HIPAA Breach News

2,859 Patients Impacted by Improper Disposal at St. Thomas Rutherford Hospital

This month, North Dakota Department of Human Services and Texas Health and Human Services have both reported that patients’ protected health information has been disposed of improperly. Today, another HIPAA-covered entity – Saint Thomas Rutherford Hospital in Murfreesboro, TN – has reported a similar incident.

Documents containing the protected health information of almost 3,000 patients were discovered to have been abandoned by the side of a remote, rural road in DeKalb County in April. The documents were discovered by a member of the public.

Upon being notified of the discarded reports, St. Thomas Rutherford Hospital immediately launched an investigation, but it is currently unclear how the documents came to be discarded or who was responsible.

The documents were patient census reports covering a sample of 2,859 patients and date from 2009 and 2010. Affected patients have now been notified of the privacy breach by mail, and the incident has been reported to all appropriate authorities.

The documents contained no medical records or Social Security numbers, only each patient’s name, admitting diagnosis, date of birth, physician’s name and account number. Due to the limited nature of the data in the documents, Saint Thomas Rutherford Hospital does not believe patients face any additional financial risk as a result of the breach.

Cynthia Figaro, Corporate Responsibility Officer and Corporate Privacy Officer of Saint Thomas Health issued a statement about the incident in which she confirmed, “Protecting the privacy of our patient’s information is always a top priority for us at Saint Thomas Health and Ascension,” and sincerely apologized to patients for the privacy violation.

The investigation confirmed that no further disclosures of patient information have occurred and a third-party firm has been contracted to ensure all storage files are appropriately secured until they can be permanently destroyed in accordance with Health Insurance Portability and Accountability Act Rules.

The post 2,859 Patients Impacted by Improper Disposal at St. Thomas Rutherford Hospital appeared first on HIPAA Journal.

Texas Health and Human Services Commission Reports Improper Disposal of 1,800 Patient Records

The Texas Health and Human Services Commission has discovered that a box of paper forms was improperly disposed of. The commission recently announced that the paperwork was found in a box next to a dumpster used by one of its eligibility offices in the E. 40th St. complex in Houston.

An investigation into the improper disposal has been launched and steps are being taken to prevent similar incidents from occurring in the future. Those steps will include a review of the processes and procedures for permanently destroying documents containing protected health information.

Texas Health and Human Services Commission is in the process of issuing breach notification letters to all affected individuals. The breach summary on the Department of Health and Human Services breach portal indicates 1,842 patients were impacted. Those individuals all reside in the Houston area.

The Texas Health and Human Services Commission says the forms contained protected health information such as names, dates of birth, client numbers, case numbers and telephone numbers, and potentially also mailing addresses, health information, bank account numbers and Social Security numbers.

All individuals impacted by the breach have been offered credit monitoring services for a period of 12 months without charge, although the commission pointed out that no evidence has been uncovered to suggest any of the forms have been accessed by unauthorized individuals.

This is the second data breach in the space of a year reported by the Texas Health and Human Services Commission. In June last year, the commission was informed by Iron Mountain that boxes had been removed from three of its storage facilities. The boxes contained forms relating to individuals who had applied for medical assistance, with the incident impacting 600 individuals.

Healthcare Data Breach Costs Fall to $380 Per Record

Healthcare data breach costs have fallen year-over-year according to the latest IBM Security/Ponemon Institute study. However, for the seventh straight year, healthcare data breach costs were higher than in any other industry sector.

This year, the Ponemon Institute calculated the average healthcare data breach costs to be $380 per record. The average global cost per record for all industries is now $141, with healthcare data breach costs more than 2.5 times the global average. Last year, average healthcare data breach costs were $402 per record. The average cost of a breach in the United States across all industries is $225 per record, up from $221 in 2016.

Data breach costs have risen substantially over the past seven years, although the latest report shows a 10% reduction in data breach costs across all industry sectors. This is the first year that data breach costs have declined. The average global cost of a data breach now stands at $3.62 million, down from $4 million last year.

