HIPAA Breach News

August 2018 Healthcare Data Breach Report

August was a much better month for the healthcare industry with fewer data breaches reported than in July. In August, 28 healthcare data breaches were reported to the HHS’ Office for Civil Rights, a 17.86% month-over-month reduction in data breaches.

Healthcare Data Breaches by Month

There was also a major reduction in the number of healthcare records that were exposed or stolen. In August, 623,688 healthcare records were exposed or stolen, a 72.79% reduction from July, when 2,292,522 healthcare records were breached.

Healthcare Records Exposed by Month

Causes of Healthcare Data Breaches in August 2018

Hacking incidents dominated the breach reports in August, accounting for 53.57% of all reported data breaches and 95.73% of all records exposed or disclosed in August. Eight of the top ten breaches were the result of hacks, malware, or ransomware attacks.

Causes of Healthcare Data Breaches in August 2018

Insider breaches are a major problem in the healthcare industry, more so than in other verticals. In August there were nine insider breaches, 32.14% of the healthcare data breaches reported that month. Those breaches involved the unauthorized access or impermissible disclosure of 18,488 healthcare records, 2.96% of the monthly total.

There were two breaches involving the loss of PHI: one case of lost physical records and one lost portable electronic device containing electronic protected health information. The two theft incidents in August both involved paper records.

Largest Healthcare Data Breaches in August 2018

Name of Covered Entity                      Covered Entity Type   Individuals Affected   Type of Breach
AU Medical Center, INC                      Healthcare Provider   417,000                Hacking/IT Incident
Fetal Diagnostic Institute of the Pacific   Healthcare Provider   40,800                 Hacking/IT Incident
Legacy Health                               Healthcare Provider   38,000                 Hacking/IT Incident
Acadiana Computer Systems, Inc.             Business Associate    31,151                 Hacking/IT Incident
Carpenters Benefit Funds of Philadelphia    Health Plan           20,015                 Hacking/IT Incident
University Medical Center Physicians        Healthcare Provider   18,500                 Hacking/IT Incident
Simon Orthodontics                          Healthcare Provider   15,129                 Hacking/IT Incident
Wells Pharmacy Network                      Healthcare Provider   10,000                 Unauthorized Access/Disclosure
St. Joseph’s Medical Center                 Healthcare Provider   4,984                  Loss
Central Colorado Dermatology, PC            Healthcare Provider   4,065                  Hacking/IT Incident

Location of Breached PHI

Email-related data breaches continue to dominate the healthcare data breach reports. Fourteen more email-related data breaches were reported in August, the majority of which saw email accounts accessed by unauthorized individuals after healthcare employees fell for phishing emails. Phishing attacks on healthcare providers are being reported regularly, highlighting just how important it is for healthcare organizations to provide ongoing security awareness training so that employees have the skills they need to identify phishing attempts.
There were six incidents involving PHI stored on network servers in August, including two confirmed ransomware attacks. There were five breaches involving paper records.
Location of Breached PHI in August 2018 Healthcare Data Breaches

August Data Breaches by Covered Entity Type

Healthcare providers experienced the lion’s share of data breaches in August with 21 reported breaches. There were two health plan breaches and business associates of HIPAA-covered entities reported 5 breaches, with one further breach having some business associate involvement.


August Healthcare Data Breaches by State

Healthcare organizations based in 19 states experienced data breaches in August. While California and Texas usually top the list for data breaches due to the number of healthcare organizations based in those states, atypically, in August Oregon was the worst affected state with four breaches reported.

California and Florida each had three breaches reported, Colorado and Texas had two, and there was one breach reported in each of Arizona, Georgia, Hawaii, Illinois, Indiana, Louisiana, Maryland, Michigan, Nevada, New York, Ohio, Pennsylvania, Tennessee, and Virginia.

HIPAA Enforcement Actions in August

In 2016 and 2017, the HHS’ Office for Civil Rights took a hard line on enforcement of HIPAA Rules, agreeing 21 settlements with HIPAA-covered entities and issuing two civil monetary penalties. Only three financial penalties (two settlements and one civil monetary penalty) had been imposed by OCR in 2018 up to the end of August, and no further fines or settlements were announced during the month. While OCR enforcement activity appears to have slowed, that is not the case with state attorneys general, in particular New York. The New York attorney general’s office had agreed two settlements with HIPAA-covered entities earlier in 2018, and a third was agreed in August.

The Arc of Erie County resolved violations of HIPAA Rules and state laws by paying a penalty of $200,000 to the New York attorney general’s office following the exposure of 3,751 individuals’ PHI. The PHI had been uploaded to a website and could be accessed without authentication.

The post August 2018 Healthcare Data Breach Report appeared first on HIPAA Journal.

$999,000 in HIPAA Penalties for Three Hospitals for Boston Med HIPAA Violations

Three hospitals that allowed an ABC film crew to record footage of patients as part of the Boston Med TV series have been fined $999,000 by the Department of Health and Human Services’ Office for Civil Rights (OCR) for violating Health Insurance Portability and Accountability Act (HIPAA) Rules.

This is the second HIPAA violation case investigated by OCR related to the Boston Med TV series. On April 16, 2016, New York Presbyterian Hospital settled its HIPAA violation case with OCR for $2.2 million to resolve the impermissible disclosure of PHI to the ABC film crew during the recording of the series and for failing to obtain consent from patients.

Fines for Boston Medical Center, Brigham and Women’s Hospital, & Massachusetts General Hospital

Boston Medical Center (BMC) settled its HIPAA violations with OCR for $100,000. OCR investigators determined that BMC had impermissibly disclosed the PHI of patients to ABC employees during production and filming of the TV series, violating 45 C.F.R. § 164.502(a).

Brigham and Women’s Hospital (BWH) settled its HIPAA violations with OCR for $384,000. BWH allowed an ABC film crew to record footage between October 2014 and January 2015. Prior to filming, BWH conducted a review of patient privacy issues and provided the ABC film crew with HIPAA privacy training, the same training that was provided to its workforce. BWH also obtained written authorizations from patients. However, OCR determined that despite those measures, HIPAA Rules were still violated. In the resolution agreement, OCR wrote, “Based on the timing of when BWH received some written patient authorizations, BWH impermissibly disclosed the PHI of patients to ABC employees,” in violation of 45 C.F.R. § 164.502(a). BWH also failed to reasonably safeguard the PHI of patients, a violation of 45 C.F.R. § 164.530(c).

Massachusetts General Hospital (MGH) settled its HIPAA violations with OCR for $515,000. The hospital similarly allowed a film crew to record footage between October 2014 and January 2015. A review of patient privacy issues was also conducted, and the film crew was provided with the same HIPAA privacy training that MGH provides to its employees.

As was the case with BWH, OCR determined that 45 C.F.R. § 164.502(a) was violated because authorizations were received after an impermissible disclosure had already occurred, and that MGH failed to appropriately and reasonably safeguard patients’ PHI from disclosure during the filming of the series, in violation of 45 C.F.R. § 164.530(c).

In addition to covering the financial penalty, each of the three hospitals must adopt a corrective action plan which includes providing further training to staff on the allowable uses and disclosures of PHI to film and media.

“Patients in hospitals expect to encounter doctors and nurses when getting treatment, not film crews recording them at their most private and vulnerable moments,” said Roger Severino, OCR director. “Hospitals must get authorization from patients before allowing strangers to have access to patients and their medical information.”

HIPAA Enforcement in 2018

OCR had a record year for HIPAA penalties in 2016 when it agreed 12 settlements to resolve HIPAA violations and issued one civil monetary penalty. 2017 saw 9 settlements reached with HIPAA-covered entities and one civil monetary penalty issued.

2018 has seen a reduction in financial penalties for HIPAA violations, with only three penalties issued prior to the September 20, 2018 announcement. These latest three settlements bring the total number of OCR HIPAA violation penalties for the year up to six.

HIPAA Penalties and Settlements Agreed with OCR in 2018

Entity                                          Penalty      Penalty Type             Reason for Penalty
Boston Medical Center                           $100,000     Settlement               Filming patients without consent
Brigham and Women’s Hospital                    $384,000     Settlement               Filming patients without consent
Massachusetts General Hospital                  $515,000     Settlement               Filming patients without consent
University of Texas MD Anderson Cancer Center   $4,348,000   Civil Monetary Penalty   Lack of encryption and impermissible disclosure of ePHI
Filefax, Inc.                                   $100,000     Settlement               Impermissible disclosure of PHI
Fresenius Medical Care North America            $3,500,000   Settlement               Multiple HIPAA violations


HIPAA Settlements with State Attorneys General in 2018

In addition to the penalties issued by OCR, there have been four settlements reached between HIPAA covered entities and state attorneys general in 2018.

State        Covered Entity         Amount       Reason for Penalty
New York     Arc of Erie County     $200,000     Online exposure of PHI
New Jersey   Virtua Medical Group   $417,816     Online exposure of PHI
New York     EmblemHealth           $575,000     Exposure of PHI in mailing
New York     Aetna                  $1,150,000   Exposure of PHI in mailing

Phishing Attack on Ohio Living Exposed PHI of 6,500 Individuals

Ohio Living, a provider of life plan communities and home health services in Ohio, has discovered an unauthorized individual has gained access to the email accounts of some of its employees.

Ohio Living detected suspicious activity related to an employee’s email account on July 10, 2018. An investigation was immediately launched, and a third-party computer forensics expert was hired to investigate the breach and determine how access to the account was gained. On July 19, 2018, Ohio Living was informed that several email accounts had been compromised on July 10 and that those accounts had been accessed by an unauthorized individual.

It was not possible to determine whether any emails were opened or if any emails were downloaded by the attacker. A review of the compromised accounts revealed they contained the protected health information of 6,510 individuals.

Upon discovery of the breach, passwords were reset on all accounts known to have been compromised and a full password reset was performed on all other employees’ email accounts. Ohio Living has also provided further training to its employees to improve security awareness and prevent further email breaches in the future.

Ohio Living was informed on September 4, 2018, that the emails contained names, contact information, financial information, Social Security numbers, birth dates, medical record numbers, Patient ID numbers, clinical information, medical information, diagnosis and treatment information, and health insurance details. The information exposed varied for each patient.

No reports have been received to suggest any PHI has been misused, but out of an abundance of caution, all individuals affected have been offered complimentary credit monitoring and identity theft protection services.

PHI of 1,100 Patients of Guardant Exposed in Phishing Attack

Guardant, a Redwood City, CA-based liquid biopsy specialist, has discovered that an unauthorized individual gained access to the email account of one of its employees. Access to the email account was gained as a result of the employee responding to a phishing email in July 2018.

An investigation into the breach revealed the attacker had access to the account for five days before the password was changed and access to the account was blocked. An analysis of the emails in the account revealed they contained the protected health information of approximately 1,100 patients.

The types of information potentially accessed were limited to patients’ names, contact details, dates of birth, medical codes, and, for a small number of patients, Social Security numbers.

Tucson Medical Center Discovers Paper Files Containing PHI Were Left Unsecured

TMC Healthcare, which runs Tucson Medical Center in Arizona, has discovered that paper files containing the PHI of 1,776 patients were accidentally left unsecured in a suite used for storage. While the facility is usually locked and secured, on July 12, 2018, the door to the suite was discovered to be unlocked.

The suite was immediately secured to ensure files could not be accessed and an investigation was launched to determine how long files had been left unsecured, and which patients’ PHI had been exposed.

TMC Healthcare determined that the records were potentially accessible for a period of no more than 15 days. Files stored in the suite contained patients’ names, addresses, medical record numbers, dates of birth, insurance ID numbers, Social Security numbers, provider information, diagnoses, treatment information, medications, test results and other clinical information.

TMC Healthcare does not believe any files were accessed by unauthorized individuals during the time they were left unsecured.

Since the incident constitutes a data breach, all individuals potentially affected have been notified by mail and a breach report has been submitted to the HHS’ Office for Civil Rights.

Further training has now been given to the employees responsible for the secure storage and maintenance of files containing PHI. As a precaution against identity theft and fraud, all patients whose records were exposed have been offered credit monitoring and identity theft protection services for 12 months without charge.

Brooklyn Emergency Room Worker Accused of Stealing and Selling Patients’ PHI

A former employee of the emergency department of Brooklyn’s Kings County Hospital is alleged to have stolen the protected health information of at least 100 individuals while working at the hospital and disclosed that information to another individual using an encrypted smartphone app.

Orlando Jemmott, 52, was employed at the hospital for 12 years between March 2006 and April 2018 and was given access to patient health records in order to complete his work duties. Jemmott was required to enter patient information into the hospital’s system such as demographic data and information on patients’ symptoms and health complaints.

In June 2017, the FBI received a tip from a woman that Jemmott was stealing patient information and selling the data to another individual. The tipster claimed the information was being sent via the WhatsApp encrypted messaging app. She took Jemmott’s mobile phone from his house and handed it over to the FBI along with a photo from his WhatsApp profile. The FBI then obtained a warrant to search the phone. The search revealed hundreds of communications between Jemmott and an individual in Pennsylvania who was subsequently identified as Ron Pruitt.

Those communications included more than 180 combinations of patient names and phone numbers, which were sent by Jemmott to Pruitt between December 2014 and April 2015. According to court documents, the identities of at least 100 individuals have been confirmed. The hospital has confirmed that 98 of those individuals were patients at the hospital at the time of the disclosure. The hospital also confirmed that in 88 of the 98 cases, the records of patients had been accessed without authorization.

The tipster also provided paper copies of health information to the FBI which had been printed out between December 2016 and June 2017. The printouts contained the protected health information of 49 individuals, which the hospital confirmed was obtained from its electronic health record system.

Jemmott was arrested in February 2018, was fired by the hospital in April, and has been released on an $80,000 bond. Pruitt was arrested by the FBI in early September. Both are attempting to negotiate plea deals.  It is currently unclear what the disclosed protected health information was used for.

The HIPAA Security Rule requires covered entities to implement audit controls that record activity in systems containing ePHI (45 C.F.R. § 164.312(b)) and to regularly review records of information system activity such as audit logs and access reports (45 C.F.R. § 164.308(a)(1)(ii)(D)). It may not be possible to prevent every unauthorized access of PHI by an employee whose job legitimately requires record access, but regular log review makes it possible to detect such breaches promptly and limit the harm caused. There have been many cases of insider breaches continuing for years before being detected, during which time the records of thousands of patients were accessed.
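The kind of access-log review described above, as an added example that is not code from HIPAA Journal, Kings County Hospital or any EHR vendor. The pipe-delimited audit format, the field names, the user IDs, the sample rows and the thresholds are all assumptions chosen for illustration; a real EHR audit export will differ. The script applies three rules that would have surfaced the pattern in this case: access to patients with no open encounter (no treatment, payment or operations reason on file), access outside the user's shift window, and a daily volume of distinct patients far above the median for peers in the same role.

```python
"""Insider-access review over EHR audit logs (illustrative, constructed data)."""
import statistics
from collections import defaultdict
from datetime import datetime

FIELDS = ("ts", "user", "role", "patient_id", "action", "open_encounter")

# Constructed sample audit export, not real data. One line per record access:
# ISO timestamp | user | role | patient ID | action | patient has an open encounter
SAMPLE_LOG = """\
2018-03-01T08:02:11|u_alpha|registration|P1001|view_demographics|yes
2018-03-01T08:31:40|u_alpha|registration|P1002|view_demographics|yes
2018-03-01T09:10:02|u_alpha|registration|P1003|view_demographics|yes
2018-03-01T08:15:27|u_bravo|registration|P1004|view_demographics|yes
2018-03-01T08:44:09|u_bravo|registration|P1005|view_demographics|yes
2018-03-01T10:02:50|u_bravo|registration|P1006|view_demographics|yes
2018-03-01T08:20:00|u_charlie|registration|P1007|view_demographics|yes
2018-03-01T08:25:00|u_charlie|registration|P1008|view_demographics|yes
2018-03-01T08:30:00|u_charlie|registration|P1009|view_demographics|yes
2018-03-01T08:35:00|u_charlie|registration|P1010|view_demographics|yes
2018-03-01T08:40:00|u_charlie|registration|P1011|view_demographics|yes
2018-03-01T08:45:00|u_charlie|registration|P1012|view_demographics|yes
2018-03-01T13:05:12|u_charlie|registration|P3001|view_demographics|no
2018-03-01T13:06:48|u_charlie|registration|P3002|view_demographics|no
2018-03-01T22:14:55|u_charlie|registration|P3003|view_demographics|no
2018-03-01T22:15:30|u_charlie|registration|P3004|view_demographics|no
"""


def parse_log(text):
    """Parse audit lines into dicts; blank lines and '#' comments are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split("|")
        if len(parts) != len(FIELDS):
            raise ValueError(f"malformed audit line: {line!r}")
        ev = dict(zip(FIELDS, parts))
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        ev["open_encounter"] = ev["open_encounter"] == "yes"
        events.append(ev)
    return events


def review_access(events, shift=(6, 20), volume_factor=3.0, min_volume=8):
    """Apply three review rules; return {user: [(rule, detail), ...]}.

    no_encounter: access to a patient with no open encounter for that access.
    after_hours:  access outside the assumed shift window [shift[0], shift[1]).
    volume:       distinct patients touched in one day exceeds volume_factor times
                  the median for peers in the same role, and at least min_volume.
    """
    findings = defaultdict(list)
    per_user_day = defaultdict(set)  # (role, user, date) -> distinct patient IDs

    for ev in events:
        when = ev["ts"].isoformat()
        if not ev["open_encounter"]:
            findings[ev["user"]].append(("no_encounter", f"{ev['patient_id']} at {when}"))
        if not (shift[0] <= ev["ts"].hour < shift[1]):
            findings[ev["user"]].append(("after_hours", f"{ev['patient_id']} at {when}"))
        per_user_day[(ev["role"], ev["user"], ev["ts"].date())].add(ev["patient_id"])

    by_role = defaultdict(list)
    for (role, user, day), patients in per_user_day.items():
        by_role[role].append((user, day, len(patients)))
    for role, rows in by_role.items():
        median = statistics.median([n for _, _, n in rows])
        for user, day, n in rows:
            if n >= min_volume and n > volume_factor * median:
                findings[user].append(
                    ("volume", f"{n} distinct patients on {day}; {role} median is {median:g}")
                )
    return dict(findings)


if __name__ == "__main__":
    for user, items in review_access(parse_log(SAMPLE_LOG)).items():
        print(user)
        for rule, detail in items:
            print(f"  {rule:13} {detail}")
```

On the constructed log, only u_charlie is flagged: four no-encounter accesses, two of them after hours, and ten distinct patients in a day against a peer median of three. The volume rule is deliberately relative to peers in the same role rather than a fixed number, since a registration clerk and a triage nurse legitimately touch very different numbers of records; the no-encounter rule is the one that catches low-and-slow theft of a few records a week, which a pure volume threshold never will.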

Mailing Vendor Blamed for Blue Cross and Blue Shield of Rhode Island Privacy Breach

Blue Cross and Blue Shield of Rhode Island (BCBSRI) is alerting 1,567 plan members that some of their protected health information has been impermissibly disclosed by one of its business associates.

A BCBSRI vendor was contracted to send explanation of benefits statements to plan members. The statements contain summaries of the healthcare services members have received under their health plan.

However, an error was made which resulted in statements being sent to incorrect individuals. The explanation of benefits statements included members’ BCBSRI ID number, their service provider(s), the service(s) provided, and the cost of the claims.

The impermissible disclosure of PHI was attributed to an error made by the vendor when combining the explanation of benefits statements for certain individuals who are covered under the same policy. Combining the statements was intended to reduce the number of summaries received by some members.

The error resulted in some explanation of benefits statements being incorrectly combined in the mid-July mailings, which resulted in the summaries being sent to incorrect family members or other individuals in the household that were covered by the same policy.

Upon discovery of the error, BCBSRI instructed the vendor to stop combining the statements and individual summaries will continue to be sent to members while BCBSRI looks for a different solution.

BCBSRI issued a statement about the incident confirming that the error only resulted in the disclosure of PHI to family members or other individuals in the same household covered by the policy, not to any other members.

Since members’ Social Security numbers and dates of birth are not detailed in the summaries, and only family members received the summaries, the risk of any information being misused is believed to be very low.

All individuals who have been impacted by the incident will be notified about the privacy breach by mail in the next few days.

Independence Blue Cross Notifies 17,000 Members of Online Exposure of Their PHI

Independence Blue Cross is notifying thousands of plan members that some of their protected health information has been exposed online and has potentially been accessed by unauthorized individuals.

The Independence Blue Cross privacy office was informed about the exposed information on July 19 and immediately launched an investigation. A leading forensics investigation firm was hired to investigate the incident and establish whether any plan members’ information was accessed during the time it was exposed.

Independence Blue Cross said an employee had uploaded a file containing plan members’ protected health information to a public facing website on April 23, 2018. The file remained accessible until July 20 when it was removed from the website.

The information contained in the file was limited. No financial information or Social Security numbers were exposed. Affected plan members only had their name, diagnosis codes, provider information, date of birth, and information used for processing claims exposed.
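Both this incident and The Arc of Erie County case above involved a file of PHI being placed on a public website by an employee. A pre-publication check that refuses to release tabular exports whose columns look like HIPAA identifiers is one control that stops this class of mistake. The following is an added example, not code from HIPAA Journal, Independence Blue Cross or The Arc of Erie County; the column names, the sample rows and the 50% match threshold are assumptions chosen for illustration. It checks value shapes for three Safe Harbor identifier types (SSNs, individual-level dates, and ICD-10-CM diagnosis codes, which disclose a condition); names need a dictionary or NER-based detector and are deliberately out of scope here.

```python
"""Pre-publication scan of a CSV export for HIPAA identifiers (illustrative)."""
import csv
import io
import re
from collections import defaultdict

# Value-shape detectors for a few Safe Harbor identifiers (45 C.F.R. 164.514(b)).
# Dates: any date tied to an individual (birth, admission, service) is an identifier.
# ICD-10-CM: letter (not U), digit, alphanumeric, optional dot plus 1-4 alphanumerics.
DETECTORS = {
    "ssn": re.compile(r"^\d{3}-\d{2}-\d{4}$"),
    "date": re.compile(r"^(\d{4}-\d{2}-\d{2}|\d{1,2}/\d{1,2}/\d{4})$"),
    "icd10": re.compile(r"^[A-TV-Z]\d[0-9A-Z](\.[0-9A-Z]{1,4})?$"),
}


def scan_csv(text, ratio=0.5):
    """Return {column: identifier_type} for every column in which at least
    `ratio` of the non-empty cells match one of the detectors."""
    reader = csv.DictReader(io.StringIO(text))
    totals = defaultdict(int)
    hits = defaultdict(lambda: defaultdict(int))
    for row in reader:
        for col, val in row.items():
            val = (val or "").strip()
            if not val:
                continue
            totals[col] += 1
            for kind, pattern in DETECTORS.items():
                if pattern.match(val):
                    hits[col][kind] += 1
    flagged = {}
    for col, kinds in hits.items():
        for kind, n in kinds.items():
            if n / totals[col] >= ratio:
                flagged[col] = kind
    return flagged


def allow_publish(text):
    """Gate for a public upload: True only when no column looks like PHI."""
    return not scan_csv(text)


# Constructed claims extract of the kind that must never reach a public site.
CLAIMS_EXTRACT = """\
member_name,dob,diagnosis_code,provider_npi,service_date,allowed_amount
Jane Q. Public,1974-03-09,E11.9,1234567893,2018-04-02,125.00
John Q. Public,1969-11-21,J45.909,1234567893,2018-04-03,80.50
"""

# Constructed provider directory: no individual-level identifiers, fine to publish.
PROVIDER_DIRECTORY = """\
provider_name,provider_npi,specialty,accepting_new_patients
Example Endocrinology Clinic,1234567893,Endocrinology,yes
"""

if __name__ == "__main__":
    for label, doc in (("claims extract", CLAIMS_EXTRACT), ("provider directory", PROVIDER_DIRECTORY)):
        print(label, "->", "BLOCKED" if not allow_publish(doc) else "allowed", scan_csv(doc))
```

On the constructed claims extract the scan flags dob and service_date as dates and diagnosis_code as ICD-10, so the upload is blocked; the provider directory passes. The threshold is applied per column rather than per cell so that a single stray value in an otherwise clean column does not block a release, while a column that is mostly identifiers cannot be waved through because a few rows are blank. In a deployment this gate would sit in the web publishing pipeline and in the DLP policy on the CMS upload endpoint, not in a script the uploading employee runs by hand.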

Despite a thorough investigation, it was not possible to determine whether any unauthorized individuals accessed the file during the time it was on the website. No reports have been received to date to suggest any protected health information has been misused.

According to a statement from the health insurer, the breach affects certain Independence Blue Cross members and members of its subsidiaries AmeriHealth HMO and AmeriHealth Insurance Co. of New Jersey. Fewer than 1% of plan members – approximately 17,000 individuals – were affected by the breach.

Affected individuals have now been notified of the breach and, out of an abundance of caution, Independence Blue Cross is offering all affected individuals 24 months of free triple-bureau credit monitoring and identity theft protection services.

The Philadelphia-based health insurer has taken steps to prevent further breaches of this nature and ‘appropriate action’ has been taken with the employee who uploaded the file to the website.

CMS: Fairview Southdale Hospital Videotaped Patients Without Knowledge or Consent

The HHS’ Centers for Medicare and Medicaid Services (CMS) has investigated Fairview Southdale Hospital in Edina, MN over an alleged violation of patient privacy and discovered that some patients were videotaped during psychiatric evaluations in the emergency department without their knowledge or consent. The hospital was cited for violating patient privacy.

According to the Star Tribune, the CMS launched an investigation following a complaint from a patient who had been taken to the hospital for a psychiatric evaluation against her will in May 2017. The patient was escorted to the hospital as police officers were concerned about her state of mental health and feared she may cause harm to herself or others.

After being released, the patient took legal action over her admission to the hospital and how she was treated by the police. As part of that lawsuit, the patient requested a copy of the security camera footage from the hospital. While the patient expected to receive a copy of the videotape from the front of the hospital showing her entering the facility, the videotape showed her entire visit, including her psychiatric evaluation and her changing into hospital scrubs. The videotape only showed the patient’s back as she was getting changed.

The patient was horrified that the entire visit had been recorded without her knowledge and claimed that there were no warning signs in the emergency room advising patients that they were being recorded.

Fairview Southdale Hospital does indicate on its consent form for treatment that patients may be videotaped for the purpose of medical education, but in this case the patient refused to read or sign the consent form, as she was not in the hospital of her own free will and had refused treatment.

Fairview Southdale Hospital cooperated fully with the investigation and informed the CMS that an additional 8 video cameras had been installed in rooms in the emergency department that were used for psychiatric evaluations following an increase in the number of incidents in which patients had become violent.

CMS found that cameras were used in those rooms, although there were no signs warning patients that they were being videotaped. The camera footage was visible in the nursing station but was out of public view.

Typically, footage from the cameras is permanently erased, although in this case the footage was retained as the patient had also made a complaint to the hospital about her visit.

Sue Abderholden, executive director of the Minnesota chapter of the National Alliance on Mental Illness, told the Star Tribune, “Healthcare facilities that videorecord patients for security reasons should notify them… If you’re going to do it, there should be a sign and you should orally tell the person.”

Following the investigation, the hospital retrained staff and instructed its nurses to tell patients that they may be filmed during their emergency room visits. Privacy screens have now been installed to prevent patients from being filmed while changing, and from September the hospital stopped recording footage from the cameras, although it will continue to use them for medical education and safety purposes.

Fetal Diagnostic Institute of the Pacific Experiences Ransomware Attack

The Fetal Diagnostic Institute of the Pacific (FDIP) in Honolulu, HI, experienced a ransomware attack on June 30, 2018. File-encrypting software was installed on an FDIP server and encrypted a wide range of file types, including patient medical records.

FDIP engaged the services of a leading cybersecurity company to conduct a full investigation into the breach to determine whether patient data was accessed by the attackers and also to assist with breach remediation. The investigation did not uncover any evidence to suggest that patients’ protected health information was accessed, viewed, or stolen by the individuals behind the attack, although it was not possible to rule out data access and data theft with a high level of confidence.

Consequently, the incident is being treated as a HIPAA breach, patients are being notified, and the Department of Health and Human Services’ Office for Civil Rights (OCR) has been informed.

An analysis of the files encrypted by the ransomware revealed they contained a range of protected health information. Patients affected by the security breach may have had their full name, home address, date of birth, account number, diagnoses, and “other types of information” exposed. No financial information was exposed as a result of the attack. The breach report submitted to OCR indicates 40,800 current and former patients have been affected by the breach.

FDIP reports that prompt action was taken to address the breach and remove the malicious software and restore all encrypted files. Its systems have now been cleansed and no trace of any malware remains. Steps have also been taken to improve security protections to prevent any further security breaches and unauthorized disclosures of patient data.

FDIP does not expect patients to experience any harm as a result of the ransomware attack, although patients have been urged to get in touch with FDIP immediately if they become aware of any suspicious activity that they believe is related to the breach.

This is only the fifth data breach of more than 500 records to have been reported to OCR by a Hawaii-based covered entity since data breach summaries first started being published by OCR in 2009.

Email Security Breaches Reported by Hopebridge (IN) and United Methodist Homes (NY)

Hopebridge, an Indiana-based network of 28 autism treatment centers throughout the Midwest, has discovered it has been the victim of a phishing attack that has potentially resulted in an unauthorized individual gaining access to the protected health information (PHI) of its patients.

A security breach was detected on July 19, 2018 prompting a thorough investigation. A leading third-party computer forensics firm was engaged to assess the nature and scope of the breach and all accounts and systems were immediately secured to lock out the attacker.

The investigation revealed several employees had been fooled by phishing emails that had been sent between March and July 2018. Several email accounts were compromised as a result of employees’ responses to those emails. An analysis of the compromised email accounts revealed they contained a limited amount of patients’ PHI – Their names, the services they received from Hopebridge, and an inferred autism diagnosis.

The results of the forensic investigation suggest that it was not the intention of the attacker to gain access to PHI, instead the attacks appear to have been an attempt to gain access to employees’ financial information.

The breach report submitted to the Department of Health and Human Services’ Office for Civil Rights indicates 1,411 patients have been impacted by the incident. Hopebridge says there is no indication that any patient information has been misused.

The breach has prompted Hopebridge to implement stronger access controls, IP address whitelisting, and 2-factor authentication on email accounts. Hopebridge is also now masking patient names on internal emails and reports.

Former Employee Stole Information of United Methodist Homes Residents

United Methodist Homes, a network of Independent and Assisted Living facilities for seniors in New York, has discovered an employee stole the protected health information of some of its current and former residents.

A spreadsheet containing information on 843 current and former residents of its Elizabeth Church and Hilltop campuses was emailed to the employee’s personal email account. The spreadsheet contained information such as residents’ names, addresses, phone numbers for residents’ contact person(s) and the relationship of those individuals to the residents. No highly sensitive information such as financial data, health data, health insurance information, or Social Security numbers were recorded in the spreadsheet.

Following the discovery of the incident on July 13, 2018, the employee was questioned, and United Methodist Homes observed the employee deleting the email and spreadsheet from his personal email account. The individual is no longer employed by United Methodist Homes.

Even though the information in the spreadsheet was extremely limited, United Methodist Homes has offered complimentary credit monitoring services to affected individuals for 12 months.