HIPAA Breach News

Missouri Care Notifies Medicaid Recipients of Subcontractor Breach

A mailing error by a subcontractor of Missouri Care Inc. has resulted in the protected health information of 1,223 participants being impermissibly disclosed to other individuals. The MO HealthNet-managed care plan was informed of the breach by O’Neil Printing on July 20, 2017. The privacy breach has been attributed to a software programming error.

The error potentially resulted in the names, birth dates, MO HealthNet ID numbers and Missouri Care member ID numbers of Medicaid recipients being mailed to incorrect recipients. The Missouri Department of Social Services has confirmed that Social Security numbers, financial information and medical information were not involved.

O’Neil Printing identified the cause of the error and has since corrected its software to prevent further mis-mailings. The error only affected mailings on July 11 and July 13, 2017.

Missouri Care has been working closely with MO HealthNet to ensure affected individuals were notified promptly. Letters informing participants of the privacy breach were recently sent in the mail, well within the deadline of the HIPAA Breach Notification Rule.

There is no reason to suggest any of the disclosed information has been misused in any way, although out of an abundance of caution, all affected individuals have been offered complimentary credit monitoring services for 12 months, the cost of which will be absorbed by Missouri Care. Further information on measures that can be taken to reduce the risk of identity theft and fraud has also been provided to the privacy breach victims, such as monitoring Explanation of Benefits statements for any sign of fraudulent activity.

The post Missouri Care Notifies Medicaid Recipients of Subcontractor Breach appeared first on HIPAA Journal.

3,400 Patients’ PHI Potentially Compromised in City of Hope Phishing Attack

A phishing attack on City of Hope has resulted in cybercriminals gaining access to the email accounts of four employees.

The emails made it past spam filtering controls and were delivered to employees on May 31 and June 2, 2017. Four employees responded to the requests and disclosed their login credentials to the attackers. City of Hope says the emails appeared to have been sent from a trustworthy source.

The attackers used the login credentials to access the accounts, although City of Hope was unable to determine the scope or nature of access. On July 21, City of Hope confirmed that three of the accounts contained patients’ protected health information.

The protected health information in the emails included names, addresses, email addresses, contact telephone numbers, dates of birth, dates of service, diagnoses, test results, medication information, and other clinical data. No financial information, insurance details, or Social Security numbers were exposed or accessed.

Phishing attacks such as this are not always concerned with obtaining protected health information. Oftentimes, access to the email accounts is gained in order to use the accounts to send spam emails. City of Hope believes that was the intention of the phishers in this case.

However, since PHI access cannot be ruled out, patients affected by the incident have been advised to remain cautious and monitor their accounts for any sign of suspicious activity. The incident has been reported to law enforcement and a leading forensic information technology firm has been retained to assist with the investigation. The firm will also evaluate City of Hope systems and processes and will assist with strengthening existing security protections to prevent future incidents of this nature from occurring.

The breach has now been reported to the Department of Health and Human Services’ Office for Civil Rights (OCR). The breach summary indicates 3,400 patients have been impacted by the incident.

OCR Highlights the Importance of Regular Security Awareness Training for Healthcare Employees

In its July Cybersecurity Newsletter, OCR reminded covered entities of the importance of providing security awareness training to employees to help prevent attacks such as this from resulting in PHI being compromised.

Security awareness training for the workforce is a requirement of the HIPAA Security Rule and employees should receive regular training to help them identify phishing attacks and other security threats.

OCR suggested the frequency of training should be dictated by the findings of risk analyses, although it was pointed out that many healthcare organizations are conducting biannual training and are issuing monthly security bulletins to employees on the latest threats.

OCR suggests that employee security awareness training can include computer-based training, classroom sessions, monthly newsletters, security bulletins, posters, and team discussions, although the choice of training methods is left to the discretion of the covered entity.

Security awareness training should be documented, with attestations obtained from employees to prove training has been received. Documentation will be required by OCR if a covered entity is selected for an audit or as part of an investigation into a data breach.


Maryland Data Breach Notification Law Updated

Maryland data breach notification law has been updated, with the definition of personal information expanded. The current data breach notification statute in Maryland does not include health insurance information or data covered under the definition of the Health Insurance Portability and Accountability Act (HIPAA), although from January 1, 2018 that will change.

