HIPAA Breach News

U.S. Data Breaches Hit Record High

Hacking is still the biggest cause of data breaches, and the breach count has risen once again in 2017, according to a new report released by the Identity Theft Resource Center (ITRC) and CyberScout.

In its half-yearly report, ITRC says 791 data breaches had already been reported in the year to June 30, 2017, a 29% increase year on year. At the current rate the annual total is likely to reach 1,500 reported data breaches, which would be a 37% increase on last year’s record-breaking total of 1,093.

Since the passing of the HITECH Act in 2009, the Department of Health and Human Services’ Office for Civil Rights (OCR) has published summaries of healthcare data breaches on its website. HIPAA/HITECH requires healthcare organizations to report the extent of those breaches and how many records were exposed or stolen. The healthcare industry therefore leads the way on transparency: many businesses in other sectors do not disclose the extent of their breaches at all.

ITRC says withholding this information is becoming much more common. In the first six months of 2017, 67% of data breach notifications and public notices did not include the number of records exposed, a 13% increase year on year and well above the 10-year average of 43%. Incomplete information makes it harder to produce meaningful statistics and to assess the impact of breaches.

81.5% of healthcare industry breach reports included the number of people impacted, a similar level to 2016. ITRC points out that this does not mean healthcare organizations are failing to provide full reports, only that HITECH/HIPAA does not require details of breaches of employee information to be reported.

The OCR breach portal shows healthcare industry data breaches in the year to June 30, 2017 increased by 14% year on year. 169 breaches were reported in the first six months of 2017 compared to 148 in the same period in 2016.

Hacking Is Still the Biggest Cause of U.S. Data Breaches

Hacking remains the biggest cause of U.S. data breaches according to the report, accounting for 63% of breaches reported in the first half of the year across all industries, an increase of 5% year on year. Phishing, ransomware, malware and skimming are included in the hacking total: 47.7% of those breaches involved phishing and 18.5% involved ransomware or malware.

The second biggest causes of U.S. data breaches were employee error, negligence and improper disposal, accounting for 9% of the total, followed by accidental exposure on the Internet – 7% of breaches.

The OCR breach portal shows 63 healthcare data breaches were attributed to hacking/IT incidents, 37% of the half-yearly total and a rise of 19% on the same period last year.

A close second is unauthorized access/disclosure, with 58 incidents (35% of the total), a 14% decrease year on year. Third is loss/theft of devices, with 40 incidents (24% of all healthcare data breaches), a 4% fall year on year. The remaining 4% of healthcare data breaches, 7 incidents, were caused by improper disposal of PHI/ePHI.

Matt Cullina, CEO of CyberScout, said “All these trends point to the need for businesses to take steps to manage their risk, prepare for common data breach scenarios, and get cyber insurance protection.”

The post U.S. Data Breaches Hit Record High appeared first on HIPAA Journal.

Ransomware Attack Investigation Reveals 15-Month Security Breach

A ransomware attack on Peachtree Neurological Clinic (PNC) in Atlanta, GA resulted in the encryption of sensitive data. Since PNC had backed up its data, it was possible to restore the affected files without paying the ransom.

Following any ransomware attack it is important to conduct a forensic analysis of the affected systems, not only to confirm that all traces of the ransomware have been removed and no backdoors have been left behind, but also to establish when and how the attackers first got in. PNC scanned its systems and confirmed that the malware had been removed; however, the investigation revealed that its systems had been accessed by unauthorized individuals between February 2016 and May 2017.
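The dwell-time question PNC faced (when did unauthorized access begin, and when did it end?) is usually answered from authentication records rather than from malware scans. As an added example, not code from the original article or from PNC, the script below parses a constructed set of remote-logon records, treats every successful logon from outside the organization’s own address ranges as unauthorized, and reports the first and last such logon, the accounts used and the source addresses. The log format, the user names, the IP addresses and the trusted ranges are all assumptions made up for the example; real sources (Windows Security event 4624, sshd logs, VPN concentrator exports) need their own parser, but the reasoning is the same.

```python
import re
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Constructed sample of remote-logon records, one per line (hypothetical format;
# real sources such as Windows event 4624 or sshd logs need their own parser).
SAMPLE_LOG = """\
2016-01-20T08:02:11Z logon user=jsmith src=10.0.5.21 result=success
2016-02-14T03:41:07Z logon user=admin src=198.51.100.23 result=success
2016-02-14T03:42:55Z logon user=admin src=198.51.100.23 result=success
2016-09-02T22:15:30Z logon user=backup src=203.0.113.77 result=success
2017-03-11T01:05:12Z logon user=admin src=203.0.113.77 result=failure
2017-05-03T04:12:48Z logon user=admin src=198.51.100.23 result=success
2017-05-04T09:30:00Z logon user=jsmith src=10.0.5.21 result=success
"""

# Address ranges the clinic considers its own (assumption for the example).
TRUSTED_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) logon user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def parse_log(text):
    """Turn the raw text into a list of event dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "user": m["user"],
            "src": m["src"],
            "result": m["result"],
        })
    return events


def is_trusted(src):
    """True if the source address falls inside one of the organization's own ranges."""
    ip = ip_address(src)
    return any(ip in net for net in TRUSTED_NETWORKS)


def unauthorized_access_window(events):
    """Earliest and latest successful logon from an untrusted address, plus the
    sources and accounts involved. Failed attempts are left out on purpose: they
    show probing, not access, so they must not stretch the window."""
    hits = [e for e in events if e["result"] == "success" and not is_trusted(e["src"])]
    if not hits:
        return None
    first = min(e["ts"] for e in hits)
    last = max(e["ts"] for e in hits)
    return {
        "first": first,
        "last": last,
        "days": (last - first).days,
        "sources": sorted({e["src"] for e in hits}),
        "accounts": sorted({e["user"] for e in hits}),
        "count": len(hits),
    }


if __name__ == "__main__":
    w = unauthorized_access_window(parse_log(SAMPLE_LOG))
    print(f"unauthorized access from {w['first']:%Y-%m-%d} to {w['last']:%Y-%m-%d} "
          f"({w['days']} days, {w['count']} logons from {w['sources']} as {w['accounts']})")
```

On the constructed sample the window runs from February 14, 2016 to May 3, 2017, about the fifteen months in PNC’s notice. Two caveats matter in real cases: the window is only as good as log retention (if the logs start after the intrusion, the true start is earlier than the earliest record), and a compromised account logging in from an internal jump host will not show up as an untrusted source, so the source-address rule should be paired with checks on unusual accounts, hours and logon types.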

Cybercriminals have been known to maintain access to an organization’s systems for months and deploy ransomware only once that access is of no further use to them, but it is unclear whether the same individuals were responsible for both security breaches.

PNC found no evidence that the ransomware attack involved the exfiltration of data, but it could not determine with any degree of certainty whether protected health information was accessed during the earlier intrusion. PNC was only able to confirm that its systems had been accessed.

The types of protected health information stored on the compromised system included names, telephone numbers, addresses, dates of birth, Social Security numbers, driver’s license numbers, prescription information, details of treatments/procedures and health insurance information.

Due to the sensitive nature of the data that were potentially accessed, PNC has offered all affected individuals complimentary identity theft protection services. The attacks have been reported to law enforcement and all affected individuals have been notified of the incidents by mail.

Dr. Lawrence Seiden, M.D., managing partner of PNC, said, “We take patient privacy seriously, and are very sorry for any concern or inconvenience this incident has caused or may cause to anyone who has been affected.”

The security breaches have yet to appear on the Department of Health and Human Services’ Office for Civil Rights Breach portal so it is unclear how many individuals have been impacted.

Rosalind Franklin University of Medicine and Science Phishing Attack Sees PHI Compromised

The protected health information of 859 patients of Rosalind Franklin University of Medicine and Science (RFU) has been compromised and may have been viewed or stolen. The information was stored in two email accounts that were accessed by unauthorized individuals in May.

Access to the email accounts was gained after employees responded to phishing emails. The phishing attack occurred on May 10, 2017, prompting a full investigation. The attackers had access to one email account for less than a day and to the second for a period of 9 days; access to the second account was blocked on May 19.

Third party security experts were brought in to assist with the investigation to help determine the full extent of the security breach. RFU is now certain that unauthorized access to sensitive data has been blocked. Part of the investigation involved checking all messages in the compromised email accounts for protected health information.

The investigation confirmed that the compromised PHI was limited to patients’ names, addresses, dates of birth, telephone numbers, medical record numbers, diagnostic information and lab test results. No Social Security numbers or financial information were compromised.

RFU says it has received no reports of any misuse of information in the accounts, although affected individuals have been advised to remain vigilant and to check their credit reports, account statements and Explanation of Benefits statements for any sign of fraudulent activity.

RFU has reassured patients that security measures had been introduced prior to the attack to protect data stored in its systems and proactive steps have now been taken to address the incident and strengthen security to prevent further successful phishing attacks. RFU has reported the incident to the FBI which is investigating.

An RFU spokesperson said, “The confidentiality, privacy, and security of information within our care is one of our highest priorities.”

Detroit Medical Center Discovers Agency Employee Disclosed Patients’ PHI

Detroit Medical Center (DMC) has discovered that a staffing-agency employee stole the protected health information of as many as 1,529 patients and impermissibly disclosed that information to a third party.

DMC became aware of the security breach when the staffing agency that supplied the employee contacted it to report that protected health information had been obtained and provided to a third party.

DMC is part of the Tenet Healthcare system and runs eight hospitals and institutions in Detroit and southeast Michigan. DMC has not released information on the specific medical center where the employee worked or that individual’s role.

The types of information that were stolen and disclosed were also not made public. However, DMC has issued a statement confirming the data theft and disclosure have been reported to law enforcement and that the hospital is cooperating fully with the police investigation.

Upon hearing of the unauthorized disclosure, Detroit Medical Center conducted a thorough internal investigation, which included a review of all medical records that could potentially have been accessed by the employee. The employee’s login to systems containing PHI has been blocked and the employee has been terminated.

Detroit Medical Center determined that patients impacted by the security breach had visited a DMC facility for treatment between March 2015 and May 2016. Those individuals have now been notified by mail that their PHI has been compromised and have been offered credit monitoring services for 12 months without charge through AllClear.

If employees are given access to PHI in order to complete work duties there is always a risk that data access rights will be abused. It is therefore important for healthcare organizations to monitor PHI access logs regularly to check for inappropriate access. Detroit Medical Center did have monitoring systems in place, although the security breach has prompted DMC to modify monitoring programs to ensure any future incidents are detected rapidly.
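The monitoring the paragraph above calls for is usually built on the EHR audit trail, which records who opened which patient record and when. As an added example, not DMC’s program or code from the original article, the script below runs two of the most useful rules over a constructed audit extract: access to a patient with whom the user has no treatment relationship (the user is not on that patient’s care team per scheduling or admission data), and a day on which a user touches far more distinct patients than their own baseline. The row format, the user names, the assignment table and the baselines are assumptions made up for the example.

```python
from collections import Counter, defaultdict

# Constructed EHR audit-trail rows (timestamp, user, patient_id, action); hypothetical format.
AUDIT_ROWS = [
    ("2016-04-01T09:01", "nurse_a", "P1001", "view"),
    ("2016-04-01T09:05", "nurse_a", "P1002", "view"),
    ("2016-04-01T10:10", "temp_b", "P1001", "view"),
    ("2016-04-01T10:11", "temp_b", "P2001", "view"),
    ("2016-04-01T10:12", "temp_b", "P2002", "export"),
    ("2016-04-01T10:13", "temp_b", "P2003", "export"),
    ("2016-04-01T10:14", "temp_b", "P2004", "view"),
    ("2016-04-02T08:00", "nurse_a", "P1001", "update"),
]

# Treatment relationships per user, e.g. from scheduling/ADT feeds (assumption).
ASSIGNMENTS = {
    "nurse_a": {"P1001", "P1002"},
    "temp_b": {"P1001"},
}

# Typical number of distinct patients each user touches per day (assumption; in
# practice derived from the user's own history or from peers in the same role).
DAILY_BASELINE = {"nurse_a": 10, "temp_b": 2}


def find_suspicious_access(rows, assignments, baselines, spike_factor=2.0):
    """Two rules: (1) access to a patient the user has no treatment relationship
    with; (2) more distinct patients in a day than spike_factor x the baseline."""
    findings = []
    per_day = defaultdict(set)
    for ts, user, patient, action in rows:
        if patient not in assignments.get(user, set()):
            findings.append({"rule": "no_treatment_relationship", "user": user,
                             "patient": patient, "ts": ts, "action": action})
        per_day[(user, ts[:10])].add(patient)
    for (user, day), patients in per_day.items():
        baseline = baselines.get(user, 5)   # unknown users get a conservative default
        if len(patients) > spike_factor * baseline:
            findings.append({"rule": "volume_spike", "user": user, "day": day,
                             "distinct_patients": len(patients)})
    return findings


def summarize(findings):
    """Count findings per (user, rule) so a reviewer sees who to look at first."""
    return Counter((f["user"], f["rule"]) for f in findings)


if __name__ == "__main__":
    for f in find_suspicious_access(AUDIT_ROWS, ASSIGNMENTS, DAILY_BASELINE):
        print(f)
    print(summarize(find_suspicious_access(AUDIT_ROWS, ASSIGNMENTS, DAILY_BASELINE)))
```

On the sample data every finding points at the temporary worker: four record accesses outside any treatment relationship, two of them exports, and a daily volume more than twice the baseline. The treatment-relationship rule is the one that catches the slow insider who takes a handful of records a day; the volume rule catches bulk collection. Both need the review to happen on a schedule (daily or weekly), since the DMC case shows the report arriving from the staffing agency rather than from internal monitoring.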

Ivinson Memorial Hospital Affected by FastHealth Security Breach

A data breach experienced by FastHealth, a vendor of website services, has impacted more than 500 patients of Ivinson Memorial Hospital in Laramie, WY.

Access was gained to a web server used by FastHealth and the attackers altered code on the website to capture billing and health information submitted by patients in online forms.
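Tampering of this kind, where the site keeps working but its scripts have been altered to copy form submissions elsewhere, is invisible to users and to the hospital relying on the vendor; it is found by comparing the deployed code against a known-good baseline. As an added example, not FastHealth’s tooling or code from the original article, the script below hashes every file under a web root, stores the result as a baseline, and on a later run reports files that were modified, added or removed. The directory layout and file contents are constructed for the example, and the "injected" text is a placeholder comment standing in for whatever the attackers actually added, which the article does not describe.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path):
    """Stream the file through SHA-256 so large assets do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Hash every file under the web root; keys are POSIX-style relative paths."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify(root, baseline):
    """Compare the tree against a baseline and report exactly what changed."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def demo():
    """Build a tiny web root, take a baseline, then make the kind of change the
    FastHealth notice describes: the bill-pay script is altered and a new script appears."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "js").mkdir()
        (root / "js" / "billpay.js").write_text("function pay(f){return post('/api/pay', f);}\n")
        (root / "index.html").write_text("<form id='pay'></form>\n")
        baseline = build_baseline(root)
        # Simulated tampering (placeholders, not real attacker code).
        with open(root / "js" / "billpay.js", "a") as fh:
            fh.write("/* placeholder for attacker-added code */\n")
        (root / "js" / "extra.js").write_text("/* placeholder */\n")
        return verify(root, baseline)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two practical points: the baseline must live somewhere the person who can edit the web root cannot also edit (a separate host or a signed artifact from the build pipeline), otherwise an attacker simply re-baselines after tampering; and the check should run against what the server actually serves, not only the files on disk, since a reverse proxy or a compromised third-party script tag can alter the page without touching the web root. A hospital that does not control the vendor’s servers can at least fetch its own payment page on a schedule and hash that.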

The breach does not affect all patients, only those that used the online bill-pay platform or completed new patient intake forms between January 14, 2016 and December 20, 2016. The security breach was discovered by FastHealth on December 21, 2016 and a third-party security firm was contracted to conduct an investigation. Forensic investigations can take some time to conduct, although it is unclear why it took almost 5 months for FastHealth to notify organizations about the breach.

The Laramie Boomerang reports that Ivinson Memorial Hospital was informed about the security breach on May 15, 2017. Patients are just being notified of the breach as it took time for Ivinson Memorial Hospital to verify the information sent by FastHealth. Ivinson Memorial Hospital says it wanted to make sure that the information it received about the breach was correct before making an announcement and notifying its patients.

The breach has prompted Ivinson Memorial Hospital to look for a new website vendor, and it will be terminating its contract with FastHealth as soon as possible.

The FastHealth data breach does not only impact Ivinson Memorial Hospital. FastHealth provides website services to many healthcare organizations, and more than 100 hospitals across the United States are understood to have been affected by the security breach, according to the Laramie Boomerang.

Heart of the Rockies Regional Medical Center in Salida, CO was also impacted by the breach and was recently notified by FastHealth. Its patients have been informed that their names, dates of birth, email addresses, billing addresses, phone numbers, account numbers, payment card numbers, expiration dates and CVV security codes were compromised as a result of the breach. Heart of the Rockies Regional Medical Center has now found an alternate vendor to provide its online payment and registration platform.

The breach report submitted to the Department of Health and Human Services’ Office for Civil Rights indicates 9,289 individuals were impacted by the security breach at FastHealth.

PHI of 15,000 UC Davis Health Patients Compromised in Phishing Attack

University of California Davis Health is alerting almost 15,000 patients that their PHI may have been viewed as a result of an employee falling for a phishing scam.

The incident occurred on May 15, 2017. A phishing email was sent to a UC Davis Health employee who responded and unwittingly gave the attacker login credentials to his/her email account. That email account was accessed by the attacker on May 17.

It is possible that the attacker accessed the employee’s email messages and viewed and/or obtained patients’ PHI. The investigation did not uncover any evidence to suggest that any patients’ PHI was viewed, although it was not possible to rule out the possibility with a high degree of confidence.

On May 17, the attacker used the email account to send emails to other staff members requesting bank transfers for large sums of money. The emails were recognized as fraudulent and were reported to the data security team which secured the email account to prevent further access. Since access to the email account was rapidly blocked it is possible that PHI was not viewed or copied by the attacker. However, out of an abundance of caution, affected individuals have been notified of the breach.

The employee had previously conducted various informational mailings and was required to perform other actions that required a limited amount of patients’ PHI. Consequently, the email account contained some PHI.

In most cases, the PHI in the email account was limited to patients’ names, addresses and phone numbers, although some patients’ Social Security numbers, medical record numbers and diagnoses were also potentially compromised.
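Both this incident and the RFU one above came down to the same scoping job: once an email account is known to be compromised, every message in it has to be checked for PHI so that the affected individuals can be identified and notified. As an added example, not code from UC Davis Health, RFU or the original article, the script below runs identifier patterns over a constructed mailbox export and returns which messages carry PHI and the distinct identifiers found. The message contents, the MRN and DOB labelling conventions, and the message ids are assumptions made up for the example. The SSN pattern rejects number ranges that are never issued (area 000, 666 or 9xx; group 00; serial 0000) so that order numbers and similar strings do not inflate the count.

```python
import re
from collections import defaultdict

# Constructed mailbox export (hypothetical messages); real exports arrive as .pst/.mbox/EML.
SAMPLE_MESSAGES = [
    {"id": 1, "subject": "Lab results",
     "body": "Patient Jane Roe, MRN 0048213, DOB 03/14/1970. CBC attached."},
    {"id": 2, "subject": "Lunch", "body": "Anyone for lunch at noon?"},
    {"id": 3, "subject": "Referral",
     "body": "Referral for MRN 0048213 and MRN 0091177; SSN 123-45-6789 on file."},
    {"id": 4, "subject": "Invoice", "body": "Reference 000-12-3456 paid."},
]

# Identifier patterns; the MRN and DOB label conventions are assumptions.
PATTERNS = {
    # SSN: reject area 000/666/9xx, group 00 and serial 0000, which are never issued.
    "ssn": re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "mrn": re.compile(r"\bMRN[ :#]*(\d{6,8})\b"),
    "dob": re.compile(r"\bDOB[ :]*(\d{2}/\d{2}/\d{4})\b"),
}


def scan_text(text):
    """Return the set of matches for each identifier type found in the text."""
    return {name: set(rx.findall(text)) for name, rx in PATTERNS.items()}


def scope_breach(messages):
    """Which messages carry PHI identifiers, and the distinct identifiers seen
    across the mailbox (the list of people who must be notified starts here)."""
    affected = []
    identifiers = defaultdict(set)
    for msg in messages:
        hits = scan_text(msg["subject"] + "\n" + msg["body"])
        if any(hits.values()):
            affected.append(msg["id"])
            for name, values in hits.items():
                identifiers[name].update(values)
    return {"messages_with_phi": affected, "identifiers": dict(identifiers)}


if __name__ == "__main__":
    result = scope_breach(SAMPLE_MESSAGES)
    print("messages with PHI:", result["messages_with_phi"])
    for name, values in result["identifiers"].items():
        print(f"{name}: {len(values)} distinct -> {sorted(values)}")
```

This is a first pass, not the whole review. Patterns find structured identifiers; a diagnosis written in free text, a lab result pasted into a message, or a name without an MRN next to it will not match, which is why RFU still had to read through the accounts and why the count should be driven by distinct patients (two messages mentioning the same MRN are one affected person, as in the sample), not by message hits. Attachments need to be extracted and scanned separately.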

Individuals whose sensitive information was exposed have been offered credit monitoring and identity theft protection services without charge for 12 months.

UC Davis Health says the phishing email was delivered to the employee’s inbox even though security measures had been introduced to block spam and phishing emails. An intrusion detection solution had been installed, but failed to detect fraudulent use of the email account. Staff at UC Davis Health are also provided with security awareness training to raise awareness of phishing and other threats.

UC Davis Health is now evaluating its security controls and training program and is considering augmenting its security protections to improve resilience against phishing attacks.

The incident has been reported to the Department of Health and Human Services’ Office for Civil Rights. The breach report indicates 14,900 individuals were impacted by the security breach.

University of Iowa Health Care Discovers PHI Was Exposed Online for 2 Years

University of Iowa Health Care has discovered patient information has been accidentally exposed on the Internet for a period of around 2 years. The exposed data was limited and did not include any clinical data, financial information or Social Security numbers, only patients’ names, admission dates and medical record numbers. 5,292 patients of University of Iowa Hospitals and Clinics have been impacted by the incident.

The data were saved in unencrypted files which were posted online via an application development website. The data were accessible via the Internet since May 2015, with the error detected on April 29, 2017, prompting an immediate investigation. University of Iowa Health Care acted quickly to mitigate risk, with the files deleted from the website on May 1, 2017.

The investigation did not uncover any evidence to suggest any information was misused, and while the exposed data were extremely limited, University of Iowa Health Care has advised all affected individuals to follow good practices and monitor for any data misuse including checking Explanation of Benefits statements from health insurers for signs of suspicious activity. All affected individuals have now been notified of the security incident by mail, with the breach notification letters sent on June 22.

The data breach prompted University of Iowa Health Care to conduct a thorough risk assessment to identify vulnerabilities that could threaten the confidentiality, integrity and availability of PHI. Action has now been taken to mitigate risks and University of Iowa Health Care has strengthened training and its information oversight efforts to prevent future security incidents.

Almost 12,000 Records Compromised in Two New Ransomware Attacks

In the past two weeks, two further healthcare organizations have announced that they have experienced ransomware attacks that potentially resulted in the protected health information of patients being accessed by cybercriminals. A combined 11,843 patient records were exposed in the two attacks.

The first incident affects PVHS-ICM Employee Health and Wellness, LLC. Ransomware was installed on a server at a single UCHealth walk-in clinic in Fort Collins, CO. The ransomware attack was discovered on May 4, 2017, with the crypto-ransomware believed to have been installed the same day.

A third-party computer expert was called in to help remove the ransomware and conduct a forensic investigation of the affected server. That investigation revealed the data stored on the server dated back to September 23, 2014 and included the protected health information of 10,143 individuals. PVHS-ICM has not indicated whether the ransom was paid.

The protected health information on the server included patients’ names, home addresses and other demographic information along with health records, including diagnoses and treatment information. Some patients’ Social Security numbers were also stored on the server.

In its substitute breach notice, PVHS-ICM said the forensic investigation did not uncover any evidence to suggest the attackers gained access to the ePHI of patients and there were no signs that any data were stolen in the attack. However, as is often the case with ransomware attacks, it was not possible to rule out the possibility that data were accessed or stolen with a high degree of confidence.

As is required by HIPAA Rules in such cases, patients must be notified that their ePHI was potentially compromised. Out of an abundance of caution, all patients affected by the incident have been offered complimentary identity monitoring and identity theft remediation services for 12 months through ID Experts.

PVHS-ICM has taken steps to prevent further ransomware attacks including taking the server offline and creating an encrypted backup of all sensitive information on the server. That backup will be stored in a secure location.

GI Care for Kids Endoscopy Center Suffers Ransomware Attack

The Atlanta, Georgia-based GI Care for Kids Endoscopy Center also recently announced it had discovered ransomware on its systems. The ransomware attack occurred on April 28, 2017 and was discovered the same day.

A forensic investigation by third-party security experts found no evidence of data access or theft, with the investigators believing the attackers only used the ransomware to encrypt patient records in order to extort money from the company. While the attackers are not believed to have stolen or viewed data, the possibility could not be totally ruled out.

The investigation revealed the ePHI of 1,700 patients was encrypted by the ransomware. The affected computers and servers did not contain any Social Security numbers or financial information; however, patients’ names, telephone numbers, addresses, birth dates, ages, and medical information such as health histories and diagnoses could potentially have been accessed.

Affected patients have now been notified of the incident in accordance with HIPAA Rules. GI Care for Kids Endoscopy Center told patients no further actions are required to protect against possible harm, although affected patients can obtain credit reports, place fraud alerts on credit accounts and should monitor their financial accounts closely if they are concerned about fraud following the ransomware attack.

Lost Backup Drive Contained PHI of More than 500 EEG Patients

Baptist Medical Center South of Jacksonville, Florida has discovered a backup drive containing the electronic protected health information of 531 patients has gone missing. The portable storage drive was discovered to be missing on May 18, 2017. The device appears to have been taken from an EEG room.

A full search for the device was conducted but it could not be located. Baptist Medical Center South was unable to determine whether the portable drive had been borrowed by a member of staff and not returned, was misplaced, stolen or had been accidentally discarded. Baptist Medical Center South was also unable to determine when the device went missing.

An investigation was conducted which enabled the medical center to determine which data had been backed up on the device. The information stored on the drive was limited to names, dates of birth, physician’s orders, medical record numbers, diagnoses, reasons for study, images taken during EEG tests and patients’ room numbers. The data related to certain patients who had visited the medical center for EEG testing in 2015, 2016 and 2017. No financial information or Social Security numbers were stored on the device.

The device was not encrypted, although the ePHI on it could only be read with special software, which would make it harder for a thief to access patients’ information. Requiring special software is not a substitute for encryption, however: only encryption that meets HHS guidance renders ePHI unusable, unreadable or indecipherable to unauthorized persons and removes the breach-notification obligation, so notification was still required.

No reports have been received to suggest any information on the device has been accessed or misused, although patients whose protected health information was exposed have now been notified by mail out of an abundance of caution and to satisfy regulatory requirements.

In order to prevent future security incidents of this nature from occurring, Baptist Medical Center South has reinforced and enhanced its security practices and has re-educated all staff that work in the EEG department.