HIPAA Breach News

Healthcare Industry Tops List for Class Action Data Breach Lawsuits

In 2016, the healthcare industry faced the most class-action data breach lawsuits, according to a new analysis of data breach class action lawsuits by the law firm, Bryan Cave, LLP, although the risk of litigation following a breach is still relatively low.

To produce the 2017 data breach litigation report, Bryan Cave conducted a comprehensive review and analysis of all class action lawsuits filed by victims of data security breaches in 2016.

The report explains that while there is always a threat of legal action being taken by data breach victims, the risk of a company facing litigation following a data breach is fairly low because of the difficulty plaintiffs have in establishing that an injury has been caused.

Year over year, there was a slight (7%) increase in class action lawsuits filed against companies that have experienced a data breach, although there was a fall in the proportion of breaches that resulted in lawsuits. The report shows only 3.3% of data breaches in 2016 resulted in class action lawsuits, compared with 4% to 5% in previous years.

In total, 76 class actions were filed in 2016 as a result of data breaches. Bryan Cave points out that those lawsuits were clustered around the same breaches: high-profile data breaches affecting individuals throughout the country. Out of those 76 lawsuits, there were 27 unique defendants.

The report confirms that the healthcare industry reported the most data breaches of any industry – 70% of the total – yet only 34% of class action lawsuits name healthcare organizations as the defendants. Healthcare was nevertheless the leading industry for class action data breach lawsuits (26 complaints), closely followed by email providers with 33%. The figures for email service providers were heavily influenced by the disclosure of two massive data breaches by Yahoo! Restaurants were in third place with 11% of the total, followed by the retail industry with 7%. Healthcare data breach lawsuits fell slightly year over year.

Lawsuits are most commonly filed following the exposure or theft of sensitive information such as Social Security numbers, medical data, health insurance information, and security questions and answers: 89% of class action lawsuits resulted from data breaches in which these types of information were exposed or stolen. 65% of the lawsuits alleged negligence as the primary theory.

Data breach lawsuits are most commonly filed in the Northern District of California (32%), followed by the Middle District of Florida (11%), the District of Arizona (11%), and the Western District of Pennsylvania (7%).

The 2017 Data Breach Litigation Report is available from Bryan Cave.

The post Healthcare Industry Tops List for Class Action Data Breach Lawsuits appeared first on HIPAA Journal.

3,400 Patients of Children’s Hospital Colorado Potentially Impacted by Email Hack

Almost 3,400 patients of Children’s Hospital Colorado are being notified that some of their protected health information has potentially been accessed by an unauthorized individual who gained access to the email account of a member of staff.

The incident was discovered by the Aurora, CO hospital on July 11, 2017, prompting a full investigation to determine the scale and scope of the breach. A third-party computer forensics firm was hired to assist with the investigation to help identify how access to the email account was gained, whether any other systems had been compromised, and to identify any actions taken by the attacker.

An analysis of data in the email account showed a limited amount of PHI was potentially compromised, including names, addresses, dates of birth, telephone numbers, medical diagnoses, treatment information and other clinical information. No financial information, insurance details, Social Security numbers or other highly sensitive data were exposed.

The investigation confirmed the breach was limited to a single email account and that the hospital’s electronic health record (EHR) system was not affected. While the account was accessible to the intruder, the investigation uncovered no evidence to suggest any emails were opened or that any PHI was viewed. Children’s Hospital Colorado also said no reports have been received to suggest any information has been misused in any way.

Children’s Hospital Colorado said, “Protecting the security and confidentiality of patient personal and medical information is of the utmost importance.” To prevent future incidents of this nature from occurring, existing safeguards have been enhanced and a review of its systems is underway to identify any additional controls that can be implemented to further protect patient health information.

Notifications were sent to all affected individuals by mail on Friday and the incident has been reported to appropriate authorities, including the Department of Health and Human Services’ Office for Civil Rights.


