HIPAA Breach News

Ron’s Pharmacy Services Notifies Patients of Email Account Breach

San Diego, CA-based Ron’s Pharmacy Services has discovered that an email account containing a limited amount of protected health information was accessed by an unknown individual.

Suspicious activity was identified on an employee’s email account on October 3, 2017, prompting an investigation; however, it was not until December 21, 2017 that it was determined that an unauthorized individual had accessed messages in the email account containing patient information.

An analysis of the emails in the account showed only a limited amount of PHI was exposed: names, internal account numbers, and payment adjustment information, and, for a small number of patients, details of their prescription medications. While access to PHI was confirmed, Ron’s Pharmacy is unaware of any misuse of patient information. Ron’s Pharmacy has notified patients about the breach and reported the incident to the appropriate authorities.

In its February 2 substitute breach notice, Ron’s Pharmacy explained that rapid action was taken to secure the account and prevent further access. Login credentials were changed, and a third-party computer forensics firm was contracted to conduct a thorough investigation to determine the nature of the attack, its scope, and how access to the account was gained.

Employees have received additional training and policies and procedures have been updated to improve defenses against future cyberattacks of this nature.

Breach Highlights the Importance of Enforcing the Setting of Strong Passwords

The incident highlights the importance of implementing controls to ensure strong passwords are created by all employees. Ron’s Pharmacy, with assistance from the computer forensics firm, determined that the employee’s email account was compromised as a result of the attacker using software to conduct a brute force attack, which resulted in the correct password being guessed.

The use of complex passwords containing upper and lower-case letters, numbers, and special characters is commonly recommended. Short passwords remain exposed to brute force attacks regardless of how many character classes they contain, so a minimum length of 8 characters should be treated as a floor rather than a target.

However, in its Digital Identity Guidelines (NIST Special Publication 800-63B), NIST goes further and favors length over composition rules: long passphrases are far more resistant to brute force attacks than short strings of random characters, and they are easier for employees to remember. The same guidelines recommend screening new passwords against lists of commonly used and previously breached passwords, which defeats the dictionary-style guessing that brute force tools rely on in practice.

Covered entities should also implement rate limiting or account lockout so that repeated incorrect attempts block further logins. A brute force attack against a live email login succeeds only if the service accepts enough failed attempts for the attacker’s wordlist to reach the correct guess, so throttling failed logins limits the exposure regardless of how weak the chosen password is. Where the email platform supports it, multi-factor authentication means a guessed password alone is not enough to sign in.
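The two controls described above, as an added worked example in Python (not code from Ron’s Pharmacy, its forensics firm, or HIPAA Journal): a guess-space comparison showing why length matters more than character classes, and a sliding-window failed-login limiter that locks an account after repeated failures and refuses further attempts before the password is even checked. The thresholds (5 failures within 5 minutes, 15-minute lockout), the character-class and dictionary sizes, the 1,000 guesses/second attack rate and the account names are assumptions chosen for illustration.

```python
"""Added example: password guess-space estimates and a failed-login rate
limiter. All thresholds, alphabet sizes and account names are assumptions."""
import math
from collections import defaultdict, deque

# Assumed character-class sizes (printable ASCII minus space = 95).
LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 33
ALL_CLASSES = LOWER + UPPER + DIGITS + SYMBOLS
DICEWARE_WORDS = 7776  # assumed size of a typical passphrase word list


def password_bits(length: int, alphabet_size: int) -> float:
    """Guess-space of a *randomly chosen* password, in bits. Human-chosen
    passwords fall far below this bound, which is why dictionary-driven
    brute force succeeds in practice even against 'complex' passwords."""
    return length * math.log2(alphabet_size)


def passphrase_bits(words: int, dictionary_size: int = DICEWARE_WORDS) -> float:
    """Guess-space of a passphrase made of `words` random dictionary words."""
    return words * math.log2(dictionary_size)


def years_to_guess(bits: float, guesses_per_second: float) -> float:
    """Expected years to find the secret when half the space must be tried."""
    return (2 ** bits / 2) / guesses_per_second / (365 * 24 * 3600)


class LoginRateLimiter:
    """Sliding-window lockout keyed by account (or account plus source IP).

    After `max_failures` failed attempts within `window_s` seconds the key is
    locked for `lockout_s` seconds; attempts during the lockout are refused
    before the password is checked, so even a correct guess is rejected."""

    def __init__(self, max_failures=5, window_s=300, lockout_s=900):
        self.max_failures = max_failures
        self.window_s = window_s
        self.lockout_s = lockout_s
        self._failures = defaultdict(deque)  # key -> failure timestamps
        self._locked_until = {}              # key -> unlock timestamp

    def is_locked(self, key: str, now: float) -> bool:
        until = self._locked_until.get(key)
        if until is None:
            return False
        if now >= until:                     # lockout expired: start clean
            del self._locked_until[key]
            self._failures[key].clear()
            return False
        return True

    def attempt(self, key: str, now: float, success: bool) -> str:
        """Record one login attempt; returns 'locked', 'allowed' or 'failed'."""
        if self.is_locked(key, now):
            return "locked"
        if success:
            self._failures[key].clear()
            return "allowed"
        q = self._failures[key]
        q.append(now)
        while q and now - q[0] > self.window_s:  # drop failures outside window
            q.popleft()
        if len(q) >= self.max_failures:
            self._locked_until[key] = now + self.lockout_s
        return "failed"


def simulate_bruteforce(limiter: LoginRateLimiter, key: str,
                        guesses: int, interval_s: float = 0.5) -> dict:
    """Constructed attack: `guesses` wrong passwords, one every `interval_s`
    seconds. Returns how many were processed versus refused by the lockout."""
    counts = {"failed": 0, "locked": 0, "allowed": 0}
    for i in range(guesses):
        counts[limiter.attempt(key, i * interval_s, success=False)] += 1
    return counts


if __name__ == "__main__":
    for label, bits in [("8 chars, all classes", password_bits(8, ALL_CLASSES)),
                        ("16 lowercase letters", password_bits(16, LOWER)),
                        ("5-word passphrase", passphrase_bits(5))]:
        print(f"{label:22s} {bits:5.1f} bits, "
              f"{years_to_guess(bits, 1000):.2e} years at 1,000 guesses/s")
    print(simulate_bruteforce(LoginRateLimiter(), "employee@example.com", 20))
```

Two things the numbers show: a 16-letter lowercase passphrase has a larger guess-space than an 8-character password drawn from every character class, and even the 8-character random case is out of reach of online guessing at 1,000 attempts per second. A brute force attack that succeeds against a live login therefore usually means the password was predictable, not random; the limiter is the control that stops the attack either way, since after the fifth failure the remaining guesses are refused without being checked.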

The post Ron’s Pharmacy Services Notifies Patients of Email Account Breach appeared first on HIPAA Journal.

24,000 Decatur County General Hospital Patients Notified About Malware-Related Data Breach

Decatur County General Hospital in Tennessee has discovered that malware was installed on a server housing its electronic medical record system. The attacker could potentially have accessed the medical records of up to 24,000 patients.

An unauthorized software installation was discovered on November 27, 2017 by the hospital’s medical record system vendor, which is also responsible for maintaining the server on which the system is installed. An investigation revealed the software was a form of malware known as a cryptocurrency miner.

Cryptocurrency mining is the use of computer processors to verify cryptocurrency transactions and add them to the public ledger containing details of all transactions since the currency was created. The process of verifying transactions requires computers to solve complex computational problems.

Cryptocurrency mining can be performed by anyone with a computer, and in return for solving those computational problems, the miner is rewarded with a small payment for verifying the transaction.

A single computer can earn a few dollars a day mining cryptocurrency, and large numbers of computers can generate a reasonable profit. A fleet of compromised machines infected with cryptocurrency mining malware can generate substantial earnings for the attacker at no cost beyond the initial compromise. Cryptocurrency mining malware campaigns and infections have soared in recent months.

Since cryptocurrency mining requires a considerable amount of processing power, computers infected with the malware may slow considerably, although it may not always be apparent that infection has occurred. In the case of Decatur County General Hospital, the malware infection was not identified by its EMR vendor for more than two months. The malware is believed to have been installed on or before September 22, 2017.

Cryptocurrency mining malware typically has a single function and is not normally associated with data theft. In this instance, however, the attacker had to gain access to the server in order to install the malware, and the same level of access would have allowed the medical records stored on it to be read or copied. Access to patient data was therefore possible.

Decatur County General Hospital conducted an in-depth investigation into the server breach and malware infection, and while no evidence of data access or data theft was uncovered, it was not possible to reasonably verify that data access had not occurred. Therefore, the decision was made to issue notifications to patients that protected health information had potentially been compromised.

Due to the sensitive nature of data stored on the server – names, addresses, birth dates, Social Security numbers, diagnoses, treatment information, and insurance billing information – all patients impacted by the incident have been offered credit monitoring services for 12 months through True Identity without charge.

No evidence of misuse of patient information has been reported to date and the hospital believes the sole purpose of the attacker was to install the malware, not to steal patient data. However, patients have been advised to exercise caution and monitor their accounts, credit, and EoB statements for any sign of fraudulent activity and to be wary of any communications received via the telephone, mail, or email about the incident.

Aetna Seeks At Least $20 Million in Damages from Firm Responsible for HIV Status Data Breach

Aetna has taken legal action against an administrative support company over a July 2017 data breach that saw details of HIV medications visible through the clear plastic windows of envelopes in a mailing. Letters inside some of the envelopes had slipped, making the words “when filling prescriptions for HIV medications” clearly visible to anyone who saw the envelopes.

The privacy breach was condemned by the Legal Action Center and AIDS Law Project of Pennsylvania, who along with Berger & Montague, P.C., filed a class action lawsuit against Aetna seeking damages for breach victims. In January, Aetna settled the lawsuit for $17.16 million. Last month, Aetna also settled violations of HIPAA and state laws for $1.15 million with the New York attorney general over the same breach.

The class action was only one of seven filed against the health insurer, and further fines from state attorneys general are to be expected. Several other attorneys general have opened investigations into the breach and may also determine that state laws have been violated.

The costs associated with the privacy breach are mounting and Aetna does not believe it should have to cover costs resulting from the (alleged) negligence of a third-party. The health insurer is seeking at least $20 million in damages from the administrative support company – Kurtzman Carson Consultants (KCC) – whose error resulted in the privacy breach.

In the lawsuit, Aetna claims the firm’s errors and omissions amounted to gross negligence and that KCC should have been aware that HIV medication information was detailed under the names and addresses of its plan members. Aetna claims no checks were performed to determine how much information was visible through the windows of the envelopes. Aetna also claims KCC did not communicate to Aetna that envelopes with clear plastic windows were being used for the mailing, and that Aetna’s lawyers were not consulted to give their approval of the mailing.

Aetna did try to resolve matters directly with KCC and sought indemnification; however, the talks failed prompting Aetna to take legal action.

Aetna is seeking a ‘hold harmless’ ruling which would protect Aetna from all liability, damages, payments and claims related to the mailing. With the outcome of other lawsuits pending, further investigations being conducted by state attorneys general, and a potential HIPAA breach penalty from the Department of Health and Human Services’ Office for Civil Rights, the final cost of the mailing error is likely to be well in excess of $20 million.

In addition to seeking damages, Aetna is also trying to get KCC to return or destroy all confidential information provided to allow the firm to process the mailing.

KCC denies the allegations and its general counsel, Drake Foster, said Aetna’s claims are ‘demonstrably false.’

It is not only Aetna taking legal action against KCC over the mailing fiasco. A subsidiary of KCC has also filed a lawsuit against Aetna claiming the health insurer failed to protect the privacy of its plan members. The lawsuit was filed in Los Angeles federal court the day after Aetna’s lawsuit was filed in Philadelphia federal court.

In its lawsuit, KCC claims Aetna and its lawyers at Gibson Dunn & Crutcher were provided with samples of the letters and were aware that envelopes with clear plastic windows were being used. KCC claims the letters and the use of the envelopes were both approved.

KCC also claims the confidential information it received in order to send the mailing was not subject to a protection order, and neither was all of the information encrypted during transit to KCC via Gibson Dunn. KCC also claims Aetna shared more information than was necessary to send the mailing: A breach of the minimum necessary standard of HIPAA.

KCC is seeking a declaration that it is not responsible for any of the costs arising from the privacy breach and that all of its legal costs should be covered by Aetna.

PHI of 842 Western Washington Medical Group Patients Exposed

The protected health information of 842 patients of Western Washington Medical Group was exposed in November 2017. Documents containing sensitive health information were accidentally disposed of with regular trash.

On November 13, 2017, the janitorial service used by the medical group emptied the contents of the shredding bins into the regular trash. Instead of the sensitive documents being permanently destroyed in accordance with HIPAA Rules, they went out with the ordinary waste. Western Washington Medical Group discovered the error the following day, but too late to recover the documents, as the trash had already been collected and taken to landfill sites for disposal.

The breach was limited in scale, but the individuals impacted have had a range of sensitive information exposed, including names, addresses, medical history forms, diagnoses, medical histories, appointment dates, and health insurance billing information.

Patients impacted by the breach had previously visited WWMG Orthopedic, Sports and Spine centers for medical services. Notification letters were sent to all affected individuals by first class mail on January 12, 2018.

The paperwork could potentially have been accessed by unauthorized individuals although the risk to patients is believed to be low. No reports have been received that suggest any PHI has been misused. However, despite the low level of risk and out of an abundance of caution, affected patients have been offered complimentary identity theft protection services for 12 months through ID Experts.

Janitorial employees have received further training to prevent similar privacy breaches from occurring in the future.

Partners HealthCare Notifies 2,600 Patients About May 2017 Breach of PHI

Partners HealthCare System is alerting approximately 2,600 patients that some of their protected health information has been compromised.

HIPAA covered entities must notify breach victims without unreasonable delay and no later than 60 days after the discovery of a breach, and breaches impacting 500 or more individuals must be reported to OCR within the same 60-day window. This incident, however, occurred and was discovered in May 2017. The delay in reporting the incident was due to the difficulty of identifying patient data that was mixed together with computer code.

The breach was a malware incident that was discovered on May 8, 2017 when the healthcare system’s intrusion monitoring system detected suspicious activity. Prompt action was taken to block the malware and third-party forensics consultants were called in to assist with the investigation.

The investigators concluded that this was not a targeted attack on Partners HealthCare, and the malware did not provide the attackers with access to its electronic medical record system. However, the investigation did reveal access to certain data was possible as a result of user activity on computers infected with the malware. That access was possible for 11 days between May 8 and May 17, 2017.

As computers were identified as being impacted by the malware attack, action was taken to contain those devices and prevent further access to data. However, it took until July 11, 2017 before it was confirmed that the attackers potentially gained access to the protected health information of some of its patients, and a further five months to determine all of the patients that had been impacted by the malware attack.

In order to determine which patients had been impacted, and the range of data that had been compromised, a manual data analysis was necessary. Partners HealthCare reports that it was difficult to identify exposed data as it “was not in any specific format, and it was mixed in together with computer code, dates, numbers and other data, making it very difficult to read or decipher.”

The types of information that could potentially have been accessed included names, service dates, and limited clinical information such as diagnoses, procedure types, and medications. Some patients also had their Social Security and financial information exposed.

The malware attack has prompted Partners HealthCare to improve its security defenses and new controls and procedures have now been introduced.

The format of the exposed data means any attacker would similarly have had difficulty extracting information. Partners HealthCare says it has received no reports to suggest there has been any misuse of data.

The Department of Health and Human Services’ Office for Civil Rights may take an interest in this breach. Partners HealthCare knew in July that PHI was possibly involved, and it should have been clear during the following five months that this was definitely the case. Further, Partners HealthCare said in its breach notice that the data analysis was completed in December, yet it took a further two months before notification letters were sent to affected patients.

11,200 CarePlus Health Plan Members Notified of PHI Breach

Miami, FL-based CarePlus Health Plans has experienced a privacy incident in which certain plan members’ protected health information was accidentally disclosed to other plan members.

Explanation of benefits statements were mailed to plan members on January 9 and January 16, 2018; on January 17, CarePlus became aware that some of the statements had been sent to the wrong individuals.

The EoB statements included names, addresses, dates of service, providers of services, the services that had been provided, CarePlus identification numbers and CarePlus health plan names. Highly sensitive information such as Social Security numbers and financial information were not detailed on the EoB statements. CarePlus has not received any reports to suggest any of the disclosed information has been misused.

The mismailing incident has been investigated by CarePlus and action has been taken to prevent any similar privacy incidents from occurring in the future. CarePlus says the mismailing incident was due to a series of programming and printing errors. Breach notification letters are now being mailed to all individuals impacted by the breach to advise them about the accidental disclosure of their PHI.

The incident has yet to appear on the Department of Health and Human Services’ Office for Civil Rights data breach portal, although WFLA has reported that the incident impacts approximately 11,200 plan members.

This is the second mismailing incident to be reported by CarePlus Health Plans in the past three years. In September 2015, CarePlus announced more than 1,400 of its plan members had been impacted by a mailing incident that saw two EoB statements accidentally inserted into envelopes – The correct EoB statement and the statement of another plan member.

Lawsuit Over HIPAA Breach by Mail Service Survives Motion to Dismiss

A mail service – Press America, Inc – used by a pharmacy benefit manager – CVS Pharmacy – is being sued over an accidental disclosure of 41 individuals’ protected health information.

CVS Pharmacy is a business associate of a health plan and is contracted to provide a mail-order pharmacy service for the health plan. The mail service is a subcontractor of CVS Pharmacy, and both entities are bound by HIPAA Rules.

CVS Pharmacy signed a business associate agreement with the health plan, and Press America did likewise with CVS Pharmacy as PHI was required in order to perform the mailings.

CVS Pharmacy alleges the HIPAA Privacy Rule was violated by Press America when it inadvertently disclosed PHI to unauthorized individuals due to a mismailing incident.

The disclosure of some plan members’ PHI was accidental, but the privacy breach violated a performance standard in CVS Pharmacy’s contract with the health plan. By violating the performance standard, CVS Pharmacy was required to pay the health plan $1.8 million.

A lawsuit was filed by CVS Pharmacy seeking indemnification from the mail service under the terms of its BAA and common law principles. CVS Pharmacy alleges the mismailing was due to negligence by its subcontractor, and that the $1.8 million payment was made as a direct result of that negligence. CVS Pharmacy maintains the breach was fully under the control of its subcontractor.

CVS Pharmacy alleged the mail service owed it a duty of reasonable care and that this duty was breached. Since PHI was improperly disclosed and the HIPAA Privacy Rule was violated, CVS Pharmacy was required to send notifications to the 41 plan members, which the complainant claims caused damage to its reputation.

The mail service sought to dismiss the claim of negligence, and in its motion to dismiss the lawsuit, challenged the validity of the contractual obligation CVS Pharmacy had to the health plan that required the $1.8 million payment. The mail service also contended that its indemnification provisions were not intended to cover this type of payment.

However, the federal court declined to dismiss CVS Pharmacy’s lawsuit. The court ruled that the indemnification provisions agreed to by the subcontractor were broad enough to encompass CVS Pharmacy’s payment to the health plan, and that the subcontractor had no right to challenge the contractual obligation since it was neither a party to nor a third-party beneficiary of the contract. The court also ruled that CVS Pharmacy sufficiently alleged negligence based on the breach of duty.

Losses were also suffered as a result of that negligence, as CVS Pharmacy had to make a sizeable payment to the health plan in addition to covering the cost of issuing notifications to the plan members whose PHI was disclosed. Consequently, the motion to dismiss the case was denied.

Phishing Attack on Business Associate Exposes Forrest General Hospital Patients’ PHI

The management consulting company HORNE LLP, a business associate of Forrest Health’s Forrest General Hospital, is notifying certain hospital patients that some of their protected health information (PHI) has potentially been obtained by a third party after access was gained to the email account of one of its employees.

HORNE provides certain Medicare reimbursement services to Forrest General Hospital and as such, requires access to patients’ PHI.

HORNE became aware of an email account breach on November 1, 2017 when it discovered the email account of an employee was being used to send phishing emails. The discovery prompted the shutdown of the email account and the launch of an investigation into a potential breach. That investigation revealed an unauthorized individual had gained access to the employee’s email account the previous day as a result of the employee responding to a phishing email.

The phishing attack was investigated by a third-party investigator to determine the nature and extent of the breach and whether the PHI of any patients had been exposed. The investigation confirmed the attack was limited to a single email account. An analysis of the emails in the account revealed some Forrest General Hospital patients’ PHI could potentially have been accessed.

According to the breach notice obtained by databreaches.net, “certain emails within the employee’s email account were subject to unauthorized access.” On November 27, HORNE determined that some of those emails contained attachments that included PHI including names, birth dates, Medicaid ID numbers, patient account numbers, service dates, and Social Security numbers.

While emails could potentially have been opened and the attachments acquired by the attacker, no evidence was uncovered to suggest that was the case. However, it was also not possible to rule out data theft with a high degree of certainty.

Consequently, in accordance with HIPAA Rules, affected patients are being notified of the breach, albeit somewhat late. HORNE says in its breach notice that the letters are being sent beginning February 1, 2018, even though the email account breach was discovered on November 1 and PHI was confirmed to have been exposed on November 27.

The breach notices are being sent by HORNE on behalf of Forrest General Hospital. All patients impacted have been offered complimentary credit monitoring and identity theft restoration services through Experian for 12 months as a precaution against misuse of their data.

HORNE is implementing additional safeguards and security measures to enhance the security of its systems and better protect the privacy of any patients whose PHI has been provided to the firm.

The incident has yet to appear on the Department of Health and Human Services’ Office for Civil Rights breach portal. It is currently unclear exactly how many patients of Forrest General Hospital have been impacted by the phishing attack.

PHI of 660 Eastern Maine Medical Center Patients Exposed

Eastern Maine Medical Center is notifying 660 patients that some of their protected health information has been exposed. The sensitive information was stored on a portable hard drive that has gone missing from its State Street facility, in Bangor, ME.

The device was not encrypted, and the data on it could be accessed without a password. Had the drive been encrypted in line with HHS guidance, the data would not have been considered unsecured PHI and its loss would not have triggered breach notification. Theft has not been confirmed, but the device could not be located during a search of the facility. The drive was last seen in its usual place on December 19, 2017 and was noticed to be missing on December 22.

The device belonged to a business associate of Eastern Maine Medical Center and contained limited patient information. No Social Security numbers, financial information, or health insurance details were present on the device, only full names, birth dates, dates of service, medical record numbers, one-word condition descriptors, and procedural images.

The patients impacted by the breach had visited the medical center for cardiac ablation procedures between January 3, 2011 and December 11, 2017. Not all patients who visited the medical center for those procedures were affected. Some patients had their data stored elsewhere.

The potential theft has been reported to law enforcement and investigations into the circumstances surrounding the loss/theft of the hard drive are continuing. A comprehensive search of the facility was conducted, but the device has now been officially declared lost and patients are being notified of the breach by mail.

The delay in issuing breach notification letters was due to the time taken to search the facility and discover which patients’ PHI was stored on the device.

Even though the types of information required to commit identity theft were not exposed, all patients impacted by the incident have been offered complimentary identity theft monitoring and protection services for 12 months out of “an abundance of caution”.

Donna Russell-Cook, Eastern Maine Medical Center president, said “We take our commitment to uphold our patients’ privacy very seriously and are reviewing our processes to strengthen data security.”
