HIPAA Breach News

7,000 Patients Impacted by Extortion Attempt on Sports Medicine Provider

Posted by HIPAA Journal

Massachusetts-based Sports Medicine & Rehabilitation Therapy (SMART) has alerted 7,000 patients to a breach of their protected health information. Potentially, the breach impacted all patients whose information was recorded during a visit to a SMART center prior to December 31, 2016.

The breach, which occurred in September 2017, was an extortion attempt. Hackers gained access to SMART systems, allegedly stole data, and demanded a ransom payment to prevent the information from being released online.

No indication was provided in the breach notification letters to suggest the ransom was paid, although SMART has informed its patients that there is “no reason to believe that the data has been or will be used for further nefarious purposes.”

The matter has been investigated by the FBI and Homeland Security although the details of the investigations have not been released. An attempt was made by SMART to obtain a copy of the police report through the Freedom of Information Act, although at the time the notifications were sent, no copy had been received.

The information potentially stolen by the hackers did not include financial data or Social Security numbers, but insurance numbers and diagnostic codes were included in the stolen data set.

North Carolina DHHS Notifies 6,000 Patients of an Accidental Disclosure of PHI

The North Carolina Department of Health and Human Services has discovered a spreadsheet containing the protected health information of approximately 6,000 individuals was accidentally sent to a vendor in an unencrypted email. The breach was discovered on September 27, 2017.

The vendor in question was contacted and instructed to securely delete the spreadsheet attached to the email. NC DHHS has confirmed that the spreadsheet has been securely deleted, although affected individuals have been informed that potentially, the email could have been intercepted in transit by unauthorized individuals. The risk of interception of the email or the misuse of any information in the spreadsheet is believed to be low.

The spreadsheet contained information such as names, test results, and Social Security numbers of individuals who had undergone routine drug screening tests. The tests were conducted on individuals who had applied to NC DHHS for employment or intern and volunteer opportunities.

NC DHHS is conducting a review of policies and procedures to ensure similar incidents are prevented in the future.

The post 7,000 Patients Impacted by Extortion Attempt on Sports Medicine Provider appeared first on HIPAA Journal.

Cottage Health Fined $2 Million By California Attorney General’s Office

Posted by HIPAA Journal

Santa Barbara-based Cottage Health has agreed to settle a data breach case with the California attorney general’s office. Cottage Health will pay $2 million to resolve multiple violations of state and federal laws.

Cottage Health was investigated by the California attorney general’s office over a breach of confidential patient data in 2013. The breach was discovered by Cottage Health on December 2, 2013, when someone contacted the healthcare network and left a message on its voicemail system warning that sensitive patient information had been indexed by the search engines and was freely available via Google.

The sensitive information of more than 50,000 patients was available online, without any need for authentication such as a password and the server on which the information was stored was not protected by a firewall. The types of information exposed included names, medical histories, diagnoses, prescriptions, and lab test results. In addition to the individual who alerted Cottage Health to the breach, the server had been accessed by other individuals during the time that it was unsecured.

As is required under state laws, the incident was reported to state attorney general Kamala D. Harris. Two years later, while the attorney general’s office was investigating the incident, Cottage Health experienced a second breach. The second breach involved the records of 4,596 patients, and similarly, were left exposed and accessible online without any need for authentication.

The information was accessible for almost two weeks before the error was identified and protections put in place to prevent unauthorised access. The information exposed in the second breach included personally identifiable information and protected health information such as names, addresses, medical record numbers, account numbers, employment information, Social Security numbers, and admission and discharge dates.

Cottage Health claims that while both incidents resulted in the exposure of patient data, there are no indications to suggest any patient information was used inappropriately. The breaches prompted Cottage Health to review its information security controls and strengthen its policies, procedures, and security protections to prevent similar breaches from occurring in the future. In each case, the health network’s security teams acted quickly to limit harm and secure the exposed information. New system monitoring tools have now been implemented, and advanced security solutions are in place that allow vulnerabilities to be identified and mitigated much more rapidly.

