children’s Mercy Hospital where she was diagnosed as having somatoform disorder. Justina’s parents disagreed with the diagnosis and attempted to get their daughter discharged. The hospital refused, and in the subsequent legal battle, Justina’s parents lost custody of their child.

Gottesfeld was suspected of conducting the DDoS attacks, and his home was searched by federal law enforcement officers in October 2014. Several servers, computers, and hard drives were seized, although Gottesfeld was not charged at the time.

Gottesfeld went missing in February 2016 but was found after getting into difficulty when sailing in a small boat. He was rescued off the coast of Cuba by a passing cruise ship and was arrested when the cruise ship docked in Miami. The FBI claimed Gottesfeld was attempting to flee the United States.

Gottesfeld will be sentenced on Nov. 14, 2018 and potentially faces a fine of up to $500,000, plus restitution, and up to 15 years in jail – a maximum of 5 years for the conspiracy charge and up to 10 years for the criminal damage charge – with a further 3 years of supervised release.

Phishing Attack, Lost Devices, and System Error Exposed PHI of 9,400 Patients

A round-up of data breaches recently disclosed to the media and the Department of Health and Human Services’ Office for Civil Rights.

System Error Exposed Data at Pennsylvania Department of Human Services

The Pennsylvania Department of Human Services has discovered that a system error in its Compass system allowed certain individuals to view the protected health information of others who, at some point, were part of the same benefit household but are now part of a different active case record.

The types of information that could have been viewed included names, citizenship, date of birth, and all information reported about employment, although not Social Security numbers. No reports have been received to date to suggest any of the information was accessed and misused. The system glitch was detected on May 23, 2018 and has now been corrected. All 2,130 individuals potentially impacted have been notified of the breach by mail.

Lost Laptop Exposes PHI of Ambercare Patients

The Ambercare Corporation, a provider of hospice and home care services in New Mexico, has announced that an unencrypted laptop computer containing the protected health information of 2,284 patients has been lost and possibly stolen.

The laptop, which had been issued to an Ambercare employee, was discovered to be missing on May 30, 2018. The laptop was password-protected, but not encrypted. The protected health information stored on the device was required by the employee to perform work functions and included names, addresses, dates of birth, diagnostic information, clinical information, and Social Security numbers.

The loss/theft has been reported to law enforcement and employees have received further training on physical security. Since Social Security numbers were exposed, affected patients have been offered complimentary credit monitoring services through Experian for 12 months.

Email Account Compromise Discovered by San Francisco Institute on Aging

The San Francisco, CA-based Institute on Aging has discovered that an unauthorized individual gained access to the email accounts of some of its employees. The breach was discovered on May 28, 2018, although it is currently unclear for how long the email accounts were compromised.

The Institute on Aging employed expert data security response professionals to secure its systems and manage the breach response. Messages in the compromised email accounts were checked and found to contain the protected health information of 3,907 patients. Information contained in emails and email attachments included the names of patients and employees along with email addresses, birth dates, financial records, diagnoses, treatment information, and medical payment information.

Affected individuals were notified on July 20 and were offered 12 months of credit monitoring and identity theft protection services without charge.

Lost Laptop Sees PHI of Rocky Mountain Health Care Services Patients Exposed

Colorado Springs-based Rocky Mountain Health Care Services has discovered that an unencrypted laptop computer issued to an employee has been stolen. The laptop contained the protected health information of 1,087 patients.

The laptop computer was stolen on May 15, 2018, prompting an immediate investigation to determine the types of information stored on the device. The investigation determined the breach was limited to names, addresses, birth dates, Social Security numbers, diagnoses, treatment plans, and prescription information. Affected individuals have been offered credit monitoring and identity theft restoration services for 12 months without charge.

This is the third laptop theft experienced by Rocky Mountain Health Care Services in the past 12 months. A laptop was discovered to have been stolen on September 28, 2017 and a mobile phone and laptop were discovered to have been stolen on June 18, 2017.

Rocky Mountain Health Care Services has now reviewed its policies and procedures on information security, has incorporated mobile device security controls, and is now encrypting data on all company laptops.

Email Account Compromises Continue Relentless Rise

There has been a steady rise in the number of reported email data breaches over the past year. According to the July edition of the Beazley Breach Insights Report, email compromises accounted for 23% of all breaches reported to Beazley Breach Response (BBR) Services in Q2, 2018.

In Q2, 2018 there were 184 reported cases of email compromises, an increase from the 173 in Q1, 2018 and 120 in Q4, 2017. There were 45 such breaches in Q1, 2017, and each quarter has seen the number of email compromise breaches increase.

