HIPAA Breach News

Massachusetts Online Breach Reporting Tool Launched: Data Breaches Soon to Be Publicly Listed

Massachusetts Attorney General Maura Healey has announced the launch of a new online data breach reporting tool. The aim is to make it as easy as possible for breached entities to submit breach notifications to the Attorney General’s office.

Under Massachusetts data breach notification law (M.G.L. c. 93H), organizations experiencing a breach of personal information must submit a notification to the Massachusetts attorney general’s office as soon as it is practicable to do so and without unnecessary delay. Breaches must also be reported to the Director of the Office of Consumer Affairs and Business Regulation (OCABR) and notifications must be issued to affected individuals.

“Data breaches are damaging, costly and put Massachusetts residents at risk of identity theft and financial fraud – so it’s vital that businesses come forward quickly after a breach to inform consumers and law enforcement,” said Healey. “This new feature allows businesses to more efficiently report data breaches so we can take action and share information with the public.”

Regarding the latter, the Massachusetts Attorney General’s office will soon be uploading a database to its website that will allow the public to view a summary of data breaches affecting state residents, similar to the breach portal maintained by the Department of Health and Human Services’ Office for Civil Rights. The Massachusetts Attorney General’s “Wall of Shame” will list the organizations that have experienced data breaches, the date the breaches are believed to have occurred, and the number of state residents that are believed to have been impacted.

The new online portal and breach listings are part of the state’s commitment to make sure state residents are promptly notified about data breaches to enable them to take rapid action to mitigate risk.

Massachusetts is also committed to holding businesses accountable when security breaches are experienced that could easily have been prevented.

Last year, following notification of a breach by Equifax, Attorney General Healey filed an enforcement action against the credit monitoring firm seeking civil penalties, disgorgement of profits, restitution, costs, and attorneys’ fees in addition to injunctive relief to prevent harm to state residents. Massachusetts was the first state to launch such an enforcement action against the firm.

At the time, Healey said, “We are suing because Equifax needs to pay for its mistakes, make our residents whole, and fix the problem so it never happens again.”

Massachusetts is also one of a handful of states that has exercised the right to pursue financial penalties when healthcare organizations violate HIPAA Rules and expose patients’ health information. The state will continue to punish firms that fail to address vulnerabilities and do not implement reasonable safeguards to keep the personal information of state residents secure.

The post Massachusetts Online Breach Reporting Tool Launched: Data Breaches Soon to Be Publicly Listed appeared first on HIPAA Journal.

Class Action Lawsuit against Allscripts Filed following Ransomware Attack

Last week, a ransomware attack against the EHR vendor Allscripts resulted in thousands of healthcare providers being unable to access patient data or use the e-prescription service. Already, a class action lawsuit against Allscripts has been filed by Florida-based Surfside Non-Surgical Orthopedics.

Allscripts provides EHR and e-prescription services to 2,500 hospitals and 19,000 post-acute care organizations. Last week, a new variant of SamSam ransomware infected the company’s data centers in Raleigh and Charlotte, NC, leaving several applications offline for up to 1,500 clients.

Microsoft and Cisco incident response teams helped the company restore its e-prescribing service by Saturday; but, for many clients, the Allscripts PRO EHR system is still unavailable or experiencing outages. An Allscripts spokesperson has been unable to confirm when a full restore will be completed.

The Class Action Lawsuit against AllScripts

The class action lawsuit against Allscripts was filed in the United States District Court for the Northern District of Illinois, where the company is based. It alleges Allscripts was negligent in failing to secure its systems against cyberattacks and that the company was aware of vulnerabilities in its online security. The complaint quotes the company’s most recent 10-K filing, which notes: “If our security is breached, we could be subject to liability, and our clients could be deterred from using our products and services”.

According to lawyers representing the plaintiff – Florida-based Surfside Non-Surgical Orthopedics – Allscripts forecast the ransomware attack in the 10-K filing; and, as a result of the attack, their client suffered “significant business interruption and disruption, and lost revenues”. The class action lawsuit against Allscripts also alleges breach of contract, unjust enrichment, and violations of Illinois’ Uniform Deceptive Trade Practices Act and Consumer Fraud Act.

