HIPAA Breach News

106,000 Mid-Michigan Physicians’ Patients Potentially Impacted by Breach

Posted by HIPAA Journal

The protected health information of 106,000 current and former patients of the radiology center of Mid-Michigan Physicians has potentially been compromised.

McLaren Medical Group, which manages Mid-Michigan Physicians, has announced that the breach affected a system that stored scanned internal documents such as physician orders and scheduling information, which included protected health information such as names, addresses, telephone numbers, dates of birth, Social Security numbers, medical record numbers, and diagnoses.

McLaren Medical Group discovered the breach in March this year, although the investigation into the security breach was protracted and notifications were delayed until the investigation was completed.

That investigation confirmed the protected health information of seven individuals was definitely accessed, although potentially, the records of 106,000 patients could also have been viewed as a result of the radiology center’s system being compromised.

McLaren Medical Group says its computer system has been reconstructed with additional security protections in place to prevent further incidents of this nature from occurring. All patients affected by the incident have been offered credit monitoring and identity theft services without charge.

Breach notification letters have now been issued to all individuals potentially impacted by the security breach, although it has taken five months for those notification letters to be sent. The HIPAA Breach Notification Rule requires individuals impacted by a PHI breach to be notified as soon as possible, and certainly within 60 days of the discovery of the breach.

This year, Presense Health settled potential HIPAA Breach Notification Rule violations with OCR for $475.,000 after impermissibly delaying the issuing of breach notification letters to patients by one month. It was the first time OCR has settled a case with a covered entity solely for delaying breach notification letters.

Recently, Deven McGraw, deputy director for health information privacy at OCR, confirmed that waiting 60 days to send breach notification letters is a violation of HIPAA Rules. Letters must be sent as soon as possible after a breach. A five-month delay will certainly be scrutinized by OCR and a financial penalty may be deemed appropriate.

The post 106,000 Mid-Michigan Physicians’ Patients Potentially Impacted by Breach appeared first on HIPAA Journal.

Lawsuit Filed Against Aetna for Disclosure of HIV Status of Patients

Posted by HIPAA Journal

A class action lawsuit has been filed against Aetna following a privacy breach that saw the HIV positive status of up to 12,000 individuals impermissibly disclosed. The incident occurred during a recent mailing, when details of prescribed HIV medications were visible through the clear plastic windows of envelopes, along with individuals’ names and addresses.

The letters related to pharmacy benefits and information on how HIV medications could be received. As a result of an error, which has been attributed to letters slipping inside the envelopes, many individuals had had their HIV status disclosed to neighbors, family members and roommates. While breach notification letters have been sent to 12,000 individuals who received the mailing, it is unclear exactly how many individuals had details of their HIV medications disclosed.

Last week, Aetna announced that “this type of mistake is unacceptable,” and confirmed action was being taken to ensure proper safeguards are put in place to prevent similar incidents from happening. However, for individuals affected by the error, serious and irreparable harm has been caused.

The Legal Action Center and AIDS Law Project of Pennsylvania sent a letter to Aetna last week demanding the insurer stop sending mail that “illegally discloses” plan members are taking HIV medication.” Now, a class-action lawsuit has been filed in the U.S. District Court for the Eastern District of Pennsylvania by both organizations and their legal team from Berger & Montague, P.C. The lawsuit demands that Aetna cease the practice of sending information relating to HIV medications in the mail and that it reforms procedures and pays damages.

In a recent press release, the AIDS Law Project explained that the disclosure has caused turmoil for some Aetna members whose HIV positive status was disclosed. The press release cited one example of a couple in Florida who have been forced to move home as a result of the disclosure out of fear and embarrassment.

In another example, the sister of a 52-year old man from Bucks County, PA found out he was taking HIV medication after viewing the information through the envelope. That man is the lead plaintiff in the class action lawsuit. In his case, he does not have HIV, but takes the medication as part of a regimen of pre-exposure prophylaxis to prevent him from contracting the virus.

The purpose of the Aetna correspondence was to address alleged privacy violations raised in two lawsuits in 2014 and 2015, which were filed after the company required customers to receive their HIV medications in the mail. The plaintiffs claimed such actions could breach their privacy. The cases were settled, and the letter was sent on July 28, 2017 in relation to the change in its HIV medication procedures.

When the press release was issued, six AIDS service organizations across the United States had received “dozens” of complaints from customers about the mailing.

Sally Friedman, legal director of the Legal Action Center said, “Some have lost housing, and others have been shunned by loved ones because of the enormous stigma that HIV still carries. This case seeks justice for these individuals. Insurers like Aetna must be held accountable when they fail to vigorously protect people’s most private health information.”