In Q2, 2018, the email account compromises were broadly distributed across a range of industry sectors, although the healthcare industry experienced more than its fair share.

Healthcare email accounts often contain a treasure trove of sensitive data that can be used for identity theft, medical identity theft, and other types of fraud. The accounts can contain the protected health information of thousands of patients. The recently discovered phishing attack on Boys Town National Research Hospital resulted in the attackers gaining access to the PHI of more than 105,000 patients.

Email Accounts Used for Further Attacks on an Organization

If hackers gain access to an email account, not only do they have access to the data stored in that mailbox, the account provides the hacker with a platform for conducting further attacks. The email account can be used to send messages to other employees, and since the messages are sent internally, they are unlikely to be flagged as malicious by email security solutions.

These internal emails are carefully crafted based on information gathered from the compromised mailbox. Rather than just sending a standard phishing email from the compromised account to other employees, targets are identified through reconnaissance, the account holder’s message style is copied, and messages are crafted based on past conversations between the account holder and the targets. This allows the attacker to conduct highly convincing spear phishing campaigns that are much more likely to be successful.

Once access to a single account is gained, it is difficult to prevent further email accounts from being compromised, although it is relatively easy to prevent the initial attack. Spam filtering solutions are a must, as they will block the vast majority of malicious messages and prevent them from reaching inboxes. Security awareness training is also essential for preparing employees for attacks and training them how to recognize phishing emails and other email threats. If two-factor authentication is used, an additional form of authentication is required in order for the account to be accessed remotely.

Beazley notes that organizations that use Office 365 are more susceptible to email account compromises. Microsoft’s PowerShell is often abused to log in to email accounts for reconnaissance, and if an email account with the right administrative privileges is compromised, the attacker could potentially search every single inbox in the organization.

Beazley also recommends preventing third-party applications from accessing Office 365, as this can reduce the potential for PowerShell to be used for reconnaissance.

The High Cost of Email Account Compromises

BBR Services often discovers that organizations are only aware of half the inboxes that are compromised in an attack, and that it is not uncommon for hundreds of inboxes to have been compromised in a single phishing campaign.

These breaches can be extremely costly to resolve, as each message must be checked to determine whether it contains PII or PHI. Even a small-scale email breach may cost $100,000 to resolve, while larger breaches can easily cost in excess of $2 million. “Business email compromise attacks are among the more expensive data breaches we see,” said Katherine Keefe, head of BBR Services.

A case study was included in the report detailing the high cost of healthcare phishing attacks. An employee received a phishing email with a link to a website that appeared official, which required that person to enter their email account credentials. That gave the attacker access to that individual’s email account, which was then used in further attacks on the organization.

A forensic investigation revealed the attacker gained access to 20 email accounts and that the method used would have allowed all 20 of those mailboxes to be downloaded. The messages were programmatically searched for PHI, although 350,000 documents in the email accounts could not be searched that way and required a manual check. Paying a vendor to search those documents cost $800,000. A further $150,000 was spent on notifications and credit monitoring services.

Main Causes of Data Breaches in Q2, 2018

Across all industry sectors, the main causes of data breaches were hacks and malware attacks (39%) and accidental disclosures (22%). Even though the number of email attacks increased, hacks and malware attacks decreased by 3% compared to Q1, 2018. The decline was attributed to a fall in ransomware attacks.

The Beazley report shows the main cause of healthcare data breaches was accidental disclosures, which accounted for 38% of all breaches reported to BBR Services in Q2, 2018. That represents an increase of 29% since Q1, 2018. Hacking and malware attacks accounted for 26% of healthcare data breaches. 14% of breaches were insider incidents, 7% involved loss of physical PHI, 6% were due to the loss/theft of portable devices and 4% were due to social engineering attacks.

Orlando Orthopaedic Center Suffers 19,000-Record Breach Due to Business Associate Error

An error made by a transcription service provider during a software upgrade on a server has resulted in the exposure of more than 19,000 patients’ protected health information (PHI).

Patients affected by the breach had received medical services at Orlando Orthopaedic Center clinics in Orlando, Florida prior to January 2018.

The software upgrade took place in December 2017 and throughout the month, PHI stored on the server became accessible over the Internet without any need for authentication. Orlando Orthopaedic Center only became aware of the exposure of patients’ PHI in February 2018.

The discovery of the breach prompted a full investigation, which revealed names, dates of birth, insurance information, employer details, and treatment types were accessible. A limited number of patients also had their Social Security numbers exposed.

