HIPAA Breach News

Texas and Pennsylvania Data Breaches Exposed More than 5,000 Patients’ PHI

Posted by HIPAA Journal

Midland Memorial Hospital in Midland, TX, and Washington Health System Greene in Waynesburg, PA, have announced they have discovered patients’ protected health information has been exposed.

Washington Health System Greene Discovers Hard Drive Missing

Washington Health System Greene is alerting 4,145 patients that some of their protected health information has been exposed after a hard drive was discovered to be missing.

A portable hard drive used with a bone densitometry machine in the Radiology department was discovered to be missing on October 11, 2017. While it is possible that the hard drive may have been misplaced, a search of the hospital did not uncover the device, and the missing device has been reported to the Pennsylvania State Police Department as a potential theft.

The device contained information on patients who visited the hospital for bone density scans between 2007 and October 11, 2017. The information stored on the device was limited to names, height, weight, race, and gender, while some patients also had details of health issues, the name of their prescribing physician, and medical record numbers stored on the device. No financial information, Social Security numbers, insurance details, or other highly sensitive information was exposed.

As required by HIPAA, patients have been notified of the breach. Due to the limited nature of data exposed, even if the device has been stolen, Washington Health Greene does not believe patients are at risk of identity theft or fraud.

Midland Memorial Hospital Discovers Email Account Compromise

Midland Memorial Hospital has experienced a breach of a limited amount of patients’ protected health information. More than 1,000 patients are understood to have been affected.

Midland Memorial Hospital discovered an unauthorized individual gained access to the email account of an employee at the hospital, in what appears to be an attempted Business Email Compromise (BEC) attack. The aim of the attacker appeared to be to fool employees into making bank account transfers to an inappropriate bank account.

The breach was discovered on October 13, 2017, with access to the email account believed to have been gained on or around October 10.  Upon discovery of the security breach, access the email account was terminated and a full investigation was conducted. The email account was determined to contain some protected health information including first and last names, medical record numbers, account numbers, and information relating to radiology procedures that had been performed at the hospital between August and September 2017. No financial information, driver’s license numbers, or Social Security numbers were exposed, and no evidence has been uncovered to suggest any patient information has been used inappropriately.

Midland Memorial Hospital has taken steps to prevent further incidents of this nature from occurring, including revising policies and procedures and retraining staff.

The post Texas and Pennsylvania Data Breaches Exposed More than 5,000 Patients’ PHI appeared first on HIPAA Journal.

Illinois Physicians Network Discovers Paper Records Missing from Storage Facility

Posted by HIPAA Journal

Over the past two months there have been several data breaches reported by HIPAA-covered entities involving the loss or theft of physical records. In November, 7 breaches involving paper records were reported to the HHS’ Office for Civil Rights, and a further 5 incidents were reported the previous month.

Now another incident has been reported in Illinois. Franciscan Physician Network of Illinois and Specialty Physicians of Illinois LLC have discovered payment records that were kept in a storage facility are missing. The storage facility in Chicago Heights was shared by both physician groups.

The loss/theft of the paperwork is one of the largest breaches of the past few months, potentially impacting as many as 22,000 patients. The payment records were from 2015-2017 and 2010.

The boxes of files were confirmed as missing on November 21, 2017, with notifications issued on December 13, 2017. The loss of files was discovered following a routine records request, but the records could not be located. An inventory of the storage facility was conducted, and 40 boxes of files were determined to be missing and potentially stolen.

The records only contained a limited amount of patient information related to payments received, and included names and addresses, payment methods, payment amounts, office location, and the last four digits of credit card numbers. For a limited number of patients who paid their bill by check, their routing number, bank account number and Social Security number were also present in the files.

Some of the records from 2010 may also have included insurance ID numbers, facility-assigned account numbers, dates of birth, type of visit, diagnoses, provider names and addresses, dates of service, descriptions of services provided, and procedure codes.

While it is a possibility that the files have been stolen, foul play is not suspected. Out of an abundance of caution, individuals impacted by the incident have been offered two years of identity theft protection services without charge.