The response to the breach may have been reasonable and appropriate, and protections now far better, but it is the lack of protections leading up to the data breaches that warranted a financial penalty. The California state attorney general’s office alleges that Cottage Health breached California’s Confidentiality of Medical Information Act, its Unfair Competition Law, and HIPAA Rules were also violated. According to the complaint, “Cottage failed to employ basic security safeguards.” Cottage Health was running outdated software, patches were not applied promptly, default configurations had not been changed, strong passwords were not used, access to sensitive PII was not limited, and regular risk assessments were not conducted.

Announcing the settlement, California Attorney General Xavier Becerra said, “When patients go to a hospital to seek medical care, the last thing they should have to worry about is having their personal medical information exposed,” Becerra explained that “The law requires health care providers to protect patients’ privacy. On both of these counts, Cottage Health failed.”

In addition to the $2 million settlement, Cottage Health is required to update and maintain information security controls and ensure security practices and procedures match industry standards.

Specifically, the judgement requires Cottage Health to:

  • Assess hardware and software for vulnerabilities to the confidentiality, integrity, and availability of patients’ medical information.
  • Update access controls and security settings as appropriate
  • Evaluate the response to and protections from external threats, including firewall security
  • Encrypt patients’ medical information in transit to industry standards
  • Maintain reasonable policies and protocols for all information practices regarding data retention, internal audits, security incident tracking reports, risk assessments, incident management, and remediation plan
  • Conduct periodic vulnerability scans and penetration tests to identify and assess vulnerabilities, and remediate any vulnerabilities discovered
  • Conduct employee training on the correct use and storage of patients’ medical information.

The post Cottage Health Fined $2 Million By California Attorney General’s Office appeared first on HIPAA Journal.

Second Unencrypted Laptop Stolen from Rocky Mountain Health Care Services

Posted by HIPAA Journal

Rocky Mountain Health Care Services of Colorado Springs has discovered an unencrypted laptop has been stolen from one of its employees. This is the second such incident to be discovered in the space of three months.

The latest incident was discovered on September 28. The laptop computer was discovered to contain the protected health information of a limited number of patients. The types of information stored on the device included first and last names, addresses, dates of birth, health insurance information, Medicare numbers, and limited treatment information.

The incident has been reported to law enforcement and patients impacted by the incident have been notified by mail.

Rocky Mountain Health Care Services, which also operates as Rocky Mountain PACE, BrainCare, HealthRide, and Rocky Mountain Options for Long Term Care, also discovered on June 18, 2017 that a mobile phone and laptop computer were stolen from a former employee. The devices contained names, dates of birth, addresses, limited treatment information, and health insurance details.

To date, only one of those incidents has appeared on the Department of Health and Human Services’ Office for Civil Rights breach portal. That incident, reported on November 16, indicates 909 patients were impacted. It is unclear whether this is the first or second laptop theft.

In response to the breaches, Rocky Mountain Health Care Services has been reviewing its policies and procedures with respect to the security of patient information and portable electronic devices, and is considering incorporating mobile device management technologies and data encryption for its portable electronic devices.

As the Office for Civil Rights breach portal shows, the loss and theft of unencrypted portable electronic devices is still a major cause of healthcare data breaches, and one that the use of data encryption technologies can easily prevent. So far in 2017, there have been 31 breaches reported by covered entities and business associates that have involved the loss or theft of unencrypted laptop computers and other portable electronic devices.

The post Second Unencrypted Laptop Stolen from Rocky Mountain Health Care Services appeared first on HIPAA Journal.

9,500 Patients Impacted by Medical College of Wisconsin Phishing Attack

Posted by HIPAA Journal

A Medical College of Wisconsin phishing attack has resulted in the exposure of approximately 9,500 patients’ protected health information. The attackers managed to gain access to several employees’ email accounts, which contained a range of sensitive information of patients and some faculty staff.

The types of information in the compromised email accounts included names, addresses, medical record numbers, dates of birth, health insurance details, medical diagnoses, treatment information, surgical information, and dates of service. A very limited number of individuals also had their Social Security numbers and bank account information exposed.

The incident occurred over the space of a week in the summer between July 21 and July 28 when spear phishing emails were sent to specific individuals at the Medical College of Wisconsin. Responding to those emails resulted in the attackers gaining access to email login credentials.

