HIPAA Breach News

Texas Health Resources Notifies 4,000 Patients of Email Account Breach

Arlington-based Texas Health Resources, a provider group serving more than 1.7 million patients in North Texas, is notifying ‘fewer than 4,000 patients’ that some of their sensitive information may have been accessed by an unauthorized individual. The data breach occurred as early as October 2017, although it was not discovered until January 17, 2018, when the health system was notified of a breach by law enforcement. The potentially compromised data was saved in email accounts that the attacker had access to for up to three months.

The delay in issuing breach notification letters, which would normally have to be issued within 60 days of the discovery of the breach under HIPAA Rules, was at the request of law enforcement. HIPAA covered entities are permitted to delay the issuing of notifications if law enforcement believes such an act would impede an investigation. Law enforcement has only recently given the OK to start sending notifications. It is unclear whether the law enforcement investigation resulted in the apprehension of a suspect.

Texas Health Resources explained in its substitute breach notice that the incident was part of a larger attack that affected multiple entities across the United States. It is currently unclear which other healthcare organizations were also targeted by the attacker and therefore the true scale of the campaign.

Texas Health Resources conducted its own internal investigation into the breach and determined that the compromised email accounts contained information such as names, dates of birth, Social Security numbers, medical record numbers, drivers’ license numbers, state ID numbers, insurance information, and clinical information. Most of the affected individuals had received medical services at Texas Health Resources facilities in 2017.

Individuals whose Social Security numbers were exposed have been offered complimentary identity theft and credit monitoring services for one year. No reports have been received to suggest any of the information has been misused.

Texas Health says it continuously works on improving its safeguards to keep protected health information confidential and secure, and will be enhancing security monitoring so that future security incidents are detected more rapidly.

The post Texas Health Resources Notifies 4,000 Patients of Email Account Breach appeared first on HIPAA Journal.

Analysis of March 2018 Healthcare Data Breaches

There has been a month-over-month increase in healthcare data breaches. In March 2018, 29 security incidents were reported by HIPAA covered entities compared to 25 incidents in February.

March 2018 Healthcare Data Breaches

Even though more data breaches were reported in March, there was a fall in the number of individuals impacted by breaches. March 2018 healthcare data breaches saw 268,210 healthcare records exposed – a 13.1% decrease from the 308,780 records exposed in incidents in February.

Records exposed by Healthcare Data Breaches (March 2018)

Causes of March 2018 Healthcare Data Breaches

March saw the publication of the Verizon Data Breach Investigations Report which confirmed the healthcare industry is the only vertical where more data breaches are caused by insiders than hackers. That trend continued in March. Unauthorized access/disclosures, loss of devices/records, and improper disposal incidents were behind 19 of the 29 incidents reported – 65.5% of all incidents reported in March.

The main cause of healthcare data breaches in March 2018 was unauthorized access/disclosure incidents, with 14 incidents reported. Theft/loss incidents were the second main cause with 9 incidents (5 thefts and 4 losses), followed by hacking/IT incidents with 5 breaches reported, and one improper disposal incident.

Severity of Breaches by Breach Cause

Breach Cause | Incidents | Total Records Exposed in March | Median Records Exposed | Mean Records Exposed
Unauthorized Access/Disclosure | 14 | 166,859 | 3,551 | 11,919
Hacking/IT Incident | 5 | 54,814 | 5,207 | 10,963
Theft | 5 | 40,018 | 1,424 | 8,004
Loss | 4 | 5,107 | 1,096 | 1,277
Improper Disposal | 1 | 1,412 | 1,412 | 1,412

(The incident counts are derived from the totals and means; the five causes account for all 29 incidents and all 268,210 exposed records.)

Largest Healthcare Data Breaches Reported in March 2018

There were ten healthcare data breaches reported in March that impacted more than 10,000 individuals. The largest data breach resulted in the exposure of 63,551 individuals’ PHI. That incident occurred and was discovered in December 2016, although the incident has only just been reported to the HHS’ Office for Civil Rights.

While hacking incidents usually result in the highest number of exposed/compromised records, in March it was unauthorized access/disclosure incidents that dominated the breach reports.

Name of Covered Entity | Covered Entity Type | Individuals Affected | Type of Breach
Middletown Medical P.C. | Healthcare Provider | 63,551 | Unauthorized Access/Disclosure
ATI Holdings, LLC and its subsidiaries | Healthcare Provider | 35,136 | Hacking/IT Incident
City of Houston Medical Plan | Health Plan | 34,637 | Theft
Mississippi State Department of Health | Healthcare Provider | 30,799 | Unauthorized Access/Disclosure
Barnes-Jewish Hospital | Healthcare Provider | 18,436 | Unauthorized Access/Disclosure
Barnes-Jewish St. Peters Hospital | Healthcare Provider | 15,046 | Unauthorized Access/Disclosure
Special Agents Mutual Benefit Association | Health Plan | 13,942 | Unauthorized Access/Disclosure
Guardian Pharmacy of Jacksonville | Healthcare Provider | 11,521 | Hacking/IT Incident
Primary Health Care, Inc. | Healthcare Provider | 10,313 | Unauthorized Access/Disclosure

March 2018 Healthcare Data Breaches by Covered Entity Type

No data breaches were reported by business associates of HIPAA-covered entities in March. The breach summaries published by the HHS’ Office for Civil Rights suggest there was no business associate involvement in any of the 29 incidents reported.

However, the largest reported incident – the breach at Middletown Medical – is marked as having no business associate involvement, when the breach notice uploaded to the provider’s website indicates the incident was caused by a subcontractor of a business associate. It is possible there were more security breaches in March that had some business associate involvement.

Records Exposed by Covered Entity Type

Unsurprisingly, given that healthcare providers reported 25 of the 29 incidents, those incidents resulted in the highest number of exposed records – 154,325 records – followed by breaches at business associates/subcontractors – 63,551 records – and health plans – 50,334 records.

Breaches at business associates/subcontractors saw the highest number of records exposed per incident (median and mean = 63,551 records, since only the Middletown Medical incident is counted here), followed by health plans (median = 13,942 records / mean = 16,778 records across 3 incidents) and healthcare providers (median = 1,843 records / mean = 6,173 records across 25 incidents).
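The severity table above and the per-entity-type figures in this section are the kind of summary a compliance or security team recomputes each month from the HHS OCR breach portal export. The following script is an added example (not code from HIPAA Journal or from HHS) that loads a constructed set of portal-style rows and produces the same statistics: incidents, total, median and mean records per breach cause, per covered entity type, per state, or per business-associate flag. The column names are an assumption about the portal's CSV layout, and every entity, date and figure in the sample is made up.

```python
import csv
import io
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample rows. The column names follow the layout of the HHS OCR
# breach portal CSV export as assumed by this example; they are not taken from
# the page. Entity names, dates and figures are made up for illustration.
SAMPLE_CSV = """\
Name of Covered Entity,State,Covered Entity Type,Individuals Affected,Breach Submission Date,Type of Breach,Location of Breached Information,Business Associate Present
Example Clinic A,MA,Healthcare Provider,3551,03/02/2018,Unauthorized Access/Disclosure,Paper/Films,No
Example Clinic B,CA,Healthcare Provider,12001,03/05/2018,Unauthorized Access/Disclosure,Email,No
Example Plan C,TX,Health Plan,34637,03/09/2018,Theft,Laptop,No
Example Clinic D,NY,Healthcare Provider,1425,03/12/2018,Theft,Desktop Computer,No
Example Clinic E,MO,Healthcare Provider,5207,03/14/2018,Hacking/IT Incident,Email,No
Example Clinic F,MD,Healthcare Provider,1096,03/20/2018,Loss,Other Portable Electronic Device,No
Example Clinic G,IL,Healthcare Provider,1412,03/22/2018,Improper Disposal,Paper/Films,No
Example Clinic H,FL,Healthcare Provider,801,03/28/2018,Hacking/IT Incident,Network Server,Yes
Example Clinic I,CA,Healthcare Provider,2500,02/27/2018,Hacking/IT Incident,Email,No
"""


def load_reports(csv_text):
    """Parse portal-style CSV text into a list of dicts with typed fields."""
    reports = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        reports.append({
            "entity": row["Name of Covered Entity"].strip(),
            "state": row["State"].strip(),
            "entity_type": row["Covered Entity Type"].strip(),
            "affected": int(row["Individuals Affected"]),
            "submitted": datetime.strptime(row["Breach Submission Date"].strip(), "%m/%d/%Y"),
            "cause": row["Type of Breach"].strip(),
            "location": row["Location of Breached Information"].strip(),
            # Self-reported flag; as the page notes, it is not always accurate.
            "ba_present": row["Business Associate Present"].strip().lower() == "yes",
        })
    return reports


def reports_in_month(reports, year, month):
    """Keep only reports submitted to OCR in the given calendar month."""
    return [r for r in reports
            if r["submitted"].year == year and r["submitted"].month == month]


def summarize(reports, key):
    """Group reports by a field and compute incidents, total, median and mean
    of individuals affected. Groups are ordered by total, largest first; the
    mean is rounded to a whole record as in the table above."""
    groups = defaultdict(list)
    for r in reports:
        groups[r[key]].append(r["affected"])
    table = {}
    for name, counts in groups.items():
        total = sum(counts)
        table[name] = {
            "incidents": len(counts),
            "total": total,
            "median": statistics.median(counts),
            "mean": round(total / len(counts)),
        }
    return dict(sorted(table.items(), key=lambda kv: kv[1]["total"], reverse=True))


def largest(reports, threshold=10000):
    """Reports affecting more than `threshold` individuals, largest first."""
    hits = [r for r in reports if r["affected"] > threshold]
    return sorted(hits, key=lambda r: r["affected"], reverse=True)


def print_table(title, table):
    print(title)
    print(f"{'Group':<34}{'Incidents':>10}{'Total':>10}{'Median':>10}{'Mean':>10}")
    for name, s in table.items():
        print(f"{str(name):<34}{s['incidents']:>10}{s['total']:>10,}"
              f"{s['median']:>10,.0f}{s['mean']:>10,}")
    print()


if __name__ == "__main__":
    march = reports_in_month(load_reports(SAMPLE_CSV), 2018, 3)
    print_table("Severity by breach cause", summarize(march, "cause"))
    print_table("Records by covered entity type", summarize(march, "entity_type"))
    print_table("Incidents by state", summarize(march, "state"))
    print_table("Business associate flag", summarize(march, "ba_present"))
    for r in largest(march):
        print(f"{r['entity']}: {r['affected']:,} ({r['cause']})")
```

Grouping on the submission month matters because OCR lists breaches by the date they were reported, not the date they occurred; the sample deliberately includes a February row that the March tables must exclude. Grouping on `ba_present` reproduces the business-associate count, but only as accurately as the self-reported flag, which is the caveat raised above for the Middletown Medical entry.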

Location of Breached Protected Health Information

The main location of breached protected health information in March was portable electronic devices (laptops and other portable devices), with 9 incidents reported. Had the ePHI on those devices been encrypted in line with HHS guidance, the loss or theft of the hardware would not have exposed the data, and, because the HIPAA Breach Notification Rule applies only to unsecured PHI, the incidents would not have been reportable breaches, provided the decryption key was not lost or stolen along with the device.

The second biggest problem area was email with 8 reported incidents. These breaches include misdirected emails and phishing incidents.

Securing physical records continues to be a problem. There were five incidents reported in March that involved physical records such as paper and films.

March 2018 Healthcare Data Breaches by State

In March 2018, six states experienced multiple healthcare data breaches. While California usually tops the list for the most breaches, this month it was Massachusetts-based healthcare organizations that were the hardest hit, with 5 incidents reported.

California was in second place with four security incidents, followed by Missouri and New York with three, and Maryland and Texas with two. The 10 other states where breaches occurred were Arkansas, Colorado, District of Columbia, Florida, Georgia, Iowa, Illinois, Minnesota, Mississippi, and West Virginia.

Financial Penalties for Breaches and HIPAA Violations

There were no civil monetary penalties issued by the Department of Health and Human Services’ Office for Civil Rights in March, and no settlements with HIPAA-covered entities or business associates to resolve HIPAA violations.

State attorneys general have continued to take a hard line on companies discovered to have violated HIPAA Rules and suffered data breaches as a result, with one further settlement reached in March.

Virtua Medical Group, a New Jersey healthcare provider, agreed to settle violations of HIPAA and state laws with the New Jersey attorney general’s office for $417,816. That penalty relates to the failure to secure an FTP server, although it was not the healthcare provider that was directly responsible: the error was made by a business associate of Virtua Medical Group. Under HIPAA the covered entity remains accountable for the PHI it discloses to its business associates.

Several Employee Email Accounts Compromised in UnityPoint Health Phishing Attack

UnityPoint Health has discovered the email accounts of several employees have been compromised and accessed by unauthorized individuals.

Access to the employee email accounts was first gained on November 1, 2017 and continued for a period of three months until February 7, 2018, when the phishing attack was detected and access to the compromised email accounts was blocked.

Upon discovery of the phishing attack, UnityPoint Health engaged the services of a computer forensics firm to investigate the scope of the breach and the number of patients impacted. The investigation revealed a wide range of protected health information had potentially been obtained by the attackers, which included names in combination with one or more of the following data elements:

Medical record number, date of birth, service dates, treatment information, surgical information, lab test results, diagnoses, provider information, and insurance information.

The security breach has yet to appear on the Department of Health and Human Services’ breach portal, so it is currently unclear exactly how many patients have been affected by the breach. Notifications to individuals impacted by the breach started to be mailed on April 16, 2018.

To date there have been no reports of any health information being used inappropriately. However, since PHI may have been obtained by the attackers, UnityPoint Health has recommended affected individuals take steps to protect against insurance fraud and identity theft. Those steps include reviewing insurers’ Explanation of Benefits statements, monitoring accounts for fraudulent activity, and contacting insurers for a full list of all medical services paid under their insurance policy and carefully checking the list for any services that have not been received.

The incident has prompted UnityPoint Health to strengthen security controls to prevent similar incidents from occurring in the future.

Oxygen Equipment Manufacturer Discovers Credential Theft Incident Potentially Impacts 30,000

Inogen, a manufacturer of portable oxygen concentrators, has discovered an unauthorized individual has obtained the credentials of an employee and has used them to gain access to the employee’s email account.

Phishing and other credential theft incidents are common in the healthcare sector, although what makes this incident stand out is the number of individuals impacted by the attack. The compromised email account contained the personal information of approximately 30,000 individuals who had previously been provided with oxygen supply devices.

The types of information potentially viewed and obtained by the attacker include name, telephone number, address, email address, date of birth, date of death, types of equipment provided, Medicare ID number and health insurance information. Medical records, Social Security numbers, and payment card information were not compromised.

Also notable is the length of time it took to discover the breach. Inogen reports that access to the email account was first gained on January 2, 2018 and continued until March 14, a dwell time of more than ten weeks. Forensic investigators were hired to determine exactly how the breach occurred, its extent, and the number of patients impacted. The forensics firm confirmed the account was accessed and, based on the IP address used to access the account, that the perpetrator was located in a foreign country.

While stolen credentials were used in the attack, it is currently unclear exactly how those credentials were obtained. While phishing is a possibility, the credentials could also have been obtained by other means, such as a man-in-the-middle attack.

Since there is potential for insurance information to be misused by the attacker, Inogen has offered credit monitoring services to affected individuals and they will be protected by an insurance reimbursement policy. While that policy will cover losses in the event of insurance information misuse, Inogen has said that the policy may not cover all expenses related to the misuse of information.

Inogen is required to comply with Health Insurance Portability and Accountability Act Rules and has reported the security breach to the Department of Health and Human Services’ Office for Civil Rights. Affected individuals have been notified by mail and relevant state attorneys general have been sent a data breach summary.

Security has been strengthened following the attack, including the use of two-factor authentication: if an unfamiliar device is used to access an account, a second form of authentication will be required before access is granted. Additionally, all passwords have been reset, further electronic tools have been deployed to prevent unauthorized access, and employee training has been enhanced.

Integrated Rehab Consultants Takes 16 Months to Notify Patients of PHI Breach

The Chicago, IL-based physiatry group Integrated Rehab Consultants (IRC) is sending notification letters to certain patients alerting them to the exposure of some of their protected health information, as is required by HIPAA. However, the breach was not discovered within the past 60 days: IRC first became aware of the exposure of PHI on December 2, 2016 – 16 months ago.

The data – which included patients’ full names, address, date of birth, gender, medical provider information, visit date, visit status, admission date, appointment visit ID, treatment location, procedure code, and diagnosis codes – had been uploaded to a publicly accessible repository. The PHI was discovered by a healthcare security researcher who notified IRC about the breach.

Prompt action was taken to remove and secure the data and an investigation was launched to determine how and why the data had been uploaded to an insecure location. That investigation determined that a business associate who had been provided with the PHI had disclosed the information to a third party. It was that subcontractor that made the error and uploaded the data to the public repository.

At the time, IRC only believed the data had been accessed by the security researcher. However, in its substitute breach notice, IRC explained that in the fall of 2017 it became apparent that other individuals may also have gained access to the data.

Patients potentially impacted have been offered complimentary credit monitoring and identity restoration services for 12 months and notified about the incident ‘out of an abundance of caution.’ IRC has not received any reports to suggest any patient information has been misused, although affected individuals have been urged to check their credit reports and EoB statements carefully and to remain vigilant against incidents of identity theft and fraud.

It is unclear why patients were not notified of the exposure of their PHI within 60 days of the initial discovery that their PHI had been exposed, nor why there was a further delay in issuing notifications when it was suspected that other individuals may have gained access to the data.

Baptist Health Alerts Almost 1,500 Patients to Possible Abuse of Credit Card Details

A former employee of Baptist Health’s West Kendall Baptist Hospital in Miami, FL has been discovered to have stolen the credit card details of at least one patient and used the information to make fraudulent purchases.

The misuse of credit cards was discovered by Baptist Health on March 9, 2018. The matter was referred to Miami-Dade law enforcement and the employee was terminated.

Baptist Health has not specified exactly how many patients have been confirmed to have been defrauded by the employee, although 1,480 patients have been sent breach notification letters to alert them to the possibility that their credit card details may have been misused.

Any patient who paid for medical services using a credit card with the registration employee between August 2014 and March 2018 has potentially had their name, date of birth, and credit card details stolen and misused.

As a precaution, all 1,480 patients have been offered identity theft protection and credit monitoring services for 12 months without charge and have been advised to check their credit card statements carefully for any unauthorized purchases.

Baptist Health is exploring options to further protect patient health information and prevent any further breaches of this nature from occurring in the future.

63,500 Patients Impacted by Middletown Medical Data Breach

A misconfigured security setting on a radiology interface has resulted in the exposure of tens of thousands of patients’ protected health information.

Middletown Medical, a multi-specialty physicians’ group based in Middletown, NY, discovered the misconfigured security setting on January 29, 2018.

The following day the interface was secured to ensure unauthorized individuals were prevented from accessing patient information. It is unclear for how long patient data was accessible. Middletown Medical says only a limited number of patients’ PHI could have been accessed by unauthorized individuals.

Highly sensitive information such as financial data, Social Security numbers, and insurance information were not exposed. The breach was limited to names, client identification numbers, birth dates, confirmation that radiology services had been received by patients, and the dates those services were provided. A limited number of patients also had diagnosis codes, radiology images, and radiology reports exposed.

The discovery of the error prompted Middletown Medical to review its policies and procedures and implement additional safeguards to ensure the confidentiality of documents containing PHI. Additional training has been provided to staff on securing information systems and modifications have been made to interfaces to ensure all information remains secure.

No reports of misuse of PHI have been received although, out of an abundance of caution, all patients impacted by the breach have been offered complimentary identity theft recovery services for 12 months and have been advised to carefully review their account statements and Explanation of Benefits statements for any sign of fraudulent activity.

The data breach summary submitted to the Department of Health and Human Services’ Office for Civil Rights indicates up to 63,551 patients had their PHI exposed, making this one of the largest healthcare security incidents to be reported so far this year.

2 to 6 Year Jail Term for Receptionist Who Stole PHI from Dentist Office

A former receptionist at a New York dental practice has been sentenced to serve 2 to 6 years in state penitentiary for stealing the protected health information of hundreds of patients.

Annie Vuong, 31, was given access to the computer system and dental records of patients in order to complete her work duties. Vuong abused the access rights and stole the PHI of more than 650 patients. That information was passed to her co-defendants who used the data to steal identities and make fraudulent purchases of high value items.

Vuong was arrested on February 2, 2015, following a two-and-a-half-year investigation into identity theft by the New York District Attorney’s Office.

The theft of data occurred between May and November 2012, when the PHI of 653 patients was taken from the dental office. The types of information stolen included names, birth dates, and Social Security numbers. That information was shared with co-defendant Devin Bazile in an email.

Bazile used the information to obtain credit lines from Barclaycard in the victims’ names. Credit ranged from $2,000 to $7,000 per individual. Bazile, along with co-defendants Joshua Haughton and Ahmeen Evans, used the credit to purchase Apple gift cards that were used to buy tablets and laptop computers totaling more than $700,000.

Bazile and Haughton had already been convicted and sentenced to lengthy jail terms for their role in the identity theft scheme. Bazile and Haughton were convicted of Grand Larceny in the Second Degree in 2015 and were sentenced to serve 3 to 9 years and 1 and 1/3 to 4 years in jail respectively. Evans was also convicted of Grand Larceny in the Second Degree and was sentenced to 5 years’ probation.

Vuong was found guilty of 189 counts against her including one count of Grand Larceny in the Second Degree, 49 counts of Grand Larceny in the Third Degree, 63 counts of Identity Theft in the First Degree, 45 counts of Grand Larceny in the Fourth Degree, 30 counts of Identity Theft in the Second Degree, and one count of Unlawful Possession of Personal Identification Information in the Second Degree.

Chesapeake Regional Healthcare Reports PHI of 2,100 Patients Was Stored on Lost Hard Drives

Chesapeake Regional Healthcare has discovered two hard drives containing the protected health information (PHI) of approximately 2,100 patients are missing from the Chesapeake Regional Medical Center campus in Chesapeake, Virginia.

The data stored on the devices relates to individuals who took part in studies at its Sleep Center between April 2015 and February 2018.

It is currently unclear exactly when the hard drives went missing. Chesapeake Regional Healthcare discovered the devices were missing on February 6, 2018. An internal investigation was launched, and a full search of the facility was conducted, but the devices could not be located. The missing hard drives have been reported as lost/stolen to law enforcement, but Chesapeake Regional Healthcare said the probability of the devices being recovered is low and it does not expect the devices to be found.

The hard drives were not encrypted. If obtained by a third party, the protected health information of patients could potentially be accessed. The types of information stored on the devices include names, demographic information, birth dates, unique patient identifiers, details of the procedures and tests performed at the Sleep Center, and information on medications that were prescribed. Social Security numbers, addresses, insurance information, and financial data were not stored on the devices.

Chesapeake Regional Healthcare is taking steps to ensure similar breaches do not occur in the future. Those steps include improving policies related to the security of PHI stored on portable electronic devices. It is not clear whether the new measures will include data encryption.

Chesapeake Regional Healthcare is currently in the process of sending notifications to patients, who are being offered 12 months of complimentary credit monitoring and identity theft protection services. In the event that patients discover their health information has been used inappropriately, assistance will be offered to help mitigate any harm caused.