HIPAA Breach News

Scrub Nurse Fired for Photographing Employee-Patient’s Genitals

A scrub nurse who took photographs of a patient’s genitals and shared the images with colleagues has been fired, while the patient, who is also an employee at the same hospital, has filed a lawsuit seeking damages for the harm caused by the incident.

The employee-patient was undergoing incisional hernia surgery at Washington Hospital. She alleges in a complaint filed in Washington County Court that while she was unconscious, a scrub nurse took photographs of her genitals on a mobile phone and shared the photographs with co-workers.

Photographing patients without their consent is a violation of HIPAA Rules, and one that can attract a significant financial penalty. Last year, New York Hospital settled a HIPAA violation case with the Department of Health and Human Services’ Office for Civil Rights and paid a financial penalty of $2.2 million. In that case, a television crew had been authorized to film in the hospital, but consent from the patients in the footage had not been obtained.

In the Washington Hospital HIPAA breach, the patient, identified in the lawsuit only as Jane Doe, claims she became aware that photos had been shared the day after her operation. She also claims the scrub nurse showed her the photographs that had been taken. Horrified at the violation of her privacy, she reported the incident to her supervisors. The scrub nurse was subsequently fired for the HIPAA violation.

However, in the lawsuit Jane Doe claims that was not the end of the matter. She said that taking action against the scrub nurse resulted in her “being treated like the wrongdoer, not the victim.” As a result of the complaint she was “forced to endure harassment, humiliation and backlash,” and “extreme hostility” at work. That harassment has allegedly continued outside the hospital.

Jane Doe was given two weeks of paid leave as a healing period, and returned to her unit in the same position. However, she suffered migraines, anxiety, and insomnia as a result of the incident. She requested further paid leave of 3 months, as recommended by her physician, but the request was denied. She subsequently took unpaid leave under the Family and Medical Leave Act and was terminated in October.

The lawsuit names the hospital, a doctor who was in the operating room but failed to stop the scrub nurse from taking photos and did not report the incident, and several other workers at the hospital. Jane Doe seeks in excess of $75,000 in damages for the “severe physical, emotional and psychological stress” caused. The patient’s husband is also a plaintiff and is suing for loss of consortium.

The post Scrub Nurse Fired for Photographing Employee-Patient’s Genitals appeared first on HIPAA Journal.

Children’s Hospital Los Angeles Alerts Parents to Impermissible Disclosure of Children’s PHI

Children’s Hospital Los Angeles is notifying parents of a privacy breach that saw the protected health information (PHI) of children disclosed to incorrect insurance payors.

The privacy breach was discovered on November 29, 2017, with notifications sent to affected patients on December 19.

The impermissible disclosure of PHI included names, addresses, medical record numbers, birth dates, dates of service, and descriptions of the services provided.

Upon discovery of the privacy breach, the insurance payors were contacted and instructed to delete the information. Satisfactory assurances have been received that the information has now been deleted and the medical records of affected patients have been updated to include correct payor information.

No reports have been received to suggest any of the disclosed information has been used inappropriately; however, out of an abundance of caution, affected patients have been offered credit monitoring/protection services with ID Experts without charge.

In the breach notification letters, parents have been advised to monitor insurance communications, including Explanation of Benefits statements, for any services that have not been received by their children and to be alert to the possibility of inappropriate use of their child’s PHI.

The incident has prompted Children’s Hospital Los Angeles to reinforce education of vendors and staff on the importance of safeguarding patient information.

The incident has been reported to the California Attorney General’s Office and will be reported to the HHS’ Office for Civil Rights. At this stage it is unclear exactly how many individuals have been impacted by the incident.


Phishing Attack on Colorado Mental Health Institute Sees PHI Exposed

The Colorado Mental Health Institute at Pueblo has discovered one of its employees has fallen for a phishing scam that potentially allowed the attacker to gain access to the protected health information of as many as 650 patients.

The Colorado Mental Health Institute at Pueblo is a 449-bed hospital providing inpatient care for patients. The hospital serves patients with pending criminal charges that require competency evaluations, individuals found by the courts to be incompetent to proceed, and individuals found not guilty of crimes due to insanity.

