HIPAA Breach News

Former Arkansas Children’s Hospital Employee Investigated Over Potential Theft of 4,500 Patients’ PHI

A former employee of Arkansas Children’s Hospital is being investigated by law enforcement over the theft and misuse of patients’ protected health information. According to the breach notice submitted to the Department of Health and Human Services’ Office for Civil Rights, the former employee potentially viewed and copied the PHI of up to 4,521 patients.

That individual was employed at Arkansas Children’s Hospital for 15 months between November 7, 2016 and February 6, 2018. During that time the employee was provided with access to patient health information to perform essential functions of the job.

On May 9, 2018, law enforcement notified Arkansas Children’s Hospital that an investigation had been launched over the possible theft of patients’ Social Security numbers and personal information and the misuse of that information for personal gain.

Arkansas Children’s Hospital immediately launched an investigation to determine the types of information that were potentially accessed and whether patients’ PHI had been accessed without authorization. While that internal investigation confirmed the types of information that were potentially accessed, it was not possible to determine whether the information was accessed for work purposes or other reasons.

Consequently, the incident has been treated as a data breach and all patients have now been notified of the possible theft and misuse of their PHI. The types of information potentially stolen include full names, dates of birth, addresses, contact telephone numbers, Social Security numbers, health insurance information, charge amounts, descriptions of services received, and some clinical information.

As a precaution against identity theft and fraud, all 4,521 patients have been offered complimentary credit monitoring and identity theft protection services for 12 months. Patients have been advised to monitor their credit reports, financial statements, and Explanation of Benefits statements for any sign of fraudulent activity.

The employee has been terminated and Arkansas Children’s Hospital has now implemented additional hiring controls and has retrained its employees on internal policies and procedures and HIPAA Rules covering the accessing of patient information.

The post Former Arkansas Children’s Hospital Employee Investigated Over Potential Theft of 4,500 Patients’ PHI appeared first on HIPAA Journal.

PHI Stolen As a Result of Manitowoc County Phishing Attack

Manitowoc County in Wisconsin has announced that protected health information has been stolen as a result of a successful phishing attack. The incident occurred on or around January 14, 2018, although the attack and data breach were not discovered until April 24. While the account was immediately secured to prevent any further access, the attacker had well over two months to view and obtain sensitive data stored in the email account.

During the time that the attacker had email account access, emails sent to that account were diverted to a different email account to which Manitowoc County staff had no access. While County officials have not uncovered any evidence to suggest any of the information in the emails has been misused, they have similarly not been able to establish that sensitive data have not been misused or sold on.

The types of information that were stolen include names, telephone numbers, email addresses, addresses, and dates of birth. Individuals who received services through the County have also had their health information, insurance information, details of prescriptions, client ID numbers, diagnoses, and other treatment related information stolen by the attacker.

Manitowoc County has not publicly disclosed how many individuals have been impacted and the incident has yet to be listed on the Department of Health and Human Services’ Office for Civil Rights breach portal. However, Manitowoc County has now issued notifications to all individuals impacted by the phishing attack.

Breach victims have been warned that they should be alert to phishing emails that claim to be from Manitowoc County. County officials have confirmed that they will not send any emails or make calls to people impacted by this incident and request further personal information. Individuals impacted by the breach have also been told to be wary of any emails containing hyperlinks, to exercise caution opening any emails, and not to disclose sensitive information to individuals over the telephone.

The phishing attack has prompted the County to take further steps to enhance security controls and additional investments will be made in new protocols, technology and training to prevent further successful phishing attacks from occurring.


Sophisticated Cyber Spoofing Attack Reported by Humana

Humana is notifying members in several states that their PHI has potentially been accessed during a ‘sophisticated’ spoofing attack.

A spoofing attack is an attempt by a threat actor or bot to gain access to a system or data using stolen or spoofed login credentials. Humana became aware of the attack on June 3, when large numbers of failed login attempts were detected from foreign IP addresses. Prompt action was taken to block the attack, with the foreign IP addresses blocked from accessing its Humana.com and Go365.com websites on June 4.

Humana suggests “the nature of the attack and observed behaviors indicated the attacker had a large database of user identifiers (IDs).” It is possible the login credentials are old and that they were obtained in a separate third-party breach, although Humana notes that “the excessive number of log in failures strongly suggests the ID and password combinations did not originate from Humana.”

The website accounts did not contain Social Security numbers or financial information; however, the following types of information could potentially have been accessed by the attackers: details of medical, dental, and vision claims, provider name, dates of service, services performed, charge amounts, paid amounts, spending account information, balance information, wellness information, and biometric screening data.

Humana says it has not uncovered any evidence to suggest any members’ data were stolen in the attack; however, as a precaution, all members whose accounts could potentially have been accessed have been offered 12 months of credit monitoring and identity theft protection services through the Equifax Credit Watch Gold service. A password reset has been performed on all accounts.

Humana is currently deploying new controls to improve the security of its websites and has implemented a new system for alerts of successful and failed login attempts.

This attack could simply be a brute force attempt to gain access to users’ accounts with just a username obtained in a previous breach and a list of possible passwords. To reduce the potential for such an attack resulting in unauthorized account access, strong, complex passwords that have not previously been used on any other account should be used.

If possible, two-factor authentication should also be activated. This requires an additional piece of information – a code sent to a mobile phone for instance – to be entered when an unfamiliar device or IP attempts to gain access to an account.
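The detection signal in the Humana incident (a burst of failed logins from a few source IPs spread across a large list of user IDs) can be pulled out of ordinary web login logs. The following is an added example, not Humana’s code; the log format, the IP addresses, the user IDs and the thresholds are constructed assumptions. It separates credential stuffing (many distinct IDs per source) from single-account brute force, and lists the accounts that actually logged in from a flagged source, which are the first candidates for a forced password reset.

```python
"""Detect credential-stuffing and brute-force bursts in web login logs.

Added example for the pattern described above. Log format, IPs, user IDs
and thresholds are constructed assumptions, not any real organisation's data.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"  # assumed timestamp format in the constructed log


class LoginEvent(NamedTuple):
    ts: datetime
    src_ip: str
    user_id: str
    success: bool


def parse_log(text: str) -> List[LoginEvent]:
    """Parse constructed lines: '<ISO-8601 UTC> <src_ip> <user_id> <SUCCESS|FAIL>'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, uid, result = line.split()
        events.append(LoginEvent(datetime.strptime(ts, TS_FMT), ip, uid, result == "SUCCESS"))
    return events


def classify_sources(events, window=timedelta(minutes=10), min_failures=20, min_distinct_users=10):
    """Return {src_ip: {"kind", "failures", "distinct_users"}} for every source IP whose
    failures within some sliding time window reach min_failures.  Many distinct user IDs in
    that window points to credential stuffing (a stolen ID/password list being replayed);
    failures concentrated on one or a few IDs point to single-account brute force."""
    by_ip: Dict[str, List[LoginEvent]] = defaultdict(list)
    for e in events:
        if not e.success:
            by_ip[e.src_ip].append(e)
    flagged = {}
    for ip, fails in by_ip.items():
        fails.sort(key=lambda e: e.ts)
        best: List[LoginEvent] = []
        left = 0
        for right in range(len(fails)):
            while fails[right].ts - fails[left].ts > window:
                left += 1
            win = fails[left:right + 1]  # densest window ending at this failure
            if len(win) >= min_failures and len(win) > len(best):
                best = win
        if best:
            users = {e.user_id for e in best}
            kind = "credential_stuffing" if len(users) >= min_distinct_users else "brute_force"
            flagged[ip] = {"kind": kind, "failures": len(best), "distinct_users": len(users)}
    return flagged


def accounts_to_reset(events, flagged):
    """Accounts that logged in SUCCESSFULLY from a flagged IP: the replayed credentials
    worked, so these accounts should be force-reset and their owners notified first."""
    return sorted({e.user_id for e in events if e.success and e.src_ip in flagged})


def _stamp(ts: datetime) -> str:
    return ts.strftime(TS_FMT)


def build_sample_log() -> str:
    """Constructed sample: one stuffing source, one single-account brute forcer, one real user."""
    t0 = datetime(2018, 6, 3, 1, 0, 0)
    lines = []
    # 203.0.113.7: 30 attempts against 30 different IDs in 3 minutes; two of them succeed.
    for i in range(30):
        result = "SUCCESS" if i in (5, 17) else "FAIL"
        lines.append(f"{_stamp(t0 + timedelta(seconds=6 * i))} 203.0.113.7 u{10000 + i} {result}")
    # 198.51.100.9: 25 failures against a single account in 5 minutes.
    for i in range(25):
        lines.append(f"{_stamp(t0 + timedelta(seconds=12 * i))} 198.51.100.9 u20001 FAIL")
    # 192.0.2.10: a legitimate user mistyping twice, then succeeding (must not be flagged).
    for i, result in enumerate(["FAIL", "FAIL", "SUCCESS"]):
        lines.append(f"{_stamp(t0 + timedelta(seconds=30 * i))} 192.0.2.10 u30001 {result}")
    return "\n".join(lines)


if __name__ == "__main__":
    evs = parse_log(build_sample_log())
    hits = classify_sources(evs)
    for ip, info in hits.items():
        print(f"{ip}: {info['kind']} ({info['failures']} failures, {info['distinct_users']} IDs)")
    print("force password reset for:", accounts_to_reset(evs, hits))
```

On real logs the thresholds should be tuned against the site’s normal failure rate, and the same grouping can be done per ASN or per country rather than per single IP when the attacker rotates addresses.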


Zeus Trojan Infection Potentially Resulted in Theft of PHI from Alaska DHSS

The Alaska Department of Health and Social Services (ADHSS) is notifying ‘more than 500’ individuals that some of their protected health information (PHI) has potentially been accessed and stolen by hackers.

On April 26, the ADHSS discovered malware had been installed on an employee’s computer after suspicious behavior was detected. The investigation revealed malware had been installed – a variant of the Zeus/Zbot Trojan – which is known to be used to steal sensitive information.

The malware was discovered to have communicated with IP addresses in Russia, although it is not known whether the attackers are based in Russia or just using Russian IP addresses. ADHSS has not confirmed whether protected health information was exfiltrated to those IP addresses, although data access and theft of PHI is a possibility.

Under the Health Insurance Portability and Accountability Act, HIPAA-covered entities must report data breaches as soon as possible, but no later than 60 days following the discovery of a breach. ADHSS chose to delay the issuing of notifications until just before the deadline to allow investigators to determine the nature and extent of the breach.

The infected computer contained a range of documents that included sensitive information of individuals in the Northern region of Alaska. Patients affected by the breach had previously had dealings with the ADHSS division of Public Assistance (DPA) through the DPA Northern regional offices.

The types of information potentially stolen include first and last names, phone numbers, dates of birth, pregnancy status, death status, incarceration status, Medicaid/Medicare billing codes, Social Security numbers, driver’s license numbers, and other confidential information.

In its breach notice, ADHSS explained it had multiple layers of security in place to prevent malware infections, but in this instance those defenses had been bypassed.

Immediately after the virus was discovered the computer was taken offline to prevent any further data access. The ADHSS Information Technology and Security team is continuing to investigate the breach and will be implementing additional protections to prevent further breaches of this nature.


Healthcare Worker Charged with Criminally Violating HIPAA Rules

A former University of Pittsburgh Medical Center patient information coordinator has been indicted by a federal grand jury over criminal violations of HIPAA Rules, according to an announcement by the Department of Justice on June 29, 2018.

Linda Sue Kalina, 61, of Butler, Pennsylvania, has been charged in a six-count indictment that includes wrongfully obtaining and disclosing the protected health information of 111 patients.

Kalina worked at the University of Pittsburgh Medical Center and the Allegheny Health Network between March 30, 2016 and August 14, 2017. While employed at the healthcare organizations, Kalina is alleged to have accessed the protected health information (PHI) of those patients without authorization or any legitimate work reason for doing so.

Additionally, Kalina is alleged to have stolen PHI and, on four separate occasions between December 30, 2016, and August 11, 2017, disclosed that information to three individuals with intent to cause malicious harm.

Kalina was arrested following an investigation by the Federal Bureau of Investigation. The case was taken up by the Department of Justice and she is being prosecuted by Assistant United States Attorney, Carolyn Bloch, on behalf of the federal government.

If found guilty on all counts, Kalina faces up to 11 years in jail and could be ordered to pay a fine of up to $350,000. The sentence will be dictated by the seriousness of the offenses and any prior criminal history.

The Department of Justice is taking a hard line on individuals who violate HIPAA Rules and impermissibly access and disclose PHI with malicious intent. There have been several other cases in 2018 that have seen former healthcare workers indicted for criminal HIPAA violations, with three cases resulting in imprisonment.

In June 2018, a former employee of the Veterans Affairs Medical Center in Long Beach, CA, Albert Torres, 51, was sentenced to serve 3 years in jail for the theft of protected health information and identity theft. Torres pleaded guilty to the charges after law enforcement officers discovered the records of 1,030 patients in his home.

In April 2018, a former receptionist at a New York dental practice, Annie Vuong, 31, was sentenced to serve 2 to 6 years in jail for stealing the PHI of 650 patients and providing that information to two individuals who used the data to rack up huge debts in patients’ names.

In February, a former behavioral analyst at the Transformations Autism Treatment Center in Bartlett, TN, Jeffrey Luke, 29, was sentenced to 30 days in jail, 3 years supervised release, and was ordered to pay $14,941.36 in restitution after downloading the PHI of 300 current and former patients onto his personal computer.


Associated Dermatology & Skin Cancer Clinic of Helena Discloses PHI Breach Impacting 1,254 Patients

This week, Associated Dermatology & Skin Cancer Clinic of Helena, MT, has disclosed a breach of physical protected health information (PHI) affecting 1,254 patients.

A journal maintained by an employee of Associated Dermatology was stolen from her vehicle on May 26, 2018. A thief forcibly gained access to the vehicle and stole the personal journal, which contained information to help the employee with the provision of care to patients.

The types of information recorded in the journal included names and ages of patients, their referring physicians, brief notes on patients’ medical histories, reasons for visits, and visit notes. Patients whose PHI has been obtained by the thief had received medical services through Associated Dermatology between September 1, 2017 and May 24, 2018.

While highly sensitive information – the types that can be used to steal identities – was not stored in the journal, there is potential for the information to be misused, although no reports have been received to date to suggest that is the case.

The biggest risk is the use of the information in social engineering or phishing scams that attempt to get patients to disclose further information such as Social Security numbers, dates of birth, and health insurance information. Patients have been warned to be alert to such scams.

The breach has prompted Associated Dermatology to implement further safeguards to ensure all forms of PHI are safeguarded and future incidents of this nature are prevented.

The theft has been reported to law enforcement authorities who are working to locate the journal. The incident will be reported to appropriate authorities, including the Department of Health and Human Services’ Office for Civil Rights, in due course.


Business Email Compromise Attacks Dominate 2017 FBI Internet Crime Report

The FBI has released its 2017 Internet Crime Report. Data for the report come from complaints made through its Internet Crime Complaint Center (IC3).

The report highlights the most common online scams, the scale of Internet crime, and the substantial losses suffered as a result of Internet-related crimes.

In 2017, there were 301,580 complaints made to IC3 about Internet crime, with total losses for the year exceeding $1.4 billion. Since 2013, when the first Internet Crime Report was published, more than $5.52 billion has been lost in online scams and more than 1.4 million complaints have been received.

The leading types of online crime in 2017 were non-payment/non-delivery, personal data breaches, and phishing; however, the biggest losses came from business email compromise (BEC) attacks, confidence scams/romance fraud, and non-payment/non-delivery.

The losses from business email compromise scams (and email account compromise scams on consumers) exceeded $675 million. BEC/EAC scams resulted in more than three times the losses as confidence fraud/romance scams – the second biggest cause of losses by victims. The average loss per BEC/EAC incident was $43,094.

There were 25,344 reports of phishing incidents in 2017 resulting in losses of $29,703,421, although phishing likely played a part in many other categories of crime such as credit card fraud and corporate and personal data breaches.

There were 406 reported cases of health care-related crimes and $925,849 was lost to those scams. Health care-related fraud includes attempts to defraud private and government health care programs, fake insurance cards, stolen health information, and diversion/pill mill practices.

Most Prevalent Internet Crimes and Losses by Crime Type

Number of complaints by crime type:

    Non-Payment/Non-Delivery              84,079
    Personal Data Breach                  30,904
    Phishing/Vishing/Smishing/Pharming    25,344
    Overpayment                           23,135
    No Lead Value                         20,241
    Identity Theft                        17,636
    Advanced Fee                          16,368
    Harassment/Threats of Violence        16,194
    Employment                            15,784
    BEC/EAC                               15,690

Reported losses by crime type:

    BEC/EAC                         $676,151,185
    Confidence Fraud/Romance        $211,382,989
    Non-Payment/Non-Delivery        $141,110,441
    Investment                       $96,844,144
    Personal Data Breach             $77,134,865
    Identity Theft                   $66,815,298
    Corporate Data Breach            $60,942,306
    Advanced Fee                     $57,861,324
    Credit Card Fraud                $57,207,248
    Real Estate/Rental               $56,231,333

Internet Crime Trends in 2017

In the report, the FBI draws attention to hot topics in 2017 – types of crime that are on the rise and have resulted in extensive losses.

With business email compromise scams resulting in major losses, it is an area of major concern. Business email compromise scams often start with a phishing attempt on a senior executive such as the CEO or CFO. Social engineering techniques are used to convince that individual to part with login credentials. Once access to their email account is gained, an email conversation is initiated with an employee who has access to sensitive data or an individual responsible for making wire transfers. These individuals can often be identified via LinkedIn accounts and from messages contained in the compromised email account. The attacker convinces the target to make a wire transfer to their account or to send sensitive data such as W-2 Forms via email.

Access to an email account is not necessary for this type of attack. There have been many cases where fraudulent transfers have been made and W-2 data sent in response to spoofed emails.

Spam filtering solutions are not effective when emails are sent internally from a compromised account. One of the best defenses is two-factor authentication, which requires an additional form of identification when an unfamiliar device is used to access an email account. Policies and procedures can be implemented to prevent these scams from being successful, such as requiring any transfer above a certain threshold to be verified by telephone and prohibiting the sending of sensitive data such as W-2 forms via email.

Ransomware was also a hot topic in 2017. Ransomware attacks appear to be decreasing as cybercriminals switch to other methods of generating money, such as cryptocurrency mining; however, there were several major attacks in 2017, with the healthcare industry heavily targeted.

Spam filtering solutions, security awareness training, user-behavior monitoring solutions, and intrusion detection solutions help to prevent attacks and reduce their severity when they do occur. Segmentation of networks can also help reduce the severity of attacks, and good data backup policies are essential.

The FBI explains that it does not support the paying of a ransom, although it appreciates that in cases where the business can no longer function, payment of the ransom should be considered.

Tech support scams were commonplace in 2017. These scams attempt to obtain payment to resolve fictional problems or to remove screen lockers and fake viruses. End users are convinced to provide fraudsters with remote access to their devices or to install software (malware) for this purpose. These scams often result in the theft of credentials and sensitive data as well as payment for software and technicians’ time. Losses to tech support scams have increased by 90% since 2016.

Elder fraud is a growing problem. In 2017, there were 49,523 complaints filed by victims over the age of 60. These scams resulted in adjusted losses of more than $342 million. In an effort to tackle the problem, the Justice Department launched the Elder Justice Initiative in February.

Attorney General Jeff Sessions explained that the Justice Department is taking unprecedented, coordinated action to protect elderly Americans. “When criminals steal the hard-earned life savings of older Americans, we will respond with all the tools at the Department’s disposal – criminal prosecutions to punish offenders, civil injunctions to shut the schemes down, and asset forfeiture to take back ill-gotten gains.” Local, state, and federal capacity to fight elder abuse is now being enhanced.

Extortion scams, loan schemes, impersonation schemes, sextortion, and hitman schemes are also on the rise. There were 14,938 extortion-related complaints received by IC3 in 2017 and losses exceeded $15 million.

States Worst Affected by Internet Crime

The states most affected by Internet crime closely match population levels, with the six most populated states featuring in the top seven states for reported Internet crimes.

Number of complaints by state:

    California      41,974
    Florida         21,877
    Texas           21,852
    New York        17,622
    Pennsylvania    11,348
    Virginia         9,436
    Illinois         9,381
    Ohio             8,157

Reported losses by state:

    California      $214,217,307
    Texas           $115,680,902
    Florida         $110,620,330
    New York         $88,633,788
    Arizona          $59,366,635
    Washington       $42,991,213
    Illinois         $42,894,106
    New Jersey       $40,441,739


Michigan Medicine Informs Hundreds of Patients of PHI Exposure

An unencrypted laptop computer containing the protected health information (PHI) of 870 patients of Michigan Medicine has been stolen.

The PHI was saved on a personal laptop computer which had been left unattended in an employee’s vehicle. A thief broke into the car and stole the employee’s bag, which contained the device. The theft occurred on June 3, 2018 and it was immediately reported to law enforcement. Michigan Medicine was informed of the theft the following day, June 4.

The laptop contained a range of protected health information of patients who had participated in research studies. The types of information exposed varied depending on the type of research the patients had participated in. Highly sensitive information such as Social Security numbers, health plan ID numbers, and financial information were not stored on the device and addresses and contact telephone numbers were not exposed. The information exposed was limited to names, medical record numbers, gender, race, diagnoses, and treatment information.

All of the research studies had been approved by the Institutional Review Board (IRB) at Michigan Medicine and consent to collect the data and use the information for research had been obtained from the patients. The IRB requires all research studies involving human subjects to comply with strict regulatory requirements, which include implementing safeguards to ensure patient confidentiality.

While Michigan Medicine complied with all regulations and had implemented appropriate security controls to prevent the exposure of patient data, the employee violated IRB approvals and Michigan Medicine policies by downloading the research data to his personal laptop computer.

Michigan Medicine has policies in place that require all patient data stored on portable electronic devices such as laptop computers to be encrypted to prevent exposure of the data in case of loss or theft of a device. However, since the data were downloaded to a personally owned device without the knowledge of Michigan Medicine, the data were not encrypted, although the employee’s laptop was protected with a password.

Patients have been notified of the breach and have been advised to monitor their insurance statements for signs of fraudulent activity, although the risk of misuse of data is believed to be low as the device did not contain the types of information necessary for identity theft or insurance fraud.

HIPAA requires patients to be notified of breaches of PHI without unnecessary delay and no later than 60 days following the discovery of a breach. Michigan Medicine should be commended for issuing notifications promptly – within three weeks of the discovery of the breach.

Michigan Medicine has conducted further training of the workforce to reiterate its patient privacy policies and educational materials are being improved “to further enhance key messages about the prohibited use of personal, unencrypted devices for storage of research data.”


Protected Health Information Sent to Incorrect Fax Recipient Over Several Months

Faxes containing the protected health information (PHI) of a patient have been sent to an incorrect recipient by OhioHealth’s Grant Medical Center over a period of several months – a violation of patient privacy and the Health Insurance Portability and Accountability Act (HIPAA).

The recipient of the faxes, Elizabeth Spilker, tried on numerous occasions to notify Grant Medical Center about the problem and stop the faxes being sent, but her efforts were unsuccessful. She tried faxing back a message on the same number requesting a change to the programmed fax number and tried contacting the medical center by telephone.

Spilker later notified ABC6 about the issue and the story was covered in a June 18 report. In the report, Spilker explained that faxes had been received from Grant Medical Center for more than a year. The messages contained a range of protected health information including name, age, weight, medical history, medications prescribed, and other sensitive health information.

Typically, the faxes were received at the end of the day. Repeated attempts were made to send the information. The only way to stop the calls was to plug in the fax machine and receive the fax message.

ABC6 reporters spoke with Grant Medical Center in Columbus, OH, and alerted staff to the problem. Subsequently, a statement was issued confirming the matter had been looked into and resolved. OhioHealth also confirmed that the faxes had been sent over a 6-month period, and not for a year as Elizabeth Spilker had explained in the ABC6 news report.

“We conducted a thorough review and audit of our fax system logs and found that three faxes were sent to the individual in error due to a transposed fax number in one patient’s medical record,” OhioHealth explained in a statement about the incident. “The fax number has been corrected and we’re reaching out to the patient involved to make him or her aware. Ensuring the privacy of our patients is a top priority at OhioHealth and we apologize for this error.” All faxes received by Ms. Spilker have now been shredded so there is no risk of further disclosures of PHI.
