HIPAA Breach News

Indiana Medicaid Recipients Alerted to Potential Data Breach

Medicaid recipients in Indiana are being notified that some of their protected health information was accessible over the Internet between February and May this year.

The fiscal agent for the Indiana Health Coverage Program (IHCP), DXC Technology, says a hyperlink to an IHCP report containing patient information was accessible online. The report was an internal document used for administrative functions.

The information exposed was limited to names, Medicaid ID numbers, patient numbers, procedure codes, dates of service, payment amounts and names/addresses of health care providers. At no point was it possible for Social Security numbers, addresses or financial information to be accessed.

While protected health information could potentially have been accessed via the Internet, no evidence has been uncovered to suggest the link was clicked or that any information was stolen.

DXC Technology is contacting all affected individuals by mail to alert them to the potential data breach to allow them to take precautions to protect their identities and to satisfy state and federal regulatory requirements. As an additional precaution, all affected individuals are being offered complimentary credit protection services for 12 months, even though DXC Technology does not believe any information has been, or will be, used inappropriately.

DXC Technology says the issue has now been mitigated and the report is no longer accessible.

Employee of Professional Counseling and Medical Associates Stole Patients' PHI

Paris, TN-based Professional Counseling and Medical Associates has discovered that a former employee copied information from its electronic health record system on or around May 14, 2017.

The data theft was discovered on May 22 and the incident was reported to law enforcement and state and federal agencies. The counselling service does not believe the individual disseminated the information publicly, but the possibility cannot be ruled out.

The stolen data include names, dates of birth, home addresses and insurance information, with some individuals’ medical notes and counselling records also believed to have been copied.

The post Indiana Medicaid Recipients Alerted to Potential Data Breach appeared first on HIPAA Journal.

Tampa Bay Surgery Center Notifies 26,000 of PHI Theft

Tampa Bay Surgery Center has started notifying almost 26,000 patients that some of their protected health information was stolen by an unauthorized individual who subsequently posted the information on a file sharing website.

Law enforcement contacted Tampa Bay Surgery Center on May 5, 2017, alerting the healthcare provider to the data dump. The file had been uploaded to the file sharing website the previous day. The file contained sensitive data that had been obtained from a database maintained by Tampa Bay Surgery Center. Data stolen and exposed online by the malicious third party included the full names of patients along with dates of birth, home addresses and Social Security numbers. A link to the file was also distributed on Twitter by the individual who claimed to have stolen the data.

Tampa Bay Surgery Center has notified the Department of Health and Human Services’ Office for Civil Rights of the breach. The breach report indicates 25,848 patients were affected by the incident. Those individuals are being offered identity theft protection services without charge, although patients have been informed that no evidence has been uncovered to suggest any of the stolen protected health information has been misused.

An investigation into the breach is ongoing and processes and procedures are being updated to ensure similar incidents do not occur in the future.

While the breach will come as news to many patients, the incident was reported in May by Databreaches.net, which has been following the activities of the individual/group responsible for the attack – The Dark Overlord (TDO). TDO has conducted numerous attacks on healthcare organizations over the past few months.

TDO steals data, threatens to publish the information online and advises organizations that they can stop the data dump by paying a ransom. If the ransom is paid, TDO claims data will not be released online. As has happened on numerous occasions already, if the ransom demand is not paid or the request is ignored, data are published. TDO was behind attacks on OC Gastrocare, Aesthetic Dentistry, Dougherty Laser Vision, Peachtree Orthopedics, Midwest Orthopedic Pain & Spine, Athens Orthopedic Clinic and many others, including an unnamed third-party health insurer from which 9.3 million records were stolen.

According to Databreaches.net, the data dump appeared to include 142,000 records. The tweet sent by TDO, from an account that has subsequently been suspended, was “Into the hundred thousand range we go. However, this clinic didn’t do anything wrong except annoy us.” The file has since been taken down and is no longer accessible online.


