HIPAA Breach News

MedEvolve Notifies Patients of PHI Exposure Through Unsecured FTP Server

MedEvolve, a provider of electronic billing and record services to healthcare providers, has announced that an FTP server used by the firm had been left unsecured between March 29, 2018 and May 4, 2018.

The FTP server contained a file that included the protected health information of patients. On March 29, the day that the protection was removed, the file was accessed by an unauthorized individual. MedEvolve discovered the breach on May 11, 2018.

According to the breach notice submitted to the California Attorney General, the file contained the data of patients of Premier Immediate Medical Care.

MedEvolve did not say in the breach notice how many patients had been affected, and the incident has yet to appear on the Department of Health and Human Services’ Breach Portal. However, in May, databreaches.net was alerted to the exposure by a security researcher who discovered the unprotected FTP server. According to that report, the file contained approximately 205,000 lines of patient data, each corresponding to a different patient, and more than 11,000 Social Security numbers were included in the data.

Patient information from a second client, Beverly L. Held, M.D., a Corpus Christi dermatologist, was also present on the server in three separate .dat files, according to the databreaches.net report. Those files allegedly included an estimated 12,000 Social Security numbers. No mention of this client was made in the MedEvolve breach notice.

MedEvolve explained in its breach notice that names, billing addresses, telephone numbers, health insurer names, health insurance numbers, and Social Security numbers were present in the file. No financial data, treatment information or health data were exposed.

MedEvolve said that upon discovery of the breach, the FTP server was secured to prevent any further unauthorized access and a third-party forensic investigator was hired to conduct a full investigation. The investigation into the breach is ongoing and further security controls are being implemented to enhance the privacy and security of its information systems.

Due to the sensitive nature of the data that were exposed, MedEvolve is offering affected patients 24 months of complimentary credit monitoring services through myTrueIdentity, which includes up to $1,000,000 of identity theft insurance.

The post MedEvolve Notifies Patients of PHI Exposure Through Unsecured FTP Server appeared first on HIPAA Journal.

Cass Regional Medical Center EHR Out of Action Due to Ransomware Attack

Around 11am on Monday July 9, Cass Regional Medical Center in Harrisonville, MO, experienced a ransomware attack that affected its communication system and prevented staff from accessing its electronic health record (EHR) system.

The medical center had policies in place for such an emergency situation. Its incident response protocol was initiated within 30 minutes of the discovery of the attack and staff met to develop detailed plans to minimize the impact to patients.

Ransomware attacks typically do not involve the attackers gaining access to data, although as a precaution its EHR vendor – Meditech – shut down the EHR system while the attack was investigated and remediated. At this stage, no evidence has been uncovered to suggest patient data have been accessed.

As an additional precautionary measure, ambulances carrying trauma and stroke patients have been redirected to other medical facilities. Without access to the EHR system, staff resorted to pen and paper while the medical center’s IT staff worked to decrypt data and bring its systems back online. A leading international forensics firm was called in to assist with the remediation of the attack and on July 10, one day after the attack, around 50% of the encrypted files had been restored.

The type of ransomware used in the attack has not been disclosed and it is currently unclear exactly how the ransomware was installed on its systems. It is unknown whether the ransom was paid to obtain the keys to unlock the encryption or if files are being recovered from backups.

The EHR system remains offline while the investigation into the security breach is conducted. The third-party forensics firm will determine whether any patient data were accessed by the attackers prior to the system being brought back online. Cass Regional Medical Center expects the system to be brought back online within 72 hours. At this stage, trauma and stroke patients are still being diverted to other facilities.

The fast response to the attack and the minimal disruption to medical services underscore just how important it is to plan for ransomware attacks and to develop incident response procedures that can be implemented as soon as an attack is detected. Without such plans in place, valuable time can be lost at the most critical stage of the incident response process.

“I am extremely proud of our staff for the manner in which they have rallied to make sure we can still take the very best care of our patients,” said Chris Lang, CEO, in a post on the Cass Regional Medical Center Facebook page. “It has not been easy, but their dedication and can-do attitude is inspiring.”


Former Arkansas Children’s Hospital Employee Investigated Over Potential Theft of 4,500 Patients’ PHI

A former employee of Arkansas Children’s Hospital is being investigated by law enforcement over the theft and misuse of patients’ protected health information. According to the breach notice submitted to the Department of Health and Human Services’ Office for Civil Rights, the former employee potentially viewed and copied the PHI of up to 4,521 patients.

That individual was employed at Arkansas Children’s Hospital for 15 months between November 7, 2016 and February 6, 2018. During that time the employee was provided with access to patient health information to perform essential functions of the job.

On May 9, 2018, law enforcement notified Arkansas Children’s Hospital that an investigation had been launched over the possible theft of patients’ Social Security numbers and personal information and the misuse of that information for personal gain.

Arkansas Children’s Hospital immediately launched an investigation to determine the types of information that were potentially accessed and whether patients’ PHI had been accessed without authorization. While that internal investigation confirmed the types of information that were potentially accessed, it was not possible to determine whether the information was accessed for work purposes or other reasons.

Consequently, the incident has been treated as a data breach and all patients have now been notified of the possible theft and misuse of their PHI. The types of information potentially stolen include full names, dates of birth, addresses, contact telephone numbers, Social Security numbers, health insurance information, charge amounts, descriptions of services received, and some clinical information.

As a precaution against identity theft and fraud, all 4,521 patients have been offered complimentary credit monitoring and identity theft protection services for 12 months. Patients have been advised to monitor their credit reports, financial statements, and Explanation of Benefits statements for any sign of fraudulent activity.

The employee has been terminated and Arkansas Children’s Hospital has now implemented additional hiring controls and has retrained its employees on internal policies and procedures and HIPAA Rules covering the accessing of patient information.


PHI Stolen As a Result of Manitowoc County Phishing Attack

Manitowoc County in Wisconsin has announced that protected health information has been stolen as a result of a successful phishing attack. The incident occurred on or around January 14, 2018, although the attack and data breach were not discovered until April 24. While the account was immediately secured to prevent any further access, the attacker had well over two months to view and obtain sensitive data stored in the email account.

During the time that the attacker had email account access, emails sent to that account were diverted to a different email account to which Manitowoc County staff had no access. While County officials have not uncovered any evidence to suggest any of the information in the emails has been misused, they have similarly not been able to establish that sensitive data have not been misused or sold on.

The types of information that were stolen include names, telephone numbers, email addresses, addresses, and dates of birth. Individuals who received services through the County have also had their health information, insurance information, details of prescriptions, client ID numbers, diagnoses, and other treatment related information stolen by the attacker.

Manitowoc County has not publicly disclosed how many individuals have been impacted and the incident has yet to be listed on the Department of Health and Human Services’ Office for Civil Rights breach portal. However, Manitowoc County has now issued notifications to all individuals impacted by the phishing attack.

Breach victims have been warned that they should be alert to phishing emails that claim to be from Manitowoc County. County officials have confirmed that they will not send any emails or make calls to people impacted by this incident and request further personal information. Individuals impacted by the breach have also been told to be wary of any emails containing hyperlinks, to exercise caution opening any emails, and not to disclose sensitive information to individuals over the telephone.

The phishing attack has prompted the County to take further steps to enhance security controls and additional investments will be made in new protocols, technology and training to prevent further successful phishing attacks from occurring.


Sophisticated Cyber Spoofing Attack Reported by Humana

Humana is notifying members in several states that their PHI has potentially been accessed during a ‘sophisticated’ spoofing attack.

A spoofing attack is an attempt by a threat actor or bot to gain access to a system or data using stolen or spoofed login credentials. Humana became aware of the attack on June 3, when large numbers of failed login attempts were detected from foreign IP addresses. Prompt action was taken to block the attack, with the foreign IP addresses blocked from accessing its Humana.com and Go365.com websites on June 4.

Humana suggests “the nature of the attack and observed behaviors indicated the attacker had a large database of user identifiers (IDs).” It is possible the login credentials are old and that they were obtained in a separate third-party breach, although Humana notes that “the excessive number of log in failures strongly suggests the ID and password combinations did not originate from Humana.”

The website accounts did not contain Social Security numbers or financial information; however, the following types of information could potentially have been accessed by the attackers: Details of medical, dental, and vision claims, provider name, dates of service, services performed, charge amounts, paid amounts, spending account information, balance information, wellness information, and biometric screening data.

Humana says it has not uncovered any evidence to suggest any members’ data were stolen in the attack; however, as a precaution, all members whose accounts could potentially have been accessed have been offered 12 months of credit monitoring and identity theft protection services through the Equifax Credit Watch Gold service. A password reset has been performed on all accounts.

Humana is currently deploying new controls to improve the security of its websites and has implemented a new system for alerts of successful and failed login attempts.

This attack could simply be a brute force attempt to gain access to users’ accounts using only a username obtained in a previous breach and a list of possible passwords. To reduce the potential for such an attack resulting in unauthorized account access, strong, complex passwords should be used, and each password should be unique to the account rather than reused from any other account.

If possible, two-factor authentication should also be activated. This requires an additional piece of information – a code sent to a mobile phone for instance – to be entered when an unfamiliar device or IP attempts to gain access to an account.
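As an added example that is not Humana’s own detection logic, the detector below runs over constructed web login events and separates the pattern Humana described (many failures, each against a different user ID, from a small cluster of source IPs) from a classic single-account brute force attempt, then lists the accounts that saw a successful login from a flagged source and therefore need a forced password reset. The log line format, the TEST-NET sample addresses and the thresholds are all assumptions.

```python
"""Flag credential-stuffing and brute-force sources in web login events.

Constructed example for this article, not Humana's code. Geolocation of the
flagged sources (the "foreign IP" part of Humana's alert) is a separate
enrichment step and is not shown here.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class LoginEvent:
    ts: datetime
    user_id: str
    src_ip: str
    success: bool


def parse_line(line: str) -> LoginEvent:
    """Parse one constructed log line: '<ISO timestamp> <user_id> <src_ip> <OK|FAIL>'."""
    ts, user, ip, result = line.split()
    return LoginEvent(datetime.fromisoformat(ts), user, ip, result == "OK")


def classify_sources(events, window=timedelta(minutes=10),
                     min_failures=20, stuffing_ratio=0.8):
    """Return {src_ip: verdict} for sources with >= min_failures in one window.

    'credential_stuffing': failures are spread over many distinct user IDs
    (distinct IDs / failures >= stuffing_ratio), i.e. an attacker working
    through a list of leaked ID/password pairs.
    'brute_force': the same few accounts hammered repeatedly.
    """
    epoch = datetime(1970, 1, 1)
    failures = defaultdict(int)      # (ip, bucket) -> failed attempts
    failed_ids = defaultdict(set)    # (ip, bucket) -> distinct user IDs that failed
    for e in events:
        if e.success:
            continue
        key = (e.src_ip, (e.ts - epoch) // window)   # fixed-size time bucket
        failures[key] += 1
        failed_ids[key].add(e.user_id)
    verdicts = {}
    for (ip, _bucket), n in failures.items():
        if n < min_failures:
            continue
        ratio = len(failed_ids[(ip, _bucket)]) / n
        verdicts[ip] = "credential_stuffing" if ratio >= stuffing_ratio else "brute_force"
    return verdicts


def accounts_needing_reset(events, verdicts):
    """User IDs that logged in successfully from a flagged source: the attacker
    likely holds a working credential, so force a reset (as Humana did)."""
    return sorted({e.user_id for e in events if e.success and e.src_ip in verdicts})


def sample_lines():
    """Constructed events: two stuffing sources, one brute-force source, and
    one legitimate user who mistypes a password twice before logging in."""
    base = datetime(2018, 6, 3, 2, 0, 0)
    lines = []

    def emit(sec, user, ip, ok):
        stamp = (base + timedelta(seconds=sec)).isoformat()
        lines.append(f"{stamp} {user} {ip} {'OK' if ok else 'FAIL'}")

    for i in range(24):                       # 203.0.113.5: a new ID every attempt, then one hit
        emit(i, f"u{i:04d}", "203.0.113.5", False)
    emit(24, "u0025", "203.0.113.5", True)
    for i in range(25):                       # 203.0.113.6: same pattern, no hit
        emit(30 + i, f"u{100 + i:04d}", "203.0.113.6", False)
    for i in range(30):                       # 198.51.100.9: one account hammered
        emit(60 + i, "alice", "198.51.100.9", False)
    emit(90, "bob", "192.0.2.10", False)      # ordinary user, two typos
    emit(91, "bob", "192.0.2.10", False)
    emit(92, "bob", "192.0.2.10", True)
    return lines


if __name__ == "__main__":
    evs = [parse_line(l) for l in sample_lines()]
    found = classify_sources(evs)
    print(found)                                     # two stuffing sources, one brute force
    print(accounts_needing_reset(evs, found))        # ['u0025']
```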


Zeus Trojan Infection Potentially Resulted in Theft of PHI from Alaska DHSS

The Alaska Department of Health and Social Services (ADHSS) is notifying ‘more than 500’ individuals that some of their protected health information (PHI) has potentially been accessed and stolen by hackers.

On April 26, after suspicious behavior was detected, the ADHSS discovered that malware had been installed on an employee’s computer. The investigation identified the malware as a variant of the Zeus/Zbot Trojan, which is known to be used to steal sensitive information.

The malware was discovered to have communicated with IP addresses in Russia, although it is not known whether the attackers are based in Russia or just using Russian IP addresses. ADHSS has not confirmed whether protected health information was exfiltrated to those IP addresses, although data access and theft of PHI is a possibility.

Under the Health Insurance Portability and Accountability Act, HIPAA-covered entities must report data breaches as soon as possible, but no later than 60 days following the discovery of a breach. ADHSS chose to delay the issuing of notifications until just before the deadline to allow investigators to determine the nature and extent of the breach.

The infected computer contained a range of documents that included sensitive information of individuals in the Northern region of Alaska. Patients affected by the breach had previously had dealings with the ADHSS division of Public Assistance (DPA) through the DPA Northern regional offices.

The types of information potentially stolen include first and last names, phone numbers, dates of birth, pregnancy status, death status, incarceration status, Medicaid/Medicare billing codes, Social Security numbers, driver’s license numbers, and other confidential information.

In its breach notice, ADHSS explained it had multiple layers of security in place to prevent malware infections, but in this instance those defenses had been bypassed.

Immediately after the virus was discovered the computer was taken offline to prevent any further data access. The ADHSS Information Technology and Security team is continuing to investigate the breach and will be implementing additional protections to prevent further breaches of this nature.


Healthcare Worker Charged with Criminally Violating HIPAA Rules

A former University of Pittsburgh Medical Center patient information coordinator has been indicted by a federal grand jury over criminal violations of HIPAA Rules, according to an announcement by the Department of Justice on June 29, 2018.

Linda Sue Kalina, 61, of Butler, Pennsylvania, has been charged in a six-count indictment that includes wrongfully obtaining and disclosing the protected health information of 111 patients.

Kalina worked at the University of Pittsburgh Medical Center and the Allegheny Health Network between March 30, 2016 and August 14, 2017. While employed at the healthcare organizations, Kalina is alleged to have accessed the protected health information (PHI) of those patients without authorization or any legitimate work reason for doing so.

Additionally, Kalina is alleged to have stolen PHI and, on four separate occasions between December 30, 2016, and August 11, 2017, disclosed that information to three individuals with intent to cause malicious harm.

Kalina was arrested following an investigation by the Federal Bureau of Investigation. The case was taken up by the Department of Justice and she is being prosecuted by Assistant United States Attorney, Carolyn Bloch, on behalf of the federal government.

If found guilty on all counts, Kalina faces up to 11 years in jail and could be ordered to pay a fine of up to $350,000. The sentence will be dictated by the seriousness of the offenses and any prior criminal history.

The Department of Justice is taking a hard line on individuals who violate HIPAA Rules and impermissibly access and disclose PHI with malicious intent. There have been several other cases in 2018 that have seen former healthcare workers indicted for criminal HIPAA violations, with three cases resulting in imprisonment.

In June 2018, a former employee of the Veteran Affairs Medical Center in Long Beach, CA, Albert Torres, 51, was sentenced to serve 3 years in jail for the theft of protected health information and identity theft. Torres pleaded guilty to the charges after law enforcement officers discovered the records of 1,030 patients in his home.

In April 2018, a former receptionist at a New York dental practice, Annie Vuong, 31, was sentenced to serve 2 to 6 years in jail for stealing the PHI of 650 patients and providing that information to two individuals who used the data to run up huge debts in patients’ names.

In February, a former behavioral analyst at the Transformations Autism Treatment Center in Bartlett, TN, Jeffrey Luke, 29, was sentenced to 30 days in jail, 3 years supervised release, and was ordered to pay $14,941.36 in restitution after downloading the PHI of 300 current and former patients onto his personal computer.


Associated Dermatology & Skin Cancer Clinic of Helena Discloses PHI Breach Impacting 1,254 Patients

This week, Associated Dermatology & Skin Cancer Clinic of Helena, MT, has disclosed a breach of physical protected health information (PHI) affecting 1,254 patients.

A journal maintained by an employee of Associated Dermatology was stolen from her vehicle on May 26, 2018. A thief forcibly gained access to the vehicle and stole the personal journal, which contained information the employee used to help with the provision of care to patients.

The types of information recorded in the journal included names and ages of patients, their referring physicians, brief notes on patients’ medical histories, reasons for visits, and visit notes. Patients whose PHI has been obtained by the thief had received medical services through Associated Dermatology between September 1, 2017 and May 24, 2018.

While highly sensitive information – the types that can be used to steal identities – was not recorded in the journal, there is potential for the information to be misused, although no reports have been received to date to suggest that is the case.

The biggest risk is the use of the information in social engineering or phishing scams that attempt to get patients to disclose further information such as Social Security numbers, dates of birth, and health insurance information. Patients have been warned to be alert to such scams.

The breach has prompted Associated Dermatology to implement further safeguards to ensure all forms of PHI are safeguarded and future incidents of this nature are prevented.

The theft has been reported to law enforcement authorities who are working to locate the journal. The incident will be reported to appropriate authorities, including the Department of Health and Human Services’ Office for Civil Rights, in due course.


Business Email Compromise Attacks Dominate 2017 FBI Internet Crime Report

The FBI has released its 2017 Internet Crime Report. Data for the report come from complaints made through its Internet Crime Complaints Center (IC3).

The report highlights the most common online scams, the scale of Internet crime, and the substantial losses suffered as a result of Internet-related crimes.

In 2017, there were 301,580 complaints made to IC3 about Internet crime, with total losses for the year exceeding $1.4 billion. Since 2013, when the first Internet Crime Report was published, more than $5.52 billion has been lost in online scams and more than 1.4 million complaints have been received.

The leading types of online crime in 2017 were non-payment/non-delivery, personal data breaches, and phishing; however, the biggest losses came from business email compromise (BEC) attacks, confidence scams/romance fraud, and non-payment/non-delivery.

The losses from business email compromise scams (and email account compromise scams on consumers) exceeded $675 million. BEC/EAC scams resulted in more than three times the losses of confidence fraud/romance scams, the second biggest cause of losses to victims. The average loss per BEC/EAC incident was $43,094.

There were 25,344 reports of phishing incidents in 2017 resulting in losses of $29,703,421, although phishing likely played a part in many other categories of crime such as credit card fraud and corporate and personal data breaches.

There were 406 reported cases of health care-related crimes and $925,849 was lost to those scams. Health care related fraud includes attempts to defraud private and government health care programs, fake insurance cards, stolen health information, and diversion/pill mill practices.

Most Prevalent Internet Crimes and Losses by Crime Type

By number of complaints:

Crime Type                              Number of Complaints
Non-Payment/Non-Delivery                84,079
Personal Data Breach                    30,904
Phishing/Vishing/Smishing/Pharming      25,344
Overpayment                             23,135
No Lead Value                           20,241
Identity Theft                          17,636
Advanced Fee                            16,368
Harassment/Threats of Violence          16,194
Employment                              15,784
BEC/EAC                                 15,690

By reported losses:

Crime Type                              Reported Losses
BEC/EAC                                 $676,151,185
Confidence Fraud/Romance                $211,382,989
Non-Payment/Non-Delivery                $141,110,441
Investment                              $96,844,144
Personal Data Breach                    $77,134,865
Identity Theft                          $66,815,298
Corporate Data Breach                   $60,942,306
Advanced Fee                            $57,861,324
Credit Card Fraud                       $57,207,248
Real Estate/Rental                      $56,231,333

Internet Crime Trends in 2017

In the report, the FBI draws attention to hot topics in 2017 – types of crime that are on the rise and have resulted in extensive losses.

With business email compromise scams resulting in major losses, it is an area of major concern. Business email compromise scams often start with a phishing attempt on a senior executive such as the CEO or CFO. Social engineering techniques are used to convince that individual to part with login credentials. Once access to their email account is gained, an email conversation is initiated with an employee who has access to sensitive data or an individual responsible for making wire transfers. These individuals can often be identified via LinkedIn accounts and from messages contained in the compromised email account. The attacker convinces the target to make a wire transfer to their account or to send sensitive data such as W-2 Forms via email.

Access to an email account is not necessary for this type of attack. There have been many cases where fraudulent transfers have been made and W-2 data sent in response to spoofed emails.

Spam filtering solutions are not effective when emails are sent internally from a compromised account. One of the best defenses is two-factor authentication, which requires an additional form of identification when an unfamiliar device is used to access an email account. Policies and procedures can also be implemented to stop these scams from succeeding, such as requiring any transfer above a certain threshold to be verified by telephone and prohibiting the sending of sensitive data such as W-2 forms via email.

Ransomware was also a hot topic in 2017. Ransomware attacks appear to be decreasing as cybercriminals switch to other methods of generating money such as cryptocurrency mining; however, there were several major attacks in 2017, with the healthcare industry heavily targeted.

Spam filtering solutions, security awareness training, user-behavior monitoring solutions, and intrusion detection solutions help to prevent attacks and reduce their severity when they do occur. Segmentation of networks can also help reduce the severity of attacks, and good data backup policies are essential.

The FBI explains that it does not support the paying of a ransom, although it appreciates that in cases where the business can no longer function, payment of the ransom may have to be considered.

Tech support scams were commonplace in 2017. These scams attempt to obtain payment to resolve fictional problems or to remove screen lockers and fake viruses. End users are convinced to provide fraudsters with remote access to their devices or to install software (malware) for this purpose. These scams often result in the theft of credentials and sensitive data as well as payment for software and technicians’ time. Losses to tech support scams have increased by 90% since 2016.

Elder fraud is a growing problem. In 2017, there were 49,523 complaints filed by victims over the age of 60. These scams resulted in adjusted losses of more than $342 million. In an effort to tackle the problem, the Justice Department launched the Elder Justice Initiative in February.

Attorney General Jeff Sessions explained that the Justice Department is taking unprecedented, coordinated action to protect elderly Americans. “When criminals steal the hard-earned life savings of older Americans, we will respond with all the tools at the Department’s disposal – criminal prosecutions to punish offenders, civil injunctions to shut the schemes down, and asset forfeiture to take back ill-gotten gains.” Local, state, and federal capacity to fight elder abuse is now being enhanced.

Extortion scams, loan schemes, impersonation schemes, sextortion, and hitman schemes are also on the rise. There were 14,938 extortion-related complaints received by IC3 in 2017 and losses exceeded $15 million.

States Worst Affected by Internet Crime

The states most affected by Internet crime closely match population levels, with the six most populated states featuring in the top seven states for reported Internet crimes.

By number of complaints:

State               Number of Complaints
California          41,974
Florida             21,877
Texas               21,852
New York            17,622
Pennsylvania        11,348
Virginia            9,436
Illinois            9,381
Ohio                8,157

By reported losses:

State               Reported Losses
California          $214,217,307
Texas               $115,680,902
Florida             $110,620,330
New York            $88,633,788
Arizona             $59,366,635
Washington          $42,991,213
Illinois            $42,894,106
New Jersey          $40,441,739