The study was conducted globally, with 63 organizations in the United States surveyed. Those organizations were spread across 16 industry sectors. The Ponemon Institute surveyed each company after they experienced the loss or theft of sensitive information and had issued breach notifications to affected individuals. Sensitive data was classed as “An individual’s name plus Social Security number, medical record and/or a financial record or debit card.”

In the United States, the surveyed companies experienced data breaches that resulted in the exposure or theft of between 5,563 and 99,500 records, with an average of 28,512 records per breach.

The Ponemon Institute compared the total cost of a breach with the average cost over the past four years. In the United States, the total cost of a data breach rose from $7.01 million to $7.35 million. This was the highest total breach cost since IBM Security/Ponemon first started conducting the study.

Across all industry sectors, the cost of a data breach was highest for malicious or criminal attacks ($244 per record), followed by system glitches ($209 per record) and human error ($200 per record). The breakdown of the causes of the breaches was malicious or criminal attacks (52%), system glitches (24%) and human error (24%).

How do Healthcare Data Breach Costs Compare to Other Industries?

United States Data Breach Costs

Industry              Average Cost per Record (USD)
--------------------  -----------------------------
Healthcare            380
Financial Services    336
Services              274
Life Sciences         264
Industrial            259
Technology            251
Education             245
Transportation        240
Communications        239
Energy                228
Consumer              196
Retail                177
Hospitality           144
Entertainment         131
Research              123
Public Sector         110
--------------------  -----------------------------
Average Cost          225

The study showed the United States has higher breach costs than Europe, where the average cost of a data breach declined by 26% year-over-year. The Ponemon Institute attributed this, in part, to the centralized regulatory environment in Europe. In the United States, organizations have to comply with federal regulations as well as separate regulations in 48 of the 50 states. This makes the breach response labor intensive and extremely costly.

The report attributes the rise in breach costs in the United States to compliance failures and a rush to notify individuals, with the latter costing organizations 50% more than in Europe. The study revealed the cost of issuing breach notifications averaged $690,000 in the United States – twice the figure of any other country.

The study showed that when third parties were involved in a breach there was an increase in data breach costs, typically adding an extra $17 per record.

As in previous years, a rapid response to a data breach saw organizations limit the cost. When an incident response plan was in place prior to a breach, organizations were able to save an average of $19 per record. There was an average reduction in breach costs of $1 million when organizations were able to contain the breach within 30 days. However, on average, companies took more than six months to discover a breach and more than 66 days to contain it.

Other factors that led to a reduction in breach costs were the use of encryption, which saw a $16 reduction in costs per record, and employee education, which saw breach costs reduced by $12.50 per record.

Dr. Larry Ponemon, Chairman and Founder of the Ponemon Institute said, “Data breaches and the implications associated continue to be an unfortunate reality for today’s businesses,” explaining, “Year-over-year we see the tremendous cost burden that organizations face following a data breach.”

May’s Healthcare Data Breach Report Shows Some Incidents Took 3 Years to Discover

The May 2017 healthcare Breach Barometer Report from Protenus shows there was an increase in reported data breaches last month. May was the second worst month of the year to date for healthcare data breaches with 37 reported incidents, approaching the 39 data breaches reported in March. In April, there were 34 incidents reported.

So far, each month of 2017 has seen more than 30 data breaches reported – that’s one reported breach per day, as was the case in 2016.

In May, there were 255,108 exposed healthcare records representing a 10% increase in victims from the previous month; however, it is not yet known how many records were exposed in 8 of the breaches reported in May. The number of individuals affected could rise significantly.

The largest incident reported in May was the theft of data by TheDarkOverlord, a hacking group/hacker known for stealing data and demanding a ransom in exchange for not publishing the data. The latest incident saw the data dumped online when the organization refused to pay the ransom.

