HIPAA Breach News

1,000 Mental Health Patients’ PHI Accidentally Disclosed for 3 and a Half Years

1,071 patients who received medical services at the Des Moines Crisis Observation Center operated by Polk County Health Services Inc. have been informed that some of their protected health information was “accidentally and unknowingly disseminated” over a period of three and a half years.

The breach was discovered on February 14, 2018, although the investigation revealed that information was first disclosed on June 1, 2014 and that disclosures continued until January 11, 2018. The types of information disclosed include patients’ names along with Social Security numbers, home addresses, Medicaid ID numbers, admission dates, and discharge locations.

Through the Crisis Observation Center, Polk County Health Services provides mental health services for residents of Polk County, IA and is the regional administrator and governing board for mental health and disability services for the county.

Polk County Health Services is aware of the individual(s) to whom the information was disclosed and was able to determine exactly which types of information those individuals received. The reason for the impermissible disclosure of protected health information, and how the PHI came to be disclosed, was not explained in the substitute breach notice uploaded to the Polk County Health Services website.

Steps have been taken to prevent any further disclosure or dissemination of personal information and protected health information. Those steps include additional training for staff on the importance of protecting patient privacy and the implementation of additional computer security protections and protocols to prevent unauthorized access to and disclosure of PHI.

No reports have been received to suggest any patient’s PHI has been misused; however, as a precaution, all individuals affected by the breach have been offered complimentary credit monitoring services for 12 months. Notifications were mailed to affected individuals in April and the incident has been reported to the Department of Health and Human Services’ Office for Civil Rights.

The post 1,000 Mental Health Patients’ PHI Accidentally Disclosed for 3 and a Half Years appeared first on HIPAA Journal.

California Dept. of Developmental Services Notifies 582,000 Patients of Potential PHI Compromise

The California Department of Developmental Services (DDS) is notifying 582,174 patients that their protected health information has potentially been compromised.

On February 11, 2018, thieves broke into the DDS legal and audits offices in Sacramento, CA. During the time the thieves were in the offices they potentially had access to the sensitive information of approximately 15,000 employees, contractors, job applicants, and parents of minors who receive DDS services, in addition to the PHI of more than half a million patients. The thieves also stole 12 government computers.

It does not appear that the perpetrators were interested in paper records, and all computers taken by the thieves were encrypted, so the data stored on them could not be accessed. DDS has confirmed that none of the office computers were used to gain access to the department’s network and that electronic protected health information remained secure at all times.

In its substitute breach notice, DDS explained that its offices were vandalized and a fire was started, which triggered the sprinkler system causing damage to documents and CDs.

The nature of the vandalism and the damage caused by the fire and sprinkler system has made it impossible to determine with 100% certainty whether any information was taken from the offices or if PHI has been compromised.

If PHI was viewed or stolen it would have been limited to names, medical records, unique state-issued client identifier numbers, service codes, service dates, units billed, and amounts paid for services.

The incident has been reported to law enforcement and the burglary has been investigated but the perpetrators have not been identified.

While it is unlikely that the thieves gained access to the protected health information of patients, notifications have been sent to affected individuals out of an abundance of caution and the incident has been reported to the Department of Health and Human Services’ Office for Civil Rights.

The security breach is the largest to be reported to OCR in 2018, eclipsing the 279,865-record breach at Oklahoma State University Center for Health Sciences that was reported in January and the 134,512-record breach at St. Peter’s Surgery & Endoscopy Center, reported in February.


Texas Health Resources Notifies 4,000 Patients of Email Account Breach

Arlington-based Texas Health Resources, a provider group serving more than 1.7 million patients in North Texas, is notifying ‘fewer than 4,000 patients’ that some of their sensitive information may have been accessed by an unauthorized individual. The data breach occurred as early as October 2017, although it was not discovered until January 17, 2018, when the health system was notified of a breach by law enforcement. The potentially compromised data was saved in email accounts that the attacker had access to for up to three months.

The delay in issuing breach notification letters, which would normally have to be issued within 60 days of the discovery of the breach under HIPAA Rules, was at the request of law enforcement. HIPAA covered entities are permitted to delay the issuing of notifications if law enforcement believes such an act would impede an investigation. Law enforcement has only recently given the OK to start sending notifications. It is unclear whether the law enforcement investigation resulted in the apprehension of a suspect.

Texas Health Resources explained in its substitute breach notice that the incident was part of a larger attack that affected multiple entities across the United States. It is currently unclear which other healthcare organizations were also targeted by the attacker and therefore the true scale of the campaign.

