HIPAA Breach News

Florida Healthy Kids Corporation Announces 2,000 Patients Impacted by Phishing Scam

Reports of phishing attacks on healthcare organizations are arriving thick and fast. The latest HIPAA-covered entity to announce it has fallen victim to a phishing scam is Florida Healthy Kids Corporation, an administrator of the Florida KidCare program.

On July 25, 2017, phishing emails started to arrive in the inboxes of members of staff, some of whom responded and inadvertently gave the attackers access to the sensitive information of members of the KidCare program. The phishing attack was identified the following day and access to the compromised email accounts was immediately blocked. While the incident was mitigated promptly, the attackers had access to email accounts and data contained in those accounts for approximately 24 hours.

During that time, it is possible that the emails were accessed and sensitive information copied, although no reports of abuse of that information have been received and it is not clear whether any information was actually stolen.

An analysis of the compromised email accounts revealed the personal information of 2,000 individuals was potentially accessed. On September 7, 2017, 1,700 individuals were notified by mail that their information had potentially been compromised. The remaining 300 could not be contacted as no valid contact information was held. A substitute breach notice has been uploaded to the healthykids.org website, and a notice has been added to all online accounts to alert affected individuals when they next log in to their accounts.

The types of information exposed include names, addresses, phone numbers, family account numbers, and Social Security numbers. Since passwords were not exposed, Florida KidCare online family accounts could not be accessed by the attackers. Individuals impacted by the breach have been offered credit monitoring services for 12 months without charge through LifeLock.

Florida Healthy Kids Corporation said policies and procedures will be updated to prevent similar breaches from occurring in the future.

The post Florida Healthy Kids Corporation Announces 2,000 Patients Impacted by Phishing Scam appeared first on HIPAA Journal.

Augusta University Medical Center Phishing Attack Took Three Months to Discover

An Augusta University Medical Center phishing attack has resulted in an unauthorized individual gaining access to the email accounts of two employees.

It is unclear when the phishing attack was discovered, although an investigation into the breach was concluded on July 18, 2017. That investigation confirmed access to the employees’ email accounts was gained between April 20 and 21, 2017.

Upon discovery of the breach, access to the email accounts was disabled and passwords were reset. The investigation did not confirm whether any of the information in the accounts had been accessed or copied by the attackers.

Patients impacted by the breach have now been notified – five months after the breach occurred. Patients have been informed that the compromised email accounts contained sensitive information such as names, addresses, dates of birth, driver’s license numbers, financial account information, prescription details, diagnoses, treatment information, medical record numbers and Social Security numbers. The amount of information exposed varied for each patient.

It is currently unclear how many patients have been impacted, although a spokesperson for AU Medical Center said the breach impacted fewer than 1% of its patients. Credit monitoring and identity theft protection services are being offered to all patients whose Social Security number was compromised.

This is not the first time that employees at Augusta University have fallen for phishing scams. A similar breach occurred between September 7 and 9, 2016, resulting in similar data being exposed. In that case, “a small number” of employees responded to phishing emails and divulged their email logins.

That breach was identified promptly: News Channel 6 reported that all AU employees were required to reset their passwords due to a significant risk following the phishing attack. However, the Augusta Chronicle reported in May that the investigation into the breach was only completed on March 29, 2017, more than six months after the attack took place. Individuals impacted by the breach were notified within 60 days of the breach investigation being completed. The breach was reported to the HHS’ Office for Civil Rights on May 26, 2017.

The Health Insurance Portability and Accountability Act’s Breach Notification Rule allows HIPAA-covered entities up to 60 days following the discovery of a breach to issue breach notification letters to patients and to alert OCR of the breach.

It should be noted that while HIPAA allows up to 60 days to report data breaches, covered entities must report incidents ‘without unreasonable delay’. Failure to report incidents promptly can easily result in a HIPAA penalty, as Presence Health discovered earlier this year. In that case, breach notifications were issued three months after the breach was discovered, resulting in a settlement of $475,000.

This latest breach was announced five months after the email accounts were compromised, with the investigation concluding three months after the initial breach. The earlier phishing attack appeared to take six months to investigate and report, with notifications sent to patients eight months after the breach.

Why the investigations took so long to conduct and why reporting the incidents was delayed is something of a mystery. According to OCR’s breach reporting portal, the September phishing attack is still under investigation. The latest incident has yet to appear on the OCR breach portal.


Phishing Attack Results in the Exposure of PHI at Morehead Memorial Hospital

Morehead Memorial Hospital in Eden, NC has announced two employees have fallen victim to a phishing attack that resulted in an unauthorized individual gaining access to their email accounts. Those accounts contained the protected health information of patients and sensitive information on employees.