While April saw a majority of healthcare data breaches caused by hackers, in May it was insiders that caused the most data breaches. Insiders were responsible for 40.54% of data breaches (15 incidents) in May, with 10 the result of insider errors and 5 incidents the result of insider wrongdoing. In total, 39,491 healthcare records were exposed as the result of insiders.

Hacking was the second biggest cause of data breaches, accounting for 35.14% of the month’s reported breaches. As is typical, hacking resulted in the exposure of the most records – 203,394. At least three of those hacking incidents involved ransomware.

Compiling this month’s report proved problematic: several hacking incidents were discovered only after data were posted on black market websites, and it is unclear whether those incidents are genuine, as efforts to verify the data proved inconclusive.

Loss or theft of unencrypted devices and physical records accounted for 13.51% of breaches. Those incidents resulted in the exposure of 4,122 records, although it is unclear how many records were exposed in one of the 4 breaches involving theft/loss. The cause of the 10.81% of incidents is still unknown.

Healthcare providers reported 81% of the month’s breaches, followed by business associates (11%) and health plans (8%).

Over the past two months there has been an improvement in the reporting of healthcare data breaches, with more covered entities reporting incidents inside the 60-day limit of the HIPAA Breach Notification Rule. This month 83% of covered entities reported their breaches on time, an improvement from last month when just 66% of breaches were reported within 60 days. One covered entity took 77 days to report a breach while another took 140 days, more than twice the allowable time. The improvement could be due, in part, to OCR’s decision to fine a covered entity $475,000 for the late issuing of breach notifications to patients.

This month’s Breach Barometer report shows that while breach reporting is improving, breach detection remains a problem. April’s breaches took an average of 51 days to detect, whereas in May it took an average of 441 days for healthcare organizations to discover a breach had occurred. Three healthcare organizations took more than three years to discover a breach had occurred. One healthcare organization took almost three and a half years (1,260 days) to discover a breach, another took 1,125 days and one took 1,071 days.

California was once again the worst affected state with 6 breaches, closely followed by Florida with 5 incidents.

Torrance Memorial Medical Center Reports Email Account Compromise

The danger of phishing has been highlighted by an incident reported by Torrance Memorial Medical Center in Claysburg, PA. The medical center discovered the email accounts of two staff members had been accessed by an unauthorized individual.

The incident was detected rapidly, and third-party forensic investigators were brought in to investigate the breach. The investigation revealed the accounts were accessed on April 18 and April 19.

The investigation revealed the email accounts contained the protected health information of some patients, including names, addresses, dates of birth, Social Security numbers, insurance details and treatment and diagnostic information. The forensic investigation did not uncover evidence to suggest any patient information has been misused, although it was not possible to rule out the possibility that data were accessed by the attackers. Torrance Memorial Medical Center says the breach investigation is ongoing and the incident has been reported to the FBI.

Since there is a risk that PHI was accessed, all affected individuals have been offered one year of credit monitoring and identity theft restoration services without charge.

Torrance Memorial Medical Center is currently working on improving its security controls to prevent future incidents, including retraining staff on safeguarding protected health information and maintaining the privacy and security of its systems.

The data breach has now been reported to the Department of Health and Human Services’ Office for Civil Rights, although no information has been released to indicate how many patients were affected by the incident.

Phishing attacks pose a major threat to healthcare organizations. Employees are targeted as they are a weak point in security defenses; however, employees’ security awareness can be greatly improved with regular training and phishing simulations.

Research conducted by PhishMe suggests organizations can reduce susceptibility to phishing attacks by up to 95% by using phishing simulations in addition to training. Other anti-phishing platform providers have released similar figures, showing how effective training can be.

Delayed Breach Notification Sees CoPilot Fined $130,000 by NY AG

A data breach that occurred in October 2015 should have seen affected individuals notified within 2 months, yet it took CoPilot Provider Support Services Inc. until January 2017 to issue breach notifications.

