HIPAA Breach News

47GB of Medical Records and Test Results Found in Unsecured Amazon S3 Bucket

Researchers at Kromtech Security have identified another unsecured Amazon S3 bucket used by a HIPAA-covered entity. The unsecured Amazon S3 bucket contained 47.5GB of medical data relating to an estimated 150,000 patients.

The medical data in the files included blood test results, physicians’ names, case management notes, and the personal information of patients, including their names, addresses, and contact telephone numbers. The researchers said many of the stored documents were PDF files containing information on multiple patients who were having weekly blood tests performed.

In total, approximately 316,000 PDF files were freely accessible. The tests had been performed in patients’ homes, as requested by physicians, by Patient Home Monitoring Corporation. Kromtech researchers said the data could be accessed without a password: anyone with an Internet connection who knew where to look could have accessed all 316,000 files. Whether any unauthorized individuals viewed or downloaded the files is not known, and the researchers were also unable to tell how long the Amazon S3 bucket had remained unsecured.

The unsecured Amazon S3 bucket was found by Kromtech researchers on September 29. It took some time to identify the company concerned and find contact details; these were located on October 5 and a notification was sent. No response was received, but by the following day all data had been secured and the files could no longer be accessed online without authentication.

The cloud offers healthcare organizations cost effective and convenient data storage. Provided HIPAA-compliant cloud platforms are used and a business associate agreement is obtained prior to the cloud being used to store ePHI, HIPAA permits use of the cloud. However, having a BAA does not guarantee HIPAA compliance. The actions of users can still result in HIPAA violations and the exposure of sensitive data.

The failure to implement controls to prevent cloud-stored data from being accessed by unauthorized individuals is an easy mistake to make, but one that can have serious consequences, not only for the patients whose PHI has been exposed, but also for the covered entity or business associate.

The failure to implement safeguards to ensure the confidentiality, integrity, and availability of ePHI can result in severe financial penalties from OCR and state attorneys general. A data breach can also result in lawsuits from patients seeking damages to cover the lifelong risk of harm from the exposure of their PHI.

Mistakes are inevitable, and oftentimes those mistakes will result in PHI being exposed, but in the case of unsecured Amazon S3 buckets, it is also easy to check for configuration errors. Kromtech, for example, offers a free software tool – S3 Inspector – that can be used by healthcare organizations to check whether their AWS S3 bucket permissions have been configured correctly to prevent access by the public.
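As an added illustration of what such a permissions check looks like (this is example code written for this page, not Kromtech’s S3 Inspector or any AWS tool), the Python below audits a bucket’s ACL and bucket policy, in the JSON shapes the S3 GetBucketAcl and GetBucketPolicy APIs return, for grants to the public. The bucket name, owner ID and the sample ACL and policy are constructed for the example; the function names are the author’s own.

```python
import json

# Group URIs that S3 uses for grants to anonymous users and to any signed-in AWS user.
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers (anonymous)",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers (any AWS account)",
}


def _as_list(value):
    """Policy fields such as Statement, Action, Resource and Principal.AWS may be a string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def public_acl_grants(acl):
    """Findings for ACL grants to AllUsers or AuthenticatedUsers.

    `acl` has the shape returned by GetBucketAcl: {"Owner": ..., "Grants": [...]}.
    A READ grant on the bucket lets the grantee list every object in it.
    """
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        label = PUBLIC_GRANTEE_URIS.get(grantee.get("URI"))
        if grantee.get("Type") == "Group" and label:
            findings.append(f"ACL grants {grant.get('Permission')} to {label}")
    return findings


def _wildcard_principal(principal):
    """True if a statement's Principal covers everyone: "*" or {"AWS": "*"} / {"AWS": ["*"]}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def public_policy_statements(policy):
    """Findings for Allow statements whose Principal is a wildcard.

    `policy` is either the parsed policy document (dict) or the raw JSON string
    found in the "Policy" field of a GetBucketPolicy response. A statement that
    carries a Condition is still reported, flagged for manual review, because the
    condition may or may not actually restrict who can reach the data.
    """
    if isinstance(policy, str):
        policy = json.loads(policy)
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or not _wildcard_principal(stmt.get("Principal")):
            continue
        actions = ", ".join(_as_list(stmt.get("Action")))
        resources = ", ".join(_as_list(stmt.get("Resource")))
        note = "; restricted by a Condition, review it" if stmt.get("Condition") else ""
        findings.append(f"policy allows {actions} on {resources} to everyone{note}")
    return findings


def audit_bucket(name, acl, policy=None):
    """Combine both checks; an empty list means no public grant was found."""
    findings = public_acl_grants(acl)
    if policy is not None:
        findings.extend(public_policy_statements(policy))
    return [f"{name}: {f}" for f in findings]


# Constructed sample data resembling an exposed bucket: an ACL READ grant to
# AllUsers (anyone can list the bucket) and a policy allowing anonymous GetObject.
SAMPLE_ACL = {
    "Owner": {"ID": "example-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
    ],
}
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-phm-records/*",
    }],
})
# The same bucket after the public ACL grant is removed and the policy is deleted.
FIXED_ACL = {"Owner": SAMPLE_ACL["Owner"], "Grants": SAMPLE_ACL["Grants"][:1]}

if __name__ == "__main__":
    for line in audit_bucket("example-phm-records", SAMPLE_ACL, SAMPLE_POLICY):
        print(line)
    print("fixed bucket findings:", audit_bucket("example-phm-records", FIXED_ACL))
```

To run this against real buckets, pass in the results of `boto3.client("s3").get_bucket_acl(Bucket=name)` and `get_bucket_policy(Bucket=name)["Policy"]` for every bucket returned by `list_buckets()`, remembering that `get_bucket_policy` raises an error rather than returning an empty policy when no policy is attached. The check is deliberately conservative: a wildcard principal with a Condition is reported for review rather than silently accepted. Since this article was written, AWS has added the S3 Block Public Access setting, which rejects such grants at the bucket or account level; turning it on wherever nothing in the bucket is meant to be public removes the class of mistake described above.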

The post 47GB of Medical Records and Test Results Found in Unsecured Amazon S3 Bucket appeared first on HIPAA Journal.

Summary of September 2017 Healthcare Data Breaches

There were 35 healthcare data breaches involving more than 500 records reported to the Department of Health and Human Services’ Office for Civil Rights in September 2017. Those breaches resulted in the theft or exposure of 435,202 patients’ protected health information.

September 2017 Healthcare Data Breaches

September 2017 healthcare data breaches followed a similar pattern to previous months. Healthcare providers suffered the most breaches with 25 reported incidents, followed by health plans with 8 breaches, and 2 breaches reported by business associates of covered entities.

There was a fairly even split between unauthorized access/disclosures (16 incidents) and hacking/IT incidents (15 incidents). Three theft incidents and one lost device were reported, all involving laptop computers; one of the thefts also involved a desktop computer and another the theft of physical records. There were no reported cases of improper disposal of PHI.

 

September 2017 Healthcare Data Breaches - Breach Type

There were five attacks on network servers in September, but email topped the list of breach locations with 13 incidents. Six of those were attributed to hacking, including two confirmed phishing attacks and one ransomware incident; the ransomware attack is also understood to have occurred as a result of an employee responding to a phishing email.

The remaining seven email incidents were unauthorized access/disclosures. One of those involved an employee emailing PHI to a personal email account; in another, a healthcare employee emailed PHI to a relative to get help with a work-related task.

September 2017 Healthcare Data Breaches - Breach Location

 

Healthcare organizations in 24 states reported data breaches in September. The worst affected states were California, Florida and Texas, with three breaches each. Arkansas, Minnesota, North Carolina, Pennsylvania, Washington and Wisconsin each had two reported incidents.

Largest Healthcare Data Breaches in September 2017

The largest healthcare data breaches in September 2017 have been detailed in the table below. Six of the top ten breaches in September were the result of hacking/IT incidents. Hacking/IT incidents resulted in the exposure of 355,084 records – 81.6% of the records exposed in all reported breaches in September. Unauthorized access/disclosures resulted in the exposure of 73,409 records – 16.87% of the total.

The largest reported data breach in September was a ransomware attack that potentially affected 128,000 patients. Data theft was not suspected, although it could not be ruled out with a high degree of certainty.

Covered Entity | Entity Type | Breached Records | Breach Type | Breach Information
Arkansas Oral & Facial Surgery Center | Healthcare Provider | 128,000 | Hacking/IT Incident | Ransomware attack
Morehead Memorial Hospital | Healthcare Provider | 66,000 | Hacking/IT Incident | Phishing attack
Network Health | Health Plan | 51,232 | Hacking/IT Incident | Phishing attack
ABB, Inc. | Healthcare Provider | 28,012 | Hacking/IT Incident |
Arkansas Department of Human Services | Health Plan | 26,000 | Unauthorized Access/Disclosure | Employee emailed PHI to a personal account
CBS Consolidated, Inc. | Business Associate | 21,856 | Hacking/IT Incident | Server hacked
MetroPlus Health Plan, Inc. | Health Plan | 15,212 | Unauthorized Access/Disclosure | Employee emailed PHI outside company
Mercy Health Love County Hospital and Clinic | Healthcare Provider | 13,004 | Theft | Paper records stolen from a storage unit
The Neurology Foundation, Inc. | Healthcare Provider | 12,861 | Unauthorized Access/Disclosure | Employee stole PHI
Hand & Upper Extremity Centers dba Hand Rehabilitation Specialists | Healthcare Provider | 12,806 | Hacking/IT Incident | Data theft and extortion attempt

The post Summary of September 2017 Healthcare Data Breaches appeared first on HIPAA Journal.

Network Health Phishing Attack Impacts 51,000 Plan Members

Wisconsin-based insurer Network Health has notified 51,232 of its plan members that some of their protected health information (PHI) has potentially been accessed by unauthorized individuals.

In August 2017, some Network Health employees received sophisticated phishing emails. Two of those employees responded to the scam email and divulged their login credentials to the attackers, who used the details to gain access to their email accounts.

The compromised email accounts contained a range of sensitive information including names, phone numbers, addresses, dates of birth, ID numbers, and provider information. No financial information or Social Security numbers were held in the compromised accounts, although certain individuals’ health insurance claim numbers and claim information were potentially accessed.

The breach was detected rapidly and the affected accounts were shut down to limit the harm caused. An external cybersecurity consultant was brought in to assess the extent of the attack and perform a forensic analysis to determine whether the attackers had gained access to other parts of the network. The incident was also reported to law enforcement, which is investigating the breach.

Penny Ransom, Network Health’s Chief Administrative Officer said, “As a result of this attack, steps are underway to further improve the security of operations and prevent future incidents.”

Those measures include re-training the workforce to help employees recognize and report phishing emails. A full review of security processes and procedures is also being conducted. All individuals impacted by the attack have been offered one year of credit monitoring and identity theft protection services without charge.

Network Health was one of three healthcare organizations to report phishing attacks in September. Morehead Memorial Hospital experienced a phishing attack that potentially resulted in the exposure of 66,000 patients’ PHI. Arkansas Oral & Facial Surgery Center also fell victim to a phishing attack that saw ransomware installed; that attack potentially impacted 128,000 individuals.

The post Network Health Phishing Attack Impacts 51,000 Plan Members appeared first on HIPAA Journal.

Resold Fax Machine Prints Documents Containing PHI

A fax machine used by a physician at Grand Rapids, MI-based Spectrum Health System was recently discovered to contain the PHI of around 20 patients. The fax machine was purchased from a resale shop by a local resident, who discovered that documents were still stored in the memory of the machine.

When attempting to print off a fax transmission report, the device started printing documents containing sensitive patient information such as names, addresses, dates of birth, details of dependents, diagnoses, test results, and insurance information.

The incident was brought to the attention of Wood TV’s Target 8 team, which investigated and traced the device to Spectrum Health’s Dr. Wendy Zink.

Spectrum Health was contacted about the breach, and Chief Privacy Officer Leah Voigt confirmed that all electronic equipment containing ePHI is sent to a business associate that ensures the ePHI on the devices is permanently erased in accordance with HIPAA Rules. Spectrum Health holds certification showing that this process was followed and that the vendor confirmed the data had been permanently destroyed. The fax machine has since been recovered by Spectrum Health and all copies of PHI have been permanently destroyed. The privacy violation is being viewed as an anomaly.

HIPAA and Electronic Media Containing ePHI

The HIPAA Security Rule – 45 CFR 164.310(d)(1) – requires HIPAA covered entities to implement policies and procedures governing the receipt and removal of hardware and electronic media containing electronic protected health information into and out of a facility, and the movement of those items within the facility.

The standard naturally applies to portable storage devices such as zip drives, hard drives, and laptop computers, but it also applies to digital photocopiers, printers, scanners, and faxes. Digital photocopiers, printers, scanners, and faxes often store electronic copies of documents that have been copied or transmitted.

Movement of those devices must therefore be controlled and technical safeguards implemented to prevent any electronic protected health information in stored documents from being viewed by unauthorized individuals.

As well as controlling the movement and keeping track of those devices, covered entities must ensure that when the devices are no longer required, any data stored on hard drives, or in the memory, are permanently erased.

HIPAA Rules on Disposal of PHI

45 CFR 164.310(d)(2)(i) and (ii) cover disposal and media re-use. Covered entities must develop and implement policies and procedures addressing the final disposition of ePHI and of the hardware or electronic media on which it is stored, and ePHI must be removed from electronic media before the media are made available for re-use, scrapped, or recycled.

Prior to disposing of electronic media, all ePHI on the devices must be rendered unreadable, indecipherable, and incapable of being reconstructed. OCR suggests “clearing (using software or hardware products to overwrite media with non-sensitive data) or purging (degaussing or exposing the media to a strong magnetic field in order to disrupt the recorded magnetic domains) the information from the electronic media.” Note that degaussing only works on magnetic media; flash-based storage, which includes SSDs, USB drives and the memory in many printers and fax machines, must instead be overwritten, erased with the device’s own secure-erase function where one exists, or physically destroyed.

If a covered entity is unable to perform these actions, a vendor can be used. That vendor would naturally be a business associate, and a HIPAA-compliant business associate agreement would need to be signed by both parties before any devices are handed over.

The failure to remove ePHI prior to disposal is a violation of HIPAA Rules, and one that could potentially result in an impermissible disclosure of protected health information. It could also lead to a financial penalty for noncompliance with HIPAA Rules.

The post Resold Fax Machine Prints Documents Containing PHI appeared first on HIPAA Journal.

Texas Patients Just Informed of 2015 CoPilot Data Breach

Patients of a Texas orthopedic clinic are just finding out that some of their protected health information was exposed in a 2015 CoPilot data breach.

In October 2015, a website maintained by CoPilot Provider Support Services was accessed by an unauthorized individual. That individual gained access to, and downloaded, the PHI of more than 220,000 patients. The website was used by providers to find out whether two drugs – ORTHOVISC® and MONOVISC® – were covered by the patients’ health insurance.

CoPilot discovered its website had been breached on December 23, 2015, and launched an investigation. The individual who accessed the data was identified and the matter was reported to law enforcement. No information was believed to have been accessible by the public.

While the incident was resolved, CoPilot delayed issuing breach notifications until January 2017. That delay resulted in a $130,000 fine from the New York Attorney General in June 2017.

It has been two years since the breach, and eight months since notifications were issued, but some breach victims are only just discovering they have been impacted. 653 patients of Kraig R. Pepper, D.O., P.A. were not notified of the breach until late September.

Dr. Pepper did not become aware until July 31, 2017 that some of his patients’ data had been exposed in the 2015 CoPilot data breach. The breached information did not include any medical records, X-rays, or test results held by Dr. Pepper, only information that had been provided to DePuy Mitek, Inc., the company from which the drugs were purchased. The information disclosed to that company, and exposed in the breach, included names, addresses, Social Security numbers, dates of birth, phone numbers, gender, ID numbers, group numbers, medical insurance information, prescription information, and some clinical information.

While there has been a considerable delay in receiving notification, affected patients have been offered identity theft protection services without charge for 12 months.

The post Texas Patients Just Informed of 2015 CoPilot Data Breach appeared first on HIPAA Journal.

What are the HIPAA Breach Notification Requirements?

All HIPAA covered entities must familiarize themselves with the HIPAA breach notification requirements and develop a breach response plan that can be implemented as soon as a breach of unsecured protected health information (PHI) is discovered. HIPAA training for staff must also include the procedures for reporting breaches of unsecured PHI.

While most HIPAA covered entities should understand the HIPAA breach notification requirements, organizations that have yet to experience a data breach may not have a good working knowledge of the requirements of the Breach Notification Rule. Vendors that have only just started providing a service to Covered Entities may similarly be unsure of the reporting requirements and actions that must be taken following a breach.

The issuing of notifications following a breach of unsecured PHI is an important element of HIPAA compliance. The failure to comply with HIPAA breach notification requirements can result in a significant financial penalty in addition to any penalty imposed for the data breach itself. With this in mind, we have compiled a summary of the HIPAA breach notification requirements for covered entities and their business associates.

Summary of the HIPAA Breach Notification Rule

The HIPAA Breach Notification Rule – 45 CFR §§ 164.400-414 – requires covered entities and their business associates to report breaches of unsecured electronic protected health information and physical copies of protected health information. A breach is defined as the acquisition, access, use, or disclosure of unsecured protected health information in a manner not permitted by HIPAA Rules.

According to the HHS´ guidance on the HIPAA Breach Notification Rule, an impermissible use or disclosure of unsecured protected health information is presumed to be a breach unless the covered entity or business associate demonstrates there is a low probability the protected health information has been compromised based on a risk assessment of at least the following factors:

  1. The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
  2. The unauthorized person who used the protected health information or to whom the disclosure was made;
  3. Whether the protected health information was actually acquired or viewed; and
  4. The extent to which the risk to the protected health information has been mitigated.

HIPAA breaches include unauthorized access by employees as well as third parties, improper disclosures, the exposure of protected health information, and ransomware attacks. The following are not reportable breaches:

  1. Impermissible uses or disclosures of secured protected health information, such as encrypted data where the decryption key has not also been obtained;
  2. “any unintentional acquisition, access, or use of protected health information by a workforce member or person acting under the authority of a covered entity or a business associate, if such acquisition, access, or use was made in good faith and within the scope of authority and does not result in further use or disclosure” in a manner not permitted by the Privacy Rule;
  3. An inadvertent disclosure by a person who is authorized to access PHI to another person at the same organization who is also authorized to access PHI, provided the information is not further used or disclosed impermissibly; and
  4. A disclosure where the covered entity or business associate has a good faith belief that the unauthorized person to whom it was made would not reasonably have been able to retain the information.

In the event of a reportable HIPAA breach being experienced, the HIPAA breach notification requirements are:

Notify Individuals Impacted – or Potentially Impacted – by the Breach

All individuals impacted by a data breach, who have had unsecured protected health information accessed, acquired, used, or disclosed, must be notified of the breach. Breach notifications are also required for any individual who is reasonably believed to have been affected by the breach.

Breach notification letters must be sent within 60 days of the discovery of a breach unless a request to delay notifications has been made by law enforcement. In such cases, notifications should be sent as soon as that request has expired. While it is permissible to delay reporting of a breach to the HHS for breaches impacting fewer than 500 individuals (see below), that delay does not apply to notifications to breach victims.

Breach notification letters should be sent by first class mail to the last known address of breach victims, or by email if individuals have given authorization to be contacted electronically.

The HIPAA breach notification requirements for letters include writing in plain language, explaining what has happened, what information has been exposed/stolen, providing a brief explanation of what the covered entity is doing/has done in response to the breach to mitigate harm, providing a summary of the actions that will be taken to prevent future breaches, and giving instructions on how breach victims can limit harm. Breach victims should also be provided with a toll-free number to contact the breached entity for further information, together with a postal address and an email address.

Notify the Department of Health and Human Services

Notifications must be issued to the Secretary of the Department of Health and Human Services, via the Office for Civil Rights breach reporting tool. The HIPAA breach notification requirements differ depending on how many individuals have been impacted by the breach.

When the breach has affected 500 or more individuals, notification to the HHS must be made without unreasonable delay and no later than 60 days from the discovery of the breach. Breaches affecting fewer than 500 individuals must be logged and reported to the HHS within 60 days of the end of the calendar year in which the breach was discovered.

Notify the Media

HIPAA breach notification requirements include issuing a notice to the media. Many covered entities that have experienced a breach of protected health information notify the HHS, relevant state attorneys general, and the patients and health plan members impacted by the breach, but fail to issue a media notice – a violation of the HIPAA Breach Notification Rule.

A breach of unsecured protected health information involving more than 500 residents of a state or jurisdiction must be reported to prominent media outlets serving that state or jurisdiction – see 45 CFR § 164.406. This is an important requirement, as up-to-date contact information may not be held for all breach victims; the media notice helps ensure that everyone affected learns of the potential exposure of their sensitive information. As with the notifications to the HHS and to breach victims, the media notice must be issued without unreasonable delay and within 60 days of the discovery of the breach.

Post a Substitute Breach Notice on the Home Page of the Breach Entity’s Website

Where up-to-date contact information is lacking for 10 or more affected individuals, substitute notice must be provided either by a conspicuous posting on the home page of the covered entity’s website (or a prominent link from the home page to the notice) for 90 consecutive days, or by a conspicuous notice in major print or broadcast media serving the area where the affected individuals likely reside. In either case a toll-free number, active for at least 90 days, must be provided so that individuals can find out whether their information was involved. Where contact information is out of date for fewer than 10 individuals, substitute notice may be given by an alternative form of written notice, by telephone, or by other means.

Data Breaches Experienced by HIPAA Business Associates

Business associates of HIPAA-covered entities must also comply with the HIPAA breach notification requirements and can be fined directly by the HHS’ Office for Civil Rights and by state attorneys general for a HIPAA Breach Notification Rule violation.

Any breach of unsecured protected health information must be reported to the covered entity within 60 days of the discovery of a breach. While this is the absolute deadline, business associates must not delay notification unnecessarily. Unnecessarily delaying notifications is a violation of the HIPAA Breach Notification Rule.

It is usually the covered entity that will issue breach notifications to affected individuals, so any breach notification will need to be accompanied with details of the individuals impacted. It is a good practice to issue a breach notification to a covered entity rapidly, and to provide further information on the individuals impacted once the investigation has been completed. Under the terms of a HIPAA-compliant Business Associate Agreement (BAA), a business associate may be required to issue breach notifications to affected individuals.

Timeline for Issuing Breach Notifications

Breach notifications should be issued as soon as possible and no later than 60 days after the discovery of the breach, except when a delay is requested by law enforcement. Investigating a breach of protected health information can take some time, but once all the necessary information has been obtained to allow breach notifications to be sent they should be mailed.

HIPAA-covered entities must not delay sending breach notification letters. It is possible to receive a HIPAA violation penalty for delaying notifications, even if they are sent within 60 days of the discovery of the breach. There have been several recent cases of HIPAA breach notification requirements not being followed within the appropriate time frame, which can potentially result in financial penalties.

State Breach Notification Laws May Be Stricter than HIPAA

U.S. states have their own breach notification laws. Typically, notifications must be issued to breach victims promptly and a notice also submitted to the state attorney general’s office. Some states require breach notifications to be issued well within the HIPAA deadline.

Delaying breach notifications until the 60-day limit of HIPAA could well see state laws violated, leading to financial penalties from state attorneys general. State laws frequently change, so it is important to keep up to date on breach notification laws in the states in which you operate.

Penalties for Violations of HIPAA Breach Notification Requirements

HIPAA covered entities must ensure the HIPAA breach notification requirements are followed or they risk incurring financial penalties from state attorneys general and the HHS’ Office for Civil Rights.

In 2017, Presence Health became the first HIPAA-covered entity to settle a case with the Office for Civil Rights solely for a HIPAA Breach Notification Rule violation, after it exceeded the 60-day maximum time frame for issuing breach notifications. Presence Health took more than three months from the discovery of the breach to issue notifications, a delay that cost the health system $475,000. The maximum penalty for a HIPAA Breach Notification Rule violation is $1,500,000 per calendar year, and a delay that runs across two calendar years can attract more.


HIPAA Breach Notification Requirements FAQs

What is the difference between a HIPAA breach and a HIPAA violation?

A HIPAA breach is when unsecured PHI is acquired, accessed, used, or disclosed in a manner not permitted by the Privacy and Security Rules. A HIPAA violation occurs when a Covered Entity, Business Associate, or a member of the workforce fails to comply with any standard in the Privacy, Security, or Breach Notification Rules. It is not necessary for a breach to occur in order for there to be a HIPAA violation – for example, the failure to respond to a patient access request within 30 days is a HIPAA violation, but not a HIPAA breach.

Why must staff be trained on reporting HIPAA breaches?

Staff must be trained on reporting HIPAA violations to their supervisors, managers, or the Privacy Officer. It is not necessary for staff to know the mechanics of the HIPAA breach notification requirements beyond that point, but they must be aware of the consequences of delaying a report in terms of the impact it will have on patients impacted by the breach, the consequences for their employer if notifications are delayed longer than necessary, and on their own jobs if a breach comes to light weeks after it has happened.

What is the difference between secured PHI and unsecured PHI?

Secured PHI is generally defined as Protected Health Information that has been rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of technologies or methodologies specified in § 13402 of the HITECH Act. HIPAA is technology neutral, but the implementation specifications for Access Control and Transmission Security make encryption of ePHI an addressable requirement: it must be implemented where reasonable and appropriate, and where it is not, the decision must be documented and an equivalent alternative measure implemented.

What is an example of a “good faith belief” that PHI has not been retained?

If, for example, a healthcare professional shows an X-ray image to a person not authorized to view the image but realizes a mistake has been made before it is likely any information relating to the image has been read, it is highly likely that PHI has not been retained and the Covered Entity can reasonably accept – in good faith – there has been no disclosure of unsecured PHI. In this scenario, it is important the healthcare professional reports the unauthorized disclosure to a higher authority, and that the report – along with the good faith determination – is documented.

Why do individuals have to give authorization before they receive email notifications?

Because email is not a secure communication channel, Covered Entities must obtain the authorization of an individual before sending an email that contains PHI. (If the email does not contain PHI, no authorization is necessary). Breach notifications have to inform individuals what PHI was accessed, so therefore Covered Entities can only communicate a breach by email if they have a prior authorization.

When must a HIPAA breach be reported?

A HIPAA breach must be reported whenever unsecured PHI or ePHI has been used or disclosed impermissibly, unless the risk assessment described above shows a low probability that the data has been compromised. The reporting timetable is also set out above: notification to the HHS within 60 days of discovery if the breach involves 500 or more individuals, and within 60 days of the end of the calendar year in which it was discovered if it involves fewer than 500. Affected individuals must be notified within 60 days of discovery in either case.

The post What are the HIPAA Breach Notification Requirements? appeared first on HIPAA Journal.

13,000 Patients Potentially Impacted by Mercy Health Love County Hospital Breach

A Mercy Health Love County Hospital breach has potentially impacted more than 13,000 patients in Oklahoma.

On June 23, 2017, the hospital discovered an employee had stolen a laptop computer and paper records from a storage unit used by the hospital. According to the breach notice issued by Mercy Health, the records of 10 patients were taken from the storage unit along with the laptop.

The theft of PHI was initially investigated by the Love County Sheriff’s Office. That investigation revealed the former employee had used the stolen information to fraudulently obtain credit cards in the patients’ names. A second individual is also understood to have been involved.

While Mercy Health had up to 60 days to notify patients of the breach under HIPAA Rules, all ten patients were notified immediately. Mercy Health is working with the Love County Sheriff’s Office, the United States Postal Service, and the U.S. Secret Service, which are all investigating the incident.

Mercy Health said in its breach notice, “Although there is no evidence that files belonging to patients aside from the ten patients originally identified were accessed or acquired without authorization, Mercy is nonetheless informing the public of the incident.” All affected patients have been offered 12 months of credit monitoring and identity theft repair services without charge.

Mercy Health Love County Hospital and Clinic Administrator Richard Barker said, “We are taking steps to secure all patient information to prevent anything similar from happening.”

While it would appear that the records of only 10 patients were stolen, a report submitted to the Department of Health and Human Services’ Office for Civil Rights indicates a breach has been experienced involving 13,004 paper/film records.

It is currently unclear whether the storage unit contained the records of 13,004 patients, but only 10 patients’ files were taken, or if this is a separate incident. HIPAA Journal contacted Mercy Health for clarification but has yet to receive a response.

This post will be updated with further information as it becomes available.

The post 13,000 Patients Potentially Impacted by Mercy Health Love County Hospital Breach appeared first on HIPAA Journal.

Our Lady of the Angels Hospital Breach Impacts 1,140 Patients

Our Lady of the Angels Hospital has discovered a former employee accessed the medical records of 1,140 patients without authorization.

The employee had been granted access to the protected health information in order to conduct work duties; however, hospital staff became aware the employee was accessing medical records without any legitimate work reason for doing so.

The improper access was discovered on July 25, 2017, and the employee’s access to the medical record system was immediately terminated, as was the employee.

Rene Ragas, President and CEO, Our Lady of the Angels Hospital, said, “Patient privacy is a top priority and we have a zero-tolerance policy for employees who improperly access patient data.”

A thorough investigation was conducted to determine which patients had been impacted, which revealed the former employee had been inappropriately accessing the medical records of patients for more than three years.

The Bogalusa, LA hospital was acquired by the Franciscan Missionaries of Our Lady Health System on March 17, 2014, which is the date given for when the improper access first started. It is currently unclear whether the employee had been accessing medical records without authorization before that date, when the hospital was managed by LSU Health under the name LSU Bogalusa Medical Center.

The employee was questioned about the improper access and it does not appear that any patient health information was shared with any other individuals or was used improperly. This appears to be another case of a healthcare employee accessing medical records out of curiosity.

Even though data theft and misuse are not suspected, out of an abundance of caution, all patients whose privacy was violated have been offered 12 months of credit monitoring services without charge.

The types of information accessed by the former employee include names, addresses, phone numbers, dates of birth, gender, insurance information, Social Security numbers, diagnoses, dates of service, places of service, and clinical information such as orders, test results, medications, and clinical abstracts.

Our Lady of the Angels Hospital is reviewing policies and procedures and will be revising its audit processes to ensure any future privacy breaches of this nature are identified more rapidly. Additional training is also being provided to employees regarding the privacy and security of PHI.

The post Our Lady of the Angels Hospital Breach Impacts 1,140 Patients appeared first on HIPAA Journal.

PeaceHealth Employee Accessed Medical Records Without Authorization for Almost 6 Years

PeaceHealth, a not-for-profit Catholic health system based in Vancouver, WA, has discovered one of its former employees had accessed the medical records of almost 2,000 of its patients without any legitimate work reason for doing so.

The unauthorized access was discovered by PeaceHealth on August 9, 2017, triggering an investigation. PeaceHealth determined the improper access started in November 2011 and continued until July 2017.

The investigation confirmed Social Security numbers and financial information were not accessed by the employee, although patient names, medical record numbers, admission and discharge dates, medical diagnoses, and progress notes were all viewed.

Due to the nature of information that was accessed, and the results of the internal investigation, PeaceHealth does not believe any patients impacted by the breach are at risk of identity theft. However, all impacted individuals have been advised to remain vigilant and review their credit reports and account statements for any sign of fraudulent activity.

Patients impacted by the breach had visited either the PeaceHealth St. Joseph Medical Center or its Southwest Medical Center between November 2011 and July 2017. All individuals affected by the incident have now been notified of the breach by mail.

PeaceHealth issued a statement saying, “Patient privacy is among our highest priorities, and we take this [incident] very seriously.” The employee no longer works for PeaceHealth.

PeaceHealth says it already invests in technology to prevent data breaches, follows industry best practices for monitoring and safeguarding PHI, and provides training to staff on privacy and security. The incident has prompted PeaceHealth to reinforce staff education on appropriate access to PHI.

The incident has now been reported to the Department of Health and Human Services’ Office for Civil Rights. The breach report indicates the PHI of 1,969 patients was improperly accessed.
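Both the Our Lady of the Angels and PeaceHealth incidents involved an employee with legitimate system access viewing records for years before anyone noticed, and both organizations point to audit processes and PHI monitoring as the remedy. The following is an added example, not code from either health system or from HIPAA Journal, of the check that closes that gap: comparing each EHR audit-log entry against encounter and staffing data to flag chart views with no treatment relationship. The log format, the encounter and assignment tables, the user names and MRN values, and the two-day grace window after discharge are all constructed assumptions for illustration.

```python
"""Flag EHR audit-log accesses that have no treatment relationship.

Added illustration only; the log format, encounter table and staff
assignments below are constructed, not any real hospital's data.
"""
from datetime import datetime, timedelta

# Constructed audit log (hypothetical format: timestamp|user|patient|action).
AUDIT_LOG = """\
2017-07-24T08:02:11|nurse_a|MRN1001|VIEW_CHART
2017-07-24T08:05:40|nurse_a|MRN1002|VIEW_CHART
2017-07-24T12:31:09|clerk_z|MRN1003|VIEW_CHART
2017-07-24T12:33:50|clerk_z|MRN1004|VIEW_CHART
2017-07-24T12:35:12|clerk_z|MRN1005|VIEW_CHART
2017-07-24T19:45:00|nurse_a|MRN1009|VIEW_CHART
"""

# Constructed encounters: (patient, care unit, admission date, discharge date).
ENCOUNTERS = [
    ("MRN1001", "ICU", "2017-07-23", "2017-07-26"),
    ("MRN1002", "ICU", "2017-07-20", "2017-07-25"),
    ("MRN1003", "ED", "2017-07-24", "2017-07-24"),
    ("MRN1009", "ICU", "2017-06-01", "2017-06-03"),  # discharged weeks before the access
]

# Constructed staffing: which units each user legitimately works in.
ASSIGNMENTS = {"nurse_a": {"ICU"}, "clerk_z": {"ED"}}

# Assumed tolerance: chart work shortly before admission or after discharge is routine.
GRACE = timedelta(days=2)


def parse_log(text):
    """Parse 'timestamp|user|patient|action' lines into dicts (blank lines skipped)."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, patient, action = line.split("|")
        rows.append({"ts": datetime.fromisoformat(ts), "user": user,
                     "patient": patient, "action": action})
    return rows


def access_reason(user, patient, ts, encounters, assignments):
    """Return None when the access fits an encounter the user's unit handled,
    otherwise a short reason string describing why it does not."""
    mine = [e for e in encounters if e[0] == patient]
    if not mine:
        return "no encounter on record for patient"
    units = assignments.get(user, set())
    in_unit = [e for e in mine if e[1] in units]
    if not in_unit:
        return "patient never seen in user's assigned units"
    for _, _, admit, discharge in in_unit:
        start = datetime.fromisoformat(admit) - GRACE
        # Discharge is a date; treat it as lasting to end of day, then add the grace period.
        end = datetime.fromisoformat(discharge) + timedelta(days=1) + GRACE
        if start <= ts <= end:
            return None
    return "access outside any encounter window"


def flag_accesses(rows, encounters=ENCOUNTERS, assignments=ASSIGNMENTS):
    """Return (user, patient, timestamp, reason) for every access that fails the check."""
    flagged = []
    for r in rows:
        reason = access_reason(r["user"], r["patient"], r["ts"], encounters, assignments)
        if reason:
            flagged.append((r["user"], r["patient"], r["ts"].isoformat(), reason))
    return flagged


def patients_flagged_per_user(flagged):
    """Distinct flagged patients per user; the count a years-long pattern grows into."""
    seen = {}
    for user, patient, _, _ in flagged:
        seen.setdefault(user, set()).add(patient)
    return {u: len(p) for u, p in seen.items()}


if __name__ == "__main__":
    hits = flag_accesses(parse_log(AUDIT_LOG))
    for hit in hits:
        print("  ".join(hit))
    print(patients_flagged_per_user(hits))
```

Running this over the constructed log flags three views: two by clerk_z of patients with no encounter at all, and one by nurse_a of a patient discharged from the ICU seven weeks earlier. The per-user tally is what an audit review should trend over time; a user whose count of unrelated patients keeps climbing is the signal that was missed for three and nearly six years in the two cases above. The check only establishes absence of a relationship; a user who does have one can still misuse access, which is why this belongs beside, not instead of, role-based access limits and break-the-glass logging.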

The post PeaceHealth Employee Accessed Medical Records Without Authorization for Almost 6 Years appeared first on HIPAA Journal.