The post Illinois Physicians Network Discovers Paper Records Missing from Storage Facility appeared first on HIPAA Journal.

November 2017 Healthcare Data Breach Report

Posted by HIPAA Journal

In November 2017, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) received 21 reports of healthcare data breaches that impacted more than 500 individuals; the second consecutive month when reported breaches have fallen.

healthcare data breaches by month (November 2017)

While the number of breaches was down month on month, the number of individuals impacted by healthcare data breaches increased from 71,377 to 107,143.

breached healthcare records November 2017

Main Causes of November 2017 Healthcare Data Breaches

In November there was an even spread between hacking/IT incidents, unauthorized disclosures, and theft/loss of paper records or devices containing ePHI, with six breaches each. There were also three breaches reported involving the improper disposal of PHI and ePHI. Two of those incidents involved paper records and one involved a portable electronic device.

The two largest data breaches reported in November – the 32,000-record breach at Pulmonary Specialists of Louisville and the 16,474-record breach at Hackensack Sleep and Pulmonary Center – were both hacking/IT incidents. The former involved an unauthorized individual potentially gaining access to electronic medical records, while the latter was a ransomware attack.

Seven of the 21 breaches reported in November impacted more than 5,000 individuals. The mean breach size was 5,102 records. The median breach size was 1,551 records.

 

causes of healthcare data breaches November 2017

records exposed by breach type

Location of Exposed and Stolen Protected Health Information

The OCR breach reports show the importance of implementing physical safeguards to ensure the confidentiality of paper records. In November, one third of reported data breaches (7 incidents) involved paper/films. Last month there were five reported incidents involving paper records.

A recent Accenture/HIMSS Analytics survey revealed email was the most common vector in cyberattacks on healthcare organizations. That was the case in October when email was the common location of breached data. In November, email was the second most common location of breached PHI behind paper films, with four email-related breaches reported.  There was an even spread between all other locations of breached PHI.

Location of PHI in November 2017 healthcare data breaches

 

November 2017 Healthcare Data Breaches by Covered Entity Type

November 2017 saw 19 data breaches reported by healthcare providers and two breaches affecting health plans. The breach reports indicate no business associates of covered entities were involved in any incidents reported in November.

 November 2017 Healthcare Data Breaches by Covered Entity Type

 

Largest Healthcare Data Breaches of November 2017

 

Breached Entity Entity Type Breach Type Individuals Affected
Pulmonary Specialists of Louisville, PSC Healthcare Provider Hacking/IT Incident 32,000
Hackensack Sleep and Pulmonary Center Healthcare Provider Hacking/IT Incident 16,474
Shop-Rite Supermarkets, Incorporated Healthcare Provider Improper Disposal 12,172
The Medical College of Wisconsin, Inc. Healthcare Provider Hacking/IT Incident 9,500
Valley Family Medicine Healthcare Provider Unauthorized Access/Disclosure 8,450
Sports Medicine & Rehabilitation Therapy, Inc. Healthcare Provider Hacking/IT Incident 7,000
Humana Inc Health Plan Unauthorized Access/Disclosure 5,764
Alere Toxicology Healthcare Provider Unauthorized Access/Disclosure 2,146
Family & Cosmetic Dentistry of the Rockies Healthcare Provider Improper Disposal 1,850
Aetna Inc. Health Plan Unauthorized Access/Disclosure 1,600

 

November 2017 Healthcare Data Breaches by State

The reported breaches in November were spread across 15 states. The states worst affected were Kentucky and Massachusetts with 3 breaches apiece, followed by Colorado and New Jersey each with 2 breaches. One breach was reported by healthcare organizations based in Alabama, California, Connecticut, Florida, Indiana, New York, Pennsylvania, Texas, Virginia, Washington, and Wisconsin.

The post November 2017 Healthcare Data Breach Report appeared first on HIPAA Journal.

