HIPAA Breach News

Unencrypted Hospital Pager Messages Intercepted and Viewed by Radio Hobbyist

Posted by HIPAA Journal

Many healthcare organizations have now transitioned to secure messaging systems and have retired their outdated pager systems.

Healthcare organizations that have not yet made the switch to secure text messaging platforms should take note of a recent security breach that saw pages from multiple hospitals intercepted by a ‘radio hobbyist’ in Missouri.

Intercepting pages using software defined radio (SDR) is nothing new. There are various websites that explain how the SDR can be used and its capabilities, including the interception of private communications. The risk of PHI being obtained by hackers using this tactic has been well documented.  All that is required is some easily obtained hardware that can be bought for around $30, a computer, and some free software.

In this case, an IT worker from Johnson County, MO purchased an antenna and connected it to his laptop in order to pick up TV channels. However, he discovered he could pick up much more. By accident, he intercepted pages sent by physicians at several hospitals. The man told the Kansas City Star he intercepted pages containing highly sensitive information including the page below:

“RQSTD RTM: (patient’s name) 19 M Origin Unit: EDOF Admitting: (doctor’s name) Level of Care: 1st Avail Medical Diagnosis: TONSILAR BLEED, ANEMIA, THROMBOCYTOPENIA”

It was not necessary to be in close vicinity of a hospital to intercept the pages and view PHI. Pages were picked up from hospitals and medical centers in Blue Springs, MO; Harrisonville, MO; Liberty, MO; Kansas City, KS; Wichita, KS; and even hospitals further away in Kentucky and Michigan.

Reporters from the Kansas City Star made contact with several of the patients whose information was exposed to confirm the information was correct. Understandably, the patients were shocked to find out that their sensitive information had been obtained by unauthorized individuals, as were the hospitals.

While not all hospitals responded, some of those that did said they are working with their vendors to correct the problem to ensure that pages cannot be intercepted in the future.

Intercepting pages is illegal under the Electronic Communications Protection Act, although hacking healthcare networks or conducting phishing campaigns to obtain protected health information is similarly illegal, yet that does not stop hackers.

HIPAA-covered entities should take note of the recent privacy violations and should consider implementing a secure messaging solution in place of pagers; however, in the meantime they should contact their vendors and explore the options for encrypting pages to prevent ePHI from being intercepted.

The post Unencrypted Hospital Pager Messages Intercepted and Viewed by Radio Hobbyist appeared first on HIPAA Journal.

Washington Health System Suspends Several Employees for Inappropriate PHI Access

Posted by HIPAA Journal

Following the alleged inappropriate accessing of patient health records by employees, Washington Health System has taken the decision to suspend several employees while the privacy breach is investigated.

While it has not been confirmed how many employees have been suspended, Washington Health System VP of strategy and clinical services, Larry Pantuso, issued a statement to the Observer Reporter indicating around a dozen employees have been suspended, although at this stage, no employees have been fired for inappropriate medical record access.

The privacy breaches are believed to relate to the death of an employee of the WHS Neighbor Health Center. Kimberly Dollard, 57, was killed when an out of control car driven by Chad Spence, 43, rammed into the building where she worked. Spence and one other individual were admitted to the hospital after sustaining injuries in the accident.

Pantuso did not confirm that this was the incident that prompted the employees to access patients’ medical records, although he did confirm that the alleged inappropriate access related to a “high profile case.”

The accessing of medical records without any legitimate work reason for doing so is a violation of the Health Insurance Portability and Accountability Act (HIPAA). HIPAA only permits the accessing of PHI by employees for treatment, payment, or healthcare operations.

Any healthcare employee discovered to have violated HIPAA Rules faces disciplinary action which can involve suspension, termination, loss of license and, potentially, criminal charges.

There have been several recent cases where employees have been fired snooping on the medical records of high profile patients.

In February 2018, 13 employees of the Medical University of South Carolina were fired for HIPAA violations after they accessed the medical records of patients without authorization, many of whom accessed the medical records of high profile patients.

One of the most recent actions taken against a healthcare employee for a HIPAA violation was taken by the New York nursing board’s Office for Professional Discipline. Martha Smith-Lightfoot was provided with a list of patients prior to leaving her employment at University of Rochester Medical Center (URMC) to take up a new position at Greater Rochester Neurology. Smith-Lightfoot provided that list to her new employer and patients were contacted in an attempt to solicit business.