Maryland data breach notification law – specifically the Maryland Personal Information Protection Act – requires breach notification letters to be sent to all Maryland residents affected by a breach of personal information. Those notifications must be issued as soon as it is practicable to do so, but no later than 45 days after the discovery of a data breach that has resulted in personal information being misused or if it is likely that data could be misused.

The current definition of personal information includes a Maryland resident’s first and last name or initial and last name along with either a driver’s license number, Social Security number, financial account number, credit or debit card number (with a security code, expiry date or password that would allow the card to be used) or taxpayer identification number.

The new definition of personal information also includes passport numbers, other federal government-issued ID numbers, state identification card numbers, any information covered by HIPAA laws, biometric data, an email address in combination with a password or security question that permits access to the account, and health insurance policy information, certificate numbers, or subscriber ID numbers in combination with an identifier that allows the information to be used.

Businesses must implement and maintain reasonable security procedures and practices to protect the confidentiality of personal information. If personal information is disclosed to a third party, the business must state in its contracts with those third parties that reasonable security procedures and practices must be implemented and maintained.

However, “reasonable security procedures and practices” have not been defined in the new statute.


4,271 UC Health Patients Notified of Insider Data Breach

Cincinnati’s UC Health has discovered a former employee of its Daniel Drake Center for Post-Acute Care had been accessing the medical records of its patients without authorization for almost two years.

The first recorded instance of inappropriate access occurred on July 29, 2015, with periodic access continuing until June 2, 2017. During that time, the medical records of 4,271 patients had been accessed without authorization or any legitimate work reason for doing so.

The types of information accessed by the individual included patients’ names, medical record numbers, birth dates, lab test results, diagnoses, treatment information and other clinical data. However, financial information and Social Security numbers were stored separately and were not accessed.

Due to the range of data that was accessed, patients have been offered credit monitoring and identity theft protection services through Experian for a period of one year without charge. Patients affected by the privacy breach were notified by mail on August 1.

UC Health reports that the employee was terminated as soon as it was confirmed that medical records had been inappropriately viewed. Action has also been taken to prevent future insider breaches from occurring, including the implementation of additional access controls and the provision of further training to staff members on hospital policies covering medical record access and patient confidentiality.

UC Health will also now be monitoring employee ePHI access more proactively to ensure any future privacy breaches are identified quickly.

As the Protenus Mid-Year Breach Barometer report shows, insiders cause more healthcare data breaches than cyberattacks by hackers. In the first six months of 2017, 41% of healthcare breaches were caused by insiders, resulting in the privacy of 1.17 million patients being violated.

Detecting insider breaches promptly can greatly reduce the number of patients whose privacy is violated and the harm caused to those individuals.

Software solutions capable of detecting improper access can be expensive to implement, although they are an effective deterrent that can prevent many breaches. Detecting privacy violations promptly also reduces the cost of breach mitigation.

Healthcare organizations are required by HIPAA to regularly monitor ePHI access logs for improper access. While HIPAA does not state how often checks should be completed, healthcare organizations should consider conducting a biannual review to check for inappropriate access and should not wait for a privacy incident to occur before updating their policies.


Northwest Rheumatology Discovers PHI Potentially Accessed During Ransomware Attack

Northwest Rheumatology of Tucson, Arizona has announced that some of its computer systems were taken out of action following a ransomware infection on April 10, 2017.

Following any ransomware attack, HIPAA-covered entities must conduct an investigation to determine the extent of the attack and whether patients’ protected health information has been compromised. If a covered entity can determine with a high degree of certainty that protected health information has not been accessed, viewed or stolen (or, in the case of ransomware, that ePHI was not encrypted), patients do not need to be notified and a report does not need to be sent to the Office for Civil Rights.

When the attack was discovered, Northwest Rheumatology called on its computer security vendor to complete a full investigation into the attack to determine the extent to which data had been encrypted and if any PHI had been compromised.