Steven Tapper – a member of the team that filed the class action lawsuit against Allscripts – believes the ransomware attack could have affected many more clients than the company is admitting. He told reporters: “We really don’t know. Allscripts hasn’t disclosed the full extent of the impact”. His colleague – John Yanchunis – added it could take as long as eighteen months to resolve the case, but Allscripts may choose to seek an immediate resolution. “I would hope that would be the case here,” he said.

Allscripts Could Also Face Penalties for Violating HIPAA

According to the Department of Health and Human Services’ “Fact Sheet: Ransomware and HIPAA” (PDF), when ePHI is encrypted by ransomware, unauthorized individuals are presumed to have taken control of the ePHI. This is an unauthorized disclosure of PHI under the HIPAA Privacy Rule and will have to be reported to HHS, unless it can be demonstrated there is a low probability that the PHI has been compromised. It is not known whether Allscripts maintained ePHI in an encrypted format.

Even if the company escapes a penalty for the unauthorized disclosure of ePHI, the HHS may well launch an investigation following the revelations made in the class action lawsuit against Allscripts. The likely aspects of HIPAA compliance that would go under HHS scrutiny include employee security training (for example, how did the ransomware attack breach network defenses), ransomware recognition, security incident reporting and – considering the delay in fully restoring its systems – disaster recovery plans.


Malware Causes 5,200-Record Data Breach at DC Assisted Living Facility

A malware infection at Westminster Ingleside King Farm Presbyterian Retirement Communities has potentially enabled the attackers to gain access to the protected health information of thousands of its residents.

The Washington, D.C.-based assisted living facility had implemented a wide range of security solutions to prevent unauthorized access to its systems, although in this instance they were unable to block the attack.

The malware was discovered on November 21, 2017, with rapid action taken to identify all instances of the malware on its network and remove the malicious code to prevent further access. While the malware was successfully removed, assistance was sought from third party experts to determine how the attackers had managed to bypass its security defenses, and whether access to the protected health information of its residents had been gained.

The investigation into the breach highlighted a number of areas where security could be improved to further protect its systems from attack. Ingleside has now implemented a new firewall, upgraded its antimalware and antivirus software, and has adopted two-factor authentication on user accounts. New user credentials have been issued and strong passwords set. Staff have also received additional training to help them identify unauthorized access.

While no evidence was uncovered to suggest the protected health information of its residents was accessed, it was not possible to rule out data access and data theft with 100% certainty. Consequently, all affected individuals have been notified about the potential breach and, out of an abundance of caution, residents have been offered credit monitoring and identity theft protection services via Kroll for 12 months without charge.

No financial information was compromised as a result of the malware infection, although names, addresses, Social Security numbers, and other protected health information were potentially compromised.

The breach notice submitted to the Department of Health and Human Services’ Office for Civil Rights indicates up to 5,228 residents were impacted by the security breach.


Aetna Agrees to Pay $115 Million Settlement to Resolve NY Attorney General Data Breach Case

Last July, Aetna sent a mailing to members in which details of HIV medications were clearly visible through the plastic windows of envelopes, inadvertently disclosing highly sensitive HIV information to individuals’ house mates, friends, families, and loved ones.

Two months later, a similar privacy breach occurred. This time the mailing related to a research study regarding atrial fibrillation (AFib) in which the term IMACT-AFIB was visible through the window of the envelope. Anyone who saw the envelope could have deduced the intended recipient had an AFib diagnosis.

The July breach triggered a class action lawsuit which was recently settled by Aetna for $17.2 million. Aetna must now also cover a $115 million settlement with the New York Attorney General to resolve violations of federal and state laws.

Attorney General Schneiderman launched an investigation following the breach of HIV information in July, which violated the privacy of 2,460 Aetna members in New York. The September privacy breach was discovered during the course of that investigation. 163 New York Aetna members had their privacy violated by the September mailing.

The settlement agreement explains that more than 90% of patients diagnosed with HIV face discrimination and prejudice, and approximately one in eight individuals with HIV are denied health services as a result of the stigma associated with HIV and AIDS. A breach of HIV information can therefore have severe repercussions for the victims.

New York has implemented strict laws that require HIV information to be kept secure and confidential to ensure its residents are not discouraged from coming forward to be tested and treated for HIV. It is therefore important that action is taken against organizations and individuals who violate state laws by disclosing HIV information.

As a HIPAA-covered entity, Aetna is bound by the regulations and is required to implement safeguards to ensure the confidentiality of health and HIV information. Several laws in New York also require safeguards to be implemented to protect personal health information and personally identifiable information.