The post Lawsuit Filed Against Aetna for Disclosure of HIV Status of Patients appeared first on HIPAA Journal.

Lawsuit Filed Against Aetna for Disclosure of HIV Status of Patients

Posted by HIPAA Journal

A class action lawsuit has been filed against Aetna following a privacy breach that saw the HIV positive status of up to 12,000 individuals impermissibly disclosed. The incident occurred during a recent mailing, when details of prescribed HIV medications were visible through the clear plastic windows of envelopes, along with individuals’ names and addresses.

The letters related to pharmacy benefits and information on how HIV medications could be received. As a result of an error, which has been attributed to letters slipping inside the envelopes, many individuals had had their HIV status disclosed to neighbors, family members and roommates. While breach notification letters have been sent to 12,000 individuals who received the mailing, it is unclear exactly how many individuals had details of their HIV medications disclosed.

Last week, Aetna announced that “this type of mistake is unacceptable,” and confirmed action was being taken to ensure proper safeguards are put in place to prevent similar incidents from happening. However, for individuals affected by the error, serious and irreparable harm has been caused.

The Legal Action Center and AIDS Law Project of Pennsylvania sent a letter to Aetna last week demanding the insurer stop sending mail that “illegally discloses” plan members are taking HIV medication.” Now, a class-action lawsuit has been filed in the U.S. District Court for the Eastern District of Pennsylvania by both organizations and their legal team from Berger & Montague, P.C. The lawsuit demands that Aetna cease the practice of sending information relating to HIV medications in the mail and that it reforms procedures and pays damages.

In a recent press release, the AIDS Law Project explained that the disclosure has caused turmoil for some Aetna members whose HIV positive status was disclosed. The press release cited one example of a couple in Florida who have been forced to move home as a result of the disclosure out of fear and embarrassment.

In another example, the sister of a 52-year old man from Bucks County, PA found out he was taking HIV medication after viewing the information through the envelope. That man is the lead plaintiff in the class action lawsuit. In his case, he does not have HIV, but takes the medication as part of a regimen of pre-exposure prophylaxis to prevent him from contracting the virus.

The purpose of the Aetna correspondence was to address alleged privacy violations raised in two lawsuits in 2014 and 2015, which were filed after the company required customers to receive their HIV medications in the mail. The plaintiffs claimed such actions could breach their privacy. The cases were settled, and the letter was sent on July 28, 2017 in relation to the change in its HIV medication procedures.

When the press release was issued, six AIDS service organizations across the United States had received “dozens” of complaints from customers about the mailing.

Sally Friedman, legal director of the Legal Action Center said, “Some have lost housing, and others have been shunned by loved ones because of the enormous stigma that HIV still carries. This case seeks justice for these individuals. Insurers like Aetna must be held accountable when they fail to vigorously protect people’s most private health information.”

The post Lawsuit Filed Against Aetna for Disclosure of HIV Status of Patients appeared first on HIPAA Journal.

Website Update Exposes PHI of 8,800 Silver Cross Hospital Patients

Posted by HIPAA Journal

Silver Cross Hospital in New Lenox, IL, has learned that the protected health information of 8,862 patients has been exposed as a result of a software update performed by a business associate that manages certain parts of its website.

The software upgrade was performed on the website in November 2016, which resulted in security settings being inadvertently reconfigured. As a result, information entered by patients in webforms was made available over the Internet and could potentially have been accessed by unauthorized individuals. Silver Cross Hospital said change to the security settings was discovered internally on June 14, 2017. The vendor was immediately contacted and the site was rapidly secured.

A computer forensics firm was contracted to perform an analysis of the website to establish whether any of the exposed information had been accessed by unauthorized individuals during the seven months that data were accessible. The investigation did not uncover any evidence to suggest unauthorized individuals navigated to the forms and viewed patient health information, although the possibility could not be ruled out.

At no point did the security incident affect the hospital’s electronic health record system or any data stored by the hospital. The only information that could potentially be viewed was information entered via the forms and stored by its vendor.

The breach affects patients who used a range of forms on the website. Those forms collected a range of sensitive information including names, addresses, telephone numbers, email addresses, dates of birth, IP addresses and patients’ marital status. Some patients also had their Social Security number, insurance details and some health information exposed, but only if that information had been submitted via the webforms. While the software update occurred in late November, the breach impacts patients who used the webforms between January 2013 and June 14, 2017. In some cases, patients and payment guarantors may have had their information entered into the webforms by a third party and may therefore not be aware that they have been impacted by the incident.

Silver Cross Hospital has now notified all impacted individuals for whom valid contact addresses are held. All individuals affected by the breach have been offered complimentary credit monitoring services for 12 months.

