HIPAA Breach News

Summary of Healthcare Data Breaches in December 2017

There was a sharp rise in healthcare data breaches in December, reversing a two-month downward trend. There were 38 healthcare data breaches in December 2017 that impacted more than 500 individuals, an increase of 81% from last month.

Chart: December 2017 Healthcare Data Breaches

Unsurprisingly, given the sharp increase in reported breaches, the number of records exposed in December also increased month over month. The records of 341,621 individuals were exposed or stolen in December, an increase of 219% from last month.

Chart: Records Exposed in December 2017 Healthcare Data Breaches

December saw a similar pattern of breaches to past months, with healthcare providers experiencing the most data breaches; however, there was a notable increase in breaches reported by health plans in December, rising from two in November to six in December.

Chart: December 2017 Healthcare Data Breaches by Covered Entity Type

Causes of Healthcare Data Breaches in December 2017

As was the case last month, hacking/IT incidents and unauthorized access/disclosures were the most common causes of healthcare data breaches in December, although there was a notable increase in theft/loss incidents involving portable electronic devices and paper records.

Chart: December 2017 Healthcare Data Breaches by Incident Type

While hacking incidents usually result in the greatest number of records being exposed or stolen, this month saw a major increase in records exposed due to the theft of portable electronic devices. The theft of devices containing PHI, and of paper records, resulted in 122,921 patients’ protected health information being exposed. The mean number of records exposed in theft incidents was 20,487 and the median was 15,857, both higher than for any other cause of data breach.

Chart: Causes of Healthcare Data Breaches (Dec 2017)

Chart: Records Exposed by Breach Type (Dec 2017)

Network server incidents were the most numerous in December with 12 incidents, although there were 9 incidents involving paper records. While healthcare organizations must ensure appropriate technological defenses are in place to protect electronic data, physical security is also essential to ensure paper records are secured.

Chart: Location of Breached PHI (Dec 2017)

10 Largest Healthcare Data Breaches in December 2017

In December, 9 data breaches that impacted more than 10,000 individuals were reported to the Office for Civil Rights by HIPAA covered entities. In contrast to past months, when hacking incidents dominated the top ten breach list, there was an even spread between hacking incidents, unauthorized access/disclosures, and theft of healthcare records and electronic devices.

The largest data breach reported in December affected the Oklahoma Department of Human Services. However, this was not a recent data breach. The breach occurred in April 2016, but a breach report was not submitted to the Office for Civil Rights at the time of discovery. The breach was reported 18 months after the 60-day deadline had passed.

Name of Covered Entity | Covered Entity Type | Individuals Affected | Type of Breach
Oklahoma Department of Human Services | Health Plan | 47000 | Hacking/IT Incident
Henry Ford Health System | Healthcare Provider | 43563 | Theft
Coplin Health Systems | Healthcare Provider | 43000 | Theft
SSM Health | Healthcare Provider | 29579 | Unauthorized Access/Disclosure
UNC Health Care System | Healthcare Provider | 27113 | Theft
Emory Healthcare | Healthcare Provider | 24000 | Unauthorized Access/Disclosure
Franciscan Physician Network of Illinois and Specialty Physicians of Illinois | Healthcare Provider | 22000 | Loss
Longs Peak Family Practice, P.C. | Healthcare Provider | 16238 | Hacking/IT Incident
Sinai Health System | Healthcare Provider | 11347 | Hacking/IT Incident
Golden Rule Insurance Company | Health Plan | 9305 | Unauthorized Access/Disclosure

December 2017 Healthcare Data Breaches by State

California experienced the most healthcare data breaches in December with 5 reported incidents, followed by Michigan with 4 data breaches.

Eight states experienced two data breaches each: Florida, Illinois, Minnesota, New England, Nevada, New York, Philadelphia and Texas.

13 states each had one reported breach: Colorado, Georgia, Iowa, Indiana, Massachusetts, Missouri, New Jersey, North Carolina, Ohio, Oklahoma, Oregon, Tennessee, and West Virginia.

Data source: Department of Health and Human Services’ Office for Civil Rights.

The post Summary of Healthcare Data Breaches in December 2017 appeared first on HIPAA Journal.

Aetna Settles Class Action Lawsuit Filed by Victims of HIV Status Data Breach

Aetna has agreed to settle a class action lawsuit filed by victims of a mailing error that resulted in details of HIV medications prescribed to patients being visible through the clear plastic windows of the envelopes. Aetna was not directly responsible for the mailing; instead, the error was made by a third-party vendor.

For some of the patients, the letters had slipped inside the envelope, revealing that the patient had been prescribed HIV drugs. In many cases, those envelopes were viewed by flatmates, family members, neighbors, friends, and other individuals, thus disclosing each patient’s HIV information. It is not known how many patients had their HIV information disclosed, although the mailing was sent to 13,487 individuals. Some of the patients were being prescribed medications to treat HIV; others were taking the medication as pre-exposure prophylaxis (PrEP) to prevent contracting the disease.

Many of the patients who were outed as a result of the breach have faced considerable hardship and discrimination. Several patients have had to seek alternative accommodation after being forced to leave their homes by flatmates and relatives. Others have had personal and family relationships severely damaged as a result of the disclosure.

The Legal Action Center, AIDS Law Project of Pennsylvania, and Berger & Montague, P.C., filed a lawsuit in August seeking damages for the victims of the breach. That lawsuit has been settled for $17,161,200 by Aetna, pending Court approval, with no admission of liability. The settlement also requires Aetna to update its policies and procedures to ensure similar privacy breaches are prevented in the future.

There were two alleged breaches of privacy: an improper disclosure of protected health information to Aetna’s legal counsel in July, in addition to the mailing of the Benefit Notices that revealed patients were taking HIV medications. According to the lawsuit, those privacy breaches violated the Health Insurance Portability and Accountability Act (HIPAA) and several state laws.

Individuals who had their PHI improperly disclosed will receive a base payment of $75, while class members who were sent the envelopes with the clear plastic windows will receive a base payment of $500. There are almost 1,600 individuals who will receive the $75 payment and almost 12,000 who will receive a payment of $500.

A fund has also been set up for individuals who have suffered additional harm or losses as a result of the disclosure. Those individuals can apply for additional funds by completing a claim form documenting the financial and non-financial harm they have suffered as a result of the privacy breach.

“Through our outreach efforts, immediate relief program, and this settlement we have worked to address the potential impact to members following this unfortunate incident,” said a spokesperson for Aetna. “In addition, we are implementing measures designed to ensure something like this does not happen again as part of our commitment to best practices in protecting sensitive health information.”

Deadline for Reporting 2017 HIPAA Data Breaches Approaches

The deadline for reporting 2017 HIPAA data breaches to the Department of Health and Human Services’ Office for Civil Rights is fast approaching.

HIPAA-covered entities have a maximum of 60 days from the discovery of a data breach to report security incidents to OCR and notify affected patients. Smaller breaches of PHI do not need to be reported to OCR within this time frame; instead, covered entities can delay reporting those breaches to OCR until the end of the calendar year.

The maximum allowable time for reporting breaches impacting fewer than 500 individuals is 60 days from the end of the year in which the breach was experienced. The final day for reporting 2017 HIPAA data breaches to OCR is therefore March 1, 2018.

A HIPAA data breach is defined as an “acquisition, access, use, or disclosure” of unsecured protected health information (PHI) that is not permitted by the HIPAA Privacy Rule. Unsecured PHI is defined as PHI that is “not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology,” such as encryption. A breach of encrypted PHI is not reportable unless the key to unlock the encryption is also reasonably believed to have been compromised.

Covered entities should be aware that ransomware incidents are usually reportable HIPAA data breaches, even if PHI has not been stolen in the attack. To avoid reporting a ransomware incident, a covered entity must be able to demonstrate a low probability of PHI having been compromised in the attack. That determination must be based on a risk assessment (see 45 CFR § 164.402).

While covered entities can submit details of all ‘small’ PHI breaches at the same time, each breach must be reported as a separate event. They cannot all be uploaded to the breach portal together.

While the HIPAA Breach Notification Rule allows covered entities additional time to report data breaches impacting fewer than 500 individuals, notifications to individuals impacted by those data breaches cannot be delayed. They must be issued within 60 days of the discovery of the breach, and without unnecessary delay, regardless of how many individuals have been impacted by the breach.

It is good practice to report all breaches of PHI within 60 days of discovery. Oftentimes, full information about the breach is not available at the time of reporting, but it is possible to add further information to the OCR data breach report when it becomes available. If the number of individuals affected by the breach has not been confirmed, an estimate should be provided. The final total can then be submitted to OCR as an update to the breach report once the number of individuals impacted has been determined.

The penalties for the late reporting of data breaches can be severe, and OCR made it clear in January 2017 that ignoring the deadline for reporting breaches, or unnecessarily delaying breach reports, is a HIPAA violation that will not be ignored. Presence Health became the first covered entity to be fined solely for delaying breach notifications and settled the HIPAA violation with OCR for $475,000.

OCR has yet to issue a financial penalty to a covered entity for the late reporting of small data breaches, but since OCR tends to set examples with its breach settlements, 2018 could well see the first penalty issued.

To avoid a HIPAA penalty, ensure all small breaches of PHI are reported to OCR between now and the end of February 2018 and no later than midnight on March 1.

1,300 Patients’ Medical Records Viewed Without Authorization by Palomar Health Nurse

More than 1,300 patients of Palomar Medical Center Escondido are being notified that a former nurse viewed their medical records without authorization while they were receiving treatment at the hospital.

The privacy violations occurred over a 15-month period between February 10, 2016 and May 7, 2017. The unauthorized access was discovered when access logs were reviewed. The audit revealed a pattern of access that was not consistent with the nurse’s work duties.

The audit showed the nurse had viewed the records of patients that had been assigned to her, in addition to patients assigned to another nurse in the same unit.

The incident appears to be a case of snooping, rather than data access with malicious intent. Palomar Health has uncovered no evidence to suggest any information was recorded and removed from the hospital, and no reports have been received to suggest any patient information has been misused. Following an internal investigation into the privacy violations, the nurse resigned.

The information viewed was limited to names, dates of birth, genders, medical record numbers, treatment locations, diagnoses, allergies, and medications for 1,309 patients. For four patients, financial information, insurance details, and Social Security numbers were present in a part of the medical record system that was accessed by the nurse. Those four patients have been offered identity theft protection services.

Palomar Health is currently implementing a new system that will automatically audit the logs created when medical records are viewed and when access attempts are made. The system will allow the health system to rapidly identify cases of snooping and data theft. Staff at the hospital will also receive additional privacy and security awareness training.
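The detection described above, reviewing access logs against the nurse's assignments, is the kind of check an automated audit can run continuously. The following is an added illustration, not Palomar Health's system or code: it parses constructed key=value audit-log lines (the timestamps, user ids, patient ids and unit names are all made up), compares each chart view with a constructed daily assignment table, and flags views of patients the user was not assigned to that day, then counts flagged views per user so a repeat pattern stands out. The log format, the ASSIGNMENTS table and the function names are assumptions for the example.

```python
"""
Added example (not Palomar Health's system): audit EHR access-log records
against daily nursing assignments and flag chart views by a user who was
not assigned to that patient on that day. All log lines, user ids and
patient ids below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime

# Constructed audit-log lines: timestamp, user, action, patient id, unit.
ACCESS_LOG = """\
2017-02-10T08:02:11 user=rn_1042 action=VIEW patient=P-5001 unit=3W
2017-02-10T08:15:40 user=rn_1042 action=VIEW patient=P-5002 unit=3W
2017-02-10T08:20:03 user=rn_1042 action=VIEW patient=P-5103 unit=3W
2017-02-10T09:41:55 user=rn_2077 action=VIEW patient=P-5103 unit=3W
2017-02-10T10:05:12 user=rn_1042 action=VIEW patient=P-5104 unit=3W
2017-02-11T07:58:30 user=rn_1042 action=VIEW patient=P-5001 unit=3W
2017-02-11T08:30:01 user=rn_1042 action=VIEW patient=P-5105 unit=3W
"""

# Constructed daily assignments (assumed data source): (date, user) -> patient ids.
ASSIGNMENTS = {
    ("2017-02-10", "rn_1042"): {"P-5001", "P-5002"},
    ("2017-02-10", "rn_2077"): {"P-5103", "P-5104"},
    ("2017-02-11", "rn_1042"): {"P-5001"},
    ("2017-02-11", "rn_2077"): {"P-5103", "P-5105"},
}


def parse_log(text):
    """Parse key=value audit lines into dicts; skip blank or malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue  # unparseable timestamp: treat the line as malformed
        fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
        if not all(k in fields for k in ("user", "action", "patient")):
            continue
        fields["ts"] = ts
        events.append(fields)
    return events


def off_assignment_views(events, assignments):
    """Return VIEW events where the user was not assigned to the patient that day."""
    flagged = []
    for ev in events:
        if ev["action"] != "VIEW":
            continue
        day = ev["ts"].date().isoformat()
        assigned = assignments.get((day, ev["user"]), set())
        if ev["patient"] not in assigned:
            flagged.append(ev)
    return flagged


def summarize(flagged):
    """Count off-assignment views per user, so a repeat pattern stands out."""
    counts = defaultdict(int)
    for ev in flagged:
        counts[ev["user"]] += 1
    return dict(counts)


if __name__ == "__main__":
    events = parse_log(ACCESS_LOG)
    flagged = off_assignment_views(events, ASSIGNMENTS)
    for ev in flagged:
        print(f"{ev['ts'].isoformat()} {ev['user']} viewed {ev['patient']} without assignment")
    print(summarize(flagged))  # {'rn_1042': 3}
```

A single off-assignment view is routine on a hospital floor (covering a colleague's patient, a float assignment), which is why the per-user count matters more than any one event; in practice the review threshold and the assignment source would come from the organization's own scheduling and EHR systems.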

Indiana Health System Pays $55K Ransom to Recover Files

A ransomware attack on Greenfield, Indiana-based Hancock Health on Thursday forced staff at the hospital to switch to pen and paper to record patient health information, while IT staff attempted to block the attack and regain access to encrypted files.

The attack started around 9:30 p.m. on Thursday night, when files on its network started to be encrypted. The attack initially caused the network to run slowly, with ransom notes appearing on screens indicating files had been encrypted. The IT team responded rapidly and started shutting down the network to limit the extent of the attack, and a third-party incident response firm was called upon to help mitigate the attack.

An attack such as this has the potential to cause major disruption to patient services, although Hancock Health said patient services were unaffected and appointments and operations continued as normal.

An analysis of the attack uncovered no evidence to suggest any patient health information was stolen by the attacker(s). The purpose of the attack was solely to cause disruption and lock files to force the hospital to pay a ransom to recover its files.

According to a report in the Greenfield Reporter, the attack involved a variant of ransomware called SamSam. The ransomware variant has been used in numerous attacks on healthcare organizations in the United States over the past 12 months. The unknown attacker(s) demanded a payment of 4 Bitcoin to supply the keys to unlock the encryption.

As required by HIPAA, Hancock Health had performed backups, and no data would have been lost as a result of the attack; however, the process of recovering files from backups takes a considerable amount of time. The hospital would not have had access to files and information systems for several days, potentially even weeks, if backups had been used to recover data. On Saturday, the decision was taken to pay the ransom.

The decision to pay the ransom was not taken lightly. While patient services were not affected, restoring files from backups would almost certainly have impacted patients and paying the ransom was seen to be the best option to avoid disruption. The keys to unlock the encryption were supplied within two hours of the ransom being paid and the network was brought back online on Sunday.

Typically, these attacks occur as a result of employees responding to phishing emails or visiting malicious websites, although Hancock Health says this attack was not caused by an employee responding to a phishing email.

The attack was sophisticated. “This was not a 15-year-old kid sitting in his mother’s basement,” said Hancock Health CEO Steve Long.

Hancock Health has now implemented software that can detect atypical network activity indicative of an intrusion or ransomware attack, which will allow rapid action to be taken to block, and limit the severity, of any further attacks. Hancock Health is continuing to work with national law enforcement to learn more about the incident.

20% of RNs Had Breaches of Patient Data at Their Organization

A recent survey conducted by the University of Phoenix College of Health Professions indicates registered nurses (RNs) are confident in their organization’s ability to prevent data breaches.

The survey was conducted on 504 full-time RNs and administrative staff across the United States. Respondents had held their position for at least two years.

Almost half of RNs (48%) and 57% of administrative staff said they were very confident that their organization could prevent data breaches and protect against the theft of patient data, even though 19% of administrative staff and 20% of RNs said their organization had had a data breach in the past. 21% did not know if a breach had occurred.

The survey confirmed that healthcare organizations have made many changes over the years to better protect data and patient privacy, with most of the changes occurring in the past year, according to a quarter of RNs and 40% of administrative staff.

Those changes have occurred across the organization. The biggest areas for change were safety, quality of care, population health, data security and the digitalization of health records.

67% of RNs said privacy and data access policies were being implemented to better protect patient data, while 56% of respondents said data surveillance was an initiative to improve data privacy and security. 59% of RNs said their organization was implementing role-based access to medical records.

69% of administrative staff who took part in the survey said privacy and access policies were being updated, 60% said their organization was implementing role-based access, and 55% said data surveillance was a major focus area.

Privacy and security training is being provided to RNs and administrative staff, although 34% of administrative staff and 23% of RNs do not recognize the benefit of such training; however, half of administrative staff respondents and two in five RNs felt they could benefit from further training in this area.

43,000 Patients of Coplin Health Systems Potentially Impacted by Laptop Theft

West Virginia-based Coplin Health Systems has informed 43,000 patients that their PHI has potentially been exposed as a result of the theft of an unencrypted laptop computer from the vehicle of an employee.

Coplin Health was alerted to the theft on November 2, 2017. The theft was immediately reported to law enforcement and an investigation was launched, although at the time of issuing notifications the laptop computer had not been recovered.

While it is possible that protected health information of patients was stored on the laptop, Coplin Health does not believe that was the case, although the possibility of data exposure cannot be ruled out with 100% certainty.

Coplin Health notes that the laptop had various security protections in place to ensure the privacy of patients in the event of the laptop being stolen. While the laptop could potentially be used to gain access to patient data, a password would have been required and it is not suspected that the thief had “the sophisticated knowledge and resources necessary to bypass the laptop’s security mechanisms.”

Further, Coplin Health’s IT department took rapid action to limit the potential for harm. The employee’s login credentials were changed to prevent the laptop from being used to access Coplin Health’s systems, and no attempts have been made to access its systems using the laptop since the device was stolen.

The chance of patient data being stored locally on the device is believed to be low, although if that was the case, the device would have contained files that included patient names, addresses, Social Security numbers, birth dates, financial information and health information. Out of an abundance of caution, 43,000 patients have been notified of the potential exposure of their PHI.

The incident has prompted Coplin Health to conduct a review of its security protections, and actions have been taken to prevent a recurrence. Coplin Health will also increase monitoring to make sure policies and procedures are being followed by its employees, and any future breach of policies will result in disciplinary action being taken against the employees concerned.

The Health Insurance Portability and Accountability Act (HIPAA) requires covered entities to consider the use of encryption, although the use of encryption is not mandatory. The decision about the use of encryption should be based on a risk assessment. If encryption is not implemented, alternative, equivalent measures must be used in its place. Coplin Health has not said whether it plans to augment its security protections with encryption in the future.

St. Rose Dominican Hospital Patients Impacted by DJO Global PHI Breach

DJO Global, a provider of medical technologies to help patients maintain and regain natural motion, has discovered that some patients’ information has been exposed, and potentially disclosed, to unauthorized individuals.

Individuals who had received a DJO Global device in the emergency room, Urgent Care Site, or the Same Day Surgery Center of the Siena, San Martin or De Lima campuses of St. Rose Dominican Hospital in Las Vegas, NV between July 17 and October 16, 2017 have potentially been affected.

Those individuals are likely to have signed a DJO Global Patient Product Agreement confirming they had received one of the company’s devices. Those consent forms should have been sent to DJO Global; however, a batch of consent forms was not received.

A DJO employee collected the forms from St. Rose Dominican Hospital and should have taken them to DHL to be delivered to DJO Global; however, the forms were lost in transit. They are believed to have been lost between collection from the hospital and delivery to DHL.

The forms contained the following information: name, phone number, address, birth date, physician name and location, product order date, product information, date of injury, diagnosis code(s), health plan identification number, and health plan information. Patients whose health plan uses Social Security numbers as patient identifiers would also have had their Social Security number exposed.

DJO Global has not received any reports to suggest patients’ exposed information has been misused, although since it is possible that the forms have been obtained by a third party, data misuse is a possibility. To ensure that patients are protected, all have been offered complimentary credit monitoring services for 12 months. Patients have also been advised to place a fraud alert on their credit files, to obtain copies of their credit reports, and to check their Explanation of Benefits statements carefully for any sign of fraudulent activity.

DJO Global has responded to the incident by changing policies and procedures for mailing and has implemented new quality controls to prevent similar incidents from occurring in the future. Its vendor has also received further training on the importance of securing and protecting patient health information.

Patients impacted by the incident have now been notified by mail, and the Department of Justice and Department of Health and Human Services’ Office for Civil Rights have been notified of the incident.

Lack of Encryption on Hard Drive Results in the Exposure of 9387 Patients’ PHI

Framingham, MA-based Charles River Medical Associates has discovered the danger of failing to use encryption to protect data stored on portable hard drives.

In late November, the practice discovered one of its portable hard drives was missing. The device contained x-ray images, names, patient ID numbers, and birth dates. Every patient who had visited the Framingham radiology lab for a bone density scan since 2010 had their x-ray images exposed: almost 9,400 individuals.

The hard drive was used by the practice as a backup device, and the stored data was updated each month with bone density scans from the past four weeks. The last time the device was used was for the October data backup. In late November, when the monthly backup was scheduled to be made, the portable drive could not be found.

A full search of the premises was conducted, which took several weeks, but the device could not be located. All staff members were questioned about the whereabouts of the drive, but no one had seen the device in the past four weeks.

Charles River Medical Associates has now declared the device lost and the search has been called off. Brian Parillo, executive director of Charles River Medical Associates said, “It’s hard to speculate on what could have happened to it.”

The loss of any device containing unencrypted protected health information is a reportable incident under HIPAA Rules and patients must be notified of the potential breach of their information. In compliance with HIPAA Rules, the incident has now been reported to the Department of Health and Human Services’ Office for Civil Rights (OCR) and patients have been informed of the breach by mail.

While the drive is believed to have been lost rather than stolen, it is possible that the device has been found and the information stored on the drive viewed by unauthorized individuals. Patients have therefore been advised to take steps to guard against any negative impact from the incident, including obtaining credit reports and checking their credit accounts for any sign of fraudulent activity.

However, since no Social Security numbers, financial information, or health insurance details were stored on the device, the potential for identity theft and fraud is low.

As a result of the incident, the decision has been taken to stop using unencrypted portable drives to store backups. A full security review has also been conducted to identify other potential vulnerabilities to the confidentiality, integrity, and availability of PHI; a review of hardware has been conducted; and staff have been retrained on privacy workflows.

The breach report submitted to OCR indicates 9,387 patients have been impacted by the incident.