Medical College of Wisconsin brought in a computer forensics firm to conduct an investigation into the phishing attack, and while that investigation established that access to the email accounts was gained by unauthorized individuals, it was not possible to determine whether emails containing protected health information had been accessed or viewed, or if any sensitive information was stolen. Since the attack occurred, no reports of misuse of patient information have been received.

To protect individuals against identity theft and fraud, credit monitoring and identity theft restoration services have been offered to breach victims free of charge, but only to those individuals whose Social Security numbers were compromised.

Medical College of Wisconsin reports that in addition to some faculty staff and Medical College of Wisconsin patients, some individuals who received treatment at Children’s Hospital of Wisconsin and Froedtert Health have also been impacted by the breach.

The latest Medical College of Wisconsin phishing attack comes just 10 months after a similar incident resulted in the exposure of 3,200 patients’ protected health information.

The post 9,500 Patients Impacted by Medical College of Wisconsin Phishing Attack appeared first on HIPAA Journal.

November Healthcare Breach Barometer Report Highlights Seriousness of Insider Data Breaches

Posted by HIPAA Journal

Protenus has released its November 2017 healthcare Breach Barometer Report. After a particularly bad September, healthcare data breach incidents fell to more typical levels, with 37 breaches tracked in October.

The monthly summary of healthcare data breaches includes incidents reported to the Department of Health and Human Services’ Office for Civil Rights (OCR), and incidents announced via the media and tracked by databreaches.net.

Those incidents include several breaches that have yet to be reported to OCR, including a major breach that has impacted at least 150,000 individuals – The actual number of individuals impacted will not be known until the investigation has been completed. The numbers of individuals impacted by 8 breaches have not yet been disclosed.

Including the 150,000 individuals impacted by largest breach of the month, there were 246,246 victims of healthcare data breaches in October 2017 – the lowest monthly total since May 2017.

The healthcare industry has historically recorded a higher than average number of data breaches due to insiders, although over the past few months hacking has been the leading cause of breaches. That trend has continued in October. Hacking was behind 35.1% of all incidents, insider incidents accounted for 29.7% of the total, with the loss and theft of devices behind 16.2% of incidents. The causes of the remaining 18.9% of breaches is not yet known.

While hacking incidents usually result in more records being exposed or stolen, in October insider errors exposed more healthcare data. 65% of all breached records involved insider errors.

157,737 individuals had their PHI exposed due to insider errors and insider wrongdoing, while hacks resulted in the theft of 56,837 individuals’ PHI. Protenus notes that three incidents were due to the hacking group TheDarkOverlord.

In total, there were 11 breaches that were the result of insiders – five  due to errors and six due to insider wrongdoing. The biggest breach involving insider error was the failure to secure an AWS S3 bucket, resulting in the exposure of 316,363 PDF reports – containing the PHI of at least 150,000 individuals: One of two such incidents reported in October that involved unsecured AWS S3 buckets.

Another insider incident involved the mailing of flyers to individuals where PHI was visible through the envelope – A major incident that potentially caused considerable harm, as the information viewable related to patients’ HIV status.

The average time taken from breach to discovery was 448 days in October. The median time was 304 days, showing healthcare organizations are still struggling to detect data breaches rapidly.

Two HIPAA-covered entities reported breaches to OCR well outside the 60-day deadline stipulated in the HIPAA Breach Notification Rule. One of those incidents was reported three years after the breach was detected. In that case, the breach involved a nurse who was stealing patient records and using the information to file false tax returns. The median time from discovery to reporting was 59 days.

Healthcare providers reported 29 incidents, there were 7 incidents reported by health plans, one breach was reported by a school. Four incidents were known to involve a business associate.

California and Florida were the worst hit states in October with four incidents apiece, followed by Texas and New York.

The post November Healthcare Breach Barometer Report Highlights Seriousness of Insider Data Breaches appeared first on HIPAA Journal.

Suspected Phishing Attack on UPMC Susquehanna Exposes 1,200 Patients’ PHI

Posted by HIPAA Journal

UPMC Susquehanna, a network of hospitals and medical centers in Williamsport, Wellsboro, and Muncy in Pennsylvania, has announced that the protected health information of 1,200 patients has potentially been accessed by unauthorized individuals. Access to patient information is believed to have been gained after an employee responded to a phishing email.

