HIPAA Breach News

Healthcare Hacking Incidents Overtook Insider Breaches in July

Throughout 2017, the leading cause of healthcare data breaches has been insiders; however, in July hacking incidents dominated the breach reports.

Almost half of the breaches (17 incidents) reported in July for which the cause of the breach is known were attributed to hacking, which includes ransomware and malware attacks. Ransomware was involved in 10 of the 17 incidents.

The Protenus Breach Barometer report for July shows there were 36 reported breaches – the third lowest monthly total in 2017 and a major reduction from the previous month, when 52 data breaches were reported – the worst month of the year to date by some distance.

In July, 575,142 individuals are known to have been impacted by healthcare data breaches, although figures have only been released for 29 of the incidents. The worst breach reported in July – a ransomware attack on Women’s Health Care Group of PA – impacted 300,000 individuals.

While hacking incidents are usually fewer in number than insider breaches, they typically result in the theft or exposure of the most healthcare records. July was no exception. Protenus reports that 21 times more records were exposed/stolen as a result of hacking incidents than breaches involving insiders. Hacking incidents impacted 516,053 of the 575,142 known victims in July.

There were 8 confirmed insider breaches (22.2% of the total) which resulted in the theft/exposure of 24,212 records. Three were attributed to errors by insiders with five caused by insider wrongdoing. 8.3% of the breaches were due to loss or theft, with three incidents involving the theft of physical records.

At the end of July, the Department of Health and Human Services’ Office for Civil Rights’ cybersecurity newsletter highlighted the risk from phishing attacks, reminding HIPAA-covered entities of the need to conduct security awareness training. July was a particularly bad month for phishing, with 5 phishing incidents reported.

The majority of breaches were experienced by healthcare providers (80.5%) followed by health plans (8.3%) and business associates (5.5%). More business associates may have been involved in the breaches according to Protenus, although insufficient data was available to confirm this. 5.5% of the breaches were attributed to other entities, including one fire dispatch center.

Over the past few months, the time taken by covered entities to report data breaches has improved, with June seeing virtually all breaches reported inside the 60-day window stipulated by the HIPAA Breach Notification Rule. However, there was a slight deterioration in July. The average time to report the breaches was 67.5 days, although the median was 60 days.

It should be noted that unnecessarily delaying breach reports is a violation of HIPAA Rules. Healthcare organizations should not wait until the 60-day deadline arrives before sending notification letters to patients/plan members and informing OCR.

The time taken to discover data breaches is poor in the healthcare industry. In July, the average time to discover a breach was 503 days (median was 79.5 days). The average time was skewed by a single breach that took an astonishing 14 years to discover – a breach involving an insider who had been snooping on patient records.

California, Georgia, and Indiana topped the list for the states worst affected by healthcare data breaches with three incidents apiece.

The post Healthcare Hacking Incidents Overtook Insider Breaches in July appeared first on HIPAA Journal.

Lake Health Informs OB Patients of TriPoint Medical Center Breach

A log book containing the protected health information of approximately 750 obstetrics patients of TriPoint Medical Center in Concord Township, Ohio has been discovered to be missing.

All obstetrics departments are required by the Ohio Department of Health to maintain a log book detailing deliveries. The log book contained only limited protected health information of patients and the loss/theft of the logbook did not result in the exposure of any highly sensitive information such as Social Security numbers, financial information, or details of health insurance.

However, out of an abundance of caution, all individuals affected by the incident have been notified of the breach by mail and have been offered membership to an identity theft protection program for 12 months without charge.

Lake Health, which operates the medical center, was informed of the lost logbook in June and launched an investigation and conducted a risk assessment the same day. While the logbook has not been located, Lake Health has confirmed that none of the information in the log book has been lost. All information is transferred from the log book to its computer system and the digital copies are stored securely.

The Ohio Department of Health does not stipulate that log books be maintained in physical form. To improve security, Lake Health has updated its policies and procedures and the log book is now maintained in secure, digital form. Additionally, the incident has prompted Lake Health to provide further training for all obstetrics department employees on privacy and security.

Marketing and Business Development Senior Vice President Richard D. Cicero issued a statement saying Lake Health “deeply regrets this incident” and is committed to protecting the privacy and security of patients’ sensitive information. He explained, “We have rigorous processes and procedures in place to detect breaches of patients’ rights and to protect patients in the event of a breach.”


Ransomware Attack Suffered by Cove Family and Sports Medicine

A ransomware attack on Cove Family and Sports Medicine and Krichev Family Medicine, P.C., in Huntsville, Alabama resulted in the medical records and personal information of 4,300 patients being encrypted.

Ransomware was installed on April 14, 2017. Cove Medicine had backed up its data and was able to reinstall its operating system and recover encrypted files from backups, without having to resort to paying the ransom.

However, while the majority of PHI could be recovered, the backup devices were connected to its system at the time of the attack and some data were encrypted. Consequently, some information could not be recovered. Lost data was restricted to internal notes taken during visits dating back two years. Cove Medicine believes all other data have been recovered and the ability to provide medical services to patients has not been affected.

Some ransomware attacks have involved data theft although, in this case, no evidence of data theft has been uncovered and there was no indication systems were accessed prior to the deployment of ransomware. The purpose of the attack is believed to have solely been an attempt to extort money from the practice.

Notifications have been sent to patients to alert them to the ransomware attack out of an abundance of caution, even though ePHI access is not suspected. The types of information encrypted in the attack included names, addresses, dates of birth, Social Security numbers, patient ID numbers, diagnoses, procedure information, times and dates of treatment, and prescription information.

As with all breaches involving more than 500 records, the Department of Health and Human Services’ Office for Civil Rights conducts an investigation. Provided organizations have implemented controls to reduce the risk of malware and ransomware attacks to the standard required by HIPAA, no further action is likely to be taken.

In this case, OCR was satisfied that Cove Family and Sports Medicine had implemented all appropriate controls and HIPAA Rules had not been violated. The investigation was closed with no further action required.

This ransomware attack clearly demonstrates how important it is for healthcare organizations to ensure backup devices are disconnected after backups have been performed. If backup devices are not air-gapped, backup files can be encrypted along with all other files on the infected computer and network.

If backups are encrypted, healthcare organizations will have little alternative but to pay the ransom. As the NotPetya (ExPetr) wiper attacks clearly showed, it may not be possible to recover data even if a ransom is paid.


August Sees OCR Breach Reports Surpass 2,000 Incidents

Following the introduction of the HITECH Act in 2009, the Department of Health and Human Services’ Office for Civil Rights has been publishing summaries of healthcare data breaches on its Wall of Shame. August saw an unwanted milestone reached. There have now been more than 2,000 healthcare data breaches (impacting more than 500 individuals) reported to OCR since 2009.

As of today, there have been 2,022 healthcare data breaches reported. Those breaches have resulted in the theft/exposure of 174,993,734 individuals’ protected health information. Healthcare organizations are getting better at discovering and reporting breaches, but the figures clearly show a major hike in security incidents. In the past three years, the total has jumped from around 1,000 breaches to more than 2,000.

The recent KPMG 2017 Cyber Healthcare & Life Sciences Survey showed that 47% of healthcare organizations have experienced a data breach in the past two years, up from 37% in 2015 when the survey was last conducted. An ITRC/CyberScout study showed there has been a 29% increase in data breaches so far in 2017.

In contrast to other industries, the biggest cause of healthcare data breaches is insiders (Protenus/databreaches.net): both deliberate actions by ‘bad apples’ and accidental breaches as a result of simple errors and negligence. Hacking (including malware/ransomware attacks) is the second biggest cause.

Healthcare Organizations Should Not Ignore the Threat from Phishing

Many healthcare data breaches occur as a result of phishing. Research conducted by PhishMe suggests 91% of data breaches start with a phishing email, with the attackers using phishing to obtain login credentials or install malware/ransomware.

A recent Global Threat Intelligence Report released by NTT Security showed the extent to which phishing is used to distribute malware. In Q2, 2017, 67% of malware attacks saw malware delivered via phishing emails.

Jon Heimerl, manager of the Threat Intelligence communications team, pointed out that while phishing is used extensively to spread malware, it isn’t often rated as one of the biggest threats. Heimerl said, “I have not seen any studies where CISOs are saying their No. 1 concern is phishing attacks. If you went around a room, it would likely be ransomware and DDoS as the No. 1 and No. 2 things on their mind, in my view.”

Countering the threat from phishing requires software solutions to block spam emails from being delivered to end users, security awareness training to teach employees how to identify email threats, and phishing simulations to put security awareness training to the test and identify vulnerable individuals in need of further training.

New Exploit Kit and Recent Ransomware Attacks Highlight Importance of Prompt Patching

Email remains the main delivery vector for malware, although the WannaCry attacks showed that malware can easily be installed if patch management practices are poor. The ransomware attacks were made possible thanks to the release of exploits by the hacking group Shadow Brokers and poor patching practices. Prompt patching would have protected organizations against WannaCry.

Exploit kits also pose a threat. Exploit kits are web-based tools that probe for vulnerabilities in browsers and plugins. Exploits are loaded to the kit that are used to silently download malware when a visitor to a domain hosting the kit is discovered to have a vulnerable browser.

This week, a new exploit kit has started to be offered on underground forums at cut price rates. For as little as $80 a day, cybercriminals can rent the new Disdain exploit kit and use it to spread malware. Exploit kit activity has fallen over the past 12 months, although the threat of web-based attacks should not be ignored.

The Disdain exploit kit can leverage at least 15 vulnerabilities to download malicious payloads, including vulnerabilities in Firefox (CVE-2017-5375, CVE-2016-9078, CVE-2014-8636, CVE-2014-1510, CVE-2013-1710), Internet Explorer (CVE-2017-0037, CVE-2016-0189, CVE-2015-2419, CVE-2014-6332, CVE-2013-2551), IE and Edge (CVE-2016-7200), Adobe Flash (CVE-2016-4117, CVE-2016-1019, CVE-2015-5119), and Cisco Web Ex (CVE-2017-3823). While many of these vulnerabilities are relatively new, patches have been released to address all of the flaws.


To reduce the risk of exploit kit attacks, healthcare organizations should ensure all browsers are updated automatically and that regular checks are performed to confirm all employees are using the latest versions. A web filtering solution is also beneficial to block access to domains known to distribute malware, host exploit kits, or be used for phishing.
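One way to carry out the "regular checks" recommended above is to review web proxy logs for the browser versions employees actually present, rather than trusting that auto-update has run everywhere. The script below is an added example written for this article, not code from HIPAA Journal or from any vendor: it extracts browser names and major versions from User-Agent strings in a few constructed proxy log lines and flags users below an assumed minimum-version policy. The log format, the usernames and the minimum versions in MIN_VERSIONS are all placeholders; a real deployment would take the thresholds from the organization's patch baseline.

```python
import re

# Assumed minimum acceptable major versions (placeholder policy values,
# not taken from the article or from any vendor advisory).
MIN_VERSIONS = {"Firefox": 55, "Chrome": 60, "MSIE": 11, "Edge": 15}

# Constructed sample proxy log lines: <user> <client-ip> "<User-Agent>".
# These are invented for the example and do not represent real traffic.
SAMPLE_LOG = """\
jdoe 10.1.2.3 "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:54.0) Gecko/20100101 Firefox/54.0"
asmith 10.1.2.4 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36"
bjones 10.1.2.5 "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
clee 10.1.2.6 "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"
dkim 10.1.2.7 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 Edge/16.16299"
"""

LINE_RE = re.compile(r'^(\S+)\s+(\S+)\s+"(.*)"$')


def detect_browser(user_agent):
    """Return (browser_name, major_version) or None if the UA is not recognised.

    Order matters: Edge UAs also contain a Chrome/ token, and IE 11 drops the
    MSIE token in favour of Trident/7.0 with an rv: version.
    """
    checks = [
        ("Edge", r"Edge/(\d+)"),
        ("Firefox", r"Firefox/(\d+)"),
        ("Chrome", r"Chrome/(\d+)"),
        ("MSIE", r"MSIE (\d+)"),
        ("MSIE", r"Trident/\d+\.\d+.*rv:(\d+)"),
    ]
    for name, pattern in checks:
        match = re.search(pattern, user_agent)
        if match:
            return name, int(match.group(1))
    return None


def parse_log(log_text):
    """Yield (user, client_ip, user_agent) tuples, skipping malformed lines."""
    for line in log_text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            yield match.group(1), match.group(2), match.group(3)


def find_outdated(log_text, policy=MIN_VERSIONS):
    """Return [(user, browser, seen_major, required_major)] for users below policy."""
    outdated = []
    for user, _ip, user_agent in parse_log(log_text):
        detected = detect_browser(user_agent)
        if detected is None:
            continue  # unknown client; a real job would log these for review
        browser, major = detected
        required = policy.get(browser)
        if required is not None and major < required:
            outdated.append((user, browser, major, required))
    return outdated


def browser_inventory(log_text):
    """Return {browser: set_of_major_versions_seen} as a quick fleet overview."""
    inventory = {}
    for _user, _ip, user_agent in parse_log(log_text):
        detected = detect_browser(user_agent)
        if detected:
            inventory.setdefault(detected[0], set()).add(detected[1])
    return inventory


if __name__ == "__main__":
    for user, browser, seen, required in find_outdated(SAMPLE_LOG):
        print(f"{user}: {browser} {seen} is below the required {required}")
    print("versions seen:", browser_inventory(SAMPLE_LOG))
```

On the constructed log this flags jdoe (Firefox 54) and clee (Internet Explorer 8); the Edge line is correctly attributed to Edge rather than to the Chrome token it also carries. User-Agent strings can be spoofed, so this is a quick triage check to spot endpoints that missed an update, not a substitute for an endpoint inventory.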


Surgical Dermatology Group Informs Patients of Cloud Services Provider Breach

Hackers have gained access to a server maintained by cloud hosting and server management provider TekLinks and have potentially accessed/copied the protected health information of patients of Surgical Dermatology Group in Birmingham, AL.

The intrusion was discovered on or around May 1, 2017, although the breach investigation revealed access to the server was first gained on March 23, 2017. TekLinks said access to the server was blocked on May 1, and its monitoring systems showed no access took place between April 22 and May 1, although it is possible data were viewed or copied in the previous four weeks.

Surgical Dermatology Group has been working with forensic investigators to determine the nature and scope of the breach and reports that a wide range of protected health information was potentially accessed. The types of data stored on the compromised server includes patients’ names, home and work telephone numbers, cell phone numbers, addresses, email addresses, medical record numbers, patient ID numbers, Social Security numbers, health plan numbers, details of charges and payments and physicians’ names. Financial information and credit/debit card numbers were not compromised as they were not stored on the server.

Surgical Dermatology Group has not received any reports to suggest any information on the server has been accessed or misused in any way, although due to the sensitive nature of data involved, all affected individuals have been offered credit monitoring and identity theft protection services for 12 months without charge.

All affected patients have now been notified of the breach and the incident has been reported to appropriate authorities, including the Federal Bureau of Investigation.

The forensic investigation team has confirmed that all servers are now secured and access is no longer possible. Steps have also been taken to improve security to prevent further breaches. A spokesperson for the company said, “Surgical Dermatology Group takes very seriously its responsibility to protect your information and deeply regrets this unfortunate incident.”


Pacific Alliance Medical Center Announces Ransomware Attack

A ransomware attack on the Los Angeles Pacific Alliance Medical Center has potentially resulted in the attackers gaining access to the protected health information of its patients.

The attack occurred on or around June 14, 2017. Pacific Alliance Medical Center became aware that its systems had been compromised when files started to be encrypted. The incident triggered Pacific Alliance Medical Center’s emergency response procedures and its networked computer systems were rapidly shut down to prevent the spread of the virus.

The Information Technology Department conducted an initial investigation which revealed several computer systems had been attacked. The forensic investigation has now been completed, the virus has been removed and data have been successfully decrypted. It is unclear whether a ransom was paid.

Efforts are continuing to restore its systems and improve protections to ensure incidents such as this are prevented in the future. Those measures include enhanced antivirus protection and other system safeguards.

All affected individuals have now been notified of the breach and the incident has been reported to the FBI. Pacific Alliance Medical Center states in its substitute breach notice that breach notification letters were not delayed as a result of the law enforcement investigation.

Ransomware attacks do not typically result in data being viewed or stolen by the attackers and Pacific Alliance Medical Center has uncovered no evidence to suggest data were viewed/stolen in this attack. However, since the possibility cannot be ruled out with a high degree of certainty, breach notification letters have been sent and all affected individuals have been offered membership to Experian Identity Works identity theft protection services for two years without charge.

The types of PHI stored on the systems affected by the recent attack include names, dates of birth, demographic information, employment information and Social Security numbers. No financial information or health data were stored on the affected systems, and that information remained secure at all times.

The incident has been reported to the Department of Health and Human Services’ Office for Civil Rights although it is currently unclear how many individuals have been impacted by the security breach.


Missouri Care Notifies Medicaid Recipients of Subcontractor Breach

A mailing error by a subcontractor of Missouri Care Inc., has resulted in the protected health information of 1,223 participants being impermissibly disclosed to other individuals. The MO HealthNet-managed care plan was informed of the breach by O’Neil Printing on July 20, 2017. The privacy breach has been attributed to a software programming error.

The error potentially resulted in the names, birth dates, MO HealthNet ID numbers and Missouri Care member ID numbers of Medicaid recipients being mailed to incorrect recipients. The Missouri Department of Social Services has confirmed that Social Security numbers, financial information and medical information were not involved.

O’Neil Printing identified the cause of the error and has since corrected its software to prevent further mis-mailings. The error only affected mailings on July 11 and July 13, 2017.

Missouri Care has been working closely with MO HealthNet to ensure affected individuals were notified promptly. Letters informing participants of the privacy breach were recently sent in the mail, well within the deadline of the HIPAA Breach Notification Rule.

There is no reason to suggest any of the disclosed information has been misused in any way, although out of an abundance of caution, all affected individuals have been offered complimentary credit monitoring services for 12 months, the cost of which will be absorbed by Missouri Care. Further information on measures that can be taken to reduce the risk of identity theft and fraud has also been provided to the privacy breach victims, such as monitoring Explanation of Benefits statements for any sign of fraudulent activity.


3,400 Patients’ PHI Potentially Compromised in City of Hope Phishing Attack

A phishing attack on City of Hope has resulted in cybercriminals gaining access to the email accounts of four employees.

The emails made it past spam filtering controls and were delivered to employees on May 31 and June 2, 2017. Four employees responded to the requests and disclosed their login credentials to the attackers. City of Hope says the emails appeared to have been sent from a trustworthy source.

The attackers used the login credentials to access the accounts, although City of Hope was unable to determine the scope or nature of access. On July 21, City of Hope confirmed that three of the accounts contained patients’ protected health information.

The protected health information in the emails included names, addresses, email addresses, contact telephone numbers, dates of birth, dates of service, diagnoses, test results, medication information, and other clinical data. No financial information, insurance details, or Social Security numbers were exposed or accessed.

Phishing attacks such as this are not always concerned with obtaining protected health information. Oftentimes, access to the email accounts is gained in order to use the accounts to send spam emails. City of Hope believes that was the intention of the phishers in this case.

However, since PHI access cannot be ruled out, patients affected by the incident have been advised to remain cautious and monitor their accounts for any sign of suspicious activity. The incident has been reported to law enforcement and a leading forensic information technology firm has been retained to assist with the investigation. The firm will also evaluate City of Hope systems and processes and will assist with strengthening existing security protections to prevent future incidents of this nature from occurring.

The breach has now been reported to the Department of Health and Human Services’ Office for Civil Rights (OCR). The breach summary indicates 3,400 patients have been impacted by the incident.

OCR Highlights the Importance of Regular Security Awareness Training for Healthcare Employees

In its July Cybersecurity Newsletter, OCR reminded covered entities of the importance of providing security awareness training to employees to help prevent attacks such as this from resulting in PHI being compromised.

Security awareness training for the workforce is a requirement of the HIPAA Security Rule and employees should receive regular training to help them identify phishing attacks and other security threats.

OCR suggested the frequency of training should be dictated by the findings of risk analyses, although it was pointed out that many healthcare organizations are conducting biannual training and are issuing monthly security bulletins to employees on the latest threats.

OCR suggests employee security awareness training should include computer-based training, classroom sessions, monthly newsletters, security bulletins, posters, and team discussions, although which training methods are used is left to the discretion of the covered entity.

Security awareness training should be documented, with attestations obtained from employees to prove training has been received. Documentation will be required by OCR if a covered entity is selected for an audit or as part of an investigation into a data breach.


Maryland Data Breach Notification Law Updated

Maryland data breach notification law has been updated, with the definition of personal information expanded. The current data breach notification statute in Maryland does not include health insurance information or data covered under the definition of the Health Insurance Portability and Accountability Act (HIPAA), although from January 1, 2018 that will change.

Maryland data breach notification law – specifically the Maryland Personal Information Protection Act – requires breach notification letters to be sent to all Maryland residents affected by a breach of personal information. Those notifications must be issued as soon as it is practicable to do so, but no later than 45 days after the discovery of a data breach that has resulted in personal information being misused or if it is likely that data could be misused.

The current definition of personal information includes a Maryland resident’s first and last name or initial and last name along with either a driver’s license number, Social Security number, financial account number, credit or debit card number (with a security code, expiry date or password that would allow the card to be used) or taxpayer identification number.

The new definition of personal information also includes passport numbers, other federal government-issued ID numbers, state identification card numbers, any information covered by HIPAA laws, biometric data, an email address in combination with a password or security question that permits access to the account, and health insurance policy information, certificate numbers, or subscriber ID numbers in combination with an identifier that allows the information to be used.

Businesses must implement and maintain reasonable security procedures and practices to protect the confidentiality of personal information. If personal information is disclosed to a third party, the business must state in its contracts with those third parties that reasonable security procedures and practices must be implemented and maintained.

However, “reasonable security procedures and practices” have not been defined in the new statute.
