HIPAA Breach News

3 University of Arkansas Medical Sciences Employees Fired for Violation of Patient Privacy

University of Arkansas Medical Sciences (UAMS) has fired three employees over alleged HIPAA violations that saw a patient’s protected health information impermissibly disclosed and published on Facebook.

UAMS provides training to all employees to make them aware of their responsibilities with respect to patient privacy and the requirements of HIPAA, yet despite that training, one employee violated the privacy of a patient by disclosing that individual’s name, age, HIV status, employment information, and surgical history to a colleague.

That employee shared the information with a friend who uploaded the PHI to Facebook. A third employee allegedly played no part in the violation but was aware of the disclosures yet failed to report the incident to the hospital.

The hospital took prompt action when the HIPAA violations were discovered and terminated all three employees for violating HIPAA Rules and the hospital’s code of conduct. The hospital is taking steps to ensure similar incidents are prevented and is working with the patient to resolve the privacy violation.

The motives of the employees are unclear, but their responsibility to protect patient privacy had been clearly explained, and there can be no doubt that they were aware that their actions were in breach of federal regulations.

In addition to the loss of their jobs, the matter has been referred to the U.S. attorney’s office, and criminal charges for the HIPAA violation are being considered.

The privacy violation should serve as a warning to all healthcare employees about the potential repercussions of HIPAA violations, and also that failing to report a HIPAA violation by a co-worker can itself result in loss of employment.

If a HIPAA violation is discovered in the workplace, the incident should be reported to the organization’s privacy officer to ensure prompt action can be taken to limit the harm caused.

The post 3 University of Arkansas Medical Sciences Employees Fired for Violation of Patient Privacy appeared first on HIPAA Journal.

Protenus Report Highlights Extent of Insider Breaches in Healthcare

The quarterly Breach Barometer report from Protenus provides interesting insights into the extent to which insiders are violating HIPAA Rules and snooping on patient health information.

The Breach Barometer report is compiled using breach data supplied by Databreaches.net and proprietary data collected through the artificial intelligence platform developed by Protenus that allows healthcare organizations to track and analyze employee EHR activity.

Insider breaches are a major problem in healthcare, yet many insider breaches go undetected. When insider breaches are identified, it is often months after the breach has occurred. One healthcare employee was recently discovered to have been accessing medical records without authorization for 14 years.

1.13 Million Patient Records Exposed in Q1, 2018

The latest Breach Barometer report shows the records of 1,129,744 patients and health plan members were viewed by unauthorized individuals, exposed, or stolen in the first quarter of 2018. Data breaches occurred at a rate of more than one per day, with 110 healthcare data breaches reported in Q1.

Data breaches are typically only announced publicly if they have affected more than 500 individuals. Smaller data breaches still need to be reported to the HHS’ Office for Civil Rights to comply with HIPAA Rules, although the information is not made available to the public.

An analysis of the data collected from the Protenus platform suggests only one thousandth of data breaches are actually disclosed to the public, and inappropriate accessing of medical records by healthcare employees is a major problem throughout the industry.

Most commonly, healthcare employees snoop on the medical records of family members. 77.10% of all insider snooping incidents in Q1, 2018 involved the unauthorized accessing of family members’ health records. In second place was inappropriate accessing of co-workers’ health records, followed by snooping on neighbors’ health information and VIPs’ medical records.

The Protenus report shows just how important it is to detect these incidents promptly to prevent further privacy violations. Data analyses by Protenus show there is a 20% chance that a healthcare employee will inappropriately view medical records again within three months of the first incident, and a 54% chance that they will repeat the violation at least once in the following 12 months. “Healthcare organizations accumulate risk that compounds over time when proper detection, reporting, and education do not occur,” said Kira Caban, Protenus Director of Public Relations.

Unfortunately, most healthcare providers lack visibility into who is accessing medical records, and privacy violations take many months to detect. The average time taken to identify a breach of patient privacy is 244 days.
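The report's point is that snooping is only caught when someone is actually looking at EHR access logs against the context of who should be in a record. The following is an added example (not Protenus's platform or HIPAA Journal's code) of the kind of audit-log check a privacy office could run. The staff roster, patient index and access events are constructed, and the heuristics are assumptions modelled on the categories the report names: a patient who shares the employee's surname or home address (family), a patient who is also a member of staff (co-worker), and otherwise any access with no treatment relationship. It also applies the report's three-month repeat window to find staff who were flagged more than once.

```python
"""Flag EHR accesses that look like insider snooping and spot repeat offenders.

Added example, not Protenus's platform or HIPAA Journal's code. All data below
is constructed, and the heuristics are assumptions about how such a check could
be built, not a description of any vendor's logic.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Staff:
    staff_id: str
    last_name: str
    address: str
    patient_mrn: str = ""  # set when the staff member is also a patient here


@dataclass(frozen=True)
class Patient:
    mrn: str
    last_name: str
    address: str


@dataclass(frozen=True)
class Access:
    staff_id: str
    mrn: str
    when: datetime
    on_care_team: bool  # treatment relationship, taken from scheduling/orders


def _norm(text: str) -> str:
    """Case- and whitespace-insensitive comparison key."""
    return " ".join(text.lower().split())


def suspicious_accesses(log: Iterable[Access], staff: Iterable[Staff],
                        patients: Iterable[Patient]) -> List[Tuple[Access, str]]:
    """Return (access, reason) for every access that lacks a treatment
    relationship, classified as family, co-worker, or unexplained."""
    staff_by_id = {s.staff_id: s for s in staff}
    coworker_mrns = {s.patient_mrn for s in staff_by_id.values() if s.patient_mrn}
    patients_by_mrn = {p.mrn: p for p in patients}
    flagged: List[Tuple[Access, str]] = []
    for a in log:
        if a.on_care_team:
            continue  # a treatment relationship explains the access
        s, p = staff_by_id.get(a.staff_id), patients_by_mrn.get(a.mrn)
        if s is None or p is None:
            continue  # unknown identifiers are a data-quality issue, handled elsewhere
        if _norm(p.address) == _norm(s.address) or _norm(p.last_name) == _norm(s.last_name):
            flagged.append((a, "family"))
        elif a.mrn in coworker_mrns:
            flagged.append((a, "co-worker"))
        else:
            flagged.append((a, "no treatment relationship"))
    return flagged


def repeat_offenders(flagged: List[Tuple[Access, str]],
                     window_days: int = 90) -> Dict[str, int]:
    """Staff with a second flagged access within window_days of an earlier one,
    mapped to their total number of flagged accesses. The report cites a 20%
    repeat rate within three months, so 90 days is the default window."""
    by_staff: Dict[str, List[datetime]] = defaultdict(list)
    for a, _reason in flagged:
        by_staff[a.staff_id].append(a.when)
    result: Dict[str, int] = {}
    for staff_id, times in by_staff.items():
        times.sort()
        if any(t2 - t1 <= timedelta(days=window_days) for t1, t2 in zip(times, times[1:])):
            result[staff_id] = len(times)
    return result


# Constructed sample data: a small roster, patient index and access log.
STAFF = [
    Staff("e100", "Lopez", "12 Elm St"),
    Staff("e200", "Ng", "4 Oak Ave", patient_mrn="M555"),
    Staff("e300", "Patel", "9 Pine Rd"),
]
PATIENTS = [
    Patient("M111", "Lopez", "12 Elm St"),
    Patient("M222", "Smith", "77 Birch Ln"),
    Patient("M333", "Jones", "1 Main St"),
    Patient("M555", "Ng", "4 Oak Ave"),
]
LOG = [
    Access("e100", "M111", datetime(2018, 1, 5, 22, 41), False),   # relative's chart
    Access("e100", "M222", datetime(2018, 1, 20, 9, 3), True),     # legitimate care
    Access("e100", "M333", datetime(2018, 2, 14, 23, 10), False),  # no relationship
    Access("e300", "M555", datetime(2018, 3, 1, 12, 30), False),   # co-worker's chart
    Access("e300", "M222", datetime(2018, 3, 2, 8, 15), True),     # legitimate care
]

if __name__ == "__main__":
    hits = suspicious_accesses(LOG, STAFF, PATIENTS)
    for access, reason in hits:
        print(f"{access.when:%Y-%m-%d} {access.staff_id} -> {access.mrn}: {reason}")
    print("repeat offenders within 90 days:", repeat_offenders(hits))
```

The care-team flag is the load-bearing input: without a reliable record of who is treating whom, every access looks the same and the 244-day detection lag the report describes is the predictable outcome.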

The quarterly Breach Barometer report is available for download from Protenus.


2,889 Patients of Scenic Bluffs Community Health Centers Notified of PHI Breach

An unauthorized individual has gained access to the email account of an employee of Scenic Bluffs Community Health Centers and potentially viewed the protected health information of up to 2,889 patients.

The email account breach was discovered by the health centers on March 1, 2018, the day after access to the account was gained. The attacker had set up a mail forwarder on the account, which had forwarded 44 messages to an email address controlled by the attacker.

None of the forwarded emails contained any protected health information. Once the mail forwarding rule was discovered it was deleted, the account was closed, and all PHI was secured. While no PHI appears to have been obtained by the attacker, PHI detailed in the emails could have been viewed during the period in which the account was accessible.

It is unclear how access to the email account was gained. Typically email accounts are compromised after employees respond to phishing emails and inadvertently disclose their login credentials, or via brute force attacks that take advantage of weak passwords.

Scenic Bluffs Community Health Centers has hired an external cybersecurity firm to evaluate its systems and provide recommendations on suitable security solutions that can be deployed to further protect patient privacy and prevent future security breaches.

Breach notification letters were mailed on April 23 to patients whose PHI was potentially viewed.


PHI of 3,000 Patients Exposed Due to Mailing Printing Error

Maximus Inc, a provider of business process management and technology solutions to government health and human services agencies, is alerting more than 3,000 individuals that some of their protected health information has been accidentally disclosed to other individuals as a result of a printing error on a recent mailing.

The mailing was prepared and sent by its business associate, Business Ink, between February 10 and February 13, 2018. The mailing was sent to approximately 1,100 families in Texas who participated in Medicaid and the Children’s Health Insurance Program (CHIP). The error was discovered by Maximus on February 16.

The 6-page letter included one mismatched page that included information relating to another individual. The types of information detailed on the page were limited to names, addresses, group numbers, case numbers, and program type. No highly sensitive information such as Social Security numbers, birth dates, insurance information, or financial information was exposed, and none of the information detailed on the mismatched pages would allow another individual to gain access to another person’s program account.

Since the information exposed was extremely limited, affected individuals do not need to take any action to mitigate risk. Notifications were issued out of an abundance of caution.

Maximus has investigated the incident and has received assurances that its mailing vendor has strengthened its printing processes to ensure similar errors are prevented in the future. No reports have been received to suggest any of the disclosed information has been misused in any way.

According to Databreaches.net, 3,029 individuals had information impermissibly disclosed as a result of the printing and mailing error.


Malware Installed on Florida Hospital Websites May Have Provided Access to PHI

Three websites used by Florida Hospital have been infected with malware that has potentially allowed the threat actors behind the attack to obtain patients’ protected health information.

PHI access has not been confirmed and no reports have been received to suggest any protected health information has been misused. Patients are being informed of the breach and, out of an abundance of caution, have been offered complimentary credit monitoring services. The websites impacted are FloridaBariatric.com, FHOrthoInstitute.com and FHExecutiveHealth.com.

The data potentially compromised was limited and did not involve any financial information. Patients’ names, birth dates, email addresses, phone numbers, insurance carriers, the last four digits of their Social Security numbers, any comments uploaded via the sites, and their height and weight may have been obtained by the attackers. The malware attack was limited to the above websites and no other systems were affected.

It is unclear what type of malware was uploaded to the websites and how long the malware was present on the websites before it was detected. Florida Hospital released a statement on Wednesday about the malware infection and all three websites have been taken offline while the malware is removed and the sites are sanitized.

The incident has yet to be reported to the Department of Health and Human Services’ Office for Civil Rights, so it is currently unclear exactly how many patients have been impacted. All patients affected by the security breach will be notified by mail if any of their protected health information is believed to have been compromised.

Florida Hospital is taking all appropriate steps to ensure similar security breaches are prevented and vulnerabilities across all of its online networks are addressed.


Employee Sent PHI After Being Fired

A bizarre mistake by the Texas Health and Human Services Commission (HHSC) resulted in a former employee being sent the protected health information of approximately 100 patients after she had been fired. The boxes contained items that had been collected from her old desk, but also benefits application forms.

After Tracy Ryans, 51, of Houston, was terminated, HHSC mailed her two boxes containing her personal items, which were left on her porch by the delivery driver. One of the boxes contained personal belongings that included pens, a coffee cup, and old shoes. The other box contained paperwork.

Ryans told the Texas Tribune that one of the boxes contained personal items that did not belong to her. They had been taken from a desk she shared with coworkers. The other box was full of paperwork containing highly sensitive personal information of clients.

The paperwork included benefits applications that included the Social Security numbers, billing statements, copies of driver’s licenses, and check stubs relating to approximately 100 individuals. The documents were dated April 13, 2018 – 15 days after Ryans had been terminated.

Ryans contacted the Texas State Employees Union to seek advice about what she should do with the paperwork, after becoming concerned that she might be accused of stealing the documents. She was given assistance returning the paperwork to HHSC.

The reason for Ryans’ termination after 9 years working for HHSC was an alleged failure to ensure the security of client information and violating HIPAA Rules – something Ryans denies. The mailing of PHI to Ryans, who had no legal right to hold the information, would be considered a violation of HIPAA Rules in itself. However, at this stage HHSC has yet to confirm what sensitive information was detailed in the documents and whether HIPAA Rules were accidentally violated.

The incident is currently being investigated by HHSC and the potential privacy breach has been reported to the Office of Inspector General. If it is confirmed that sensitive information was exposed and HIPAA Rules were violated, steps will be taken to remedy the breach and affected individuals will be notified.


85,000 Patients Impacted by California Ransomware Attack

Center for Orthopaedic Specialists is notifying its patients that some of their protected health information was potentially accessed by unauthorized individuals who installed ransomware on its network.

The attack impacts all current and former patients of three of its facilities in West Hills, Simi Valley and Westlake Village in California. According to Databreaches.net, 85,000 patients have potentially been impacted.

Center for Orthopaedic Specialists was notified by its IT vendor that an unauthorized individual began attempting to access its network on February 18, 2018. Access to the network was gained and ransomware was installed, which was used to encrypt a wide range of files, many of which contained the protected health information of patients. The types of information encrypted by the ransomware included names, details about medical records, dates of birth, and Social Security numbers.

Prompt action was taken by the IT vendor to limit the harm caused and the affected system was taken offline rapidly to prevent any exfiltration of data.

An investigation into the breach has not uncovered any evidence to suggest that patients’ protected health information was viewed or copied by the individuals responsible for the attack, although data theft could not be ruled out with 100% certainty. Out of an abundance of caution, all patients whose PHI was encrypted by the ransomware have been notified of the breach to allow them to take precautions to protect against identity theft and fraud.

Even though data theft is not suspected, out of an abundance of caution, Center for Orthopaedic Specialists is offering all affected individuals identity theft protection and credit monitoring services through ID Experts for 24 months without charge. Patients will also be protected by a $1,000,000 insurance policy.


Web Portal of Transcription Service Provider Discovered to be Leaking PHI

A transcription service provider has inadvertently left medical records and patient notes unsecured and freely accessible via a physician portal, which should have been password protected. The error has resulted in the exposure of thousands of patients’ PHI.

MEDantex provides medical transcription services to many hospitals and physicians, many of whom choose to upload audio files to the MEDantex website. The audio files are accessed by the firm’s employees and transcribed, and documents containing the transcribed notes are uploaded to the portal where they can be downloaded by providers. In order to gain access to the portal, a user must be authenticated by means of a password.

According to a report on KrebsOnSecurity, certain portions of the website were recently discovered to lack any authentication controls. Anyone visiting the website could, through their browser, gain access to patient data stored on the site. Brian Krebs reports that several of the tools used by MEDantex staff could also be accessed and used by unauthorized individuals. Those tools allowed unauthorized individuals to add and remove users, search for patients of specific physicians, and find information about patients by name.

Brian Krebs notes that a search of the site revealed the names of 2,300 physicians from across the country. Each provider had a directory which contained audio files and documents of transcribed medical notes, all of which could be freely downloaded.

The exposure of patient health information was reportedly due to a glitch in the portal that is believed to have been introduced during a rebuild of the portal. MEDantex suffered a ransomware attack that resulted in data on its portal being encrypted. The recovery process involved rebuilding the portal, although an error meant password protection was removed.
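A rebuild that silently drops the login requirement from part of a site is a failure that an automated check can catch before the portal goes back online. The following is an added example (not MEDantex code) of two such checks over a tiny router written for the purpose: a static check that lists every route under the protected namespace registered without an authentication requirement, and a behavioural check that requests each of those routes with no session and reports any that answer 200 instead of 401. The router, the handler names and the /portal/ paths are assumptions chosen to mirror the class of error the report describes.

```python
"""Regression checks that every route under a protected portal namespace still
enforces authentication after a rebuild.

Added example, not MEDantex's code. The router and routes are assumptions
constructed to illustrate the failure the report describes.
"""
from typing import Callable, Dict, List, Tuple

Handler = Callable[[dict], dict]


class Router:
    """Minimal path -> (handler, requires_auth) registry with a dispatcher."""

    def __init__(self) -> None:
        self.routes: Dict[str, Tuple[Handler, bool]] = {}

    def route(self, path: str, requires_auth: bool = True):
        def register(fn: Handler) -> Handler:
            self.routes[path] = (fn, requires_auth)
            return fn
        return register

    def dispatch(self, path: str, session: dict) -> dict:
        entry = self.routes.get(path)
        if entry is None:
            return {"status": 404}
        handler, requires_auth = entry
        if requires_auth and not session.get("user"):
            return {"status": 401}  # no authenticated user, refuse before running handler
        return handler(session)


def unprotected_routes(router: Router, prefix: str = "/portal/") -> List[str]:
    """Static check: routes under prefix registered without requires_auth."""
    return sorted(path for path, (_fn, needs_auth) in router.routes.items()
                  if path.startswith(prefix) and not needs_auth)


def probe_anonymous(router: Router, prefix: str = "/portal/") -> List[str]:
    """Behavioural check: call every route under prefix with an empty session
    and report the ones that serve content instead of demanding a login."""
    return sorted(path for path in router.routes
                  if path.startswith(prefix)
                  and router.dispatch(path, {}).get("status") == 200)


def build_portal(rebuilt: bool) -> Router:
    """Construct the portal. With rebuilt=True the staff tools are registered
    the way a careless rebuild might leave them: without the login requirement."""
    r = Router()

    @r.route("/", requires_auth=False)
    def home(session: dict) -> dict:
        return {"status": 200, "body": "login page"}

    @r.route("/portal/transcripts")
    def transcripts(session: dict) -> dict:
        return {"status": 200, "body": f"notes for {session['user']}"}

    @r.route("/portal/admin/users", requires_auth=not rebuilt)
    def manage_users(session: dict) -> dict:
        return {"status": 200, "body": "user list"}

    @r.route("/portal/search", requires_auth=not rebuilt)
    def search(session: dict) -> dict:
        return {"status": 200, "body": "patient search"}

    return r


if __name__ == "__main__":
    for label, portal in (("original", build_portal(rebuilt=False)),
                          ("rebuilt", build_portal(rebuilt=True))):
        print(label, "unprotected:", unprotected_routes(portal),
              "anonymous 200s:", probe_anonymous(portal))
```

The behavioural probe is the one to keep in a deployment pipeline: it does not depend on the framework's metadata being right, only on the rule that nothing under the protected prefix may answer an anonymous request, so it also catches a route that was re-registered through some other path the static check does not know about.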

Brian Krebs notified MEDantex of the error and the portal was immediately taken offline pending a thorough investigation. According to Krebs, a Google cache of the site shows the records were accessible since at least April 10, 2018.

It is currently unclear exactly how many patients’ PHI was exposed, although it is likely to number in the thousands. It is also unknown whether any unauthorized individuals accessed and downloaded PHI during the time that the records were left exposed.


Report: Healthcare Data Breaches in Q1, 2018

The first three months of 2018 have seen 77 healthcare data breaches reported to the Department of Health and Human Services’ Office for Civil Rights (OCR). Those breaches have impacted more than one million patients and health plan members – almost twice the number of individuals impacted by healthcare data breaches in Q4, 2017.

There was a 10.5% fall in the number of data breaches reported quarter over quarter, but the severity of breaches increased. The mean breach size increased by 130.57% and there was a 15.37% increase in the median breach size.

In Q4, 2017, the mean breach size was 6,048 healthcare records and the median breach size was 1,666 records. In Q1, 2018, the mean breach size was 13,945 records and the median breach size was 1,922 records.

Between January 1 and March 31, 2018, 1,073,766 individuals had their PHI exposed, viewed, or stolen compared to 520,141 individuals in Q4, 2017.

Chart: Individuals Impacted by Healthcare Data Breaches in Q1, 2018

Throughout 2017, healthcare data breaches were occurring at a rate of more than one per day. Compared to 2017, January was a relatively good month for the healthcare industry, with just 22 security incidents reported to the HHS’ Office for Civil Rights.

However, January also saw the largest healthcare data breach of the quarter reported – a hacking incident that potentially resulted in the theft of almost 280,000 records. That incident made January the worst month in terms of the number of healthcare records exposed.

The number of reported data breaches also increased each month. In March, breaches were being reported at the typical rate of one per day.

Chart: Healthcare Data Breaches in Q1, 2018

Main Causes of Healthcare Data Breaches in Q1, 2018

The healthcare industry is something of an anomaly when it comes to data breaches. In other industries, hacking/IT incidents dominate the breach reports; however, the healthcare industry is unique as insiders cause the most data breaches.

Once again, insiders were behind the majority of breaches. Unauthorized access/disclosure incidents, loss of physical records and devices containing ePHI, and improper disposal incidents accounted for 59.74% of the 77 breaches reported in Q1.

The main cause of breaches in Q1, 2018 was unauthorized access/disclosures – 35 incidents and 45.45% of the total breaches reported in Q1. There were 15 breaches involving the loss or theft of electronic devices containing ePHI, all of which could have been prevented had encryption been used.

Chart: Causes of Healthcare Data Breaches, Q1, 2018

Unauthorized access/disclosure incidents were more numerous than hacking incidents in Q1, although more healthcare records were exposed/stolen in hacking/IT incidents than all other causes of breaches combined.

Chart: Healthcare Records Exposed by Breach Cause

Location of Breached PHI in Q1, 2018

Healthcare security teams may be focused on securing the perimeter and preventing hackers from accessing and stealing electronic health information, but it is important not to neglect physical records. As was the case in Q4, 2017, physical records were the top location of breached PHI in Q1, 2018.

Email, which includes social engineering, phishing attacks and misdirected emails, was the second most common location of breached PHI followed by network servers.

Chart: Location of Breached PHI, Q1, 2018

Largest Healthcare Data Breaches of Q1, 2018

In Q1, 2018, there were 18 healthcare security breaches that impacted more than 10,000 individuals. Hacking/IT incidents tend to involve more records than any other breach cause, although in Q1, 2018, there were several large-scale unauthorized access/disclosure incidents, including five of the top ten breaches of the quarter.

The two largest breaches of the year to date affected Oklahoma State University Center for Health Sciences and St. Peter’s Surgery & Endoscopy Center. In both cases a hacker gained access to the network and potentially viewed/obtained patients’ PHI.

The five largest breaches of the quarter accounted for 57% of all records exposed in the quarter. The top 18 data breaches accounted for 87% of all records exposed in the quarter.

Name of Covered Entity | Covered Entity Type | Individuals Affected | Type of Breach
--- | --- | --- | ---
Oklahoma State University Center for Health Sciences | Healthcare Provider | 279865 | Hacking/IT Incident
St. Peter’s Surgery & Endoscopy Center | Healthcare Provider | 134512 | Hacking/IT Incident
Tufts Associated Health Maintenance Organization, Inc. | Health Plan | 70320 | Unauthorized Access/Disclosure
Florida Agency Persons for Disabilities | Health Plan | 63627 | Unauthorized Access/Disclosure
Middletown Medical P.C. | Healthcare Provider | 63551 | Unauthorized Access/Disclosure
Onco360 and CareMed Specialty Pharmacy | Healthcare Provider | 53173 | Hacking/IT Incident
Triple-S Advantage, Inc. | Health Plan | 36305 | Unauthorized Access/Disclosure
ATI Holdings, LLC and its subsidiaries | Healthcare Provider | 35136 | Hacking/IT Incident
City of Houston Medical Plan | Health Plan | 34637 | Theft
Mississippi State Department of Health | Healthcare Provider | 30799 | Unauthorized Access/Disclosure
Agency for Health Care Administration | Health Plan | 30000 | Hacking/IT Incident
Decatur County General Hospital | Healthcare Provider | 24000 | Hacking/IT Incident
Barnes-Jewish Hospital | Healthcare Provider | 18436 | Unauthorized Access/Disclosure
Barnes-Jewish St. Peters Hospital | Healthcare Provider | 15046 | Unauthorized Access/Disclosure
Special Agents Mutual Benefit Association | Health Plan | 13942 | Unauthorized Access/Disclosure
Guardian Pharmacy of Jacksonville | Healthcare Provider | 11521 | Hacking/IT Incident
CarePlus Health Plan | Health Plan | 11248 | Unauthorized Access/Disclosure
Primary Health Care, Inc. | Healthcare Provider | 10313 | Unauthorized Access/Disclosure

Healthcare Data Breaches in Q1, 2018 by Covered Entity

Healthcare providers were the worst affected by healthcare data breaches in Q1, 2018. As was the case in Q4, 2017, 14 health plans experienced a breach of more than 500 records. There were half the number of business associate breaches in Q1, 2018 as there were in Q4, 2017.

Chart: Q1, 2018 Healthcare Data Breaches by Entity Type

Healthcare Data Breaches in Q1, 2018 by State

In Q1, healthcare organizations based in 35 states reported breaches of more than 500 records. The worst affected state was California with 11 reported breaches, followed by Massachusetts with 8 security incidents.

There were four security incidents in both Missouri and New York, and three breaches reported by healthcare organizations based in Florida, Illinois, Maryland, Mississippi, Tennessee, and Wisconsin.

Healthcare organizations based in Alabama, Arkansas, Kentucky, Rhode Island, Texas, and Wyoming reported two breaches.

There was one breach experienced in Colorado, Connecticut, District of Columbia, Georgia, Iowa, Maine, Michigan, Minnesota, North Carolina, New Jersey, New Mexico, Nevada, Ohio, Oklahoma, Pennsylvania, Utah, Virginia, Washington and West Virginia.