While details of the breach date have not been released, UPMC Susquehanna says it discovered the breach on September 21, when an employee reported suspicious activity on their computer. An investigation was launched, which revealed unauthorized individuals had gained access to that individual’s device.

It is not known whether the attacker viewed, stole, or misused any patient information, but the possibility of data access and misuse could not be ruled out. The information potentially accessed includes names, contact information, dates of birth, and Social Security numbers.

The individuals potentially impacted by the incident had previously received treatment at various UPMC Susquehanna hospitals including Muncy Valley Hospital, UPMC Susquehanna Lock Haven, Sunbury Community Hospital, Soldiers and Sailors Memorial Hospital in Wellsboro, Williamsport Regional Medical Center and Divine Providence Hospital in Williamsport.

UPMC Susquehanna responded quickly to the breach, terminating unauthorized access. Staff have also been provided with “intensive retraining” on hospital policies and appropriate federal and state laws to prevent any recurrence. UPMC Susquehanna stated this training was in addition to the annual training sessions already provided to all staff members on the privacy and confidentiality of patient health information. UPMC Susquehanna has also conducted a complete review of its policies and procedures for keeping patient information secure.

All patients impacted by the incident have been offered complimentary identity theft protection services and have now received notifications in the mail. Patients have also received instructions on the steps they can take to protect their accounts and credit in case their information is misused.

The post Suspected Phishing Attack on UPMC Susquehanna Exposes 1,200 Patients’ PHI appeared first on HIPAA Journal.

Florida Blue Data Breach Impacts 939 Individuals

Posted by HIPAA Journal

Blue Cross and Blue Shield of Florida, dba Florida Blue, has announced that the personally identifiable information of a limited number of insurance applicants has been exposed online.

Florida Blue was alerted to the exposure of patient data in late August and immediately launched an investigation. Florida Blue reports that the investigation revealed 475 insurance applications had been backed up to the cloud by an unaffiliated insurance agent, Real Time Health Quotes (RTHQ).

The data backup included agency files and copies of health, dental, and life insurance applications from 2009 to 2014. Those files were left vulnerable as an unsecured cloud server was used to store the backup files. Consequently, those files could have been accessed by the public via the Internet.

While data access and theft of personally identifiable information remains a possibility, Florida Blue has received no reports that any of the exposed information has been used for malicious purposes.

The files contained information such as the names of applicants, dates of birth, demographic information, medical histories, Social Security numbers, and limited banking and payment information. Following the discovery that information had been left unsecured, RTHQ took steps to address the vulnerability and the information is no longer accessible by unauthorized individuals.

The incident was discovered by Florida Blue on August 30, 2017, and patients were notified of the breach by mail in late October. Even though Florida Blue was not responsible for the breach, and has no affiliation with RTHQ, affected applicants have been contacted and offered two years of identity theft protection services without charge. Florida Blue said it is still investigating the incident, and is trying to find out how RTHQ acquired the application information and why the information was stored on an unsecured cloud server.

The breach report submitted to the Department of Health and Human Services’ Office for Civil Rights indicates 939 individuals have been impacted by the incident.

The post Florida Blue Data Breach Impacts 939 Individuals appeared first on HIPAA Journal.

Boxes of Medical Records Stolen from New Jersey Medical Practice

Posted by HIPAA Journal

Otolaryngology Associates of Central Jersey is alerting patients to a breach of their protected health information, following a burglary at an off-site storage facility in East Brunswick, NJ.

The thieves took 13 boxes of paper medical records from the facility, which included information such as names, addresses, health insurance account numbers, birth dates, dates of military service, and the names of treating physicians. A limited number of driver’s license numbers and Social Security numbers were also included in the stolen records.

The burglary was quickly identified and law enforcement was notified. An internal investigation was launched, and steps were taken to reduce the likelihood of similar breaches occurring in the future.

The medical records were being stored in accordance with state and federal laws, and related to past patients that had received treatment at either of Otolaryngology Associates of Central Jersey’s two facilities in East Brunswick and Franklin townships. All affected individuals have now been notified of the breach.

While the perpetrators of many burglaries are never caught, a suspect is now in custody. That individual, Fernando Rios, 33, of Sayreville, was arrested in connection with the burglary after law enforcement received a tip off after Rios attempted to sell the records. The person who Rios offered the records to contacted the U.S Department of Homeland Security and the records were handed over.