Upon discovery of the breach, access to the email accounts was blocked and the hospital performed a network-wide password reset. Leading computer forensics experts were hired to assist with the investigation and determine the extent of the breach. The investigation confirmed that access to the accounts was possible and sensitive patient and employee information could have been accessed.

While no reports have been received to suggest any information in the accounts has been misused, the possibility of data access and data theft could not be ruled out. The types of information exposed include names, health insurance payment summaries, health insurance information, treatment overviews, and a limited number of Social Security numbers.

Phishing attacks such as this are common. Emails are sent to healthcare employees that appear to be legitimate communications. The emails typically include hyperlinks that, when clicked, lead to a page requiring the employee to enter their email account login details. Entering that information hands the credentials to the attackers, who then use them to remotely log in to the email accounts.

Preventing phishing attacks requires a combination of spam filtering technology to prevent phishing emails from reaching inboxes and education to teach employees about the risk from phishing and how to identify phishing attacks.

In response to the breach, Morehead Memorial Hospital is providing staff members with additional training to help them identify fraudulent communications. An internal webpage has also been created to communicate further information about phishing and email attacks to keep staff better informed.

The incident has been reported to the FBI, Department of Homeland Security and Office for Civil Rights. Patients were notified of the breach by mail on Friday last week and all have been offered identity theft monitoring services for 12 months without charge.

Morehead Memorial Hospital has not disclosed how many patients and employees have been impacted by the breach.


Hospital Employee Fired Over 26,000-Record Arkansas DHS Privacy Breach

A former employee of the Arkansas Department of Human Services (DHS) has been fired from her new position at the state hospital for emailing spreadsheets containing the protected health information of patients to a personal email account.

Yolanda Farrar worked as a payment integrity coding analyst for the DHS, but was fired on March 24, 2017. According to a statement issued by DHS spokesperson Amy Webb, Farrar was fired for “violations of DHS policy on professionalism, teamwork and diligent and professional performance.”

The day before, Farrar had spoken with her supervisor about issues relating to her performance and learned that she was about to be terminated. Within minutes of that conversation, Farrar emailed spreadsheets from her work email account to a personal email address.

Farrar decided to take legal action against DHS for unfair dismissal. Attorneys working for DHS were preparing to represent the agency in court and were checking emails sent by Farrar through her work email account. They discovered the emails and spreadsheets on August 7. The DHS privacy officer was immediately notified of the discovery and an internal investigation into the incident was launched.

The spreadsheets were found to contain a range of sensitive information of patients including names, birth dates, linked Medicaid identification numbers, diagnoses, codes for medical procedures, and some Social Security numbers. Each record in the spreadsheet was manually checked and after duplicates were removed, DHS determined that the protected health information of 26,044 patients had been emailed to the personal account.

By emailing the spreadsheets, Farrar breached DHS policies as well as state and federal laws. Farrar had since been employed at the state hospital; however, the discovery of the emails resulted in her being fired from that position. The investigation into the privacy breach is ongoing and the DHS intends to pursue criminal charges against Farrar.

The DHS already requires employees to undergo privacy training. All employees are required to pass a test on that training before they are allowed Internet access and are made aware that emailing confidential information outside the agency is prohibited. A review of policies and procedures is being conducted to determine whether any further actions can be taken to reduce the potential for similar incidents occurring in the future.

DHS has confirmed that all individuals impacted by the incident will be notified of the privacy breach by mail this week.


Hospital Staff Discovered to Have Taken and Shared Photographs of Patient’s Genital Injury

An investigation has been conducted into a privacy violation at the University of Pittsburgh Medical Center’s Bedford Memorial hospital, in which photographs and videos of a patient’s genitals were taken by hospital staff and in some cases, were shared with other individuals including non-hospital staff. The patient was admitted to the hospital in late December 2017, with photos/videos shared over the following few weeks.

The patient was admitted to the hospital on December 23, 2017 with a genital injury – a foreign object had been inserted into the patient’s penis and was protruding from the end. The bizarre injury attracted a lot of attention and several staff members not involved with the treatment of the patient were called into the operating room to view the injury. Multiple staff members took photographs and videos of the patient’s genitals while the patient was sedated and unconscious.

The privacy breach was reported by one hospital employee who alleged images/videos were being shared with other staff members not involved in the treatment of the patient. The complaint was investigated by the Pennsylvania Department of Health and Human Services on May 23, 2017.

While HIPAA violations appear to have occurred, the investigation only confirmed violations of the Social Security Act had occurred. According to the published report of the investigation, multiple areas of non-compliance with the Social Security Act (42 CFR Part 482, Conditions of Participation for Hospitals) were discovered: 482.13 Patient Rights; 482.22(c) Medical Staff Bylaws; 482.42 Infection Control; and 482.51 Surgical Services.

