HIPAA Breach News

Michigan Medicine Informs Hundreds of Patients of PHI Exposure

An unencrypted laptop computer containing the protected health information (PHI) of 870 patients of Michigan Medicine has been stolen.

The PHI was stored on a personal laptop that had been left unattended in an employee’s vehicle. A thief broke into the car and stole the employee’s bag, which contained the device. The theft occurred on June 3, 2018 and was immediately reported to law enforcement. Michigan Medicine was informed of the theft the following day, June 4.

The laptop contained a range of protected health information of patients who had participated in research studies. The types of information exposed varied depending on the study the patient had taken part in. Highly sensitive information such as Social Security numbers, health plan ID numbers, and financial information was not stored on the device, and addresses and contact telephone numbers were not exposed. The information exposed was limited to names, medical record numbers, gender, race, diagnoses, and treatment information.

All of the research studies had been approved by the Institutional Review Board (IRB) at Michigan Medicine, and consent to collect the data and use the information for research had been obtained from the patients. The IRB requires all research studies involving human subjects to comply with strict regulatory requirements, which include safeguards to protect patient confidentiality.

While Michigan Medicine complied with all regulations and had implemented appropriate security controls to prevent the exposure of patient data, the employee violated IRB approvals and Michigan Medicine policies by downloading the research data to his personal laptop computer.

Michigan Medicine has policies in place that require all patient data stored on portable electronic devices such as laptop computers to be encrypted, so that the data are not exposed if a device is lost or stolen. However, since the data were downloaded to a personally owned device without the knowledge of Michigan Medicine, the data were not encrypted, although the laptop was password protected. An operating system password does not protect data at rest: the drive can be removed or the machine booted from other media and the files read directly. That is why only encryption (or destruction) renders PHI “unsecured” no longer for the purposes of the HIPAA breach notification safe harbor, and why a password alone did not spare Michigan Medicine from having to notify.

Patients have been notified of the breach and have been advised to monitor their insurance statements for signs of fraudulent activity, although the risk of misuse of data is believed to be low as the device did not contain the types of information necessary for identity theft or insurance fraud.

HIPAA requires patients to be notified of breaches of PHI without unreasonable delay and no later than 60 days following the discovery of a breach. Michigan Medicine should be commended for issuing notifications promptly, within three weeks of discovering the breach.

Michigan Medicine has conducted further training of the workforce to reiterate its patient privacy policies and educational materials are being improved “to further enhance key messages about the prohibited use of personal, unencrypted devices for storage of research data.”

The post Michigan Medicine Informs Hundreds of Patients of PHI Exposure appeared first on HIPAA Journal.

Protected Health Information Sent to Incorrect Fax Recipient Over Several Months

Faxes containing the protected health information (PHI) of a patient were sent to the wrong recipient by OhioHealth’s Grant Medical Center over a period of several months, a violation of patient privacy and of the Health Insurance Portability and Accountability Act (HIPAA).

The recipient of the faxes, Elizabeth Spilker, tried on numerous occasions to notify Grant Medical Center of the problem and stop the faxes, without success. She faxed a message back to the sending number asking for the programmed fax number to be corrected, and also tried contacting the medical center by telephone.

Spilker later notified ABC6 about the issue and the story was covered in a June 18 report. In the report, Spilker explained that faxes had been received from Grant Medical Center for more than a year. The messages contained a range of protected health information including name, age, weight, medical history, medications prescribed, and other sensitive health information.

Typically, the faxes arrived at the end of the day, and the sending machine retried repeatedly until the transmission succeeded. The only way to stop the calls was to plug in the fax machine and accept the message.

ABC6 reporters contacted Grant Medical Center in Columbus, OH, and alerted staff to the problem. A statement was subsequently issued confirming the matter had been investigated and resolved. OhioHealth also said that the faxes had been sent over a six-month period, not for more than a year as Elizabeth Spilker had stated in the ABC6 news report.

“We conducted a thorough review and audit of our fax system logs and found that three faxes were sent to the individual in error due to a transposed fax number in one patient’s medical record,” OhioHealth explained in a statement about the incident. “The fax number has been corrected and we’re reaching out to the patient involved to make him or her aware. Ensuring the privacy of our patients is a top priority at OhioHealth and we apologize for this error.” All faxes received by Ms. Spilker have now been shredded so there is no risk of further disclosures of PHI.
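A transposed digit in a stored fax number is exactly the kind of error an outbound check can catch before PHI leaves the building. The following is an added example, not OhioHealth’s system or code from this article: it validates a destination number against a directory of verified recipient numbers and holds anything that is unknown or one keystroke (an adjacent transposition or a single wrong digit) away from a verified entry for human confirmation. The directory, the numbers, and the `check_destination` function are constructed for illustration.

```python
# Outbound fax destination check (added example; constructed data, no real numbers).

# Verified recipient directory: numbers confirmed with the receiving practice
# before being allowed into patient records. Hypothetical entries.
VERIFIED_FAX_NUMBERS = {
    "6145550123": "Example Cardiology Associates",
    "6145550198": "Example Primary Care",
}


def normalize(number):
    """Keep digits only so '(614) 555-0123' and '614-555-0123' compare equal."""
    digits = "".join(ch for ch in number if ch.isdigit())
    # Assumption: US-only deployment, so a leading country code '1' is dropped.
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]
    return digits


def is_adjacent_transposition(a, b):
    """True when a and b differ only by two neighbouring digits being swapped."""
    if len(a) != len(b):
        return False
    diff = [i for i in range(len(a)) if a[i] != b[i]]
    return (
        len(diff) == 2
        and diff[1] == diff[0] + 1
        and a[diff[0]] == b[diff[1]]
        and a[diff[1]] == b[diff[0]]
    )


def is_single_digit_error(a, b):
    """True when a and b differ in exactly one position (one mistyped digit)."""
    return len(a) == len(b) and sum(x != y for x, y in zip(a, b)) == 1


def check_destination(number, directory=VERIFIED_FAX_NUMBERS):
    """Classify an outbound fax number before the gateway dials it.

    Returns ("OK", recipient) for a verified number, ("SUSPECT", likely_recipient)
    when the number is one keystroke away from a verified entry (the typical
    typo), or ("BLOCK", None) when it is unknown. SUSPECT and BLOCK should hold
    the fax for a confirmation step instead of sending PHI to a stranger.
    """
    digits = normalize(number)
    if digits in directory:
        return "OK", directory[digits]
    for known, recipient in directory.items():
        if is_adjacent_transposition(digits, known) or is_single_digit_error(digits, known):
            return "SUSPECT", recipient
    return "BLOCK", None


if __name__ == "__main__":
    for candidate in ["614-555-0123", "(614) 555-0132", "614-555-9999"]:
        print(candidate, "->", check_destination(candidate))
```

The point of the SUSPECT class is that a number which is almost a verified one is far more likely to be a data-entry error than a legitimate new recipient, so it deserves a second look rather than a silent send; a truly new recipient goes through the verification process and into the directory.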

The post Protected Health Information Sent to Incorrect Fax Recipient Over Several Months appeared first on HIPAA Journal.

Unencrypted Hospital Pager Messages Intercepted and Viewed by Radio Hobbyist

Many healthcare organizations have now transitioned to secure messaging systems and have retired their outdated pager systems.

Healthcare organizations that have not yet made the switch to secure text messaging platforms should take note of a recent security breach that saw pages from multiple hospitals intercepted by a ‘radio hobbyist’ in Missouri.

Intercepting pages using software-defined radio (SDR) is nothing new. Numerous websites explain what SDR hardware can do, including receiving private communications, and the risk of PHI being captured this way has been well documented. All that is required is a receiver dongle costing around $30, a computer, and free software. The reason it works is that common hospital paging protocols transmit the message text in the clear, so any receiver tuned to the carrier decodes the same text the pager displays.

In this case, an IT worker from Johnson County, MO bought an antenna and connected it to his laptop to pick up TV channels, but found he could receive much more: by accident, he intercepted pages sent by physicians at several hospitals. He told the Kansas City Star the pages contained highly sensitive information, including the one below:

“RQSTD RTM: (patient’s name) 19 M Origin Unit: EDOF Admitting: (doctor’s name) Level of Care: 1st Avail Medical Diagnosis: TONSILAR BLEED, ANEMIA, THROMBOCYTOPENIA”

It was not necessary to be in close vicinity of a hospital to intercept the pages and view PHI. Pages were picked up from hospitals and medical centers in Blue Springs, MO; Harrisonville, MO; Liberty, MO; Kansas City, KS; Wichita, KS; and even hospitals further away in Kentucky and Michigan.

Reporters from the Kansas City Star made contact with several of the patients whose information was exposed to confirm the information was correct. Understandably, the patients were shocked to find out that their sensitive information had been obtained by unauthorized individuals, as were the hospitals.

While not all hospitals responded, some of those that did said they are working with their vendors to correct the problem to ensure that pages cannot be intercepted in the future.

Intercepting pages is illegal under the Electronic Communications Privacy Act (ECPA), but so is hacking healthcare networks or running phishing campaigns to obtain protected health information, and that does not stop attackers.

HIPAA-covered entities should take note of these privacy violations and consider replacing pagers with a secure messaging solution. In the meantime, they should contact their paging vendors and explore the options for encrypting pages, or at least for keeping PHI out of page content, so that ePHI cannot be intercepted.
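To make concrete what an interceptor reads from a page like the one quoted above, and what “keeping PHI out of page content” looks like, here is an added example that is not from the article or from any hospital or vendor named in it. It parses a room-request page in the same layout as the quoted one, lists the PHI-bearing fields that are exposed in the clear, and shows a minimization step in which the pager carries only an opaque token and the originating unit while the full request stays in an authenticated store. The sample page, the field labels, and the `store` dictionary (a stand-in for a secure messaging backend) are constructed assumptions.

```python
import re
import secrets

# Field labels in the order they appear in the intercepted page quoted above.
LABELS = ["RQSTD RTM", "Origin Unit", "Admitting", "Level of Care", "Medical Diagnosis"]
_LABEL_RE = re.compile(r"(" + "|".join(re.escape(label) for label in LABELS) + r"):\s*")

# Constructed sample in the same layout as the intercepted page. The patient
# and physician names are placeholders, not real people.
SAMPLE_PAGE = (
    "RQSTD RTM: JANE DOE 19 M Origin Unit: EDOF Admitting: DR SMITH "
    "Level of Care: 1st Avail Medical Diagnosis: TONSILAR BLEED, ANEMIA, THROMBOCYTOPENIA"
)

# What an interceptor learns: a direct identifier combined with clinical detail.
IDENTIFIER_FIELDS = {"Patient"}
CLINICAL_FIELDS = {"Medical Diagnosis", "Level of Care"}


def parse_page(text):
    """Split a room-request page into labelled fields.

    The 'RQSTD RTM' value is '<name> <age> <sex>' and is broken out further.
    """
    parts = _LABEL_RE.split(text)
    fields = {parts[i]: parts[i + 1].strip() for i in range(1, len(parts) - 1, 2)}
    m = re.fullmatch(r"(.+?)\s+(\d{1,3})\s+([MF])", fields.pop("RQSTD RTM", ""))
    if m:
        fields["Patient"] = m.group(1)
        fields["Age"] = int(m.group(2))
        fields["Sex"] = m.group(3)
    return fields


def exposed_phi(fields):
    """Names of the PHI-bearing fields readable from a page as transmitted."""
    return sorted((IDENTIFIER_FIELDS | CLINICAL_FIELDS) & fields.keys())


def minimize_page(fields, store):
    """Replace the PHI with an opaque reference before the page is transmitted.

    `store` stands in for the secure messaging backend (hypothetical): the full
    request lives there behind authentication and audit logging, and the pager
    only carries the token and the originating unit. Returns (page, token).
    """
    token = secrets.token_hex(4)
    store[token] = dict(fields)
    unit = fields.get("Origin Unit", "UNKNOWN")
    page = f"RTM REQUEST {token} Origin Unit: {unit} - see secure app"
    return page, token


if __name__ == "__main__":
    fields = parse_page(SAMPLE_PAGE)
    print("exposed in the clear:", exposed_phi(fields))
    backend = {}
    page, token = minimize_page(fields, backend)
    print("minimized page:", page)
    print("exposed after minimization:", exposed_phi(parse_page(page)))
```

The token is unguessable but meaningless on its own; an interceptor sees that some unit requested a room and nothing else, while the clinician opens the full request in an application that authenticates the user and logs the access.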

The post Unencrypted Hospital Pager Messages Intercepted and Viewed by Radio Hobbyist appeared first on HIPAA Journal.

Washington Health System Suspends Several Employees for Inappropriate PHI Access

Following the alleged inappropriate accessing of patient health records by employees, Washington Health System has taken the decision to suspend several employees while the privacy breach is investigated.

While the number has not been officially confirmed, Washington Health System VP of strategy and clinical services Larry Pantuso told the Observer-Reporter that around a dozen employees have been suspended, although at this stage none has been fired for inappropriate medical record access.

The privacy breaches are believed to relate to the death of an employee of the WHS Neighbor Health Center. Kimberly Dollard, 57, was killed when an out-of-control car driven by Chad Spence, 43, rammed into the building where she worked. Spence and one other individual were admitted to the hospital after sustaining injuries in the crash.

Pantuso did not confirm that this was the incident that prompted the employees to access patients’ medical records, although he did confirm that the alleged inappropriate access related to a “high profile case.”

Accessing medical records without a legitimate work reason is a violation of the Health Insurance Portability and Accountability Act (HIPAA). HIPAA permits workforce members to access PHI only for treatment, payment, or healthcare operations (or another purpose the Privacy Rule specifically permits), and only to the extent their role requires.

Any healthcare employee discovered to have violated HIPAA Rules faces disciplinary action which can involve suspension, termination, loss of license and, potentially, criminal charges.

There have been several recent cases in which employees have been fired for snooping on the medical records of high-profile patients.

In February 2018, 13 employees of the Medical University of South Carolina were fired for HIPAA violations after accessing patients’ medical records without authorization; in many cases the records were those of high-profile patients.

One of the most recent actions taken against a healthcare employee for a HIPAA violation was taken by the New York nursing board’s Office for Professional Discipline. Martha Smith-Lightfoot was provided with a list of patients prior to leaving her employment at University of Rochester Medical Center (URMC) to take up a new position at Greater Rochester Neurology. Smith-Lightfoot provided that list to her new employer and patients were contacted in an attempt to solicit business.

Smith-Lightfoot signed a consent order with the nursing board admitting the violation and had her license to practice suspended for one year, received a stayed suspension for another year, and three years of probation when she returns to practice.

Snooping on medical records is likely to be discovered: EHR systems log every record access, those logs are periodically reviewed, and if inappropriate PHI access is found it is likely to result in termination and will make it hard to obtain future employment in healthcare.

The post Washington Health System Suspends Several Employees for Inappropriate PHI Access appeared first on HIPAA Journal.

Florida Agency for Persons with Disabilities and Black River Medical Center Report Phishing Incidents

Two HIPAA-covered entities have recently disclosed they have been victims of phishing attacks that have potentially resulted in the exposure of patients’ protected health information (PHI).


Further Phishing Attack Reported by Florida Agency for Persons with Disabilities

The Florida Agency for Persons with Disabilities (FAPD), which provides support services for people with disabilities such as autism, cerebral palsy, spina bifida, and Down syndrome, has experienced another phishing attack.

The phishing attack occurred on April 10, 2018 and was limited to a single email account; however, that account contained the PHI of 1,951 customers or guardians.

While no evidence was uncovered to suggest any PHI was viewed or copied by the attacker, PHI access could not be ruled out. The compromised email account contained information such as names, birth dates, addresses, telephone numbers, health information, and Social Security numbers.

All patients have now been notified of the breach and have been offered credit monitoring services for a year without charge.

Three days after the attack, FAPD implemented a security upgrade to prevent unauthorized individuals from accessing its email system and further training on email security protocols was provided.

This is not the first phishing attack to be reported by the agency in 2018. In February, a more extensive phishing attack occurred that resulted in multiple email accounts being compromised. That phishing attack affected more than 55,000 customers, whose names, birth dates, and Social Security numbers were potentially compromised.

Following the February attack, FAPD said it had implemented multi-factor authentication to prevent unauthorized accessing of its email accounts and provided further training for employees on email security protocols.

Patients Notified of Black River Medical Center Phishing Attack

Poplar Bluff, MO-based Black River Medical Center is alerting some of its patients that their protected health information has potentially been accessed by an unauthorized individual.

On April 23, 2018, an employee responded to a phishing email, giving a hacker access to that employee’s email account. The account contained a limited amount of protected health information, but no financial information or Social Security numbers. The breach was limited to names, addresses, phone numbers, and in some cases, treatment information.

The investigation confirmed that the incident was limited to the email account and no other systems were affected. No evidence was uncovered to suggest any PHI was accessed, obtained, or misused by the attacker.

Patients were notified of the incident on June 13, 2018, and a notice was posted on the healthcare provider’s website. The breach has yet to appear on the Department of Health and Human Services’ Office for Civil Rights breach portal, so it is currently unclear exactly how many patients have been impacted.

The post Florida Agency for Persons with Disabilities and Black River Medical Center Report Phishing Incidents appeared first on HIPAA Journal.

May 2018 Healthcare Data Breach Report

April was a particularly bad month for healthcare data breaches with 41 reported incidents. While it is certainly good news that there has been a month-over-month reduction in healthcare data breaches, the severity of some of the breaches reported last month puts May on a par with April.

Healthcare Data Breaches (May 2018)

There were 29 healthcare data breaches reported by healthcare providers, health plans, and business associates of covered entities in May, a 29.27% month-over-month reduction in reported breaches. However, 838,587 healthcare records were exposed or stolen in those incidents, only 56,287 fewer than in the 41 incidents in April.

Healthcare Data Breaches - Records (May 2018)

In May, the mean breach size was 28,917 records and the median was 2,793 records. In April the mean breach size was 21,826 records and the median was 2,553 records.

Causes of May 2018 Healthcare Data Breaches

Unauthorized access/disclosure incidents were the most numerous type of breach in May 2018 with 15 reported incidents (51.72%). There were 12 hacking/IT incidents reported (41.38%) and two theft incidents (6.9%). There were no lost unencrypted electronic devices reported in May and no improper disposal incidents.

The 12 hacking/IT incidents reported in May resulted in the exposure/theft of 738,883 healthcare records – 88.11% of the total for May. Unauthorized access/disclosure incidents affected 97,439 patients and health plan members – 11.62% of the total. Theft incidents resulted in unauthorized individuals obtaining the PHI of 2,265 individuals – 0.27% of the monthly total.

Causes of Healthcare Data Breaches (May 2018)

Largest Healthcare Data Breaches Reported in May 2018

The largest healthcare data breach reported in May 2018, by some distance, was the 538,127-record breach at the Baltimore, MD-based healthcare provider LifeBridge Health Inc. The breach was reported in May, although the intrusion dates back to September 2016, more than a year and a half earlier, when malware was installed on the server hosting its electronic health records.

In addition to names and contact information, clinical and treatment information, insurance information, and, in some instances, Social Security numbers, were compromised. The scale of the breach and the types of information exposed makes it one of the most serious healthcare data breaches discovered in 2018.

As the table below shows, hacks and IT incidents were behind the most serious breaches in May.

Breached Entity                                      Entity Type          Records Breached   Breach Type
LifeBridge Health, Inc                               Healthcare Provider  538,127            Hacking/IT Incident
The Oregon Clinic, P.C.                              Healthcare Provider   64,487            Hacking/IT Incident
Dignity Health                                       Healthcare Provider   55,947            Unauthorized Access/Disclosure
Aultman Hospital                                     Healthcare Provider   42,625            Hacking/IT Incident
Holland Eye Surgery and Laser Center                 Healthcare Provider   42,200            Hacking/IT Incident
USACS Management Group, Ltd.                         Business Associate    15,552            Hacking/IT Incident
Florida Hospital                                     Healthcare Provider   12,724            Hacking/IT Incident
Aflac                                                Health Plan           10,396            Hacking/IT Incident
Cerebral Palsy Research Foundation of Kansas, Inc.   Healthcare Provider    8,300            Unauthorized Access/Disclosure
Associates in Psychiatry and Psychology              Healthcare Provider    6,546            Hacking/IT Incident


Records Exposed in Healthcare Data Breaches (May 2018)

Location of Breached Protected Health Information

In May, the most common location of breached protected health information was email: 11 of the 29 reported breaches involved either compromised email accounts or misdirected emails. It was a similar story in April, when email was also the main location of breached PHI.

In May there were 7 incidents affecting network servers – hacks, malware infections, and ransomware incidents – and 7 incidents involving paper records.

Healthcare Data Breaches (May 2018) - Location of Breached PHI

Data Breaches by Covered Entity Type

Healthcare providers experienced the lion’s share of the healthcare data breaches in May 2018, with 22 incidents reported. Only two health plans suffered a data breach in May.

Five business associates of HIPAA-covered entities reported a breach, although a further four breaches had some business associate involvement.

Healthcare Data Breaches (May 2018) - Breaches by Covered Entity Type

Healthcare Data Breaches by State

California and Ohio were the worst affected by healthcare data breaches in May 2018, with four breaches each. Oregon and Texas each experienced two data breaches in May. Nevada also had four breach reports, but three of those were a single incident reported separately by each of the three Dignity Health hospitals affected.

One healthcare data breach was reported by a HIPAA-covered entity or business associate based in Arkansas, Arizona, Colorado, Florida, Georgia, Indiana, Kansas, Massachusetts, Maryland, Michigan, Minnesota, Nebraska, and New York.

Financial Penalties for HIPAA Violations

While OCR and state attorneys general continue to enforce HIPAA Rules and take action against covered entities and business associates for noncompliance, there were no financial settlements announced by either in May 2018.

Data Source: The Department of Health and Human Services’ Office for Civil Rights.

The post May 2018 Healthcare Data Breach Report appeared first on HIPAA Journal.

3-Year Jail Term for VA Employee Who Stole Patient Data

A former employee of the Veterans Affairs Medical Center in Long Beach, CA who stole the protected health information (PHI) of more than 1,000 patients has been sentenced to three years in jail.

Albert Torres, 51, was employed as a clerk at the Long Beach medical center, a position he had held for less than a year. Torres was pulled over by police officers on April 12 after a check of his license plates showed that plates of a type normally issued to commercial vehicles were being used on a private vehicle.

The police officers found prescription medications for which Torres did not have a prescription, along with the Social Security numbers and other PHI of 14 patients, in his vehicle. A subsequent search of Torres’ apartment revealed hard drives and zip drives containing the PHI of 1,030 patients, and more than $1,000 in cleaning supplies that had been stolen from the hospital.

After pleading guilty to several crimes, including identity theft and grand theft, Torres was sentenced to three years in state penitentiary on June 4.

Sutter Health Fires Employees for Attempted PHI Access

An undisclosed number of employees of Sutter Health have been fired for accessing the medical records of patients without authorization.

CBS 13 Sacramento reported that an anonymous source had confirmed that Sutter Health had fired two employees for searching for the medical records of the suspected Golden State Killer, Joseph DeAngelo.

Following the news report from CBS 13, Sutter Health spokesperson Gary Zavoral issued a statement confirming action had been taken in response to the improper accessing of PHI, according to the Sacramento Business Journal.

Zavoral did not confirm how many employees had been terminated, nor which patient or patients’ medical records had been accessed.

Sutter Health has a system in place that generates alerts when employees access medical records without authorization. When improper access is detected, it usually results in termination.

In addition to firing the employees concerned, Sutter Health has reminded all staff that the accessing of medical records is only permitted when there is a legitimate work reason for doing so. The person or persons whose medical records were accessed are being notified of the privacy breach.
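Both this Sutter Health case and the Washington Health System case above turn on the same detection problem: access logs exist for every chart view, and the question is which views to surface for review. The following is an added example, not Sutter Health’s alerting system or any code from this article. It runs two rules over a constructed EHR audit log: an access by someone who is neither on the patient’s care team nor in an operations role that legitimately touches every chart (the “no treatment relationship” rule), and a chart opened by an unusual number of distinct users within a short window, which is the signature of staff curiosity about a newsworthy patient. The log lines, the `CARE_TEAM` table, the role names, and the thresholds are all assumptions.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed EHR access log (not real data). Columns mirror what EHR audit
# trails commonly record: when, who and their role, whose chart, and what.
AUDIT_LOG = """\
timestamp,user,role,patient_id,action
2018-06-12T08:02:11,nurse01,RN,P100,view_chart
2018-06-12T08:15:40,drjones,MD,P100,view_notes
2018-06-12T09:01:03,clerk07,CLERK,P200,view_demographics
2018-06-12T12:20:55,billing3,BILLING,P100,view_charges
2018-06-12T13:05:09,nurse14,RN,P200,view_chart
2018-06-12T13:07:31,nurse22,RN,P200,view_chart
2018-06-12T13:09:02,tech05,TECH,P200,view_chart
2018-06-12T13:12:47,drpatel,MD,P200,view_notes
2018-06-12T13:15:10,admin02,ADMIN,P200,view_chart
2018-06-13T16:40:00,nurse01,RN,P200,view_chart
"""

# Who has a legitimate relationship with each chart (hypothetical: in practice
# this comes from encounter and care-team assignments in the EHR), plus roles
# that touch every chart for payment or operations purposes.
CARE_TEAM = {"P100": {"nurse01", "drjones"}, "P200": {"clerk07", "drpatel"}}
OPERATIONS_ROLES = {"BILLING"}


def parse_log(text):
    """Read the CSV audit log into dicts with real datetime objects."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["timestamp"] = datetime.fromisoformat(r["timestamp"])
    return rows


def flag_no_relationship(rows):
    """Rule 1: access by a user who is neither on the care team nor in an
    operations role. Each flagged row is a candidate snooping event."""
    return [
        r for r in rows
        if r["user"] not in CARE_TEAM.get(r["patient_id"], set())
        and r["role"] not in OPERATIONS_ROLES
    ]


def flag_access_spike(rows, min_users=4, window=timedelta(hours=24)):
    """Rule 2: a chart opened by at least `min_users` distinct users inside one
    `window`. Returns (patient_id, window_start, sorted_users) per patient;
    one finding per patient is enough to put the chart in the review queue."""
    by_patient = defaultdict(list)
    for r in sorted(rows, key=lambda r: r["timestamp"]):
        by_patient[r["patient_id"]].append(r)
    findings = []
    for pid, accesses in by_patient.items():
        for i, start in enumerate(accesses):
            users = {
                a["user"] for a in accesses[i:]
                if a["timestamp"] - start["timestamp"] <= window
            }
            if len(users) >= min_users:
                findings.append((pid, start["timestamp"], sorted(users)))
                break
    return findings


if __name__ == "__main__":
    log = parse_log(AUDIT_LOG)
    for r in flag_no_relationship(log):
        print(f"no relationship: {r['user']} ({r['role']}) opened {r['patient_id']} at {r['timestamp']}")
    for pid, when, users in flag_access_spike(log):
        print(f"access spike: {pid} opened by {len(users)} users from {when}: {users}")
```

Rule 1 catches the individual snooper; rule 2 catches the pattern the Washington Health System and Medical University of South Carolina cases describe, a dozen staff opening one chart within hours of a news story, even when the care-team table is incomplete. Both produce review-queue items rather than automatic sanctions, since a legitimate float nurse or consult will sometimes trip rule 1.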

The post 3-Year Jail Term for VA Employee Who Stole Patient Data appeared first on HIPAA Journal.

PHI Stolen in San Francisco and Corpus Christi Burglaries

Two HIPAA-covered entities are alerting patients that some of their protected health information (PHI) has been obtained by thieves in recent burglaries.

PHI Taken from Employee of Christus Spohn Hospitals

The protected health information of patients of two Christus Spohn Hospitals in Corpus Christi has been stolen in a burglary.

A Christus Spohn employee was the victim of a burglary on April 16, 2018, in which PHI was taken, including names, birth dates, dates of service, medical record numbers, account numbers, ages, and other medical data. No financial information, driver’s license numbers, or Social Security numbers were compromised.

Patients affected by the breach had previously received treatment at Christus Spohn Health System’s Memorial or Shoreline hospitals. While PHI was obtained, the information does not appear to have been misused. Christus Spohn has confirmed that approximately 1,800 patients have been affected by the incident.

Steps have already been taken to prevent further incidents of this nature from occurring, and the employee in question has received further training on measures that need to be taken to ensure protected health information is safeguarded.

PHI of Patients of a San Francisco Acupuncturist Stolen

San Francisco acupuncturist Denise M. Bowden is notifying patients that some of their PHI was stolen from her Pacific Heights office. She discovered the burglary on April 30, 2018; the offices had been ransacked at some point over the weekend of April 28-29.

The thief stole a computer from her office that contained information such as patients’ names, addresses, contact telephone numbers, dates of service, diagnosis codes, and health insurance information. No financial information or Social Security numbers were stored on the computer.

While the computer was password protected, patient data were not encrypted and could therefore potentially be viewed by unauthorized individuals. No reports have been received to suggest any of the information on the computer has been accessed and misused. Patients were notified of the breach by mail on June 11, 2018.

The post PHI Stolen in San Francisco and Corpus Christi Burglaries appeared first on HIPAA Journal.

PHI Compromised in HealthEquity Phishing Attack

A phishing attack on Draper, UT-based HealthEquity Inc., has resulted in the exposure of members’ protected health information. The data breach was limited to one email account, although an analysis of the messages in the account revealed a range of PHI was potentially obtained by the attacker.

Information possibly compromised in the attack was limited to names, email addresses, HealthEquity member ID numbers, employer ID numbers, employer names, health account type, deduction amounts, and for some Michigan-based employees, Social Security numbers.

The breach was identified on April 13, 2018 and was discovered to have occurred two days previously, giving the attacker 48 hours to access messages in the account. Access to the compromised account was immediately terminated to prevent any further unauthorized access.

A third-party computer forensics firm was engaged to conduct a full investigation into the attack. The investigation confirmed that the breach was limited to a single email account and access was gained due to human error – the employee responding to a phishing message. No other systems were compromised or affected by the phishing attack.

While PHI access was possible, no evidence was uncovered to suggest the emails in the account were opened or PHI was obtained by the attacker, although out of an abundance of caution, all affected individuals have been offered complimentary credit monitoring and identity theft protection services through ID Experts.

As a HIPAA-covered entity, HealthEquity is required to notify affected individuals within 60 days of discovering a PHI breach and, because the breach affected more than 500 individuals in a state, to issue a notice to prominent media outlets serving that state within the same period. That notice was provided to ClickOnDetroit. The affected individuals were employees of two companies, both of which have been notified about the security incident.

The incident has yet to appear on the Department of Health and Human Services’ Office for Civil Rights’ breach portal, so it is currently unclear how many individuals have been impacted by the incident.

The post PHI Compromised in HealthEquity Phishing Attack appeared first on HIPAA Journal.