Northwest Rheumatology was informed by its vendor that the ransomware attack was limited and no protected health information had been encrypted, accessed or copied. Consequently, patient notifications and an OCR breach report were not issued.

However, on June 18, 2017, the healthcare provider uncovered evidence to suggest its systems had been compromised. Northwest Rheumatology hired an independent computer forensics firm to conduct an investigation and the firm confirmed on July 6 that system access had been gained, and potentially, ePHI could have been accessed.

Northwest Rheumatology reports no evidence was uncovered to suggest unauthorized individuals gained access to ePHI or that ePHI was stolen, but the possibility could not be ruled out.

Patients whose protected health information was exposed have now been notified of the security incident by mail and have been offered credit monitoring and identity theft restoration services for 12 months without charge.

The incident has now been reported to the Office for Civil Rights, although it has yet to appear on the OCR breach portal, so it is currently unclear how many patients have been impacted.

This is one of three recent incidents involving ransomware that were initially thought to have resulted only in file encryption, only for it to be discovered later that system access had also been gained. An investigation into a ransomware attack on Women’s Health Care Group of Pennsylvania revealed access to its systems had been gained four months previously. An investigation into a ransomware attack on Peachtree Neurological Clinic revealed its systems had been compromised for 15 months.


Phishing Email Response Compromises PHI of 2,800 Patients

A response to a phishing email has resulted in the PHI of 2,789 Kaleida Health patients being made accessible to cybercriminals.

Kaleida Health discovered the attack on May 24, 2017, prompting a full investigation which involved hiring a third-party computer forensic firm. An analysis of its systems showed that by responding to the phishing email, the employee had provided access to his/her email account.

While access to Kaleida Health’s EHR was not gained, the email account contained a range of protected health information of a small subset of its patients. The types of data in the account varied for each patient, but may have included names, dates of birth, medical record numbers, diagnoses, treatment and other clinical data. However, no financial information or Social Security numbers were exposed at any time.

While access to the email account was possible, no evidence was uncovered to suggest that the emails were accessed or any protected health information was viewed or copied. However, since the possibility of data access could not be ruled out with a high degree of certainty, all affected patients have been notified of the incident by mail.

Phishing has grown to be one of the most serious threats to healthcare organizations. As we have already seen this year, record numbers of successful W-2 phishing attacks have been reported and many healthcare employees have fallen for these phishing scams.

Providing security awareness training to employees can help to reduce risk, although a single training session every year is no longer sufficient. Training must be an ongoing process. As OCR suggested in its July Cybersecurity Newsletter, biannual training sessions should be provided along with monthly security bulletins that highlight the latest security threats.

Classroom-based training may not be the most effective way of raising awareness and developing a security culture in an organization. If computer-based training is provided and employees’ knowledge is tested with phishing simulation exercises, any phishing failures can be turned into training opportunities. These simulations also help to improve knowledge retention.

There are many solution providers that offer training programs and phishing simulation software, including PhishMe, KnowBe4, Wombat Security, PhishLabs, Agari, IronScales and PhishLine.

It may not be possible to reduce risk to zero, but several of those providers have been able to demonstrate that phishing simulation exercises along with employee awareness training can reduce susceptibility to phishing attacks by up to 95%.


Protenus Provides Insight into 2017 Healthcare Data Breach Trends

Protenus, in conjunction with Databreaches.net, has produced its Breach Barometer mid-year review. The report covers all healthcare data breaches reported over the past 6 months and provides valuable insights into 2017 data breach trends.

The Breach Barometer is a comprehensive review of healthcare data breaches, covering not only the data breaches reported through the Department of Health and Human Services’ Office for Civil Rights’ breach reporting tool, but also media reports of incidents and public findings. Prior to inclusion in the report, all breaches are independently confirmed by databreaches.net. The Breach Barometer reports delve into the main causes of data breaches reported by healthcare providers, health plans and their business associates.

In a webinar on Wednesday, Protenus Co-Founder and president Robert Lord and Dissent of databreaches.net discussed the findings of the mid-year review.

Lord explained that between January and June 2017 there have been 233 reported data breaches. Those breaches have impacted 3,159,236 patients. The largest reported breach in the first half of the year resulted in the theft of 697,800 records and was caused by a rogue insider – one of 96 incidents involving insiders.

