HIPAA Breach News

Hospital Employee Fired Over 26,000-Record Arkansas DHS Privacy Breach

A former employee of the Arkansas Department of Human Services (DHS) has been fired from her new position at the state hospital for emailing spreadsheets containing the protected health information of patients to a personal email account.

Yolanda Farrar worked as a payment integrity coding analyst for the DHS, but was fired on March 24, 2017. According to a statement issued by DHS spokesperson Amy Webb, Farrar was fired for “violations of DHS policy on professionalism, teamwork and diligent and professional performance.”

The day before, Farrar had spoken with her supervisor about issues relating to her performance and learned that she was about to be terminated. Within minutes of that conversation, Farrar emailed spreadsheets from her work email account to a personal email address.

Farrar subsequently took legal action against DHS for unfair dismissal. Attorneys preparing to represent the agency in court reviewed the emails Farrar had sent through her work email account and discovered the messages and attached spreadsheets on August 7. The DHS privacy officer was notified immediately and an internal investigation into the incident was launched.

The spreadsheets were found to contain a range of sensitive information of patients including names, birth dates, linked Medicaid identification numbers, diagnoses, codes for medical procedures, and some Social Security numbers. Each record in the spreadsheet was manually checked and after duplicates were removed, DHS determined that the protected health information of 26,044 patients had been emailed to the personal account.

By emailing the spreadsheets, Farrar breached DHS policies as well as state and federal law. Farrar had since been employed at the state hospital; the discovery of the emails resulted in her being fired from that position as well. The investigation into the privacy breach is ongoing and DHS intends to pursue criminal charges against Farrar.

DHS already requires employees to undergo privacy training. All employees must pass a test on that training before they are granted Internet access, and the training makes clear that emailing confidential information outside the agency is prohibited. A review of policies and procedures is being conducted to determine whether any further measures can be taken to reduce the potential for similar incidents in the future.

DHS has confirmed that all individuals impacted by the incident will be notified of the privacy breach by mail this week.

The post Hospital Employee Fired Over 26,000-Record Arkansas DHS Privacy Breach appeared first on HIPAA Journal.

Hospital Staff Discovered to Have Taken and Shared Photographs of Patient’s Genital Injury

An investigation has been conducted into a privacy violation at the University of Pittsburgh Medical Center’s Bedford Memorial hospital, in which photographs and videos of a patient’s genitals were taken by hospital staff and, in some cases, shared with other individuals, including people who were not hospital staff. The patient was admitted to the hospital in late December 2017, and the photos and videos were shared over the following few weeks.

The patient was admitted to the hospital on December 23, 2017 with a genital injury: a foreign object had been inserted into the patient’s penis and was protruding from the end. The unusual injury attracted a great deal of attention, and several staff members not involved in the patient’s treatment were called into the operating room to view it. Multiple staff members took photographs and videos of the patient’s genitals while the patient was sedated and unconscious.

The privacy breach was reported by a hospital employee who alleged that the images and videos were being shared with other staff members not involved in the patient’s treatment. The complaint was investigated by the Pennsylvania Department of Health on May 23, 2017.

While HIPAA violations appear to have occurred, the state investigation assessed compliance with the Medicare Conditions of Participation rather than with HIPAA, which is enforced separately by the HHS Office for Civil Rights. According to the published report of the investigation, multiple areas of non-compliance with 42 CFR Part 482 (Conditions of Participation for Hospitals) were identified: §482.13, Patient rights; §482.22(c), Medical staff bylaws; §482.42, Infection control; and §482.51, Surgical services.

According to a statement obtained from a member of staff who was interviewed, a request was made for photographs to be taken of the patient’s injury for use in future medical lectures. That individual said, “We have a camera in the OR for that purpose, but it was reportedly broken and so personal phones were used. Initially, we thought there was only one picture taken but later we learned of others. We also had the camera checked out, it is working, it is just too complicated to use.”

One physician said, “At one point when I looked up, there were so many people it looked like a cheerleader type pyramid.”

The story was originally reported on Pennlive, which received an emailed statement from UPMC saying, “The behavior reported in this case is abhorrent and violates the mission of UPMC Bedford and the overall values of UPMC. Upon discovery, UPMC quickly self-reported the incident to the Pennsylvania Department of Health and took appropriate disciplinary action with the individuals involved.”

Those actions included suspensions and firings of staff found to have violated the patient’s privacy. The patient, who was not identified, has also been informed of the privacy breach.

Hand Rehabilitation Specialists Suffers Breach of Almost 13,000 Patients’ PHI

Hand & Upper Extremity Centers has announced a security breach that has potentially impacted almost 13,000 patients.