It is unclear whether any PHI was accessed by unauthorized individuals during the time that the protections were removed. Orlando Orthopaedic Center said it has not received any reports from patients that indicate PHI has been misused and no evidence of unauthorized access or data theft has been uncovered; however, data theft and unauthorized access could not be ruled out.

Credit monitoring and identity theft protection services have been offered to all patients whose Social Security number was exposed. All patients have been advised to monitor their accounts and Explanation of Benefits Statements for any sign of fraudulent use of their PHI and have now been notified of the breach by mail.

Orlando Orthopaedic Center stated in a news release that its vendor has corrected the issue and all PHI has been secured. Ongoing cybersecurity awareness training is provided to all Orlando Orthopaedic Center staff, and its own security solutions are regularly updated to ensure all PHI stored on its servers and endpoints remains secure.

The breach report submitted to the Department of Health and Human Services’ Office for Civil Rights on July 20, 2018 indicates 19,101 patients had their PHI exposed.

It is unclear why it took 5 months from the discovery of the breach to issuing notifications and informing OCR when HIPAA requires notifications to be issued within 60 days of the discovery of a breach.

1.4 Million Patients Warned About UnityPoint Health Phishing Attack

A massive UnityPoint Health phishing attack has been reported, one in which the protected health information of 1.4 million patients has potentially been obtained by hackers.

This phishing incident is the largest healthcare data breach of 2018 by some distance, involving more than twice the number of healthcare records as the California Department of Developmental Services data breach reported in April and the LifeBridge Health breach reported in May.

This is also the largest phishing incident to be reported by a healthcare provider since the HHS’ Office for Civil Rights (OCR) started publishing data breaches in 2009 and the largest healthcare breach since the 3,466,120-record breach reported by Newkirk Products, Inc., in August 2016.

Email Impersonation Attack Fools Several Employees into Disclosing Login Credentials

The UnityPoint Health phishing attack was detected on May 31, 2018. The forensic investigation revealed multiple email accounts had been compromised between March 14 and April 3, 2018 as a result of employees being fooled by email impersonation scams.

Business email compromise scams involve hackers gaining access to the email account of a senior executive and using that account to send internal emails to try to obtain sensitive data such as W-2 Forms or to convince employees to make fraudulent wire transfers. However, access to an executive’s email account is not always necessary. If the attackers spoof an executive’s email address, that may be sufficient to fool employees into responding.

That is what appears to have happened in the UnityPoint Health phishing attack. A trusted executive’s email account was spoofed and several employees responded to the messages and disclosed their email credentials.

UnityPoint Health investigated the breach with assistance provided by a third-party digital forensics firm. The investigation suggested the primary purpose of the attack was to divert vendor payments and payroll funds to accounts controlled by criminals.

An analysis of the compromised email accounts revealed they contained a wide range of protected health information in the body of messages and attachments. That information could have been accessed by the hackers and downloaded.

The types of information exposed varied patient to patient, but may have included names, addresses, birth dates, medical record numbers, diagnosis information, treatment information, lab test results, health insurance information, surgical information, provider names, dates of service, driver’s license numbers, Social Security numbers and, for a limited number of patients, financial information such as credit card numbers.

A year of credit monitoring services has been offered to affected patients whose Social Security number, driver’s license number, or financial information was exposed. UnityPoint Health says it has not received any reports of PHI misuse to date.

Second Major UnityPoint Health Phishing Attack to Be Detected in 2018

This is not the first UnityPoint Health phishing attack to be reported in 2018. In April, UnityPoint Health announced it had discovered several email accounts had been compromised resulting in the exposure of 16,400 patients’ PHI. Unauthorized individuals gained access to employees’ email accounts between November 1, 2017 and February 7, 2018. In response to that attack, UnityPoint Health said it had strengthened security controls to prevent further attacks. Whatever additional controls had been implemented clearly were not effective at protecting against email impersonation attacks.

The latest breach has prompted UnityPoint Health to implement further security controls, including two-factor authentication on employees’ email accounts and additional technological controls to detect suspicious emails from external sources. Further training has also been conducted to help employees recognize phishing attempts.

When multiple data breaches are reported by a healthcare provider, especially breaches that involve large numbers of patient records, the Department of Health and Human Services’ Office for Civil Rights takes a keen interest. An investigation into these phishing attacks is likely, with UnityPoint Health’s security controls and security awareness training programs likely to be carefully scrutinized for evidence of compliance failures.

