A round up of healthcare data security incidents reported in the past few days that have resulted in the protected health information of patients being obtained by unauthorized individuals.

Blue Cross Blue Shield of Illinois Discovers PHI was Provided to an Imposter

Blue Cross Blue Shield of Illinois has discovered the protected health information of some plan members has been disclosed to a doctor who was impersonating another physician. The doctor was employed by its business associate Dane Street and conducted peer to peer reviews for the firm – Further reviews when requests for services have been denied by an insurance company.

Dane Street was notified by law enforcement on April 9, 2018 that the doctor had been fraudulently impersonating another physician in order to perform peer to peer reviews. Those reviews required the doctor to view information such as names, addresses, dates of birth, phone numbers, medical service information, and Social Security numbers.

Since Social Security numbers were disclosed, affected patients have been offered complimentary credit monitoring services for one year. Dane Street no longer employs the doctor the matter is in the hands of law enforcement.

Dane Street has implemented additional credentialing procedures to prevent incidents of this nature from occurring in the future.

Around 3,000 Patients of Quality Care Pharmacy Notified of PHI Exposure

Approximately 3,000 patients of Quality Care Pharmacy in San Marcos, CA have been notified that some of their protected health information has been obtained by thieves.

Professional thieves targeted the pharmacy, located in a San Marcos strip mall, and stole hundreds of thousands of dollars of medications and a computer containing unencrypted protected health information. According to a 10News report, the thieves also drilled the safe and stole its contents and managed to circumvent all security measures put in place by the pharmacy.

Security protections had been improved following two previous burglaries at the pharmacy, although they proved insufficient to prevent the break-in.

Patients impacted by the breach have now been notified by mail, although it allegedly took nine weeks for some patients to receive their notification letters.

Hacker Gain Access to Elmcroft Senior Living Inc., Servers

A hacker has gained access to servers used by Elmcroft Senior Living Inc., and potentially viewed and copied the protected health information of patients and current and former residents. The breach occurred on May 10, 2018 and was detected two days later on May 12.

The types of information potentially accessed includes residents’ names, names of family members, birth dates, addresses, demographic information, and Social Security numbers. The PHI of former residents and patients of its healthcare facilities were also potentially accessed. All individuals affected by the breach have been notified and offered credit and identity theft monitoring services.

Care Partners Hospice and Palliative Care Reports Email Breach

The PHI of 600 patients of Care Partners Hospice and Palliative Care has potentially been accessed by an unauthorized individual who gained access to the email account of one of its employees.  The breach was detected on April 11, 2018 prompting a full investigation. A third-party cybersecurity expert was called in to assist with the investigation and determine how access to the email account was gained and which patients were potentially affected.

Data theft was not confirmed, although could not be ruled out with a high degree of certainty. The breach was limited to the email account and no other systems were compromised. No reports have been received to suggest any information in the email account has been misused.

The incident has prompted Care Partners Hospice and Palliative Care to augment its email security protections and improve system and network security.

The post Impostor, Burglar, and Hackers Obtain PHI of Patients appeared first on HIPAA Journal.

Dignity Health has discovered multiple data breaches and violations of HIPAA Rules in the past few weeks. One incident involved an employee accessing the PHI of patients without authorization, an error occurred that allowed a business associate to receive PHI without a valid BAA being in place, and most recently, a 55,947-record unauthorized access/disclosure incident has been reported to the Department of Health and Human Services’ Office for Civil Rights (OCR).

Business Associate Agreement Error Discovered

On May 10, 2018, Dignity Health notified OCR of a data breach affecting patients of its St. Rose Dominican Hospitals at the San Martin, Siena, and Rose de Lima campuses in Nevada. Dignity Health reports that on April 6, 2018, St Rose Dominican Hospitals shared the protected health information of 6,036 patients with a third-party contractor to process health-related court documents for hearings.

The contractor had been used for ten years and a valid business associate agreement was previously in place; however, that document had expired and data continued to be shared with the contractor due to a clerical error. Dignity Health reports that the manner in which the PHI was shared did not differ in any way to when the BAA was in place.

The matter has been rectified and further controls have been put in place to prevent similar errors from occurring in the future.

Inappropriate Accessing of PHI by St. Joseph’s Hospital and Medical Center Employee

On June 2, Dignity Health’s St. Joseph’s Hospital and Medical Center announced it had discovered an employee had been accessing the health information of patients without authorization for five months. During that time, portions of 229 patients’ records were inappropriately accessed.

