HIPAA Breach News

Flowers Hospital Proposes $150,000 Settlement for 2014 Data Breach

A class action lawsuit filed in the wake of an employee-related data breach at Flowers Hospital in Dothan, Alabama in 2014 is heading towards being settled. The settlement has yet to receive final court approval, although approval seems likely and a resolution to this four-year legal battle is now in sight.

In contrast to most class action lawsuits filed over the exposure/theft of PHI, this case involved the theft of data by an insider rather than a hacker. Further, the former employee used PHI for identity theft and fraud and was convicted of those crimes.

The breach in question involved a former lab technician, Kamarian D. Millender, who was found in possession of paper records containing patients’ protected health information. Millender admitted to using the information for identity theft and for filing false tax returns in victims’ names. In December 2014, Millender was sentenced to serve two years in jail.

In the class action lawsuit, filed the same year, it was claimed that between June 2013 and December 2014, paper records were left unprotected and unguarded at the hospital and could have been taken by employees or third parties. In the case of Millender, that is exactly what happened.

Flowers Hospital attempted to have the lawsuit dismissed, although that attempt failed and the lawsuit was awarded class action status in 2017. The decision has now been taken to settle the case. The hospital has offered a fund of up to $150,000 to cover out-of-pocket expenses incurred by the 1,208 victims of the breach. The settlement would provide each class member with up to $250 each, although claims up to a total value of $5,000 would be considered.

In order to be eligible to receive the compensation, class members would need to submit valid claims. A valid claim would require a breach victim to prove that they purchased credit monitoring or identity theft protection services in response to being notified about the breach.

Additionally, breach victims would be allowed to claim money for the time they spent arranging those services – up to four hours of documented lost time – the cost of obtaining credit reports, and any unreimbursed interest on a tax refund that was delayed because a fraudulent tax return was filed between June 2013 and the claims deadline. The settlement does not include any punitive damages.

In the event that valid claims are received, and the total claims amount exceeds the allocated $150,000, all claims would be reduced, pro rata, so that the total claims value would not exceed $150,000.

The post Flowers Hospital Proposes $150,000 Settlement for 2014 Data Breach appeared first on HIPAA Journal.

Blue Springs Family Care Ransomware Attack Impacts 45,000 Patients

Blue Springs Family Care in Missouri has experienced a ransomware attack that has resulted in the encryption of sensitive data.

The attack was detected by the healthcare provider’s computer vendor on May 12, 2018. An investigation was launched the same day by the computer vendor with assistance provided by a contracted third-party computer forensics firm.

In contrast to many ransomware attacks, which involve a single ransomware variant being downloaded and files being encrypted indiscriminately, the attacker managed to gain access to Blue Springs Family Care systems and installed a variety of malicious software programs in addition to the ransomware.

Those malware programs would have given the attacker full access to all Blue Springs Family Care computer systems, including access to all patients’ protected health information. At the time of issuing notifications to patients, Blue Springs Family Care had not received any reports to suggest that any PHI was stolen and misused by the attacker. However, data access and data theft could not be ruled out.

The types of information potentially accessed included full names, home addresses, dates of birth, Social Security numbers, account numbers, driver’s license numbers, disability codes, and diagnoses.

The computer forensics firm was able to quarantine the entire system and prevent any further unauthorized data access. New software has now been installed which monitors for unauthorized access, and a new intrusion prevention system has also been implemented, which includes a new firewall.

Additionally, Blue Springs Family Care is changing over to a new electronic medical record system that encrypts all data at rest to ensure PHI cannot be accessed in the event that another data breach is experienced.

The breach report submitted to the Department of Health and Human Services’ Office for Civil Rights indicates 44,979 patients were affected by the breach.


Boys Town National Research Hospital and NorthStar Anesthesia Discover PHI Compromised in Phishing Attacks

The phishing attacks on healthcare organizations continue… The past few days have seen two further healthcare organizations announce that email accounts were breached when employees responded to phishing emails.

Email Account Compromised at Boys Town National Research Hospital

Boys Town National Research Hospital (Boys Town), an Omaha, NE hospital specializing in pediatric deafness, visual and communication disorders, has announced that a recent phishing campaign has resulted in the email account of an employee being accessed by an unauthorized individual.

