HIPAA Breach News

2,889 Patients of Scenic Bluffs Community Health Centers Notified of PHI Breach

An unauthorized individual has gained access to the email account of an employee of Scenic Bluffs Community Health Centers and potentially viewed the protected health information of up to 2,889 patients.

The email account breach was discovered by the health centers on March 1, 2018, the day after access to the account was gained. The attacker had set up a mail forwarder on the account, which had forwarded 44 messages to an email address controlled by the attacker.

None of the forwarded emails contained any protected health information. Following the discovery of the mail forwarding rule, the rule was deleted, the account was closed, and all PHI was secured. While the attacker does not appear to have obtained any PHI, PHI detailed in emails in the account could have been viewed during the period in which the account was accessible.

It is unclear how access to the email account was gained. Typically email accounts are compromised after employees respond to phishing emails and inadvertently disclose their login credentials, or via brute force attacks that take advantage of weak passwords.

Scenic Bluffs Community Health Centers has hired an external cybersecurity firm to evaluate its systems and provide recommendations on suitable security solutions that can be deployed to further protect patient privacy and prevent future security breaches.

Breach notification letters were mailed on April 23 to patients whose PHI was potentially viewed.

The post 2,889 Patients of Scenic Bluffs Community Health Centers Notified of PHI Breach appeared first on HIPAA Journal.

PHI of 3,000 Patients Exposed Due to Mailing Printing Error

Maximus Inc, a provider of business process management and technology solutions to government health and human services agencies, is alerting more than 3,000 individuals that some of their protected health information has been accidentally disclosed to other individuals as a result of a printing error on a recent mailing.

The mailing was prepared and sent by its business associate, Business Ink, between February 10 and February 13, 2018. The mailing was sent to approximately 1,100 families in Texas who participated in Medicaid and the Children’s Health Insurance Program (CHIP). The error was discovered by Maximus on February 16.

The 6-page letter included one mismatched page containing information relating to another individual. The types of information detailed on the page were limited to names, addresses, group numbers, case numbers, and program type. No highly sensitive information such as Social Security numbers, birth dates, insurance information, or financial information was exposed, and none of the information detailed on the mismatched pages would allow another individual to gain access to another person’s program account.

Since the information exposed was extremely limited, affected individuals do not need to take any action to mitigate risk. Notifications were issued out of an abundance of caution.

Maximus has investigated the incident and has received assurances that its mailing vendor has strengthened its printing processes to ensure similar errors are prevented in the future. No reports have been received to suggest any of the disclosed information has been misused in any way.

According to Databreaches.net, 3,029 individuals had information impermissibly disclosed as a result of the printing and mailing error.

Malware Installed on Florida Hospital Websites May Have Provided Access to PHI

Three websites used by Florida Hospital have been infected with malware that has potentially allowed the threat actors behind the attack to obtain patients’ protected health information.

PHI access has not been confirmed and no reports have been received to suggest any protected health information has been misused. Patients are being informed of the breach and, out of an abundance of caution, have been offered complimentary credit monitoring services. The websites impacted are FloridaBariatric.com, FHOrthoInstitute.com and FHExecutiveHealth.com.

The data potentially compromised was limited and did not involve any financial information. The attackers may have obtained patients’ names, birth dates, email addresses, phone numbers, insurance carriers, the last four digits of their Social Security numbers, any comments uploaded via the sites, and their height and weight. The malware attack was limited to the above websites and no other systems were affected.

It is unclear what type of malware was uploaded to the websites and how long the malware was present on the websites before it was detected. Florida Hospital released a statement on Wednesday about the malware infection and all three websites have been taken offline while the malware is removed and the sites are sanitized.

The incident has yet to be reported to the Department of Health and Human Services’ Office for Civil Rights, so it is currently unclear exactly how many patients have been impacted. All patients affected by the security breach will be notified by mail if any of their protected health information is believed to have been compromised.