The inappropriate accessing of health information was discovered during periodic review of PHI access logs. That review revealed one employee had been accessing patients’ health information from October 13, 2017 to March 29, 2018. During that time, the records of 229 patients were accessed.

The types of information that could have been viewed by the employee were restricted to names, dates of birth, demographic information, physicians’ and nurses’ notes and diagnostic information. The accessing of the information appears to have taken place out of curiosity rather than malicious intent.

Since no financial data or Social Security numbers were accessed, patients have been told they do not need to take any actions to protect their identities. Notifications have been issued as a precaution and to satisfy the requirements of HIPAA.

Dignity Health reports that appropriate disciplinary action has been taken against the employee for the violation of hospital policies and HIPAA Rules.

55,947-Record Email Breach Reported

On May 31, Dignity Health submitted a breach report to OCR that has been listed as an unauthorized access/disclosure incident involving email. The breach report indicates there was some business associate involvement in the incident, although no further information on the breach is currently available.

HIPAA Journal has contacted Dignity Health for clarification on the nature of the breach, although a response has yet to be received. This post will be updated when further information becomes available.

The post Multiple Data Breaches Reported by Dignity Health appeared first on HIPAA Journal.

Two security breaches have been discovered by Purdue University’s security team that have potentially resulted in unauthorized individuals gaining access to the protected health information of patients.

In April, Purdue University’s security team discovered a file on computers used by Purdue University Pharmacy indicating the devices had been remotely accessed by an unauthorized individual. The file was placed on the devices around September 1, 2017.

The computers contained a limited amount of protected health information including patients’ names, dates of birth, dates of service, identification numbers, internal identification numbers, diagnoses, treatment information, and amounts billed. No personal financial information or Social Security numbers were stored on the computer.

An investigation into the breach did not uncover any evidence to suggest any patient information was stolen and no reports have been received to suggest any patient data have been misused. However, since it was not possible to rule out unauthorized PHI access with a high degree of certainty, patients have been notified of the breach.

During the course of the investigation, the security team also discovered a malware infection on a computer used by Family Health Clinic of Carrol County in Delphi, IN. The malware was detected on May 4. The investigation revealed it has been installed on the computer on or around March 15, 2018.

The type of malware used in the attack was not disclosed, although it is possible it allowed unauthorized individuals to gain access to PHI.

Information stored on the computer included patients’ names, health insurance numbers, and some patients’ driver’s license numbers and Medicare numbers. While data access was possible, no evidence was uncovered to suggest any PHI was viewed or stolen in the attack, although since this could not be totally ruled out patients have been notified. Patients whose driver’s license number and/or Medicare number were exposed have been offered free credit monitoring services for a year.

The breaches have prompted Purdue University’s security team to implement additional security controls and enhance monitoring. The network will also be segmented and full drive encryption will be implemented.

The post Purdue University Uncovers Data Security Incidents that Potentially Compromised PHI appeared first on HIPAA Journal.

Aultman Health Foundation, which runs Aultman Hospital in Canton, OH, is notifying approximately 42,600 patients that some of their protected health information may have been compromised as a result of a phishing attack.

Unauthorized and unknown individuals succeeded in gaining access to several email accounts used by employees of Aultman Hospital, its AultWorks Occupational Medicine division, and certain Aultman physician offices.

The unauthorized access was first detected on March 28, 2018 prompting a full investigation to determine the scope of the breach and whether any sensitive information was potentially accessed. Third-party information security experts were engaged to assist with the investigation and determined access to the email accounts occurred on several occasions starting in mid-February and continued until the breach was detected and remediated in late March.

The breach was limited to email accounts. The system that stores electronic medical records was not compromised. Email accounts used by Aultman hospital and certain physician practices contained names, addresses, clinical information, medical record numbers, and physicians’ names.

Individuals tested by AultWorks Occupational Medicine had a greater range of information exposed including name, address, date of birth, medical history, reports on physical examinations, the results of drug, hearing, and breathing tests, and other lab test results. Certain AultWorks Occupational Medicine patients also had their driver’s license number and/or Social Security number exposed. Social Security numbers were only exposed in cases where employers use Social Security numbers to identify employees/potential employees.