Mailing Error and PHI Breach Underscores Need for Greater Oversight

Healthcare organizations must take care not to expose protected health information in mailings. Recently, there have been two incidents reported that involved sensitive information being disclosed as a result of a lack of oversight when corresponding with patients by mail.

A third-party error resulted in details of HIV medications used by Aetna plan members being improperly disclosed. Letters were sent in sealed envelopes, although prescribed HIV medications were clearly visible through the clear plastic windows of the envelopes.

Last year, Emblem Health sent a mailing in which patients’ Social Security numbers were accidentally printed on the outside of envelopes and the Ohio Department of Mental Health and Addiction Services sent a survey to patients on a postcard rather than using letters in sealed envelopes. In that case, the fact that the patient was, or had been, undergoing treatment for mental health issues was disclosed to any individual who happened to view the postcard.

A similar incident has recently affected patients of University of Wisconsin-Madison’s Department of Family Medicine and Community Health. UW-Madison took the decision to ask its patients how it could improve the quality of its services.

A request to take part in a survey was sent via mail, but rather than sending letters inside sealed envelopes, the decision was taken to send postcards. Printed on the postcards, in plain sight, were references to prescribed medications and family planning services: a violation of patient privacy and a breach of HIPAA Rules.

UW-Madison has mailed all individuals affected by the privacy breach alerting them to the error and informing them that workflows have been reviewed and improved to prevent further privacy breaches. Additional reviews will be performed before any correspondence is sent in the future.

All of the above mailing errors involved simple oversights, but the consequences can be severe for patients. The third-party error that resulted in the HIV medications of Aetna plan members being exposed has caused serious harm to several patients. Some plan members had their HIV-positive status disclosed to family members and roommates. Some have been forced to move to a new home out of embarrassment and fear.

These incidents serve as a reminder to all covered entities of the risk of privacy violations from mailings. Covered entities must implement policies and procedures under which every mailing is reviewed prior to dispatch so that sensitive data are not accidentally exposed.


Community Memorial Health System Phishing Attack Reported

The protected health information of almost 1,000 patients has potentially been accessed as a result of a recent Community Memorial Health System phishing attack.

On June 22, 2017, a Community Memorial Health System employee responded to a phishing email and divulged his/her login credentials, allowing an unauthorized individual to gain access to a single email account. The employee realized the mistake the following day and reported the breach to the IT department, which launched an investigation to determine whether any patient information could have been accessed.

The email account was discovered to contain a selection of protected health information including patients’ names, medical record numbers, dates of services, and a limited amount of health information. The Social Security numbers of some patients were also potentially compromised. No bank account information or credit/debit card numbers were exposed.

The discovery of protected health information in the email account prompted Community Memorial Health System to bring in a computer forensics expert to determine whether any emails had been accessed and whether PHI had been stolen.

While the possibility of PHI access could not be ruled out, the forensics expert concluded the probability of PHI having been accessed was low. However, out of an abundance of caution, Community Memorial Health System is offering 24 months of credit monitoring and identity theft protection services to all 959 patients impacted by the breach. All patients affected by the breach have now been notified by mail and the incident has been reported to the Department of Health and Human Services’ Office for Civil Rights.

The phishing attack has prompted Community Memorial Health System to provide its employees with further training to reduce the likelihood of further successful phishing attacks occurring.

This is one of several phishing attacks to be reported by healthcare organizations in the past few weeks. Covered entities can improve their defenses against phishing attacks by implementing an advanced spam filtering solution and conducting phishing awareness training. Research from PhishMe, a provider of a phishing training and simulation platform, suggests phishing simulation exercises can reduce susceptibility to phishing attacks by up to 95%.


OCR Head Expects Major HIPAA Settlement for a Big, Juicy, Egregious Breach in 2017

Roger Severino, the Director of the Department of Health and Human Services’ Office for Civil Rights (OCR) has stated his main enforcement priority for 2017 is to find a “big, juicy, egregious” HIPAA breach and to use it as an example for other healthcare organizations of the dangers of failing to follow HIPAA Rules.