The breach occurred at Thousand Oaks, CA-based Hand Rehabilitation Specialists (HRS). While it is unclear when the intrusion actually took place, HRS was notified about a potential security incident on July 5, 2017.

According to the substitute breach notice posted on the HRS website, an unauthorized individual is believed to have gained access to HRS systems and potentially viewed and exfiltrated patient data. As soon as HRS became aware of the incident, law enforcement was contacted and the Ventura County Sheriff’s Office conducted a forensic investigation of the computer system used by HRS. The incident was also reported to the Federal Bureau of Investigation.

Law enforcement found no evidence to suggest any patient data had been exfiltrated, although it was not possible to rule out data theft with a high degree of certainty.

The breach affects patients seen between 2004 and 2013, as well as their payment guarantors. The types of information potentially accessed include names, addresses, phone numbers, dates of birth, dates of service, Social Security numbers, medical diagnoses, billing codes, cost of medical services, co-pay amounts made, medical insurance companies, insurance group numbers and contact information, check numbers, and HRS’s name and practice contact information.

To protect affected individuals from identity theft and fraud, all have been offered credit monitoring and identity theft protection services free of charge. HRS is also revising office policies and procedures to prevent similar incidents from occurring in the future.

The report submitted to the Department of Health and Human Services Office for Civil Rights indicates 12,806 patients have been impacted by the breach and have potentially had their protected health information exposed.

Databreaches.net has published additional information on the incident. While HRS has not named the individual or group behind the attack, the site reports that the hacking group known as TheDarkOverlord (TDO) has claimed responsibility for the intrusion.

According to that report, TDO claimed the hack and provided a sample of 10 patients’ records, which the site used to verify the claim. TDO also told the site that an extortion demand had been issued to HRS.

New York Hospital Sued for Disclosing Patient’s HIV Status to Employer

Earlier this year, the Department of Health and Human Services’ Office for Civil Rights settled a case with Mount Sinai St. Luke’s Hospital to resolve alleged HIPAA violations over a 2014 impermissible disclosure of a patient’s HIV positive status to his employer.

St. Luke’s Hospital had faxed a document to the mailroom of the patient’s employer, rather than sending the information to a post office box as requested by the patient via his Authorization for Release of Medical Information form.

The Spencer Cox Center for Health, a program of St. Luke’s, also faxed the PHI of another patient to an office where he volunteered. St. Luke’s Hospital agreed to pay OCR $387,000 to resolve the case.

St. Luke’s Hospital also agreed to a corrective action plan that required a review of its policies and procedures concerning PHI disclosures and further training of its employees. St. Luke’s Hospital accepted that a mistake was made and said the measures being undertaken will help to ensure similar incidents do not occur in the future. However, the hospital has refused to enter into a settlement agreement with the patient whose HIV positive status was disclosed.

The patient, a man in his 30s identified as John Doe and represented by the Law Offices of Jeffrey Lichtman, is suing St. Luke’s Hospital for negligence and negligent infliction of emotional distress.

After completing the Authorization for Release of Medical Information and requesting that the records be sent to a private mailbox, the patient instead had his records faxed to his place of work. The medical records were seen by mailroom staff and were handed to the patient’s supervisor.

According to the suit, “The documents delivered to our client contained information on his HIV status and care, previous diagnoses for other sexually-transmitted diseases, history of physical abuse, sexual orientation information, mental health history, prescription drug information, and social security number.”

The patient was devastated by the disclosure. He was still coming to terms with his diagnosis and had not told most of his family and friends. The stress of knowing his coworkers were aware of his diagnosis forced him to quit his job and lose substantial health benefits and insurance. The increased cost of medical insurance at his new job placed him under severe financial pressure, forcing him to stop seeing the therapist who was helping him cope with the exposure of his health information.

According to the lawsuit, St. Luke’s Hospital accepted this was an egregious breach and “tried to assuage our client by claiming that he was lucky just a mail room employee had received the fax with his health issues contained therein,” although no attempt was made to compensate the patient in any way for the error. The lawsuit seeks $2.5 million in damages.

This is not the only case of this nature to be filed in recent weeks. Recently, a mailing sent by a third-party vendor on behalf of Aetna resulted in details of HIV medications being impermissibly disclosed. The information was visible through the clear plastic windows of the envelopes. Up to 12,000 patients were affected by the error.

A lawsuit over that impermissible disclosure has been filed in the U.S. District Court for the Eastern District of Pennsylvania by the Legal Action Center, the AIDS Law Project of Pennsylvania, and Berger & Montague, P.C.

Patient Health Records Discovered in a Denver Alley

Approximately 70 patient files containing sensitive personal and medical information have been discovered in an alley in Denver, CO.