When the phishing attack was discovered Aultman Health Foundation performed a password reset to prevent any further unauthorized accessing of email accounts and ensured only strong, complex passwords could be set. Security monitoring has been improved to detect any future breaches more quickly and further security controls have been applied to email accounts to block future attacks. Employees have also been provided with further training to improve resilience to phishing attacks.

Aultman Health Foundation explained in a security breach FAQ that it was not possible to determine whether emails and email attachments containing PHI were opened and read by the individual(s) behind the attack; however, no reports have been received to date to suggest any information in the accounts has been misused.

All patients impacted by the incident have been advised to check their credit reports and Explanation of Benefits statements carefully for any sign of fraudulent use of their information and individuals whose driver’s license number or Social Security number were exposed have been offered complimentary credit monitoring services.

The post 42,600 Patients Potentially Impacted by Aultman Health Foundation Phishing Attack appeared first on HIPAA Journal.

Rochester, MN-based Associates in Psychiatry and Psychology (APP) has experienced a ransomware attack that affected several computers containing patients’ protected health information.

The ransomware attack was discovered on March 31, 2018. Patient information stored on the affected computers was not in a “human-readable” format, and no evidence was uncovered to suggest any protected health information was accessed or copied by the attackers.

Since it was not possible to rule out data access with 100% certainty, all patients whose data were stored on the affected devices have been notified of the security breach. The types of information potentially accessed includes names, birth dates, addresses, Social Security numbers, insurance information, and treatment records.

APP acted promptly when the attack was discovered and took its systems offline to prevent the spread of the ransomware and limit the potential for further encryption of data and data theft. APP’s systems remained offline for four days while the attack was assessed.

APP notes in its Q&A about the incident that the attack is believed to have commenced between the evening of Friday, March 30 and the morning of Saturday, March 31. The type of ransomware used in the attack was “Triple-M.” APP explained that this variant of ransomware uses the RSA-2048 encryption protocol and extremely long keys to encrypt data. The system restore function was also disabled and the attackers reformatted the network storage device that was used to store backups.

APP’s IT Director, Steve Patton, confirmed to databreaches.net that the ransom was paid as it was not possible to restore files from backups due to the actions taken by the attackers. Initially, a ransom demand of 4 Bitcoin was issued – Around $30,000 – although the practice managed to negotiate with the attackers and paid 0.5 BTC (approx. $3,758) for the keys to recover the encrypted data.

All systems and data have now been restored, additional layers of security and encryption have been implemented, and APP’s remote access policies have been updated.

According to the breach report submitted to the Department of Health and Human Services’ Office for Civil Rights, 6,546 patients were potentially impacted. APP notes that there was clear evidence that protected health information was not viewed by the attackers; however, as a precautionary measure, APP has suggested affected individuals monitor their credit reports for any sign of fraudulent use of their information.

The post More than 6,500 Patients Potentially Impacted by Minnesota Ransomware Attack appeared first on HIPAA Journal.

Allied Physicians Group of Michiana has experienced a ransomware attack that took part of its network out of action.

The attack occurred on Thursday May 17, 2018 and resulted in the encryption of several files on its network. It is currently unclear whether any protected health information encrypted. An investigation into the security incident is continuing to determine whether any protected health information was compromised in the attack.

The attack was detected promptly and action was immediately taken to shut down its network to protect the PHI of patients. Allied Physicians Group of Michiana has been working with its incident responder, outside counsel, and other professionals to determine the scope of the breach and recover encrypted data.

The Indiana Physicians Group reports that all data have now been recovered in a secure format and the attack did not cause significant disruption to patients. Steps have already been taken to improve security and prevent future attacks of this nature from occurring.

CEO Shery Roussarie explained in a May 21 press release that the attack involved a variant of SamSam ransomware, which has been used in several cyberattacks so far this year, including the ransomware attack on the City of Atlanta.

The cybercriminal gang behind these SamSam ransomware attacks attempts to extort money from victims with ransom payments typically in the region of $45,000. While a ransom payment was issued by the attackers, it is not clear how much the ransom was and whether it was paid. In the press release Roussarie said, “The Company declines to confirm whether a ransom was paid or, if so, the amount.”

Allied Physicians Group of Michiana is working with the FBI and all relevant regulatory agencies to thoroughly define the scope of the incident. Further information will be released when it becomes available and patients will be notified if their PHI was compromised.

The post Indiana Physicians Group Suffers SamSam Ransomware Attack appeared first on HIPAA Journal.