White Blossom Care Center Notifies Residents of Improper PHI Access

White Blossom Care Center in San Jose, CA has started notifying approximately 800 of its residents that some of their protected health information has been inappropriately accessed and acquired by a former employee.

The care center was recently alerted to the potential data security incident and launched an investigation to determine whether a data breach had occurred. A third party technical security expert was brought in to assist with the investigation.

The investigation confirmed that data had been obtained by the former employee, although it was not possible to tell when data were accessed and acquired.

The types of information accessed and acquired by the former employee include residents’ full names, along with insurance provider names and account numbers, dates of birth, Social Security numbers and medical information such as diagnoses, procedures performed and details of medications. White Blossom Care Center believes only a limited number of the acquired files contain the above information. Based on the information available, the care center believes that credit card/debit card information or other financial data were not accessed or acquired.

The incident has been reported to law enforcement and the care center is continuing to assist in the law enforcement investigation. Appropriate state and federal agencies have also been notified of the incident.

No evidence has been uncovered to suggest any of the information obtained by the former employee has been used inappropriately, but out of an abundance of caution, all affected residents have been offered identity theft protection services for a period of 12 months without charge.

The care center has advised all residents that safeguards had been introduced prior to this incident to prevent unauthorized access and keep personal information secure. However, the incident has prompted the care center to review its safeguards and improvements will be made as appropriate. Employee computer user accounts and passwords have also been reconfigured to further restrict access to sensitive information.


Cleveland Medical Associates Attacked with Ransomware

Another healthcare organization has experienced a ransomware attack in which the protected health information of patients was potentially accessed. Ransomware is typically installed for the purpose of extortion rather than the theft of data; however, even if data theft is not suspected, ransomware attacks are reportable security incidents under HIPAA Rules and patients must be notified per the HIPAA Breach Notification Rule.

Cleveland Medical Associates does not believe any data were stolen in its attack and no evidence has been uncovered to suggest that the PHI of patients was compromised. However, since it is not possible to rule out the possibility of PHI having been accessed with a high degree of certainty, the incident has been reported to the HHS’ Office for Civil Rights and patients are being notified of the cyberattack.

The ransomware attack was discovered on April 21, 2017, with the ransomware believed to have been installed the previous evening. The ransomware was installed on a server that contained the protected health information of 22,000 patients. Medical services were not disrupted as a result of the attack.

A third-party cybersecurity firm was contracted to conduct a forensic investigation of the attack to determine which data were potentially compromised and the extent of the infection. That investigation revealed the server contained names, addresses, contact telephone numbers, Social Security numbers, insurance billing information, email addresses, medical records and other clinical information.

The incident was reported to the FBI and appropriate state and federal agencies have been notified. While data theft is not suspected, as a precautionary measure Cleveland Medical Associates is offering all patients 12 months of complimentary credit monitoring services through Equifax, which include an identity theft insurance policy.

The incident has prompted the healthcare provider to conduct a full review of its security procedures and a new medical record system is now being implemented.


Family Tree Health Clinic Announces Ransomware Attack

The Family Tree Health Clinic in League City, Texas is alerting 13,402 patients that their protected health information was potentially viewed by unauthorized individuals. The attackers gained access to the IT systems of the clinic and downloaded ransomware.

The clinic reports that this was a ‘sophisticated ransomware-encryption’ attack that was quickly remediated. The attack occurred on April 24, 2017 preventing the clinic from accessing its systems. The clinic was prepared for ransomware attacks and had a backup of patients’ protected health information. All encrypted data was restored from those backups and no ransom payment was made.

The clinic has received no reports that any PHI has been misused, although data were potentially accessed by the individuals behind the attack. The types of data that could have been viewed included the patients’ names, addresses, dates of birth, Social Security numbers, medical information including claims and diagnosis codes, and health insurance information. Financial information, including credit/debit card numbers, was not stored in the system and remained secured.

After PHI had been restored and the ransomware infection removed, Family Tree Health corrected the security vulnerability that allowed the attackers to gain access to its system. Steps have also been taken to prevent future ransomware attacks from occurring.