Since the stolen records were promptly recovered, Otolaryngology Associates of Central Jersey believes the risk of patient data being used inappropriately is low.

Rios has been charged with second degree trafficking in personally identifiable information, second degree identity theft, and third-degree burglary. Rios faces a minimum jail term of 5 years.

The incident has been reported to the Department of Health and Human Services’ Office for Civil Rights, but has yet to appear on the OCR breach portal. Mycentraljersey.com claims the boxes of files contained approximately 1,000 patient records.

The post Boxes of Medical Records Stolen from New Jersey Medical Practice appeared first on HIPAA Journal.

October 2017 Healthcare Data Breaches

Posted by HIPAA Journal

In October 2017, there were 27 healthcare data breaches reported to the Department of Health and Human Services’ Office for Civil Rights. Those data breaches resulted in the theft/exposure of 71,377 patient and plan member records. October saw a significant fall in the number of reported breaches compared to September, and a major fall in the number of records exposed.

Healthcare data breaches by month (July-October 2017)

October saw a major reduction in the number of breached records, with the monthly total almost 85% lower than September and almost 88% lower than the average number of records breached over the preceding three months.

healthcare records breached July-October 2017

Healthcare providers were the worst hit in October with 19 reported data breaches. There were six data breaches reported by health plans and at least two incidents involved business associates of HIPAA-covered entities.

October 2017 Healthcare Data Breaches by Covered Entity Type

October 2017 healthcare data breaches by covered entity type

Main Causes of October 2017 Healthcare Data Breaches

Unauthorized access/disclosures were the biggest causes of healthcare data breaches in October. There were 14 breaches reported involving unauthorized access/disclosures, 8 hacking incidents, four cases of theft, and one unencrypted laptop computer was lost.

cause of october 2017 healthcare data breaches

Unauthorized access/disclosures were the leading causes of October 2017 healthcare data breaches, although hacking/IT incidents exposed more records – Over twice the number of records exposed by unauthorized access/disclosures and hacking/IT incidents exposed more records than all other breach types combined.

october 2017 healthcare data breaches - records exposed

Location of Exposed and Stolen Protected Health Information

Email was the most common location of breached PHI in October. Five of the nine incidents involving email were the result of hacking/IT incidents such as phishing. The remaining four incidents were unauthorized access/disclosures such as healthcare employees sending emails containing PHI to incorrect recipients. Five incidents involved paper records, highlighting the importance of securing physical records as well as electronic protected health information.

october 2017 healthcare data breaches - location of breached PHI

October 2017 Healthcare Data Breaches by State

In October, healthcare organizations based in 22 states reported data breaches. The state that experienced the most data breaches was Florida, with 3 reported breaches. Maryland, Massachusetts, and New York each had two breaches.

Alabama, Arizona, California, Connecticut, Georgia, Iowa, Illinois, Kansas, Kentucky, Louisiana, Missouri, North Carolina, Ohio, Rhode Island, Tennessee, Texas, Virginia, and Washington each had one reported breach.

Largest Healthcare Data Breaches in October 2017

 

Breached Entity Entity Type Breach Type Individuals Affected
Chase Brexton Health Care Healthcare Provider Hacking/IT Incident 16,562
East Central Kansas Area Agency on Aging Business Associate Hacking/IT Incident 8,750
Brevard Physician Associates Healthcare Provider Theft 7,976
MHC Coalition for Health and Wellness Healthcare Provider Theft 5,806
Catholic Charities of the Diocese of Albany Healthcare Provider Hacking/IT Incident 4,624
MGA Home Healthcare Colorado, Inc. Healthcare Provider Hacking/IT Incident 2,898
Orthopedics NY, LLP Healthcare Provider Unauthorized Access/Disclosure 2,493
Mann-Grandstaff VA Medical Center Healthcare Provider Theft 1,915
Arch City Dental, LLC Healthcare Provider Unauthorized Access/Disclosure 1,716
John Hancock Life Insurance Company (U.S.A.) Health Plan Unauthorized Access/Disclosure 1,715

The post October 2017 Healthcare Data Breaches appeared first on HIPAA Journal.