Boys Town first became aware of a security breach on May 23, 2018, when unusual email account activity was detected. Computer forensics experts were called in to investigate, and a breach was confirmed to have occurred on May 23.

Boys Town painstakingly examined the account email-by-email to determine which patients potentially had their PHI exposed and the amount of PHI that was potentially compromised.

The breach was confirmed as being confined to a single email account, which contained sensitive information of current and former patients and employees.

The information in the email account varied by individual, but may have included names, dates of birth, Social Security numbers, driver’s license numbers, employer ID numbers, health insurance information, disability codes, birth certificate information, marriage certificate information, passport information, banking and other financial information, medical record numbers, usernames and passwords, Medicare/Medicaid ID numbers, diagnosis and treatment information, and billing/claims information.

No evidence of data exfiltration was uncovered, although it is possible that PHI was accessed and potentially obtained. Individuals impacted by the incident have been offered complimentary identity theft protection services for 12 months. A review of policies and procedures is being conducted and additional safeguards will be implemented to help prevent further phishing attacks.

NorthStar Anesthesia Discovers Multiple Email Accounts Accessed by Unauthorized Individuals

An email phishing campaign targeting Irving, TX-based NorthStar Anesthesia, a provider of outsourced anesthesia services, was conducted between April 3 and May 24, 2018. The phishing campaign was identified on May 23, 2018, with access to all compromised accounts blocked on May 24, 2018.

Third-party forensic investigators were called in to assist with the investigation and determine the extent of the attack and whether emails containing patients’ protected health information were accessed. The investigators determined that the compromised email accounts contained a range of protected health information which included names, health insurance application or claims information, birth dates, health insurance policy/subscriber numbers, taxpayer ID numbers, IRS identity protection numbers, medical histories, diagnosis and treatment information, medical record numbers, and for a limited number of individuals, Social Security numbers.

NorthStar Anesthesia is implementing additional safeguards to prevent further phishing attacks and affected individuals have been offered complimentary credit monitoring and identity restoration services for two years.


Golden Heart Administrative Professionals Ransomware Attack Impacts 44,600 Patients

Golden Heart Administrative Professionals, a Fairbanks, AK-based billing company and business associate of several healthcare providers in Alaska, is notifying 44,600 individuals that some of their protected health information has potentially been accessed by unauthorized individuals as a result of a recent ransomware attack.

The ransomware was downloaded to a server containing the PHI of patients. According to a press release issued by the company, “All client patient information must assume to be compromised.”

Local and federal law enforcement agencies have been notified about the cyberattack and efforts are continuing to recover files.

The Golden Heart Administrative Professionals ransomware attack is the largest data breach reported by a healthcare organization in July, and the second major data breach to be reported by an Alaska-based healthcare organization in July.

In early July, the Alaska Department of Health and Social Services announced that it had suffered a data breach as a result of a malware infection. The Zeus/Zbot Trojan – an information stealer – had been downloaded which potentially allowed the attackers to gain access to the protected health information of ‘more than 500’ individuals.

Recent reports suggest ransomware attacks are declining, with many cybercriminal gangs switching operations to cryptocurrency mining; however, there does not appear to be any let-up in ransomware attacks on healthcare organizations.

Last week, LabCorp, the national network of clinical testing laboratories, experienced a SamSam ransomware attack. The attack was detected within 50 minutes and systems were shut down to prevent widespread file encryption. The ransomware was downloaded following a brute force remote desktop protocol (RDP) attack. It is not currently known how many patients have been impacted by the attack, although some reports suggest millions of patients’ PHI may have been compromised.

On Monday, July 9, Cass Regional Medical Center in Harrisonville, MO, experienced a ransomware attack that resulted in its communications system and electronic medical record system being taken out of action. The medical center took the decision to redirect ambulances for stroke and trauma victims to alternate healthcare facilities. As with the LabCorp attack, the ransomware was downloaded to the server following a brute force RDP attack. The electronic medical record systems remained offline for 10 days as a result of the attack.