Noncompliance with HIPAA Costs Healthcare Organizations Dearly

Posted by HIPAA Journal

Noncompliance with HIPAA can carry a significant cost for healthcare organizations, yet even though the penalties for HIPAA violations can be considerable, many healthcare organizations have substandard compliance programs and are violating multiple aspects of HIPAA Rules.

The Department of Health and Human Services’ Office for Civil Rights (OCR) commenced the much delayed second phase of HIPAA compliance audits last year with a round of desk audits, first on healthcare organizations and secondly on business associates of covered entities.

Those desk audits revealed many healthcare organizations are either struggling with HIPAA compliance, or are simply not doing enough to ensure HIPAA Rules are followed.

The preliminary results of the desk audits, released by OCR in September, showed healthcare organizations’ compliance efforts were largely inadequate. 94% of organizations had inadequate risk management plans, 89% were rated as inadequate on patients’ right to access their PHI, and 83% had performed inadequate risk analyses. It would appear that for many healthcare organizations, little has changed since the first phase of compliance audits were conducted in 2011/2012. Noncompliance with HIPAA is still widespread.

A few years ago, the risk of the discovery of a HIPAA violation was relatively low. Even when HIPAA violations were discovered, OCR rarely issued financial penalties. Similarly, even though the HITECH Act permits state attorneys general to issue fines for HIPAA violations, relatively few have exercised that right.

Today, the risk of HIPAA violations being discovered is significantly higher. Patients are now much more knowledgeable about their rights under HIPAA, and OCR has made it easy for them to file complaints about suspected HIPAA violations. HIPAA complaints are investigated by OCR.

The rise in cyberattacks on healthcare organizations mean data breaches are now far more likely to occur. A recent study by HIMSS Analytics/Mimecast showed 78% of healthcare organizations have experienced a ransomware or malware attack in the past 12 months, while an Accenture/AMA report showed 83% of physicians have experienced a cyberattack.

OCR investigates all breaches of more than 500 records to determine whether HIPAA Rules are being followed. When a breach occurs, organizations’ HIPAA compliance programs will be scrutinized.

OCR has also stepped up enforcement of HIPAA Rules and financial penalties are far more common. Since January 1, 2016, there have been 20 settlements reached between OCR and HIPAA covered entities and their business associates, and two civil monetary penalties issued.

OCR has yet to state whether financial penalties will be pursued as a result of the HIPAA audits, but OCR is not expected to turn a blind eye to major HIPAA failures. Multiple violations of HIPAA Rules could well see financial penalties pursued.

The higher likelihood of a data breach occurring or a complaint being filed means noncompliance with HIPAA is likely to be discovered. But what are the costs of noncompliance with HIPAA? What are the incentives for ensuring all HIPAA Rules are followed?

The Cost of Noncompliance with HIPAA

The high cost of HIPAA noncompliance has been summarized in the infographic below:

 

The Cost of Noncompliance with HIPAA

The post Noncompliance with HIPAA Costs Healthcare Organizations Dearly appeared first on HIPAA Journal.

AMA Study Reveals 83% of Physicians Have Experienced a Cyberattack

Posted by HIPAA Journal

Following the HIMSS Analytics/Mimecast survey that revealed 78% of healthcare organizations have experienced a ransomware or malware attack in the past 12 months, comes a new report on healthcare cybersecurity from the American Medical Association (AMA) and Accenture.

The Accenture/AMA survey was conducted on 1,300 physicians across the United States and aimed to take the ‘physician’s pulse on cybersecurity.’ The survey confirmed that it is no longer a case of whether a cyberattack will be experienced, it is just a matter of when cyberattacks will occur and how frequently.

83% of physicians who took part in the survey said they had previously experienced a cyberattack. When asked about the nature of the cyberattacks, the most common type was phishing. 55% of physicians who had experienced a cyberattack said the incident involved phishing – A similar finding to the HIMSS Analytics survey which revealed email was the top attack vector in healthcare.

48% of physicians who experienced a cyberattack said computer viruses such as malware and ransomware were involved. Physicians at medium to large practices were twice as likely to experience those types of cyberattacks than those at small practices.

