HIPAA Breach News

4,271 UC Health Patients Notified of Insider Data Breach

Cincinnati’s UC Health has discovered a former employee of its Daniel Drake Center for Post-Acute Care had been accessing the medical records of its patients without authorization for almost two years.

The first recorded instance of inappropriate access occurred on July 29, 2015, with periodic access continuing until June 2, 2017. During that time, the medical records of 4,271 patients had been accessed without authorization or any legitimate work reason for doing so.

The types of information accessed by the individual included patients’ names, medical record numbers, birth dates, lab test results, diagnoses, treatment information and other clinical data. However, financial information and Social Security numbers were stored separately and were not accessed.

Due to the range of data that was accessed, patients have been offered credit monitoring and identity theft protection services through Experian for a period of one year without charge. Patients affected by the privacy breach were notified by mail on August 1.

UC Health reports that the employee was terminated as soon as it was confirmed that medical records had been inappropriately viewed. Action has also been taken to prevent future insider breaches from occurring, including the implementation of additional access controls and the provision of further training to staff members on hospital policies covering medical record access and patient confidentiality.

UC Health will also now be monitoring employee ePHI access more proactively to ensure any future privacy breaches are identified quickly.

As the Protenus Mid-Year Breach Barometer report shows, insiders cause more healthcare data breaches than cyberattacks by hackers. In the first six months of 2017, 41% of healthcare breaches were caused by insiders, resulting in the privacy of 1.17 million patients being violated.

Detecting insider breaches promptly can greatly reduce the number of patients whose privacy is violated and the harm caused to those individuals.

Software solutions capable of detecting improper access can be expensive to implement, although they are an effective deterrent that can prevent many breaches. Detecting privacy violations promptly also reduces the cost of breach mitigation.

Healthcare organizations are required by the HIPAA Security Rule to regularly review records of information system activity, including ePHI access logs, for improper access. HIPAA does not state how often those reviews must be completed, but healthcare organizations should consider reviewing access logs at least twice a year, and should not wait for a privacy incident to occur before updating their policies.
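
The kind of periodic access-log review described above, as an added example that is not UC Health's tooling or code from the original article. The log format, the care-team table and the two rules (flag a disclosing access with no documented treatment relationship; escalate users who accumulate several of them) are assumptions, and the log lines are constructed. Real EHR audit trails carry more fields, but the review logic is the same.

```python
"""Periodic review of EHR audit logs for access without a legitimate work reason.

Added example, not UC Health's tooling. The log format, the care-team table
and the rules are assumptions; the audit log below is constructed.
"""
from collections import defaultdict
from datetime import datetime

# Constructed audit log (not real data).
# Fields: timestamp | user id | user's unit | action | patient MRN | patient's unit
AUDIT_LOG = """\
2015-07-29T08:12:04|u1042|DRAKE-REHAB|VIEW|MRN0001|DRAKE-REHAB
2015-07-29T08:15:51|u1042|DRAKE-REHAB|VIEW|MRN0002|DRAKE-REHAB
2015-08-14T22:40:17|u1042|DRAKE-REHAB|VIEW|MRN0307|MAIN-ONCOLOGY
2015-09-02T23:05:33|u1042|DRAKE-REHAB|VIEW|MRN0308|MAIN-CARDIO
2015-09-02T23:06:10|u1042|DRAKE-REHAB|VIEW|MRN0309|MAIN-CARDIO
2016-01-11T09:00:00|u2210|MAIN-CARDIO|VIEW|MRN0308|MAIN-CARDIO
2016-01-11T09:20:00|u2210|MAIN-CARDIO|UPDATE|MRN0308|MAIN-CARDIO
2016-03-03T12:45:00|u2210|MAIN-CARDIO|VIEW|MRN0002|DRAKE-REHAB
2017-06-02T07:58:41|u1042|DRAKE-REHAB|VIEW|MRN0310|MAIN-ONCOLOGY
"""

# Constructed treatment relationships, taken from scheduling/orders data
# rather than from the audit log itself: (user id, MRN) pairs.
CARE_TEAM = {("u1042", "MRN0001"), ("u1042", "MRN0002"), ("u2210", "MRN0308")}

# Actions that disclose record content; logins and searches are reviewed elsewhere.
DISCLOSING_ACTIONS = {"VIEW", "PRINT", "EXPORT"}


def parse_log(text):
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, user_unit, action, mrn, patient_unit = line.split("|")
        rows.append({"ts": datetime.fromisoformat(ts), "user": user,
                     "user_unit": user_unit, "action": action,
                     "mrn": mrn, "patient_unit": patient_unit})
    return rows


def has_work_reason(row, care_team):
    """Presume an access is legitimate if the user is on the patient's care
    team or the patient is being treated on the user's own unit."""
    return (row["user"], row["mrn"]) in care_team or row["user_unit"] == row["patient_unit"]


def review(rows, care_team, repeat_threshold=3):
    """Return (unexplained accesses, summary per repeat offender).

    repeat_threshold is an assumed policy value: users with that many
    unexplained accesses in the review window are escalated to investigation
    instead of merely being asked for a justification."""
    unexplained = [r for r in rows
                   if r["action"] in DISCLOSING_ACTIONS and not has_work_reason(r, care_team)]
    by_user = defaultdict(list)
    for r in unexplained:
        by_user[r["user"]].append(r)
    offenders = {}
    for user, hits in by_user.items():
        if len(hits) < repeat_threshold:
            continue
        first = min(h["ts"] for h in hits)
        last = max(h["ts"] for h in hits)
        offenders[user] = {
            "accesses": len(hits),
            "patients": len({h["mrn"] for h in hits}),
            "first": first.date().isoformat(),
            "last": last.date().isoformat(),
            # calendar days between first and last unexplained access: how long
            # the behaviour went unnoticed, which a monthly review would shorten
            "days_undetected": (last.date() - first.date()).days,
        }
    return unexplained, offenders


if __name__ == "__main__":
    unexplained, offenders = review(parse_log(AUDIT_LOG), CARE_TEAM)
    for r in unexplained:
        print(f"{r['ts']:%Y-%m-%d} {r['user']} viewed {r['mrn']} "
              f"({r['patient_unit']}) without a documented reason")
    for user, s in offenders.items():
        print(f"ESCALATE {user}: {s['accesses']} accesses to {s['patients']} patients "
              f"between {s['first']} and {s['last']} ({s['days_undetected']} days)")
```

Run over the constructed log, the review flags five accesses and escalates one user whose unexplained accesses span 658 days, which is the point of running the review monthly rather than waiting for a complaint: the same rules applied to a 30-day window would have produced a finding after the first out-of-unit access.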

The post 4,271 UC Health Patients Notified of Insider Data Breach appeared first on HIPAA Journal.

Northwest Rheumatology Discovers PHI Potentially Accessed During Ransomware Attack

Northwest Rheumatology of Tucson, Arizona has announced that some of its computer systems were taken out of action following a ransomware infection on April 10, 2017.

Following any ransomware attack, HIPAA-covered entities must conduct an investigation to determine the extent of the attack and whether patients’ protected health information has been compromised. Patients do not need to be notified, and a report does not need to be sent to the Office for Civil Rights, only if the covered entity can demonstrate a low probability that PHI has been compromised: for instance, that PHI was not accessed, viewed or stolen, or, in the case of ransomware, that ePHI was not encrypted.

When the attack was discovered, Northwest Rheumatology called on its computer security vendor to complete a full investigation into the attack to determine the extent to which data had been encrypted and if any PHI had been compromised.

Northwest Rheumatology was informed by its vendor that the ransomware attack was limited and no protected health information had been encrypted, accessed or copied. Consequently, patient notifications and an OCR breach report were not issued.

However, on June 18, 2017, the healthcare provider uncovered evidence suggesting its systems had been compromised. Northwest Rheumatology hired an independent computer forensics firm to investigate, and on July 6 the firm confirmed that system access had been gained and that ePHI could potentially have been accessed.

Northwest Rheumatology reports no evidence was uncovered to suggest unauthorized individuals gained access to ePHI or that ePHI was stolen, but the possibility could not be ruled out.

Patients whose protected health information was exposed have now been notified of the security incident by mail and have been offered credit monitoring and identity theft restoration services for 12 months without charge.

The incident has now been reported to the Office for Civil Rights, although it has yet to appear on the OCR breach portal, so it is currently unclear how many patients have been impacted.

This is one of three recent incidents in which a ransomware attack was initially thought to have resulted only in file encryption, with a later investigation finding that the attackers had also gained access to systems. An investigation into a ransomware attack on Women’s Health Care Group of Pennsylvania revealed that its systems had been accessed four months earlier. An investigation into a ransomware attack on Peachtree Neurological Clinic revealed its systems had been compromised for 15 months.

The post Northwest Rheumatology Discovers PHI Potentially Accessed During Ransomware Attack appeared first on HIPAA Journal.

Phishing Email Response Compromises PHI of 2,800 Patients

A response to a phishing email has resulted in the PHI of 2,789 Kaleida Health patients being made accessible to cybercriminals.

Kaleida Health discovered the attack on May 24, 2017, prompting a full investigation which involved hiring a third-party computer forensic firm. An analysis of its systems showed that by responding to the phishing email, the employee had provided access to his/her email account.

While access to Kaleida Health’s EHR was not gained, the email account contained a range of protected health information of a small subset of its patients. The types of data in the account varied for each patient, but may have included names, dates of birth, medical record numbers, diagnoses, treatment and other clinical data. However, no financial information or Social Security numbers were exposed at any time.

While access to the email account was possible, no evidence was uncovered to suggest that the emails were accessed or any protected health information was viewed or copied. However, since the possibility of data access could not be ruled out with a high degree of certainty, all affected patients have been notified of the incident by mail.

Phishing has grown to be one of the most serious threats to healthcare organizations. As we have already seen this year, record numbers of successful W-2 phishing attacks have been reported and many healthcare employees have fallen for these phishing scams.

Providing security awareness training to employees can help to reduce risk, although a single training session every year is no longer sufficient. Training must be an ongoing process. As OCR suggested in its July Cybersecurity Newsletter, biannual training sessions should be provided along with monthly security bulletins that highlight the latest security threats.

Classroom-based training may not be the most effective way of raising awareness and developing a security culture in an organization. If computer-based training is provided and employees’ knowledge is tested with phishing simulation exercises, any phishing failures can be turned into training opportunities. These simulations also help to improve knowledge retention.

There are many solution providers that offer training programs and phishing simulation software, including PhishMe, KnowBe4, Wombat Security, PhishLabs, Agari, IronScales and PhishLine.

It may not be possible to reduce risk to zero, but several of those providers have been able to demonstrate that phishing simulation exercises along with employee awareness training can reduce susceptibility to phishing attacks by up to 95%.

The post Phishing Email Response Compromises PHI of 2,800 Patients appeared first on HIPAA Journal.

Protenus Provides Insight into 2017 Healthcare Data Breach Trends

Protenus, in conjunction with Databreaches.net, has produced its Breach Barometer mid-year review. The report covers all healthcare data breaches reported over the past 6 months and provides valuable insights into 2017 data breach trends.

The Breach Barometer is a comprehensive review of healthcare data breaches, covering not only the data breaches reported through the Department of Health and Human Services’ Office for Civil Rights’ breach reporting tool, but also media reports of incidents and public findings. Prior to inclusion in the report, all breaches are independently confirmed by databreaches.net. The Breach Barometer reports delve into the main causes of data breaches reported by healthcare providers, health plans and their business associates.

In a webinar on Wednesday, Protenus Co-Founder and president Robert Lord and Dissent of databreaches.net discussed the findings of the mid-year review.

Lord explained that between January and June 2017 there have been 233 reported data breaches. Those breaches have impacted 3,159,236 patients. The largest reported breach in the first half of the year resulted in the theft of 697,800 records and was caused by a rogue insider – one of 96 incidents involving insiders.

Out of those 96 incidents, 57 were due to insider error (423,000 records) and 36 to insider wrongdoing (743,665 records). The remaining three breaches could not be classified.

Insider incidents are likely to be far more common than the figures in the Breach Barometer report suggest. Dissent explained that many incidents are not disclosed publicly or reported to HHS. Misconfigured MongoDB databases are one of the best examples: many organizations have not reported that protected health information was exposed online, even though security researchers found the data could be accessed over the Internet without authentication. When these incidents are reported, they are often reported to HHS as hacking incidents, even though the root cause is human error.
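
The misconfiguration behind those exposed MongoDB databases is a network listener with access control never switched on. The checker below is an added example, not from the Breach Barometer report or from MongoDB's own tooling: it reads a mongod.conf, flags a bind address that is reachable from the network while `security.authorization` is not enabled, and shows the weak configuration beside a corrected one. The two configs are constructed, and the parser handles only the indentation-based key/value subset of YAML that mongod.conf uses (an assumption; use PyYAML for real files). A config review does not replace confirming from outside the host that port 27017 is not reachable.

```python
"""Flag a mongod.conf that exposes the database on the network without
authentication, the misconfiguration behind many unreported PHI exposures.

Added example, not from the report or from MongoDB. The YAML parser covers
only nested 'key: value' mappings (no lists, anchors or quoting), and the
two configurations are constructed.
"""

WEAK_CONF = """\
# constructed: binds every interface; no security section at all
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
"""

HARDENED_CONF = """\
# constructed: loopback plus one internal interface, TLS and auth required
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.5.12
  ssl:
    mode: requireSSL        # net.tls / requireTLS on MongoDB 4.2 and later
security:
  authorization: enabled    # every client must authenticate
"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}
WILDCARD = {"0.0.0.0", "::"}


def parse_simple_yaml(text):
    """Parse nested 'key: value' mappings by indentation (mongod.conf subset)."""
    root = {}
    stack = [(-1, root)]  # (indent level, mapping being filled)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while indent <= stack[-1][0]:  # close mappings that are indented deeper
            stack.pop()
        parent = stack[-1][1]
        if value.strip():
            parent[key] = value.strip()
        else:
            child = {}
            parent[key] = child
            stack.append((indent, child))
    return root


def audit_mongod_conf(text):
    """Return a list of findings; an empty list means none of the checks fired."""
    cfg = parse_simple_yaml(text)
    net = cfg.get("net", {})
    # mongod 3.6+ defaults to localhost only; earlier versions defaulted to
    # all interfaces unless bindIp was set explicitly.
    addrs = [a.strip() for a in net.get("bindIp", "127.0.0.1").split(",")]
    bind_all = bool(WILDCARD & set(addrs)) or net.get("bindIpAll") == "true"
    networked = bind_all or any(a not in LOOPBACK for a in addrs)
    auth_on = cfg.get("security", {}).get("authorization") == "enabled"
    tls_required = (net.get("tls", {}).get("mode") == "requireTLS"
                    or net.get("ssl", {}).get("mode") == "requireSSL")
    findings = []
    if bind_all:
        findings.append("net.bindIp listens on all interfaces")
    if networked and not auth_on:
        findings.append("reachable from the network with security.authorization "
                        "not enabled: anyone who can connect can read every database")
    if networked and not tls_required:
        findings.append("network listener without requireSSL/requireTLS")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_mongod_conf(conf) or ["no findings"])
```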

The first six months of the year saw 75 hacking incidents and 29 ransomware incidents reported. As was explained, ransomware incidents are similarly underreported, even though OCR has made it clear that ransomware attacks are reportable breaches. The true figure is likely to be far worse.

The breakdown for the year was 41% of incidents caused by insiders, 32% due to hacking, 18% due to loss/theft of records and devices and the cause of 9% of the breaches is still unknown.

Hacking may be the second biggest cause of breaches, but hacking has resulted in the exposure/theft of the most records. 1,684,904 records were exposed/stolen as a result of hacking, 1,166,674 records were exposed/stolen by insiders, 112,302 records exposed due to theft/loss and 178,420 records exposed in incidents with unknown causes.

To put the figures into perspective, between January and December 2016 there were 450 incidents reported. Data breaches have been occurring at a similar rate to last year. While the number of reported incidents has remained fairly constant, there has been an increase in the severity of those breaches with this year likely to see far more individuals impacted by breaches than last year.

Last year, approximately 2 million patients were affected by insider incidents. This year, 1.17 million individuals have already been impacted by insider incidents. Hacking incidents are also up. Last year there were 120 confirmed hacking incidents for the entire year. This year there have already been 75 reported incidents.

In June, 52 healthcare data breaches were reported, the highest total for any month of the year to date by some distance. The second biggest monthly breach total was 39 incidents. June also saw the third highest number of individuals impacted by the breaches, with 729,930 records confirmed as exposed or stolen.

Robert Lord explained that the time from the initial breach date to discovery is particularly bad in the healthcare industry. The mean time to discover a breach was 325.6 days, with a median of 53 days. Healthcare organizations are not discovering breaches quickly enough. Fast detection can greatly reduce the harm caused to patients, and as the Ponemon Institute has shown, also the cost of mitigation.

There is some good news, however. The time taken to report breaches to OCR has improved over the past 6 months. The mean time to report a breach is 54.5 days and the median 57 days. The HIPAA Breach Notification Rule requires affected individuals to be notified, and breaches affecting 500 or more individuals to be reported to OCR, no later than 60 days after discovery; smaller breaches can be reported to OCR annually. In June, both the mean and the median were within the 60-day limit.

So, what does the rest of 2017 have in store? Dissent explained that 2017 has been a “no good, horrible, very bad year.” Unfortunately, there is no indication that the rest of the year will be any better. The next six months are likely to be just as bad, and 2017 may surpass last year for both the number of breaches and the number of patients impacted by those incidents.

While other industry sectors have hacking/malware as the main breach cause, insider incidents are the biggest problem for the healthcare industry. Healthcare organizations need to take steps to prevent these breaches. As Robert Lord explained, technologies can be deployed to help prevent insider incidents and detect them promptly when they occur.

One of the most important take home messages from the report is that people’s lives are seriously affected by healthcare data breaches. More must be done to prevent breaches and ensure they are detected promptly. Fast detection and notification allows patients and health plan members to take action to reduce the harm caused.

The post Protenus Provides Insight into 2017 Healthcare Data Breach Trends appeared first on HIPAA Journal.

Beazley Insights: 133% Increase in Healthcare Ransomware Demands

Beazley has released its half-yearly Insights report detailing the causes of data breaches experienced by its clients between January and June 2017.

Across the four industries covered by the report, hacks and malware, including ransomware, caused the highest percentage of breaches: 32% of the 1,330 incidents that the firm helped mitigate in the first half of 2017.

In the professional services industry, hacks/malware incidents accounted for 44% of the 1H total, in higher education 43% and in financial services 37%. Only healthcare bucked the trend, with hacks/malware accounting for 18% of the total, the second biggest cause of incidents affecting the industry.

The report shows that the first six months of the year saw a 50% increase in ransomware attacks across all industries, with the healthcare sector experiencing the highest increase in ransomware demands, jumping 133% in those six months.

While malware/ransomware attacks may top the list of breach causes, they are closely followed by accidental breaches caused by employees or third-party suppliers, which accounted for 30% of the total. However, for the healthcare industry, accidental data breaches were the leading cause of data security incidents, accounting for 42% of all healthcare industry breaches.

These accidental disclosures of PHI include a wide range of errors such as misdirected faxes and emails and the improper release of discharge papers. Beazley reports that the percentage of these incidents has not changed year over year.

The report authors point out that “This continuing high level of accidental data breaches suggests that organizations are still failing to put in place the robust measures needed to safeguard client data and confidentiality.”

The second biggest cause of healthcare data breaches was malware/ransomware incidents, one percentage point higher than in last year’s report. Insider theft was in third place, causing 14% of incidents, followed by the physical loss of records (8%) and portable device incidents (6%). Social engineering attacks accounted for 3% of the total, with payment fraud on 1%. The remaining 8% of incidents were attributed to unknown/other causes.

The post Beazley Insights: 133% Increase in Healthcare Ransomware Demands appeared first on HIPAA Journal.

CareFirst Can Be Sued for Breach, Rules Court of Appeals

The D.C. Circuit Court of Appeals has ruled that CareFirst can be sued for a 2014 data breach that saw the PHI of more than 1 million members exposed and potentially stolen.

Following the announcement of the data breach, a lawsuit was filed by seven plaintiffs to recover damages, although in August last year the case was dismissed by a district court judge for lack of standing.

The plaintiffs alleged that the breach had occurred as a result of the carelessness of CareFirst, and as a direct result of that carelessness, they faced an increased risk of suffering identity theft and fraud.

The district court judge dismissed the case as the plaintiffs failed to establish harm, or a significant threat of future harm. The judge explained that “merely having one’s personal information stolen in a data breach is insufficient to establish standing to sue the entity from whom the information was taken.”

However, the three-judge panel overturned the ruling, calling the district court’s reading of the law ‘unduly narrow’ and explaining that all the plaintiffs were required to establish at that stage was that their allegations were plausible and that there was potential for future harm as a result of the breach.

The district court ruling was based on the fact that the plaintiffs had failed to establish how it would be possible for their identities to be stolen by the hackers if their Social Security numbers and/or credit card numbers were not stolen in the attack. CareFirst maintained that Social Security numbers and financial information were not compromised and were stored in a part of the network that was not compromised.

Court of Appeals Judge Thomas Griffith explained that the conclusion drawn by the district court “rested on an incorrect premise: that the complaint did not allege the theft of Social Security or credit card numbers in the data breach.” However, while that was the opinion of CareFirst, it was not the opinion of the plaintiffs, who did include Social Security numbers and financial information in their description of the information that was stolen in the CareFirst cyberattack. That does not mean that those data elements were stolen, only that the plaintiffs alleged that Social Security numbers and financial data had been compromised.

The plaintiffs also alleged separately that the types of information which CareFirst said were compromised – email addresses, names, birth dates and CareFirst account numbers – may not be of use to an identity thief on their own, but did create “a material risk of identity theft.” The appeals court believed the claim was plausible and that the theft of such information could open the door to medical identity theft.

While medical identity theft would result in financial harm for the insurer, fraudulent claims against insurance policies could potentially cause harm to the plaintiffs. The fraudulent claims would go on their accounts and this could be held against the plaintiffs, disqualifying them from certain types of employment or preventing them from taking out life insurance. Social Security numbers would not be required for harm to be caused were that to be the case.

That is not the only lawsuit to be filed against CareFirst for the 2014 breach. In July last year, a case filed by two plaintiffs was similarly dismissed for lack of standing by a Maryland Court. The case was dismissed as the plaintiffs failed to demonstrate harm had been suffered. While it is possible to allege an injury based on future harm, the threatened injury must be impending to constitute an injury in fact. However, the judge ruled that “the injury is too speculative to be certainly impending.” While the decision was appealed, the case was voluntarily dropped by the plaintiffs.

The post CareFirst Can Be Sued for Breach, Rules Court of Appeals appeared first on HIPAA Journal.

Nuance Communications Decides Not to Report NotPetya Attack to OCR

As the Department of Health and Human Services’ Office for Civil Rights has previously explained in its ransomware guidance, if ePHI is encrypted, ransomware attacks are usually HIPAA breaches and are reportable incidents.

OCR states in its ransomware guidance that “Whether or not the presence of ransomware would be a breach under the HIPAA Rules is a fact-specific determination,” going on to explain that the definition of a breach in HIPAA is “the acquisition, access, use, or disclosure of PHI in a manner not permitted under the [HIPAA Privacy Rule] which compromises the security or privacy of the PHI.”

In OCR’s view, a ransomware attack that encrypts ePHI is presumed to be a HIPAA breach because the attackers have acquired the PHI, in the sense that unauthorized individuals have taken control of the data.

A breach report – and notifications to patients – are not required only if the covered entity can demonstrate “a low probability that the PHI has been compromised.” OCR suggests covered entities make that determination through a risk assessment that considers the nature of the PHI involved, the unauthorized person who used the PHI or to whom it was disclosed, whether the PHI was actually acquired or viewed, and the extent to which the risk has been mitigated.

However, what about the recent NotPetya ransomware attacks? Many organizations were attacked, including some healthcare organizations in the United States that are HIPAA covered entities. One of those organizations is Nuance Communications, a business associate of several healthcare providers.

Nuance Communications has previously announced it had been attacked with NotPetya, and severely. More than three weeks after the attack, only 75% of its clients had regained access to its systems. The disruption to business services has been considerable.

Since Nuance Communications holds PHI, the incident would appear to require a breach notice to be submitted to OCR and for affected individuals to be notified. However, the decision was taken not to report the incident or to send notification letters.

Interestingly, rather than simply not sending notices, Nuance Communications has published a notice that states it will not be sending notifications. In that notice, Nuance Communications explains the rationale behind the decision.

A ransomware incident may usually be a HIPAA breach, although Nuance Communications has explained that NotPetya was not ransomware. In the letter, Nuance said the malware “was not designed to give its perpetrators any capability to control data on affected systems. To date, we have seen no indication that the malware functioned differently in practice on affected Nuance systems.”

Nuance also pointed out that the malware was not developed to provide access to data on affected systems, to copy information, or to target the types of PHI that Nuance holds.

Nuance said, “Accordingly, based on facts presently known, while Nuance has determined that the incident constitutes a security incident for purposes of the HIPAA Security Rule, Nuance also has determined the incident does not constitute a breach of unsecured PHI for purposes of the Breach Notification Rule.”

Nuance explained that the notice and explanation were provided as a courtesy and to explain to its healthcare customers that a security incident had occurred, fulfilling its obligations under the business associate agreements the firm had signed. However, OCR will not be notified and individuals will not receive breach notification letters in the mail.

The post Nuance Communications Decides Not to Report NotPetya Attack to OCR appeared first on HIPAA Journal.

47% of Healthcare Organizations Have Experienced A HIPAA Data Breach in the Past 2 Years

The KPMG 2017 Cyber Healthcare & Life Sciences Survey shows there has been a 10 percentage point increase in reported HIPAA data breaches in the past two years.

The survey was conducted among 100 C-suite information security executives, including CIOs, CSOs, CISOs and CTOs, from healthcare providers and health plans generating more than $500 million in annual revenue.

47% of healthcare organizations have reported a HIPAA data breach in the past two years, whereas in 2015, when the survey was last conducted, 37% of healthcare organizations said they had experienced a security-related HIPAA breach in the past two years.

Preparedness for data breaches has improved over the past two years. When asked whether they were ready to deal with a HIPAA data breach, only 16% of organizations said they were completely ready in 2015. This year, 35% of healthcare providers and health plans said they were completely ready to deal with a breach if one occurred.

Ransomware has become a major threat since the survey was last conducted. 32% of all respondents said they had experienced a security breach in the past two years that involved ransomware. 41% of those respondents said they paid the ransom to unlock their data.

70% of organizations that experienced at least one security breach in the past 2 years said a malicious actor hacked their system as a result of an unaddressed vulnerability, 54% of respondents said they had experienced a single-system based malware incident and 36% said employees had responded to phishing emails resulting in a system compromise. 26% said they had experienced a breach of a third-party device or service, while 20% said they had experienced a breach as a result of an insider.

The probability of an organization experiencing a security breach has increased considerably in the past two years, yet fewer organizations now regard cybersecurity as a board matter. In 2015, 87% of organizations said cybersecurity was a board issue. This year, only 79% of respondents said they thought it was a C-level issue.

KPMG Healthcare Advisory Leader Dion Sheidy said, “There needs to be a higher degree of vigilance among boards and executive suites as attacks become much more sophisticated, especially as doctors need to share information to improve quality and as connected medical devices and wearables proliferate.”

Investment in cybersecurity protections has also decreased. In 2015, 88% of organizations said they had invested in information protection measures in the past 12 months. This year, only 66% said they had made such an investment.

When it comes to investment, organizations appear to be favoring technology rather than staff. Only 15% believe increases in staff numbers and higher quality staff are important for improving their security posture.

Only 41% of respondents said they were planning on investing in hiring or training staff, with 76% saying they were planning to invest more in technology. Budgets for training staff were low, with a quarter of respondents saying they were investing less than $1,000 per cybersecurity team member. 83% said improvements would be made to policies and data access controls and processes.

KPMG Cyber Security Group in Healthcare & Life Sciences Leader Michael Ebert said, “A solid cyber security program needs people, processes and technology and short-changing staff and the process structure needed to adequately govern, manage and monitor the technology is a faulty approach,” explaining that “Software can only protect you so far and staff is important when it comes time to respond to a data breach.”

When asked what they thought the main targeted asset was, only 30% believed it was patient data. Financial information was seen as the data most likely to be targeted (69%), followed by patient/clinical research (63%), competitive market analysis (49%) and the PII of employees (45%).

The biggest threats were seen to be state-sponsored actors (53%), individual hackers (49%) and hacktivists (47%).

The post 47% of Healthcare Organizations Have Experienced A HIPAA Data Breach in the Past 2 Years appeared first on HIPAA Journal.

10,000 Plastic Surgery Patients Informed of Ransomware-Related PHI Breach

10,200 patients of Plastic Surgery Associates of South Dakota are being notified that some of their protected health information was potentially compromised as a result of a ransomware attack in February this year.

Plastic Surgery Associates of South Dakota discovered ransomware had been installed on some of its systems on February 12, 2017. Rapid action was taken to remove the ransomware and third-party forensics experts were brought in to investigate and determine the extent of the breach and which, if any, patients had been impacted.

Fortunately, while data were encrypted, the majority of its patients were not impacted by the incident and did not have any of their data accessed or encrypted. However, the process of restoring data resulted in critical files being lost.

Those files contained evidence that could have been used to confirm that some patients had not been impacted by the incident. On April 24, Plastic Surgery Associates of South Dakota decided that without access to that evidence it was not possible to rule out PHI access for 10,200 of its patients with a high degree of certainty. Consequently, all of those individuals have now been notified that their PHI has potentially been compromised.

The system that the ransomware was installed on contained names, Social Security numbers, driver’s license numbers, state ID numbers, credit and debit card information, lab test results, medical diagnoses, birth dates, health insurance information and details of medical conditions.

While evidence was destroyed during data recovery, Plastic Surgery Associates of South Dakota has confirmed that no reports of misuse or attempted misuse of patients’ PHI have been received. Out of an abundance of caution, affected individuals have been offered complimentary membership of Equifax Credit Watch Silver credit monitoring and identity theft protection services for 12 months.

Plastic Surgery Associates of South Dakota has said it already employs stringent security controls to protect the privacy of patients and the confidentiality of their PHI, and that “the confidentiality, privacy, and security of our patient information is one of our highest priorities.” The incident has prompted the company to enhance security and additional security measures will be employed to prevent future incidents of this nature from occurring.

The post 10,000 Plastic Surgery Patients Informed of Ransomware-Related PHI Breach appeared first on HIPAA Journal.