Not only were state and federal laws violated by the mailing, Aetna also provided the personal health information of its members to outside counsel, who in turn gave that information to a settlement administrator. While the outside counsel was a business associate of Aetna and had signed a business associate agreement, its subcontractor, the settlement administrator, was also a business associate, yet no business associate agreement was entered into prior to the disclosure of PHI. This was a further violation of HIPAA Rules.

The office of the attorney general determined Aetna’s two mailings violated 45 C.F.R. § 164.502 and 42 U.S.C. § 1320d-5 of HIPAA, N.Y. General Business Law § 349, N.Y. Public Health Law § 18(6), and N.Y. Executive Law § 63(12).

The settlement agreement also draws attention to the fact that Aetna had reported a further three HIPAA breaches to the Office for Civil Rights in the past 24 months, which in total impacted more than 25,000 individuals.

In addition to the financial penalty, Aetna has agreed to update its policies, procedures and controls to enhance the privacy protections for its members and protect them from negligent disclosures of personal health information and personally identifiable information through its mailings.

“Through its own carelessness, Aetna blatantly violated its promise to safeguard members’ private health information,” said Attorney General Eric T. Schneiderman. “Health insurance companies handle personal health information on a daily basis and have a fundamental responsibility to be vigilant in protecting their members. We won’t hesitate to act to ensure that insurance companies live up to their responsibilities to the New Yorkers they serve.”

This may not be the last financial penalty Aetna has to cover in relation to the mailings. This $115 million settlement only resolves the privacy violations of 2,460 Aetna members in New York state. The mailing was sent to around 13,000 Aetna members across the United States. It is possible that other states will similarly take action over the privacy violations. The Department of Health and Human Services’ Office for Civil Rights is also investigating the data breach and may choose to penalize the insurer for violating HIPAA Rules.


Analysis of Healthcare Data Breaches in 2017

A summary and analysis of healthcare data breaches in 2017 has been published by Protenus. Data for the report is obtained from Databreaches.net, which tracks healthcare data breaches reported to OCR, the media, and other sources. The 2017 breach report gives an indication of the state of healthcare cybersecurity. So how has 2017 been?

There Were at Least 477 Healthcare Data Breaches in 2017

In some respects, 2017 was a good year. The super-massive data breaches of 2015 were not repeated, and even the large-scale breaches of 2016 were avoided. However, healthcare data breaches in 2017 occurred at a rate of more than one per day.

There were at least 477 healthcare data breaches in 2017 according to the report. While all those breaches have been reported via one source or another, the nature of all the breaches is not known. It is also unclear at this stage exactly how many healthcare records were exposed. Numbers have only been obtained for 407 of the breaches.

There was a slight increase (6%) in reported breaches in 2017, up from 450 incidents in 2016. However, there was a massive reduction in the number of breached records. In 2016, there were 27,314,647 records exposed/stolen. The 407 healthcare data breaches in 2017 resulted in the exposure/theft of 5,579,438 records.

In 2017, there were no million-record+ breaches. The largest security incident was a breach of 697,800 records. That breach was an insider incident where a healthcare employee downloaded PHI onto a USB drive and CD.

Main Causes of Healthcare Data Breaches in 2017

There were two causes of healthcare data breaches in 2017 that dominated the breach reports – Hacking/IT incidents and insider breaches, both of which were behind 37% of the year’s breaches. 178 incidents were attributed to hacking/IT incidents. There were 176 breaches caused by insider wrongdoing or insider errors.

Hacking/IT incidents resulted in the exposure/theft of 3,436,742 records, although detailed data is only available for 144 of those breaches. In 2016, 86% of breaches were attributed to hacking/IT incidents. In 2016, 120 hacking incidents were reported which resulted in the exposure/theft of 23,695,069 records. The severity of hacks/insider incidents was therefore far lower in 2017, even though hacking incidents were more numerous.

What is clear from the breach reports is a major increase in malware/ransomware attacks, which were at more than twice the level seen in 2016. This could be explained, in part, by the issuing of new guidance from OCR on ransomware attacks. OCR confirmed that ransomware attacks are usually reportable security incidents under HIPAA Rules. Until the issuing of that guidance, many healthcare organizations did not report ransomware attacks unless it was clear that data had been stolen or viewed prior to or during the attack.