When cyberattacks occur, they can result in considerable downtime. 64% of physicians said they experienced up to 4 hours of downtime following an attack, while 29% of physicians at medium-sized practices experienced downtime of up to one day.

Given the frequency of cyberattacks and the difficulty physician practices have at preventing those attacks, it is not surprising that the threat of attack is a major cause of concern. 55% of physicians were very or extremely worried about further cyberattacks at their practice. 74% said they were most concerned that future attacks would disrupt clinical practices and the same percentage were concerned that cyberattacks would result in breaches of patients’ protected health information. 53% were concerned that cyberattacks would have an impact on patient safety.

Physicians are aware that HIPAA compliance is important for cybersecurity, but simply doing the minimum and ensuring HIPAA requirements are met is not sufficient to prevent attacks. 83% of physicians said a more holistic approach to prioritizing risks is required than simply complying with HIPAA.

Kaveh Safavi, head of Accenture’s global practice said “Physician practices should not rely on compliance alone to enhance their security profile. Keeping pace with the sophistication of cyberattacks demands that physicians strengthen their capabilities, build resilience and invest in new technologies to support a foundation of digital trust with patients.”

Interestingly, while 87% of physicians believed their practice was compliant with HIPAA Rules, two thirds of physicians still have basic questions about HIPAA, suggesting their compliance programs may not be quite as comprehensive as they believe.

While the sharing of ePHI can introduce new risks, 85% believed PHI sharing was important, and 2 in 3 physicians thought that more access to patient data could improve the care provided to patients.

“New research shows that most physicians think that securely exchanging electronic data is important to improve health care. More support from the government, technology and medical sectors would help physicians with a proactive cybersecurity defense to better ensure the availability, confidentially and integrity of health care data,” said AMA President David. O. Barbe.

The post AMA Study Reveals 83% of Physicians Have Experienced a Cyberattack appeared first on HIPAA Journal.

Email Top Attack Vector in Healthcare Cyberattacks

Posted by HIPAA Journal

A recent study conducted by HIMSS Analytics for email security firm Mimecast has revealed 78% of healthcare organizations have experienced a ransomware or malware attack in the past 12 months.

Far from ransomware or malware attacks being occasional events, many of the healthcare organizations that participated in the survey have experienced more than a dozen malware or ransomware attacks in the past year.

While there are several possible ways that ransomware and malware can be installed, healthcare providers rated email as the number one attack vector.

When asked to rank attack vectors, Email was rated as the most likely source of a data breach by 37% of respondents, with the second most likely source of a data breach being ‘other portable devices’, ranked as the main threat by 10% of organizations.

59% of organizations ranked email first, second, or third as the most likely attack vector. In second place was laptops, which were ranked 1, 2, or 3 by 44% of organizations.

Given the frequency of email based attacks this year, it is no surprise that healthcare organizations believe email-related security attacks will continue to cause problems, and that they are likely to increase or significantly increase in the future.

A recent study conducted by Malwarebytes showed ransomware attacks are already 62% more prevalent that 2016, and have occurred at almost 2,000 times the rate in 2015. The 2017 Verizon Data Breach Report suggests 72% of all malware used to target the healthcare industry is ransomware.

Those findings were backed up by the HIMSS Analytics survey. Ransomware was seen as the most serious threat by 83% of respondents. Malware was rated second, followed by spear phishing attacks and Business Email Compromise (BEC) attacks.

The importance of securing email is clear. Email is used to communicate protected health information by approximately 80% of healthcare organization. Email is also rated as an essential communication tool and is considered critical by 93% of respondents, while 43% said email was mission critical and that their organization could not tolerate email downtime.

It is understandable given the frequency of email-based attacks and the importance of email in healthcare that organizations have a high level of concern about cybersecurity and their ability to repel email-based attacks.

Resilience to ransomware and malware attacks was rated as the top initiative for building a cyber resilience strategy, while training employees to be more security aware is the second highest priority over the following 12 months. Securing email was third.