The files contained details of patients’ medical histories, insurance information, and Social Security numbers, exactly the types of information sought by identity thieves and fraudsters. The paperwork had been disposed of in a dumpster accessible to the public.

The records came from the Blue Skies Clinic in Boulder, CO, which was purchased more than a decade ago from chiropractor Otsie Stowell, according to Fox31 Denver. Two chiropractors took control of the records of approximately 800-1,000 patients when they bought the practice.

Some of those records were stored in the basement of the practice, which was recently cleared out. It is unclear how many records were disposed of in the alley, although only 70 files were recovered.

The records were disposed of by mistake, and no one at the clinic was aware that sensitive information was being stored in the basement, according to a statement provided to Fox31 by one of the chiropractors, Rory Lee. Lee apologized for the mistake and said the clinic will do all it can to rectify it.

HIPAA Rules require physical records containing PHI to be disposed of securely when they are no longer required. While HIPAA Rules do not specify the method that must be used to dispose of medical information, whatever method is chosen must ensure the information is “unreadable, indecipherable, and otherwise cannot be reconstructed.” For paper records, OCR guidance recommends “shredding, burning, pulping, or pulverizing” prior to disposal.

Similar rules apply to the disposal of electronic protected health information. OCR guidance suggests clearing (overwriting), purging (degaussing or exposing media to a strong magnetic field), or destroying electronic media by disintegration, pulverization, melting, incineration, or shredding.

When a business is closing or about to be sold, OCR suggests covered entities should consider contacting patients and offering them the opportunity to collect their medical records. If medical records are handed over to the new owners of the business, they become the new owners’ responsibility and must be safeguarded in accordance with the HIPAA Privacy Rule and, for electronic records, the HIPAA Security Rule.

CareFirst Data Breach Lawsuit May be Heading to the Supreme Court

In June 2014, hackers gained access to a database maintained by CareFirst BlueCross BlueShield containing the protected health information of 1.1 million of its members. The types of information exposed as a result of the hack included names, email addresses, dates of birth, and subscriber ID numbers.

Lawsuits were filed following the breach, with the plaintiffs seeking damages for the elevated risk of identity theft and fraud they faced as a result of the breach.

In 2016, the U.S. District Court for the District of Columbia dismissed one putative class action lawsuit against CareFirst, Chantal Attias v. CareFirst, Inc., for lack of standing. Further complaints were also dismissed by two other federal district courts. However, on August 1, 2017, the case was revived when the U.S. Court of Appeals for the D.C. Circuit reversed the dismissal and allowed the case to proceed, finding that the plaintiffs had plausibly alleged a substantial risk of future harm even though no actual misuse of their data had been shown.

CareFirst submitted a motion for a stay to allow an appeal to be filed with the Supreme Court. Last week, the U.S. District Court for the District of Columbia granted a 90-day stay pending the filing of a Petition for a Writ of Certiorari with the United States Supreme Court, agreeing there was “good cause” and that a “substantial question” needed to be answered.

In the motion CareFirst explained, “The Supreme Court has yet to examine the issue of standing in the context of a data breach case.”

CareFirst wants the case heard by the Supreme Court because it believes federal district and appellate courts need guidance to help them separate cases in which a cognizable injury-in-fact has been sustained from those in which plaintiffs are unable to allege real or immediate harm.

Federal district and appellate courts have struggled to reach a consensus on when the prospect of future injury as a result of a data breach constitutes a substantial risk of actual harm.

The motion reads, “The fact that reasoned jurists have come to differing conclusions on the standing of plaintiffs from this same data breach, let alone the differences in application of the principles of standing among other jurisdictions in different data breaches, suggests that there is a reasonable probability that four members of the Supreme Court would consider the underlying issue sufficiently meritorious for a grant of certiorari.”

CareFirst explained that if the district court proceeds with the case, “It will encourage others to bring suits following other data breaches without allegations of real and immediate harm.”

Healthcare Industry Tops List for Class Action Data Breach Lawsuits

In 2016, the healthcare industry faced the most class-action data breach lawsuits, according to a new analysis of data breach class action lawsuits by the law firm, Bryan Cave, LLP, although the risk of litigation following a breach is still relatively low.

To produce the 2017 data breach litigation report, Bryan Cave conducted a comprehensive review and analysis of all class action lawsuits filed by victims of data security breaches in 2016.

The report explains that while there is always a threat of legal action by data breach victims, the risk of a company facing litigation following a data breach is fairly low because of the difficulty plaintiffs have in establishing that an injury has been caused.

Year over year, there was a slight (7%) increase in class action lawsuits filed against companies that experienced a data breach, although the proportion of breaches that resulted in lawsuits fell. The report shows only 3.3% of data breaches in 2016 resulted in class action lawsuits, compared with 4%-5% in previous years.