The phishing attack occurred on November 1, 2017. The employee inadvertently disclosed login credentials that allowed the attacker to gain access to a state-issued computer. Unauthorized activity on the computer was detected the following day and access to the device was promptly blocked.

The forensic investigation did not uncover any evidence to suggest the protected health information of patients had been accessed or stolen, although the possibility of unauthorized access and data theft could not be ruled out with complete certainty.

All patients impacted by the incident have been notified of the security breach, as is required by HIPAA. They have been informed that potentially compromised information “could include, but is not limited to name, date of birth, Social Security number, address, phone number, insurance information, admission and discharge dates.”

The phishing attack has prompted the Colorado Mental Health Institute to implement new technical safeguards to prevent future phishing attacks. Privacy policies and procedures have also been reviewed and updated and staff have received further training on the risks from phishing. The Colorado Mental Health Institute said the individual who fell for the phishing scam has been dealt with “in accordance with CDHS policy and applicable law.”


Access to Dental Records Lost for 5 Days Due to Ransomware

A dental practice in Reno, NV has experienced a ransomware attack that prevented dental records and images from being accessed for five days.

Wager Evans Dental experienced the ransomware attack on October 30, 2017. The malicious software was installed on one computer and one server used by the practice.

Ransomware can be installed in a number of ways, although most commonly attacks occur via email. That appears to be the case with this attack, with the practice suspecting ransomware was downloaded when an employee clicked on a malicious hyperlink or email attachment.

IT staff and other experts were able to restore the encrypted files and remove the ransomware, although the process took five days. Access to patient records and images was not regained until November 4.

The files encrypted by the ransomware contained sensitive information such as names, dates of birth, addresses, diagnoses, treatment plans, images, health insurance information, and Social Security numbers.

A comprehensive investigation of the attack was conducted, and while it is possible that data could have been viewed by the attackers, the sole intention of the attack appears to have been an attempt to extort money from the practice.

The investigation into the breach is ongoing, although so far there are no indications that the attackers viewed or stole PHI. Since it is not possible to determine with absolute certainty that data access/theft did not occur, all patients have been notified of the attack, and out of an abundance of caution, those individuals have been offered credit monitoring services for one year without cost.

The attack has prompted the practice to enhance its security to prevent similar incidents from occurring in the future. In the breach notification letter, Brian E. Evans, DDS, said “We have retained security experts and made significant upgrades to our network and computer security.”


Protenus Releases November Healthcare Data Breach Report

Protenus has released its November healthcare data breach report – a summary of healthcare data breaches reported by HIPAA-covered entities. The report shows there has been a month-on-month fall in healthcare data breaches, and a major reduction in the number of records exposed by data breaches.

November saw the lowest total of the year to date for breaches with 28 incidents included in the report – four incidents fewer than February, the previous best month when 32 breaches were reported. This is the second consecutive month when reported breaches have fallen. There were 46 breaches reported in September and 37 in October.

November was also the best month of the year in terms of the number of records exposed. 83,925 individuals were impacted by healthcare data breaches in November. The previous lowest total was May, when 138,957 records were exposed. November was the third consecutive month where the number of breached records fell.

While the November healthcare data breach report offers some good news, the fall in breaches and breached records should be taken with a large pinch of salt. Healthcare organizations have a maximum of 60 days to report breaches, so the figures do not indicate there has been a reduction in incidents. Also, figures have only been obtained for 25 of the 28 breaches. As Kira Caban, Director of Public Relations at Protenus, notes, “The number of both data breach incidents and affected patient records are lower than any other month thus far in 2017, but it may also just indicate that people wanted to get ready for Thanksgiving, so they delayed reporting.”

In November, insider breaches outnumbered hacking incidents, with nine incidents (32%) due to insiders and eight incidents attributed to hacking (28%). 25% of breaches involved the loss or theft of records or devices containing ePHI. Seven of the breaches involved paper records.

The November healthcare data breach report shows hacking incidents resulted in the highest number of exposed records, by a nose: 36,804 records. Insider incidents resulted in the exposure of 36,447 records: 27,228 due to insider error and 9,219 due to insider wrongdoing. 5,324 records were exposed due to the theft or loss of physical records or devices containing unencrypted ePHI.

