HIPAA Breach News

11,350 Sinai Health System Patients Potentially Impacted by Phishing Attack

The email accounts of two employees of Chicago’s Sinai Health System have been compromised in a recent phishing attack.

Sinai Health System reports that the phishing attack occurred on October 2, and that it was quickly identified and mitigated. Access to the compromised accounts was possible only for a matter of hours. Cybersecurity experts were called in to assist with the investigation, and while the possibility of PHI access cannot be ruled out, the risk faced by patients is believed to be low.

No evidence has been uncovered to suggest any financial information was accessed, although an analysis of the compromised email accounts revealed that they contained a range of protected health information on 11,350 patients, which could potentially have been viewed.

As a precaution against identity theft and fraud, patients impacted by the breach have been offered identity theft protection and credit monitoring services free of charge for 12 months.

Mitigating the Ever-present Threat from Phishing

Phishing is the biggest cybersecurity threat faced by organizations, with the healthcare industry often targeted by cybercriminals.

A recent study from IronScales shows that between 90% and 95% of successful breaches are the result of phishing. Research conducted by anti-phishing vendor PhishMe similarly suggests that more than 90% of data breaches start with a phishing email.

Even with multi-layered phishing defenses, some emails will make it past perimeter defenses and will be delivered to end users’ inboxes. It is therefore important to provide security awareness training to employees. Not only does training improve employees’ ability to identify phishing emails and help to prevent costly data breaches, it is also a requirement of HIPAA.

In its July Cybersecurity Newsletter, OCR reminded HIPAA-covered entities of the importance of providing regular training to employees. The newsletter came after a spate of phishing incidents reported by healthcare providers. The past couple of weeks have seen several further data breaches caused by phishing, underscoring the need for continuous training of healthcare employees.

While HIPAA does not stipulate how often security awareness training should be provided, OCR suggests that many healthcare organizations are providing biannual training sessions, with regular newsletters issued on specific threats and to maintain awareness of the risks from phishing. Using a combination of computer-based training, classroom sessions, newsletters, posters, and phishing simulation exercises, covered entities and their business associates can improve the security awareness of the workforce. Alongside spam filters and other anti-phishing technologies, organizations can reduce the risk from phishing to a low and acceptable level.

A recent State of the Phish Report from Wombat Security Technologies suggests that while employees are getting better at identifying phishing emails as a result of security awareness training, many organizations are failing to implement effective employee security awareness training programs.

24% of respondents to a recent survey failed to identify phishing emails, an improvement from the 28% failure rate last year, but still a major cause for concern. The State of the Phish report also highlighted the need for continuous security awareness training. When the survey was conducted last year, respondents scored particularly highly on questions relating to safe Internet access, yet there was a sharp fall in risk awareness in this category a year later. If training is not regularly reinforced, basic security practices can all too easily be forgotten.

The post 11,350 Sinai Health System Patients Potentially Impacted by Phishing Attack appeared first on HIPAA Journal.

New Jersey Sleep Medicine Specialists Experience Ransomware Attack

The New Jersey-based Hackensack Sleep and Pulmonary Center, specialists in sleep disorders and pulmonary conditions and diseases, has experienced a ransomware attack that resulted in the protected health information of certain patients being encrypted.

The ransomware attack occurred on September 24, 2017 and resulted in medical record files being encrypted by the malware. The attack was discovered the following day. As is typical in these attacks, the attackers issued a ransom demand, payment of which was required to obtain the keys to unlock the encryption.

Hackensack Sleep and Pulmonary Center was prepared for ransomware attacks: backups of all files had been made and were stored securely offline. The backups were used to recover all encrypted data without paying the ransom.

While data access is a possibility with ransomware attacks, the purpose of ransomware is usually to make data inaccessible and force victims to pay for the key to unlock the encryption. Ransomware attacks typically do not involve data access or data theft. Hackensack Sleep and Pulmonary Center has no reason to believe this attack was any different. No evidence was uncovered to suggest that any data were removed from its system or viewed by the attackers.

The types of information encrypted included diagnoses, notes, procedures, and patient reports, along with names, addresses, Social Security numbers, dates of birth, insurance information, credit card numbers, and account information.

Hackensack Sleep and Pulmonary Center called in a forensic expert to assist with the investigation, and recommendations have been received on additional security protections that can be deployed to prevent future incidents from occurring. Those recommendations are being considered and additional security measures will be implemented to improve security and prevent future attacks.

The incident has been reported to the Department of Health and Human Services’ Office for Civil Rights (OCR) and the New Jersey State Police Cyber Crimes Unit, and affected individuals have been notified of the breach by mail.

The OCR breach portal indicates 16,474 patients have been impacted by the incident.

880 Patients Potentially Impacted by Baptist Health Louisville Phishing Attack

Baptist Health in Louisville, KY has notified 880 patients that some of their protected health information has potentially been accessed and stolen.

The security breach was discovered on October 3, 2017, when irregular activity was detected on the email account of an employee. Baptist Health was able to determine that a third party sent a phishing email to the employee, who responded and disclosed login credentials allowing the email account to be accessed.

Those login credentials were subsequently used by an unknown individual to gain access to the email account. The email account contained the protected health information of 880 patients, although it is unclear whether any of the emails were viewed. The motive behind the attack may not have been to gain access to sensitive information.

What is known is that the access was used to send further phishing emails to other email accounts. Following the discovery of the breach, Baptist Health responded quickly to limit the potential for harm, disabling the affected email account and performing a password reset to prevent further unauthorized access.

Due to the actions taken by the hacker once access to the account was gained, Baptist Health does not believe any information contained in the emails has been used inappropriately.

A review of all emails in the account showed the types of information potentially compromised included names, medical record numbers, dates of birth, clinical information, and treatment information. A limited number of Social Security numbers were also exposed.

Since the possibility of PHI access and misuse cannot be ruled out with a high degree of certainty, all 880 patients impacted by the breach have been notified, and patients whose Social Security numbers were exposed have been offered complimentary credit monitoring and identity theft protection services for one year.

Staff have also received additional training in relation to phishing emails, and the login process for remote access has been strengthened to prevent similar breaches from occurring in the future.

18,500 Patients’ PHI Exposed After Multiple Email Accounts Were Compromised

The Detroit-based Henry Ford Health System has started notifying almost 18,500 patients that some of their protected health information has potentially been accessed by an unauthorized individual.

The breach was detected on October 3, 2017 when unauthorized access to the email accounts of several employees was detected. While protected health information was potentially accessed or stolen, the health system’s EHR system was not compromised at any point. All data was confined to the compromised email accounts.

It is currently unclear exactly how access to the email accounts was gained. Typically, breaches such as this involve phishing attacks, in which emails designed to fool healthcare employees into disclosing their login credentials are sent to many staff members. An internal investigation into the breach is ongoing to determine the cause of the attack and how the login credentials of some of its employees were stolen.

Henry Ford Health System has conducted a review of all emails in the accounts and has determined that 18,470 patients have been affected. The emails contained a range of information on patients including names, medical record numbers, dates of birth, provider names, department names, locations, dates of service, medical diagnoses, and the names of health insurers. Each patient impacted by the breach had some or all of the above information exposed. Financial information and Social Security numbers were not present in any of the compromised email accounts.

At this stage in the investigation it is unclear whether the person who accessed the accounts viewed or stole any information, and whether any of the PHI has been used inappropriately.

A spokesperson for Henry Ford Health System said, “We take very seriously any misuse of patient information, and we are continuing our own internal investigation to determine how this happened and to ensure no other patients are impacted,” and “To reduce future risk of this happening again, we are strengthening our security protections for employees, all of whom will be educated about this measure in the coming weeks.”

Henry Ford Health System will also be reviewing its policies on email retention and the use of two-factor authentication.

Hospital Employee Fired for Accessing Medical Records Without Authorization

Lowell General Hospital in Massachusetts has discovered that the medical records of 769 patients were accessed by an employee without any legitimate work reason for doing so.

By accessing the medical records, the employee breached hospital policies and violated the privacy of patients. Upon discovery of the breach, and completion of the subsequent investigation, the employee was terminated. Lowell General Hospital was satisfied that only one person was involved, and that this was not a widespread problem at the hospital.

Patients impacted by the security incident have been notified and a breach notice has been placed on the hospital website. Patients have been informed that the types of information accessed by the former employee included names, dates of birth, medical diagnoses, and information relating to treatments provided to patients.

No financial information, health insurance details, or Social Security numbers were viewed by the employee, and the investigation uncovered no evidence to suggest that any of the information that was accessed has been misused.

Lowell General Hospital provides training to all staff members, and clearly instructs employees that the accessing of medical records without a legitimate reason is strictly prohibited. While checks are performed to ensure that employees are abiding by hospital policies, the incident has prompted Lowell General Hospital to conduct a review of its privacy and security policies relating to its medical record system. Improvements will be made to ensure that any future instances of snooping are identified rapidly. The hospital will continue to provide ongoing training to staff on patient privacy.

What is not clear is how long the employee was able to improperly access medical records before the privacy violations were discovered. The number of patients impacted by the incident suggests the improper access had been ongoing for several months.

HIPAA requires covered entities and their business associates to regularly monitor PHI access logs for unauthorized access. While “regularly” is open to interpretation, it is best practice to conduct ongoing audits of access logs to help identify unauthorized activity.

These audits can be conducted manually, although tools are available to reduce the administrative burden. Those tools are either rule-based or behavior-based. The former requires rules to be set which trigger alerts when they are violated, while behavior-based systems learn what normal access looks like and trigger alerts when anomalies are detected. These automated solutions can help to detect improper activity much more quickly, allowing rapid action to be taken when employees snoop on medical records.
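The two audit approaches described above, as an added illustration that is not part of the original article or any vendor's product: a rule-based check (access to a patient outside the user's care assignments, or outside shift hours) beside a simple behavior-based check (a user's daily distinct-patient count compared with their own baseline). The log format, the care-assignment table and every log line are constructed for the example.

```python
"""Illustrative PHI access-log audit: rule-based and behavior-based checks.
Added example with a constructed log format; not a real audit product."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed access log: timestamp, user id, patient MRN, action.
# nurse02 normally views one or two assigned patients per day during shift hours;
# on 2017-10-05 the same user views six unassigned charts at 2 a.m.
ACCESS_LOG = """\
2017-10-02T09:05:00 nurse01 MRN1001 VIEW
2017-10-02T09:20:00 nurse01 MRN1002 VIEW
2017-10-02T10:00:00 nurse02 MRN2001 VIEW
2017-10-03T09:10:00 nurse01 MRN1001 VIEW
2017-10-03T11:30:00 nurse02 MRN2002 VIEW
2017-10-04T08:50:00 nurse01 MRN1003 VIEW
2017-10-04T12:00:00 nurse02 MRN2001 VIEW
2017-10-05T02:10:00 nurse02 MRN1001 VIEW
2017-10-05T02:12:00 nurse02 MRN1002 VIEW
2017-10-05T02:15:00 nurse02 MRN1003 VIEW
2017-10-05T02:18:00 nurse02 MRN9001 VIEW
2017-10-05T02:20:00 nurse02 MRN9002 VIEW
2017-10-05T02:22:00 nurse02 MRN9003 VIEW
"""

# Constructed care assignments: patients each user has a treatment relationship with.
ASSIGNED = {
    "nurse01": {"MRN1001", "MRN1002", "MRN1003"},
    "nurse02": {"MRN2001", "MRN2002"},
}

def parse_log(text):
    """Split each log line into a dict; day and hour are derived from the timestamp."""
    events = []
    for line in text.splitlines():
        ts, user, mrn, action = line.split()
        events.append({"ts": ts, "day": ts[:10], "hour": int(ts[11:13]),
                       "user": user, "mrn": mrn, "action": action})
    return events

def rule_based_alerts(events, assigned, shift=(7, 19)):
    """Rule-based: flag any access to an unassigned patient or outside shift hours."""
    alerts = []
    for e in events:
        reasons = []
        if e["mrn"] not in assigned.get(e["user"], set()):
            reasons.append("no treatment relationship")
        if not (shift[0] <= e["hour"] < shift[1]):
            reasons.append("outside shift hours")
        if reasons:
            alerts.append((e["ts"], e["user"], e["mrn"], reasons))
    return alerts

def behavior_based_alerts(events, z_threshold=2.0):
    """Behavior-based: compare each user's daily distinct-patient count with that
    user's other days; flag a day whose z-score exceeds the threshold."""
    per_day = defaultdict(lambda: defaultdict(set))
    for e in events:
        per_day[e["user"]][e["day"]].add(e["mrn"])
    alerts = []
    for user, days in per_day.items():
        counts = {d: len(m) for d, m in days.items()}
        if len(counts) < 3:
            continue  # too little history to form a baseline
        for day, n in counts.items():
            others = [c for d, c in counts.items() if d != day]
            mu, sigma = mean(others), pstdev(others) or 1.0  # flat baseline guard
            z = (n - mu) / sigma
            if z > z_threshold:
                alerts.append((user, day, n, round(z, 2)))
    return alerts
```

Both checks flag the same 2 a.m. session, but for different reasons: the rule check fires per access because the patients are unassigned and the hour is outside the shift, while the behavior check fires once because six distinct charts in a day is far above that user's usual one.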

PHI of 28,000 Mental Health Patients Stolen by Healthcare Employee

Center for Health Care Services (CHCS) in San Antonio, a provider of mental health treatment and support services for individuals with intellectual and developmental disabilities, has discovered documents containing the protected health information of patients have been stolen by a former employee.

Breach notification letters have been sent to 28,434 patients who received services at CHCS before the summer of 2016 informing them of the breach.

The breach was only discovered on November 7, 2017, but the data theft occurred more than 17 months ago. The former employee was terminated on May 31, 2016, with the data downloaded onto a personal laptop after the individual was fired, according to a recent CHCS press release.

The breach came to light during discovery in a litigation case between the former employee and CHCS. No details have been released about the nature of the litigation.

The stolen documents contained a wide range of highly sensitive data on patients, including adults and children. The data included names, dates of birth, addresses, Social Security numbers, dates and types of services, medical record numbers, referral information, progress notes, medical diagnoses, medications prescribed, treatment plans, laboratory and toxicology reports, death certificates, autopsy reports, discharge dates, death summaries, and collateral hospital information.

The reason why the former employee took the data is unclear, although it does not appear that the information has been used for malicious purposes. CHCS believes the information has not been shared with any unauthorized individuals, other than the former employee’s attorneys. CHCS attorneys have also reportedly obtained a copy of the data.

According to the CHCS news release, patients are not believed to be at risk and there are no actions that need to be taken by patients as a result of the breach. Patients will be informed if the situation changes.

A spokesperson for CHCS said, “Attorneys for CHCS are seeking a protective order to prevent further disclosure of the information, and to verify deletion of the information as soon as the court permits.” CHCS is also taking steps to ensure security is improved to prevent future breaches of this nature from occurring.

Medical Records from Pennsylvania Obs/Gyn Clinic Found at Public Recycling Center

Paper files containing names, Social Security numbers, and medical histories, including details of cancer diagnoses and sexually transmitted diseases, have been dumped at a recycling center in Allentown, Pennsylvania.

The files appear to have come from Women’s Health Consultants, an obstetrics and gynecology practice that had centers in South Whitehall Township and Hanover Township, PA. Women’s Health Consultants is no longer in business.

How the records came to be dumped at the recycling center is unknown as the container where the records were disposed of was not covered by surveillance cameras.

The center does have a locked recycling container where sensitive documents containing confidential information can be disposed of securely, but that container was not used. The records were dumped in a container where they could be accessed by unauthorized individuals.

The person who discovered the files left an anonymous tip on the non-emergency line of the Allentown communication center. According to The Morning Call, a city employee visited the recycling center and pushed the records further into the container, so they were no longer visible. The container has since been loaded onto a truck and is no longer accessible by the public. The container will be sent on to a recycling company.

The privacy breach has been reported to the Pennsylvania attorney general’s office, although it is unclear whether an investigation into the incident has been launched.

HIPAA requires all physical records containing patients’ protected health information to be disposed of securely, rendering all information unreadable and indecipherable, so that it cannot be reconstructed. For paper records, this typically involves shredding, pulping, or burning the files. If that process is to occur off-site, the records should be secured in transit to ensure they cannot be accessed by unauthorized individuals.

The failure to dispose of records securely can attract a significant financial penalty, ranging from $100 to $50,000 per instance, up to a maximum of $1,500,000.

The Department of Health and Human Services’ Office for Civil Rights has already punished healthcare organizations for improperly disposing of medical records. In 2015, Cornell Prescription Pharmacy settled an improper disposal case with OCR for $125,000.

UAB Medicine Alerts 652 Patients of PHI Exposure

The UAB Medicine Viral Hepatitis Clinic in Birmingham, AL has experienced a breach of patients’ protected health information (PHI).

UAB Medicine uses flash drives to transfer data from its Fibroscan machine to a computer. On October 25, 2017, two flash drives were discovered to be missing. The portable storage devices contained a limited amount of PHI of 652 patients.

Information stored on the devices included first and last names, gender, birth dates, images and numbers relating to test results, medical diagnoses, names of referring physicians, and the dates and times of the examinations.

UAB Medicine has confirmed that no Social Security numbers, financial information, insurance details, addresses, or phone numbers were stored on the flash drives.

An extensive search of the Viral Hepatitis Clinic was conducted, but the flash drives could not be located. The investigation into the breach is continuing. It is not known whether the flash drives were accidentally disposed of, lost within the facility, or stolen. UAB Medicine therefore cannot say whether the PHI on the devices has been viewed by unauthorized individuals.

The breach of PHI has prompted UAB Medicine to review its policies and procedures and measures have been implemented to prevent similar incidents from occurring in the future. All patients affected by the incident were notified of the breach by mail this week.

Due to the limited nature of data that was exposed, patients are not believed to face a high risk of identity theft and fraud. As a precaution, patients have been advised to monitor their credit reports for any sign of fraudulent activity.

Since the possibility of unauthorized access of PHI cannot be ruled out, UAB Medicine is also offering patients impacted by the incident 12 months of credit monitoring and reporting services without charge.

Personal Information of New York Pharmacy Customers Exposed in Improper Disposal Incident

ShopRite Supermarkets, Inc., has announced that some of its pharmacy customers have been impacted by a security breach involving the improper disposal of a device used to capture customers’ signatures.

The device was used at the ShopRite Kingston, NY location between 2005 and 2015 and stored personal and medical information. All customers who visited the pharmacy and had prescriptions filled between 2005 and 2015 have potentially been impacted by the incident. For those customers, the device stored information such as names, phone numbers, prescription numbers, dates and times of pickup or delivery, zip codes, medication names, and customers’ signatures.

The device was also used for customers who bought an over-the-counter product containing pseudoephedrine. Those customers have had their driver’s license number, zip code, details of the product purchased, and personal and medical information exposed.

In the substitute breach notice posted on the Wakefern Food Corp. website, customers have been advised that the device was disposed of by accident in February 2016, although ShopRite only confirmed that a data security incident had occurred on October 13, 2017.

ShopRite has not received any reports to suggest the information on the device has been accessed or misused in any way, although customers have been advised to monitor their Explanation of Benefits statements from their insurers for any sign of fraudulent use of their data. Customers have also been advised to monitor their financial accounts for any sign of fraud, although ShopRite does point out that their Social Security numbers and financial data were not exposed at any point.

ShopRite has responded to the incident by reviewing its security policies in relation to devices that store personal information and the removal and secure deletion of data from those devices prior to disposal. Privacy and security training has also been provided to all pharmacy staff to help prevent further security breaches of this nature.

All customers impacted by the security breach have now been notified by mail.