According to a statement obtained from a member of staff who was interviewed, a request was made for photographs to be taken of the patient’s injury for use in future medical lectures. That individual said, “We have a camera in the OR for that purpose, but it was reportedly broken and so personal phones were used. Initially, we thought there was only one picture taken but later we learned of others. We also had the camera checked out, it is working, it is just too complicated to use.”

One physician said, “At one point when I looked up, there were so many people it looked like a cheerleader type pyramid.”

The story was originally reported on Pennlive, which received an emailed statement from UPMC saying, “The behavior reported in this case is abhorrent and violates the mission of UPMC Bedford and the overall values of UPMC. Upon discovery, UPMC quickly self-reported the incident to the Pennsylvania Department of Health and took appropriate disciplinary action with the individuals involved.”

Those actions included suspensions and firings of staff who were discovered to have violated the patient’s privacy. The patient, who was not identified, has also been informed of the privacy breach.


Hand Rehabilitation Specialists Suffers Breach of Almost 13,000 Patients’ PHI

Hand & Upper Extremity Centers has announced a security breach has potentially impacted almost 13,000 patients.

The breach occurred at Thousand Oaks, CA-based Hand Rehabilitation Specialists (HRS). While it is unclear when the breach actually occurred, HRS was notified about a potential security incident on July 5, 2017.

According to the substitute breach notice uploaded to the HRS website, an unauthorized individual is believed to have gained access to HRS systems and potentially viewed and exfiltrated patient data. As soon as HRS became aware of the incident, law enforcement was contacted and the Ventura County Sheriff’s Office conducted a forensic investigation of the computer system used by HRS. The incident was also reported to the Federal Bureau of Investigation.

Law enforcement found no evidence to suggest any patient data had been exfiltrated, although it was not possible to rule out data theft with a high degree of certainty.

The breach affects patients seen between 2004 and 2013, as well as their payment guarantors. The types of information potentially accessed include names, addresses, phone numbers, dates of birth, dates of service, Social Security numbers, medical diagnoses, billing codes, cost of medical services, co-pay amounts made, medical insurance companies, insurance group numbers and contact information, check numbers, and HRS’s name and practice contact information.

To protect affected individuals from identity theft and fraud, all have been offered credit monitoring/identity theft protection services free of charge. HRS is also revising office policies and procedures to prevent similar incidents from occurring in the future.

The report submitted to the Department of Health and Human Services Office for Civil Rights indicates 12,806 patients have been impacted by the breach and have potentially had their protected health information exposed.

Databreaches.net has published additional information on the incident. While the identities of the individual(s) behind the attack are unknown, the group responsible for the intrusion appears to have been confirmed: the hacker/hacking group known as TheDarkOverlord (TDO).

According to the report, TDO admitted the hack and provided a sample of 10 patients’ records which were used to verify the claim. TDO also informed the site that an extortion demand was issued.


New York Hospital Sued for Disclosing Patient’s HIV Status to Employer

Earlier this year, the Department of Health and Human Services’ Office for Civil Rights settled a case with Mount Sinai St. Luke’s Hospital to resolve alleged HIPAA violations over a 2014 impermissible disclosure of a patient’s HIV positive status to his employer.

St. Luke’s Hospital had faxed a document to the mailroom of the patient’s employer, rather than sending the information to a post office box as requested by the patient via his Authorization for Release of Medical Information form.

The hospital, formerly known as the Spencer Cox Center for Health, also faxed the PHI of another patient to an office where he volunteered. St. Luke’s Hospital agreed to pay OCR $387,000 to resolve the case.

St. Luke’s Hospital also agreed to a corrective action plan that required a review of its policies and procedures concerning PHI disclosures and further training of its employees. St. Luke’s Hospital accepted a mistake was made and the measures being undertaken will help to ensure similar incidents do not occur in the future. However, the hospital has refused to enter into a settlement agreement with the patient whose HIV positive status was disclosed.

The patient, a man in his 30s identified as John Doe and represented by the Law Offices of Jeffrey Lichtman, is suing St. Luke’s Hospital for negligence and negligent infliction of emotional distress.

After the patient completed the Authorization for Release of Medical Information and requested that the records be sent to a private mailbox, a fax was instead sent to the patient’s place of work. The medical records were seen by mailroom staff and were handed to the patient’s supervisor.

According to the suit, “The documents delivered to our client contained information on his HIV status and care, previous diagnoses for other sexually-transmitted diseases, history of physical abuse, sexual orientation information, mental health history, prescription drug information, and social security number.”

The patient was devastated by the disclosure. He was still coming to terms with his diagnosis and had not told most of his family and friends. The stress caused by knowing his coworkers were aware of his diagnosis forced him to quit his job and lose substantial health benefits and insurance. The increased cost of medical insurance at his new job placed him under severe financial pressure, forcing him to discontinue seeing his therapist, who was helping him cope with the exposure of his health information.