The incident was reported to the FBI and the Department of Health and Human Services’ Office for Civil Rights has now been notified of the potential data breach.

Breach notification letters were sent to all affected patients on June 19. No credit monitoring services have been offered, although patients have been provided with further information on how they can secure their accounts and monitor for fraudulent use of their information.

A spokesperson for the clinic said, “Privacy and protection of patient information is a top priority for us, and we deeply regret any inconvenience or concern this incident may cause.”


Experian Health Accidentally Sends PHI to Incorrect Individuals

Experian Health has discovered the protected health information of some patients has been accidentally disclosed to incorrect individuals due to a technical error that occurred during a server migration.

The disclosed data included names, addresses, genders, dates of birth, Medicare ID/HIC numbers, member ID numbers, insurance/payer company names, group numbers/group policy numbers and Medicaid case numbers. The data were shared with incorrect HIPAA covered entities. No information was sent to or otherwise shared with members of the public.

Experian Health took immediate action to address what it refers to as ‘an isolated error’ and reports that the mistake has been corrected. The error affected two platforms used by Experian Health, with data disclosed between February 13 and March 13, 2017.

The information disclosed could only have been accessed or saved by HIPAA-covered entities, who are bound by HIPAA Rules. Therefore, the risk of protected health information being misused is likely to be low.

Experian Health notified affected healthcare institutions of the error on April 28, 2017. One of those entities was Southern Illinois Healthcare (SIH), which was told that 600 of its patients were impacted. Experian Health is a business associate of SIH and performs insurance eligibility verification during patient registration. Experian Health also works with other healthcare organizations.

At present, it is unclear exactly how many patients have been impacted in total since the incident has yet to appear on the Department of Health and Human Services’ Office for Civil Rights breach portal. It is possible that breach notices will be submitted separately by all of the covered entities impacted by the incident.

SIH has made the decision to offer credit monitoring and credit repair services to all affected individuals as a precautionary measure. Those services, which are being provided through AllClear ID, are available for 24 months without charge.


Aetna Error Sees PHI of 5,000 Individuals Exposed Online

Hartford, CT-based health insurer Aetna has discovered the protected health information of more than 5,000 plan members has been exposed online and was accessible through search engines.

Aetna started investigating a security issue affecting two computer services on April 27, 2017. Those services were intended to show documents containing PHI to plan members and other authorized individuals, although it was discovered that the documents had been indexed by search engines and could be viewed by unauthorized individuals.

By May 10, the investigation had uncovered evidence confirming that a data breach had occurred, and the investigation concluded on June 9. While the investigation into the security issues was launched in April, Aetna first became aware of exposed PHI on February 1, according to the San Antonio Express-News. It is unclear why it took almost three months for an investigation to be launched.

Aetna says Social Security numbers, financial information and credit/debit card information were not exposed. The PHI in the documents only included names, identification numbers, member numbers, provider information and claim payment amounts. Some individuals also had dates of service, procedure codes and service codes exposed.

1,708 Ohio and 522 Texas residents are known to have been affected by the breach. In total, the PHI of 5,002 individuals was exposed online, according to the breach report submitted to the Department of Health and Human Services’ Office for Civil Rights.

Aetna has not uncovered evidence to suggest any information has been misused as a result of its exposure online. Action has already been taken to deindex the documents to prevent them from being displayed in search engine results and for cached data to be removed from search engines. Steps have also been taken to prevent the documents from being re-indexed by search engines.

Affected individuals and plan sponsors are now being notified of the data breach by mail.


Airway Oxygen Inc. Ransomware Attack Impacts up to 500,000 Individuals

A ransomware attack on the Wyoming, MI-based medical supply company Airway Oxygen Inc. in April 2017 has potentially resulted in the protected health information of 500,000 individuals being accessed by the attackers.

No evidence of data access or theft was uncovered by Airway Oxygen, although it was not possible to rule out the possibility that information was compromised in the attack.

