HIPAA Breach News

Data Breach Impacts Almost 14,000 Family Members of Subscribers

The Special Agents Mutual Benefit Association (SAMBA) health plan is alerting almost 14,000 individuals about a February 2018 breach of protected health information.

The breach affects eligible family members of subscribers who were covered by the Federal Employees Health Benefits Plan in 2017.

It is an Internal Revenue Service (IRS) requirement for SAMBA to mail a copy of Form 1095-B to all plan subscribers each tax year. The form supports plan members’ and covered family members’ compliance with the Affordable Care Act’s individual mandate.

The forms for the 2017 tax year were mailed on or soon after February 19, 2018; however, a programming error resulted in the forms being populated with information relating to other subscribers’ family members.

Instead of detailing the subscribers’ family members covered by their health plan, the forms included the names and Social Security numbers of other subscribers’ family members and the dates of health insurance coverage in 2017. The forms were also incorrectly dated 2016.
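The failure described above has two detectable symptoms: a form that lists a dependent covered under a different subscriber, and a form carrying the wrong tax year. Both can be caught by an integrity gate that runs over the generated batch before anything is printed or mailed. The following is an added example, not SAMBA's code: the data model, the sample records, and the position-based pairing that stands in for the unspecified programming error are all constructed here for illustration.

```python
"""Pre-mailing integrity check for a batch of generated Form 1095-B records.

Constructed example with a hypothetical data model. The 'buggy' generator
pairs dependents with forms by list position, which stands in for whatever
programming error actually occurred; the 'correct' generator joins on the
subscriber identifier. validate_batch() is the gate that would have stopped
the bad batch either way.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Dependent:
    subscriber_id: str   # the subscriber this family member is covered under
    name: str
    ssn_last4: str       # constructed sample data; never full SSNs in test fixtures
    coverage_2017: str   # months of coverage in the tax year


@dataclass
class Form1095B:
    subscriber_id: str
    tax_year: int
    dependents: list = field(default_factory=list)


# Constructed sample input: three subscribers, four covered family members.
SUBSCRIBERS = ["S-001", "S-002", "S-003"]
DEPENDENTS = [
    Dependent("S-001", "A. Example", "1111", "Jan-Dec"),
    Dependent("S-002", "B. Example", "2222", "Jan-Dec"),
    Dependent("S-002", "C. Example", "3333", "Jan-Jun"),
    Dependent("S-003", "D. Example", "4444", "Mar-Dec"),
]


def build_forms_by_position(subscribers, dependents, tax_year):
    """Buggy generator: assigns dependent i to form i % len(forms).

    Silently produces cross-subscriber disclosure as soon as the two lists
    are not in one-to-one order, which is exactly the symptom described.
    """
    forms = [Form1095B(sub, tax_year) for sub in subscribers]
    for i, dep in enumerate(dependents):
        forms[i % len(forms)].dependents.append(dep)
    return forms


def build_forms_by_key(subscribers, dependents, tax_year):
    """Correct generator: groups dependents by the subscriber they belong to."""
    by_sub = {sub: Form1095B(sub, tax_year) for sub in subscribers}
    for dep in dependents:
        by_sub[dep.subscriber_id].dependents.append(dep)
    return list(by_sub.values())


def validate_batch(forms, expected_tax_year, all_dependents):
    """Return a list of (subscriber_id, check, detail) findings.

    An empty list means the batch is safe to mail. Checks:
      * 'tax year'         - form is dated for the wrong year
      * 'cross-subscriber' - a dependent on the form belongs to another subscriber
      * 'coverage'         - a covered dependent appears on no form or on several
    """
    findings = []
    seen = {}
    for f in forms:
        if f.tax_year != expected_tax_year:
            findings.append((f.subscriber_id, "tax year",
                             f"form dated {f.tax_year}, expected {expected_tax_year}"))
        for d in f.dependents:
            if d.subscriber_id != f.subscriber_id:
                findings.append((f.subscriber_id, "cross-subscriber",
                                 f"lists dependent of {d.subscriber_id}"))
            seen[d] = seen.get(d, 0) + 1
    for d in all_dependents:
        if seen.get(d, 0) != 1:
            findings.append((d.subscriber_id, "coverage",
                             f"{d.name} appears {seen.get(d, 0)} times, expected 1"))
    return findings


if __name__ == "__main__":
    bad = build_forms_by_position(SUBSCRIBERS, DEPENDENTS, 2016)
    for finding in validate_batch(bad, 2017, DEPENDENTS):
        print("BLOCK MAILING:", finding)
    good = build_forms_by_key(SUBSCRIBERS, DEPENDENTS, 2017)
    print("correct batch findings:", validate_batch(good, 2017, DEPENDENTS))
```

The gate is deliberately independent of how the forms were generated: it re-derives ownership from the dependent record itself, so a bug anywhere upstream (a misordered query, an off-by-one, a stale join key) surfaces as a finding rather than as a mailed disclosure.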

SAMBA notes that no subscribers’ Social Security numbers were disclosed. The breach was restricted to subscribers’ family members. An investigation into the error revealed the incorrect mailing affected 13,942 individuals.

The error was detected on February 22, 2018, and a second mailing was sent with the correct tax year and family members’ details on the forms. Notification letters have also been sent to family members impacted by the breach, and subscribers who received an incorrect copy of Form 1095-B have also been notified and instructed to destroy the 2016 version of the form.

SAMBA has not received any reports to suggest the impermissibly disclosed information has been misused in any way; however, as a precaution against identity theft, all affected individuals have been advised to exercise caution and obtain credit reports and check them and their Explanation of Benefits statements carefully for any sign of fraud.

“We are taking steps to prevent any future data incident, and as always will continue to review and improve our processes, policies, and procedures that address data privacy,” said SAMBA’s Executive Director, Walter E. Wilson.

The post Data Breach Impacts Almost 14,000 Family Members of Subscribers appeared first on HIPAA Journal.

Server Misconfiguration Results in the Exposure of 42,000 Patients’ PHI

Tens of thousands of patients of a New York medical practice have had their protected health information exposed online due to a misconfigured server. It is currently unclear if anyone other than the security researcher who discovered the problem has accessed the data.

The server misconfiguration was identified on January 25, 2018 by Chris Vickery, director of cyber risk research at UpGuard. In a March 26 blog post, Vickery explained that he identified an exposed port typically used for remote synchronization (rsync).

While access should have been limited to specific whitelisted IP addresses, the port was misconfigured and allowed anyone to access the data. All that was required to access the server was its IP address.
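The control that was missing here is the rsync daemon's own host whitelist, and its absence is visible in the configuration file before anyone scans the port. The following is an added example, not UpGuard's or the practice's code: a small parser for the rsyncd.conf format plus an audit that flags modules reachable by any host, modules with no authentication, writable modules, and listable module names. Both configurations are constructed for illustration; the module name is the one reported in the article, the paths, users and addresses are placeholders.

```python
"""Audit an rsync daemon configuration for modules exposed to any client.

Added example with two constructed rsyncd.conf files. Format recap (from the
rsyncd.conf man page): global settings first, then one or more [module]
sections of 'key = value' lines; '#' starts a comment; key names are
case-insensitive; a parameter set in the global section acts as the default
for every module. 'hosts allow' takes space- or comma-separated host, CIDR
or wildcard patterns; when it is absent, every host that can reach the
port is accepted.
"""
import re

WEAK_CONF = """\
# constructed: no host restriction, no auth, module writable and listable
uid = nobody
gid = nobody
list = yes

[backupwscohen]
    path = /srv/backup
    read only = no
    comment = nightly backup
"""

HARDENED_CONF = """\
# constructed: only whitelisted sources, modules hidden, auth required, read-only
uid = nobody
gid = nobody
list = no
hosts allow = 192.0.2.10 198.51.100.0/24
hosts deny = *

[backupwscohen]
    path = /srv/backup
    read only = yes
    auth users = backupsvc
    secrets file = /etc/rsyncd.secrets
"""

# Messages keyed by the parameter each finding concerns.
MESSAGES = {
    "hosts allow": "no host restriction: any IP that reaches the port can use this module",
    "auth users": "no 'auth users': module accepts anonymous clients",
    "read only": "module is writable: a remote client can alter or plant files",
    "list": "module is listable: clients can enumerate module names",
}


def parse_rsyncd_conf(text):
    """Return (global_settings, {module_name: settings}) with lower-cased keys."""
    global_settings, modules = {}, {}
    current = global_settings
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip comments and whitespace
        if not line:
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = modules.setdefault(header.group(1).strip(), {})
            continue
        if "=" in line:
            key, value = line.split("=", 1)
            current[key.strip().lower()] = value.strip()
    return global_settings, modules


def effective(module, global_settings, key, default=None):
    """A module-level value overrides the global one, which overrides the daemon default."""
    return module.get(key, global_settings.get(key, default))


def open_to_any_host(allow_value):
    """True when 'hosts allow' is missing or contains a catch-all pattern."""
    if allow_value is None:
        return True
    patterns = re.split(r"[\s,]+", allow_value.strip())
    return any(p in ("*", "0.0.0.0/0", "::/0") for p in patterns)


def audit(text):
    """Return a list of (module, parameter, message) findings; empty means clean."""
    global_settings, modules = parse_rsyncd_conf(text)
    findings = []
    for name, settings in modules.items():
        if open_to_any_host(effective(settings, global_settings, "hosts allow")):
            findings.append((name, "hosts allow", MESSAGES["hosts allow"]))
        if effective(settings, global_settings, "auth users") is None:
            findings.append((name, "auth users", MESSAGES["auth users"]))
        # rsyncd defaults: 'read only = yes' and 'list = yes'
        if effective(settings, global_settings, "read only", "yes").lower() in ("no", "false", "0"):
            findings.append((name, "read only", MESSAGES["read only"]))
        if effective(settings, global_settings, "list", "yes").lower() in ("yes", "true", "1"):
            findings.append((name, "list", MESSAGES["list"]))
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{label}: {audit(conf) or 'no findings'}")
```

A configuration audit like this complements, rather than replaces, a network-level control: `hosts allow` only limits which sources the daemon will talk to once they reach the port, so the same whitelist belongs on the host firewall as well, and a public rsync port with no whitelist on either layer is the condition the article describes.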

Vickery identified two sections in the repository, one of which – named backupwscohen – was publicly accessible and contained several files that included highly sensitive information. A virtual hard drive was also accessible that was discovered to contain staff details, including spouse information, children’s names, and in some cases, Social Security numbers. An Outlook pst file was also left unsecured. The file contained a large number of email communications.

Vickery also found a database with more than 42,000 patients’ names, dates of birth, health insurance information, phone numbers, addresses, Social Security numbers, email addresses, ethnicities, and clinical notes. The clinical notes included more than 3 million observations.

Vickery traced the data to the Huntington, New York medical practice of Cohen, Bergman, Klepper & Romano MDs PC. Starting on February 12, Vickery made several attempts to contact the doctors to alert them about the problem. Contact was attempted directly and via a local hospital, and Databreaches.net was asked to assist with locating the physicians.

It took until March 19 for a message to reach the physicians and action to be taken to secure the leaky server. The PHI of all patients has now been secured.


Research Suggests Healthcare Data Breaches Cause 2,100 Deaths a Year

A researcher at Vanderbilt University has conducted a study that suggests mortality rates at hospitals increase following a data breach as a result of a drop in the standard of care. The researcher estimates healthcare data breaches may cause as many as 2,100 deaths a year in the United States.

The study was conducted by Owen Graduate School of Management researcher, Dr. Sung Choi. The findings of the study were presented at a recent cyberrisk quantification conference at Philadelphia’s Drexel University LeBow College of Business.

Cyberattacks can have a direct impact on patient care, which has been clearly highlighted on numerous occasions over the past 12 months. Ransomware and wiper malware attacks have crippled information systems and have forced healthcare providers to cancel appointments, while the lack of access to patient health records can cause treatment delays. Notable attacks that caused major disruption were the NotPetya wiper and WannaCry ransomware attacks last year, with the latter causing major problems for the National Health Service in the UK.

Choi explained that data breaches can be a distraction for physicians and the after-effects of breaches can last for years. HIPAA covered entities face investigations and litigation, which Choi suggests could result in disruption to medical services and delays in providing treatment. The cost of mitigating attacks, including purchasing additional security solutions and dealing with the fallout from data breaches, can see resources diverted away from patient care.

For the study, Choi compared mortality rates at hospitals before and immediately after a data breach had occurred. One of the metrics used to assess a potential fall in the quality of care was the percentage of heart attack patients who died within 30 days of admission to hospital.

Choi notes that the control group and breached hospitals had similar mortality rates, although after a data breach, the mortality rate for the control group remained the same but increased at hospitals that had experienced a breach. Choi’s analysis showed there was a 0.23% increase in the mortality rate one year following a data breach and an increase of 0.36% two years after a breach. That equates to 2,160 deaths a year.

Choi also noted that the time taken to administer electrocardiographs was longer for newly admitted patients after a hospital had experienced a data breach.

The study was presented just a few days before the Department of Health and Human Services’ Office for Civil Rights issued a reminder to HIPAA covered entities about the need to develop contingency plans for emergencies such as cyberattacks and ransomware incidents. OCR explained that HIPAA Rules on contingency planning help to ensure a fast recovery from a natural disaster, cyberattack, or other emergency situation.

This research suggests that the development of an effective contingency plan and a rapid response to data breaches can save lives.


Class Action Lawsuit Seeks Damages for Victims of CVS Caremark Data Breach

An alleged healthcare data breach that saw the protected health information of patients of CVS Caremark exposed has resulted in legal action against CVS, Caremark, and its mailing vendor, Fiserv.

The lawsuit, which was filed in Ohio federal court on March 21, 2018, relates to an alleged privacy breach that occurred as a result of an error that affected a July/August 2017 mailing sent to approximately 6,000 patients.

In July 2017, CVS Caremark was contracted to operate as the pharmacy benefits manager for the Ohio HIV Drug Assistance Program (PhDAP), and under that program, CVS Caremark provides eligible patients with HIV medications and communicates with them about prescriptions.

In July/August 2017, CVS Caremark’s mailing vendor Fiserv sent letters to patients containing their membership cards and information about how they could obtain their HIV medications.

In the lawsuit, the complaint alleges HIV-related information was clearly visible through the plastic windows of the envelopes, allowing the information to be viewed by postal service workers, family members, and roommates. It is alleged the mailing resulted in the disclosure of the recipients’ HIV status.

According to Ohio Department of Health policies, information related to HIV should only be sent in non-window envelopes. The mailing would have violated those policies and Health Insurance Portability and Accountability Act (HIPAA) Rules.

Such a HIPAA breach would need to be reported to the Department of Health and Human Services’ Office for Civil Rights within 60 days of discovery of the breach; however, the complainant alleges no breach report was submitted to OCR and notifications were not sent to affected individuals – a further breach of HIPAA Rules.

Plaintiffs are seeking punitive and compensatory damages and coverage of their legal costs.

There have been other breaches of HIV information in recent weeks, including a mailing error by a vendor of Aetna. In that case, HIV-related information was visible through the clear plastic windows of envelopes in a mailing to 12,000 individuals. Aetna settled a class action lawsuit filed on behalf of victims of the breach for $17,161,200 and is currently suing its mailing vendor to recover the costs. Aetna was also fined by the New York Attorney General over the breach and settled that case for $1.15 million.


Theft of Unencrypted Laptop Sees Pathology Lab Patients’ PHI Exposed

An unencrypted laptop computer issued to an employee of Clinical Pathology Laboratories Southeast, Inc. (CPLSE) has been stolen, exposing the protected health information of certain patients and their payment guarantors.

Prompt action was taken by CPLSE to prevent the laptop from being used to connect to its network and the theft was reported to law enforcement; however, it is possible that the protected health information stored on the laptop could have been viewed by unauthorized individuals.

An internal investigation was conducted to determine the types of information stored on the device, which indicated the following PHI elements were potentially exposed: names, addresses, driver’s license numbers, Social Security numbers, government ID numbers, medical record numbers, and medical treatment information.

Patients have now been notified of the breach and advised of the steps they can take to protect themselves against misuse of their data. Complimentary credit monitoring and identity theft protection services have been offered to affected individuals.

Steps have also been taken to prevent similar incidents from occurring in the future, which include retraining staff on data security, updating appropriate policies and procedures, and using encryption technology on portable electronic devices used to store ePHI.

The laptop was stolen on September 20, 2017, and the substitute breach notice was uploaded to the CPLSE website on March 21, 2018. It is unclear why it took six months for the incident to be announced. HIPAA requires notifications to be issued within 60 days of the discovery of a breach.

The incident has yet to appear on the Department of Health and Human Services’ Office for Civil Rights Breach Portal. The number of individuals affected has not yet been confirmed.


ATI Physical Therapy Data Breach Impacts 35,000 Patients

ATI Physical Therapy has discovered the protected health information of more than 35,000 patients has potentially been accessed after threat actors gained access to the email accounts of some of its employees.

A security breach was identified on January 18, 2018 when ATI Physical Therapy discovered the direct deposit information of some of its employees had been changed in its payroll platform. Prompt action was taken to protect its employees and external forensic investigators were called in to determine the full extent and scope of the breach.

The investigation revealed the email accounts of certain employees had been compromised and were accessed by unauthorized individuals between January 9 and January 12, 2018. An analysis of the emails in the accounts revealed they contained the protected health information of tens of thousands of patients.

The types of information potentially compromised varied per impacted individual, but may have included names, dates of birth, credit/debit card numbers, driver’s license numbers, state ID numbers, Social Security numbers, Medicare/Medicaid information, health insurance information, billing/claims information, medical record numbers, patient ID numbers, financial account numbers, disability codes, diagnoses, treatment information, prescription information, and physicians’ and therapists’ names.

ATI Physical Therapy reports that only a small number of patients had their Social Security numbers exposed.

Patients impacted by the phishing incident have now been notified by mail and have been offered credit monitoring services without charge. Patients will also be protected by a $1 million identity theft insurance policy. No evidence of misuse of information has been uncovered by ATI Physical Therapy or the forensic investigators.

ATI Physical Therapy’s investigation into the breach is ongoing. Steps have been taken to strengthen email security to prevent future breaches, and employees have been provided with training to help them identify phishing emails.

The Department of Health and Human Services’ Office for Civil Rights breach report indicates 35,136 patients may have had their protected health information accessed.


Insider Data Breaches Continue to Plague the Healthcare Industry

Protenus has published its February Healthcare Breach Barometer Report. The report includes healthcare data breaches reported to the Department of Health and Human Services’ Office for Civil Rights or disclosed to the media in February 2018.

The report, compiled from data collected from databreaches.net, indicates at least 348,889 healthcare records were confirmed as breached in February, although that figure will be considerably higher as the number of people affected by 11 breaches is not yet known. There were 39 security breaches involving protected health information in February – a slight rise from the 37 breaches reported in January, although the number of records exposed was down from January’s total of 473,807 records.

Insider breaches continue to pose problems for healthcare providers with 16/39 incidents (41%) involving insiders. Those incidents resulted in the exposure/theft of 51% of all records confirmed as having been exposed or stolen in February. Protenus notes that 94% of insider breaches were the result of errors by healthcare employees, with only one confirmed breach involving insider wrongdoing.

Hacking accounted for 33% of data breaches and resulted in the exposure of 46% of the records exposed in February, although the number of people affected by five hacking incidents is not yet known. Out of the hacking/IT incidents, four were confirmed as involving malware or ransomware, including the largest breach of the month – the 135,000-record breach at St. Peter’s Surgery & Endoscopy Center in New York. There were two incidents confirmed as involving phishing. Theft/loss incidents accounted for 13% of all breaches and the cause of 13% of breaches is currently unknown.

Healthcare providers reported 23 breaches, health plans reported eight incidents, business associates reported four incidents, and businesses/other vendors reported four breaches. The breach reports submitted to the Office for Civil Rights only suggest two business associate breaches occurred, although the Protenus report has revealed there were 11 incidents with some business associate/vendor involvement.

Protenus notes that it took an average of 325 days from the date of the breach to the incident being discovered with a median detection time of 34 days. The average was high due to one insider breach taking more than four years to discover. The average time from discovery to reporting was 68 days with a median of 59 days. Six organizations reported the breaches later than the 60-day maximum time frame allowed by HIPAA.

California was the worst affected by healthcare data breaches in February with six incidents followed by Wisconsin and Georgia on three. Healthcare data breaches were reported by organizations in 22 states and Puerto Rico in February.

Protenus notes that while the number of people affected by healthcare data breaches fell to a four-year low in 2017, the number of data breaches has not reduced. Healthcare data breaches are still occurring at a rate of more than one per day.


Ransomware Attack on Finger Lakes Health Cripples Computers

Geneva, NY-based Finger Lakes Health has experienced a ransomware attack that has crippled its computer system. Staff have been forced to work on pen and paper while the health system attempts to remove the malware and restore access to electronic data.

The ransomware attack on the health system started at around midnight on Sunday March 18, 2018, with staff becoming aware of the attack when a ransom demand was issued by the attackers.

Finger Lakes Health operates Geneva General Hospital and Soldiers & Sailors Memorial Hospital in Penn Yan and several specialty care practices, primary care physician practices, long-term health facilities, and day care centers in upstate New York. It is unclear exactly how many facilities have been impacted by the ransomware attack.

Finger Lakes Health has developed emergency procedures for attack scenarios such as this, which were immediately implemented when the attack was discovered. On March 20, the health system issued a statement to local media channels about the attack explaining that while some of its information systems were inaccessible, its manual downtime protocol had been implemented and its hospitals and care facilities continued to function. Such an attack will naturally have an impact on the provision of medical services, although patient care remains the main priority while the ransomware attack is mitigated.

Finger Lakes Health is working closely with law enforcement and IT teams to restore access to data and bring its systems back online. At this stage it appears that the attackers have only encrypted data. There is no indication that any patient or employee information has been compromised.

No information on the type of ransomware used in the attack has been released nor whether the decision has been made to pay the ransom to regain access to data.


RoxSan Pharmacy Notifies 1,049 Patients About 2015 Email Breach

Beverly Hills, CA-based RoxSan Pharmacy has notified 1,049 patients that some of their protected health information has been disclosed to a business associate via unencrypted email.

The notification letters were mailed to affected individuals last month, although the incident occurred on January 20, 2015. In a recent press release, RoxSan explained that affected individuals are being notified in “as timely a manner as possible”. The delay in issuing notifications was due to “the protected nature of the forensic investigation”. It is unclear when RoxSan Pharmacy became aware of the error.

The protected health information was included in a data file that was sent to a single individual – a business associate of the pharmacy – who worked in the legal field. That individual had signed a business associate agreement with the pharmacy and was aware of the responsibilities of HIPAA with respect to patients’ PHI. However, the PHI was exposed because the data file was sent via unencrypted email.

The data file only contained a limited amount of protected health information and did not include patient names, personal identification information, Social Security numbers, or financial information.

The information related to patients who had prescriptions filled between April 2015 and August 2015 and was limited to prescription information, drug information, insurance information, physicians’ names, and patient identification numbers.

RoxSan has not received any reports that suggest the information has been intercepted and misused. Patients have been advised of the steps they can take to protect their identities and monitor for fraudulent use of their information as a precaution.

The pharmacy has already taken steps to improve its operational protections to prevent any further breaches of this nature from occurring.
