HIPAA Breach News

Chesapeake Regional Healthcare Reports PHI of 2,100 Patients Was Stored on Lost Hard Drives

Chesapeake Regional Healthcare has discovered that two hard drives containing the protected health information (PHI) of approximately 2,100 patients are missing from the Chesapeake Regional Medical Center campus in Chesapeake, Virginia.

The data stored on the devices relates to individuals who took part in studies at its Sleep Center between April 2015 and February 2018.

It is currently unclear exactly when the hard drives went missing. Chesapeake Regional Healthcare discovered the devices were missing on February 6, 2018. An internal investigation was launched, and a full search of the facility was conducted, but the devices could not be located. The missing hard drives have been reported as lost/stolen to law enforcement, but Chesapeake Regional Healthcare said the probability of the devices being recovered is low and it does not expect the devices to be found.

The hard drives were not encrypted, so if they were obtained by a third party, the protected health information of patients could potentially be accessed. The types of information stored on the devices include names, demographic information, birth dates, unique patient identifiers, details of the procedures and tests performed at the Sleep Center, and information on medications that were prescribed. Social Security numbers, addresses, insurance information, and financial data were not stored on the devices.

Chesapeake Regional Healthcare is taking steps to ensure similar breaches do not occur in the future. Those steps include improving policies related to the security of PHI stored on portable electronic devices. It is not clear whether the new measures will include data encryption.

Chesapeake Regional Healthcare is currently in the process of sending notifications to patients, who are being offered 12 months of complimentary credit monitoring and identity theft protection services. In the event that patients discover their health information has been used inappropriately, assistance will be offered to help mitigate any harm caused.

The post Chesapeake Regional Healthcare Reports PHI of 2,100 Patients Was Stored on Lost Hard Drives appeared first on HIPAA Journal.

Oregon Data Breach Notification and Information Security Laws Updated

Oregon has updated its data breach notification law to improve protections for state residents whose personal information is exposed in a data breach. State governor Kate Brown signed Senate Bill 1551 (SB 1551) last month; the bill updates several regulations, notably Oregon’s Breach Notification Law (O.R.S. 646A.604) and Information Security Law (O.R.S. 646A.622). The updates will become effective in June 2018.

Prior to the update, Oregon’s data breach notification law applied only to persons who own or license personal information. Now, the definition of a person is “an individual, private or public corporation, partnership, cooperative, association, estate, limited liability company, organization or other entity, whether or not organized to operate at a profit, or a public body as defined in ORS 174.109.”

A data breach is defined as “an unauthorized acquisition of computerized data that materially compromises the security, confidentiality or integrity of personal information that a person maintains.”

The definition of personal information has been expanded to include a first name or first initial and last name, in combination with any of the following data elements:

  • Social Security number
  • Driver’s license number
  • State identification card number from the Department of Transportation
  • Passport number
  • Other U.S. identification numbers
  • Data from automatic measurements of physical characteristics (including iris and retina scans and fingerprints) that are used to authenticate transactions
  • A health insurance policy number or subscriber ID number in combination with any unique identifier that can identify an individual
  • Details of mental or health conditions
  • Medical histories
  • Financial information that includes an access code or passwords that would permit an unauthorized individual to gain access to the financial account

While timely notifications were required when personal information was exposed or stolen as a result of a security breach, there is now a maximum time frame for issuing notifications. Notifications must be issued without unreasonable delay, but no later than 45 days following the discovery of a breach. Breach notifications can be delayed at the request of law enforcement if the issuing of notifications would impede an investigation.

While there is some overlap between the definition of personal information under state law and the definition of protected health information under HIPAA, HIPAA-covered entities are exempt from complying with the 45-day breach notice deadline and are deemed to be in compliance with that aspect of state law if they meet the requirements of the HIPAA Breach Notification Rule and issue notifications no later than 60 days from the discovery of a breach. All breached entities, including HIPAA covered entities, must send a copy of the consumer breach notice to the Oregon attorney general if the breach impacts more than 250 individuals.

The update also introduced the requirement that credit monitoring services and identity theft protection services cannot be conditioned on accepting any other services that require a fee to be paid, and neither should require the provision of a credit or debit card. The law does not require a breached entity to provide these services in the event of a breach of personal information.

The update to Information Security Law, O.R.S. 646A.622 requires “a person that owns, maintains or otherwise possesses, or has control over or access to, data that includes a consumer’s personal information that the person uses in the course of the person’s business, vocation, occupation or volunteer activities” to implement and maintain reasonable safeguards to protect the confidentiality, integrity, and security of personal information.

HIPAA-covered entities will be deemed to be in compliance with that aspect of O.R.S. 646A.622 provided they are in compliance with HIPAA 45 C.F.R. 160 and 164.

Verizon PHI Breach Report Confirms Healthcare Has Major Problem with Insider Breaches

Verizon has released its annual Protected Health Information Breach Report which delves deep into the main causes of breaches, why they occur, the motivations of internal and external threat actors, and the main threats to the confidentiality, integrity, and availability of PHI.

For the report, Verizon analyzed 1,368 healthcare data breaches and incidents where protected health information (PHI) was exposed but not necessarily compromised. The data came from 27 countries, although three quarters of the breached entities were based in the United States where there are stricter requirements for reporting PHI incidents.

Healthcare is unique among industry sectors in that its biggest security threat comes from within. Insiders were responsible for almost 58% of all breaches, with external actors confirmed as responsible for just 42% of incidents.

The main motive for insider breaches is financial gain: PHI is stolen to commit identity theft, credit card fraud, insurance fraud, and tax fraud. Verizon determined that 48% of all internal incidents were conducted for financial gain, 31% involved accessing medical data out of curiosity or for fun, 10% of incidents were attributed to easy access to data, 3% of incidents occurred due to a grudge, and a further 3% were for espionage. External attacks are primarily conducted for financial gain – extortion and the theft and sale of data.

Verizon also looked at the actions that lead to PHI incidents and data breaches, with the most common problem being errors. Errors were behind 33.5% of all incidents; the error category includes the misdelivery of emails and mailings, errors made disposing of PHI, publishing errors, loss of PHI, misconfigurations, programming mistakes and data entry errors. The main incident cause was misdelivery of documents, which accounted for 20% of all incidents in the error category.

The second biggest breach category is misuse, accounting for 29.5% of all incidents. 66% of incidents in this category were attributed to privilege abuse – accessing records without authorization. Data mishandling was behind 21.6% of incidents and possession abuse – the misuse of access to physical records – was behind 16.9% of incidents in the misuse category.

The physical category includes theft of records and devices, snooping, tampering, disabled controls, and surveillance. 16.3% of all healthcare PHI incidents were placed in this category, with theft accounting for 95.2% of all incidents. The theft of laptops was the main incident type. Almost half (47%) of laptop theft incidents involved the devices being taken from employees’ vehicles. The use of encryption would prevent the majority of these incidents from exposing PHI.

Hacking may make the headlines, but it accounted for relatively few breaches – just 14.8% of all healthcare PHI incidents were placed in this category. The main cause of breaches in the hacking category was the use of stolen credentials (49.3% of incidents), with credentials often stolen via phishing attacks. Brute force attacks taking advantage of weak passwords were behind 20.9% of incidents. 17.9% of hacking breaches involved the use of backdoors.

Malware was involved in 10.8% of all PHI incidents. While there were a wide range of malware types and variants used in attacks, by far the biggest category was ransomware, which accounted for 70.5% of attacks.

Social attacks accounted for 8% of all incidents. This category involves attacks on employees. Phishing was involved in 69.9% of incidents in this category, followed by pretexting (11.7%), and bribery (7.8%). Pretexting is the next stage on from phishing, when access to email accounts is used to send further emails – BEC attacks for example.

Verizon offers three suggestions that, in the short term, will help to reduce the number of PHI-related incidents and data breaches.

Full disk encryption should be deployed on all portable electronic devices used to store PHI. This simple measure would prevent PHI from being accessed in the event of loss or theft of an electronic device.

The routine monitoring of medical record access – a requirement of HIPAA – will not prevent breaches, but it will reduce the severity of insider incidents and allow healthcare organizations to take corrective action quickly. When employees are aware that records are routinely monitored it can also act as a deterrent and reduce theft and unauthorized access incidents.
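As an added illustration of the routine access monitoring described above (example code written for this page, not from Verizon’s report or from any HIPAA tooling), the script below parses a constructed EHR audit log and flags the two insider patterns the report calls out: record views by a user with no assigned treatment or payment relationship to the patient (privilege abuse, curiosity snooping), and bursts of distinct-patient lookups in a short window (bulk theft). The log format, user names, patient IDs, the assignment table and the thresholds are all assumptions.

```python
"""Flag suspicious medical-record access in an audit log (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed audit log: one record view per line. Real EHR audit trails differ
# in format but carry the same fields (time, user, patient, action).
SAMPLE_LOG = """
2018-03-05T08:02:11 user=nurse.jones patient=P1001 action=view
2018-03-05T08:05:40 user=nurse.jones patient=P1002 action=view
2018-03-05T08:07:02 user=nurse.jones patient=P1003 action=view
2018-03-05T09:15:22 user=billing.smith patient=P2001 action=view
2018-03-05T09:16:01 user=billing.smith patient=P2002 action=view
2018-03-05T09:16:30 user=billing.smith patient=P2003 action=view
2018-03-05T09:17:05 user=billing.smith patient=P2004 action=view
2018-03-05T09:17:44 user=billing.smith patient=P2005 action=view
2018-03-05T09:18:10 user=billing.smith patient=P2006 action=view
2018-03-05T09:18:51 user=billing.smith patient=P2007 action=view
2018-03-05T09:19:20 user=billing.smith patient=P2008 action=view
2018-03-05T12:40:09 user=nurse.jones patient=P3001 action=view
"""

# Constructed assignment table: the patients each user has a legitimate
# treatment or payment relationship with (assumed to be exported from the EHR).
ASSIGNMENTS = {
    "nurse.jones": {"P1001", "P1002", "P1003"},
    "billing.smith": {"P2001", "P2002"},
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) patient=(?P<patient>\S+) action=(?P<action>\S+)$"
)


def parse_log(text):
    """Parse audit lines into dicts sorted by timestamp. Malformed lines raise
    instead of being skipped: a gap in the audit trail is itself a finding."""
    events = []
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        m = LINE_RE.match(raw)
        if not m:
            raise ValueError(f"unparseable audit line: {raw!r}")
        events.append({"ts": datetime.fromisoformat(m["ts"]), "user": m["user"],
                       "patient": m["patient"], "action": m["action"]})
    events.sort(key=lambda e: e["ts"])
    return events


def find_anomalies(events, assignments, max_patients=5, window=timedelta(minutes=10)):
    """Return (kind, user, detail, timestamp) tuples for two insider patterns:
    - no_treatment_relationship: a view of a patient the user is not assigned to
    - high_volume: more than max_patients distinct patients within one window
    """
    findings = []
    recent = defaultdict(deque)   # user -> recent (timestamp, patient) views
    volume_flagged = set()        # report a burst once per user, not once per view
    for e in events:
        user, patient, ts = e["user"], e["patient"], e["ts"]
        if patient not in assignments.get(user, set()):
            findings.append(("no_treatment_relationship", user, patient, ts.isoformat()))
        q = recent[user]
        q.append((ts, patient))
        while ts - q[0][0] > window:     # drop views that fell out of the window
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) > max_patients and user not in volume_flagged:
            findings.append(("high_volume", user, len(distinct), ts.isoformat()))
            volume_flagged.add(user)
    return findings


if __name__ == "__main__":
    for finding in find_anomalies(parse_log(SAMPLE_LOG), ASSIGNMENTS):
        print(*finding)
```

On the constructed log the billing user is flagged twice over: six views of unassigned patients and a burst of six distinct patients inside ten minutes, while the single out-of-assignment view by the nurse surfaces as one finding for a privacy officer to review. The assignment table is the key input; without a reliable source of who is allowed to see whom, this degrades to volume counting alone.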

The final course of action is to implement solutions to combat ransomware and malware. While defenses can and should involve the use of spam filters and web filters, simple measures can also be taken such as not allowing laptops to access the Internet if they are used to store large quantities of PHI.

Law Enforcement Notifies Cambridge Health Alliance About PHI Breach

Cambridge Health Alliance (CHA) in Massachusetts has been notified by law enforcement that the protected health information of some of its patients has been discovered in the possession of an unauthorized individual.

On January 31, 2018, the Everett, Massachusetts Police Department notified CHA that files containing the PHI of some of its patients had been discovered in the possession of an individual unauthorized to have the information. After being notified of the breach, CHA conducted an internal investigation and examined the files.

At least one of the files contained PHI related to billing which included patients’ names, addresses, dates of birth, Social Security numbers, employer information, charges for healthcare services, and discharge dates. The data related to billing from 2013.

According to a breach notice sent to affected individuals by the law firm BakerHostetler on behalf of CHA, the breach impacted four individuals in New Hampshire, all of whom have been offered complimentary credit monitoring and identity theft protection services through Experian.

While the breach notice states that only four individuals were impacted, the Boston Globe has reported that notification letters have been sent to approximately 2,500 patients. The details of the breach are the same apart from the number of individuals impacted.

According to the Boston Globe, CHA spokesman David Cecere confirmed that the incident is still being investigated and it is currently unclear how the information came to be stolen. Cecere said it could have been a hack or the information could have accidentally been made public.

In addition to the internal investigation, CHA has retained a computer forensics firm to provide assistance and attempt to determine exactly how the data was stolen.

6,800 CareFirst BCBS Members Impacted by Phishing Attack

A phishing attack on CareFirst Blue Cross Blue Shield has resulted in the exposure of 6,800 plan members’ protected health information.

The attack was detected by CareFirst on March 12, 2018, prompting a thorough investigation, which included a forensic analysis of the email system and CareFirst’s systems in general. In addition to the internal investigation by the CareFirst IT security team, a third-party information security firm also investigated the attack.

The analyses did not uncover any evidence to suggest emails in the compromised account had been opened by the attacker; however, the emails in the account did contain some protected health information and data access could not be ruled out with a high degree of certainty.

Once access to the account was gained, the attacker sent phishing emails to individuals in a contact list. Those individuals were not employed by or affiliated with CareFirst BCBS. The emails were sent with the intention of gaining further login credentials. No malware was involved.

While 6,800 individuals have potentially been impacted by the incident, only 8 Social Security numbers were exposed. Other types of information that could potentially have been viewed include members’ names, birth dates, and member ID numbers. No financial information and no health information was exposed.

The potential for the information in the account to be used for identity theft and fraud is low, but to ensure plan members are protected, all have been offered identity theft protection and credit monitoring services for two years without charge.

CareFirst BCBS explained in its breach notice that it is already mandatory for employees to undergo annual security awareness training. All employees are educated on the risks of cyberattacks, the tactics used to gain access to sensitive data, and told how they must remain vigilant for potential phishing attacks. In addition to the formal training sessions, CareFirst provides ongoing security awareness training throughout the year.

Security Breaches in Healthcare in the Last Three Years

There have been 955 major security breaches in healthcare in the last three years that have resulted in the exposure/theft of 135,060,443 healthcare records. More than 41% of the population of the United States have had some of their protected health information exposed as a result of those breaches, which have been occurring at a rate of almost one a day over the past three years.

There has been a steady rise in reported security breaches in healthcare in the last three years. In 2015 there were 270 data breaches involving more than 500 records reported to the Department of Health and Human Services’ Office for Civil Rights. The figure rose to 327 security breaches in 2016, and 342 security breaches in 2017.

Figure: Reported healthcare data breaches in 2017

More healthcare security breaches are being reported than at any other time since HIPAA required covered entities to disclose data breaches, although the number of individuals affected by healthcare data breaches has been declining year over year for the past three years.

In 2015, a particularly bad year for healthcare industry data breaches, 112,107,579 healthcare records were exposed or stolen. The majority of those records were exposed in three data breaches: the 78.8 million-record data breach at Anthem Inc., the 11 million-record breach at Premera Blue Cross, and the 10 million-record breach at Excellus Health Plan.

Other major security breaches in 2015 include the University of California Los Angeles Health breach of 4.5 million records and Medical Informatics Engineering breach of 3.9 million records.

In 2016, 14,679,461 healthcare records were exposed or stolen, with three incidents involving more than 1 million records: The 3.62 million-record breach at Banner Health, the 3.46 million-record breach at Newkirk Products, Inc., and the 2.21 million-record breach at 21st Century Oncology.

In 2017, the worst year for healthcare security incidents in terms of the number of breaches reported, there were 3,286,498 healthcare records exposed or stolen. There were two breaches involving more than half a million records: the 500,000-record breach at Airway Oxygen, Inc., and the 697,800-record breach at Commonwealth Health Corporation.

15 Largest Security Breaches in Healthcare in the Last Three Years

Rank | Year | Covered Entity | Entity Type | Records Exposed/Stolen | Breach Cause
1 | 2015 | Anthem, Inc. Affiliated Covered Entity | Health Plan | 78,800,000 | Hacking/IT Incident
2 | 2015 | Premera Blue Cross | Health Plan | 11,000,000 | Hacking/IT Incident
3 | 2015 | Excellus Health Plan, Inc. | Health Plan | 10,000,000 | Hacking/IT Incident
4 | 2015 | University of California, Los Angeles Health | Healthcare Provider | 4,500,000 | Hacking/IT Incident
5 | 2015 | Medical Informatics Engineering | Business Associate | 3,900,000 | Hacking/IT Incident
6 | 2016 | Banner Health | Healthcare Provider | 3,620,000 | Hacking/IT Incident
7 | 2016 | Newkirk Products, Inc. | Business Associate | 3,466,120 | Hacking/IT Incident
8 | 2016 | 21st Century Oncology | Healthcare Provider | 2,213,597 | Hacking/IT Incident
9 | 2015 | CareFirst BlueCross BlueShield | Health Plan | 1,100,000 | Hacking/IT Incident
10 | 2016 | Valley Anesthesiology Consultants, Inc. d/b/a Valley Anesthesiology and Pain Consultants | Healthcare Provider | 882,590 | Hacking/IT Incident
11 | 2016 | County of Los Angeles Departments of Health and Mental Health | Healthcare Provider | 749,017 | Hacking/IT Incident
12 | 2017 | Commonwealth Health Corporation | Healthcare Provider | 697,800 | Theft
13 | 2015 | Virginia Department of Medical Assistance Services (VA-DMAS) | Health Plan | 697,586 | Hacking/IT Incident
14 | 2016 | Bon Secours Health System Incorporated | Healthcare Provider | 651,971 | Unauthorized Access/Disclosure
15 | 2015 | Georgia Department of Community Health | Health Plan | 557,779 | Hacking/IT Incident

Main Causes of Security Breaches in Healthcare in the Last Three Years

The three main causes of security breaches in healthcare in the last three years were hacking/IT incidents, unauthorized access and disclosure incidents, and the loss/theft of physical records and unencrypted electronic devices containing ePHI.

There has been a downward trend in the number of theft/loss incidents over the past three years as healthcare organizations have started encrypting records on portable electronic devices. However, improper disposal incidents have risen year over year as have hacking incidents. In 2017, hacking/IT incidents were the main cause of healthcare data breaches.

Figures: Healthcare data breaches in 2017 by cause (hacking; unauthorized access/disclosure; loss/theft)

Financial Penalties for Security Breaches in Healthcare in the Last Three Years

In addition to annual increases in data breaches, financial penalties for HIPAA violations have also been increasing, both in terms of number of settlements and civil monetary penalties issued and the penalty amounts.

The HHS’ Office for Civil Rights is now enforcing HIPAA Rules far more aggressively and multi-million-dollar fines are regularly issued. The last three years have seen 29 HIPAA covered entities and business associates financially penalized for data breaches that have occurred as a result of noncompliance with HIPAA Rules.

In the last three years, the HHS’ Office for Civil Rights has collected $49,091,700 in financial penalties from its enforcement actions. The average settlement amount in 2017 was $1.94 million.

3,751 Patients’ PHI Exposed on Internet for More Than 30 Months

The Arc of Erie County New York (The Arc), a provider of person-centered services to individuals with developmental disabilities, has discovered two spreadsheets containing the protected health information of 3,751 patients were accessible on the Internet without the need for authentication for more than 30 months.

Between July 2015 and February 2018, the two spreadsheets could be accessed over the Internet by unauthorized individuals as a result of a coding error on the website. The coding error saw a link included on the website that allowed the spreadsheets to be accessed.

Individuals affected by the breach, many of whom are developmentally disabled, had been enrolled in certain programs offered by The Arc. The Arc spreadsheets contained sensitive information such as names, Social Security numbers and diagnosis codes.

When the error was discovered in February, The Arc deactivated the link to prevent any further disclosures of PHI and contacted a computer forensics and data security firm to investigate the breach and help take corrective action to limit the harm caused to patients. The Arc has also contacted search engine providers to remove any reference to the information from the search engine listings. It is unclear whether the spreadsheets were accessed by unauthorized individuals and if any PHI has been viewed or copied.

All affected individuals have been notified of the breach and offered complimentary credit monitoring and identity theft protection services for 12 months.

To prevent further privacy breaches, The Arc has reviewed and updated its policies and practices and strengthened its privacy and data security practices. Additional training has also been given to appropriate staff.


Data Breach Impacts Almost 14,000 Family Members of Subscribers

The Special Agents Mutual Benefit Association (SAMBA) health plan is alerting almost 14,000 individuals about a February 2018 breach of protected health information.

The breach affects eligible family members of subscribers who were covered by the Federal Employees Health Benefits Plan in 2017.

It is an Internal Revenue Service (IRS) requirement for SAMBA to mail a copy of Form 1095-B to all plan subscribers each tax year. The form supports plan members’ and covered family members’ compliance with the Affordable Care Act’s individual mandate.

The forms for the 2017 tax year were mailed on or soon after February 19, 2018; however, a programming error resulted in the forms being populated with information relating to other subscribers’ family members.

Instead of detailing the subscribers’ family members covered by their health plan, the forms included the names and Social Security numbers of other subscribers’ family members and the dates of health insurance coverage in 2017. The forms were also incorrectly dated 2016.

SAMBA notes that no subscribers’ Social Security numbers were disclosed. The breach was restricted to subscribers’ family members. An investigation into the error revealed the incorrect mailing affected 13,942 individuals.

The error was detected on February 22, 2018, and a second mailing was sent with the correct tax year and family members’ details on the forms. Notification letters have also been sent to family members impacted by the breach, and subscribers who received an incorrect copy of Form 1095-B have also been notified and instructed to destroy the 2016 version of the form.
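The notice does not say how SAMBA’s programming error arose. As an added example written for this page, not SAMBA’s code, the script below shows one assumed way such a mix-up can happen (pairing subscribers with groups of dependents by list position instead of by subscriber ID) and the pre-mailing validation that would have caught both symptoms described above, the cross-subscriber family members and the wrong tax year, before any form was printed. The roster, names, IDs and data layout are constructed.

```python
"""Generate Form 1095-B data and validate it before mailing (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Dependent:
    name: str
    ssn_last4: str      # constructed placeholder; a real form carries the full SSN
    subscriber_id: str  # the subscriber whose plan covers this person


@dataclass
class Form1095B:
    subscriber_id: str
    tax_year: int
    covered: list       # Dependents that should appear on this subscriber's form


# Constructed roster. The dependent list is deliberately NOT in subscriber order,
# which is the condition under which the positional generator below goes wrong.
SUBSCRIBERS = ["S1", "S2", "S3"]
DEPENDENTS = [
    Dependent("Cara B", "3333", "S2"),
    Dependent("Alice A", "1111", "S1"),
    Dependent("Bob A", "2222", "S1"),
    Dependent("Dan C", "4444", "S3"),
    Dependent("Eve C", "5555", "S3"),
]


def build_forms_positional(subscribers, dependents, tax_year):
    """Assumed-buggy generator: groups dependents in order of first appearance and
    pairs group i with subscriber i. Correct only when both lists happen to share
    the same order; otherwise a subscriber's form lists another family's members."""
    groups = {}
    for d in dependents:
        groups.setdefault(d.subscriber_id, []).append(d)
    return [Form1095B(s, tax_year, grp) for s, grp in zip(subscribers, groups.values())]


def build_forms_keyed(subscribers, dependents, tax_year):
    """Correct generator: looks each subscriber's dependents up by subscriber ID."""
    by_sub = {}
    for d in dependents:
        by_sub.setdefault(d.subscriber_id, []).append(d)
    return [Form1095B(s, tax_year, list(by_sub.get(s, []))) for s in subscribers]


def validate_forms(forms, dependents, expected_year):
    """Cross-check every generated form against the authoritative roster.
    Returns a list of problems; an empty list means the batch is safe to mail."""
    owner = {(d.name, d.ssn_last4): d.subscriber_id for d in dependents}
    problems = []
    for f in forms:
        if f.tax_year != expected_year:
            problems.append(f"{f.subscriber_id}: tax year {f.tax_year} != {expected_year}")
        for d in f.covered:
            actual = owner.get((d.name, d.ssn_last4))
            if actual != f.subscriber_id:
                problems.append(f"{f.subscriber_id}: lists {d.name}, who belongs to {actual}")
    return problems


if __name__ == "__main__":
    # Positional pairing plus a stale tax year reproduces both reported symptoms.
    bad = build_forms_positional(SUBSCRIBERS, DEPENDENTS, 2016)
    for p in validate_forms(bad, DEPENDENTS, 2017):
        print("BLOCK MAILING:", p)
    good = build_forms_keyed(SUBSCRIBERS, DEPENDENTS, 2017)
    print("keyed batch problems:", validate_forms(good, DEPENDENTS, 2017))
```

The point of the validator is that it is independent of the generator: it re-derives ownership from the roster rather than trusting whatever the form builder attached, so a logic error in the builder cannot also hide the mismatch. Run against the whole batch as a release gate, an empty problem list is the condition for handing the file to the mailing vendor.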

SAMBA has not received any reports to suggest the impermissibly disclosed information has been misused in any way; however, as a precaution against identity theft, all affected individuals have been advised to exercise caution and obtain credit reports and check them and their Explanation of Benefits statements carefully for any sign of fraud.

“We are taking steps to prevent any future data incident, and as always will continue to review and improve our processes, policies, and procedures that address data privacy,” said SAMBA’s Executive Director, Walter E. Wilson.