Even without fines for non-compliance, data breaches on this scale can prove incredibly costly. Recently, the Ponemon Institute/IBM Security released the results of its 2018 Cost of a Data Breach Study. This year’s study showed the average cost of a data breach has risen to $3.86 million for a breach of up to 100,000 records. The healthcare industry has the highest breach costs at an average of $408 per record.

For the first time, the study investigated the cost of ‘mega’ data breaches – those that involve the exposure of more than 1 million records. The cost of resolving these mega data breaches was estimated to be $40 million when more than 1 million records have been exposed.

Confluence Health Informs Patients of Phishing Incident

Confluence Health, a not-for-profit health system that operates Central Washington Hospital, Wenatchee Valley Hospital and a dozen satellite clinics in Central and North Central Washington, has experienced a data security incident involving an employee’s email account that may have resulted in unauthorized accessing of patients’ protected health information.

The security breach was discovered on May 29, 2018. A digital forensics firm was called in to conduct an investigation, which revealed the email account had been accessed by an unauthorized individual on May 28 and May 30, 2018.

The email account only contained a limited amount of protected health information and no highly sensitive data such as Social Security numbers or financial information was exposed. Patients impacted by the incident have had information such as their names and treatment information exposed.

Confluence Health had multiple security solutions in place to prevent unauthorized account access and staff had received security awareness training, yet those measures were bypassed by the attacker.

While PHI access was possible, the investigation uncovered no evidence to suggest that PHI had been stolen and no reports have been received by Confluence Health to suggest there has been any misuse of PHI.

Patients affected by the breach have been notified by mail, and additional safeguards have now been implemented to improve the security of Confluence Health’s email system and ensure that any suspicious email and network activity is detected more rapidly in the future.

The breach has been reported to the Department of Health and Human Services Office for Civil Rights, although the number of patients impacted by the incident has not yet been publicly disclosed.

The incident is the latest in a spate of phishing attacks on healthcare organizations. In the past two months, phishing incidents have been reported by Sunspire Health in New Jersey, The Alive Hospice in Tennessee, the Terteling Co., Inc., Group Benefit Plan in Idaho, and Boys Town National Research Hospital. The latter incident was the eighth largest breach of 2018 and the largest breach at a pediatric hospital. The incident impacted more than 105,300 patients.

Lane County Health and Human Services and New England Dermatology Alert Patients to PHI Exposure

The medical records of more than 17,000 patients have been exposed in two recent incidents in Oregon and Massachusetts.

Lane County Health and Human Services Alerts Patients to Loss of PHI

Lane County Health and Human Services in Oregon is notifying more than 700 patients that some of their protected health information has been lost and has potentially been destroyed.

49 boxes containing patient files were moved to a temporary storage facility while the Charnelton Clinic in Eugene was being renovated. During a routine search on June 19, the boxes of files were discovered to be missing from the storage facility.

Multiple teams conducted further searches for the missing boxes but they could not be located. Lane County Health and Human Services suspects the boxes of files have been destroyed along with other paperwork as part of its normal document management practice for non-medical records. However, it has not been possible to confirm whether that was definitely the case.

The files contained information such as patients’ full names, addresses, telephone numbers, medical histories and Social Security numbers. 566 files related to patients of Community Health Centers in Lane County, and 149 files were Lane County Developmental Disabilities client files.

Patients have been notified about the breach and an offer has been made to reimburse patients for 6 months’ membership of an accredited credit monitoring service. Lane County Health and Human Services has reviewed its record storage policies and procedures and has now obtained specialized, secure medical records storage services to ensure that similar breaches are prevented in the future.

16,154 Patients of New England Dermatology Informed of Possible Exposure of PHI

16,154 patients of New England Dermatology have been informed that some of their PHI may have been disposed of incorrectly.

Boxes of paper records were disposed of without the records first being rendered unreadable and undecipherable, as is required by HIPAA. Normally, paper records containing patients’ protected health information are shredded prior to disposal. In this case, New England Dermatology believes that the records were collected by its waste contractor before they were shredded.

New England Dermatology was not able to determine exactly what records were disposed of insecurely, so as a precaution, all patients who had visited its Northampton office between June 10, 2013 and May 23, 2018 have been notified about the potential exposure of their PHI.

The paperwork contained information such as names, mailing addresses, and health information recorded during visits to the office. Highly sensitive information such as bank account details, credit and debit card information, medical insurance details, and Social Security numbers were not exposed at any point.

New England Dermatology has since updated its waste disposal policies to prevent similar incidents from occurring in the future and further training has been provided to employees and its contractors.