Smith-Lightfoot signed a consent order with the nursing board admitting the violation and had her license to practice suspended for one year, received a stayed suspension for another year, and three years of probation when she returns to practice.

Snooping on medical records is likely to be discovered as logs are created when health records are accessed. Those logs are periodically checked and if inappropriate PHI access is discovered it is likely to result in termination and will make it hard to obtain future employment in healthcare.

The post Washington Health System Suspends Several Employees for Inappropriate PHI Access appeared first on HIPAA Journal.

Florida Agency for Persons with Disabilities and Black River Medical Center Report Phishing Incidents

Posted by HIPAA Journal

Two HIPAA-covered entities have recently disclosed they have been victims of phishing attacks that have potentially resulted in the exposure of patients’ protected health information (PHI).

 

Further Phishing Attack Reported by Florida Agency for Persons with Disabilities

The Florida Agency for Persons with Disabilities (FAPD), which provides support services for people with disabilities such as autism, cerebral palsy, spina bifida, and Downs syndrome, has experienced another phishing attack

The phishing attack occurred on April 10, 2018 and was limited to a single email account; however, that account contained the PHI of 1,951 customers or guardians.

While no evidence was uncovered to suggest any PHI was viewed or copied by the attacker, PHI access could not be ruled out with 100% certainty. The compromised email account contained information such as names, birth dates, addresses, telephone numbers, health information, and Social Security numbers.

All patients have now been notified of the breach and have been offered credit monitoring services for a year without charge.

Three days after the attack, FAPD implemented a security upgrade to prevent unauthorized individuals from accessing its email system and further training on email security protocols was provided.

This is not the first phishing attack to be reported by the agency in 2018. In February, a more extensive phishing attack occurred that resulted in multiple email accounts being compromised. That phishing attack affected more than 55,000 customers, whose names, birth dates, and Social Security numbers were potentially compromised.

Following the February attack, FAPD said it had implemented multi-factor authentication to prevent unauthorized accessing of its email accounts and provided further training for employees on email security protocols.

Patients Notified of Black River Medical Center Phishing Attack

Poplar Bluff, MO-based Black River Medical Center is alerting some of its patients that their protected health information has potentially been accessed by an unauthorized individual.

On April 23, 2018, a response to a phishing email allowed a hacker to gain access to the email account of a single employee. The email account contained a limited amount of protected health information, but not financial information or Social Security numbers. The breach was limited to names, addresses, phone numbers, and in some cases, treatment information.

The investigation confirmed that the incident was limited to the email account and no other systems were affected. No evidence was uncovered to suggest any PHI was accessed, obtained, or misused by the attacker.

Patients were notified of the incident on June 13, 2018, and a notice was posted on the healthcare provider’s website. The breach has yet to appear on the Department of Health and Human Services’ Office for Civil Rights breach portal, so it is currently unclear exactly how many patients have been impacted.

The post Florida Agency for Persons with Disabilities and Black River Medical Center Report Phishing Incidents appeared first on HIPAA Journal.

May 2018 Healthcare Data Breach Report

Posted by HIPAA Journal

April was a particularly bad month for healthcare data breaches with 41 reported incidents. While it is certainly good news that there has been a month-over-month reduction in healthcare data breaches, the severity of some of the breaches reported last month puts May on a par with April.

Healthcare Data Breaches (May 2018)

There were 29 healthcare data breaches reported by healthcare providers, health plans, and business associates of covered entities in May – a 29.27% month-over month reduction in reported breaches. However, 838,587 healthcare records were exposed or stolen in those incidents – only 56,287 records fewer than the 41 incidents in April.

Healthcare Data Breaches - Records (May 2018)

In May, the mean breach size was 28,917 records and the median was 2,793 records. In April the mean breach size was 21,826 records and the median was 2,553 records.

Causes of May 2018 Healthcare Data Breaches

Unauthorized access/disclosure incidents were the most numerous type of breach in May 2018 with 15 reported incidents (51.72%). There were 12 hacking/IT incidents reported (41.38%) and two theft incidents (6.9%). There were no lost unencrypted electronic devices reported in May and no improper disposal incidents.