Insider breaches continue to plague the healthcare industry. Data is available for 143 of the 176 data breaches attributed to insiders. 1,682,836 records were exposed/stolen in those incidents. While the totals are still high, there were fewer insider incidents in 2017 than 2016, and the incidents resulted in fewer exposed records. There were 192 insider-related incidents in 2016 and those incidents resulted in the exposure/theft of 2,000,262 records.

Protenus broke down the incidents into insider error – mistakes made by healthcare employees – and insider wrongdoing, which included theft and snooping. The breakdown was 102 insider errors and 70 cases of insider wrongdoing. Four incidents could not be classified as either. One of the cases of snooping lasted for an astonishing 14 years before it was discovered.

While theft of PHI by employees is difficult to eradicate, arguably the easiest cause of healthcare data breaches to prevent is theft of electronic devices containing unencrypted PHI. If a stolen device is encrypted, the incident does not need to be reported. There has been a steady reduction in theft breaches over the past few years as encryption has been more widely adopted. Even so, 58 breaches (16%) were due to theft. Data is available for 53 of those incidents, which resulted in the exposure of 217,942 records. The cause of 47 healthcare data breaches in 2017 could not be determined from the data available.

Breached Entities and Geographic Spread

The breaches affected 379 healthcare providers (80%), 56 health plans (12%), and 4% involved other types of covered entity. Business associates reported 23 incidents (5%), although a further 66 breaches (14%) reported by covered entities had some business associate involvement. Figures are known for 53 of those breaches, which resulted in the exposure/theft of 647,198 records. Business associate breaches were lower than in 2016, as was the number of records exposed by those breaches.

There were breaches by covered entities and business associates based in 47 states, Puerto Rico and the District of Columbia. Interestingly, three states were free from healthcare data breaches in 2017 – Hawaii, Idaho, and New Mexico. California was the worst hit with 57, followed by Texas on 40, and Florida with 31.

Slower Detection, Faster Notification

Reports of healthcare data breaches in 2017 show that in many cases, breaches are not detected until many months after the breach occurred. The average time to discover a breach, based on the 144 incidents for which the information is known, was 308 days. Last year the average time to discover a breach was 233 days. It should be noted that the data were skewed by some breaches that occurred more than a decade before discovery.

The Breach Notification Rule of the Health Insurance Portability and Accountability Act (HIPAA) allows up to 60 days from the discovery of a breach to report the incident. The average time to report a breach, based on the 220 breaches for which information was available, was 73 days. Last year the average was 344 days.

The faster reporting may have been helped by the OCR settlement with Presence Health in January for delaying breach notifications – the first HIPAA penalty solely for late breach notifications.

Overall there were several areas where the healthcare industry performed better in 2017, although the report shows there is still considerable room for improvement, especially in breach prevention, detection and reporting.


Pedes Orange County Discovers Physician Accessed and Disclosed PHI Without Authorization

Pedes Orange County Inc., a California healthcare provider specializing in treatments for vascular disease, is alerting some of its patients that a physician accessed their medical records, without authorization, and provided some of that information to an attorney.

Pedes shares its facilities with another medical group, which conducts surgical procedures at the facility during the week. A scheduling tool is also shared with other physicians that use the same facility.

On November 14, 2017, Pedes became aware that a physician employed by a different medical group had accessed its electronic medical records database and viewed the records of some of its patients. Pedes did not provide authorization for the EMR to be accessed.

Pedes reports that the physician subsequently shared some of the information in the database with an attorney. After discovering the breach, the physician was contacted and Pedes has been working to ensure all copies of patients’ PHI that were obtained from its EMR system are securely destroyed and that no copies remain.

The types of information potentially compromised include names, diagnoses, treatments, dates of service, and other treatment-related data. No financial information or Social Security numbers were stored in the database, so that information remained secure at all times.

While information was taken from the database, Pedes has no reason to believe any PHI has been misused. However, since the incident is classed as a security breach under HIPAA Rules, notifications about the breach must be sent to patients.

Although data misuse is not suspected, patients have been advised to take precautions and examine their Explanation of Benefits statements and other information from their health insurers for any medical treatments listed but not provided.

The incident has prompted Pedes to conduct a review of its security protocols, which will be updated to ensure that this type of security breach does not happen again.

The breach report submitted to the Department of Health and Human Services’ Office for Civil Rights indicates the PHI of up to 917 patients was accessed and potentially disclosed.