Florida Hospital is taking all appropriate steps to ensure similar security breaches are prevented and vulnerabilities across all of its online networks are addressed.

Employee Sent PHI After Being Fired

A bizarre mistake by the Texas Health and Human Services Commission (HHSC) has seen a former employee sent the protected health information of approximately 100 patients after she had been fired. The boxes contained items that had been collected from her old desk, but also benefits application forms.

After Tracy Ryans, 51, of Houston, was terminated, HHSC mailed her two boxes containing her personal items, which were left on her porch by the delivery driver. One of the boxes contained personal belongings that included pens, a coffee cup, and old shoes. The other box contained paperwork.

Ryans told the Texas Tribune that one of the boxes contained personal items that did not belong to her. They had been taken from a desk she shared with coworkers. The other box was full of paperwork containing highly sensitive personal information of clients.

The paperwork included benefits applications containing Social Security numbers, billing statements, copies of driver’s licenses, and check stubs relating to approximately 100 individuals. The documents were dated April 13, 2018 – 15 days after Ryans had been terminated.

Ryans contacted the Texas State Employees Union to seek advice about what she should do with the paperwork, after becoming concerned that she might be accused of stealing the documents. She was given assistance returning the paperwork to HHSC.

The reason given for Ryans’ termination after 9 years working for HHSC was an alleged failure to ensure the security of client information and violation of HIPAA Rules – something Ryans denies. The mailing of PHI to Ryans, who had no legal right to hold the information, would itself be considered a violation of HIPAA Rules. However, at this stage HHSC has yet to confirm what sensitive information was detailed in the documents and whether HIPAA Rules were accidentally violated.

The incident is currently being investigated by HHSC and the potential privacy breach has been reported to the Office of Inspector General. If it is confirmed that sensitive information was exposed and HIPAA Rules were violated, steps will be taken to remedy the breach and affected individuals will be notified.

85,000 Patients Impacted by California Ransomware Attack

Center for Orthopaedic Specialists is notifying its patients that some of their protected health information was potentially accessed by unauthorized individuals who installed ransomware on its network.

The attack impacts all current and former patients of three of its facilities in West Hills, Simi Valley and Westlake Village in California. According to Databreaches.net, 85,000 patients have potentially been impacted.

Center for Orthopaedic Specialists was notified by its IT vendor that an unauthorized individual began attempting to access its network on February 18, 2018. Access to the network was gained and ransomware was installed, which was used to encrypt a wide range of files, many of which contained the protected health information of patients. The types of information encrypted by the ransomware included names, details about medical records, dates of birth, and Social Security numbers.

Prompt action was taken by the IT vendor to limit the harm caused and the affected system was taken offline rapidly to prevent any exfiltration of data.

An investigation into the breach has not uncovered any evidence to suggest that patients’ protected health information was viewed or copied by the individuals responsible for the attack, although data theft could not be ruled out with 100% certainty. Out of an abundance of caution, all patients whose PHI was encrypted by the ransomware have been notified of the breach to allow them to take precautions to protect against identity theft and fraud.

Even though data theft is not suspected, out of an abundance of caution, Center for Orthopaedic Specialists is offering all affected individuals identity theft protection and credit monitoring services through ID Experts for 24 months without charge. Patients will also be protected by a $1,000,000 insurance policy.

Web Portal of Transcription Service Provider Discovered to be Leaking PHI

A transcription service provider has inadvertently left medical records and patient notes unsecured and freely accessible via a physician portal, which should have been password protected. The error has resulted in the exposure of thousands of patients’ PHI.

MEDantex provides medical transcription services to many hospitals and physicians, many of whom choose to upload audio files to the MEDantex website. The audio files are accessed by the firm’s employees and transcribed, and documents containing the transcribed notes are uploaded to the portal where they can be downloaded by providers. In order to gain access to the portal, a user must be authenticated by means of a password.