Out of those 96 incidents, 57 were due to insider error (423,000 records) and 36 incidents were due to insider wrongdoing (743,665 records). The remaining three breaches could not be classified.

The true number of insider incidents is likely to be far higher than the figures in the Breach Barometer report. Dissent explained that many incidents are not being disclosed publicly or reported to HHS; misconfigured MongoDB databases are one of the best examples. Dissent explained that many organizations have not reported that protected health information has been exposed online, even though security researchers have discovered that the data could be accessed, without authentication, via the Internet. When these incidents are reported, they are often reported to HHS as hacking incidents, even though the root cause is human error.

The first six months of the year saw 75 hacking incidents and 29 ransomware incidents reported. As was explained, ransomware incidents are similarly underreported, even though OCR has made it clear that ransomware attacks are reportable breaches. The true figure is likely to be far worse.

The breakdown for the year so far was 41% of incidents caused by insiders, 32% due to hacking, 18% due to loss/theft of records and devices, and 9% with a cause that is still unknown.

Hacking may be the second biggest cause of breaches, but hacking has resulted in the exposure/theft of the most records. 1,684,904 records were exposed/stolen as a result of hacking, 1,166,674 records were exposed/stolen by insiders, 112,302 records exposed due to theft/loss and 178,420 records exposed in incidents with unknown causes.

To put the figures into perspective, between January and December 2016 there were 450 incidents reported. Data breaches have been occurring at a similar rate to last year. While the number of reported incidents has remained fairly constant, there has been an increase in the severity of those breaches with this year likely to see far more individuals impacted by breaches than last year.

Last year, approximately 2 million patients were affected by insider incidents. This year, 1.17 million individuals have already been impacted by insider incidents. Hacking incidents are also up. Last year there were 120 confirmed hacking incidents for the entire year. This year there have already been 75 reported incidents.

In June, 52 healthcare data breaches were reported, the highest total for any month of the year to date by some distance. The second biggest monthly breach total was 39 incidents. June also saw the third highest number of individuals impacted by the breaches, with 729,930 records confirmed as exposed or stolen.

Robert Lord explained that the time from the initial breach date to discovery is particularly bad in the healthcare industry. The mean time to discover a breach was 325.6 days, with a median of 53 days. Healthcare organizations are not discovering breaches quickly enough. Fast detection can greatly reduce the harm caused to patients, and as the Ponemon Institute has shown, also the cost of mitigation.

There is some good news however. The time taken to report breaches to OCR has improved over the past 6 months. The mean time to report breaches is 54.5 days and the median 57 days. HIPAA allows 60 days to report data breaches and notify affected individuals. In June, both the mean and the median were under the maximum time frame allowed by the HIPAA Breach Notification Rule.

So, what does the rest of 2017 have in store? Dissent explained that 2017 has been a “no good, horrible, very bad year.” Unfortunately, there is no indication that the rest of the year will be any better. The next six months are likely to be just as bad, and 2017 may surpass last year for both the number of breaches and the number of patients impacted by those incidents.

While other industry sectors have hacking/malware as the main breach cause, insider incidents are the biggest problem for the healthcare industry. Healthcare organizations need to take steps to prevent these breaches. As Robert Lord explained, technologies can be deployed to help prevent insider incidents and detect them promptly when they occur.

One of the most important take-home messages from the report is that people’s lives are seriously affected by healthcare data breaches. More must be done to prevent breaches and ensure they are detected promptly. Fast detection and notification allows patients and health plan members to take action to reduce the harm caused.


Beazley Insights: 133% Increase in Healthcare Ransomware Demands

Beazley has released its half-yearly Insights report detailing the causes of data breaches experienced by its clients between January and June 2017.

Across the four industries covered by the report, hacks and malware (including ransomware) caused the highest percentage of breaches: 32% of the 1,330 incidents that the firm helped mitigate in the first half of 2017.

In the professional services industry, hacks/malware incidents accounted for 44% of the 1H total; in higher education it was 43% and in financial services 37%. Only healthcare bucked the trend, with hacks/malware accounting for 18% of the total, the second biggest cause of incidents affecting the industry.