In total, 76 class actions were filed in 2016 as a result of data breaches. Bryan Cave points out that those lawsuits were clustered around the same high-profile breaches affecting individuals throughout the country: the 76 lawsuits named only 27 unique defendants.

The report confirms that the healthcare industry reported the most data breaches of any industry, 70% of the total, yet only 34% of class action lawsuits named healthcare organizations as defendants. Healthcare was nonetheless the leading industry for class action data breach lawsuits (26 complaints), closely followed by email providers with 33%. The figure for email service providers was heavily influenced by the disclosure of two massive data breaches by Yahoo! Restaurants were in third place with 11% of the total, followed by the retail industry with 7%. Healthcare data breach lawsuits fell slightly year over year.

Lawsuits are most commonly filed following the exposure or theft of sensitive information such as Social Security numbers, medical data, health insurance information, and security questions and answers: 89% of class action lawsuits resulted from data breaches in which these types of information were exposed or stolen. 65% of the lawsuits alleged negligence as the primary legal theory.

Data breach lawsuits are most commonly filed in the Northern District of California (32%), followed by the Middle District of Florida (11%), the District of Arizona (11%), and the Western District of Pennsylvania (7%).

The full 2017 Data Breach Litigation Report is published by Bryan Cave.

3,400 Patients of Children’s Hospital Colorado Potentially Impacted by Email Hack

Almost 3,400 patients of Children’s Hospital Colorado are being notified that some of their protected health information may have been accessed by an unauthorized individual who gained access to a staff member’s email account.

The incident was discovered by the Aurora, CO hospital on July 11, 2017, prompting a full investigation to determine the scale and scope of the breach. A third-party computer forensics firm was hired to assist with the investigation to help identify how access to the email account was gained, whether any other systems had been compromised, and to identify any actions taken by the attacker.

An analysis of data in the email account showed a limited amount of PHI was potentially compromised, including names, addresses, dates of birth, telephone numbers, medical diagnoses, treatment information and other clinical information. No financial information, insurance details, Social Security numbers or other highly sensitive data were exposed.

The investigation confirmed the breach was limited to a single email account and that the hospital’s EHR was not affected. While access to the email account was possible, the investigation uncovered no evidence that any emails were accessed or that any PHI was viewed. Children’s Hospital Colorado also said it has received no reports suggesting any information has been misused.

Children’s Hospital Colorado said, “Protecting the security and confidentiality of patient personal and medical information is of the utmost importance.” To prevent future incidents of this nature from occurring, existing safeguards have been enhanced and a review of its systems is underway to identify any additional controls that can be implemented to further protect patient health information.

Notifications were sent to all affected individuals by mail on Friday, and the incident has been reported to the appropriate authorities, including the Department of Health and Human Services’ Office for Civil Rights.

Mailing Error and PHI Breach Underscores Need for Greater Oversight

Healthcare organizations must take care not to expose protected health information in mailings. Two incidents have recently been reported in which sensitive information was disclosed because of a lack of oversight when corresponding with patients by mail.

A third-party error resulted in details of HIV medications used by Aetna plan members being improperly disclosed. Letters were sent in sealed envelopes, although prescribed HIV medications were clearly visible through the clear plastic windows of the envelopes.

Last year, EmblemHealth sent a mailing in which patients’ Social Security numbers were accidentally printed on the outside of envelopes, and the Ohio Department of Mental Health and Addiction Services sent a survey to patients on postcards rather than in sealed envelopes. In the latter case, the fact that the patient was, or had been, undergoing treatment for mental health issues was disclosed to anyone who happened to see the postcard.

A similar incident has recently affected patients of University of Wisconsin-Madison’s Department of Family Medicine and Community Health. UW-Madison took the decision to ask its patients how it could improve the quality of its services.

A request to take part in a survey was sent by mail, but rather than sending letters inside sealed envelopes, the department chose to send postcards. Printed on the postcards, in plain sight, were references to prescribed medications and family planning services: a violation of patient privacy and a breach of HIPAA Rules.

UW-Madison has mailed all individuals affected by the privacy breach alerting them to the error and informing them that workflows have been reviewed and improved to prevent further privacy breaches. Additional reviews will be performed before any correspondence is sent in the future.

All of the above mailing errors involved simple oversights, but the consequences for patients can be severe. The third-party error that exposed the HIV medications of Aetna plan members has caused serious harm to several patients. Some plan members had their HIV positive status disclosed to family members and roommates, and some have been forced to move out of embarrassment and fear.

These incidents serve as a reminder to all covered entities of the risk of privacy violations from mailings. Covered entities must implement policies and procedures under which every mailing is reviewed before dispatch so that sensitive data is not accidentally exposed.