The 12 hacking/IT incidents reported in May resulted in the exposure/theft of 738,883 healthcare records – 88.11% of the total for May. Unauthorized access/disclosure incidents affected 97,439 patients and health plan members – 11.62% of the total. Theft incidents resulted in unauthorized individuals obtaining the PHI of 2,265 individuals – 0.27% of the monthly total.

Causes of Healthcare Data Breaches (May 2018)

Largest Healthcare Data Breaches Reported in May 2018

The largest healthcare data breach reported in May 2018 – by some distance – was the 538,127-record breach at the Baltimore, MD-based healthcare provider LifeBridge Health Inc. The breach was reported in May, although it occurred more than a year and a half earlier in September 2016, when malware was installed on its server that hosts electronic health records.

In addition to names and contact information, clinical and treatment information, insurance information, and, in some instances, Social Security numbers, were compromised. The scale of the breach and the types of information exposed makes it one of the most serious healthcare data breaches discovered in 2018.

As the table below shows, hacks and IT incidents were behind the most serious breaches in May.

Breached Entity Entity Type Records Breached Breach Type
LifeBridge Health, Inc Healthcare Provider 538127 Hacking/IT Incident
The Oregon Clinic, P.C. Healthcare Provider 64487 Hacking/IT Incident
Dignity Health Healthcare Provider 55947 Unauthorized Access/Disclosure
Aultman Hospital Healthcare Provider 42625 Hacking/IT Incident
Holland Eye Surgery and Laser Center Healthcare Provider 42200 Hacking/IT Incident
USACS Management Group, Ltd. Business Associate 15552 Hacking/IT Incident
Florida Hospital Healthcare Provider 12724 Hacking/IT Incident
Aflac Health Plan 10396 Hacking/IT Incident
Cerebral Palsy Research Foundation of Kansas, Inc. Healthcare Provider 8300 Unauthorized Access/Disclosure
Associates in Psychiatry and Psychology Healthcare Provider 6546 Hacking/IT Incident

 

Records Exposed in Healthcare Data Breaches (May 2018)

Location of Breached Protected Health Information

In May, the most common location of breached protected health information was email. 11 of the 29 reported breaches involved hacks of email accounts and misdirected emails. It was a similar story in April, when email was also the main location of breached PHI.

In May there were 7 incidents affecting network servers – hacks, malware infections, and ransomware incidents – and 7 incidents involving paper records.

Healthcare Data Breaches (May 2018) - Location of Breached PHI

Data Breaches by Covered Entity Type

Healthcare providers experienced the lion’s share of the healthcare data breaches in May 2018, with 22 incidents reported. Only two health plans suffered a data breach in May.

Five business associates of HIPAA-covered entities reported a breach, although a further four breaches had some business associate involvement.

Healthcare Data Breaches (May 2018) - Breaches by Covered Entity Type

Healthcare Data Breaches by State

California and Ohio were the worst affected by healthcare data breaches in May 2018, with each state having four breaches. Oregon and Texas each experienced two data breaches in May. Nevada saw four breaches reported, but three of those were the same incident, only reported separately by each of the three Dignity Health hospitals affected.

One healthcare data breach was reported by a HIPAA-covered entity or business associate based in Arkansas, Arizona, Colorado, Florida, Georgia, Indiana, Kansas, Massachusetts, Maryland, Michigan, Minnesota, Nebraska, and New York.

Financial Penalties for HIPAA Violations

While OCR and state attorneys general continue to enforce HIPAA Rules and take action against covered entities and business associates for noncompliance, there were no financial settlements announced by either in May 2018.

Data Source: The Department of Health and Human Services’ Office for Civil Rights.

The post May 2018 Healthcare Data Breach Report appeared first on HIPAA Journal.

3-Year Jail Term for VA Employee Who Stole Patient Data

Posted by HIPAA Journal

A former employee of the Veteran Affairs Medical Center in Long Beach, CA who stole the protected health information (PHI) of more than 1,000 patients has been sentenced to three years in jail.

Albert Torres, 51, was employed as a clerk in the Long Beach Health System-run medical center – a position he held for less than a year. Torres was pulled over by police officers on April 12 after a check of his license plates revealed an anomaly – plates had been used on a private vehicle, which were typically reserved for commercial vehicles.