According to a report on KrebsOnSecurity, certain portions of the website were recently discovered to lack any authentication controls. Anyone visiting the website could, through their browser, gain access to patient data stored on the site. Brian Krebs reports that several of the tools used by MEDantex staff could also be accessed and used by unauthorized individuals. Those tools allowed unauthorized individuals to add and remove users, search for patients of specific physicians, and find information about patients by name.

Brian Krebs notes that a search of the site revealed the names of 2,300 physicians from across the country. Each provider had a directory which contained audio files and documents of transcribed medical notes, all of which could be freely downloaded.

The exposure of patient health information was reportedly due to a glitch in the portal that is believed to have been introduced during a rebuild of the portal. MEDantex suffered a ransomware attack that resulted in data on its portal being encrypted. The recovery process involved rebuilding the portal, although an error meant password protection was removed.

Brian Krebs notified MEDantex of the error and the portal was immediately taken offline pending a thorough investigation. According to Krebs, a Google cache of the site shows the records were accessible since at least April 10, 2018.

It is currently unclear exactly how many patients’ PHI was exposed, although it is likely to number in the thousands. It is also unknown whether any unauthorized individuals accessed and downloaded PHI during the time that the records were left exposed.

Report: Healthcare Data Breaches in Q1, 2018

The first three months of 2018 have seen 77 healthcare data breaches reported to the Department of Health and Human Services’ Office for Civil Rights (OCR). Those breaches have impacted more than one million patients and health plan members – almost twice the number of individuals that were impacted by healthcare data breaches in Q4, 2017.

There was a 10.5% fall in the number of data breaches reported quarter over quarter, but the severity of breaches increased. The mean breach size increased by 130.57% and there was a 15.37% increase in the median breach size.

In Q4, 2017, the mean breach size was 6,048 healthcare records and the median breach size was 1,666 records. In Q1, 2018, the mean breach size was 13,945 records and the median breach size was 1,922 records.

Between January 1 and March 31, 2018, 1,073,766 individuals had their PHI exposed, viewed, or stolen compared to 520,141 individuals in Q4, 2017.

Figure: Individuals Impacted by Healthcare Data Breaches in Q1, 2018

Figure: Healthcare Records Breached in Q1, 2018

Throughout 2017, healthcare data breaches were occurring at a rate of more than one per day. Compared to 2017, January was a relatively good month for the healthcare industry, with just 22 security incidents reported to the HHS’ Office for Civil Rights.

However, January also saw the largest healthcare data breach of the quarter reported – a hacking incident that potentially resulted in the theft of almost 280,000 records. That incident made January the worst month in terms of the number of healthcare records exposed.

The number of reported data breaches also increased each month; in March, breaches were being reported at the typical rate of one per day.

Figure: Q1, 2018 Healthcare Data Breaches

Figure: Healthcare Data Breaches in Q1, 2018

Main Causes of Healthcare Data Breaches in Q1, 2018

The healthcare industry is something of an anomaly when it comes to data breaches. In other industries, hacking/IT incidents dominate the breach reports; in healthcare, insiders cause the most data breaches.

Once again, insiders were behind the majority of breaches. Unauthorized access/disclosure incidents, loss of physical records and devices containing ePHI, and improper disposal incidents accounted for 59.74% of the 77 breaches reported in Q1.

The main cause of breaches in Q1, 2018 was unauthorized access/disclosures – 35 incidents and 45.45% of the total breaches reported in Q1. There were 15 breaches involving the loss or theft of electronic devices containing ePHI, all of which could have been prevented had encryption been used.

Figure: Causes of Healthcare Data Breaches, Q1, 2018

Healthcare Records Exposed in Q1, 2018 by Breach Cause

Unauthorized access/disclosure incidents were more numerous than hacking incidents in Q1, although more healthcare records were exposed/stolen in hacking/IT incidents than all other causes of breaches combined.