New York Physician Notifies Patients of Exposure of their PHI

A New York physician has started notifying patients that their protected health information has been exposed and may have been accessed by unauthorized individuals.

Ruben U. Carvajal, MD was alerted to a possible privacy breach on January 3, 2018 and was informed that some of his patients’ health information was accessible over the Internet. An investigation into the possible privacy breach was launched and the matter was reported to the New York Police Department and the Federal Bureau of Investigation (FBI).

FBI investigators visited his office and examined his computer. On February 18, 2018, the FBI confirmed that the EMR program on his computer had been accessed by an unauthorized individual. A forensic investigator was called in to conduct a thorough investigation to determine the nature and scope of the breach.

On May 22, 2018 the forensic investigator determined that the physician’s computer had been accessed by an unauthorized individual between December 16, 2017 and January 3, 2018.

Any individual who gained access to the physician’s computer could have accessed the EMR system. The forensic investigation did not confirm whether the program was accessed, but based on the findings of the FBI it can be assumed that this was the case.

The types of information that were potentially viewed and/or copied included names, addresses, birthdates, medical histories, diagnoses, treatment information, lab test results, medications, health insurance details, and claims information. Patients that receive Medicare also had their Medicare ID numbers and Social Security numbers exposed.

Dr. Carvajal started notifying patients about the breach on July 17, 2018 and patients have been offered complimentary credit monitoring and identity theft protection services. Steps have now been taken to improve security to prevent similar breaches from occurring in the future.

The incident has yet to appear on the Department of Health and Human Services’ Office for Civil Rights breach portal so it is currently unclear how many patients have been impacted by the data breach.


Investigation Launched Over Snapchat Photo Sharing at M.M. Ewing Continuing Care Center

Employees of a Canandaigua, NY nursing home have been using their smartphones to take images and videos of at least one resident and share the content with others via Snapchat – a violation of HIPAA and a serious violation of patient privacy.

The privacy breaches occurred at Thompson Health’s M.M. Ewing Continuing Care Center and involved multiple employees. Thompson Health has already taken action and has fired several workers over the violations. Now the New York Department of Health and the state attorney general’s office have got involved and are conducting investigations.

The state attorney general’s Deputy Press Secretary, Rachel Shippee, confirmed to the Daily Messenger that an investigation has been launched, stating: “The Medicaid Fraud Control Unit’s mission includes the protection of nursing home residents from abuse, neglect and mistreatment, including acts that violate a resident’s rights to dignity and privacy.”

Thompson Health does not believe the images/videos were shared publicly and sharing was restricted to a group of employees at the care center. Thompson Health is contacting the families of the residents impacted by the breach to offer an apology.

This is not the first time that Thompson Health has discovered an employee had taken pictures and videos without people’s knowledge. In January, a camera was discovered in a unisex bathroom at Thompson Hospital. When the camera was taken down, it was discovered that the memory card had been removed. The matter was reported to law enforcement, although the employee responsible has not been identified.

M.M. Ewing Continuing Care Center is far from the only nursing home to discover that residents have been photographed and videoed without consent with videos and images shared on social media networks.

An investigation into the sharing of images of abuse of nursing home residents was launched by ProPublica in 2015. The investigation revealed the practice was commonplace, with several nursing home employees discovered to have performed similar acts. The investigation revealed there had been 22 cases of photo sharing on Snapchat and other social media platforms and 35 cases in total since 2012.

More recently, a nursing assistant at the Parkside Manor assisted-living facility in Kenosha, WI, was discovered to have taken photos of an Alzheimer’s patient and posted the images on Snapchat. When the violation was discovered, the nursing assistant was fired for the HIPAA breach.

The high number of cases involving these types of HIPAA violations prompted the CMS to take action in 2016. The CMS sent a memo to state health departments reminding them of their responsibilities to ensure nursing home residents were not subjected to any form of abuse, including mental abuse such as the taking of demeaning and degrading photos and videos and having the multimedia content shared on social media networks.


June 2018 Healthcare Breach Report

There was a 13.8% month-over-month increase in healthcare data breaches reported in June 2018, although the data breaches were far less severe in June with 42.48% fewer healthcare records exposed or stolen than the previous month.