Analysis of Q4 2017 Healthcare Security Breaches

Q4, 2017 saw a 13% reduction in healthcare security breaches reported to the Department of Health and Human Services’ Office for Civil Rights. There were 99 data breaches reported in Q3, 2017. In Q4, there were 86 security breaches reported.

There were 27 healthcare security breaches reported in September, followed by a major decline in breaches in November, when 21 incidents were reported. However, December saw a significant uptick in incidents, with 38 reported breaches.

Q4 2017 Healthcare Security Breaches by Month

Accompanied by the quarterly decline in security incidents was a marked decrease in the severity of breaches. In Q3, there were 8 data breaches reported that impacted more than 50,000 individuals. In Q4, no breaches on that scale were reported. The largest incident in Q4 impacted 47,000 individuals.

Largest Q4, 2017 Healthcare Security Breaches

Covered Entity | Entity Type | Number of Records Breached | Cause of Breach
Oklahoma Department of Human Services | Health Plan | 47,000 | Hacking/IT Incident
Henry Ford Health System | Healthcare Provider | 43,563 | Theft
Coplin Health Systems | Healthcare Provider | 43,000 | Theft
Pulmonary Specialists of Louisville, PSC | Healthcare Provider | 32,000 | Hacking/IT Incident
SSM Health | Healthcare Provider | 29,579 | Unauthorized Access/Disclosure
UNC Health Care System | Healthcare Provider | 27,113 | Theft
Emory Healthcare | Healthcare Provider | 24,000 | Unauthorized Access/Disclosure
Franciscan Physician Network of Illinois and Specialty Physicians of Illinois, LLC (formerly known as WellGroup Health Partners, LLC) | Healthcare Provider | 22,000 | Loss
Chase Brexton Health Care | Healthcare Provider | 16,562 | Hacking/IT Incident
Hackensack Sleep and Pulmonary Center | Healthcare Provider | 16,474 | Hacking/IT Incident
Longs Peak Family Practice, P.C. | Healthcare Provider | 16,238 | Hacking/IT Incident
Shop-Rite Supermarkets, Incorporated | Healthcare Provider | 12,172 | Improper Disposal
Sinai Health System | Healthcare Provider | 11,347 | Hacking/IT Incident
The Medical College of Wisconsin, Inc. | Healthcare Provider | 9,500 | Hacking/IT Incident
Golden Rule Insurance Company | Health Plan | 9,305 | Unauthorized Access/Disclosure

There was a steady increase in breached records each month in Q4. In October, 71,377 records were breached, rising to 107,143 records in November and 341,621 records in December. Even December’s high total was lower than any month in the previous quarter.

Q4 2017 Healthcare Security Breaches - breached records


Hacking/IT incidents tend to involve the highest number of exposed/stolen records and Q4 was no exception. 7 of the top 15 security incidents (47%) were due to hacks and IT incidents. Loss and theft incidents accounted for 27% of the worst healthcare security breaches in Q4, followed by unauthorized access/disclosures on 20%.

Causes of Q4 2017 Healthcare Security Breaches


While hacking/IT incidents resulted in the exposure/theft of the most records, unauthorized access/disclosure incidents were the most numerous. Out of the 86 reported healthcare security breaches in Q4, 33 were unauthorized access/disclosures (38.37%). There were 29 hacking/IT incidents (33.7%), and 20 incidents (23.3%) involving the loss/theft of PHI and electronic devices containing ePHI. Four incidents (4.7%) involved the improper disposal of PHI/ePHI.

In Q4, paper records/films were involved in the most breaches, showing how important it is to physically secure records. 21 incidents (24.4%) involved physical records. As was the case in Q3, email was also a top three cause of breaches, with many healthcare organizations suffering phishing attacks in Q4. Network server attacks completed the top three locations of breached PHI.

Q4 2017 Healthcare Security Breaches - location of breached PHI


Healthcare providers reported the most security breaches in Q4, followed by health plans and business associates of HIPAA-covered entities, as was the case for most of 2017.

Q4 2017 Healthcare Security Breaches by covered entity


In Q4, 2017, healthcare organizations based in 35 states reported security breaches. Unsurprisingly, being the most populous state in the US, California topped the list for the most reported healthcare security breaches with 7 incidents in Q4.

