HIPAA Breach News

Nuance Communications Decides Not to Report NotPetya Attack to OCR

As the Department of Health and Human Services’ Office for Civil Rights has previously explained in its ransomware guidance, if ePHI is encrypted, ransomware attacks are usually HIPAA breaches and are reportable incidents.

OCR states in its ransomware guidance that “Whether or not the presence of ransomware would be a breach under the HIPAA Rules is a fact-specific determination,” going on to explain that the definition of a breach in HIPAA is “the acquisition, access, use, or disclosure of PHI in a manner not permitted under the [HIPAA Privacy Rule] which compromises the security or privacy of the PHI.”

Under that definition, a ransomware attack is presumed to be a HIPAA breach because the attackers have “acquired” the PHI, in the sense that unauthorized individuals have taken control of the data.

The only time that a breach report – and notifications to patients – would not be required is when the covered entity can demonstrate “a low probability that the PHI has been compromised.” OCR says that determination must follow a risk assessment that considers the nature and extent of the PHI involved, the unauthorized person who used the PHI or to whom it was disclosed, whether the PHI was actually viewed or acquired, and the extent to which the risk has been mitigated.

However, what about the recent NotPetya attacks? Many organizations were hit, including some healthcare organizations in the United States that are HIPAA covered entities or business associates. One of those organizations is Nuance Communications, a business associate of many healthcare providers.

Nuance Communications has previously announced that it was attacked with NotPetya, and severely so. More than three weeks after the attack, only 75% of its clients had regained access to its systems, and the disruption to its business services has been considerable.

Since Nuance Communications holds PHI, the incident would appear to require a breach report to be submitted to OCR and for affected individuals to be notified. However, the company has decided not to report the incident or to send notification letters.

Interestingly, rather than simply not sending notices, Nuance Communications has published a notice that states it will not be sending notifications. In that notice, Nuance Communications explains the rationale behind the decision.

A ransomware incident will usually be a HIPAA breach, but Nuance Communications argues that NotPetya was not, in effect, ransomware. In the letter, Nuance said the malware “was not designed to give its perpetrators any capability to control data on affected systems. To date, we have seen no indication that the malware functioned differently in practice on affected Nuance systems.”

Nuance also pointed out that the malware had not been developed to provide access to data on affected systems, nor to copy any information or target the types of PHI that Nuance holds. That argument rests on what the malware was built to do; NotPetya did harvest credentials from memory in order to spread across networks, so the forensic question for any affected entity is whether that activity, or any follow-on activity using those credentials, touched systems holding PHI.

Nuance said, “Accordingly, based on facts presently known, while Nuance has determined that the incident constitutes a security incident for purposes of the HIPAA Security Rule, Nuance also has determined the incident does not constitute a breach of unsecured PHI for purposes of the Breach Notification Rule.”

Nuance explained that the notice and explanation were provided as a courtesy and to explain to its healthcare customers that a security incident had occurred, fulfilling its obligations under the business associate agreements the firm had signed. However, OCR will not be notified and individuals will not receive breach notification letters in the mail.

The post Nuance Communications Decides Not to Report NotPetya Attack to OCR appeared first on HIPAA Journal.

47% of Healthcare Organizations Have Experienced A HIPAA Data Breach in the Past 2 Years

The KPMG 2017 Cyber Healthcare & Life Sciences Survey shows there has been a 10 percentage point increase in reported HIPAA data breaches in the past two years.

The survey was conducted on 100 C-suite information security executives, including CIOs, CSOs, CISOs and CTOs, from healthcare providers and health plans generating more than $500 million in annual revenue.

47% of healthcare organizations have reported a HIPAA data breach in the past two years, whereas in 2015, when the survey was last conducted, 37% of healthcare organizations said they had experienced a security-related HIPAA breach in the past two years.

Preparedness for data breaches has improved over the past two years. When asked whether they were ready to deal with a HIPAA data breach, only 16% of organizations said they were completely ready in 2015. This year, 35% of healthcare providers and health plans said they were completely ready to deal with a breach if one occurred.

Ransomware has become a major threat since the survey was last conducted. 32% of all respondents said they had experienced a security breach in the past two years that involved ransomware. 41% of those respondents said they paid the ransom to unlock their data.

70% of organizations that experienced at least one security breach in the past 2 years said a malicious actor hacked their system as a result of an unaddressed vulnerability, 54% of respondents said they had experienced a single-system based malware incident and 36% said employees had responded to phishing emails resulting in a system compromise. 26% said they had experienced a breach of a third-party device or service, while 20% said they had experienced a breach as a result of an insider.

The probability of organizations experiencing a security breach has increased considerably in the past two years, yet fewer organizations now regard cybersecurity as a board-level matter. In 2015, 87% of organizations said cybersecurity was a board issue. This year, only 79% of respondents said they considered cybersecurity a board or C-level issue.

KPMG Healthcare Advisory Leader Dion Sheidy said, “There needs to be a higher degree of vigilance among boards and executive suites as attacks become much more sophisticated, especially as doctors need to share information to improve quality and as connected medical devices and wearables proliferate.”

Investment in cybersecurity protections has also decreased. In 2015, 88% of organizations said they had invested in information protection measures in the past 12 months. This year, only 66% said they had made such an investment.

When it comes to investment, organizations appear to be favoring technology rather than staff. Only 15% believe increases in staff numbers and higher quality staff are important for improving their security posture.

Only 41% of respondents said they were planning to invest in hiring or training staff, while 76% said they were planning to invest more in technology. Budgets for training staff were low, with a quarter of respondents saying they were investing less than $1,000 per cybersecurity team member. 83% said improvements would be made to policies, data access controls and processes.

KPMG Cyber Security Group in Healthcare & Life Sciences Leader Michael Ebert said, “A solid cyber security program needs people, processes and technology and short-changing staff and the process structure needed to adequately govern, manage and monitor the technology is a faulty approach,” explaining that “Software can only protect you so far and staff is important when it comes time to respond to a data breach.”

When asked what they thought the main targeted asset was, only 30% believed it was patient data. Financial information was seen as the data most likely to be targeted (69%), followed by patient/clinical research (63%), competitive market analysis (49%) and the PII of employees (45%).

The biggest threats were seen to be state-sponsored actors (53%), individual hackers (49%) and hacktivists (47%).


10,000 Plastic Surgery Patients Informed of Ransomware-Related PHI Breach

10,200 patients of Plastic Surgery Associates of South Dakota are being notified that some of their protected health information was potentially compromised as a result of a ransomware attack in February this year.

Plastic Surgery Associates of South Dakota discovered ransomware had been installed on some of its systems on February 12, 2017. Rapid action was taken to remove the ransomware and third-party forensics experts were brought in to investigate and determine the extent of the breach and which, if any, patients had been impacted.

While data on the affected systems were encrypted, the majority of its patients were not impacted by the incident and none of their data were accessed or encrypted. However, critical files were lost during the process of restoring data.

Those files contained evidence that could have been used to confirm that some patients had not been impacted by the incident. On April 24, Plastic Surgery Associates of South Dakota decided that, without that evidence, it could not rule out PHI access for 10,200 of its patients with a high degree of certainty. Consequently, all of those individuals have now been notified that their PHI has potentially been compromised.

The system that the ransomware was installed on contained names, Social Security numbers, driver’s license numbers, state ID numbers, credit and debit card information, lab test results, medical diagnoses, birth dates, health insurance information and details of medical conditions.

While evidence was destroyed during data recovery, Plastic Surgery Associates of South Dakota has confirmed that no reports of misuse or attempted misuse of patients’ PHI have been received. Out of an abundance of caution, affected individuals have been offered complimentary membership of Equifax Credit Watch Silver credit monitoring and identity theft protection services for 12 months.

Plastic Surgery Associates of South Dakota has said it already employs stringent security controls to protect the privacy of patients and the confidentiality of their PHI, and that “the confidentiality, privacy, and security of our patient information is one of our highest priorities.” The incident has prompted the company to enhance security and additional security measures will be employed to prevent future incidents of this nature from occurring.


Anthem Business Associate Data Breach Impacts 18,500 Plan Holders

Anthem Inc., has only recently settled the lawsuit arising from its 2015 data breach that affected 78.8 million plan holders. Now, thousands of its members are being notified that their protected health information has been exposed in another incident.

This time it was not a cyberattack, but a data breach involving an employee of one of its business associates, Indiana-based LaunchPoint Ventures LLC. LaunchPoint is contracted to provide coordination services, for which it requires access to plan members’ protected health information.

On April 12, 2017, LaunchPoint became aware that one of its employees was alleged to have been involved in identity theft related activities, prompting the firm to launch an investigation into the possibility of data theft. The business associate hired the services of a third-party forensic firm to assist with the investigation.

On May 28, 2017, LaunchPoint learned that other ‘non-Anthem’ data may also have been compromised. On June 12, 2017, it was confirmed that the PHI of 18,580 Anthem health plan members had been accessed. The information had also been emailed to the employee’s personal email account in July 2016. Anthem was notified of the incident on June 14, 2017.

LaunchPoint has confirmed that the information stolen by the employee includes Medicare ID numbers, Social Security numbers, Medicare contract numbers, health plan ID numbers and dates of enrollment, with ‘a very limited number’ of last names and birth dates also included in the emailed data set.

The employee has been terminated for breaching company policies and LaunchPoint is working closely with law enforcement and assisting with a criminal investigation. Anthem reports that the employee is now behind bars for crimes unrelated to the theft of plan member data. LaunchPoint is assessing its policies and protocols and will be implementing additional safeguards to prevent future security breaches.

Anthem has reported the data breach to the Department of Health and Human Services’ Office for Civil Rights and has issued media notices. The breach impacts individuals in all states where it does business.

LaunchPoint will be sending breach notification letters to all individuals impacted by the incident. Those individuals will be offered credit monitoring and identity theft restoration services without charge for a period of two years.


Phishing Scam Fools University of Vermont Medical Center Employees into Revealing Login Credentials

A phishing campaign targeting University of Vermont Medical Center (UVMC) has resulted in criminals gaining access to UVMC email accounts. The phishing emails, which appeared to have been sent from within the organization, went to many UVMC employees in late May. Fortunately, only two employees responded, but doing so allowed the attackers to temporarily gain access to their email accounts.

The accounts were compromised on May 22, and on May 24 UVMC detected spam emails being sent from the accounts and shut them down to minimize the damage caused.

The electronic medical record system was not compromised, although the email accounts did contain protected health information (PHI) such as names, medical record numbers, addresses, details of medications, medical diagnoses and treatment information. No Social Security numbers, insurance information or financial data were compromised.

It is possible that the purpose of the attack was not to gain access to PHI, only to use the email accounts to send spam emails. The spam emails included links to external websites. UVM Health Network’s Head of Internet Security, Heather Roszkowski, suggests the attack may have been conducted to boost traffic to those websites to increase advertising income.
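The kind of outbound-spam detection that caught the compromised accounts within two days can be approximated as a sliding-window rate check over mail server logs. The Python below is an added example, not UVMC's tooling or anything from the original post; the log line format, the `hospital.example` domain and the sample traffic are all constructed for the example.

```python
"""Spot an employee mailbox being used for spam after a credential phish.

Sliding-window check over outbound mail logs: a sender that pushes at least
`limit` messages to external recipients inside `window` seconds, almost all
of them to distinct addresses, is flagged so the account can be disabled and
its password reset. Log format, domain names and sample traffic are
constructed for this example; they are not UVMC data.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

INTERNAL_DOMAIN = "hospital.example"   # assumption: the organization's own domain
LINE_RE = re.compile(r"^(?P<ts>\S+) from=(?P<sender>\S+) to=(?P<rcpt>\S+)$")


def make_sample_log():
    """Constructed traffic: one normal user and one compromised account."""
    t0 = datetime(2017, 5, 24, 2, 0, 0)
    lines = []
    # normal user: a handful of external mails spread over two hours
    for i in range(5):
        ts = t0 + timedelta(minutes=25 * i)
        lines.append(f"{ts:%Y-%m-%dT%H:%M:%SZ} from=nurse1@{INTERNAL_DOMAIN} "
                     f"to=colleague{i}@partner.example")
    # compromised account: 30 spam messages to distinct outside addresses in 6 minutes
    for i in range(30):
        ts = t0 + timedelta(seconds=12 * i)
        lines.append(f"{ts:%Y-%m-%dT%H:%M:%SZ} from=clerk9@{INTERNAL_DOMAIN} "
                     f"to=victim{i}@mail{i % 7}.example")
    # internal mail from the same account is not counted, however much there is
    for i in range(40):
        ts = t0 + timedelta(seconds=5 * i)
        lines.append(f"{ts:%Y-%m-%dT%H:%M:%SZ} from=clerk9@{INTERNAL_DOMAIN} "
                     f"to=ward@{INTERNAL_DOMAIN}")
    return "\n".join(lines)


def parse(text):
    """Parse log lines into (timestamp, sender, recipient), sorted by time."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                      # tolerate malformed lines
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["sender"], m["rcpt"]))
    events.sort()                         # logs are rarely in perfect time order
    return events


def flag_spam_senders(events, window=600, limit=20, distinct_ratio=0.8):
    """Return {sender: time the burst was first detected}."""
    recent = defaultdict(deque)           # sender -> (ts, rcpt) inside the window
    flagged = {}
    for ts, sender, rcpt in events:
        if rcpt.rsplit("@", 1)[-1].lower() == INTERNAL_DOMAIN:
            continue                      # only mail leaving the organization counts
        q = recent[sender]
        q.append((ts, rcpt))
        while q and (ts - q[0][0]).total_seconds() > window:
            q.popleft()
        if len(q) >= limit and sender not in flagged:
            distinct = len({r for _, r in q})
            if distinct / len(q) >= distinct_ratio:   # spam fans out; a mail merge to one list does too,
                flagged[sender] = ts                   # so treat a hit as a lead, not proof
    return flagged


if __name__ == "__main__":
    for sender, when in flag_spam_senders(parse(make_sample_log())).items():
        print(f"disable and reset: {sender} (burst detected {when:%H:%M:%S}Z)")
```

The distinct-recipient ratio is there to separate spam fan-out from a legitimate user re-sending to the same small group. Legitimate bulk mail, such as a department newsletter, will still trip the rule, so the output is a lead for the help desk to confirm with the account owner, and a forced password reset plus session revocation, not silent deletion of the account.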

No reports have been received to suggest any information was accessed and misused in any way. However, all affected individuals should exercise caution and monitor their accounts and Explanation of Benefits statements for any sign of fraudulent activity.

All patients impacted by the attack have now been notified of the incident by mail and a substitute breach notice has been uploaded to the UVMC website. That notice indicates approximately 2,300 patients were impacted.

UVMC says that it already has robust security measures in place to prevent attacks such as this, although it will be reviewing those measures to determine whether improvements can be made. UVMC will also be reinforcing training to reduce the probability of employees falling for this type of phishing scam again.


4-Month Data Breach Discovered During Ransomware Investigation: 300,000 Patients Impacted

Women’s Health Care Group of Pennsylvania, one of the largest healthcare networks in the state, has alerted approximately 300,000 patients that some of their sensitive protected health information has been compromised.

The types of data exposed – and potentially stolen – include names, addresses, dates of birth, lab test orders, lab test results, blood types, race, gender, pregnancy status, medical record numbers, employer information, insurance details, medical diagnoses, physicians’ names and Social Security numbers.

Identity theft protection services are being offered to all affected patients. Those individuals would do well to activate those services promptly, as hackers gained access to a server and workstation containing the above information in January this year, with access to systems possible until at least May.

In May, ransomware was installed on the server and workstation, preventing the organization from accessing patient data. While ransomware is often delivered by a phishing email or through a software vulnerability, in this case it appears to have been deployed by individuals who already had access to the systems. That pattern is not unusual: when hackers gain access to a healthcare network, it is increasingly common for ransomware to be deployed once access is no longer required, for instance after all useful data have been exfiltrated.

Women’s Health Care Group of Pennsylvania rapidly isolated the affected devices to prevent the spread of the infection and external cybersecurity experts were called in to conduct a forensic investigation to determine the nature and scope of the security breach. The Federal Bureau of Investigation was also notified.

While a ransom demand had been issued by the attackers, no money was paid as all data could be recovered from a backup. Women’s Health Care Group of Pennsylvania says no protected health information was lost.

The investigation revealed that hackers had first gained access to its systems in January 2017 after taking advantage of a security vulnerability, with the same vulnerability believed to have been used to install ransomware. While Women’s Health Care Group of Pennsylvania did not find any evidence to suggest information on the server or workstation had been viewed or stolen, data access and theft could not be ruled out.

This is the second such incident to be reported in the past few weeks. Earlier this month, Peachtree Neurological Clinic of Atlanta, GA announced that an investigation into a ransomware attack revealed its systems had been compromised 15 months previously.


Protected Health Information Stolen in Vision Care Specialists Burglary

The price of medical information on the black market may be high, but it is relatively rare for paper records to be stolen during break-ins. However, a burglary at Vision Care Specialists’ administrative offices in Denver, CO saw paperwork containing the PHI of patients taken by thieves.

The burglary was discovered on May 22, 2017 and law enforcement was called in to investigate. An inventory was conducted to determine what items were taken by the thieves and third party forensic investigators were called in to ascertain whether its systems had been accessed. That investigation did not uncover any evidence to suggest electronic medical information had been accessed, although on July 5, Vision Care Specialists discovered that paperwork containing the protected health information of some of its patients had been removed from its offices.

The documents contained a range of sensitive information including names, dates of birth, Social Security numbers, medical information, health conditions/diagnoses, financial information and health insurance details. While no reports have been received to suggest any of the information has been used inappropriately, it must be assumed that the information was taken for nefarious purposes.

Vision Care Specialists has now contacted all individuals whose information was obtained by the thieves and all affected patients have been offered complimentary credit monitoring services for 12 months.

Patients affected by the incident have been advised to exercise caution and to monitor their accounts, credit reports and Explanation of Benefits statements and to be alert for identity theft and fraud.

Vision Care Specialists has responded to the incident by enhancing security at its office to prevent any further incidents of this nature from occurring.


Hospital Employee Discovered to Have Accessed Medical Records Without Authorization for 14 Years

Cases of employees snooping on medical records are relatively common, although an incident at Tewksbury Hospital in Massachusetts stands out due to the length of time that an employee was accessing medical records without authorization before being caught.

The hospital was tipped off about the employee in April after a former patient made a complaint about their medical record being accessed inappropriately. In response to the complaint, the hospital conducted a full review which revealed the former patient’s medical records had been accessed by an employee without any legitimate reason for doing so.

Further investigation revealed it was far from a one-off. The employee had been accessing the records of patients without authorization for a period of 14 years. The first instance dated back to 2003 and the inappropriate access continued until May 2017. During that time, the employee accessed the records of more than 1,000 patients.

Tewksbury Hospital, which is run by the Department of Public Health, has now written to all patients whose medical records were inappropriately accessed, although many of those individuals are now former patients and the hospital no longer holds valid contact information. In an attempt to contact those individuals, a substitute data breach notice has been placed on the Mass.gov website.

The employee was a clerk at the hospital and was required to have access to medical records in order to complete work duties. Those access rights were abused and as a result, the employee was terminated and no longer has access to the EMR system.

The types of information that were potentially accessed includes names, phone numbers, addresses, gender, dates of birth, medical diagnoses, details of medical treatment provided at the hospital and in some cases, Social Security numbers.

Tewksbury Hospital says steps have now been taken to reduce the probability of similar incidents occurring in the future and to make sure that if records are accessed inappropriately, incidents are detected promptly. Those steps included a review of policies and procedures regarding access to its EMR system and a reassessment of how medical record access logs are reviewed. Staff will also be provided with additional training on the privacy and security of protected health information.
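How such a log review can be automated, as an added example that is not part of the HIPAA Journal article or the hospital's own process: the Python below runs two checks over constructed EMR audit log lines, a work-relationship check against a table of patients each user has a documented reason to open, and a per-role volume outlier check that uses a median/MAD baseline so a long-running snooper does not pull the baseline up with them. The log format, user names, MRNs and assignment table are all assumptions for the example.

```python
"""Flag suspicious EMR record access from audit logs.

Two heuristics a privacy office can run over audit trails:
  1. access to a patient the user has no documented work relationship with
     (no encounter or work-queue assignment for that patient);
  2. a user whose count of distinct patients viewed per day is far above the
     baseline for their role.
The log format and the assignment table are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime
import re
import statistics

LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) "
    r"mrn=(?P<mrn>\d+) action=(?P<action>\S+)$"
)

# Constructed audit lines: clerk07 views far more distinct patients than peers,
# most of them with no assignment that would justify the access.
SAMPLE_LOG = """\
2017-05-01T08:01:10Z user=clerk01 role=clerk mrn=1001 action=view
2017-05-01T08:05:42Z user=clerk01 role=clerk mrn=1002 action=view
2017-05-01T08:30:00Z user=clerk02 role=clerk mrn=1003 action=view
2017-05-01T08:31:00Z user=clerk02 role=clerk mrn=1004 action=view
2017-05-01T08:32:00Z user=clerk02 role=clerk mrn=1005 action=view
2017-05-01T09:00:00Z user=clerk07 role=clerk mrn=1006 action=view
2017-05-01T09:00:30Z user=clerk07 role=clerk mrn=2001 action=view
2017-05-01T09:01:00Z user=clerk07 role=clerk mrn=2002 action=view
2017-05-01T09:01:30Z user=clerk07 role=clerk mrn=2003 action=view
2017-05-01T09:02:00Z user=clerk07 role=clerk mrn=2004 action=view
2017-05-01T09:02:30Z user=clerk07 role=clerk mrn=2005 action=view
2017-05-01T09:03:00Z user=clerk07 role=clerk mrn=2006 action=view
2017-05-01T09:03:30Z user=clerk07 role=clerk mrn=2007 action=view
2017-05-01T09:04:00Z user=clerk07 role=clerk mrn=2008 action=view
2017-05-01T09:04:30Z user=clerk07 role=clerk mrn=2009 action=view
"""

# Constructed work assignments: (user, mrn) pairs with an open encounter or
# registration task that justifies opening the record.
ASSIGNMENTS = {
    ("clerk01", "1001"), ("clerk01", "1002"),
    ("clerk02", "1003"), ("clerk02", "1004"), ("clerk02", "1005"),
    ("clerk07", "1006"),
}


def parse_log(text):
    """Parse audit lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(d)
    return events


def accesses_without_relationship(events, assignments):
    """(user, mrn) pairs viewed with no documented work relationship."""
    return sorted({(e["user"], e["mrn"]) for e in events
                   if (e["user"], e["mrn"]) not in assignments})


def volume_outliers(events, z=3.0):
    """Users whose distinct patients per day exceed the role median by more
    than z median absolute deviations. Returns (user, date, count) tuples."""
    per_user_day = defaultdict(set)            # (role, user, date) -> MRNs
    for e in events:
        per_user_day[(e["role"], e["user"], e["ts"].date())].add(e["mrn"])
    by_role = defaultdict(dict)                # role -> {(user, date): count}
    for (role, user, day), mrns in per_user_day.items():
        by_role[role][(user, day)] = len(mrns)
    flagged = []
    for counts in by_role.values():
        values = list(counts.values())
        if len(values) < 3:
            continue                           # too few peers for a baseline
        med = statistics.median(values)
        mad = statistics.median(abs(v - med) for v in values) or 1.0
        for (user, day), n in counts.items():
            if (n - med) / mad > z:
                flagged.append((user, day.isoformat(), n))
    return sorted(flagged)


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for user, mrn in accesses_without_relationship(evts, ASSIGNMENTS):
        print(f"no work relationship: {user} opened MRN {mrn}")
    for user, day, n in volume_outliers(evts):
        print(f"volume outlier: {user} viewed {n} distinct patients on {day}")
```

Two practical points follow from the Tewksbury case. The relationship check is only as good as the assignment data, so emergency "break the glass" access needs its own recorded justification rather than an exemption, and the checks need to run on a schedule against retained logs: a pattern that spanned 14 years can only be reconstructed if the audit trail is kept for far longer than a typical 90-day retention window.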

Tewksbury Hospital says the investigation did not uncover any evidence to suggest protected health information was misused in any way.

The incident has been reported to the Department of Health and Human Services’ Office for Civil Rights, which investigates all data breaches that have impacted 500 or more individuals. If the investigation reveals that HIPAA Rules were violated by the hospital, the penalty could be severe given the duration of the breach.


NotPetya Attack Continues to Disrupt Nuance Communications’ Services

In late June, Nuance Communications, a provider of healthcare solutions and transcription services, was one of many organizations around the globe to have systems taken out of action by NotPetya ransomware.

While most ransomware attacks are conducted to obtain ransom payments in exchange for the keys to unlock data, NotPetya was different: the aim was sabotage. Infection overwrote the master boot record and encrypted the NTFS master file table, leaving infected computers unable to locate their stored files, and the “installation key” displayed in the ransom note was random data with no relation to the encryption key. Data recovery was therefore not possible even if the ransom demand was paid.

The attacks caused permanent damage at many organizations requiring the replacement of hardware and substantial portions of affected networks. Nuance Communications was no different.

Following the attack, Nuance Communications brought in external security experts to contain the infection and determine the extent of the attack, but not in time to prevent widespread damage. Systems were taken out of action, preventing hundreds of hospitals from using its services.

Premier Health was one of many hospital systems forced to switch transcription service providers. Boston’s Beth Israel Deaconess Medical Center was also impacted and has been prevented from using Nuance’s eScription service. University of Pittsburgh Medical Center was similarly affected and still cannot use the company’s transcription service.

It took Nuance Communications until July 3 to bring its eScription RH and Clinic 360 clients back online on the Emdat platform, and until July 5 to bring its eScription LH platform back online. By July 11, almost 200 hospitals had started using its eScription LH platform again, although some company services continue to be disrupted.

Nuance Communications spokesperson Richard Mack announced yesterday that “We are doing everything within our power to support our health-care customers and provide them with the information and resources they need to provide quality patient care, including offering an alternative system and solutions.”

In addition to fixing its systems and working hard to bring customers back online, the company has been improving its security to prevent future attacks.

Even though most systems are now back online, it may be difficult to convince hospitals to return. Many have since switched to other service providers as a result of the attack and loss of its services. Many are unlikely to return. That is likely to make a serious dent in its Q3 profits at the very least. At present, the company’s share price has fallen 6% since the attack.