Steps have also been taken to improve security and prevent similar incidents from occurring in the future. Those measures include reviewing and updating policies and procedures related to website security, the provision of additional training for staff members, and a detailed assessment of security practices by experts in the field.

The post Website Update Exposes PHI of 8,800 Silver Cross Hospital Patients appeared first on HIPAA Journal.

Website Update Exposes PHI of 8,800 Silver Cross Hospital Patients

Posted by HIPAA Journal

Silver Cross Hospital in New Lenox, IL, has learned that the protected health information of 8,862 patients has been exposed as a result of a software update performed by a business associate that manages certain parts of its website.

The software upgrade was performed on the website in November 2016, which resulted in security settings being inadvertently reconfigured. As a result, information entered by patients in webforms was made available over the Internet and could potentially have been accessed by unauthorized individuals. Silver Cross Hospital said change to the security settings was discovered internally on June 14, 2017. The vendor was immediately contacted and the site was rapidly secured.

A computer forensics firm was contracted to perform an analysis of the website to establish whether any of the exposed information had been accessed by unauthorized individuals during the seven months that data were accessible. The investigation did not uncover any evidence to suggest unauthorized individuals navigated to the forms and viewed patient health information, although the possibility could not be ruled out.

At no point did the security incident affect the hospital’s electronic health record system or any data stored by the hospital. The only information that could potentially be viewed was information entered via the forms and stored by its vendor.

The breach affects patients who used a range of forms on the website. Those forms collected a range of sensitive information including names, addresses, telephone numbers, email addresses, dates of birth, IP addresses and patients’ marital status. Some patients also had their Social Security number, insurance details and some health information exposed, but only if that information had been submitted via the webforms. While the software update occurred in late November, the breach impacts patients who used the webforms between January 2013 and June 14, 2017. In some cases, patients and payment guarantors may have had their information entered into the webforms by a third party and may therefore not be aware that they have been impacted by the incident.

Silver Cross Hospital has now notified all impacted individuals for whom valid contact addresses are held. All individuals affected by the breach have been offered complimentary credit monitoring services for 12 months.

Steps have also been taken to improve security and prevent similar incidents from occurring in the future. Those measures include reviewing and updating policies and procedures related to website security, the provision of additional training for staff members, and a detailed assessment of security practices by experts in the field.

The post Website Update Exposes PHI of 8,800 Silver Cross Hospital Patients appeared first on HIPAA Journal.

Ransomware Attack on Salina Family Healthcare Impacts 77,000 Patients

Posted by HIPAA Journal

In June, ransomware was installed on servers and workstations at Salina Family Healthcare in Kansas resulting in the encryption and potential disclosure of patients protected health information.

The attack occurred on June 18, 2017. Salina Family Healthcare was able to limit the extent of the attack by taking swift action to secure its systems. It was also possible to restore the encrypted data from recent backups so no ransom needed to be paid.

A third-party computer forensics firm was contracted to analyze its systems to determine how the ransomware was installed and whether the attackers succeeded in gaining access to or stealing patient data. While evidence of data theft was not uncovered, the firm was unable to rule out the possibility that the actors behind the attack viewed or copied patient data.

The protected health information potentially accessed includes names, addresses, dates of birth, Social Security numbers, medical treatment information, and health insurance details.

While data access was possible, no reports have been received to suggest any information has been stolen and misused, although patients should be alert to the possibility of data theft and should monitor their accounts and Explanation of Benefits statements closely for any sign of fraudulent activity.

Patients potentially impacted by the attack have now been notified of the security breach and have been offered credit monitoring and identity theft restoration services for 12 months without charge out of an abundance of caution.

Salina Family Healthcare has already taken a number of steps to improve security following the ransomware attack. Those measures include upgrading network servers, regularly scanning the network for viruses, providing the workforce with additional security training on malware threats, and limiting Internet access for staff to reduce exposure.

The breach report submitted to the Department of Health and Human Services’ Office for Civil Rights indicates 77,337 patients and payment guarantors have potentially been impacted by the security incident.

The post Ransomware Attack on Salina Family Healthcare Impacts 77,000 Patients appeared first on HIPAA Journal.

Ransomware Attack on Salina Family Healthcare Impacts 77,000 Patients

Posted by HIPAA Journal

In June, ransomware was installed on servers and workstations at Salina Family Healthcare in Kansas resulting in the encryption and potential disclosure of patients protected health information.

The attack occurred on June 18, 2017. Salina Family Healthcare was able to limit the extent of the attack by taking swift action to secure its systems. It was also possible to restore the encrypted data from recent backups so no ransom needed to be paid.

