HIPAA Breach News

16,000 Individuals Impacted by Two Email-Related Breaches

Two email-related data breaches have been reported that have resulted in the disclosure of the protected health information of more than 16,000 individuals.

Flexible Benefit Service Corporation Breach Impacts 5,123 Individuals

Flexible Benefit Service Corporation (Flex), a Chicago, IL-based general agency and benefit administrator serving health insurance carriers, has announced the discovery of a phishing attack that resulted in an unauthorized individual gaining access to a corporate email account.

The security breach was detected on December 6, 2017 when an email account of a company employee was discovered to be sending phishing emails. The email account was compromised after a single employee responded to a phishing email and disclosed login credentials to the email account.

A third-party forensics firm was contracted to investigate the breach and ascertain the extent of the attacker’s activities. The investigation highlighted the likely intentions of the attacker: once access to the email account was gained, the attacker searched the mailbox for details of invoices, wire transfers and wire payments.

This strongly suggests the aim of the attack was to use the account in a business email compromise (BEC) attack, in which the attacker impersonates the account holder to redirect payments, rather than to gain access to protected health information. The forensics firm could not confirm whether individual emails had been opened or whether protected health information was viewed. Were that the case, the attacker could potentially have viewed information such as names, addresses, phone numbers, Social Security numbers, and birth dates.
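The two behaviours described above, a compromised mailbox being searched for payment-related terms and then used to send phishing in bulk, are what a detection over mailbox audit logs would look for. The following is an added example, not code from HIPAA Journal or from Flex or its forensics firm. The audit records are constructed sample data in a simplified format; the field names and thresholds are assumptions, not any mail platform’s real audit schema.

```python
"""Triage a mailbox audit trail for (1) searches for payment-related terms and
(2) a burst of outbound mail from one account. Added example with a constructed,
simplified record format; field names are assumptions, not a vendor schema."""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real log data). One JSON object per line.
SAMPLE_LOG = """
{"ts": "2017-12-05T09:02:11Z", "user": "jdoe", "op": "MailboxLogin", "ip": "203.0.113.7"}
{"ts": "2017-12-05T09:03:40Z", "user": "jdoe", "op": "SearchQueryInitiated", "query": "invoice"}
{"ts": "2017-12-05T09:04:02Z", "user": "jdoe", "op": "SearchQueryInitiated", "query": "wire transfer"}
{"ts": "2017-12-05T09:04:30Z", "user": "jdoe", "op": "SearchQueryInitiated", "query": "wire payment"}
{"ts": "2017-12-05T09:10:00Z", "user": "jdoe", "op": "Send", "recipients": 48}
{"ts": "2017-12-05T09:11:00Z", "user": "jdoe", "op": "Send", "recipients": 52}
{"ts": "2017-12-05T09:12:00Z", "user": "jdoe", "op": "Send", "recipients": 55}
{"ts": "2017-12-05T10:00:00Z", "user": "asmith", "op": "SearchQueryInitiated", "query": "lunch menu"}
{"ts": "2017-12-05T10:05:00Z", "user": "asmith", "op": "Send", "recipients": 1}
"""

# Whole-word match so "bank" does not fire on "embankment" and similar.
FINANCE_PATTERN = re.compile(r"\b(invoice|wire|payment|remittance|bank)\b", re.IGNORECASE)


def parse_log(text):
    """Parse one JSON record per line and sort by timestamp."""
    events = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])


def finance_searches(events):
    """Map user -> list of mailbox search queries that contain payment terms."""
    hits = defaultdict(list)
    for e in events:
        if e["op"] == "SearchQueryInitiated" and FINANCE_PATTERN.search(e["query"]):
            hits[e["user"]].append(e["query"])
    return dict(hits)


def peak_recipients(events, window=timedelta(minutes=15)):
    """Map user -> largest number of recipients addressed within any window."""
    sends = defaultdict(list)
    for e in events:
        if e["op"] == "Send":
            sends[e["user"]].append((e["ts"], e["recipients"]))
    peaks = {}
    for user, items in sends.items():  # items are already time-ordered
        best, start = 0, 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:
                start += 1
            best = max(best, sum(n for _, n in items[start:end + 1]))
        peaks[user] = best
    return peaks


def triage(text, min_finance_searches=2, burst_recipients=100):
    """Return accounts showing either indicator, with the reasons for each."""
    events = parse_log(text)
    searches = finance_searches(events)
    peaks = peak_recipients(events)
    findings = []
    for user in sorted({e["user"] for e in events}):
        reasons = []
        if len(searches.get(user, [])) >= min_finance_searches:
            reasons.append("finance-term searches: " + ", ".join(searches[user]))
        if peaks.get(user, 0) >= burst_recipients:
            reasons.append(f"outbound burst: {peaks[user]} recipients in 15 min")
        if reasons:
            findings.append({"user": user, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding["user"], "->", "; ".join(finding["reasons"]))
```

Either indicator alone is worth a look; both together on one account within minutes of each other is a strong signal of the pattern described in the Flex investigation, and the thresholds should be tuned to the organisation’s normal sending volumes.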

Individuals impacted by the incident have been offered identity theft protection, recovery, and credit monitoring services for 12 months without charge. Flex has responded by enhancing its internal security awareness and anti-phishing training program for employees.

Kansas Department for Aging and Disability Services Experiences 11,000-Record Breach

The Kansas Department for Aging and Disability Services (KDADS) has discovered an employee sent an unauthorized email to a group of KDADS business associates containing the protected health information of approximately 11,000 consumers.

All of the email recipients had already signed a business associate agreement with KDADS which prohibits them from disclosing or inappropriately using any emailed protected health information.

KDADS has contacted all the business associates who received the information to advise them of the error and request that they delete or destroy the email and any printed copies of the information. No reports have been received to suggest the information has been spread any further or that any of the information has been misused.

The types of information in the attached document included names, dates of birth, addresses, Social Security numbers, genders, Medicaid identification numbers, and in-home services program participation information.

The incident has prompted KDADS to revise its policies and procedures to prevent similar incidents from occurring in the future. The employee responsible for the error has been terminated.

The post 16,000 Individuals Impacted by Two Email-Related Breaches appeared first on HIPAA Journal.

How to Report a HIPAA Violation Anonymously

One of the questions we are sometimes asked is how to report a HIPAA violation anonymously. This is because, in many cases, complaints and reports will not be reviewed or investigated without your contact details.

When you file a health information privacy complaint or a security rule violation complaint via the Office for Civil Rights’ (OCR) online Complaints Portal, the first page you are asked to complete is your name and contact details. The reason for this is that, if OCR reviews your complaint and decides to investigate it, the agency may want to contact you for further information.

You cannot go beyond the first page of the complaints process without entering any contact details; and, if you complete the form using fictitious contact details, OCR will be unable to contact you to obtain the information it needs to conduct an investigation. Consequently, it is not possible to report a HIPAA violation anonymously via the OCR Complaints Portal.

There are Other Ways of Filing a Complaint with OCR

The Complaints Portal is not the only way to file a complaint with OCR. You can download a complaint form, complete it, send it to OCR by mail or as an email attachment. The form allows you to deny consent for revealing your name or any identifying information – which is not the same as reporting a HIPAA violation anonymously and “may result in the closure of the investigation”.

You can also write anonymously to OCR, send an email from a disposable temporary email address, or call the agency directly on (800) 368-1019. If none of these approaches work because OCR does not want people to report a HIPAA violation anonymously, you could try one of OCR’s Regional Offices to see if one of them is willing to accept an anonymous report.

OCR is Not the Only Agency You Can Complain To

HHS’ Office for Civil Rights is not the only “enforcer” of HIPAA. Violations of the Administrative Requirements can be reported to the Centers for Medicare and Medicaid Services (CMS), violations of the Breach Notification Rule by organizations not covered by HIPAA can be reported to the Federal Trade Commission, and criminal violations can be reported to the Department of Justice.

All these agencies have complaints processes similar to OCR inasmuch as it is difficult to report a HIPAA violation anonymously. This is also usually the case with Offices of State Attorneys General. However, if you have a strong case for an investigation and explain why you are unwilling to reveal your identity, you may be able to report a HIPAA violation anonymously to a state agency.

How Else to Report a HIPAA Violation Anonymously

State and federal agencies are not the only bodies you can approach with a health information privacy complaint or a security rule violation complaint. You can also directly approach the organization responsible for the HIPAA violation. This gives you more options to report a HIPAA violation anonymously and a greater likelihood the violation you are reporting is addressed.

It is important to note that, unless the complaint involves a data breach subsequently reported to OCR by the organization, there will be no enforcement action taken by any state or federal agency. However, while there will be no record of an organization “getting into trouble” for failing to comply with HIPAA, your anonymous report may prevent somebody else experiencing an adverse event attributable to a privacy or security violation.

How to Report a HIPAA Violation Anonymously FAQs

Why doesn’t OCR want people to report a HIPAA violation anonymously?

Not only does it make it very difficult to investigate a privacy complaint without knowing who the complaint relates to, but malicious individuals could make unsubstantiated complaints that waste the time of both OCR investigators and the organization being investigated. By insisting on verifiable contact details, OCR can prevent malicious and unsubstantiated complaints – even though this requirement could dissuade some individuals from making justifiable complaints.

If I have to give my name, what protection do I have against retaliation?

§160.316 of the HIPAA Administrative Simplification Regulations prohibits Covered Entities and Business Associates from threatening, intimidating, coercing, harassing, discriminating against, or taking any retaliatory action against an individual who reports a HIPAA violation. This not only applies to patients and health plan members, but to any individual – including members of a Covered Entity’s or Business Associate’s workforce.

Can I report a HIPAA violation anonymously if the violation affects someone else?

Even if you are reporting a HIPAA violation on behalf of another person, OCR, CMS, the Federal Trade Commission, and the Department of Justice will require your verifiable contact details to ensure the report is not malicious and unsubstantiated. You may be able to report a HIPAA violation anonymously to a State Attorney General’s office; but the best way to make a report anonymously is to approach the noncompliant organization directly.

How do I report a criminal violation of HIPAA anonymously to the Department of Justice?

Unlike some crime “tip lines”, the Department of Justice does not accept anonymous reports. The only route to reporting a criminal violation anonymously is to contact the noncompliant organization’s Privacy Officer, who should investigate your complaint (subject to you having a strong case). If the Privacy Officer believes a criminal violation has occurred, they will report it to OCR, who will refer it to the Department of Justice for investigation.

What should I do if I complain anonymously to an organization, but nothing happens?

It may be difficult to know if your complaint to an organization has been ignored because the organization has no way of contacting you to explain what it is doing to correct the violation – which may take some time if it involves the development of new policies and additional workforce training. However, if you are certain your complaint has been ignored and it is still within 180 days of the violation being identified, you can escalate your complaint to OCR – albeit not anonymously.

Are HIPAA complaints anonymous?

Although you can request that your name is withheld when you make a complaint to OCR, complaints made anonymously will not be investigated. This not only applies to complaints made to OCR, but also to State Attorneys General, county HHS offices, and – where applicable – CMS, and the FTC. The option exists to phone an agency and make a complaint anonymously, but without your name, it is unlikely any further action will be taken.


New York Surgery & Endoscopy Center Discovers 135,000-Record Data Breach

A malware infection at St. Peter’s Surgery & Endoscopy Center in New York has potentially allowed hackers to gain access to the medical records of as many as 135,000 patients.

This is the second largest healthcare data breach of 2018, the largest to hit New York state since the 3,466,120-record data breach at Newkirk Products, Inc. in August 2016, and the fifth largest healthcare data breach in New York since the Department of Health and Human Services’ Office for Civil Rights started publishing data breach summaries in October 2009.

The data breach at St. Peter’s Surgery & Endoscopy Center was discovered on January 8, 2018, the same day the hackers gained access to its server. The rapid detection of the malware limited the time the hackers had access to the server and potentially prevented patients’ data from being viewed or copied. However, while no evidence of data access or data theft was discovered, it was not possible to rule either out with a high degree of certainty.

In its substitute breach notice, St. Peter’s Surgery & Endoscopy Center says the servers it uses are separate from those of St. Peter’s Hospital and Albany Gastroenterology Consultants. Protected health information held by those medical centers was not compromised as a result of the malware infection. Only patients who have previously visited St. Peter’s Surgery & Endoscopy Center for medical treatment have potentially been affected. Letters to affected patients were mailed on February 28, 2018 and the incident has been reported to the HHS’ Office for Civil Rights.

The information potentially accessed/copied was limited to patients’ names, addresses, dates of birth, dates of service, diagnosis codes, procedure codes, and insurance information. Some patients also had Medicare information exposed; at the time of the breach, Medicare numbers were derived from Social Security numbers, so those patients’ Social Security numbers were effectively exposed as well. Patients without Medicare did not have their Social Security numbers exposed, and no patients’ banking or credit/debit card numbers were exposed.

Patients whose Medicare information was exposed have been offered one year of credit monitoring and identity theft protection services without charge “out of an abundance of caution” and all patients have been advised to check their health insurance statements carefully for any sign of fraudulent use of their information.

No information has been released on the exact nature of the security breach, such as how the hackers gained access to the server to install malware. St. Peter’s Surgery & Endoscopy Center said action is being taken to bolster security, which includes further staff training. The purchase of additional – and more elaborate – anti-virus and anti-malware solutions is also being evaluated.


Window Envelope Privacy Breach Exposes ID Numbers of 70,320 Tufts Health Plan Members

Tufts Health Plan is alerting 70,320 of its members that their health plan member ID numbers have been exposed.

A mailing vendor used by Tufts Health Plan sent Tufts Medicare Preferred ID cards to Medicare Advantage members between December 11, 2017 and January 2, 2018.

Window envelopes were used which naturally allowed plan members’ names and addresses to be seen, but Tufts Health Plan member IDs were also visible through the plastic windows of the envelopes. The mailing error was discovered by Tufts Health Plan on January 18.

Tufts Health Plan notes that its member IDs do not contain Social Security numbers or Medicare numbers, but the member ID numbers could potentially be misused by individuals to obtain services covered by the health plan.

Legal experts were consulted about the breach to assess the potential risk to plan members. The risk of misuse of the numbers is believed to be very low as the only individuals likely to see the member IDs would be employees of the postal service. Plan members have been told that in the unlikely event that their member IDs are misused they will not be responsible for any charges.

Plan members should check their Explanation of Benefits statements carefully and should report any services detailed on the statements that have not been received.

The health plan reports that it has been working closely with its vendor to ensure similar incidents do not occur in the future. The mailing vendor has confirmed that the error that caused the privacy incident has now been fixed.

In this case, the privacy breach was limited and patients should not be adversely affected, but similar incidents have occurred at other healthcare organizations that have caused serious problems for some individuals.

On July 28, 2017, a business associate of Aetna sent a mailing to approximately 12,000 plan members detailing a change to pharmacy benefits for individuals who were receiving HIV medications. The medications are prescribed to treat HIV and as pre-exposure prophylaxis (PrEP) to prevent contraction of HIV. Information about those medications was clearly visible through the plastic windows of the envelopes. The disclosure was not limited to the postal service. In some cases, the information was inadvertently disclosed to family members and roommates.

A class-action lawsuit was filed against Aetna which was recently settled for $17 million. Aetna was also fined $1.15 million by the New York Attorney General over the privacy breach and further actions may be taken against the health insurer by other state attorneys general and the HHS’ Office for Civil Rights.

A similar privacy incident affected Amida Care in 2017, again involving information related to HIV. In that case, the words “Your HIV detecta” were visible through the clear plastic windows of envelopes next to the name and the address, even though an additional sheet of paper had been inserted to prevent information on the enclosed double-sided flyer from being visible.

These incidents clearly highlight the risks of using window envelopes for healthcare mailings. If the decision is taken to use this type of envelope, stringent checks should be conducted to ensure that the letters cannot slip to reveal sensitive information and that the content of the mailings cannot be seen.
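The check recommended above can be made mechanical before a mailing goes to print: model each printed line’s position on the folded insert, model the envelope window, and allow for the insert shifting inside the envelope. The following is an added example, not code from HIPAA Journal, Tufts Health Plan or its mailing vendor. The window size, line positions and slip tolerance are assumed values for illustration, and the weak layout mirrors the Tufts case (member ID printed directly beneath the address) rather than reproducing any real template.

```python
"""Flag non-address content that could show through an envelope window, allowing
for the folded insert shifting inside the envelope. Added example; all dimensions
and the slip tolerance are assumptions, not a real mailing template."""
from dataclasses import dataclass


@dataclass(frozen=True)
class TextLine:
    """A printed line's bounding box in mm, measured on the folded insert in the
    envelope's coordinate frame (origin at the envelope's top-left corner)."""
    label: str
    x: float
    y: float
    width: float
    height: float
    address_block: bool = False  # only name/address lines are allowed to show


@dataclass(frozen=True)
class Window:
    x: float
    y: float
    width: float
    height: float


def could_show(line, window, slip_mm):
    """True if the line's box intersects the window after the insert shifts by up
    to slip_mm in any direction (modelled by growing the window by slip_mm)."""
    wx0, wy0 = window.x - slip_mm, window.y - slip_mm
    wx1, wy1 = window.x + window.width + slip_mm, window.y + window.height + slip_mm
    lx0, ly0 = line.x, line.y
    lx1, ly1 = line.x + line.width, line.y + line.height
    return lx0 < wx1 and lx1 > wx0 and ly0 < wy1 and ly1 > wy0


def exposed_lines(lines, window, slip_mm=3.0):
    """Labels of non-address lines that could be visible through the window."""
    return [ln.label for ln in lines if not ln.address_block and could_show(ln, window, slip_mm)]


# Constructed layout (assumed dimensions): a 90 x 25 mm window on a DL-style envelope.
WINDOW = Window(x=20, y=40, width=90, height=25)

ADDRESS = [
    TextLine("Name", 22, 45, 60, 5, address_block=True),
    TextLine("Street", 22, 51, 60, 5, address_block=True),
    TextLine("City/State/ZIP", 22, 57, 60, 5, address_block=True),
]

# Weak layout: the member ID sits directly beneath the address block.
WEAK_LAYOUT = ADDRESS + [TextLine("Member ID", 22, 63, 40, 5)]

# Corrected layout: the member ID is moved well beyond the window's reach.
SAFE_LAYOUT = ADDRESS + [TextLine("Member ID", 22, 90, 40, 5)]


if __name__ == "__main__":
    print("weak layout exposes:", exposed_lines(WEAK_LAYOUT, WINDOW))
    print("safe layout exposes:", exposed_lines(SAFE_LAYOUT, WINDOW))
```

The slip tolerance is the important parameter: a layout that passes with the insert perfectly positioned can still fail once the sheet drops a few millimetres in transit, which is exactly the failure mode in the Amida Care mailing where an extra sheet was inserted and text still showed.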


Hacking Responsible for 83% of Breached Healthcare Records in January

The latest installment of the Protenus Healthcare Breach Barometer report has been released. Protenus reports that overall, at least 473,807 patient records were exposed or stolen in January, although the number of individuals affected by 11 of the 37 breaches is not yet known. The actual total is likely to be considerably higher, possibly taking the final total to more than half a million records.

The report shows insiders are continuing to cause problems for healthcare organizations. Insiders were the single biggest cause of healthcare data breaches in January. Out of the 37 healthcare data breaches reported in January, 12 were attributed to insiders – 32% of all data breaches.

While insiders were the main cause of breaches, the incidents affected a relatively low number of individuals – just 1% of all records breached. Insiders exposed 6,805 patient records, although figures could only be obtained for 8 of the 12 breaches. Seven incidents were attributed to insider error and five to insider wrongdoing.

Protenus has drawn attention to one particular insider breach. A nurse was discovered to have accessed the health information of 1,309 patients without authorization over a period of 15 months. Had the healthcare organization had technology in place to monitor for inappropriate access, the snooping could have been detected far earlier, and the privacy of hundreds of those patients need not have been violated.
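The monitoring referred to above usually works by comparing record accesses against the treatment relationships the organization already knows about (encounters, care-team assignments) and flagging workforce members who read records of patients they have no relationship with. The following is an added example, not code from HIPAA Journal or Protenus. The encounter and access records are constructed sample data in a simplified format; the 30-day relationship window, the three-patient threshold and the “emergency” break-the-glass reason code are assumptions, not any EHR vendor’s audit schema.

```python
"""Flag EHR record accesses with no treatment relationship on record, and the
workforce members who accumulate several of them. Added example with constructed
data; window, threshold and reason codes are assumptions, not a vendor schema."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (not real patient or workforce records).
ENCOUNTERS = [
    # (patient_id, workforce_member, encounter_date)
    ("P100", "nurse_a", "2017-11-01"),
    ("P101", "nurse_a", "2017-11-03"),
    ("P200", "nurse_b", "2017-11-02"),
]

ACCESS_LOG = [
    # (workforce_member, patient_id, access_time, stated_reason)
    ("nurse_a", "P100", "2017-11-01T10:00:00", ""),
    ("nurse_a", "P101", "2017-11-03T11:00:00", ""),
    ("nurse_a", "P300", "2017-11-05T02:15:00", ""),   # no encounter on record
    ("nurse_a", "P301", "2017-11-06T02:20:00", ""),   # no encounter on record
    ("nurse_a", "P302", "2017-11-07T02:25:00", ""),   # no encounter on record
    ("nurse_b", "P200", "2017-11-02T09:00:00", ""),
    ("nurse_b", "P999", "2017-11-02T09:30:00", "emergency"),  # break-the-glass
]

# Assumption: an access within 30 days of an encounter with that patient is routine.
RELATIONSHIP_WINDOW = timedelta(days=30)


def build_relationships(encounters):
    """Map (workforce_member, patient_id) -> list of encounter dates."""
    rel = defaultdict(list)
    for patient, member, date in encounters:
        rel[(member, patient)].append(datetime.fromisoformat(date))
    return rel


def has_relationship(rel, member, patient, when, window=RELATIONSHIP_WINDOW):
    """True if the member had an encounter with the patient within the window."""
    return any(abs(when - d) <= window for d in rel.get((member, patient), []))


def unrelated_accesses(log, encounters):
    """Accesses with no encounter in the window. Break-the-glass accesses are
    excluded here; they warrant their own review queue rather than this one."""
    rel = build_relationships(encounters)
    out = []
    for member, patient, ts, reason in log:
        if reason == "emergency":
            continue
        when = datetime.fromisoformat(ts)
        if not has_relationship(rel, member, patient, when):
            out.append((member, patient, ts))
    return out


def flag_members(log, encounters, min_patients=3):
    """Members who accessed at least min_patients distinct unrelated patients."""
    per_member = defaultdict(set)
    for member, patient, _ in unrelated_accesses(log, encounters):
        per_member[member].add(patient)
    return {m: sorted(p) for m, p in per_member.items() if len(p) >= min_patients}


if __name__ == "__main__":
    for member, patients in flag_members(ACCESS_LOG, ENCOUNTERS).items():
        print(f"{member}: {len(patients)} patients with no treatment relationship: {patients}")
```

Run daily rather than annually, a check like this turns a 15-month snooping run into a matter of days, and the distinct-patient threshold keeps a single mistyped MRN from generating a case.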

The second biggest cause of healthcare data breaches in January were hacking/IT incidents. There were 11 hacking/IT incidents reported by healthcare organizations in January – 30% of all breaches. In contrast to insider incidents, these were not small breaches. They accounted for 83% of all breached records in January. One single hacking incident involved 279,865 records. That’s 59% of all breached records in the month.

In total, 393,766 healthcare records were exposed by hacks and other IT incidents. The final figure could be substantially higher as figures for five of those breaches have not been obtained. One of the incidents involving an unknown number of records was the ransomware attack on the EHR company Allscripts, which resulted in some of its applications being unavailable for several days. That incident could well be the biggest breach of the month.

Ransomware attacks are still a major problem in healthcare, with six of the 11 incidents involving ransomware or malware. Phishing – the subject of February’s cybersecurity letter from the HHS’ Office for Civil Rights – was involved in at least two breaches.

The loss or theft of electronic devices containing ePHI or physical records accounted for 22% of the breaches. Two incidents involving the loss of patient records impacted 10,590 individuals and four out of the six theft incidents impacted 50,929 individuals. The number of individuals affected by the other two theft incidents is unknown. The cause of 16% of January’s data breaches has not yet been disclosed.

The types of breached entities followed a similar pattern to previous months, with healthcare providers accounting for the majority of breaches (84%). 5% of the breaches had some BA involvement and 3% affected health plans. 8% affected other entities.

Information on the length of time it took to detect breaches was only obtained for 11 of the 37 incidents. The median time from the incident to detection was 34 days and the average was 252 days. The average was affected by one incident that took 1445 days to discover.

The median time from discovery of a breach to reporting the incident was 59 days, one day shy of the Breach Notification Rule’s 60-day outer limit. That limit is a maximum, not a target: the Rule requires notification without unreasonable delay and in no case later than 60 days from discovery. The average was 96 days. Four healthcare organizations took longer than 60 days to report their breaches, with one taking more than 800 days.


Ransomware Attack Impacts 6,550 Jemison Internal Medicine Patients

On December 20, 2017, a ransomware attack on Jemison Internal Medicine of Alabama resulted in electronic health records being encrypted, preventing the healthcare provider from gaining access to patient data.

A ransom demand was issued for the keys to unlock the encryption although no payment was made to the attacker. Jemison Internal Medicine had viable backups of electronic protected health information and restored data after reinstalling the operating system on affected computers. An analysis of its system post-data restoration revealed no traces of the malicious software remained.

While ransomware attacks are often indiscriminate and occur as a result of employees responding to phishing emails, this attack was more targeted. The investigation into the security breach revealed an unauthorized individual had gained access to Jemison Internal Medicine’s computer system and had access for a period of approximately 3 months.

The investigation did not uncover any evidence to suggest the EMR system was accessed by the attacker, although it was not possible to rule out data access with a high degree of certainty. The types of information that could potentially have been viewed or copied include names, telephone numbers, dates of birth, addresses, Social Security numbers, driver’s license numbers, prescription information, health insurance details, and treatment and procedure information.

The incident has prompted Jemison Internal Medicine to conduct a review of security, policies, and procedures and steps have been taken to secure its systems and prevent further attacks. Remote connectivity to its computers has been disabled, all passwords have been changed, and other measures have been implemented to strengthen security.

Patients affected by the security breach have now been notified by mail and the incident has been reported to the Department of Health and Human Services’ Office for Civil Rights. The OCR breach summary indicates the protected health information of 6,550 patients was potentially compromised.


Medical University of South Carolina’s Hard Line on HIPAA Violations Sees 13 Fired in a Year

According to a recent report in the Post and Courier, the Medical University of South Carolina (MUSC) terminated 13 employees last year for violating HIPAA Rules by snooping on patient records. In total, there were 58 privacy violations in 2017 at MUSC, all of which have been reported to the Department of Health and Human Services’ Office for Civil Rights.

All of the breaches affected only small numbers of patients. Out of the 58 breaches, 11 incidents were categorized as snooping on medical records. Other breaches were unauthorized disclosures such as when the health information of a patient is accidentally sent or faxed to the wrong person.

Over the past five years, there have been 307 breaches detected at MUSC, resulting in 30 members of non-physician staff being fired. None of the breaches have been listed on the OCR breach portal, which only shows breaches impacting 500 or more individuals. Under HIPAA Rules, all breaches of unsecured PHI must be reported to OCR, but breaches affecting fewer than 500 individuals are reported in an annual submission within 60 days of the end of the calendar year in which they were discovered, and only breaches of 500 or more records are made public on the breach portal.

The revelations were made at a recent meeting of the hospital’s board of trustees. MUSC opted for transparency, which is considered important to help prevent future privacy breaches. The medical university has made it abundantly clear what actions will be taken against employees discovered to have violated HIPAA Rules.

According to the Post and Courier, one board member questioned whether the decision to terminate employees for minor privacy breaches was a Draconian measure; however, the threat of federal audits over data breaches involving employees has made such swift and decisive action necessary. Heavy fines can be imposed when audits reveal HIPAA Rules have not been followed. The actions taken by MUSC clearly show that it takes privacy and security seriously and that HIPAA violations by employees will not be tolerated.

OCR may be focused on pursuing financial penalties for serious breaches of PHI that affect large numbers of individuals, but that does not mean that investigations do not take place for smaller breaches. There have been multiple investigations of small breaches that have resulted in financial penalties for HIPAA violations by covered entities and their business associates.

The most recent example was in early February when a $3.5 million settlement between OCR and Fresenius Medical Care North America (FMCNA) was announced. FMCNA had experienced five small data breaches in a six-month period in 2012. In 2013, Hospice of North Idaho settled with OCR for $50,000 over a breach impacting 441 patients. Further, in 2016, OCR made it clear that it would be stepping up investigations of covered entities that had experienced small breaches of PHI.

While small breaches may not make the headlines, they are serious for the individuals concerned, which is something MUSC makes clear in its employee training sessions. Efforts to communicate the importance of privacy have also been stepped up, and it is made clear to employees that the hospital has a clear policy of terminating employees for violating HIPAA Rules.

It would be unreasonable to single out MUSC as having a poor record for privacy breaches, as many hospitals are likely to have similar stats. What is certainly commendable is the full transparency and swift and decisive action when patient privacy is violated with malicious intent or when the privacy of patients is violated by curious employees.


Patients Notified of White and Bright Family Dental Server Hack

Fresno, CA-based White and Bright Family Dental has discovered one of its servers containing patients’ protected health information has been accessed by hackers. Access to the server was gained by the attackers on January 30, 2018.

The Fresno Police Department was immediately notified of the incident “so that identification and prosecution of those involved could begin.” That investigation, along with White and Bright Family Dental’s internal investigation, is continuing. The dental practice is also in the process of augmenting its security protections to prevent further incidents of this nature from occurring.

While HIPAA covered entities have up to 60 days following the discovery of a breach to issue notifications to patients and the Department of Health and Human Services, White and Bright Family Dental acted quickly and sent notifications in the shortest possible time frame to allow victims to take steps to protect their identities. Letters were sent to patients on February 16 and the state attorney general’s office was notified of the breach on February 19.

White and Bright Family Dental believes the protected health information of patients was accessed by the attackers, although no evidence has been uncovered to suggest any information has been copied, stolen or misused.

An analysis of the server revealed the following types of information were potentially accessed: Names, addresses, telephone numbers, birth dates, Social Security numbers, insurance information, driver’s license numbers, and dental histories.

Patients have been advised to be alert to the risk of identity theft and fraud and should monitor their health and account statements for any sign of fraudulent activity.

The incident has yet to appear on the HHS’ Office for Civil Rights’ breach portal so it is currently unclear how many patients have been impacted by the incident.


1,900 UVA Patients’ PHI Accessed by Hacker Behind FruitFly Malware

Almost 1,900 patients of University of Virginia Health System are being notified that an unauthorized individual has gained access to their medical records as a result of a malware infection.

The malware had been loaded onto the devices used by a physician at UVa Medical Center. When medical records were accessed by the physician, the malware allowed the hacker to view the data in real time. The malware was first loaded onto the physician’s electronic devices on May 3, 2015, with access possible until December 27, 2016. Over those 19 months, the hacker was able to view the medical records of 1,882 patients.

The types of information seen by the hacker included names, addresses, dates of birth, diagnoses, and treatment information, according to a UVa spokesperson. Financial information and Social Security numbers were not exposed as they were not accessible by the physician.

Access to the protected health information of its patients stopped in late 2016, although UVa did not discover the breach for almost a year. UVa was notified of the security breach by the FBI on December 23, 2017, following an extensive investigation into the hacker’s activities. Patients impacted by the breach were notified by mail this month.

UVa has since implemented a number of additional security controls to prevent further incidents of this nature from occurring.

Thousands of Victims’ Sensitive Information Viewed


UVa is only one victim of the hacker. Other businesses were also affected and had information compromised, although the extent of the hacker’s activities has not been fully determined. The FBI investigation is continuing, although the hacker has been arrested and charged in a 16-count indictment for numerous computer offenses including violations of the Computer Fraud and Abuse Act and the Wiretap Act, in addition to aggravated identity theft and the production of child pornography.

The hacker has been identified as Phillip R. Durachinsky, 28, of North Royalton, Ohio. Durachinsky allegedly developed a Mac malware called FruitFly more than 13 years ago and used the malware to spy on thousands of individuals and companies. The malware provided Durachinsky with full access to an infected device, including access to the webcam. The malware took screenshots, allowed the uploading and downloading of files, and could log keystrokes. Durachinsky also developed the malware to give him a live feed from multiple infected computers simultaneously.

Victims include schools, businesses, healthcare organizations, a police department, and local, state, and federal government officials. Over 13 years, Durachinsky spied on thousands of individuals, mainly using the Mac form of the malware, although a Windows-based variant was also used.

In addition to gaining access to UVa patients records, Durachinsky used the malware to view highly sensitive information of other non-UVa victims. He was able to gain access to financial accounts, photographs, tax records, and internet search histories. Durachinsky also allegedly surreptitiously took photographs of his victims via webcams and kept notes on what he was able to view.

The FBI discovered that an IP address associated with the malware was also used to access Durachinsky’s alumni email account at Case Western Reserve University, which led to his arrest. More than 20 million images were discovered on Durachinsky’s devices by the FBI agents.