According to the lawsuit, St. Luke’s Hospital accepted this was an egregious breach and “tried to assuage our client by claiming that he was lucky just a mail room employee had received the fax with his health issues contained therein,” although no attempt was made to compensate the patient in any way for the error. The lawsuit seeks $2.5 million in damages.

This is not the only case of this nature to be filed in recent weeks. Recently, a mailing sent by a third-party vendor on behalf of Aetna resulted in details of HIV medications being impermissibly disclosed. The information was visible through the clear plastic windows of the envelopes. Up to 12,000 patients were affected by the error.

A lawsuit has been filed in the U.S. District Court for the Eastern District of Pennsylvania by The Legal Action Center, AIDS Law Project of Pennsylvania, and Berger & Montague, P.C., over the impermissible disclosure.


Patient Health Records Discovered in a Denver Alley

Approximately 70 patient files containing sensitive personal and medical information have been discovered in an alley in Denver, CO.

The files contained details of patients’ medical histories, insurance information, and Social Security numbers, the types of information sought by identity thieves and fraudsters. The paperwork had been disposed of in a dumpster accessible by the public.

The records came from the Blue Skies Clinic in Boulder, CO, which was purchased more than a decade ago from chiropractor Otsie Stowell, according to Fox31, Denver. Two chiropractors took control of the records of approximately 800-1000 patients when they bought the practice.

Some of those records were stored in the basement of the practice, which was recently cleared. It is unclear how many records were disposed of in the alley, although only 70 files were recovered.

The records were disposed of by mistake and no one at the clinic was aware that sensitive information was being stored in the basement, according to a statement provided to FOX31 by one of the chiropractors, Rory Lee. Lee also apologized for the mistake and said the clinic will be doing all it can to rectify the mistake.

HIPAA Rules require physical records containing PHI to be disposed of securely when they are no longer required. While HIPAA Rules do not specify the method that must be used to dispose of medical information, whatever method chosen must ensure the information is “unreadable, indecipherable, and otherwise cannot be reconstructed.” For physical records, HIPAA recommends “shredding, burning, pulping, or pulverizing” prior to disposal.

Similar rules apply to the disposal of electronic protected health information. HIPAA suggests clearing, purging, degaussing, exposing media to strong magnetic fields, or destroying electronic media by disintegration, pulverization, melting, incinerating, or shredding.

When a business is closing or about to be sold, OCR suggests covered entities should consider contacting patients and offering them the opportunity to collect their medical records. If medical records are handed over to the new owners of the business, they become their responsibility and must be safeguarded in accordance with the requirements of the HIPAA Security Rule.


CareFirst Data Breach Lawsuit May be Heading to the Supreme Court

In June 2014, hackers succeeded in gaining access to a database maintained by CareFirst BlueCross BlueShield and the protected health information of 1.1 million of its members. The types of information exposed as a result of the hack included names, email addresses, dates of birth, and subscriber ID numbers.

Lawsuits were filed following the breach, with the plaintiffs seeking damages for the elevated risk of identity theft and fraud they faced as a result of the breach.

In 2016, the U.S. District Court for the District of Columbia dismissed one putative class action lawsuit against CareFirst – Chantal Attias vs. Carefirst, Inc. – for lack of standing. Further complaints were also dismissed by two federal district courts. However, on August 1, 2017, the case was revived when the U.S. District Court for the District of Columbia allowed the case to proceed, even though there was not a concrete, identifiable injury to plaintiffs.

CareFirst submitted a motion for a stay to allow an appeal to be filed with the Supreme Court. Last week, the U.S. District Court for the District of Columbia granted a stay of 90 days pending the filing of a Petition for a Writ of Certiorari with the United States Supreme Court, agreeing there was “good cause” and that a “substantial question” needed to be answered.

In the motion CareFirst explained, “The Supreme Court has yet to examine the issue of standing in the context of a data breach case.”

CareFirst wants the case heard by the Supreme Court as it believes federal district and appellate courts require guidance to help them separate cases where a cognizable injury-in-fact has been sustained from those where plaintiffs are not able to allege real or immediate harm.

Federal district and appellate courts have struggled to reach a consensus on when the prospect of future injury as a result of a data breach constitutes a substantial risk of actual harm.

The motion reads, “The fact that reasoned jurists have come to differing conclusions on the standing of plaintiffs from this same data breach, let alone the differences in application of the principles of standing among other jurisdictions in different data breaches, suggests that there is a reasonable probability that four members of the Supreme Court would consider the underlying issue sufficiently meritorious for a grant of certiorari.”

CareFirst explained that if the district court proceeds with the case, “It will encourage others to bring suits following other data breaches without allegations of real and immediate harm.”