Texas Health Resources conducted its own internal investigation into the breach and determined that the compromised email accounts contained information such as names, dates of birth, Social Security numbers, medical record numbers, driver’s license numbers, state ID numbers, insurance information, and clinical information. Most of the affected individuals had received medical services at Texas Health Resources facilities in 2017.

Individuals whose Social Security numbers were exposed have been offered complimentary identity theft protection and credit monitoring services for one year. No reports have been received to suggest any of the information has been misused.

Texas Health continuously works on improving its safeguards to keep protected health information confidential and secure, and will be enhancing its security monitoring to ensure that any future security incidents are detected rapidly.


Analysis of March 2018 Healthcare Data Breaches

There has been a month-over-month increase in healthcare data breaches. In March 2018, 29 security incidents were reported by HIPAA covered entities compared to 25 incidents in February.

March 2018 Healthcare Data Breaches

Even though more data breaches were reported in March, there was a fall in the number of individuals impacted by breaches. March 2018 healthcare data breaches saw 268,210 healthcare records exposed – a 13.13% decrease from the 308,780 records exposed in incidents in February.

Records exposed by Healthcare Data Breaches (March 2018)

Causes of March 2018 Healthcare Data Breaches

March saw the publication of the Verizon Data Breach Investigations Report which confirmed the healthcare industry is the only vertical where more data breaches are caused by insiders than hackers. That trend continued in March. Unauthorized access/disclosures, loss of devices/records, and improper disposal incidents were behind 19 of the 29 incidents reported – 65.5% of all incidents reported in March.

The main cause of healthcare data breaches in March 2018 was unauthorized access/disclosure incidents. 14 incidents were reported, with theft/loss incidents the second main cause with 9 incidents, followed by hacking/IT incidents with 5 breaches reported.

Severity of Breaches by Breach Cause

| Breach Cause | Total Records Exposed in March | Median Records Exposed | Mean Records Exposed |
|---|---|---|---|
| Unauthorized Access/Disclosure | 166,859 | 3,551 | 11,919 |
| Hacking/IT Incident | 54,814 | 5,207 | 10,963 |
| Theft | 40,018 | 1,424 | 8,004 |
| Loss | 5,107 | 1,096 | 1,277 |
| Improper Disposal | 1,412 | 1,412 | 1,412 |

Largest Healthcare Data Breaches Reported in March 2018

There were ten healthcare data breaches reported in March that impacted more than 10,000 individuals. The largest data breach resulted in the exposure of 63,551 individuals’ PHI. That incident occurred and was discovered in December 2016, although the incident has only just been reported to the HHS’ Office for Civil Rights.

While hacking incidents usually result in the highest number of exposed/compromised records, in March it was unauthorized access/disclosure incidents that dominated the breach reports.

| Name of Covered Entity | Covered Entity Type | Individuals Affected | Type of Breach |
|---|---|---|---|
| Middletown Medical P.C. | Healthcare Provider | 63,551 | Unauthorized Access/Disclosure |
| ATI Holdings, LLC and its subsidiaries | Healthcare Provider | 35,136 | Hacking/IT Incident |
| City of Houston Medical Plan | Health Plan | 34,637 | Theft |
| Mississippi State Department of Health | Healthcare Provider | 30,799 | Unauthorized Access/Disclosure |
| Barnes-Jewish Hospital | Healthcare Provider | 18,436 | Unauthorized Access/Disclosure |
| Barnes-Jewish St. Peters Hospital | Healthcare Provider | 15,046 | Unauthorized Access/Disclosure |
| Special Agents Mutual Benefit Association | Health Plan | 13,942 | Unauthorized Access/Disclosure |
| Guardian Pharmacy of Jacksonville | Healthcare Provider | 11,521 | Hacking/IT Incident |
| Primary Health Care, Inc. | Healthcare Provider | 10,313 | Unauthorized Access/Disclosure |

March 2018 Healthcare Data Breaches by Covered Entity Type

No data breaches were reported by business associates of HIPAA-covered entities in March. The breach summaries published by the HHS’ Office for Civil Rights suggest there was no business associate involvement in any of the 29 incidents reported.

However, the largest reported incident – the breach at Middletown Medical – is marked as having no business associate involvement, when the breach notice uploaded to the provider’s website indicates the incident was caused by a subcontractor of a business associate. It is possible there were more security breaches in March that had some business associate involvement.


Records Exposed by Covered Entity Type

Unsurprisingly, given the number of incidents reported by healthcare providers, these incidents resulted in the highest number of exposed records – 154,325 records – followed by breaches at business associates/subcontractors – 63,551 records – and health plans – 50,334 records.

Breaches at business associates/subcontractors saw the highest number of records exposed per incident (Median & Mean = 63,551 records), followed by health plans (Median=13,943 records / Mean = 16,778 records), and healthcare providers (Median = 1,843 records / Mean = 6,173 records).