David Hood, Cyber Resilience Strategist for Healthcare at Mimecast said, “This survey clearly demonstrates that email is a mission-critical application for healthcare providers and that cyberthreats are real and growing – surprisingly, even more so than the threats to Electronic Medical Records (EMRs), laptops and other portable electronic devices. It’s encouraging that protecting the organization and training employees are top initiatives for next year, but the survey suggests the industry has work to do.”

Mimecast provided five suggestions on how healthcare organizations can reduce the risk of email-based threats:

  1. Train employees on the risks associated with email and provide real-time reminders rather than relying on an annual training session.
  2. Analyze all inbound email attachments and scan for malware and malware downloaders
  3. Implement a web filtering solution to check URLs when a user clicks, not just at the point emails enter the organization.
  4. Inspect outbound emails and check that protected health information is not being sent to individuals unauthorized to receive it, and also to check emails to determine whether email accounts may have been compromised.
  5. Finally, it is essential that data backups are regularly performed to ensure that in the event of a ransomware attack, healthcare organizations do not face data loss and are not forced to pay ransoms.

The post Email Top Attack Vector in Healthcare Cyberattacks appeared first on HIPAA Journal.

Oklahoma Health Department Re-Notifies 47,000 of 2016 Data Breach

Posted by HIPAA Journal

In April 2016, the Oklahoma Department of Human Services experienced a data breach, and while notifications were sent to affected individuals and the DHS’ Office of Inspector General shortly after the breach was detected, a breach notice was not submitted to the HHS’ Office for Civil Rights – A breach of HIPAA Rules.

Now, more than 18 months after the 60-day reporting window stipulated in the HIPAA Breach Notification Rule has passed, OCR has been notified. OCR has instructed the Oklahoma Department of Human Services to re-notify the 47,000 Temporary Assistance for Needy Families clients that were impacted by the breach to meet the requirements of HIPAA.

The breach in question occurred in April 2016 when an unauthorized individual gained access to a computer at Carl Albert State College in Poteau, Oklahoma. The computer contained records of current and former Temporary Assistance for Needy Families clients. The data on the server included names, addresses, dates of birth, and Social Security numbers.

Once the breach was identified, Carl Albert State College secured its systems to prevent further access and implemented new controls to monitor for potential breaches. In May 2016, the HHS Office of Inspector General was notified of the breach, and breach notification letters were sent to all individuals impacted by the attack in August 2016. However, no breach report was sent to the HHS’ Office for Civil Rights.

Now, not only must the Oklahoma Department of Human Services cover the cost of re-notifying 47,000 clients, overlooking the requirements of HIPAA to notify the HHS Secretary of the breach places the health department at risk of a considerable fine for non-compliance.

Earlier this year, OCR sent a message to all healthcare organizations that HIPAA Breach Notification Rule failures would not be tolerated when Presense Health was fined $475,000 for unnecessarily delaying the issuing of breach notification letters. Notifications were issued one month after the 60-day Breach Notification Rule deadline.

The post Oklahoma Health Department Re-Notifies 47,000 of 2016 Data Breach appeared first on HIPAA Journal.

UNC Health Care Breach Potentially Impacts 24,000 Patients

Posted by HIPAA Journal

A computer used by UNC Dermatology & Skin Cancer Center in Chapel Hill, NC, has been stolen, exposing the protected health information of approximately 24,000 patients.

The computer was stolen by thieves during a burglary on October 8, 2017. UNC Health Care said a database on the stolen computer contained the protected health information of patients who had previously visited the Burlington Dermatology Center at 1522 Vaughn Road. UNC Healthcare took over the practice in September 2015, and details of patients who had visited the center for treatment prior to September 2015 were stored in the password-protected database.

Since the database requires a password to gain access to patient information, it is possible that no PHI has been disclosed. However, since passwords can be guessed, and the database was not encrypted, patients are being notified of the potential privacy breach to meet HIPAA and N.C. Identity Theft Act requirements.

The database contained information such as names, addresses, phone numbers, dates of birth, Social Security numbers, and the employment status of patients and the names of employers at the time of their visit. While it is possible that diagnosis codes were also present in the database, UNC Health Care does not believe details of diagnoses, treatments, and prescriptions have been exposed.