The police officers found prescription medications which Torres’ did not have a prescription for and the Social Security numbers and other PHI of 14 patients in his vehicle. A subsequent search of Torres’ apartment revealed he had hard drives and zip drives containing the PHI of 1,030 patients and more than $1,000 in cleaning supplies that had been stolen from the hospital.

After pleading guilty to several crimes, including identity theft and grand theft, Torres was sentenced to three years in state penitentiary on June 4.

Sutter Health Fires Employees for Attempted PHI Access

An undisclosed number of employees of Sutter Health have been fired for accessing the medical records of patients without authorization.

CBS 13 Sacramento reported that an anonymous source had confirmed that Sutter Health had fired two employees for searching for the medical records of the suspected Golden State Killer, Joseph DeAngelo.

Following the news report from CBS 13, Sutter Health spokesperson Gary Zavoral issued a statement confirming action had been taken in response to the improper accessing of PHI, according to the Sacramento Business Journal.

While Zavoral did not confirm the number of employees that had been terminated, nor the patient or patients whose medical records were accessed, he did confirm that the employees concerned had been terminated.

Sutter Health has a system in place that generates alerts when employees access medical records without authorization. When improper access is detected, it usually results in termination.

In addition to firing the employees concerned, Sutter Health has reminded all staff that the accessing of medical records is only permitted when there is a legitimate work reason for doing so. The person or persons whose medical records were accessed are being notified of the privacy breach.

The post 3-Year Jail Term for VA Employee Who Stole Patient Data appeared first on HIPAA Journal.

PHI Stolen in San Francisco and Corpus Christi Burglaries

Posted by HIPAA Journal

Two HIPAA-covered entities are alerting patients that some of their protected health information (PHI) has been obtained by thieves in recent burglaries.

PHI Taken from Employee of Christus Spohn Hospitals

The protected health information of patients of two Christus Spohn Hospitals in Corpus Christi has been stolen in a burglary.

A Christus Spohn employee was burgled on April 16, 2018 and PHI was taken including information such as names, birth dates, dates of service, medical record numbers, account numbers, ages, and other medical data. No financial information, driver’s license numbers, or Social Security numbers were compromised.

Patients affected by the breach had previously received treatment at Christus Spohn Health System’s Memorial or Shoreline hospitals. While PHI was obtained, the information does not appear to have been misused. Christus Spohn has confirmed that approximately 1,800 patients have been affected by the incident.

Steps have already been taken to prevent further incidents of this nature from occurring, and the employee in question has received further training on measures that need to be taken to ensure protected health information is safeguarded.

PHI of Patients of a San Francisco Acupuncturist Stolen

San Francisco acupuncturist Denise M. Bowden is notifying patients that some of their PHI was stolen from her Pacific Heights office. The acupuncturist discovered the burglary on April 30, 2018, with the offices ransacked at some point over the weekend of 28/29 April.

The thief stole a computer from her office that contained information such as patients’ names, addresses, contact telephone numbers, dates of service, diagnosis codes, and health insurance information. No financial information or Social Security numbers were stored on the computer.

While the computer was password protected, patient data were not encrypted and could therefore potentially be viewed by unauthorized individuals. No reports have been received to suggest any of the information on the computer has been accessed and misused. Patients were notified of the breach by mail on June 11, 2018.

The post PHI Stolen in San Francisco and Corpus Christi Burglaries appeared first on HIPAA Journal.

PHI Compromised in HealthEquity Phishing Attack

Posted by HIPAA Journal

A phishing attack on Draper, UT-based HealthEquity Inc., has resulted in the exposure of members’ protected health information. The data breach was limited to one email account, although an analysis of the messages in the account revealed a range of PHI was potentially obtained by the attacker.

Information possibly compromised in the attack was limited to names, email addresses, HealthEquity member ID numbers, employer ID numbers, employer names, health account type, deduction amounts, and for some Michigan-based employees, Social Security numbers.

The breach was identified on April 13, 2018 and was discovered to have occurred two days previously, giving the attacker 48 hours to access messages in the account. Access to the compromised account was immediately terminated to prevent any further unauthorized access.

