HIPAA Breach News

July 2018 Healthcare Data Breach Report

July 2018 was the worst month of 2018 for healthcare data breaches by a considerable distance. There were 33 breaches reported in July – the same number of breaches as in June – although 543.6% more records were exposed in July than the previous month.

Healthcare Data Breaches by Month (Feb-July 2018)

The breaches reported in July 2018 impacted 2,292,552 patients and health plan members, which is 202,859 more records than were exposed in April, May, and July combined.

Healthcare Records Exposed by Month

A Bad Year for Patient Privacy

So far in 2018 there have been 221 data breaches of more than 500 records reported to the Department of Health and Human Services’ Office for Civil Rights. Those breaches have resulted in the protected health information of 6,112,867 individuals being exposed, stolen, or impermissibly disclosed.

To put that figure into perspective, it is 974,688 more records than were exposed in healthcare data breaches in all of 2017 and there are still five months left of 2018.

Largest Healthcare Data Breaches of 2018 (Jan-July)

Entity Name | Entity Type | Records Exposed | Breach Type
--- | --- | --- | ---
UnityPoint Health | Business Associate | 1,421,107 | Hacking/IT Incident
CA Department of Developmental Services | Health Plan | 582,174 | Theft
MSK Group | Healthcare Provider | 566,236 | Hacking/IT Incident
LifeBridge Health, Inc | Healthcare Provider | 538,127 | Hacking/IT Incident
SSM Health St. Mary’s Hospital – Jefferson City | Healthcare Provider | 301,000 | Improper Disposal
Oklahoma State University Center for Health Sciences | Healthcare Provider | 279,865 | Hacking/IT Incident
Med Associates, Inc. | Business Associate | 276,057 | Hacking/IT Incident
MedEvolve | Business Associate | 205,434 | Unauthorized Access/Disclosure
St. Peter’s Surgery & Endoscopy Center | Healthcare Provider | 134,512 | Hacking/IT Incident
Boys Town National Research Hospital | Healthcare Provider | 105,309 | Hacking/IT Incident

Causes of Healthcare Data Breaches in July 2018

Unauthorized access to PHI by employees and impermissible disclosures of PHI are commonplace in healthcare, although in July there was a major reduction in these types of breaches, which fell by 46.6% from July. There was also a significant drop in the number of incidents involving the loss or theft of unencrypted electronic devices and physical PHI, which fell 50% month over month.

Causes of Healthcare Data Breaches July 2018

Hacking incidents, ransomware attacks and other IT incidents such as malware infections and phishing attacks significantly increased in July. There were 66.7% more hacking/IT incidents than June. Hacking/IT incidents also resulted in the exposure of more healthcare records than all other types of breaches combined.

Healthcare Records Exposed by Breach Type (July 2018)

7 of the top 15 data breaches (46.7%) in July were phishing attacks, two were ransomware attacks, three were failures to secure electronic PHI and two were improper disposal incidents involving physical PHI. The improper disposal incidents were the second biggest cause of exposed PHI, largely due to the 301,000-record breach at SSM Health. In that breach, physical records were left behind when St. Mary’s Hospital moved to a new location.

In July, more healthcare records were exposed through phishing attacks than through any other breach cause. The phishing incidents resulted in the exposure and possible theft of more than 1.6 million healthcare records.

Largest Healthcare Data Breaches in July 2018

In July, there were 12 healthcare data breaches of more than 10,000 records and four breaches impacted more than 100,000 individuals. There were 14 breaches of between 1,000 and 9,999 records and 7 breaches of between 500 and 999 records. Four of the ten largest healthcare data breaches of 2018 were reported in July.

The largest healthcare data breach of July, and the largest breach of 2018 to date, was a phishing attack on Iowa Health System doing business as UnityPoint Health.

The threat actor responsible for the UnityPoint Health phishing attack spoofed an executive’s email account and sent messages to UnityPoint Health employees. Several members of staff were fooled by the emails and disclosed their login credentials giving the attacker access to their email accounts. Those email accounts contained the protected health information of more than 1.4 million patients.

Four of the ten largest healthcare data breaches of 2018 were reported in July.

Entity Name | Entity Type | Records Exposed | Breach Type
--- | --- | --- | ---
UnityPoint Health | Business Associate | 1,421,107 | Hacking/IT Incident
SSM Health St. Mary’s Hospital – Jefferson City | Healthcare Provider | 301,000 | Improper Disposal
MedEvolve | Business Associate | 205,434 | Unauthorized Access/Disclosure
Boys Town National Research Hospital | Healthcare Provider | 105,309 | Hacking/IT Incident
Blue Springs Family Care, P.C. | Healthcare Provider | 44,979 | Hacking/IT Incident
Golden Heart Administrative Professionals | Business Associate | 44,600 | Hacking/IT Incident
Confluence Health | Healthcare Provider | 33,821 | Hacking/IT Incident
NorthStar Anesthesia | Healthcare Provider | 19,807 | Hacking/IT Incident
Orlando Orthopaedic Center | Healthcare Provider | 19,101 | Unauthorized Access/Disclosure
New England Dermatology, P.C. | Healthcare Provider | 16,154 | Improper Disposal
MedSpring of Texas, PA | Healthcare Provider | 13,034 | Hacking/IT Incident
Longwood Orthopedic Associates, Inc. | Healthcare Provider | 10,000 | Unauthorized Access/Disclosure

Location of Breached PHI

Unsurprisingly, given the high number of successful phishing attacks in July, email-related breaches dominated the breach reports, and email was the main location of breached PHI, as has been the case in March, April, May and June. There were seven network server breaches in July, which were a combination of ransomware attacks, accidental removal of security protections, malware infections, and hacking incidents.

Location of Breached PHI (July 2018)

Data Breaches by Covered Entity Type

Healthcare providers were hit the hardest in July with 28 breaches reported by providers. Only two health plans reported data breaches in July. Three business associates reported breaches, although nine reported data breaches had at least some business associate involvement.

July 2018 Healthcare Data Breaches by Covered Entity

Healthcare Data Breaches by State

Healthcare organizations based in 22 states reported data breaches in July. California usually tops the list for the most data breaches each month due to the number of healthcare organizations based in the state, although in July it was Florida and Massachusetts that had the most breaches, with three apiece.

Alaska, Missouri, New York, Pennsylvania, Texas, Virginia, and Washington each had two breaches reported, and there was one breach reported in each of Arkansas, California, Colorado, Idaho, Indiana, Illinois, Maryland, Michigan, Montana, Nebraska, New Jersey, New Mexico, and Tennessee.

The post July 2018 Healthcare Data Breach Report appeared first on HIPAA Journal.

Central Colorado Dermatology Ransomware Attack Potentially Resulted in PHI Access

Central Colorado Dermatology (CCD) has notified more than 4,000 patients that some of their protected health information (PHI) has potentially been accessed by hackers during a ransomware attack on its computer network.

An unauthorized individual gained access to CCD’s computer network and deployed ransomware on a server. Medical records and patients’ medical charts were not accessed, although certain files and scanned fax communications were encrypted. Some of those files contained PHI.

An investigation was launched to determine whether protected health information was accessed or stolen although it was not possible to determine with a high degree of certainty whether any PHI was viewed or copied. CCD did not uncover any evidence to suggest that PHI had been accessed or stolen, although some of the software that had been installed on its network could have allowed files to be downloaded.

The files that could have been accessed included the following information: names, addresses, contact telephone numbers, dates of birth, email addresses, insurance information, Social Security numbers, insurance payment codes and costs, dates of service, clinical information, medical conditions, diagnoses, treatment information, lab test results, diagnostic studies, copies of CCD reports and notes, and information sent to CCD from other healthcare providers by fax.

The investigation determined that remote access was gained to a single server on June 5, 2018 and ransomware was deployed the same day.

Upon discovery of the attack, steps were taken to secure the network and block remote access and a cybersecurity firm was retained to investigate the attack. After systems were secured and the malicious software was removed, the cybersecurity firm continued to monitor the network for several weeks to ensure that no further attempts were made to access the system. During that time, no further intrusions were detected and no suspicious network activity was identified.

In response to the attack, CCD has changed its password requirements and how its network can be accessed, new anti-virus software has been installed, and further upgrades to system security have been made. That process is continuing, guided by IT security specialists. Changes have also been made to its fax software to ensure that digital copies of faxes are not automatically stored on its network.

Because unauthorized PHI access and theft of files could not be ruled out, notification letters were sent to all 4,065 patients whose PHI could potentially have been accessed. All patients affected by the breach have been offered one year of credit monitoring services.


Phishing Attack on Legacy Health Results In Exposure of 38,000 Patients’ PHI

Legacy Health has discovered an unauthorized individual has gained access to its email system and the protected health information (PHI) of approximately 38,000 patients.

The Portland, OR-based health system operates two regional hospitals, four community hospitals, and 70 clinics in Oregon, Southwest Washington, and the Mid-Willamette Valley, and is the second largest health system in the Portland Metro Area.

The data breach was discovered on June 21, 2018, although the email accounts were first accessed by an unauthorized individual in May. Legacy Health determined that access was gained to the email accounts as a result of employees being duped by phishing emails.

Email breaches can take a considerable amount of time to investigate. While tools are available to scan email accounts for protected health information, many of the emails in compromised accounts need to be individually checked, which can involve manual review of hundreds of thousands of messages. According to Legacy Health spokesperson Kelly Love, “We’ve been moving at as fast a pace as we can to be thorough and clear.”
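The paragraph above explains why email breach investigations take so long: automated scanning can confirm PHI where a structured identifier is present, but messages that merely discuss a patient still need a human to read them. The triage script below is an added example (not Legacy Health's tooling or any vendor's product) that shows that split on a few constructed messages: messages with a Social Security number, a date of birth or a medical record number are marked as confirmed PHI, messages with clinical vocabulary but no identifier are queued for manual review, and the rest are set aside. The MRN format and the clinical term list are assumptions for the example.

```python
"""Triage a mailbox export into confirmed-PHI, manual-review and no-indicator
buckets. Added example; the regexes and term list are assumptions, not a
standard, and the messages below are constructed sample data."""
import re

# US SSN with the invalid area/group/serial ranges excluded.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# A date of birth introduced by a label, e.g. "DOB 04/12/1970".
DOB_RE = re.compile(r"\b(?:DOB|date of birth)\b[:\s]*\d{1,2}/\d{1,2}/\d{2,4}", re.I)
# Assumed local medical record number format: "MRN" followed by 6-10 digits.
MRN_RE = re.compile(r"\bMRN[:\s#]*\d{6,10}\b", re.I)
# Vocabulary that suggests a clinical discussion without a hard identifier.
CLINICAL_TERMS = ("diagnosis", "diagnosed", "lab result", "prescription",
                  "treatment", "patient")

# Constructed sample messages in the shape a mailbox export might produce.
SAMPLE_MESSAGES = [
    {"id": 1, "subject": "Referral",
     "body": "Patient John Doe, DOB 04/12/1970, SSN 123-45-6789, needs follow-up."},
    {"id": 2, "subject": "Lunch", "body": "Cafeteria menu for Friday is attached."},
    {"id": 3, "subject": "Re: care plan",
     "body": "Discussed treatment options with the patient's family; see attached chart."},
    {"id": 4, "subject": "Lab", "body": "MRN 00123456 lab result attached."},
]


def classify_message(subject, body):
    """Return (label, identifier_hits, clinical_terms_found) for one message."""
    text = subject + "\n" + body
    hits = {
        "ssn": len(SSN_RE.findall(text)),
        "dob": len(DOB_RE.findall(text)),
        "mrn": len(MRN_RE.findall(text)),
    }
    terms = [t for t in CLINICAL_TERMS if t in text.lower()]
    if any(hits.values()):
        return "phi_confirmed", hits, terms   # identifier present: no human needed
    if terms:
        return "manual_review", hits, terms   # clinical context only: read it
    return "no_indicators", hits, terms


def triage_mailbox(messages):
    """Group message ids by triage label, preserving export order."""
    summary = {"phi_confirmed": [], "manual_review": [], "no_indicators": []}
    for m in messages:
        label, _hits, _terms = classify_message(m["subject"], m["body"])
        summary[label].append(m["id"])
    return summary


if __name__ == "__main__":
    for label, ids in triage_mailbox(SAMPLE_MESSAGES).items():
        print(f"{label}: {ids}")
```

The manual-review bucket is the part that scales with mailbox size: on a real export it is the set of messages the scanner could neither clear nor confirm, and every one of them still has to be read to decide whether an individual needs a notification letter.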

To speed up the investigation, Legacy Health retained a leading computer forensics firm to investigate and assist with the breach response. That investigation revealed that information such as names, birth dates, health insurance details, medical information relating to care provided at Legacy Health facilities, billing information, driver’s license numbers and Social Security numbers may all have been accessed. Legacy Health is not aware of any patient information being misused.

Notifications were sent to affected individuals on August 20 and all patients whose driver’s license number or Social Security number was exposed have been offered credit monitoring services for 12 months without charge.

A media notice was provided to The Oregonian and the Department of Health and Human Services has been notified inside the 60-day window permitted by the HIPAA Breach Notification Rule. Steps are also being taken to improve email security and prevent any further breaches of PHI.


9,350 Patients of Gordon Schanzlin New Vision Institute Notified of Data Breach

The Gordon Schanzlin New Vision Institute in La Jolla, CA, is alerting thousands of patients that their medical records may have been stolen after files containing protected health information were discovered in the possession of an individual unauthorized to hold the information.

The data breach came to light following an investigation conducted by the U.S. Postal Inspection Service. A raid was conducted on a property in Southern California and a box of medical records was discovered in the property.

The files contained information such as names, dates of service, addresses, health insurance information, Social Security numbers, and health and clinical information.

Gordon Schanzlin was notified of the discovery on June 15, 2018, and an internal investigation was immediately launched to determine the nature and scope of the breach and how the medical records had been stolen.

While it could not be confirmed with 100% certainty, Gordon Schanzlin believes the medical records were part of a batch of files that were stolen from a storage unit that was broken into in October 2017.

The boxes in the storage unit contained the medical records of 9,351 patients. While only a small number of files were recovered following the raid, Gordon Schanzlin took the decision to notify all 9,351 patients about the discovery out of an abundance of caution.

Due to the sensitive nature of data in the files, and the potential for the information to be used for identity theft and fraud, Gordon Schanzlin is offering all patients potentially affected by the breach one year of credit monitoring services through Experian. Those services are provided at no cost to patients. Breach notification letters were mailed on August 14, 2018.

In response to the breach, staff have received additional training and additional safeguards are being implemented to better protect all stored protected health information.


Court Approves Anthem $115 Million Data Breach Settlement

The $115 million settlement proposed by Anthem Inc. in 2017 to resolve the class action lawsuits filed by victims of its 78.8 million-record data breach in 2015 received final approval on Thursday, August 16.

The Anthem cyberattack resulted in plan members’ names, dates of birth, health insurance information, Social Security numbers and other data elements being stolen by cybercriminals. Several class-action lawsuits were filed in the wake of the breach, which were consolidated into a single lawsuit by the Judicial Panel on Multidistrict Litigation in June 2015. The case was assigned to the U.S. District Court for the Northern District of California, where a large proportion of the class members reside.

While 78.8 million individuals had protected health information (PHI) exposed when Anthem’s network was hacked, there are only 19.1 million members of the class action lawsuit, all of whom were able to demonstrate that their personal information was stored in the data center that was attacked by hackers.

Following the data breach, Anthem offered breach victims 24 months of credit monitoring services without charge; however, many class members personally paid for credit monitoring and identity theft protection services and incurred other out-of-pocket expenses as a result of the breach. “The settlement provides the class with a timely, certain, and meaningful recovery,” said Judge Koh. Had the settlement been rejected, not only would the litigation have come at a considerable cost, there would have been no guarantee that it would succeed, and even a successful outcome would have substantially delayed any payment to class members to cover costs associated with the breach.

Some of the class members believe the settlement is insufficient and that it has not sufficiently punished Anthem, although U.S. District Judge Lucy H. Koh believes the settlement is “fair, reasonable, and adequate”. While several objections were received, Judge Koh determined that none of them were valid.

Under the settlement, Anthem has paid for two years of credit monitoring services. This is in addition to the credit monitoring services previously offered by Anthem. Class members who do not have credit monitoring services in place will be able to sign up by submitting a straightforward form. Class members who have already signed up for credit monitoring services can claim a cash payment as an alternative, provided they supply proof of their current credit monitoring services. The fund is sufficient to allow each class member who has submitted a claim to receive a maximum payment of $50 as a cash alternative.

The settlement also includes a fund of $15 million for individuals who have already incurred out-of-pocket expenses as a result of the data breach. So far, only around 1.33 million individuals have submitted a claim. The settlement allows claims of up to $10,000 per individual to reimburse out-of-pocket expenses.

Anthem has also agreed to implement additional security controls to ensure sensitive information is better protected in the future, including the use of encryption for data at rest and enhancements to its data security procedures.


InterAct of Michigan Discovers Email Account Compromise

InterAct of Michigan, a provider of mental health and substance abuse treatments through clinics in Kalamazoo and Grand Rapids, has discovered an unauthorized individual has gained access to the email account of an employee and potentially viewed and copied the protected health information of 1,290 patients.

The attack was discovered on June 8, 2018, prompting a thorough investigation to determine the nature and scope of the breach. Access to the compromised account was terminated immediately, an internal investigation was launched, and a leading computer forensics company was retained to assist with the investigation.

On July 30, 2018, InterAct of Michigan determined that the protected health information of certain patients had potentially been accessed. The information was present in emails and email attachments in the compromised account. The exposed PHI included clients’ names and Social Security numbers. For some patients, date of birth, prescription details, and treatment history may also have been accessed.

Due to the sensitive nature of the information that was compromised, all affected patients have been offered complimentary identity theft protection services for 12 months.

On August 7, 2018, notifications were mailed to affected individuals and Department of Health and Human Services’ Office for Civil Rights was notified of the breach.

InterAct of Michigan has taken steps to improve security to prevent further breaches and ensure that in the event of a further email account compromise, the breach will be detected much more rapidly.

Email access logs are now being reviewed on a weekly basis to identify any suspicious behavior, and inbox rules created by individual users are similarly being monitored. A rule has also been set up that prevents the forwarding of emails to external email accounts, which suggests the threat actor responsible for this attack may have created such an auto-forwarding rule on the compromised account.
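The three controls just described (weekly review of sign-in logs, monitoring of per-user inbox rules, and a block on forwarding to external addresses) can all be checked from routine exports. The script below is an added example, not InterAct of Michigan's tooling: it flags inbox rules whose forwarding target is outside an assumed organisation domain, and flags successful sign-ins that either come from a country outside the user's baseline or follow a run of failed attempts from the same address. The log line format, the organisation domain, the per-user baseline and all records are constructed for the example.

```python
"""Review checks for mailbox forwarding rules and sign-in logs. Added example;
the record shapes, the organisation domain and the baseline are assumptions,
and every record below is constructed sample data."""
import ipaddress
from collections import defaultdict

ORG_DOMAIN = "example-clinic.org"  # assumed organisation mail domain

# Constructed inbox rules in the shape an admin export might produce.
INBOX_RULES = [
    {"user": "jsmith", "name": "Keep newsletters",
     "forward_to": None},
    {"user": "jsmith", "name": "Copy to self",
     "forward_to": "jsmith@example-clinic.org"},
    {"user": "alee", "name": "Invoices",
     "forward_to": "billing-archive@gmail.example"},
]

# Constructed sign-in log: timestamp user source_ip country result
ACCESS_LOG = """\
2018-06-01T08:02:11Z jsmith 203.0.113.5 US success
2018-06-01T08:30:45Z alee 198.51.100.7 US success
2018-06-02T03:14:09Z alee 192.0.2.44 NG failure
2018-06-02T03:14:31Z alee 192.0.2.44 NG failure
2018-06-02T03:15:02Z alee 192.0.2.44 NG success
"""

# Assumed per-user baseline of countries seen in normal use.
KNOWN_COUNTRIES = {"jsmith": {"US"}, "alee": {"US"}}


def external_forwarding_rules(rules, org_domain=ORG_DOMAIN):
    """Return the rules that forward mail to an address outside org_domain."""
    findings = []
    for rule in rules:
        target = rule.get("forward_to")
        if not target:
            continue  # rule does not forward anywhere
        domain = target.rsplit("@", 1)[-1].lower()
        if domain != org_domain.lower():
            findings.append({**rule, "reason": f"forwards outside {org_domain}"})
    return findings


def parse_access_log(text):
    """Parse whitespace-separated sign-in lines; rejects malformed IPs."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, country, result = line.split()
        ipaddress.ip_address(ip)  # raises ValueError on a malformed address
        events.append({"ts": ts, "user": user, "ip": ip,
                       "country": country, "result": result})
    return events


def suspicious_signins(events, known=KNOWN_COUNTRIES, failure_threshold=2):
    """Flag successful sign-ins from outside the user's baseline countries or
    preceded by failure_threshold or more failures from the same address."""
    failures = defaultdict(int)   # (user, ip) -> failed attempts so far
    findings = []
    for ev in events:
        key = (ev["user"], ev["ip"])
        if ev["result"] == "failure":
            failures[key] += 1
            continue
        reasons = []
        if ev["country"] not in known.get(ev["user"], set()):
            reasons.append(f"country {ev['country']} not in baseline")
        if failures[key] >= failure_threshold:
            reasons.append(f"{failures[key]} failures from {ev['ip']} preceded success")
        if reasons:
            findings.append({**ev, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in external_forwarding_rules(INBOX_RULES):
        print("rule:", f)
    for f in suspicious_signins(parse_access_log(ACCESS_LOG)):
        print("sign-in:", f)
```

On the sample data the rule check returns the one rule forwarding to a non-organisation domain, and the sign-in check returns the single successful login that followed two failures from an address in a country the user had never signed in from. A tenant-wide block on external forwarding, as the post describes, removes the first class of finding entirely; the sign-in review is what shortens the window between compromise and detection.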


258,000 Wisconsin Residents Notified of Adams County Government Data Breach

More than 258,000 people have had their personal health information, personal identification information and/or tax information exposed as a result of a data security incident in Adams County, Wisconsin.

A potential security breach was detected on March 28, 2018 after questionable activity was identified on the Adams County computer system and network. An investigation was launched to determine whether any sensitive data had been accessed and on June 29, a data breach was confirmed to have occurred.

Some evidence has been found that suggests PHI and PII have been accessed and potentially obtained by an unauthorized individual. 258,102 individuals have potentially been affected.

The exposed data were collected between January 1, 2013 and March 28, 2018 and were stored on the systems used by the departments of Health and Human Services, Child Support, Veteran Service Office, Extension Office, Adams County Employees, Solid Waste, and the Sheriff’s Office.

A criminal investigation has been launched into the breach and the suspect(s) have been prevented from accessing the entire Adams County network and accounts have been suspended pending a thorough investigation.

According to TV station WAOW, the prime suspect appears to be Adams County Clerk, Cindy Phillippi. Attempts are currently being made to have Phillippi removed from office.

A Verified Statement of Charges has been filed against Phillippi, who is suspected of installing a keylogger on the network – a form of malware that logs all keystrokes entered on computers to capture passwords and other sensitive information. The keylogger was installed on almost all computers owned by the county.

Phillippi has been accused of the unauthorized accessing of confidential computer records, opening unauthorized checking accounts, deleting records, accessing the Health and Human Services building without authorization, disclosing confidential information to a former employee, and misleading an investigation into her actions. Phillippi’s laptop has been seized and is being forensically examined. Phillippi has not yet been charged with any crimes.

Phillippi has denied most of the allegations and claims she asked to be given access to confidential records to investigate a suspected case of pornography access by a department head. She also claimed that she did not log in to the system and that other individuals had used her computer. The case is due to be heard by the Board of Supervisors on September 19.

Steps have already been taken to improve security and prevent any further breaches. The county has consulted with several different entities to identify possible vulnerabilities, security upgrades have been performed, and the County is working on enhancing its monitoring capabilities.

The County is currently investigating a long-term solution to improve security, although in the meantime software control mechanisms that had been manipulated have been disabled and administrative controls for system and data access have now been placed in the control of one individual.

Notifications will be sent to all individuals whose PHI, PII, or tax information was exposed in due course.


417,000 Individuals Affected by Augusta University Health Phishing Attack

A serious data breach has been reported by Augusta University Health that has impacted an estimated 417,000 individuals including patients, faculty members and a limited number of students.

Most of the patients affected by the breach had previously received medical services at Augusta University Medical Center or Children’s Hospital of Georgia, although patients from over 80 outpatient clinics in Georgia have also been affected and had their personally identifiable information (PII) and protected health information (PHI) exposed.

A wide range of PII and PHI was exposed, including names, addresses, dates of birth, lab test results, diagnoses, medications, treatment information, dates of service, medical record numbers, surgical information, and health insurance details. Augusta University Health said only a small percentage of individuals had a driver’s license number or Social Security number exposed. The PII and PHI were saved in emails and email attachments.

Augusta University Health said a data security incident was discovered on September 11, 2017 following a phishing attack on some of its employees. Some employees responded to the messages and disclosed their login credentials, allowing their accounts to be accessed remotely. In total, the email accounts of 24 university administration and faculty staff members were compromised.

Upon discovery of the attack, the email accounts were disabled to prevent data access and misuse of the accounts. The investigation showed the breach had occurred on the same day or on September 10. In addition to changing passwords on the accounts, affected accounts were monitored for any sign of suspicious activity.

Augusta University Health said in its substitute breach notice that it was notified on July 31, 2018 by external investigators that there had been a PHI/PII breach, more than 10 months after the breach was detected. The investigators had to manually sort through 364,000 emails and email attachments to determine whether they included any PII or PHI.

Breach notification letters are being sent to all individuals affected by the breach and by a second phishing attack that occurred on July 11, 2018. The second phishing attack is still under investigation, although it is not as severe. Free credit monitoring services are being offered to individuals whose Social Security number was exposed.

Even though the breach occurred in September 2017, no reports have been received by Augusta University Health to suggest that any PII or PHI has been misused. However, as a precaution, all individuals affected have been advised to carefully monitor their account statements and Explanation of Benefits statements for any sign of fraudulent activity.

These are not the only phishing incidents reported by Augusta University Health. In total, there have been four successful phishing attacks on Augusta University Health in the past two years. The previous two phishing attacks affected a total of approximately 10,300 individuals.


Lawmakers Accuse Oklahoma Department of Veteran Affairs of Violating HIPAA Rules

The Oklahoma Department of Veteran Affairs has been accused of violating Health Insurance Portability and Accountability Act (HIPAA) Rules by three Democrat lawmakers, who have also called for two top Oklahoma VA officials to be fired over the incident.

The alleged HIPAA violation occurred during a scheduled internet outage, during which VA medical aides were prevented from gaining access to veterans’ medical records. The outage had potential to cause major disruption and prevent “hundreds” of veterans from being issued with their medications. To avoid this, the Oklahoma Department of Veteran Affairs allowed medical aides to access electronic medical records using their personal smartphones.

In a letter to Oklahoma Governor Mary Fallin, Reps. Brian Renegar, Chuck Hoskin, and David Perryman called for the VA Executive Director Doug Elliot and the clinical compliance director Tina Williams to be fired over the alleged HIPAA violation.

They claimed Elliot and Williams “have little regard for, and knowledge of, health care,” and allowing medical aides to access electronic medical records via personal smartphones was “a direct violation of HIPAA” and potentially placed millions of dollars of federal funding in jeopardy.

State CISO Mark Gower is adamant that HIPAA Rules were not violated. He explained that only a limited number of medical aides were allowed to access electronic health records using their smartphones, and access was only granted for a limited period of time until the problem was resolved. Once the outage was over, access to medical records via smartphones was blocked. It was just a case of temporarily swapping a laptop or desktop computer for a smartphone.

Gower explained that accessing medical records using a smartphone did not result in medical records being copied to the devices. The medical records system does not create a cache or store any information locally. Gower also said that the records system and the smartphones met the VA’s security requirements.

The three lawmakers do not believe Gower’s explanation and claim that during the outage, employees at all seven of the state’s care centers were allowed to copy medical records onto their personal cellphones.

Doug Elliot said the medical aides were “the best and brightest” and that it was “Unfathomable that any of the med aides have disclosed that information to a third party.” He also said it was “unconscionable” for the legislators to suggest that VA employees had violated HIPAA Rules and patient privacy.

While Elliot does not believe the allegations have any merit, they are being taken seriously. Elliot has reported the matter to the state’s IT security team which will be conducting a full investigation. The Office of Management and Enterprise Services, which oversees IT for state agencies, is also looking into the allegations.

The legislators are not happy with the matter being investigated by a state agency and believe that this incident can only be impartially investigated by the federal government. The legislators have also reported the matter to the Department of Health and Human Services, the Department of Veteran Affairs, and U.S. Attorney Robert Troester.

“The federal government’s going to be the one to determine this, not some state agency helping another state agency wash their hands of what they did,” said Rep. Renegar.