The burglary has been reported to law enforcement and an investigation is ongoing, but the stolen computer has not been recovered to date.

As a precaution against identity theft and fraud, all patients impacted by the breach have been offered credit monitoring services for 12 months without charge.

CCRM Minneapolis Alerts Patients of Ransomware Attack

CCRM Minneapolis, P.C., has experienced a ransomware attack that has potentially allowed the attackers to gain access to the protected health information of 3,280 patients.

The attack occurred on or around October 3, 2017. While data access and PHI theft are not suspected, and no evidence was uncovered to suggest this was anything other than an extortion attempt involving the encryption of data, CCRM Minneapolis reports that data stored on the compromised server may have been viewed.

Data potentially exposed includes names, phone numbers, addresses, dates of birth, email addresses, driver’s license numbers, Social Security numbers, medical records, and insurance identification numbers.

The post UNC Health Care Breach Potentially Impacts 24,000 Patients appeared first on HIPAA Journal.

11,350 Sinai Health System Patients Potentially Impacted by Phishing Attack

Posted by HIPAA Journal

The email accounts of two employees of Chicago’s Sinai Health System have been compromised in a recent phishing attack.

Sinai Health System reports that the phishing attack occurred on October 2, and that it was quickly identified and mitigated. Access to the compromised accounts was possible only for a matter of hours. Cybersecurity experts were called in to assist with the investigation, and while the possibility of PHI access cannot be ruled out, the risk faced by patients is believed to be low.

No evidence has been uncovered to suggest any financial information was accessed, although an analysis of the email accounts revealed a range of protected health information of 11,350 patients was contained in the email accounts and could potentially have been viewed.

As a precaution against identity theft and fraud, patients impacted by the breach have been offered identity theft protection and credit monitoring services free of charge for 12 months.

Mitigating the Ever-present Threat from Phishing

Phishing is the biggest cybersecurity threat faced by organizations, with the healthcare industry often targeted by cybercriminals.

A recent study from IronScales shows that between 90% and 95% of successful breaches are the result of phishing. Research conducted by anti-phishing vendor PhishMe similarly suggest more than 90% of data breaches start with a phishing email.

Even with multi-layered phishing defenses, some emails will make it past perimeter defenses and will be delivered to end users’ inboxes. It is therefore important to provide security awareness training to employees. Not only will training help to improve the phishing email identification skills of employees and will help to prevent costly data breaches, it is also a requirement of HIPAA.

In its July Cybersecurity Newsletter, OCR reminded HIPAA-covered entities of the importance of providing regular training to employees. The newsletter came after a spate of phishing incidents reported by healthcare providers. The past couple of weeks have several further data breaches caused by phishing, underscoring the need for continuous training of healthcare employees.

While HIPAA does not stipulate how often security awareness training should be provided, OCR suggests that many healthcare organizations are providing biannual training sessions, with regular newsletters issued on specific threats and to maintain awareness of the risks from phishing. Using a combination of computer-based training, classroom sessions, newsletters, posters, and phishing simulation exercises, covered entities and their business associates can improve security awareness of the workforce.  Alongside spam filters and other anti-phishing technologies, organizations can reduce the risk from phishing to a low and acceptable level.

A recent State of the Phish Report from Wombat Security Technologies suggests that while employees are getting better at identifying phishing emails as a result of security awareness training, many organizations are failing to implement effective employee security awareness training programs.

24% of respondents of a recent survey failed to identify phishing emails – An improvement from the 28% of failures last year, but still a major cause for concern. The State of the Phish report also highlighted the need for continuous security awareness training. Last year when the survey was conducted, respondents scored particularly highly on questions relating to safe Internet access, yet there was a sharp fall in risk awareness in this category a year later. If training is not regularly reinforced, basic security practices can be all too easily forgotten.

The post 11,350 Sinai Health System Patients Potentially Impacted by Phishing Attack appeared first on HIPAA Journal.