Location of Breached Protected Health Information

The main location of breached protected health information in March was portable electronic devices (laptops/other portable devices), with 9 incidents reported. Had encryption been used to protect ePHI on these devices, a breach of PHI could easily have been avoided.

The second biggest problem area was email with 8 reported incidents. These breaches include misdirected emails and phishing incidents.

Securing physical records continues to be a problem. There were five incidents reported in March that involved physical records such as paper and films.


March 2018 Healthcare Data Breaches by State

In March 2018, six states experienced multiple healthcare data breaches. While California usually tops the list for the most breaches, this month it was Massachusetts-based healthcare organizations that were the hardest hit, with 5 incidents reported.

California was in second place with four security incidents, followed by Missouri and New York with three, and Maryland and Texas with two. The 10 other states where breaches occurred were Arkansas, Colorado, District of Columbia, Florida, Georgia, Iowa, Illinois, Minnesota, Mississippi, and West Virginia.

Financial Penalties for Breaches and HIPAA Violations

There were no civil monetary penalties issued by the Department of Health and Human Services’ Office for Civil Rights in March, and no settlements with HIPAA-covered entities or business associates to resolve HIPAA violations.

The New York attorney general’s office has continued to take a hard line on companies discovered to have violated HIPAA Rules and suffered data breaches as a result, with one further settlement reached in March.

Virtua Medical Group agreed to settle violations of HIPAA and state laws for $417,816. That penalty relates to the failure to secure an FTP server, although it was not the healthcare provider that was directly responsible. The error was made by a business associate of Virtua Medical Group.


Several Employee Email Accounts Compromised in UnityPoint Health Phishing Attack

UnityPoint Health has discovered the email accounts of several employees have been compromised and accessed by unauthorized individuals.

Access to the employee email accounts was first gained on November 1, 2017 and continued for a period of three months until February 7, 2018, when the phishing attack was detected and access to the compromised email accounts was blocked.

Upon discovery of the phishing attack, UnityPoint Health engaged the services of a computer forensics firm to investigate the scope of the breach and the number of patients impacted. The investigation revealed a wide range of protected health information had potentially been obtained by the attackers, which included names in combination with one or more of the following data elements:

Medical record number, date of birth, service dates, treatment information, surgical information, lab test results, diagnoses, provider information, and insurance information.

The security breach has yet to appear on the Department of Health and Human Services’ breach portal, so it is currently unclear exactly how many patients have been affected by the breach. Notifications to individuals impacted by the breach started to be mailed on April 16, 2018.

To date there have been no reports of any health information being used inappropriately. However, since PHI may have been obtained by the attackers, UnityPoint Health has recommended that affected individuals take steps to protect against insurance fraud and identity theft. Those steps include reviewing insurers’ Explanation of Benefits statements, monitoring accounts for fraudulent activity, and contacting insurers for a full list of all medical services paid under their insurance policy and carefully checking that list for any services that were not received.

The incident has prompted UnityPoint Health to strengthen security controls to prevent similar incidents from occurring in the future.


Oxygen Equipment Manufacturer Discovers Credential Theft Incident Potentially Impacts 30,000

Inogen, a manufacturer of portable oxygen concentrators, has discovered an unauthorized individual has obtained the credentials of an employee and has used them to gain access to the employee’s email account.

Phishing and other credential theft incidents are common in the healthcare sector, although what makes this incident stand out is the number of individuals impacted by the attack. The compromised email account contained the personal information of approximately 30,000 individuals who had previously been provided with oxygen supply devices.

The types of information potentially viewed and obtained by the attacker include name, telephone number, address, email address, date of birth, date of death, types of equipment provided, Medicare ID number and health insurance information. Medical records, Social Security numbers, and payment card information were not compromised.

Also notable is the length of time it took to discover the breach. Inogen reports that access to the email account was first gained on January 2, 2018 and continued until March 14. Forensic investigators were hired to determine exactly how the breach occurred, its extent, and the number of patients impacted. The forensics firm confirmed the account was accessed and, based on the IP address used to access the account, that the perpetrator was located in a foreign country.

While stolen credentials were used in the attack, it is currently unclear exactly how those credentials were obtained. While phishing is a possibility, the credentials could also have been obtained by other means, such as a man-in-the-middle attack.

Since there is potential for insurance information to be misused by the attacker, Inogen has offered credit monitoring services to affected individuals and they will be protected by an insurance reimbursement policy. While that policy will cover losses in the event of insurance information misuse, Inogen has said that the policy may not cover all expenses related to the misuse of information.

