HIPAA Breach News

LabCorp Cyberattack Forces Shutdown of Systems: Investigators Currently Determining Scale of Breach

LabCorp, one of the largest clinical laboratories in the United States, has experienced a cyberattack that has potentially resulted in hackers gaining access to patients’ sensitive information.

The Burlington, NC-based company runs 36 primary testing laboratories throughout the United States and the Los Angeles National Genetics Institute. The company performs standard blood and urine tests, HIV tests and specialty diagnostic testing services and holds vast quantities of highly sensitive data.

The cyberattack occurred over the weekend of July 14, 2018 when suspicious system activity was identified by LabCorp’s intrusion detection system. Prompt action was taken to terminate access to its servers and systems were taken offline to contain the attack.

Taking its systems offline naturally affected test processing, and customers have been unable to access their test results online. LabCorp expects some of its systems to remain offline for several days while efforts continue to restore functionality and those systems are fully tested. Delays in processing lab tests are expected to continue until its systems are fully restored, and patients may continue to experience delays in receiving their results.

The investigation into the breach is still in the early stages and it has yet to be confirmed whether the hackers behind the attack managed to gain access to patients’ medical information. So far, no evidence has been uncovered to suggest any patient information was transferred outside its system.

LabCorp is involved in several drug development programs, although the attack is believed to be limited to LabCorp’s Diagnostics systems. The systems used by Covance Drug Development are not believed to have been affected.

The cyberattack has been reported to the Securities and Exchange Commission (SEC) and other relevant authorities have also been notified.

Once the nature of the breach has been established and the likelihood of unauthorized access to patient data has been determined, patients will be notified if appropriate.

LabCorp has followed standard breach protocol to contain the attack, prevent data exfiltration and limit harm, and the shutting down of its systems is no indication that patient data has been accessed. However, the UK’s Daily Mail newspaper claims to have contacted a company insider who said the hackers potentially had access to the medical records of millions of patients.

The post LabCorp Cyberattack Forces Shutdown of Systems: Investigators Currently Determining Scale of Breach appeared first on HIPAA Journal.

Two Employees of the Alive Hospice in Tennessee Fooled by Phishing Scam

The email accounts of two employees of the Alive Hospice in Tennessee have been compromised as a result of the employees falling for phishing attacks.

The email account breaches were identified during a review of the email system on May 15, 2018. During the review, ongoing unauthorized access to the email accounts was detected. Alive Hospice immediately took steps to block third-party access by performing a password reset, and third-party forensics investigators were called in to determine the nature and scope of the breach.

The investigation revealed the first email account was compromised on or around December 20, 2018, with the second account compromised on or around April 5, 2018. An analysis of both email accounts revealed they contained the protected health information of patients, which may have been accessed by the person(s) responsible for the attacks.

The types of information that may have been accessed varied for each patient and included names, dates of birth, Social Security numbers, driver’s license numbers, passport numbers, financial account numbers, copies of birth/death certificates, medical histories, prescription information, treatment information, health insurance numbers, biometric identifiers, IRS PIN numbers, digital signatures, security questions and answers, username/email and password information.

The investigation into the breach revealed no evidence to suggest any of the information was viewed or downloaded by the attacker, and neither have any reports been received to suggest there has been any misuse of patients’ PHI.

All individuals impacted by the breach were sent breach notification letters on June 12, 2018 and have been offered 12 months of credit monitoring and identity theft protection services without charge.

Due to the extensive range of sensitive information that has potentially been compromised, patients should carefully monitor their account statements and explanation of benefits forms for any sign of fraudulent activity.

Alive Hospice had “stringent security measures in place” to protect against the unauthorized accessing of PHI, although in this case those measures were undone by phishing emails. Alive Hospice has said it is implementing additional safeguards to improve its security posture and protect against further attacks.

It is currently unclear how many patients have been impacted as the incident has yet to be uploaded to the HHS’ Office for Civil Rights breach portal. No mention was made of the number of people impacted in Alive Hospice’s substitute breach notice.


Email Account of Billings Clinic Worker Hacked During Overseas Trip

The email account of an employee of Billings Clinic in Billings, MT, that contained the protected health information of approximately 8,400 patients has been compromised.

The breach was detected by the clinic’s cybersecurity systems on May 14, 2018, with unusual activity triggering an alert. Rapid action was taken to secure the account, although it is possible that the PHI of patients could have been viewed or copied.

The information in the account was limited. No financial information was exposed, access to medical records was not gained, and no Social Security numbers were stored in the account. Data in the account had been used for scheduling purposes and related to patients who received medical services between 2008 and 2011.

The breach was limited to names, dates of birth, contact information, diagnoses, descriptions of medical services provided, medical record numbers, and internal financial control numbers. The investigation confirmed that the breach was limited to a single email account.

While data breaches such as this can easily be caused as a result of employees responding to phishing attacks, in this case access is believed to have been gained by another means. The employee concerned had recently travelled overseas on a medical mission. The email credentials were obtained by the unauthorized individual while the employee was away on the trip.

Login credentials can easily be intercepted when connecting to unsecured public Wi-Fi networks, or if a connection is made to a rogue Wi-Fi hotspot.

Any healthcare organization that permits employees to take devices containing PHI overseas, or allows workers to access protected health information remotely, should ensure employees undergo security awareness training and are made aware of the risks of connecting to public Wi-Fi networks.

Policies should also be created that require those employees to only connect to the Internet via a virtual private network (VPN). It is also important to ensure VPN software is kept up to date and it is advisable to implement a web filtering solution to protect workers when not on the corporate network.


Children’s Mercy Hospital Sued for 63,000-Record Data Breach

Legal action has been taken over a phishing attack on Children’s Mercy that resulted in the theft of 63,049 patients’ protected health information.

In total, five email accounts were compromised between December 2017 and January 2018. On December 2, 2017, two email accounts were discovered to have been accessed by an unauthorized individual as a result of employees responding to phishing emails. Links in the emails directed the employees to a website where they were fooled into disclosing their email account credentials. Two weeks later, two more email accounts were compromised in a similar attack, with a fifth and final account compromised in early January.

The mailboxes of four of the compromised accounts were downloaded by the attacker, resulting in the unauthorized disclosure of patients’ protected health information. Patients were notified of the breach via a substitute breach notice on the Children’s Mercy website, and notification letters were sent by mail. Due to the number of people impacted, the letters were sent out in batches. According to a recent article in the Kansas City Star, some patients have only just been notified that their PHI was stolen.

In addition to the phishing attack, Children’s Mercy Hospital reported a further breach of 1,463 patients’ PHI to the Department of Health and Human Services’ Office for Civil Rights on June 27, 2018 – an unauthorized access/disclosure incident. That incident related to the interception of unencrypted pages sent by physicians at the hospital. The pages were viewed by a radio hobbyist using an antenna and a software-defined radio (SDR) on a laptop computer. Children’s Mercy was not the only hospital affected by that incident.

An unauthorized access/disclosure incident was also reported to OCR by Children’s Mercy Hospital on May 19, 2017. That incident impacted 5,511 patients. In that case, PHI had been uploaded to a website by a physician. The website was unauthorized and lacked appropriate security controls.

Earlier this week, Kansas City law firm McShane and Brady filed a class action lawsuit over the phishing incident. In the lawsuit it is claimed that Children’s Mercy violated Missouri law and breached its fiduciary duty to patients.

“Patients trust health care providers with our medical information and when that is released without our authorization, they’re breaking our trust and breaching what we’ve asked them to do,” said Maureen Brady, partner at McShane and Brady. “When we pay them for our treatment, part of that price point goes to training and computer software and records maintenance and making sure our privacy is kept.”

While the lawsuit seeks damages for all patients impacted by the breach, those damages have not been stated in the lawsuit.

This is not the first time that legal action has been taken against Children’s Mercy Hospital over a privacy breach, and neither is it the first time McShane and Brady has sued the hospital. The law firm also filed a class action lawsuit over the 5,511-record breach in 2017.

There is no private cause of action in HIPAA, so it is not possible for patients to take legal action for the exposure of protected health information as a result of a HIPAA violation, although it is possible to sue healthcare providers over violations of state laws.


UMC Physicians Discovers Hacker Accessed PHI of Up to 18,000 Patients

A summary of hacking incidents and employee data breaches recently discovered by healthcare organizations.

Hacked Email Account Contained PHI of 18,000 UMC Physicians’ Patients

UMC Physicians in Texas is notifying approximately 18,000 patients that some of their protected health information has been exposed as a result of the hacking of a physician’s email account. The breach occurred on March 15, 2018, although it was not discovered by the UMC Physicians’ IT team until May 18, giving the hacker two months to access the data stored in the account.

While the investigation did not uncover any evidence of actual or attempted misuse of PHI, it was not possible to determine with a high degree of certainty that PHI had not been compromised. Consequently, all patients whose PHI was potentially accessed have been offered complimentary credit monitoring and identity theft protection services for 12 months.

An analysis of the email account revealed the following information was potentially viewed/obtained by the hacker: Patients’ full names, addresses, phone numbers, medical record numbers, diagnoses, Social Security numbers, birthdates, dates of service and health insurance information.

Steps have now been taken to strengthen security to prevent similar breaches from occurring in the future.

Former VCU Health System Employee Accessed PHI of 4,686 Patients Without Authorization

VCU Health System in Virginia has discovered one of its employees accessed the protected health information of thousands of patients without authorization. The data breach was discovered on May 9, 2018, when an unusual pattern of electronic medical record activity was discovered.

A full review of the employee’s EHR access logs confirmed the unauthorized accessing of patients’ health information. The employee joined VCU Health System on January 3, 2003 and was terminated for inappropriate PHI access on May 10, 2018. During that period, the protected health information of 4,686 patients was accessed with no legitimate work reason for doing so.

The types of information the employee was able to view included patients’ names, addresses, birthdates, medical record numbers, healthcare providers, health insurance information, visit dates, and medical information. Some patients’ Social Security numbers may also have been viewed.

VCU Health System does not believe the records were accessed with any malicious intent, only out of curiosity. Patients whose Social Security numbers were potentially viewed have been offered 12 months of credit monitoring and identity theft protection services without charge.

HIPAA requires healthcare organizations to conduct periodic reviews of EHR access logs. It is therefore unclear why it took so long for the unauthorized access to be discovered.
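The kind of access-log review described above can be automated. The following is an added example, not VCU Health System’s tooling or any EHR vendor’s API: it runs two simple checks over constructed EHR audit-log lines, flagging users who view far more distinct patient records than peers in the same role, and individual accesses to patients the user has no documented assignment to. The log format, the `ASSIGNMENTS` care-team mapping and the thresholds are assumptions chosen for illustration.

```python
"""Review constructed EHR access-log lines for unusual record-access patterns.

Added example. The CSV layout, the care-team mapping and the thresholds are
assumptions; a real review would feed in the EHR's own audit export.
"""
import csv
import io
from collections import defaultdict
from statistics import median

# Constructed sample log (not real data): timestamp,user,role,patient_id,action
SAMPLE_LOG = """timestamp,user,role,patient_id,action
2018-05-08T08:02:11,nurse01,nurse,P1001,VIEW
2018-05-08T08:15:40,nurse01,nurse,P1002,VIEW
2018-05-08T09:01:05,nurse02,nurse,P1003,VIEW
2018-05-08T09:20:19,nurse02,nurse,P1004,UPDATE
2018-05-08T09:22:33,nurse03,nurse,P1005,VIEW
2018-05-08T10:05:00,clerk07,clerk,P1001,VIEW
2018-05-08T10:05:30,clerk07,clerk,P1006,VIEW
2018-05-08T10:06:02,clerk07,clerk,P1007,VIEW
2018-05-08T10:06:40,clerk07,clerk,P1008,VIEW
2018-05-08T10:07:11,clerk07,clerk,P1009,VIEW
2018-05-08T10:07:55,clerk07,clerk,P1010,VIEW
2018-05-08T10:08:20,clerk07,clerk,P1011,VIEW
2018-05-08T10:08:51,clerk07,clerk,P1012,VIEW
2018-05-08T11:00:00,clerk08,clerk,P1013,VIEW
2018-05-08T11:30:00,clerk09,clerk,P1014,VIEW
"""

# Constructed care-team assignments: patients each user has a work reason to access
ASSIGNMENTS = {
    "nurse01": {"P1001", "P1002"},
    "nurse02": {"P1003", "P1004"},
    "nurse03": {"P1005"},
    "clerk07": {"P1001", "P1006"},
    "clerk08": {"P1013"},
    "clerk09": {"P1014"},
}


def parse_log(text):
    """Parse the CSV audit export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def distinct_patients_per_user(rows):
    """Count how many different patient records each user touched."""
    seen = defaultdict(set)
    for r in rows:
        seen[r["user"]].add(r["patient_id"])
    return {user: len(patients) for user, patients in seen.items()}


def volume_outliers(rows, ratio=3.0, minimum=5):
    """Users whose distinct-patient count is far above the median for their role.

    Returns {user: (count, role_median)} for every flagged user.
    """
    counts = distinct_patients_per_user(rows)
    role_of = {r["user"]: r["role"] for r in rows}
    by_role = defaultdict(list)
    for user, count in counts.items():
        by_role[role_of[user]].append(count)
    flagged = {}
    for user, count in counts.items():
        baseline = median(by_role[role_of[user]])
        if count >= minimum and count > ratio * baseline:
            flagged[user] = (count, baseline)
    return flagged


def unassigned_accesses(rows, assignments):
    """Accesses to patients the user is not assigned to (no documented work reason)."""
    return [
        (r["timestamp"], r["user"], r["patient_id"], r["action"])
        for r in rows
        if r["patient_id"] not in assignments.get(r["user"], set())
    ]


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    for user, (count, baseline) in volume_outliers(rows).items():
        print(f"volume outlier: {user} viewed {count} patients (role median {baseline})")
    for ts, user, patient, action in unassigned_accesses(rows, ASSIGNMENTS):
        print(f"unassigned access: {ts} {user} {action} {patient}")
```

Both checks are deliberately simple so that the output is explainable to a privacy officer: the volume check surfaces the "curiosity" browsing pattern without needing any patient relationship data, while the assignment check catches low-volume snooping that a volume threshold would miss. In practice the review would run on a schedule (monthly at minimum) against the EHR's own audit export, which is what shortens the window between first unauthorized access and discovery.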

MSK Group Informs Patients of PHI Breach

MSK Group, an integrated orthopaedic practice in Tennessee that includes Tabor Orthopedics, OrthoMemphis, and Memphis Orthopaedic Group, has discovered a hacker gained access to its systems and intermittently accessed its network over a period of several months.

The breach was detected on May 7, 2018 when the IT team investigated a security event. Third-party information security consultants were hired to conduct a forensic investigation and assess and mitigate the breach. That investigation did not uncover evidence to suggest any information was stolen by the hacker, although the consultants were able to confirm that access was gained to certain parts of the network that contained the protected health information of patients.

The types of information that could potentially have been accessed included patients’ names, addresses, contact telephone numbers, fax numbers, email addresses, dates of birth, photographs, diagnostic images, driver’s license numbers, Social Security numbers, and medical record information.

Breach notification letters were sent on July 9, and all patients affected have been offered 12 months of complimentary credit monitoring and identity theft protection services. MSK Group has not disclosed how many patients have been affected.

MSK Group is continuing to work with the security consultants who are helping to strengthen security on its network.


Health Information of Thousands of HIV Patients Exposed by Employee Error

An error by an employee of Metro Health has resulted in the exposure of highly sensitive information of patients diagnosed with HIV or AIDS, according to a recent report in the Tennessean.

The information was stored in a database which had been copied by the employee onto a server that was accessible by all employees in the Nashville Metro Public Health Department, even though the vast majority of those individuals were not authorized to access the information. The database was only supposed to be accessed by three government scientists.

The database was present on the server for nine months before the file was found by an employee and Metro Health officials were notified. During the time that the file was on the server, more than 500 employees could potentially have accessed the database.

The database contained information such as names, addresses, lab test results, HIV diagnoses, drug usage, sexual orientation, birth dates, and Social Security numbers. The data came from the Enhanced HIV/AIDS Reporting System – a national database that includes details of patients with HIV and AIDS going back to 1983, although the data was limited to individuals from 12 middle Tennessee counties.

The file was discovered on the server two months ago, prompting an investigation into how the file came to be on the server and whether any sensitive information had been viewed by staff. Some evidence was obtained to suggest the file had not been accessed during the time it was accessible; however, it was not possible to rule out data access with total certainty.

The file’s metadata showed it had not been modified since it was copied to the server. A server auditing feature that would have allowed Metro Health to determine whether the file had been accessed should have been active, but it had not been enabled.

Without that feature, it would have been possible for the database to have been copied without leaving any trace that data had been stolen. The information could, for instance, have been copied onto a portable storage device by an employee.

According to a statement provided to the Tennessean, the file was copied onto the server by an employee to allow the data to be accessed by an epidemiologist, although the file was never opened.

The employee responsible for copying the file has not faced disciplinary action as the file was not moved with malicious intent. That individual has been provided with further training. Additional security controls have now been implemented to prevent similar incidents from occurring in the future.

The incident was reported to the Tennessee Department of Health, although not to the Department of Health and Human Services’ Office for Civil Rights (OCR) as Metro Health did not consider this to be a violation of HIPAA.

Consequently, patients whose PHI was exposed have not been individually notified. Larry Frampton, public policy director at Nashville CARES, has filed a complaint with OCR over the potential privacy breach requesting the incident be investigated.


Healthcare Data Breach Costs Highest of Any Industry at $408 Per Record

A recent study conducted by the Ponemon Institute on behalf of IBM Security has revealed the hidden cost of data breaches, and for the first time, the cost of mitigating 1 million-record+ data breaches.

The study provides insights into the costs of resolving data breaches and the full financial impact on organizations’ bottom lines. For the global study, 477 organizations were recruited and more than 2,200 individuals were interviewed about the data breaches experienced at their organizations and the associated costs. The breach costs were calculated using the activity-based costing (ABC) methodology. The average number of records exposed or stolen in the breaches assessed in the study was 24,615 globally and 31,465 in the United States.

Last year, the Annual Cost of a Data Breach Study by the Ponemon Institute/IBM Security revealed the cost of breaches had fallen year over year to $3.62 million. The 2018 study, conducted between February 2017 and April 2018, showed data breach costs have risen once again.

The average cost of a data breach is now $3.86 million – an annual increase of 6.4%. The per capita cost of a data breach has risen by 4.8%, from $141 per record in 2017 to $148 per record in 2018.

Data breaches are costlier to resolve in the United States, where the average cost was $7.91 million. The cost of a data breach also varies considerably between industry sectors. The highest data breach resolution costs are for healthcare data breaches, which typically cost an average of $408 per record. This is considerably higher than financial services data breaches in second place, which cost an average of $206 per record. The lowest costs were in the public sector, with costs of $75 per record.

The type of breach has a bearing on the cost. Cyberattacks by malicious insiders and criminals cost an average of $157 per record, system glitches cost an average of $131 per record to resolve, while breaches caused by human error cost an average of $128 to resolve.

The mean time to identify a breach was 197 days and the mean time to contain a breach was 69 days. The time taken to identify and contain breaches both increased in the past year, which has been attributed to an increase in the severity of cyberattacks in this year’s sample.

Suffering one breach is bad enough, although many companies experience multiple breaches. IBM determined that companies that experience a data breach have a 27.9% chance of experiencing a second material breach within two years.

The Cost of Mega Data Breaches

For the first time, Ponemon/IBM analyzed the costs of mega data breaches, which are data breaches that have resulted in the theft or exposure of more than 1 million records. The number of mega data breaches experienced has nearly doubled in the past five years from 9 in 2013 to 16 in 2017.

The average time to detect and contain these mega data breaches was 365 days – almost 100 days longer than smaller data breaches which took an average of 266 days to detect and contain.

These mega data breaches can prove to be incredibly costly to resolve. The average cost of a mega data breach involving 1 million records is $40 million. That figure rises to an average of $350 million for a breach involving the exposure/theft of 50 million records. The biggest cost of these mega data breaches is loss of customers, typically costing $118 million for a 50-million record breach.

For the study, the costs of breach mitigation were divided into four areas: detection and escalation, notification, post-data-breach response, and lost business cost. The costs for mega data breaches are detailed in the table below:


Source: IBM Security

Factors that Affect the Cost of a Data Breach

As with previous studies, Ponemon/IBM identified several factors that can have an impact on the cost of data breaches.

“Knowing where the costs lie, and how to reduce them, can help companies invest their resources more strategically and lower the huge financial risks at stake,” said Wendi Whitmore, Global Lead for IBM X-Force Incident Response and Intelligence Services (IRIS).

The time taken to identify and contain a breach has a significant bearing on cost. When companies can contain a breach within 30 days they typically save around $1 million in breach resolution costs. Companies that identified and contained a breach within 100 days spent around $1 million less than those that took longer than 100 days.

The most important factor affecting the cost of a data breach is having an incident response team in place, which reduces the breach cost by an average of $14 per compromised record. In second place is the widespread use of encryption, which reduces the cost of a data breach by $13 per record.

Business continuity management reduced the per capita cost by $9.3 as did employee training. Participation in threat sharing reduced the per capita cost by $8.7 and use of an artificial intelligence cybersecurity platform reduced the cost by $8.2.

One of the biggest costs following a data breach is loss of customers. All businesses experience churn following a breach, although steps can be taken to reduce it. Organizations that implement programs to preserve trust and loyalty before a breach experience lower churn rates, as do companies that have a Chief Privacy Officer (CPO) or Chief Information Security Officer (CISO) to direct initiatives to improve customer trust in the guardianship of personal information. When businesses offer identity theft protection and credit monitoring services to breach victims, churn is also reduced.

Companies that lost 1% of their customers as a result of a breach had an average total cost of $2.8 million, whereas a loss of 4% or more customers saw breach costs rise to an average of $6 million – a difference of $3.2 million.

When companies employ security automation the cost of data breaches falls to $2.88 million per breach, although without any security automation the average breach cost is $4.43 million – a difference of $1.55 million per breach.

The main factor that increases the cost of a data breach is third-party involvement, which adds $13.4 per record. If a company is undergoing a major cloud migration at the time of the breach, the cost increases by $11.9 per record. Compliance failures also increase the breach cost by $11.9 per record.

Extensive use of mobile platforms increases the breach cost by $10 per record while companies that extensively use IoT devices add $5.4 per record to data breach costs.

While breach victims need to be notified as soon as possible, rushing to issue breach notifications before all the facts have been obtained increases the cost of the data breach by $4.9 per record.

The 2018 Cost of a Data Breach Study can be viewed on this link.


MedEvolve Notifies Patients of PHI Exposure Through Unsecured FTP Server

MedEvolve, a provider of electronic billing and record services to healthcare providers, has announced that an FTP server used by the firm had been left unsecured between March 29, 2018 and May 4, 2018.

The FTP server contained a file that included the protected health information of patients. On March 29, the day that the protection was removed, the file was accessed by an unauthorized individual. MedEvolve discovered the breach on May 11, 2018.

According to the breach notice submitted to the California Attorney General, the file contained the data of patients of Premier Immediate Medical Care.

MedEvolve did not mention in the breach notice how many patients had been affected, and the incident has yet to appear on the Department of Health and Human Services’ Breach Portal. However, in May, databreaches.net was alerted to the exposure of data by a security researcher who discovered the unprotected FTP server. According to the report, the file contained approximately 205,000 lines of patient data, each corresponding to a different patient. More than 11,000 Social Security numbers were included in the data.

Patient information from a second client, Beverly L. Held, M.D., a Corpus Christi dermatologist, was also present on the server in three separate .dat files, according to the databreaches.net report. Those files allegedly included an estimated 12,000 Social Security numbers. No mention of this client was made in the MedEvolve breach notice.

MedEvolve explained in its breach notice that names, billing addresses, telephone numbers, health insurer names, health insurance numbers, and Social Security numbers were present in the file. No financial data, treatment information or health data were exposed.

MedEvolve said that upon discovery of the breach, the FTP server was secured to prevent any further unauthorized access and a third-party forensic investigator was hired to conduct a full investigation. The investigation into the breach is ongoing and further security controls are being implemented to enhance the privacy and security of its information systems.

Due to the sensitive nature of the data that were exposed, MedEvolve is offering affected patients 24 months of complimentary credit monitoring services through myTrueIdentity, which includes up to $1,000,000 of identity theft insurance.


Cass Regional Medical Center EHR Out of Action Due to Ransomware Attack

Around 11am on Monday July 9, Cass Regional Medical Center in Harrisonville, MO, experienced a ransomware attack that affected its communication system and prevented staff from accessing its electronic medical record (EHR) system.

The medical center had policies in place for such an emergency situation. Its incident response protocol was initiated within 30 minutes of the discovery of the attack and staff met to develop detailed plans to minimize the impact to patients.

Ransomware attacks typically do not involve the attackers gaining access to data, although as a precaution, its EHR vendor – Meditech – shut down the EHR system while the attack was investigated and remediated. At this stage, no evidence has been uncovered to suggest patient data have been accessed.

As an additional precautionary measure, ambulances for trauma and stroke have been redirected to other medical facilities. Without access to the EHR system, staff resorted to pen and paper while its IT staff worked to decrypt data and bring its systems back online. A leading international forensics firm was called in to assist with the remediation of the attack and on July 10, one day after the attack, around 50% of the encrypted files had been restored.

The type of ransomware used in the attack has not been disclosed and it is currently unclear exactly how the ransomware was installed on its systems. It is unknown whether the ransom was paid to obtain the keys to unlock the encryption or if files are being recovered from backups.

The EHR system remains offline while the investigation into the security breach is conducted. The third-party forensics firm will determine whether any patient data were accessed by the attackers prior to the system being brought back online. Cass Regional Medical Center expects the system to be brought back online within 72 hours. At this stage, trauma and stroke patients are still being diverted to other facilities.

The fast response to the attack and the minimal disruption to medical services underscores just how important it is to plan for ransomware attacks and to develop incident response procedures that can be implemented as soon as an attack is detected. Without such plans in place, valuable time can be lost at the most critical stage of the incident response process.

“I am extremely proud of our staff for the manner in which they have rallied to make sure we can still take the very best care of our patients,” said Chris Lang, CEO, in a post on the Cass Regional Medical Center Facebook page. “It has not been easy, but their dedication and can-do attitude is inspiring.”