An administration website maintained by CoPilot was accessed by an unauthorized individual on October 26, 2015. That individual also downloaded the data of 221,178 individuals. The stolen data included names, dates of birth, phone numbers, addresses, and medical insurance details.

The individual suspected of accessing the website and downloading data was a former employee. CoPilot contacted the FBI in February 2016 to receive help with the breach investigation and establish the identity of the unauthorized individual.

However, notifications were not sent by CoPilot until January 18, 2017. CoPilot says the delay was due to the time taken for the FBI to investigate the breach; however, since CoPilot was aware that reimbursement-related records had been stolen, notifications should have been sent sooner. Further, law enforcement did not instruct CoPilot to delay the issuing of breach notifications as doing so would not have impeded the investigation.

There is some debate as to whether CoPilot is a HIPAA covered entity. CoPilot has previously said it is not covered by HIPAA Rules, although a breach report was sent to the Department of Health and Human Services’ Office for Civil Rights. If CoPilot is a HIPAA covered entity, it would be necessary for breach notifications to be sent within 60 days of the discovery of the breach.

OCR is investigating and trying to determine whether CoPilot is classed as a business associate and therefore must comply with HIPAA Rules. If OCR determines CoPilot is a HIPAA-covered entity, the decision may be taken to issue a financial penalty for the delayed breach notifications. Earlier this year, OCR fined Presence Health $475,000 for delaying breach notifications for three months. A fine for CoPilot would likely be considerably higher considering the number of individuals impacted by the breach and the length of the delay.

HIPAA fines may or may not result from the notification delay, but the New York attorney general has now taken action. On Thursday last week, Eric Schneiderman announced that CoPilot has been fined $130,000 for the breach notification delay, not for a breach of HIPAA Rules but for a breach of General Business Law § 899-aa. The law requires businesses to send timely breach notifications to individuals impacted by a data breach. In addition to the fine, CoPilot is required to improve its notification and legal compliance program.

Announcing the fine, Schneiderman said, “Healthcare services providers have a duty to protect patient records as securely as possible and to provide notice when a breach occurs,” explaining that “Waiting over a year to provide notice is unacceptable.”

The financial penalty sends a message to all businesses that unnecessary breach notification delays will not be tolerated. Schneiderman said “My office will continue to hold businesses accountable to their responsibility to protect customers’ private information.”

OCR’s Wall of Shame Under Review by HHS

Since 2009, the Department of Health and Human Services’ Office for Civil Rights has been publishing summaries of healthcare data breaches on its website. The data breach list is commonly referred to as OCR’s ‘Wall of Shame’.

The data breach list only provides a brief summary of data breaches, including the name of the covered entity, the state in which the covered entity is based, covered entity type, date of notification, type of breach, location of breach information, whether a business associate was involved and the number of individuals affected.

The list includes all reported data breaches, including those which occurred due to no fault of the healthcare organization. The list is not a record of HIPAA violations. Those are determined during OCR investigations of breaches.

Making brief details of the data breaches available to the public is an ‘unnecessarily punitive’ measure, according to Rep. Michael Burgess (R-Texas), who recently criticized OCR about its data breach list.

Burgess was informed at a cybersecurity hearing last week that HHS secretary Tom Price is currently reassessing the website and how the information is made public.

While the publication of information is under review, the publication of breach summaries is a requirement of the HITECH Act of 2009. Any decision to stop publishing breach summaries on the website would require assistance from Congress. However, it is possible for changes to be made to how the information is displayed and for how long the information is made available. The HITECH Act only requires the information to be published. It does not stipulate the length of time that the covered entity remains on the list.

The reason behind the publication of breach information is to inform the public of data breaches and to provide some information on what has occurred. If there was a time limit placed on the length of time a covered entity remained on the list, it would not be possible for a member of the public to determine whether a breach was an isolated event or one of several suffered by a covered entity.