Inogen is required to comply with Health Insurance Portability and Accountability Act Rules and has reported the security breach to the Department of Health and Human Services’ Office for Civil Rights. Affected individuals have been notified by mail and the relevant state attorneys general have been sent a data breach summary.

Security has been strengthened following the attack, which includes the use of two-factor authentication. If an unfamiliar device is used to access an account, a second form of authentication will be required before access to the account is granted. Additionally, all passwords have been reset, further electronic tools deployed to prevent unauthorized access, and employee training has been enhanced.


Integrated Rehab Consultants Takes 16 Months to Notify Patients of PHI Breach

The Chicago, IL-based physiatry group Integrated Rehab Consultants is sending notification letters to certain patients alerting them to the exposure of some of their protected health information, as is required by HIPAA. However, the breach was not discovered in the past 60 days. Integrated Rehab Consultants (IRC) first became aware of the exposure of PHI on December 2, 2016 – 16 months ago.

The data – which included patients’ full names, address, date of birth, gender, medical provider information, visit date, visit status, admission date, appointment visit ID, treatment location, procedure code, and diagnosis codes – had been uploaded to a publicly accessible repository. The PHI was discovered by a healthcare security researcher who notified IRC about the breach.

Prompt action was taken to remove and secure the data and an investigation was launched to determine how and why the data had been uploaded to an insecure location. That investigation determined that a business associate who had been provided with the PHI had disclosed the information to a third party. It was that subcontractor that made the error and uploaded the data to the public repository.

At the time, IRC only believed the data had been accessed by the security researcher. However, in its substitute breach notice, IRC explained that in the fall of 2017 it became apparent that other individuals may also have gained access to the data.

Patients potentially impacted have been offered complimentary credit monitoring and identity restoration services for 12 months and have been notified about the incident ‘out of an abundance of caution.’ IRC has not received any reports to suggest any patient information has been misused, although affected individuals have been urged to check their credit reports and EoB statements carefully and to remain vigilant against identity theft and fraud.

It is unclear why patients were not notified of the exposure of their PHI within 60 days of the initial discovery that their PHI had been exposed, nor why there was a further delay in issuing notifications when it was suspected that other individuals may have gained access to the data.


Baptist Health Alerts Almost 1,500 Patients to Possible Abuse of Credit Card Details

A former employee of Baptist Health’s West Kendall Baptist Hospital in Miami, FL has been discovered to have stolen the credit card details of at least one patient and used the information to make fraudulent purchases.

The misuse of credit cards was discovered by Baptist Health on March 9, 2018. The matter was referred to Miami-Dade law enforcement and the employee was terminated.

Baptist Health has not specified exactly how many patients have been confirmed to have been defrauded by the employee, although 1,480 patients have been sent breach notification letters to alert them to the possibility that their credit card details may have been misused.

Any patient who paid for medical services using a credit card with the registration employee between August 2014 and March 2018 has potentially had their name, date of birth, and credit card details stolen and misused.

As a precaution, all 1,480 patients have been offered identity theft protection and credit monitoring services for 12 months without charge and have been advised to check their credit card statements carefully for any unauthorized purchases.

Baptist Health is exploring options to further protect patient health information and prevent any further breaches of this nature from occurring in the future.


63,500 Patients Impacted by Middletown Medical Data Breach

A misconfigured security setting on a radiology interface has resulted in the exposure of tens of thousands of patients’ protected health information.

Middletown Medical, a multi-specialty physicians’ group based in Middleton, NY, discovered the misconfigured security setting on January 29, 2018.

The following day the interface was secured to ensure unauthorized individuals were prevented from accessing patient information. It is unclear for how long patient data was accessible. Middletown Medical says only a limited number of patients’ PHI could have been accessed by unauthorized individuals.

Highly sensitive information such as financial data, Social Security numbers, and insurance information were not exposed. The breach was limited to names, client identification numbers, birth dates, confirmation that radiology services had been received by patients, and the dates those services were provided. A limited number of patients also had diagnosis codes, radiology images, and radiology reports exposed.

The discovery of the error prompted Middletown Medical to review its policies and procedures and implement additional safeguards to ensure the confidentiality of documents containing PHI. Additional training has been provided to staff on securing information systems, and modifications have been made to interfaces to ensure all information remains secure.

No reports of misuse of PHI have been received although, out of an abundance of caution, all patients impacted by the breach have been offered complimentary identity theft recovery services for 12 months and have been advised to carefully review their account statements and Explanation of Benefits statements for any sign of fraudulent activity.

The data breach summary submitted to the Department of Health and Human Services’ Office for Civil Rights indicates up to 63,551 patients had their PHI exposed, making this one of the largest healthcare security incidents to be reported so far this year.