In June there were 33 healthcare data breaches reported to the Department of Health and Human Services’ Office for Civil Rights and those breaches saw 356,232 healthcare records exposed or stolen – the lowest number of records exposed in healthcare data breaches since March 2018.

Figure: Healthcare Data Breaches (January-June 2018)

Figure: Healthcare Records Exposed (January-June 2018)

Causes of Healthcare Data Breaches (June 2018)

Unauthorized access/disclosure incidents were the biggest problem area in June, followed by hacking/IT incidents. As was the case in May, there were 15 unauthorized access/disclosure breaches and 12 hacking/IT incidents. The remaining six breaches involved the theft of electronic devices (4 incidents) and paper records (2 incidents). There were no reported losses of devices or paperwork and no improper disposal incidents.

Healthcare Records Exposed by Breach Type

While unauthorized access/disclosure incidents were more numerous than hacking/IT incidents, they resulted in the theft/exposure of far fewer records. Compared to May, 157.5% more records were obtained by unauthorized individuals in theft incidents. There was a 56% fall in the number of healthcare records exposed/stolen in hacking/IT incidents and almost 74% fewer healthcare records exposed or stolen in unauthorized access/disclosure incidents.

Largest Healthcare Data Breaches (June 2018)

Hacking and phishing incidents were behind most (8) of the largest healthcare data breaches reported in June.

The largest breach was reported by Med Associates, a provider of claims services to healthcare organizations. A computer used by one of the company’s employees was hacked and accessed remotely by an unauthorized individual. The device contained the PHI of 276,057 individuals.

HealthEquity Inc., Black River Medical Center, and InfuSystem Inc. all experienced phishing attacks that resulted in unauthorized individuals gaining access to email accounts containing ePHI. The New England Baptist Health breach involved a patient list that was accidentally emailed to an individual unauthorized to receive the information.

The Arkansas Children’s Hospital breach was a case of snooping by a former employee, and the breach at RISE Wisconsin was a ransomware attack.

| Breached Entity | Entity Type | Records Exposed | Breach Type | Location of PHI |
|---|---|---|---|---|
| Med Associates, Inc. | Business Associate | 276,057 | Hacking/IT Incident | Desktop Computer |
| HealthEquity, Inc. | Business Associate | 16,000 | Hacking/IT Incident | Email |
| Black River Medical Center | Healthcare Provider | 13,443 | Hacking/IT Incident | Email |
| New England Baptist Health | Healthcare Provider | 7,582 | Unauthorized Access/Disclosure | Email |
| Arkansas Children’s Hospital | Healthcare Provider | 4,521 | Unauthorized Access/Disclosure | Electronic Medical Record |
| InfuSystem, Inc. | Healthcare Provider | 3,882 | Hacking/IT Incident | Email |
| RISE Wisconsin, Inc. | Healthcare Provider | 3,731 | Hacking/IT Incident | Network Server |
| Gwenn S Robinson MD | Healthcare Provider | 2,500 | Hacking/IT Incident | Desktop Computer |
| Capitol Anesthesiology Association | Healthcare Provider | 2,231 | Hacking/IT Incident | Network Server |
| Massac County Surgery Center dba Orthopaedic Institute Surgery Center | Healthcare Provider | 2,000 | Hacking/IT Incident | Email |

Location of Breached PHI (June 2018)

Email continues to be the most common location of breached PHI. In June, there were 9 email-related breaches reported to OCR. Seven of the nine email-related breaches involved unauthorized individuals accessing the email accounts of healthcare employees as a result of phishing attacks. One email-related breach involved PHI being sent to an individual unauthorized to receive the data and the cause of the other email-related breach has not been confirmed.

The high number of successful phishing attacks on healthcare organizations highlights the importance of ongoing security awareness training for all healthcare employees with email accounts. Once-a-year training sessions are no longer sufficient. Training programs should be ongoing, with phishing simulation exercises routinely conducted to reinforce training and condition employees to be more security aware. OCR reminded HIPAA-covered entities that security awareness training is a requirement of HIPAA and offered suggestions to increase resilience to phishing attacks in its July 2017 Cybersecurity Newsletter.