In close second on 6 breaches were Florida and Maryland, followed by New York with 5 incidents. Kentucky, Michigan, and Texas each had four reported breaches, and Colorado, Illinois, New Jersey, and Pennsylvania each suffered 3 incidents.

Q4 2017 Healthcare Security Breaches - by state


Allscripts Ransomware Attack Impacts Cloud EHR and EPCS Services

An Allscripts ransomware attack occurred on Thursday January 18, resulting in several of the firm’s applications being taken offline, including its cloud EHR and electronic prescriptions platform. The attack comes just a few days after two Indiana hospitals experienced SamSam ransomware attacks.

The Allscripts ransomware attack is also believed to have involved a variant of SamSam ransomware – a ransomware family extensively used in attacks on healthcare providers.

Allscripts is a popular electronic health record (EHR) system and Electronic Prescriptions for Controlled Substances (EPCS) provider, with its platform used by many U.S. healthcare organizations, including 2,500 hospitals and 19,000 post-acute care organizations. More than 180,000 physicians, 100,000 electronic prescribing physicians, and 40,000 in-home clinicians use Allscripts.

The Allscripts ransomware attack commenced in the early hours of Thursday morning. Rapid action was taken to remove the ransomware and restore data, with the incident response teams at Microsoft and Cisco called in to assist. An investigation has also been launched by cybersecurity firm Mandiant to determine how the ransomware was installed.

Allscripts’ Pro EHR and EPCS services were most severely affected, although users of other applications also experienced some downtime. The Chicago-based firm is still experiencing issues with its Pro EHR system, although EPCS services were restored on Saturday. Some applications are likely to continue to be adversely affected throughout Monday, while efforts are made to restore the malware-encrypted data.

IT teams have been working round the clock to remove the infection and restore files from backups. Regular backups are performed so data loss is expected to be minimal.

This appears to have been a random ransomware attack. The purpose of the attack appears to have solely been an attempt to extort money from the company. Data theft is not suspected. Allscripts does not believe it was specifically targeted by cybercriminals.

Indiana Hospitals Attacked With SamSam Ransomware Variant

Adams Memorial Hospital in Decatur, IN, has also been attacked with ransomware – the second Indiana hospital to be attacked in the past few days. The ransomware attack occurred on January 11, 2017, and initially caused a slowing of the network before files became inaccessible. File extensions were allegedly renamed as ‘imsorry’.

The ransomware attack caused some disruption to services, with medical histories and appointment schedules rendered inaccessible. However, patients continued to be treated and there was no need to cancel appointments. The Adams Health Network said at no point was patient care or safety affected.

Some parts of the system have been brought back online, although the IT department is still working on restoring the affected servers. It is unclear whether the Adams Health Network paid the ransom demand to regain access to data or if files were recovered from backups.

The attack happened on the same day as the ransomware attack on Greenfield, IN-based Hancock Health. Hancock Health made the decision to pay the 4 Bitcoin ransom. Approximately $50,000 was paid for the keys to unlock the encryption, even though backups existed. The cost of recovering files from backups was seen to be far higher than paying the ransom, due to downtime that would be experienced while that process took place.

Both of the Indiana attacks are believed to have involved a new variant of SamSam ransomware, although this is understood to be a different variant to the one used in the Allscripts ransomware attack.


Email Hack Sees PHI of 53,000 Pharmacy Patients Exposed

53,173 patients who received services from Onco360 and CareMed Specialty Pharmacy have been notified that some of their protected health information has been compromised.

A security breach was suspected on November 14, 2017, when suspicious activity involving an employee’s email account was detected.

Third party computer forensics experts were called in to conduct an investigation to determine the nature and scope of the breach. On November 30, it was determined that the breach involved three email accounts.

An analysis of the emails in those accounts revealed some messages contained the PHI of patients, which could potentially have been accessed and stolen by the hacker.

The information potentially compromised included names, demographic information, clinical information, details of medications provided by the pharmacy, Social Security numbers, and health insurance information. A limited number of patients may also have had some financial information exposed.

No reports have been received to suggest any protected health information has been misused, although patients have been advised to exercise caution and check their credit reports, billing statements, and Explanation of Benefit statements for any sign of fraudulent activity. Patients have also been offered complimentary credit monitoring and identity theft protection services through ID Experts for 12 months.

The security breach appears to have occurred as a result of employees opening phishing emails. All staff have now received further training to help them recognize malicious emails and email security controls have been improved to prevent future attacks.
