HIPAA Breach News

Oklahoma State University Center for Health Sciences Informs Patients of PHI Breach

Oklahoma State University Center for Health Sciences (OSUCHS) has discovered an unauthorized individual has gained access to parts of its computer network and potentially accessed files containing billing information of Medicaid patients.

The security breach was discovered on November 7, 2017 with access to the network terminated the following day. Third party computer forensics experts were called upon to conduct a comprehensive investigation to determine which parts of the network had been accessed, and whether patient health information had been accessed or stolen.

The investigation confirmed that patient health information could potentially have been viewed, although it was not possible to determine whether patient information had been accessed or stolen. OSUCHS reports that it has not received conclusive information to suggest any patient information has been misused.

Out of an abundance of caution, all individuals potentially impacted by the incident have been notified of the breach by mail and advised that they should be alert to the possibility that their personal information could potentially be misused.

OSUCHS says medical records were not compromised and the breach was limited to names, healthcare provider names, Medicaid numbers, dates of service, and a limited amount of treatment information. Only one Social Security number was present on the compromised server.

The breach has prompted OSUCHS to conduct a review of its security protections, and additional measures have now been implemented to better protect patient information in the future.

The incident has yet to appear on the Department of Health and Human Services’ Office for Civil Rights breach portal so it is currently unclear exactly how many individuals have been impacted.

The post Oklahoma State University Center for Health Sciences Informs Patients of PHI Breach appeared first on HIPAA Journal.

Phishing Attack on Florida Agency for Health Care Administration Impacts 30,000 Medicaid Recipients

The Agency for Health Care Administration in Florida has discovered an unauthorized individual has gained access to a single email account as a result of an employee falling for a phishing scam.

The employee received and responded to the malicious phishing email on November 15, 2017 and disclosed login credentials that allowed the attacker to remotely access his/her email account and, potentially, the protected health information of as many as 30,000 Medicaid enrollees.

The agency discovered the security breach on November 20 and performed a password reset to prevent further access. The incident was also reported to the agency’s inspector general, who launched an investigation into the attack. Preliminary findings of that investigation were released late last week.

According to an agency press release issued on Friday, the unauthorized individual may have partially or fully accessed information such as names, Medicaid ID numbers, addresses, dates of birth, diagnoses, medical conditions, and Social Security numbers. Approximately 6% of individuals impacted by the incident had either their Medicaid ID or Social Security number exposed.

While data access was possible, Florida’s Agency for Health Care Administration has not uncovered any evidence to suggest the compromised protected health information has been misused. Since sensitive information has potentially been viewed and stolen, individuals impacted by the incident have been told to be vigilant and check their accounts for signs of fraudulent activity. All individuals impacted by the breach have been offered complimentary credit monitoring services for 12 months.

Prior to the phishing attack, the Florida Agency for Health Care Administration had implemented an ongoing staff training program, although the incident has prompted a review of that program and staff have now been reeducated on proper security protocols and the dangers of phishing. The agency is also considering additional security controls to reduce the risk from phishing in the future.

The post Phishing Attack on Florida Agency for Health Care Administration Impacts 30,000 Medicaid Recipients appeared first on HIPAA Journal.

Compassion Care Hospice Hack Impacts 1,128 Patients

Compassionate Care Hospice Las Vegas (CCHLV) has discovered an unauthorized individual gained access to its network and server and potentially viewed 1,128 patients’ protected health information.

On October 28, 2017, CCHLV discovered its network had been accessed by an unauthorized individual. Upon discovery of the breach, CCHLV hired third-party forensics experts to conduct a thorough investigation to determine the nature of the breach and to identify all patients who were potentially affected.

While the investigation confirmed access to data was possible, no evidence was uncovered to suggest any sensitive information was viewed or stolen by the attacker. However, it was not possible to rule out data access and theft with 100% certainty.

The types of information stored on the parts of the network that could have been accessed included names, dates of birth, addresses, Medicare numbers, medical treatment information, health insurance information, and archived electronic health records. Financial information was not stored on the part of the network compromised in the attack and remained secure at all times.

Once access to the network and server had been blocked, CCHLV conducted a comprehensive risk analysis to identify potential vulnerabilities to the confidentiality, integrity, and availability of PHI and has reviewed and revised network security policies accordingly. To ensure that any future cyberattacks are detected and mitigated rapidly, CCHLV has now implemented intrusion detection and monitoring systems.

CCHLV notified all affected individuals by mail on December 14, 2017 and reported the incident to the Department of Health and Human Services’ Office for Civil Rights. Upon discovery of the attack, law enforcement was notified and CCHLV is continuing to assist with the investigation.

Out of an abundance of caution, all patients impacted by the breach have been offered complimentary credit monitoring and identity theft restoration services for 12 months through Kroll.

The post Compassion Care Hospice Hack Impacts 1,128 Patients appeared first on HIPAA Journal.

Kaiser Permanente Reports Two Security Incidents Impacting 5,000 Members

Kaiser Permanente has experienced two security incidents which have recently been reported to the Department of Health and Human Services’ Office for Civil Rights. In total, more than 5,000 individuals have been impacted by the breaches.

Both breaches affect members of the Kaiser Foundation Group Health Plan. The most serious incident, in terms of the number of individuals impacted, was an email-related breach affecting 4,389 health plan members in the San Bernardino County area of Southern California.

An unauthorized individual was discovered to have gained access to the email account of a Southern California Permanente physician, which contained a limited amount of protected health information.

Kaiser Permanente conducted an extensive investigation to determine the nature and full extent of the breach. While the email account was accessed, Kaiser Permanente believes the risk to plan members is low due to the nature of data contained in the email account.

The email account did not contain highly sensitive information such as bank account details, credit card numbers, insurance information, or Social Security numbers. The breach was limited to plan members’ names, ages, dates of service, medical record numbers, phone numbers, limited medical information, and flu shot data.

Affected members have been informed of the breach by mail and Kaiser Permanente is exploring additional technology that can be implemented to prevent similar breaches from occurring in the future.

One week later, Kaiser Permanente reported a second breach, this time involving the PHI of 638 plan members. The second breach occurred between October 9 and October 13, 2017 and was a mis-mailing incident. Letters containing a limited amount of protected health information were sent to incorrect plan members in the West Los Angeles area.

No Social Security numbers, medical record numbers, financial information, or other highly sensitive information was involved. Affected members have been notified and mailing workflow processes have been reviewed and updated to prevent a recurrence.

The post Kaiser Permanente Reports Two Security Incidents Impacting 5,000 Members appeared first on HIPAA Journal.

Largest Healthcare Data Breaches of 2017

This article details the largest healthcare data breaches of 2017 and compares this year’s breach tally to the past two years, which were both record-breaking years for healthcare data breaches.

2015 was a particularly bad year for the healthcare industry, with some of the largest healthcare data breaches ever discovered. There was the massive data breach at Anthem Inc., the likes of which had never been seen before. 78.8 million healthcare records were compromised in that single cyberattack, and there were also two other healthcare data breaches involving 10 million or more records. 2015 was the worst ever year in terms of the number of healthcare records exposed or stolen.

2016 was a better year for the healthcare industry in terms of the number of healthcare records exposed in data breaches. There was no repeat of the mega data breaches of the previous year. Yet, the number of incidents increased significantly. 2016 was the worst ever year in terms of the number of breaches reported by HIPAA-covered entities and their business associates. So how have healthcare organizations fared in 2017? Was 2017 another record-breaking year?

Healthcare Data Breaches Increased in 2017

The mega data breaches of 2015 were fortunately not repeated, and the decline in massive data breaches continued in 2017.

Last year, there were three breaches reported that impacted more than one million individuals and 14 breaches of more than 100,000 records.

In 2017, there was only one reported data breach that impacted more than 500,000 people and 8 breaches that impacted 100,000 or more individuals. The final total for individuals impacted by breaches last year was 14,679,461 – considerably less than the 112,107,579 total the previous year.

The final figures for 2017 cannot yet be calculated as there is still time for breaches to be reported to OCR. The HIPAA Breach Notification Rule allows covered entities up to 60 days to report data breaches of more than 500 records, so the final figures for 2017 will not be known until March 1, 2018. However, based on current data, 2017 has been a reasonably good year in terms of the number of exposed healthcare records. The current total stands at 3,286,498 records – a 347% reduction in breached records year on year.

While it is certainly good news that the severity of breaches has reduced, that only tells part of the story. Breaches of hundreds of thousands of records have become less frequent, but breaches of more than 10,000 records have remained fairly constant year over year. In 2015, there were 52 breaches of 10,000 or more records. That figure jumped to 82 in 2016. There were 78 healthcare data breaches in 2017 involving more than 10,000 records.

The bad news is there has been a significant rise in the number of healthcare data breaches in 2017. As of January 4, 2017, there have been 342 healthcare security breaches listed on the OCR breach portal for 2017. It is likely more incidents will be added in the next few days.

The final total for 2015 was 270 breaches, and there were 327 breaches reported in 2016. The severity of healthcare security incidents may have fallen, but the number of incidents continues to rise year on year.

Figure: reported healthcare data breaches in 2017

Unfortunately, there is little evidence to suggest that the annual rise in healthcare data breaches will stop in 2018. Many cybersecurity firms have made predictions for the coming year, and they are united in the view that healthcare data breaches will continue to increase.

The 20 Largest Healthcare Breaches of 2017

The 20 largest healthcare data breaches of 2017 are listed below.

Position | Breached Entity | Entity Type | Records Exposed | Cause of Breach
1 | Commonwealth Health Corporation | Healthcare Provider | 697,800 | Theft
2 | Airway Oxygen, Inc. | Healthcare Provider | 500,000 | Hacking/IT Incident
3 | Women’s Health Care Group of PA, LLC | Healthcare Provider | 300,000 | Hacking/IT Incident
4 | Urology Austin, PLLC | Healthcare Provider | 279,663 | Hacking/IT Incident
5 | Pacific Alliance Medical Center | Healthcare Provider | 266,123 | Hacking/IT Incident
6 | Peachtree Neurological Clinic, P.C. | Healthcare Provider | 176,295 | Hacking/IT Incident
7 | Arkansas Oral & Facial Surgery Center | Healthcare Provider | 128,000 | Hacking/IT Incident
8 | McLaren Medical Group, Mid-Michigan Physicians Imaging Center | Healthcare Provider | 106,008 | Hacking/IT Incident
9 | Harrisburg Gastroenterology Ltd | Healthcare Provider | 93,323 | Hacking/IT Incident
10 | VisionQuest Eyecare | Healthcare Provider | 85,995 | Hacking/IT Incident
11 | Washington University School of Medicine | Healthcare Provider | 80,270 | Hacking/IT Incident
12 | Emory Healthcare | Healthcare Provider | 79,930 | Hacking/IT Incident
13 | Salina Family Healthcare Center | Healthcare Provider | 77,337 | Hacking/IT Incident
14 | Stephenville Medical & Surgical Clinic | Healthcare Provider | 75,000 | Unauthorized Access/Disclosure
15 | Morehead Memorial Hospital | Healthcare Provider | 66,000 | Hacking/IT Incident
16 | Primary Care Specialists, Inc. | Healthcare Provider | 65,000 | Hacking/IT Incident
17 | Enterprise Services LLC | Business Associate | 56,075 | Unauthorized Access/Disclosure
18 | ABCD Pediatrics, P.A. | Healthcare Provider | 55,447 | Hacking/IT Incident
19 | Network Health | Health Plan | 51,232 | Hacking/IT Incident
20 | Oklahoma Department of Human Services | Health Plan | 47,000 | Hacking/IT Incident

The Largest Healthcare Data Breaches of 2017 Were Due to Hacking

One thing is abundantly clear from the list of the largest healthcare data breaches of 2017: hacking/IT incidents affect more individuals than any other breach type. Hacking/IT incidents accounted for all but three of the largest healthcare data breaches of 2017.

In 2016, hacking incidents only accounted for 11 out of the top 20 data breaches and 12 of the top 20 in 2015. Hacking incidents therefore appear to be rising.

Figure: healthcare data breaches in 2017 (hacking)

The rise in hacking incidents can partly be explained by the increase in ransomware attacks on healthcare providers in 2017. Healthcare organizations are also getting better at discovering breaches.

Other Major Causes of Healthcare Data Breaches in 2017

Unauthorized access/disclosures continue to be a leading cause of healthcare data breaches, although there was a slight fall in numbers of these incidents in 2017. That decrease is offset by an increase in incidents involving the improper disposal of physical records and electronic devices used to store ePHI.

Figure: healthcare data breaches of 2017 (unauthorized access/disclosures)

The use of encryption for stored data is more widespread, with many healthcare organizations having implemented encryption on all portable storage devices and laptops, which has helped to reduce the exposure of ePHI when electronic devices are stolen.

Figure: healthcare data breaches of 2017 (loss/theft)

Minimizing the Risk of Healthcare Data Breaches

This year saw OCR publish the preliminary findings of its HIPAA compliance audits on HIPAA-covered entities. The audits revealed there is still widespread non-compliance with HIPAA Rules.

One of the biggest problems was not a lack of cybersecurity defenses, but the failure to conduct an enterprise-wide risk analysis.

Even with several layers of security, vulnerabilities are still likely to exist. Unless a comprehensive risk analysis is performed to identify security gaps, and those gaps are addressed, it will only be a matter of time before they are exploited.

Complying with HIPAA Rules will not prevent all data breaches, but it will ensure healthcare organizations achieve at least the minimum standard for data security, which will prevent the majority of healthcare data breaches.

There is a tendency to invest cybersecurity budgets in new technology, but it is important not to forget the basics. Many healthcare data breaches in 2017 could have been prevented had patches been applied promptly, if secure passwords had been chosen, and if cloud storage services and databases had been configured correctly. Many data breaches resulted from employees leaving unencrypted laptops in risky locations – in unattended vehicles, for instance.

Phishing remains one of the main ways that malicious actors gain access to protected health information, yet security awareness training is still not being provided frequently. As a result, employees are continuing to fall for phishing and social engineering scams. Technological solutions to block phishing emails are important, but healthcare organizations must also educate employees about the risks, teach them how to recognize scams, and reinforce training regularly. Only then will organizations be able to reduce the risk from phishing to an acceptable and appropriate level.

Insiders continue to be a major threat in healthcare. The value of data on the black market is high, and cash-strapped healthcare employees can be tempted to steal data to sell to identity thieves. Healthcare organizations can hammer the message home that data theft will be discovered and reported to law enforcement, but it is the responsibility of healthcare organizations to ensure policies and technologies are implemented to ensure that the unauthorized accessing of records – theft or snooping – is identified rapidly. That means frequent audits of access logs and the use of automated monitoring solutions and user behavior analytics.
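The access-log auditing and user behavior analytics recommended above, as an added example that is not part of the original post or of any vendor's product: it runs two simple checks over constructed EHR chart-access audit events. The log format, field names, roles, the "work reason" convention (a ticket or encounter id attached to each chart open) and the outlier threshold are all assumptions made for this illustration.

```python
"""Toy audit-log review for insider record access (constructed example).

Each audit event records who opened which patient chart, in what role, and
whether a work reason (service ticket or scheduled encounter) was attached.
Two detections run over the log:

  1. find_unjustified   - chart opens with no linked ticket/encounter, which
                          go to an auditor's review queue.
  2. volume_outliers    - users whose daily chart-open count is far above
                          their role peers (robust z-score: median and MAD).

Log format, roles and thresholds are assumptions for this example; they are
not the audit format of any real EHR product.
"""
from collections import Counter, defaultdict
from statistics import median


def _build_sample_log():
    """Constructed audit events, NOT real data. One event per line:
    <iso-timestamp> <user> <role> <patient-id> <work-reason or '-'>"""
    lines = [
        "2017-10-20T09:01:12 u_alice call_center P1001 TKT-4410",
        "2017-10-20T09:03:40 u_alice call_center P1002 TKT-4411",
        "2017-10-20T09:10:05 u_bob call_center P1003 TKT-4412",
        "2017-10-20T09:12:59 u_bob call_center P1004 -",
        "2017-10-20T09:20:00 u_carol call_center P1005 TKT-4415",
        "2017-10-20T09:30:00 u_erin nurse P1001 ENC-7781",
        "2017-10-20T09:45:00 u_erin nurse P1006 ENC-7782",
    ]
    # One call-center user opens 40 charts in a morning with no linked ticket.
    for i in range(40):
        lines.append(f"2017-10-20T10:{i:02d}:00 u_dave call_center P3{i:03d} -")
    return "\n".join(lines) + "\n"


SAMPLE_LOG = _build_sample_log()


def parse_log(text):
    """Parse the whitespace-separated audit format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, patient, reason = line.split()
        events.append({"ts": ts, "date": ts[:10], "user": user, "role": role,
                       "patient": patient,
                       "reason": None if reason == "-" else reason})
    return events


def find_unjustified(events):
    """Chart opens with no work reason attached -> (user, patient, timestamp)."""
    return [(e["user"], e["patient"], e["ts"]) for e in events
            if e["reason"] is None]


def daily_counts(events):
    """{(role, date): Counter(user -> number of chart opens)}"""
    counts = defaultdict(Counter)
    for e in events:
        counts[(e["role"], e["date"])][e["user"]] += 1
    return counts


def volume_outliers(events, threshold=3.5):
    """Users whose daily count is a robust-z outlier within their role group.

    robust z = 0.6745 * (count - median) / MAD. Only counts above the median
    are considered; when MAD is 0 (peers uniform) any higher count is flagged.
    Groups with fewer than three users are skipped: no meaningful baseline.
    """
    flagged = []
    for (role, date), per_user in daily_counts(events).items():
        if len(per_user) < 3:
            continue
        values = list(per_user.values())
        med = median(values)
        mad = median([abs(v - med) for v in values])
        for user, count in per_user.items():
            if count <= med:
                continue
            score = 0.6745 * (count - med) / mad if mad else float("inf")
            if score > threshold:
                flagged.append({"user": user, "role": role, "date": date,
                                "count": count, "score": round(score, 1)})
    return flagged


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for user, patient, ts in find_unjustified(evs):
        print(f"REVIEW  {ts} {user} opened {patient} with no work reason")
    for f in volume_outliers(evs):
        print(f"OUTLIER {f['date']} {f['user']} ({f['role']}) opened "
              f"{f['count']} charts, robust z={f['score']}")
```

The two checks are complementary: the work-reason check catches individual accesses that nothing in the workflow explains, and the peer-group volume check catches an account whose pattern is out of line with its role even when each access looks routine. A robust (median/MAD) score is used rather than mean/standard deviation so that the outlier itself does not drag the baseline up and hide itself.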

2017 was a bad year for ransomware attacks and extortion attempts on healthcare organizations. There is no sign that these attacks will slow in 2018, and if anything, they are likely to increase. Ensuring data is backed up will allow organizations to recover files in the event of an attack without having to pay a ransom. The rise in sabotage attacks – NotPetya for example – means data loss is a real possibility if backups are not created.

By getting the basics right and investing in new technologies, it will be possible for the year on year rise in data breaches to be stopped. But until healthcare organizations get the basics right and comply with HIPAA Rules, healthcare data breaches are likely to continue to rise.

The post Largest Healthcare Data Breaches of 2017 appeared first on HIPAA Journal.

29,000 Patients Notified of Employee-Related Data Breach at SSM Health

The St. Louis, MO-based not-for-profit health system SSM Health has discovered that a former employee had been accessing patients’ health records for 8 months without any legitimate work reason for doing so.

The former employee worked in SSM Health’s customer service call center, and as such, did not have access to financial information, only demographic, health, and clinical information.

The improper access was detected by SSM Health on October 30, prompting a thorough investigation to determine the records that had been accessed and which patients were potentially at risk. The investigation revealed the records of patients in multiple states were accessed by the employee between February 13 and October 20, 2017.

The employee was primarily interested in the records of patients of a primary care physician in the St. Louis area, specifically patients who had been prescribed a controlled substance. While that subset of patients was relatively small, it was not possible to determine the full scope of the privacy breach, so SSM Health took the decision to notify all patients whose records had been accessed by the former employee. In many cases, that access will have been for legitimate work purposes.

In total, 29,000 patients have been notified of the incident and warned that their protected health information may have been improperly accessed and could potentially have been misused. Those patients have been offered identity theft protection services without charge.

SSM Health has also changed its procedures to require an additional identifier to be used when patients request prescription refills via its call center. Internal policies and procedures have been reviewed and employee access monitoring tools have been strengthened to ensure any future illegal employee activity is identified more rapidly.

The incident has been reported to the Department of Health and Human Services’ Office for Civil Rights and law enforcement has been notified.

SSM Health privacy officer, Scott Didion, said, “We take very seriously our role of safeguarding our patients’ personal information, and we deeply regret any inconvenience or concern this situation may have caused our patients.”

This is the second incident to be reported by SSM Health this year. In May, SSM Health reported that an electromyography device containing the PHI of 836 patients had been stolen from DePaul Hospital St Louis in Bridgeton, MO.

The post 29,000 Patients Notified of Employee-Related Data Breach at SSM Health appeared first on HIPAA Journal.

Colorado Practice Hacked Twice in a Week

A family and sports medicine practice in Colorado has discovered a hacker gained access to its systems and encrypted files with ransomware.

Longs Peak Family Practice (LPFP) in Longmont CO, identified suspicious activity on its network on November 5, 2017 and took rapid action to secure its systems. However, before that was possible, the attacker ran ransomware code which encrypted files on certain parts of its network.

LPFP was prepared for such attacks, and was able to recover the encrypted files and rebuild its systems from backups. However, five days after the initial intrusion was detected, LPFP discovered that its systems had been accessed in a second attack. Ransomware was not involved in the second incident.

While the first incident was dealt with internally, when the second attack was discovered, LPFP called in a leading computer forensics firm to assist with the investigation, conduct scans for malware and backdoors, and ensure that unauthorized access to its systems was blocked.

That investigation revealed that an unauthorized individual had accessed certain parts of LPFP’s network on November 5, 9, and 10. The forensic investigation took until December 5 to complete, but did not uncover any specific evidence to suggest the attacker had opened any files or stolen data.

However, it was not possible to rule out data access and theft with 100% certainty, and while no evidence was uncovered to suggest the ransomware infection did anything other than blindly encrypt files, it is possible that the malware could have been used to download some computer files.

Files stored on the compromised computers included the following patient information: Names, addresses, email addresses, driver’s license details, Social Security numbers, dates of birth, internal patient ID numbers, insurance carriers, insurance payment codes and costs, dates of service, copies of notes made by LPFP physicians and other healthcare providers, medical conditions, medications, diagnoses, data from diagnostic studies, and lab test results.

Potentially, final statements for accounts that had been sent to a collection agency may have been compromised, but no financial information, invoices for medical services, or credit/debit card details were exposed.

LPFP had already implemented a range of defenses to prevent the unauthorized accessing of patient data, but these attacks revealed vulnerabilities existed in its defenses. Those vulnerabilities have now been addressed and changes have been made to how its network can be accessed. A new, enhanced firewall has been purchased and implemented, further training is being provided to staff on privacy and security, and the practice is looking into further tools and procedures that will help to improve security.

Due to the sensitive nature of the information that was potentially accessed, LPFP is offering patients 12 months of identity theft repair and credit monitoring services through AllClear without charge.

The post Colorado Practice Hacked Twice in a Week appeared first on HIPAA Journal.

24,000 Patients Impacted by Emory Healthcare Data Breach

Emory Healthcare (EHC) has discovered a former employee obtained the protected health information of several thousand EHC patients and uploaded the data to a Microsoft Office 365 OneDrive account, where it could potentially be accessed by other individuals.

The former employee was a physician at Emory Healthcare, who now works for the University of Arizona (UA) College of Medicine. EHC says patient information was taken without authorization and without its knowledge. EHC was alerted to the incident by the University of Arizona, and received a list of affected individuals on October 18, 2017.

The OneDrive account could only be accessed by the physician, other former EHC physicians now at UA, UA staff who investigated the incident, and potentially a limited number of other UA staff members who had a specific type of UA email account. PHI was not exposed on the Internet and no other individuals are believed to have been able to view the information.

UA hired a third-party forensic team to conduct an investigation, although no evidence was uncovered to suggest patient information was accessed or used in any way. UA has confirmed that all EHC patient information has been permanently and securely deleted from the account and its systems.

EHC says no Social Security numbers, financial information, addresses, phone numbers, driver’s license numbers, or credit card information was exposed. The data uploaded to the account was limited to names, dates of service at EHC, provider names, medical record numbers, diagnoses, treatment information, treatment locations, and in some cases, dates of birth. The information was largely restricted to patients who had received radiology services at EHC between 2004 and 2014.

EHC is now notifying patients by mail that their protected health information has been exposed, and potentially disclosed. EHC has received no reports to suggest any of the information has been misused; however, as a precautionary measure, patients have been advised to remain vigilant and to take steps to protect themselves against potential fraudulent use of their information.

EHC is now taking steps to prevent incidents such as this from occurring in the future, including enhancing its patient care team education programs and reviewing and improving security measures.

The breach report submitted to the Department of Health and Human Services’ Office for Civil Rights indicates 24,000 patients have been impacted by the breach.

The post 24,000 Patients Impacted by Emory Healthcare Data Breach appeared first on HIPAA Journal.

Jones Memorial Hospital Alerts Patients to Ongoing Cyberattack

University of Rochester Medicine’s Jones Memorial Hospital in Wellsville, NY is currently experiencing a cyberattack that has caused unexpected downtime.

The attack is understood to have started on Wednesday December 27 and has caused disruption to some of its information services. At the time of writing, the nature of the cyberattack is unclear and it has yet to be resolved. The cyberattack is limited to Jones Memorial Hospital. No other locations have been impacted.

While some systems are unavailable, Jones Memorial Hospital has announced on its website that the financial and medical information of its patients does not appear to have been compromised. If the investigation concludes that there has been a breach of health information, patients will be notified accordingly. Further information on the attack will also be posted on the hospital’s website as and when new information becomes available.

The hospital notified law enforcement and the New York State Department of the attack when its systems went down. Hospital IT staff are being assisted by the IT departments at the University of Rochester, St. James Hospital, and Noyes Health to restore all systems back to full functionality.

Jones Memorial Hospital has prepared for incidents such as this. Emergency procedures are regularly tested, and employees are trained how to respond to cyberattacks and system downtime. Consequently, medical services are continuing to be provided, with information being recorded manually on patient charts while its systems are offline.

However, without access to electronic patient health information, the hospital is advising all patients to bring their insurance card with them, as well as full lists of medications and if possible, details of their medical history.

Systems will be brought back online as soon as is possible, but in the meantime, the hospital is focused on maintaining patient safety and quality of care.

The post Jones Memorial Hospital Alerts Patients to Ongoing Cyberattack appeared first on HIPAA Journal.