Figure: Healthcare Records Exposed by Breach Cause

Location of Breached PHI in Q1, 2018

Healthcare security teams may be focused on securing the perimeter and preventing hackers from accessing and stealing electronic health information, but it is important not to neglect physical records. As was the case in Q4, 2017, physical records were the top location of breached PHI in Q1, 2018.

Email, which includes social engineering, phishing attacks and misdirected emails, was the second most common location of breached PHI followed by network servers.

Figure: Location of Breached PHI - Q1, 2018

Largest Healthcare Data Breaches of Q1, 2018

In Q1, 2018, there were 18 healthcare security breaches that impacted more than 10,000 individuals. Hacking/IT incidents tend to involve more records than any other breach cause, although in Q1, 2018, there were several large-scale unauthorized access/disclosure incidents, including five of the top ten breaches of the quarter.

The two largest breaches of the year to date affected Oklahoma State University Center for Health Sciences and St. Peter’s Surgery & Endoscopy Center. In both cases a hacker gained access to the network and potentially viewed/obtained patients’ PHI.

The five largest breaches of the quarter accounted for 57% of all records exposed in the quarter. The top 18 data breaches accounted for 87% of all records exposed in the quarter.

| Name of Covered Entity | Covered Entity Type | Individuals Affected | Type of Breach |
|---|---|---|---|
| Oklahoma State University Center for Health Sciences | Healthcare Provider | 279,865 | Hacking/IT Incident |
| St. Peter’s Surgery & Endoscopy Center | Healthcare Provider | 134,512 | Hacking/IT Incident |
| Tufts Associated Health Maintenance Organization, Inc. | Health Plan | 70,320 | Unauthorized Access/Disclosure |
| Florida Agency for Persons with Disabilities | Health Plan | 63,627 | Unauthorized Access/Disclosure |
| Middletown Medical P.C. | Healthcare Provider | 63,551 | Unauthorized Access/Disclosure |
| Onco360 and CareMed Specialty Pharmacy | Healthcare Provider | 53,173 | Hacking/IT Incident |
| Triple-S Advantage, Inc. | Health Plan | 36,305 | Unauthorized Access/Disclosure |
| ATI Holdings, LLC and its subsidiaries | Healthcare Provider | 35,136 | Hacking/IT Incident |
| City of Houston Medical Plan | Health Plan | 34,637 | Theft |
| Mississippi State Department of Health | Healthcare Provider | 30,799 | Unauthorized Access/Disclosure |
| Agency for Health Care Administration | Health Plan | 30,000 | Hacking/IT Incident |
| Decatur County General Hospital | Healthcare Provider | 24,000 | Hacking/IT Incident |
| Barnes-Jewish Hospital | Healthcare Provider | 18,436 | Unauthorized Access/Disclosure |
| Barnes-Jewish St. Peters Hospital | Healthcare Provider | 15,046 | Unauthorized Access/Disclosure |
| Special Agents Mutual Benefit Association | Health Plan | 13,942 | Unauthorized Access/Disclosure |
| Guardian Pharmacy of Jacksonville | Healthcare Provider | 11,521 | Hacking/IT Incident |
| CarePlus Health Plan | Health Plan | 11,248 | Unauthorized Access/Disclosure |
| Primary Health Care, Inc. | Healthcare Provider | 10,313 | Unauthorized Access/Disclosure |

Healthcare Data Breaches in Q1, 2018 by Covered Entity

Healthcare providers were the worst affected by healthcare data breaches in Q1, 2018. As was the case in Q4, 2017, 14 health plans experienced a breach of more than 500 records. There were half as many business associate breaches in Q1, 2018 as in Q4, 2017.

Figure: Q1, 2018 Healthcare Data Breaches by Entity Type

Healthcare Data Breaches in Q1, 2018 by State

In Q1, healthcare organizations based in 35 states reported breaches of more than 500 records. The worst affected state was California with 11 reported breaches, followed by Massachusetts with 8 security incidents.