OCR Director Roger Severino issued a statement confirming the usefulness of the website saying, “The website provides an important source of information to the public, but we recognize that the format has become stale and can and should be improved,” explaining “OCR will continue to evaluate the best options for communicating this information as we meet statutory obligations, educate the regulated community (and the public) on lessons learned, and highlight actions taken in response.”

Burgess told Fierce Healthcare, “I am interested in pursuing solutions that hold hospital systems accountable for maintaining patient privacy without defaming systems that may fall victim to large-scale ransomware attacks, such as WannaCry.”

Of course, in the case of the WannaCry attacks, healthcare organizations may not be blameless. The attacks were only possible as a result of the failure to apply patches promptly. However, in its current form, there would be no indication on the website that a covered entity had experienced a ransomware attack as the breach list does not go into that much detail.

While options are being considered, some privacy advocates argue that the breach portal does not go into nearly enough detail and suggest even more information should be uploaded to the site to better inform the public on exactly what has occurred.

Sound Community Services Discovers Email Account Breach

New London, CT-based Sound Community Services Inc., a not-for-profit provider of education, support and assistance for individuals with persistent mental illness and/or substance abuse disorders has discovered an unauthorized individual has gained access to an employee’s email account.

Suspicious activity was detected on the email account on January 13, 2017. An investigation was immediately launched and access to the email account was blocked. The investigators determined access to the email account had been gained the previous day.

A forensic investigation into the security breach was conducted, although the identity of the unauthorized individual could not be determined. The email account was discovered to contain the protected health information of 1,278 individuals.

No information has been released detailing how the unauthorized individual gained access to the email account, although this type of security breach is commonly caused as a result of employees responding to phishing emails and disclosing their email credentials.

While it is possible that patient information was accessed by the unauthorized individual, no evidence has been uncovered to suggest emails in the account were opened and viewed and no reports have been received to suggest any exposed information has been obtained and misused. Fortunately, the information in the emails was limited, with only names and client numbers exposed. One individual also had details of referring information exposed.

The review of the email accounts was only completed on April 18, hence the delay in issuing notifications. The Department of Health and Human Services’ Office for Civil Rights was notified of the breach on May 26.

Even though the information exposed was limited, all affected individuals have been offered 24 months of identity protection services without charge. Those individuals are being notified of the breach by mail and are being provided with background information on the incident.

Sound Community Services will be implementing new controls to ensure similar incidents are prevented in the future.

Double Burglary Sees Connecticut Patients’ PHI Exposed

SouthWest Community Health Center, a Bridgeport, CT network of health centers, has alerted patients that some of their protected health information has been exposed after burglars targeted two of its facilities.

Several computers were stolen in a double burglary at its 1046 Fairfield Avenue and 10 Clinton Avenue sites. Thieves first broke into the Fairfield Avenue facility on Saturday, April 8 and stole four desktop computers and a laptop. The following weekend, the Clinton Avenue health center was broken into and two laptop computers were stolen.

Both facilities had security alarms which were triggered when the offices were entered. Law enforcement responded immediately in both cases, but the perpetrators had fled the scene.

The burglaries were not believed to have been conducted in order to gain access to patients’ protected health information, only for the value of the computer hardware that was stolen. However, it is possible that the thieves or other unauthorized individuals were able to view the information stored on the devices. The data stored locally on the devices were not encrypted.

SouthWest Community Health Center reconstructed the data stored on the computers to determine which patients’ protected health information had been exposed. The investigation revealed patients’ names, dates of birth, bank account numbers, Social Security numbers, insurance information and medical information, including diagnoses, treatment and admission information had been saved on the hard drives.

Due to the sensitive nature of exposed information, all affected patients have been offered identity theft monitoring and restoration services without charge for a period of 12 months. SouthWest Community Health Center is also reviewing security at its health centers to prevent future burglaries and is working closely with law enforcement and other third parties in this regard.

The incident has been reported to the Department of Health and Human Services’ Office for Civil Rights, although since the incident has yet to appear on the OCR breach portal it is unclear exactly how many patients have been impacted.