The attackers gained access to the company’s technical infrastructure on April 18, 2017 and installed ransomware. The part of the network affected was discovered to contain protected health information including names, addresses, birth dates, contact telephone numbers, medical diagnoses, health insurance policy numbers and details of the services the company provided to patients. Financial information and Social Security numbers were not exposed.

Upon discovery of the cyberattack, immediate action was taken to prevent further network intrusions and a scan of the entire system was performed to search for any additional malware. Passwords for users, vendors and applications were changed as a precaution. Airway Oxygen has reported the incident to the FBI and has brought in a third-party cybersecurity company to conduct a full investigation to determine how the ransomware was installed and the impact of the breach.

The incident has prompted Airway Oxygen to update its security tools and deploy new security protections to prevent future attacks. A firewall review has been scheduled and a new system has been installed to monitor suspicious firewall activity. That system will issue alerts if suspicious firewall activity is detected. The firm will also continue to review its security protections to reduce the risk of future incidents occurring.

Affected individuals were notified of the breach this month and provided with information on the steps they can take to secure their accounts and prevent fraud. While the attackers are not believed to have viewed PHI, affected individuals have been advised to monitor all their healthcare and financial accounts for suspicious activity.

Airway Oxygen Inc. has not released details about the type of ransomware involved, the ransom amount demanded by the attackers or whether the ransom was paid.

Last year, the HHS’ Office for Civil Rights issued guidance for covered entities on ransomware attacks, explaining that a ransomware attack that results in the encryption of data is a reportable security incident unless the covered entity had encrypted PHI prior to the ransomware attack occurring or it can be demonstrated, by means of a risk assessment, that there is a low risk of PHI having been accessed, used, disclosed or modified. Following the WannaCry ransomware attacks last month, OCR reconfirmed that ransomware attacks are usually reportable incidents.


World’s Largest Data Breach Settlement Agreed by Anthem

The largest data breach settlement in history has recently been agreed by the health insurer Anthem Inc. In 2015, Anthem experienced the largest healthcare data breach ever reported, with the cyberattack resulting in the theft of 78.8 million records of current and former health plan members. The breach involved names, addresses, Social Security numbers, email addresses, birthdates and employment/income information.

A breach on that scale naturally resulted in many class-action lawsuits, with more than 100 lawsuits consolidated by a Judicial Panel on Multidistrict Litigation. Now, two years on, Anthem has agreed to settle the litigation for $115 million. If approved, that makes this the largest data breach settlement ever, substantially higher than the $18.5 million settlement agreed by Target after its 41 million-record breach and the $19.5 million paid to consumers by Home Depot after its 50 million-record breach in 2014.

After experiencing the data breach, Anthem offered two years of complimentary credit monitoring services to affected plan members. The settlement will, in part, be used to pay for a further two years of credit monitoring services. Alternatively, individuals who have already enrolled in the credit monitoring services previously offered may be permitted to receive a cash payment of $36 in lieu of the additional two years of cover or up to $50 if funds are still available. The settlement also includes a $15 million fund to cover out-of-pocket expenses incurred by plaintiffs, which will be decided on a case-by-case basis for as long as there are funds available.

Anthem has also agreed to set aside ‘a certain level of funding’ to make improvements to its cybersecurity defenses and systems, including the use of encryption to secure data at rest. Anthem will also be making changes to how it archives sensitive data and will be implementing stricter access controls. While the settlement has been agreed, Anthem has not admitted any wrongdoing.

Anthem Spokesperson Jill Becher explained that while data were stolen in the attack, Anthem has not uncovered evidence to suggest any of the information stolen in the cyberattack was used to commit fraud or was sold on. Becher also said, “We are pleased to be putting this litigation behind us, and to be providing additional substantial benefits to individuals whose data was or may have been involved in the cyberattack and who will now be members of the settlement class.”

While the decision to settle has been made, the settlement must now be approved by the U.S. District judge in California presiding over the case. District Judge Lucy Koh will hear the case on August 17, 2017.