Unauthorized access to and theft of paper records were behind 6 breaches, highlighting the need for physical controls to be implemented to keep physical records secure.

Data Breaches by Covered Entity Type

Healthcare providers experienced the most data breaches in June with 23 data security incidents reported. There was a marked month-over-month increase in health plan data breaches with six incidents reported compared to just two in May. Business associates reported six breaches in June, although in total, 10 incidents had some business associate involvement – on a par with May when 9 breaches involved business associates to some extent.

Data Breaches by State

California was the state worst affected by healthcare data breaches in June 2018, with 5 data breaches reported by healthcare organizations in the state. Texas saw four breaches reported, three security breaches were reported by Michigan-based healthcare organizations, and two breaches each were reported by healthcare organizations in Florida, Missouri, Utah, and Wisconsin.

Arkansas, Arizona, Iowa, Illinois, Massachusetts, Minnesota, Montana, North Carolina, New Jersey, New Mexico, New York, Pennsylvania, and Washington each had one breach reported.

Penalties for HIPAA Violations Issued in June 2018

OCR penalized one HIPAA-covered entity in June for HIPAA violations – the fourth largest HIPAA violation penalty issued to date.

OCR investigated University of Texas MD Anderson Cancer Center (MD Anderson) after three data breaches were reported in 2012 and 2013 – the theft of a laptop computer from the vehicle of a physician and the theft of two unencrypted thumb drives. 34,883 healthcare records were impermissibly disclosed as a result of the breaches.

OCR determined a financial penalty was appropriate for the failure to encrypt ePHI and the resultant impermissible disclosures of patient health information. MD Anderson contested the penalty, with the case going before an administrative law judge (ALJ). The ALJ ruled in favor of OCR.

MD Anderson was ordered to pay $4,348,000 to resolve the HIPAA violations that led to the breaches.


Several Email Accounts Compromised in Sunspire Health and UPMC Cole Phishing Attacks

Two more healthcare organizations have reported phishing attacks that have resulted in cybercriminals gaining access to the protected health information of patients, both of which saw the attackers gain access to multiple email accounts.

Sunspire Health, which runs a national network of addiction treatment facilities, saw several email accounts compromised as a result of a phishing campaign targeting its employees. The attacks were discovered between April 10, 2018 and May 17, 2018.

Forensic investigators were called in to determine the nature and scope of the incidents. The investigation revealed the first email account was compromised on March 1, 2018, with further accounts compromised and accessed by unauthorized individuals up until May 4.

No patients have reported misuse of protected health information to Sunspire Health to date, and no evidence was found to suggest the email accounts had been misused, although it is possible that protected health information in the compromised email accounts was accessed and may have been downloaded by the attacker(s).

The types of information present in the emails included patients’ names, dates of birth, diagnoses, treatment information, health insurance details and Social Security numbers.

Patients impacted by the phishing attacks have now been notified and a substitute breach notice was uploaded to the Sunspire Health website on July 16. Patients affected by the breach have been offered credit monitoring and identity theft protection services at no charge.

The Department of Health and Human Services’ Office for Civil Rights has been notified, but the incident has yet to appear on its breach portal so it is unclear at this stage exactly how many patients have been affected.

Phishing Attack on UPMC Cole Sees Two Email Accounts Compromised

UPMC Cole in Coudersport, Pennsylvania has discovered that two of its employees were duped by phishing emails, resulting in the disclosure of their login credentials. The email accounts were compromised on June 7 and June 14, 2018, and the compromises were discovered when staff members started receiving suspicious emails sent from the compromised email accounts.

Prompt action was taken to block access to the email accounts and an investigation was launched to determine whether any patient health information was accessed. While data access was not confirmed, it could not be ruled out with a high degree of certainty.

The email accounts only contained a limited amount of PHI, and no financial information or Social Security numbers were compromised. The types of data exposed were limited to names, dates of birth, medical procedures performed, general treatment information, names of healthcare providers, and scheduling information.

790 patients were affected by the breach and notification letters have now been mailed.