A third-party computer forensics firm was engaged to conduct a full investigation into the attack. The investigation confirmed that the breach was limited to a single email account and access was gained due to human error – the employee responding to a phishing message. No other systems were compromised or affected by the phishing attack.

While PHI access was possible, no evidence was uncovered to suggest the emails in the account were opened or PHI was obtained by the attacker, although out of an abundance of caution, all affected individuals have been offered complimentary credit monitoring and identity theft protection services through ID Experts.

As a HIPAA covered entity, HealthEquity is required to send notifications about the breach and issue a media notice to a prominent media outlet within 60 days of discovery of a PHI breach. That notice was provided to ClickOnDetroit. The breach was limited to two companies, both of which have been notified about the security incident.

The incident has yet to appear on the Department of Health and Human Services’ Office for Civil Rights’ breach portal, so it is currently unclear how many individuals have been impacted by the incident.

The post PHI Compromised in HealthEquity Phishing Attack appeared first on HIPAA Journal.

1,600 Patients Potentially Impacted by Terros Health Phishing Attack

Posted by HIPAA Journal

An employee of Phoenix-based Terros Health was fooled by a phishing scam and inadvertently handed over login credentials to the attacker. That individual accessed the employee’s email account and potentially viewed or obtained a range of protected health information detailed in individual emails in the account. The breach was limited to one email account and access to other systems was not gained.

Terros Health learned of the phishing attack on April 12, 2018 and notified the media on June 8. All patients impacted by the breach have now been notified by mail.

An investigation into the attack revealed the employee responded to the phishing email on or around November 16, 2017, which was when the email account was first accessed by the attacker.

While almost 1,600 patients potentially had some of their PHI compromised as a result of the attack, for the majority of patients (1,241) the exposed information was limited to names and dates of birth. The remaining patients also had their addresses, email addresses, diagnoses, medical record numbers, and other protected health information exposed. 142 patients’ Social Security numbers were also present in the compromised email account and could potentially have been viewed or obtained. The majority of patients affected by the breach had previously received medical services at its 23rd/Dunlap Avenue clinic.

Patients whose Social Security number was exposed have been offered credit monitoring and identity theft protection services for 12 months without charge.

Prior to the attack, Terros Health had implemented safeguards to prevent the unauthorized accessing of PHI, although the phishing attack bypassed those controls. Further steps have now been taken to improve security, policies and procedures have been enhanced, and additional security awareness training is being provided to staff.

The company said this was the largest data breach it has experienced in the entire history of the company.

The post 1,600 Patients Potentially Impacted by Terros Health Phishing Attack appeared first on HIPAA Journal.

3,700 Rise Wisconsin Plan Participants Potentially Impacted by Ransomware Attack

Posted by HIPAA Journal

Rise Wisconsin is alerting more than 3,700 plan members that some of their protected health information was potentially accessed by unauthorized individuals during a recent ransomware attack.

The ransomware was installed on its network on or around April 8, 2018. The ransomware attack was detected rapidly, although not in time to prevent the encryption of data.

Rise Wisconsin (formerly Community Partnerships Inc., and Center for Families) called in third party computer forensics experts to assist with the breach investigation and recovery process. While the investigation did not uncover any evidence to suggest protected health information was accessed or stolen in the attack, it was not possible to rule out data access and data theft with a high degree of certainty.

Potentially, the types of data that could have been accessed by the attackers includes names, addresses, dates of birth, Social Security numbers and, for certain patients, a limited amount of health information.  No financial information was compromised.

Rise Wisconsin has not disclosed how much the attackers demanded for the security keys to unlock the encrypted data or whether that ransom demand was paid.

Rise Wisconsin takes the security of health information very seriously and had implemented a range of security controls to prevent the unauthorized accessing of PHI. In this case those controls proved insufficient; however, steps have now been taken to enhance security and prevent further incidents of this nature from occurring. Those steps include placing further restrictions on network access and increasing staff information security awareness training.

The incident has been reported to appropriate authorities and law enforcement is investigating the attack. The breach report submitted to the Department of Health and Human Services’ Office for Civil Rights indicates 3,731 plan members have been impacted by the incident.

The post 3,700 Rise Wisconsin Plan Participants Potentially Impacted by Ransomware Attack appeared first on HIPAA Journal.