HIPAA Breach News

Confluence Health Informs Patients of Phishing Incident

Confluence Health, a not-for-profit health system that operates Central Washington Hospital, Wenatchee Valley Hospital and a dozen satellite clinics in Central and North Central Washington, has experienced a data security incident involving an employee’s email account that may have resulted in unauthorized access to patients’ protected health information.

The security breach was discovered on May 29, 2018. A digital forensics firm was called in to conduct an investigation, which revealed the email account had been accessed by an unauthorized individual on May 28 and May 30, 2018.

The email account contained only a limited amount of protected health information, and no highly sensitive data such as Social Security numbers or financial information was exposed. Patients impacted by the incident had information such as their names and treatment information exposed.

Confluence Health had multiple security solutions in place to prevent unauthorized account access and staff had received security awareness training, yet those measures were bypassed by the attacker.

While PHI access was possible, the investigation uncovered no evidence to suggest that PHI had been stolen and no reports have been received by Confluence Health to suggest there has been any misuse of PHI.

Patients affected by the breach have been notified by mail and additional safeguards have now been implemented to improve the security of its email system and ensure that any suspicious email and network activity is detected more rapidly in the future.

The breach has been reported to the Department of Health and Human Services’ Office for Civil Rights, although the number of patients impacted by the incident has not yet been publicly disclosed.

The incident is the latest in a spate of phishing attacks on healthcare organizations. In the past two months, phishing incidents have been reported by Sunspire Health in New Jersey, The Alive Hospice in Tennessee, the Terteling Co., Inc., Group Benefit Plan in Idaho, and Boys Town National Research Hospital. The latter incident was the eighth largest breach of 2018 and the largest breach at a pediatric hospital. The incident impacted more than 105,300 patients.

The post Confluence Health Informs Patients of Phishing Incident appeared first on HIPAA Journal.

Lane County Health and Human Services and New England Dermatology Alert Patients to PHI Exposure

The medical records of more than 17,000 patients have been exposed in two recent incidents in Oregon and Massachusetts.

Lane County Health and Human Services Alerts Patients to Loss of PHI

Lane County Health and Human Services in Oregon is notifying more than 700 patients that some of their protected health information has been lost and has potentially been destroyed.

49 boxes containing patient files were moved to a temporary storage facility while the Charnelton Clinic in Eugene was being renovated. During a routine search, the boxes of files were discovered to be missing from the storage facility on June 19.

Multiple teams conducted further searches for the missing boxes but they could not be located. Lane County Health and Human Services suspects the boxes of files have been destroyed along with other paperwork as part of its normal document management practice for non-medical records. However, it has not been possible to confirm whether that was definitely the case.

The files contained information such as patients’ full names, addresses, telephone numbers, medical histories and Social Security numbers. 566 files related to patients of Community Health Centers in Lane County, and 149 files were Lane County Developmental Disabilities client files.

Patients have been notified about the breach and an offer has been made to reimburse patients for 6 months’ membership of an accredited credit monitoring service. Lane County Health and Human Services has reviewed its record storage policies and procedures and has now obtained specialized, secure medical records storage services to ensure that similar breaches are prevented in the future.

16,154 Patients of New England Dermatology Informed of Possible Exposure of PHI

16,154 patients of New England Dermatology have been informed that some of their PHI may have been disposed of incorrectly.

Boxes of paper records were disposed of without the records first being rendered unreadable and undecipherable, as is required by HIPAA. Normally, paper records containing patients’ protected health information are shredded prior to disposal. In this case, New England Dermatology believes that the records were collected by its waste contractor before they were shredded.

New England Dermatology was not able to determine exactly what records were disposed of insecurely, so as a precaution, all patients who had visited its Northampton office between June 10, 2013 and May 23, 2018 have been notified about the potential exposure of their PHI.

The paperwork contained information such as names, mailing addresses, and health information recorded during visits to the office. Highly sensitive information such as bank account details, credit and debit card information, medical insurance details, and Social Security numbers were not exposed at any point.

New England Dermatology has since updated its waste disposal policies to prevent similar incidents from occurring in the future and further training has been provided to employees and its contractors.

Flowers Hospital Proposes $150,000 Settlement for 2014 Data Breach

A class action lawsuit filed in the wake of an employee-related data breach at Flowers Hospital in Dothan, Alabama in 2014 is heading towards being settled. The settlement has yet to receive final court approval, although approval seems likely and a resolution to this four-year legal battle is now in sight.

In contrast to most class action lawsuits filed over the exposure/theft of PHI, this case involved the theft of data by an insider rather than a hacker. Further, the former employee used PHI for identity theft and fraud and was convicted of those crimes.

The breach in question involved a former lab technician, Kamarian D. Millender, who was found in possession of paper records containing patients’ protected health information. Millender admitted to using the information for identity theft and for filing false tax returns in victims’ names. In December 2014, Millender was sentenced to serve two years in jail.

In the class action lawsuit, filed the same year, it was claimed that between June 2013 and December 2014, paper records were left unprotected and unguarded at the hospital and could have been taken by employees or third parties. In the case of Millender, that is exactly what happened.

Flowers Hospital attempted to have the lawsuit dismissed, although that attempt failed and the lawsuit was awarded class action status in 2017. The decision has now been taken to settle the case. The hospital has offered a fund of up to $150,000 to cover out-of-pocket expenses incurred by the 1,208 victims of the breach. The settlement would provide each class member with up to $250, although claims up to a total value of $5,000 would be considered.

In order to be eligible to receive the compensation, class members would need to submit valid claims. A valid claim would require a breach victim to prove that they purchased credit monitoring or identity theft protection services in response to being notified about the breach.

Additionally, breach victims would be allowed to claim money for the time they spent arranging those services – up to four hours of documented lost time – the cost of obtaining credit reports, and any un-reimbursed interest on a tax refund that was delayed because a fraudulent tax return was filed between June 2013 and the claims deadline. The settlement does not include any punitive damages.

In the event that valid claims are received, and the total claims amount exceeds the allocated $150,000, all claims would be reduced, pro rata, so that the total claims value would not exceed $150,000.

Blue Springs Family Care Ransomware Attack Impacts 45,000 Patients

Blue Springs Family Care in Missouri has experienced a ransomware attack that has resulted in the encryption of sensitive data.

The attack was detected by the healthcare provider’s computer vendor on May 12, 2018. An investigation was launched the same day by the computer vendor with assistance provided by a contracted third-party computer forensics firm.

Unlike many ransomware attacks, in which a single ransomware variant is downloaded and files are encrypted indiscriminately, in this case the attacker gained access to Blue Springs Family Care systems and installed a variety of malicious software programs in addition to the ransomware.

Those malware programs would have given the attacker full access to all Blue Springs Family Care computer systems, including all patients’ protected health information. At the time of issuing notifications to patients, Blue Springs Family Care had not received any reports to suggest that any PHI had been stolen or misused by the attacker. However, data access and data theft could not be ruled out.

The types of information potentially accessed included full names, home addresses, dates of birth, Social Security numbers, account numbers, driver’s license numbers, disability codes, and diagnoses.

The computer forensics firm was able to quarantine the entire system and prevent any further unauthorized data access. New software has now been installed which monitors for unauthorized access, and a new intrusion prevention system has also been implemented, which includes a new firewall.

Additionally, Blue Springs Family Care is changing over to a new electronic medical record system that encrypts all data at rest. Encryption at rest protects PHI if storage media or backups are stolen, but it does not by itself stop an attacker who, as in this incident, has gained full access to a running system and can read records through the applications that decrypt them; access controls and monitoring remain the primary defenses against that scenario.

The breach report submitted to the Department of Health and Human Services’ Office for Civil Rights indicates 44,979 patients were affected by the breach.

Boys Town National Research Hospital and NorthStar Anesthesia Discover PHI Compromised in Phishing Attacks

The phishing attacks on healthcare organizations continue… The past few days have seen two further healthcare organizations announce that email accounts were breached when employees responded to phishing emails.

Email Account Compromised at Boys Town National Research Hospital

Boys Town National Research Hospital (Boys Town), an Omaha, NE hospital specializing in pediatric deafness, visual and communication disorders, has announced that a recent phishing campaign has resulted in the email account of an employee being accessed by an unauthorized individual.

Boys Town first became aware of a security breach on May 23, 2018 when unusual email account activity was detected. Computer forensics experts were called in to investigate and a breach was confirmed to have occurred on May 23.

Boys Town painstakingly examined the account email-by-email to determine which patients potentially had their PHI exposed and the amount of PHI that was potentially compromised.

The breach was confirmed as being confined to a single email account, which contained sensitive information of current and former patients and employees.

The information in the email account varied by individual, but may have included names, dates of birth, Social Security numbers, driver’s license numbers, employer ID numbers, health insurance information, disability codes, birth certificate information, marriage certificate information, passport information, banking and other financial information, medical record numbers, usernames and passwords, Medicare/Medicaid ID numbers, diagnosis and treatment information, and billing/claims information.

No evidence of data exfiltration was uncovered, although it is possible that PHI was accessed and potentially obtained. Individuals impacted by the incident have been offered complimentary identity theft protection services for 12 months. A review of policies and procedures is being conducted and additional safeguards will be implemented to help prevent further phishing attacks.
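Scoping a compromised mailbox the way Boys Town describes means deciding, message by message, which identifiers were exposed and whose. The following is an added illustrative example and is not Boys Town’s, NorthStar’s or HIPAA Journal’s code: it triages a small set of constructed messages for Social Security numbers (validated against the SSA’s structural rules so that order numbers and test values are not counted), medical record numbers, dates of birth and clinical vocabulary, and returns a per-message breakdown plus a de-duplicated, masked tally. The message layout, the MRN format and the keyword list are assumptions.

```python
"""Scope a compromised mailbox for PHI identifiers.

Added illustrative example, not the code of any organization named in
the article. Messages, patterns and the MRN format are assumptions.
"""
import json
import re

# SSN structural rules: area 001-899 but not 666, group 01-99, serial 0001-9999.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Assumed local MRN format: "MRN" followed by 6-10 digits.
MRN_RE = re.compile(r"\bMRN[:\s#]*(\d{6,10})\b", re.IGNORECASE)
DOB_RE = re.compile(r"\b(?:DOB|date of birth)[:\s]*(\d{1,2}/\d{1,2}/\d{4})\b",
                    re.IGNORECASE)
# Weaker signal: clinical vocabulary that marks a message as treatment-related.
CLINICAL_RE = re.compile(
    r"\b(?:diagnos\w*|treatment|prescri\w*|lab results?|referral)\b", re.IGNORECASE)

# Constructed sample messages, not real mail.
SAMPLE_MAILBOX = [
    {"id": "msg-001", "body": "Referral for patient MRN 00483921, DOB 03/14/1962. "
                              "SSN 219-09-4521 is on file for billing."},
    {"id": "msg-002", "body": "Are we still on for lunch Friday?"},
    {"id": "msg-003", "body": "Claim follow-up: MRN 00483921 denied pending diagnosis code."},
    {"id": "msg-004", "body": "Payroll change for new hire, SSN 578-33-1102."},
    {"id": "msg-005", "body": "Order ref 666-21-0099 and PO 000-12-3456 shipped."},
]


def mask_ssn(ssn):
    """Keep only the last four digits so the report itself is not a new exposure."""
    return "***-**-" + ssn[-4:]


def triage_message(body):
    """Return the PHI identifiers found in one message body (empty dict if none)."""
    found = {
        "ssn": sorted(set(SSN_RE.findall(body))),
        "mrn": sorted(set(MRN_RE.findall(body))),
        "dob": sorted(set(DOB_RE.findall(body))),
        "clinical_terms": bool(CLINICAL_RE.search(body)),
    }
    return {k: v for k, v in found.items() if v}


def triage_mailbox(messages):
    """Aggregate per-message findings into the numbers a notification decision needs."""
    per_message = {}
    unique_ssn, unique_mrn = set(), set()
    for msg in messages:
        hits = triage_message(msg["body"])
        if not hits:
            continue
        unique_ssn.update(hits.get("ssn", []))
        unique_mrn.update(hits.get("mrn", []))
        if "ssn" in hits:                      # never echo full SSNs in the report
            hits["ssn"] = [mask_ssn(s) for s in hits["ssn"]]
        per_message[msg["id"]] = hits
    return {
        "messages_with_phi": sorted(per_message),
        "per_message": per_message,
        "unique_ssn_masked": sorted(mask_ssn(s) for s in unique_ssn),
        "unique_mrn": sorted(unique_mrn),
        "individuals_with_ssn_exposed": len(unique_ssn),
    }


if __name__ == "__main__":
    print(json.dumps(triage_mailbox(SAMPLE_MAILBOX), indent=2))
```

On the constructed mailbox the report flags three of the five messages, counts two distinct SSNs and one MRN, and ignores the order and PO numbers in msg-005 even though they look like SSNs at a glance. In practice the message list would come from a mailbox export, and the regexes would be extended with the identifiers the organization actually uses (insurance member IDs, claim numbers).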

NorthStar Anesthesia Discovers Multiple Email Accounts Accessed by Unauthorized Individuals

An email phishing campaign targeting Irving, TX-based NorthStar Anesthesia, a provider of outsourced anesthesia services, was conducted between April 3 and May 24, 2018. The phishing campaign was identified on May 23, 2018, and access to all compromised accounts was blocked on May 24, 2018.

Third-party forensic investigators were called in to assist with the investigation and determine the extent of the attack and whether emails containing patients’ protected health information were accessed. The investigators determined that the compromised email accounts contained a range of protected health information which included names, health insurance application or claims information, birth dates, health insurance policy/subscriber numbers, taxpayer ID numbers, IRS identity protection numbers, medical histories, diagnosis and treatment information, medical record numbers, and for a limited number of individuals, Social Security numbers.

NorthStar Anesthesia is implementing additional safeguards to prevent further phishing attacks and affected individuals have been offered complimentary credit monitoring and identity restoration services for two years.

Golden Heart Administrative Professionals Ransomware Attack Impacts 44,600 Patients

Golden Heart Administrative Professionals, a Fairbanks, AK-based billing company and business associate of several healthcare providers in Alaska, is notifying 44,600 individuals that some of their protected health information has potentially been accessed by unauthorized individuals as a result of a recent ransomware attack.

The ransomware was downloaded to a server containing the PHI of patients. According to a press release issued by the company, “All client patient information must assume to be compromised.”

Local and federal law enforcement agencies have been notified about the cyberattack and efforts are continuing to recover files.

The Golden Heart Administrative Professionals ransomware attack is the largest data breach reported by a healthcare organization in July, and the second major data breach reported by an Alaska-based healthcare organization that month.

In early July, the Alaska Department of Health and Social Services announced that it had suffered a data breach as a result of a malware infection. The Zeus/Zbot Trojan – an information stealer – had been downloaded which potentially allowed the attackers to gain access to the protected health information of ‘more than 500’ individuals.

Recent reports suggest ransomware attacks are declining, with many cybercriminal gangs switching operations to cryptocurrency mining; however, there does not appear to be any let up in ransomware attacks on healthcare organizations.

Last week, LabCorp, the national network of clinical testing laboratories, experienced a SamSam ransomware attack. The attack was detected within 50 minutes and systems were shut down to prevent widespread file encryption. The ransomware was downloaded following a brute force remote desktop protocol (RDP) attack. It is not currently known how many patients have been impacted by the attack, although some reports suggest millions of patients’ PHI may have been compromised.

On Monday, July 9, Cass Regional Medical Center in Harrisonville, MO, experienced a ransomware attack that resulted in its communications system and electronic medical record system being taken out of action. The medical center took the decision to redirect ambulances for stroke and trauma victims to alternate healthcare facilities. As with the LabCorp attack, the ransomware was downloaded to the server following a brute force RDP attack. The electronic medical record systems remained offline for 10 days as a result of the attack.
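Both the LabCorp and Cass Regional attacks began with password guessing against an exposed RDP service, and that pattern is visible in the Windows Security log well before any ransomware runs. The block below is an added illustrative example, not code from HIPAA Journal, LabCorp or Cass Regional Medical Center: it scans already-parsed Security events (constructed inline) for a burst of failed RemoteInteractive logons (Event ID 4625, LogonType 10) from one source address inside a short window, and raises a higher-severity alert when a successful logon (Event ID 4624) from that address follows the burst, which is the moment the guessing has paid off. The window and threshold values are assumptions to be tuned for the environment.

```python
"""Detect RDP password-guessing in Windows Security log events.

Added illustrative example, not the code of any organization named in
the article. Sample events, WINDOW and THRESHOLD are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGON = 4625
SUCCESS_LOGON = 4624
REMOTE_INTERACTIVE = 10          # LogonType for RDP / Terminal Services
WINDOW = timedelta(minutes=5)    # assumed tuning value
THRESHOLD = 20                   # assumed tuning value


def _sample_events():
    """Constructed sample events, not real log data."""
    burst = [{"time": f"2018-07-09T02:{i // 60:02d}:{i % 60:02d}",
              "event_id": FAILED_LOGON, "logon_type": REMOTE_INTERACTIVE,
              "src_ip": "203.0.113.45", "user": f"user{i % 7}"}
             for i in range(0, 120, 5)]            # 24 failures in 2 minutes
    return burst + [
        {"time": "2018-07-09T02:02:10", "event_id": SUCCESS_LOGON,
         "logon_type": REMOTE_INTERACTIVE, "src_ip": "203.0.113.45",
         "user": "admin"},                         # guessing succeeded
        {"time": "2018-07-09T02:03:00", "event_id": FAILED_LOGON,
         "logon_type": REMOTE_INTERACTIVE, "src_ip": "198.51.100.7",
         "user": "jdoe"},                          # one typo, benign
        {"time": "2018-07-09T02:03:30", "event_id": FAILED_LOGON,
         "logon_type": 2, "src_ip": "10.0.0.9",
         "user": "nurse1"},                        # console logon, not RDP
    ]


SAMPLE_EVENTS = _sample_events()


def detect_rdp_bruteforce(events, window=WINDOW, threshold=THRESHOLD):
    """Return alerts, one per (src_ip, kind), the first time each fires.

    "bruteforce": `threshold` RDP failures from one address inside `window`.
    "bruteforce_success": an RDP success from an address still over threshold.
    """
    failures = defaultdict(deque)     # src_ip -> timestamps of recent failures
    fired = set()
    alerts = []

    for ev in sorted(events, key=lambda e: e["time"]):
        if ev.get("logon_type") != REMOTE_INTERACTIVE:
            continue                  # only RDP logons matter here
        ts = datetime.fromisoformat(ev["time"])
        ip = ev["src_ip"]
        q = failures[ip]
        while q and ts - q[0] > window:   # age out failures beyond the window
            q.popleft()

        if ev["event_id"] == FAILED_LOGON:
            q.append(ts)
            if len(q) >= threshold and (ip, "bruteforce") not in fired:
                fired.add((ip, "bruteforce"))
                alerts.append({"kind": "bruteforce", "src_ip": ip,
                               "failures": len(q), "at": ev["time"]})
        elif ev["event_id"] == SUCCESS_LOGON and len(q) >= threshold:
            # A valid logon right after a guessing burst: the attacker now
            # has an interactive session on the host.
            if (ip, "bruteforce_success") not in fired:
                fired.add((ip, "bruteforce_success"))
                alerts.append({"kind": "bruteforce_success", "src_ip": ip,
                               "user": ev["user"], "at": ev["time"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(alert)
```

Against the constructed events the detector fires once when the twentieth failure arrives and again on the following success for the `admin` account, while the single mistyped password and the console logon produce nothing. Real events would be pulled from the Security channel (for example with Get-WinEvent) or a SIEM; the same per-source sliding window applies, and account lockout plus removing RDP from the internet edge are the controls that make the alert rare.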

New York Physician Notifies Patients of Exposure of their PHI

A New York physician has started notifying patients that their protected health information has been exposed and has potentially been accessed by unauthorized individuals.

Ruben U. Carvajal, MD was alerted to a possible privacy breach on January 3, 2018 and was informed that some of his patients’ health information was accessible over the Internet. An investigation into the possible privacy breach was launched and the matter was reported to the New York Police Department and the Federal Bureau of Investigation (FBI).

FBI investigators visited his office and examined his computer. On February 18, 2018, the FBI confirmed that the EMR program on his computer had been accessed by an unauthorized individual. A forensic investigator was called in to conduct a thorough investigation to determine the nature and scope of the breach.

On May 22, 2018 the forensic investigator determined that the physician’s computer had been accessed by an unauthorized individual between December 16, 2017 and January 3, 2018.

Any individual who gained access to the physician’s computer could have gained access to the EMR system. The forensic investigation did not confirm whether the program was accessed, but based on the FBI’s findings it can be assumed that it was.

The types of information that were potentially viewed and/or copied included names, addresses, birthdates, medical histories, diagnoses, treatment information, lab test results, medications, health insurance details, and claims information. Patients that receive Medicare also had their Medicare ID numbers and Social Security numbers exposed.

Dr. Carvajal started notifying patients about the breach on July 17, 2018 and patients have been offered complimentary credit monitoring and identity theft protection services. Steps have now been taken to improve security to prevent similar breaches from occurring in the future.

The incident has yet to appear on the Department of Health and Human Services’ Office for Civil Rights breach portal so it is currently unclear how many patients have been impacted by the data breach.

Investigation Launched Over Snapchat Photo Sharing at M.M. Ewing Continuing Care Center

Employees of a Canandaigua, NY nursing home have been using their smartphones to take images and videos of at least one resident and share the content with others via Snapchat – a violation of HIPAA and a serious violation of patient privacy.

The privacy breaches occurred at Thompson Health’s M.M. Ewing Continuing Care Center and involved multiple employees. Thompson Health has already taken action and has fired several workers over the violations. Now the New York Department of Health and the state attorney general’s office have got involved and are conducting investigations.

The state attorney general’s Deputy Press Secretary, Rachel Shippee confirmed to the Daily Messenger that an investigation has been launched, confirming “The Medicaid Fraud Control Unit’s mission includes the protection of nursing home residents from abuse, neglect and mistreatment, including acts that violate a resident’s rights to dignity and privacy.”

Thompson Health does not believe the images/videos were shared publicly and sharing was restricted to a group of employees at the care center. Thompson Health is contacting the families of the residents impacted by the breach to offer an apology.

This is not the first time that Thompson Health has discovered an employee had taken pictures and videos without people’s knowledge. In January, a camera was discovered in a unisex bathroom at Thompson Hospital. When the camera was taken down it was discovered that the memory card had been removed. The matter was reported to law enforcement, although the employee responsible has not been identified.

M.M. Ewing Continuing Care Center is far from the only nursing home to discover that residents have been photographed and videoed without consent with videos and images shared on social media networks.

An investigation into the sharing of images of abuse of nursing home residents was launched by ProPublica in 2015. The investigation revealed the practice was commonplace, with several nursing home employees discovered to have performed similar acts. The investigation revealed there had been 22 cases of photo sharing on Snapchat and other social media platforms and 35 cases in total since 2012.

More recently, a nursing assistant at the Parkside Manor assisted-living facility in Kenosha, WI, was discovered to have taken photos of an Alzheimer’s patient and posted the images on Snapchat. When the violation was discovered, the nursing assistant was fired for the HIPAA breach.

The high number of cases involving these types of HIPAA violations prompted the CMS to take action in 2016. The CMS sent a memo to state health departments reminding them of their responsibilities to ensure nursing home residents were not subjected to any form of abuse, including mental abuse such as the taking of demeaning and degrading photos and videos and having the multimedia content shared on social media networks.