When deciding on which cases to pursue, OCR considers the opportunity to use the case as an educational tool to remind covered entities of the need to comply with specific aspects of HIPAA Rules.

At the recent ‘Safeguarding Health Information’ conference run by OCR and NIST, Severino explained that “I have to balance that law enforcement instinct with the educational component that we do.” Severino went on to say, “I really want to make sure people come into compliance without us having to enforce. I want to underscore that.”

Severino did not explain what aspect of noncompliance with HIPAA Rules OCR is hoping to highlight with its next big, juicy settlement, although no healthcare organization is immune to a HIPAA penalty if they are found to have violated HIPAA Rules. Severino said, “Just because you are small doesn’t mean we’re not looking and that you are safe if you are violating the law. You won’t be.”

Severino also explained that the number of complaints OCR now receives is colossal: more than 20,000 complaints about security incidents and privacy violations are received each year. OCR has many staff issuing technical assistance to help covered entities with their compliance programs. The goal is to significantly reduce the number of complaints and foster a “culture of compliance” throughout the country.

The majority of HIPAA violations are resolved through technical assistance and voluntary compliance, but financial penalties are appropriate for egregious breaches of HIPAA Rules.

Already this year, OCR has reached eight settlements with covered entities to resolve HIPAA violations discovered during investigations of complaints and data breaches, and has issued one civil monetary penalty:

2017 HIPAA Enforcement Actions

  • Memorial Healthcare System – $5.5 million
  • Children’s Medical Center of Dallas – $3.2 million (civil monetary penalty)
  • CardioNet – $2.5 million
  • Memorial Hermann Health System (MHHS) – $2.4 million
  • MAPFRE Life Insurance Company of Puerto Rico – $2.2 million
  • Presence Health – $475,000
  • Metro Community Provider Network – $400,000
  • St. Luke’s-Roosevelt Hospital Center Inc. – $387,000
  • The Center for Children’s Digestive Health – $31,000

The largest HIPAA settlement of 2017 was agreed with Memorial Healthcare System, a health system consisting of six hospitals and various other facilities in South Florida. The $5.5 million settlement resolved potential violations of HIPAA Rules relating to the impermissible accessing of ePHI by employees and the impermissible disclosure of PHI to affiliated physician office staff. The settlement underscored the importance of audit controls and of carefully controlling who has access to ePHI.

The second largest HIPAA settlement of 2017 was for $2.5 million and resolved multiple potential violations of HIPAA Rules that contributed to a breach of 1,391 patient records. The incident involved the theft of an unencrypted laptop computer from the healthcare services provider CardioNet. The settlement underscored the importance of conducting a comprehensive risk assessment and of addressing identified risks to the confidentiality of ePHI.

In May, OCR announced a $2.4 million settlement with Memorial Hermann Health System. The settlement resolved HIPAA violations discovered during the investigation of an impermissible disclosure of a patient’s ePHI in a press release and during subsequent meetings with advocacy groups and state representatives.

In January, a $2.2 million settlement was agreed with MAPFRE Life Insurance Company of Puerto Rico. The incident that triggered the investigation involved the theft of an unencrypted pen drive containing the PHI of 2,209 individuals. The investigation revealed multiple violations of HIPAA Rules including the failure to conduct a thorough and accurate risk assessment, the failure to implement a security awareness training program, the failure to encrypt ePHI and the failure to implement appropriate policies to safeguard ePHI.

The civil monetary penalty against Children’s Medical Center of Dallas was issued for the impermissible disclosure of ePHI and multiple failures to comply with the HIPAA Security Rule over several years. The penalty covers HIPAA failures that contributed to a breach of 3,800 records involving the loss of an unencrypted BlackBerry device in 2009 and the loss of an unencrypted laptop containing the records of 2,462 individuals in 2013.