There were four security incidents in both Missouri and New York, and three breaches reported by healthcare organizations based in Florida, Illinois, Maryland, Mississippi, Tennessee, and Wisconsin.

Healthcare organizations based in Alabama, Arkansas, Kentucky, Rhode Island, Texas, and Wyoming reported two breaches.

There was one breach reported in each of Colorado, Connecticut, District of Columbia, Georgia, Iowa, Maine, Michigan, Minnesota, North Carolina, New Jersey, New Mexico, Nevada, Ohio, Oklahoma, Pennsylvania, Utah, Virginia, Washington and West Virginia.

1,000 Mental Health Patients’ PHI Accidentally Disclosed for 3 and a Half Years

1,071 patients who received medical services at the Des Moines Crisis Observation Center operated by Polk County Health Services Inc., have been informed that some of their protected health information has been “accidentally and unknowingly disseminated” over a period of three and a half years.

The breach was discovered on February 14, 2018, although the investigation revealed that information first started being disclosed on June 1, 2014 and continued until January 11, 2018. The types of information disclosed include patients’ names along with Social Security numbers, home addresses, Medicaid ID numbers, admission dates, and discharge locations.

Through the Crisis Observation Center, Polk County Health Services provides mental health services for residents of Polk County, IA and is the regional administrator and governing board for mental health and disability services for the county.

Polk County Health Services is aware of the individual(s) to whom the information has been disclosed and was able to determine exactly what types of information those individuals received. The reason for the impermissible disclosure of protected health information, and how the PHI came to be disclosed, was not explained in the substitute breach notice uploaded to the Polk County Health Services website.

Steps have been taken to prevent any further disclosures of personal information or protected health information, and also to prevent any further dissemination of the information. The steps taken include providing further training to staff on the importance of protecting the privacy of patients and the implementation of additional computer security protections and protocols to prevent the unauthorized accessing and disclosure of PHI.

No reports have been received to suggest any patient’s PHI has been misused; however, as a precaution, all individuals affected by the breach have been offered complimentary credit monitoring services for 12 months. Notifications were mailed to affected individuals in April and the incident has been reported to the Department of Health and Human Services’ Office for Civil Rights.

California Dept. of Developmental Services Notifies 582,000 Patients of Potential PHI Compromise

The California Department of Developmental Services (DDS) is notifying 582,174 patients that their protected health information has potentially been compromised.

On February 11, 2018, thieves broke into the DDS legal and audits offices in Sacramento, CA. During the time the thieves were in the offices they potentially had access to the sensitive information of approximately 15,000 employees, contractors, job applicants, and parents of minors who receive DDS services, in addition to the PHI of more than half a million patients. The thieves also stole 12 government computers.

It does not appear that the perpetrators were interested in paper records and all computers taken by the thieves were encrypted so data access was not possible. DDS has confirmed that none of the office computers were used to gain access to the department’s network and electronic protected health information remained secure at all times.

In its substitute breach notice, DDS explained that its offices were vandalized and a fire was started, which triggered the sprinkler system causing damage to documents and CDs.

The nature of the vandalism and the damage caused by the fire and sprinkler system has made it impossible to determine with 100% certainty whether any information was taken from the offices or if PHI has been compromised.

If PHI was viewed or stolen it would have been limited to names, medical records, unique state-issued client identifier numbers, service codes, service dates, units billed, and amounts paid for services.

The incident has been reported to law enforcement and the burglary has been investigated but the perpetrators have not been identified.

While it is unlikely that the thieves gained access to the protected health information of patients, notifications have been sent to affected individuals out of an abundance of caution and the incident has been reported to the Department of Health and Human Services’ Office for Civil Rights.

The security breach is the largest to be reported to OCR in 2018, eclipsing the 279,865-record breach at Oklahoma State University Center for Health Sciences that was reported in January and the 134,512-record breach at St. Peter’s Surgery & Endoscopy Center, reported in February.