As is typical, healthcare providers reported the most breaches (82.1%), followed by health plans (10.7%). Three incidents (3.6%) are known to have involved business associates of HIPAA-covered entities.

It is difficult to make a determination whether healthcare organizations managed to discover breaches more quickly, as figures were only available for four incidents. The average time to detect a breach was 55 days, with a median of 33 days. One breach took 153 days to discover.

Data are better for the time to report breaches. The median time to report the incidents to HHS was 57 days, with an average time of 61 days. The figures show healthcare organizations are still waiting until the last minute to report breaches. It should be noted that while HIPAA allows up to 60 days to report data breaches, incidents should be reported without unnecessary delay, and well within that 60-day window. At least three covered entities have risked a financial penalty for delayed breach notifications, with one taking 134 days to report the breach.

While California is usually the state with the most reported breaches, that unenviable accolade was taken by Kentucky in November, with three reported breaches. Healthcare organizations based in Massachusetts, Texas, Colorado, Indiana, Florida, and California each reported two breaches.


Almost 10,000 Patients Impacted by Nebraska Ransomware Attack

Columbus Surgery Center, LLC and Eye Physicians, P.C., in Columbus, Nebraska have experienced a ransomware attack that has potentially resulted in the protected health information of almost 10,000 patients being accessed by the attackers.

The ransomware attack occurred on October 7, 2017 and saw a wide range of files on some servers being encrypted by the ransomware. A ransom demand was issued by the attackers, although it was not paid. The encrypted files were restored from a recent backup to allow services to continue to be offered to patients.

Third-party computer forensics professionals were called in to assist with the investigation of the attack to determine whether the attackers gained access to, viewed, or copied patient information and to investigate how access to the servers was gained and how the ransomware was installed.

The investigation did not uncover evidence to suggest any patient health information was stolen, but data access could not be ruled out with a high degree of confidence. Consequently, the incident was reportable to the Department of Health and Human Services’ Office for Civil Rights under HIPAA Rules and notifications to patients were warranted. Those notifications have now been mailed.

Eye Physicians reports that the breach involved information such as names, dates of birth, and ophthalmic imagery, and that no financial information or Social Security numbers were exposed.

As a result of the attack, an external IT security consultant was contracted to conduct a comprehensive security risk assessment to identify potential vulnerabilities, and hardware and software have been upgraded as a result of that assessment. It is hoped that the improvements to security will help to prevent similar incidents from occurring in the future.

The incident affected 7,721 patients of the Columbus Surgery Center and 2,620 patients of Eye Physicians, according to the breach reports submitted to OCR.


Potential Data Theft Incident Reported by Austin Manual Therapy

1,750 patients of Austin Manual Therapy (AMT) have been notified that some of their protected health information may have been accessed and stolen by a criminal attacker who gained access to their system.

A forensic investigation by a leading national cybersecurity team revealed access was first gained on October 3, 2017 and continued until October 9, when the intrusion was detected and blocked. According to the breach notice posted on the AMT website, access was not gained to the company’s electronic medical record system. Only a limited portion of the network was accessed – one computer and a shared file system.

While the forensic investigation confirmed that access to some files had been gained, it was not clear how much information was viewed and which, if any, documents had been stolen. An analysis of the file system and computer showed that the following information could have been accessed: Names, addresses, dates of birth, phone numbers, dates of service, charge amounts, occupations, insurance coverage and policy information, health screening information, diagnoses, driver’s license information, referring physician information, and partial and full Social Security numbers.

The breach investigation has largely been completed, although AMT said it is continuing to actively work with forensic investigators and that the investigation will likely continue until the end of the year.

Additional security measures have now been implemented to prevent this type of attack from occurring in the future. While the exact nature of the attack was not detailed in the AMT breach report, Databreaches.net has reported that this was an extortion attempt by the hacking group TheDarkOverlord.

Individuals impacted by the breach have been advised that they can obtain free credit reports and place a fraud alert and security freeze on their accounts, but it would not appear that credit monitoring or identity theft protection services have been offered.