A third-party computer forensics firm was contracted to analyze its systems to determine how the ransomware was installed and whether the attackers succeeded in gaining access to or stealing patient data. While evidence of data theft was not uncovered, the firm was unable to rule out the possibility that the actors behind the attack viewed or copied patient data.

The protected health information potentially accessed includes names, addresses, dates of birth, Social Security numbers, medical treatment information, and health insurance details.

While data access was possible, no reports have been received to suggest any information has been stolen and misused, although patients should be alert to the possibility of data theft and should monitor their accounts and Explanation of Benefits statements closely for any sign of fraudulent activity.

Patients potentially impacted by the attack have now been notified of the security breach and have been offered credit monitoring and identity theft restoration services for 12 months without charge out of an abundance of caution.

Salina Family Healthcare has already taken a number of steps to improve security following the ransomware attack. Those measures include upgrading network servers, regularly scanning the network for viruses, providing the workforce with additional security training on malware threats, and limiting Internet access for staff to reduce exposure.

The breach report submitted to the Department of Health and Human Services’ Office for Civil Rights indicates 77,337 patients and payment guarantors have potentially been impacted by the security incident.

The post Ransomware Attack on Salina Family Healthcare Impacts 77,000 Patients appeared first on HIPAA Journal.

Third-Party Mailing Error Sees Aetna Plan Members’ HIV Status Disclosed

Posted by HIPAA Journal

Aetna is in the news again for the wrong reasons, having experienced another protected health information breach. The latest incident impacts approximately 12,000 Aetna plan members and resulted in highly sensitive information being disclosed to unauthorized individuals.

An error was made in a recent mailing to plan members. That error resulted in the HIV positive of members being disclosed to other individuals. The letters advised plan members about their options for filling in their HIV prescriptions. However, some of that information was visible through the transparent plastic window in the envelope along with names and addresses. The mailing was sent by a third-party vendor on July 28, 2017.

Aetna was notified of the error by the Legal Action Center and the AIDS Law Project of Pennsylvania, which in turn were notified of the error by some individuals whose HIV status had been disclosed. Those individuals said that in addition to the information being visible to the mailman, the letters had been viewed by roommates, neighbors and family members.

The potential harm caused by an error such as this is considerable. As Ronda Goldfein, executive director of AIDS Law Project of Pennsylvania explained, “It creates a tangible risk of violence, discrimination and other trauma.”

All patients affected by the privacy breach have now been informed of the error by mail. Aetna explained that for some patients, the letter had slipped inside the envelope making the sensitive information visible. Aetna explained to patients that the “mistake is unacceptable” and that a review is now being conducted to ensure similar incidents do not occur in the future.

This breach comes just two months after Aetna announced the discovery of an error that resulted in the protected health information of approximately 5,000 individuals being indexed by search engines and made available to unauthorized individuals over the Internet.

The post Third-Party Mailing Error Sees Aetna Plan Members’ HIV Status Disclosed appeared first on HIPAA Journal.

Credit Monitoring Services Must Now Be Offered to Breach Victims in Delaware

Posted by HIPAA Journal

For the first time in the past 10 years, Delaware has amended its data breach notification law and has now introduced some of the strictest requirements of any state. Any ‘person’ operating in the state of Delaware must now notify individuals of the exposure or theft of their sensitive information and must offer breach victims complimentary credit monitoring services for 12 months. Connecticut was the first state to introduce similar laws, with California also requiring the provision of credit monitoring services to breach victims.

Breach victims must also be advised of security incidents involving their sensitive information ‘as soon as possible’ and no later than 60 days following the discovery of a breach. The new law also requires companies operating in the state to implement “reasonable” security measures to safeguard personal information – Delaware is the 14th state to require companies to adopt security measures to ensure sensitive information is protected.

The definition of ‘personal information’ has also been expanded and now includes usernames/email addresses in combination with a password/answers to security questions, password numbers, driver’s license numbers, mental health and physical condition, medical histories, health insurance policy numbers, subscriber identification numbers, medical treatment information, medical diagnoses, DNA profiles, unique biometric data (including fingerprints/retina scans), and tax payer identification numbers.

Companies can avoid sending notifications and providing credit monitoring services if data is encrypted prior to a cyberattack or other security incident, unless it is reasonably believed the breach also resulted in the encryption key being compromised.

Rep. Paul Baumbach, D-Newark, who sponsored the bill, said the new legislation is ” A meaningful step forward in addressing these breaches so that we guarantee better protections for our residents and help them rebuild their lives after a cyberattack.”

House Bill 180 was passed earlier this month. The new law has an effective date of April 14, 2018.

The post Credit Monitoring Services Must Now Be Offered to Breach Victims in Delaware appeared first on HIPAA Journal.