There has been a period of quiet on the enforcement front over the summer, with the last settlement announced in May. The fall is likely to see more settlements announced, and this year looks on track to be another record year for HIPAA enforcement. The big, juicy, egregious breach that OCR is looking for may prove to result in the largest HIPAA penalty yet.


Alaska DHSS Discovers Malware Infection and Possible PHI Breach

Trojan horse malware has been discovered on two computers used by the Alaska Department of Health and Social Services. The malware potentially allowed malicious actors to gain access to the data stored on the devices.

Katie Marquette, Communications Director of the Alaska DHSS, issued a statement confirming there was “a potential HIPAA breach of more than 500 individuals.” At present, the exact number of individuals affected has not been disclosed.

An analysis of the two malware-infected computers revealed the attackers, who are believed to be located in the Western region, may have been able to obtain sensitive information such as Office of Children’s Services (OCS) documents and reports. Those documents contained details of family case files, medical diagnoses and observations, personal information and other related information.

The investigation into the breach is ongoing and the DHSS Information Technology and Security team is currently attempting to determine the exact nature of the breach and whether any sensitive data were accessed or exfiltrated.

Individuals impacted by the breach will be notified in due course and will be provided with up-to-date information as the investigation progresses. At present, the breach appears to be limited to individuals who had prior contact with the Office of Children’s Services.

Due to the potential for data misuse, those individuals have been advised to protect themselves against identity theft and fraud: they should carefully review their accounts and Explanation of Benefits statements, obtain a credit report from one of the three credit reporting agencies (Experian, Equifax, TransUnion), and look for any signs of fraudulent activity.

Kaiser Permanente Alerts Members to Email Incident

Kaiser Permanente is notifying approximately 600 members from the Riverside, CA area about a privacy breach in which some of their protected health information was emailed to an incorrect recipient.

The email contained a document that included names, medical record numbers and details of procedures performed. No Social Security numbers, financial information or other sensitive data were disclosed.

The incident occurred on August 9, 2017, with the privacy breach believed to have resulted from an error made by an employee when entering an email address. The owner of the email address to which the information was sent is unknown at this time. Kaiser Permanente believes this was an error and there was no malicious intent, although an investigation is ongoing to rule out the possibility of foul play.


Former Employee of The Neurology Foundation Discovered to Have Obtained Patient Data

The Neurology Foundation in Providence, RI has investigated an employee who was discovered to be using a company credit card to make unauthorized purchases. The investigation revealed that the individual had also copied and removed a range of sensitive patient information from the organization.

In breach of the Neurology Foundation’s policies, the former employee copied data relating to the Foundation’s patients onto an external hard drive which was stored in the employee’s home.

The Neurology Foundation discovered the employee had copied data onto the hard drive during an exit interview on May 3, 2017. That revelation prompted the Foundation to retain a computer forensics firm to conduct an investigation into the employee’s activities and determine the types of data copied to the storage device and the number of patients impacted.

That investigation also revealed the former employee had breached company policies by copying sensitive data onto his/her desktop computer and several zip drives.

The information copied to the external storage device included patients’ names, addresses, phone numbers, dates of birth, email addresses, health insurance policy numbers, medical record numbers, bank account numbers, medical diagnoses, Social Security numbers, details of treatments and medications, and patients’ race and sex.

While the data could potentially have been misused, the Neurology Foundation has uncovered no evidence to suggest that was the case. The portable hard drive has now been recovered and the data have been secured.

The unauthorized credit card purchases were discovered in April and the HIPAA breach discovered in May; however, patients have only just been informed that their protected health information was compromised.

Delaying breach notifications beyond the deadline is a violation of HIPAA Rules; however, in certain cases, law enforcement may request that disclosure of the breach to patients, state and federal authorities, and the media be delayed so as not to interfere with a criminal investigation. That was the case with this breach: law enforcement requested a delay while the investigation was conducted. The investigation is ongoing, but the period of the law enforcement request has now elapsed and notifications are being sent.

All patients impacted by the breach are being offered 12 months of credit monitoring services without charge and have been told to be vigilant to the possibility of identity theft and fraud.