1,900 MidMichigan Medical Center Patients Notified After Documents Found in the Street

MidMichigan Medical Center (MMC) in Alpena has alerted patients to a potential breach of their health information, which may have literally fallen into the hands of individuals unauthorized to view the information.

On the evening of November 18, an MMC cardiologist removed patient files from the Alpena cardiology office without authorization. The files were transported to the cardiologist’s vehicle in a storage container, but the container had not been properly secured.

Close to a parking lot near 12th Avenue/Chisholm Street, the container was dropped, spilling the contents on the ground. The documents were caught by the wind and started blowing around the street.

Some of the documents were picked up by members of the public, who informed the hospital that documents containing sensitive patient information were blowing around the street. The hospital contacted law enforcement to provide assistance collecting the paperwork.

Dr. Richard Bates, vice president of medical affairs at MMC issued a statement saying all of the paperwork is believed to have been retrieved, so the risk to patients is thought to be low. However, since it cannot be confirmed that every document has been recovered, patients have been notified of the potential breach of their PHI.

The reason why the cardiologist, Dr. Christopher Walls, removed the records from the office is not known. However, removing documents containing patient information is a violation of hospital policies, and as a result of that violation, Dr. Walls is no longer employed at MMC.

Approximately 1,900 patients have been notified of the potential breach, which may have included names along with addresses, Social Security numbers, and clinical data. As a precautionary measure, affected patients have been offered complimentary identity theft protection services.

“We take matters related to the security of our patients’ personal information very seriously because it is our responsibility to protect their privacy. We have rigorous processes and procedures in place to detect breaches and to protect patients’ rights,” said Bates.


Two Healthcare Providers Announce Incidents Involving the Improper Disposal of Patient Data

Two healthcare providers have announced they have experienced incidents involving the improper disposal of protected health information; one involving paper records and the other a hard drive containing electronic health information.

NYU Langone Health System discovered a binder containing a log of presurgical insurance authorizations was accidentally recycled by a cleaning company in October. The binder contained records relating to around 2,000 patients.

Information in the binder included names, birth dates, dates of service, Current Procedural Terminology (CPT) codes, diagnosis codes, insurer names, and insurance ID numbers. In some cases, brief notes may have been present, along with insurance approvals/denials and inpatient/outpatient status. No Social Security numbers were recorded in the paperwork, nor any financial information.

As required by HIPAA, NYU Langone Health System had implemented a policy that requires all PHI to be disposed of securely when it is no longer required, typically by shredding documents. Since the binder was taken for recycling by accident, that did not occur.

Since insurance ID numbers were present in the logs, NYU Langone Health System has offered all affected patients complimentary identity theft protection services and cyber monitoring services through ID Experts for one year.

To prevent similar incidents from occurring in the future, staff have been reeducated on the importance of safeguarding patient information and practice workflow has been updated to improve the protections for sensitive patient information. No reports have been received to suggest any information has been used inappropriately.

The second incident was reported by the Pequannock, NJ Chilton Medical Center (CMC). In this case, patient records, including names, addresses, medical record numbers, dates of birth, details of allergies and medications received at CMC were stored on a hard drive that was discovered to have been removed by an employee and sold on the Internet.

The sale of the hard drive was not authorized by CMC and was in breach of the medical center’s policies. The incident has been reported as a theft and the Morris County Prosecutor’s Office has been notified. According to the breach notice placed on the medical center’s website, the employee no longer works at CMC.

Upon discovery of the incident, an internal investigation was launched, and it became apparent that this was not the first time that computer hardware and assets had been removed by the former employee and sold online. Those additional devices and assets are not believed to have contained any patient information, although the investigation is ongoing.

Patients impacted by the incident had visited CMC for medical services between May 1, 2008 and October 15, 2017. All patients impacted were notified of the security incident on December 15, 2017. CMC said additional processes and controls have been put in place to prevent incidents such as this from occurring in the future.

The incident has yet to appear on the breach portal of the Department of Health and Human Services’ Office for Civil Rights, so it is currently unclear exactly how many patients have been affected.