The report shows that the first six months of the year saw a 50% increase in ransomware attacks across all industries, with the healthcare sector experiencing the highest increase in ransomware demands, jumping 133% in those six months.

While malware/ransomware attacks may top the list of breach causes, they are closely followed by accidental breaches caused by employees or third-party suppliers, which accounted for 30% of the total. However, for the healthcare industry, accidental data breaches were the leading cause of data security incidents, accounting for 42% of all healthcare industry breaches.

These accidental disclosures of PHI include a wide range of errors such as misdirected faxes and emails and the improper release of discharge papers. Beazley reports that the percentage of these incidents has not changed year over year.

The report authors point out that “This continuing high level of accidental data breaches suggests that organizations are still failing to put in place the robust measures needed to safeguard client data and confidentiality.”

The second biggest cause of healthcare data breaches was malware/ransomware incidents, one percentage point higher than in last year’s report. Insider theft was in third place, causing 14% of incidents, followed by the physical loss of records (8%) and portable device incidents (6%). Social engineering attacks accounted for 3% of the total, with payment fraud on 1%. The remaining 8% of incidents were attributed to unknown/other causes.



CareFirst Can Be Sued for Breach, Rules Court of Appeals

The D.C. Circuit Court of Appeals has ruled that CareFirst can be sued for a 2014 data breach that saw the PHI of more than 1 million members exposed and potentially stolen.

Following the announcement of the data breach, a lawsuit was filed by seven plaintiffs to recover damages, although in August last year the case was dismissed by a district court judge for lack of standing.

The plaintiffs alleged that the breach had occurred as a result of the carelessness of CareFirst, and as a direct result of that carelessness, they faced an increased risk of suffering identity theft and fraud.

The district court judge dismissed the case as the plaintiffs failed to establish harm, or a significant threat of future harm. The judge explained that “merely having one’s personal information stolen in a data breach is insufficient to establish standing to sue the entity from whom the information was taken.”

However, the three-judge panel overturned the previous ruling, finding the district court’s interpretation of the law ‘unduly narrow’ and explaining that all the plaintiffs were required to establish at that stage was that their allegations were plausible and that there was potential for future harm as a result of the breach.

The district court ruling was based on the fact that the plaintiffs had failed to establish how it would be possible for their identities to be stolen by the hackers if their Social Security numbers and/or credit card numbers were not stolen in the attack. CareFirst maintained that Social Security numbers and financial information were not compromised and were stored in a part of the network that was not compromised.

Court of Appeals Judge Thomas Griffith explained that the conclusion drawn by the district court “rested on an incorrect premise: that the complaint did not allege the theft of Social Security or credit card numbers in the data breach.” However, while that was the opinion of CareFirst, it was not the opinion of the plaintiffs, who did include Social Security numbers and financial information in their description of the information that was stolen in the CareFirst cyberattack. That does not mean that those data elements were stolen, only that the plaintiffs alleged that Social Security numbers and financial data had been compromised.

The plaintiffs also alleged separately that the types of information which CareFirst said were compromised – email addresses, names, birth dates and CareFirst account numbers – may not be of use to an identity thief on their own, but did create “a material risk of identity theft.” The appeals court believed the claim was plausible and that the theft of such information could open the door to medical identity theft.

While medical identity theft would result in financial harm for the insurer, fraudulent claims against insurance policies could potentially cause harm to the plaintiffs. The fraudulent claims would go on their accounts and this could be held against the plaintiffs, disqualifying them from certain types of employment or preventing them from taking out life insurance. Social Security numbers would not be required for harm to be caused were that to be the case.

That is not the only lawsuit to be filed against CareFirst for the 2014 breach. In July last year, a case filed by two plaintiffs was similarly dismissed for lack of standing by a Maryland Court. The case was dismissed as the plaintiffs failed to demonstrate harm had been suffered. While it is possible to allege an injury based on future harm, the threatened injury must be impending to constitute an injury in fact. However, the judge ruled that “the injury is too speculative to be certainly impending.” While the decision was appealed, the case was voluntarily dropped by the plaintiffs.