The incident has been reported to the appropriate authorities, although it is currently unclear exactly how many patients have been impacted by the incident.


19,000 Impacted by Medical Oncology Hematology Consultants Ransomware Incident

A server and several workstations used by Newark, Delaware-based Medical Oncology Hematology Consultants (MOHC) have had sensitive data encrypted by ransomware.

The ransomware attack was discovered on July 7, 2017, although the attack first started around three weeks previously on June 17. The attack resulted in certain electronic files being encrypted, preventing access to data.

Upon discovery of the attack, MOHC launched an investigation to determine the extent of the attack, the files affected, and whether any protected health information had been accessed or stolen. In addition to the internal investigation, a third-party cybersecurity firm was contracted to assist with the recovery of the encrypted data.

MOHC determined that some of the encrypted files contained patients’ protected health information, which could potentially have been accessed during the attack. The types of information potentially compromised were limited to patients’ names, phone numbers, dates of birth, and health and treatment information. In total, 19,203 patients were potentially impacted by the incident.

MOHC notes in its substitute breach notification letter that no evidence of data access or data theft was uncovered during the investigation and no reports have been received to suggest any sensitive information has been misused.

Under HIPAA Rules, breaches of protected health information such as this must be reported to the Department of Health and Human Services’ Office for Civil Rights and breach notification letters must be sent to patients. Those notifications have now been issued.

While not required to do so under state law, MOHC has taken the decision to offer patients 12 months of free credit monitoring and related services out of an abundance of caution to protect them against identity theft and fraud.

HIPAA-covered entities should note that Delaware has recently updated its breach notification law, which will require businesses that experience a breach of personal information to offer credit monitoring services to the affected individuals. The new law has an effective date of April 14, 2018.

The ransomware attack prompted MOHC to make several enhancements to its policies, procedures, and systems to improve data security. The updates included a full network password reset, revisions to its document retention policies and procedures, the implementation of a web filtering system, conducting phishing simulations on employees and providing them with further training, the implementation of a two-factor authentication system, a reevaluation of access privileges and consolidation of its servers to eliminate redundancies.


106,000 Mid-Michigan Physicians’ Patients Potentially Impacted by Breach

The protected health information of 106,000 current and former patients of the radiology center of Mid-Michigan Physicians has potentially been compromised.

McLaren Medical Group, which manages Mid-Michigan Physicians, has announced that the breach affected a system that stored scanned internal documents such as physician orders and scheduling information, which included protected health information such as names, addresses, telephone numbers, dates of birth, Social Security numbers, medical record numbers, and diagnoses.

McLaren Medical Group discovered the breach in March this year, although the investigation into the security breach was protracted and notifications were delayed until the investigation was completed.

That investigation confirmed the protected health information of seven individuals was definitely accessed, although potentially, the records of 106,000 patients could also have been viewed as a result of the radiology center’s system being compromised.

McLaren Medical Group says its computer system has been reconstructed with additional security protections in place to prevent further incidents of this nature from occurring. All patients affected by the incident have been offered credit monitoring and identity theft services without charge.

Breach notification letters have now been issued to all individuals potentially impacted by the security breach, although it has taken five months for those notification letters to be sent. The HIPAA Breach Notification Rule requires individuals impacted by a PHI breach to be notified as soon as possible, and certainly within 60 days of the discovery of the breach.

This year, Presence Health settled potential HIPAA Breach Notification Rule violations with OCR for $475,000 after impermissibly delaying the issuing of breach notification letters to patients by one month. It was the first time OCR had settled a case with a covered entity solely for delaying breach notification letters.

Recently, Deven McGraw, deputy director for health information privacy at OCR, confirmed that waiting the full 60 days to send breach notification letters when they could have been sent sooner is a violation of HIPAA Rules. Letters must be sent as soon as possible after a breach is discovered. A five-month delay will certainly be scrutinized by OCR, and a financial penalty may be deemed appropriate.
