HIPAA Breach News

Anthem Business Associate Data Breach Impacts 18,500 Plan Holders

Anthem Inc. has only recently settled the lawsuit arising from its 2015 data breach that affected 78.8 million plan holders. Now, thousands of its members are being notified that their protected health information has been exposed in another incident.

This time it was not a cyberattack, but a data breach involving an employee of one of its business associates, Indiana-based LaunchPoint Ventures LLC. LaunchPoint is contracted to provide coordination services, for which it requires access to plan members’ protected health information.

On April 12, 2017, LaunchPoint became aware that one of its employees was alleged to have been involved in identity theft-related activities, prompting the firm to launch an investigation into the possibility of data theft. The business associate hired a third-party forensic firm to assist with the investigation.

On May 28, 2017, LaunchPoint learned that other ‘non-Anthem’ data may also have been compromised. On June 12, 2017, it was confirmed that the PHI of 18,580 Anthem health plan members had been accessed. The information had also been emailed to the employee’s personal email account in July 2016. Anthem was notified of the incident on June 14, 2017.

LaunchPoint has confirmed that the information stolen by the employee includes Medicare ID numbers, Social Security numbers, Medicare contract numbers, health plan ID numbers and dates of enrollment, with ‘a very limited number’ of last names and birth dates also included in the emailed data set.

The employee has been terminated for breaching company policies and LaunchPoint is working closely with law enforcement and assisting with a criminal investigation. Anthem reports that the employee is now behind bars for crimes unrelated to the theft of plan member data. LaunchPoint is assessing its policies and protocols and will be implementing additional safeguards to prevent future security breaches.

Anthem has reported the data breach to the Department of Health and Human Services’ Office for Civil Rights and has issued media notices. The breach impacts individuals in all states where it does business.

LaunchPoint will be sending breach notification letters to all individuals impacted by the incident. Those individuals will be offered credit monitoring and identity theft restoration services without charge for a period of two years.

The post Anthem Business Associate Data Breach Impacts 18,500 Plan Holders appeared first on HIPAA Journal.

Phishing Scam Fools University of Vermont Medical Center Employees into Revealing Login Credentials

A phishing campaign targeting University of Vermont Medical Center (UVMC) has resulted in criminals gaining access to UVMC email accounts. The phishing emails were sent in late May and two employees responded. Doing so allowed the attackers to temporarily gain access to their email accounts. The phishing emails were part of a large campaign sent to many UVMC employees. Fortunately, only two individuals responded. The emails appeared to have been sent from within the organization.

The accounts were compromised on May 22, and on May 24 UVMC detected spam emails being sent from the accounts and shut them down to minimise the damage caused.

The electronic medical record system was not compromised, although the email accounts did contain protected health information (PHI) such as names, medical record numbers, addresses, details of medications, medical diagnoses and treatment information. No Social Security numbers, insurance information or financial data were compromised.

It is possible that the purpose of the attack was not to gain access to PHI, only to use the email accounts to send spam emails. The spam emails included links to external websites. UVM Health Network’s Head of Internet Security, Heather Roszkowski, suggests the attack may have been conducted to boost traffic to those websites to increase advertising income.

No reports have been received to suggest any information was accessed and misused in any way. However, all affected individuals should exercise caution and monitor their accounts and Explanation of Benefits statements for any sign of fraudulent activity.

All patients impacted by the attack have now been notified of the incident by mail and a substitute breach notice has been uploaded to the UVMC website. That notice indicates approximately 2,300 patients were impacted.

UVMC says that it already has robust security measures in place to prevent attacks such as this, although it will be reviewing those measures to determine whether improvements can be made. UVMC will also be reinforcing training to reduce the probability of employees falling for this type of phishing scam again.


4-Month Data Breach Discovered During Ransomware Investigation: 300,000 Patients Impacted

Women’s Health Care Group of Pennsylvania, one of the largest healthcare networks in the state, has alerted approximately 300,000 patients that some of their sensitive protected health information has been compromised.

The types of data exposed – and potentially stolen – include names, addresses, dates of birth, lab test orders, lab test results, blood types, race, gender, pregnancy status, medical record numbers, employer information, insurance details, medical diagnoses, physicians’ names and Social Security numbers.

Identity theft protection services are being offered to all affected patients. Those individuals would do well to activate those services promptly, as hackers gained access to a server and workstation containing the above information in January this year, with access to systems possible until at least May.

In May, a virus was installed on a server/workstation, preventing the hospital from accessing patient data. While ransomware can be installed as a result of a phishing email or software vulnerability, in this case it appears to have been deployed by individuals who already had access to its systems. This is not atypical. If hackers manage to gain access to a healthcare network, it is becoming increasingly common for ransomware to be deployed when access to the system is no longer required – once all useful data have been exfiltrated, for instance.

Women’s Health Care Group of Pennsylvania rapidly isolated the affected devices to prevent the spread of the infection and external cybersecurity experts were called in to conduct a forensic investigation to determine the nature and scope of the security breach. The Federal Bureau of Investigation was also notified.

While a ransom demand had been issued by the attackers, no money was paid as all data could be recovered from a backup. Women’s Health Care Group of Pennsylvania says no protected health information was lost.

The investigation revealed that hackers had first gained access to its systems in January 2017 after taking advantage of a security vulnerability, with the same vulnerability believed to have been used to install ransomware. While Women’s Health Care Group of Pennsylvania did not find any evidence to suggest information on the server or workstation had been viewed or stolen, data access and theft could not be ruled out.

This is the second such incident to be reported in the past few weeks. Earlier this month, Peachtree Neurological Clinic of Atlanta, GA announced that an investigation into a ransomware attack revealed its systems had been compromised 15 months previously.


Protected Health Information Stolen in Vision Care Specialists Burglary

The price of medical information on the black market may be high, but it is relatively rare for paper records to be stolen during break-ins. However, a burglary at Vision Care Specialists’ administrative offices in Denver, CO saw paperwork containing the PHI of patients taken by thieves.

The burglary was discovered on May 22, 2017 and law enforcement was called in to investigate. An inventory was conducted to determine what items were taken by the thieves and third-party forensic investigators were called in to ascertain whether its systems had been accessed. That investigation did not uncover any evidence to suggest electronic medical information had been accessed, although on July 5, Vision Care Specialists discovered that paperwork containing the protected health information of some of its patients had been removed from its offices.

The documents contained a range of sensitive information including names, dates of birth, Social Security numbers, medical information, health conditions/diagnoses, financial information and health insurance details. While no reports have been received to suggest any of the information has been used inappropriately, it can be safely assumed that the information was taken for nefarious purposes.

Vision Care Specialists has now contacted all individuals whose information was obtained by the thieves and all affected patients have been offered complimentary credit monitoring services for 12 months.

Patients affected by the incident have been advised to exercise caution and to monitor their accounts, credit reports and Explanation of Benefits statements and to be alert for identity theft and fraud.

Vision Care Specialists has responded to the incident by enhancing security at its office to prevent any further incidents of this nature from occurring.


Hospital Employee Discovered to Have Accessed Medical Records Without Authorization for 14 Years

Cases of employees snooping on medical records are relatively common, although an incident at Tewksbury Hospital in Massachusetts stands out due to the length of time that an employee was accessing medical records without authorization before being caught.

The hospital was tipped off about the employee in April after a former patient made a complaint about their medical record being accessed inappropriately. In response to the complaint, the hospital conducted a full review which revealed the former patient’s medical records had been accessed by an employee without any legitimate reason for doing so.

Further investigation revealed it was far from a one-off. The employee had been accessing the records of patients without authorization for a period of 14 years. The first instance dated back to 2003 and the inappropriate access continued until May 2017. During that time, the employee accessed the records of more than 1,000 patients.

Tewksbury Hospital, which is run by the Department of Public Health, has now written to all patients whose medical records were inappropriately accessed, although many of those individuals are now former patients and the hospital no longer holds valid contact information. In an attempt to contact those individuals, a substitute data breach notice has been placed on the Mass.gov website.

The employee was a clerk at the hospital and was required to have access to medical records in order to complete work duties. Those access rights were abused and as a result, the employee was terminated and no longer has access to the EMR system.

The types of information that were potentially accessed include names, phone numbers, addresses, gender, dates of birth, medical diagnoses, details of medical treatment provided at the hospital and, in some cases, Social Security numbers.

Tewksbury Hospital says steps have now been taken to reduce the probability of similar incidents occurring in the future and to make sure that if records are accessed inappropriately, incidents are detected promptly. Those steps included conducting a review of policies and procedures regarding access to its EMR system and a reassessment of how access logs to medical records are reviewed. Staff will also be provided with additional training on the privacy and security of protected health information.
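The kind of access-log review the hospital refers to can be automated rather than left to periodic manual sampling. The following is an added example, not code from Tewksbury Hospital or any EMR vendor, and everything in it is constructed: the key=value audit log format, the sample log lines, and the "work relationship" table that records which patients each user has a documented reason to handle. It runs two checks over the log: a record view by a user with no recorded relationship to that patient, and a user whose distinct-patient count is far above the median for their peers, which is the pattern a 14-year snooping case would show.

```python
"""Detection pass over EMR access audit logs (added example; constructed data).

Two checks a privacy or security team can run over record-access logs:
(1) a VIEW of a patient record by a user with no recorded work relationship
to that patient, and (2) a user whose distinct-patient access count is well
above their peers'. The log format, the relationship table and the sample
lines are all constructed for this example and are not from any real system.
"""
import re
import statistics
from collections import defaultdict

# Constructed audit log lines (hypothetical key=value format).
SAMPLE_LOG = """\
2017-05-01T08:02:11Z user=clerk01 action=VIEW patient=P1001 reason=BILLING
2017-05-01T08:05:42Z user=clerk01 action=VIEW patient=P1002 reason=BILLING
2017-05-01T08:09:13Z user=clerk01 action=VIEW patient=P3390 reason=
2017-05-01T08:11:57Z user=clerk01 action=VIEW patient=P3391 reason=
2017-05-01T08:14:20Z user=clerk01 action=VIEW patient=P3392 reason=
2017-05-01T09:30:00Z user=nurse07 action=VIEW patient=P1001 reason=TREATMENT
2017-05-01T09:31:10Z user=nurse07 action=UPDATE patient=P1001 reason=TREATMENT
2017-05-01T10:00:00Z user=clerk02 action=VIEW patient=P1002 reason=BILLING
2017-05-01T10:02:30Z user=clerk02 action=VIEW patient=P1003 reason=BILLING
2017-05-01T10:30:00Z user=nurse08 action=VIEW patient=P1003 reason=TREATMENT
"""

# Constructed "work relationship" table: the patients each user has a
# documented reason to handle (billing queue, care team membership, ...).
ASSIGNMENTS = {
    "clerk01": {"P1001", "P1002"},
    "clerk02": {"P1002", "P1003"},
    "nurse07": {"P1001"},
    "nurse08": {"P1003"},
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"patient=(?P<patient>\S+) reason=(?P<reason>\S*)$"
)


def parse_log(text):
    """Parse key=value audit lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def unassigned_access(events, assignments):
    """Return (ts, user, patient, action) for accesses outside the user's
    documented work relationships. A user absent from the table has none."""
    hits = []
    for e in events:
        if e["patient"] not in assignments.get(e["user"], set()):
            hits.append((e["ts"], e["user"], e["patient"], e["action"]))
    return hits


def volume_outliers(events, factor=2.0):
    """Return {user: distinct_patient_count} for users whose count exceeds
    factor times the median count across all users in the log."""
    per_user = defaultdict(set)
    for e in events:
        per_user[e["user"]].add(e["patient"])
    counts = {u: len(p) for u, p in per_user.items()}
    if not counts:
        return {}
    median = statistics.median(counts.values())
    return {u: c for u, c in counts.items() if c > factor * median}


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for hit in unassigned_access(evts, ASSIGNMENTS):
        print("UNASSIGNED", *hit)
    for user, n in volume_outliers(evts).items():
        print("VOLUME", user, n)
```

On the constructed log the first check flags clerk01's three views of patients outside the billing queue, and the second flags clerk01 as the only user with a distinct-patient count above twice the median. In practice the relationship table would be built from scheduling, billing and care-team data, and a flag from either check goes to a privacy officer for review rather than being treated as proof of misconduct on its own.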

Tewksbury Hospital says the investigation did not uncover any evidence to suggest protected health information was misused in any way.

The incident has been reported to the Department of Health and Human Services’ Office for Civil Rights, which investigates all data breaches that have impacted more than 500 individuals. If the investigation reveals HIPAA Rules have been violated by the hospital, the penalty is likely to be severe for a breach of this duration.


NotPetya Attack Continues to Disrupt Nuance Communications’ Services

In late June, Nuance Communications, a provider of healthcare solutions and transcription services, was one of many organizations around the globe to have systems taken out of action by NotPetya ransomware.

While most ransomware attacks are conducted with the intention of obtaining ransom payments in exchange for the keys to unlock data, NotPetya was different. The aim was sabotage. Infection resulted in permanent encryption of master file tables, preventing infected computers from locating stored data. Data recovery was not possible even if the ransom demand was paid.

The attacks caused permanent damage at many organizations requiring the replacement of hardware and substantial portions of affected networks. Nuance Communications was no different.

Following the attack, Nuance Communications brought in external security experts to contain the infection and determine the extent of the attack. However, this was not in time to prevent widespread damage. Systems were taken out of action, preventing hundreds of hospitals from using its services.

Premier Health was one of many hospital systems forced to switch transcription service providers. Boston’s Beth Israel Deaconess Medical Center was also impacted and has been prevented from using Nuance’s eScription service. University of Pittsburgh Medical Center was similarly affected and still cannot use the company’s transcription service.

It took Nuance Communications until July 3 to bring its eScription RH and Clinic 360 clients back online on the Emdat platform, and until July 5 to bring its eScription LH platform back online. By July 11, almost 200 hospitals had started using its eScription LH platform again, although some company services continue to be disrupted.

Nuance Communications spokesperson Richard Mack announced yesterday that “We are doing everything within our power to support our health-care customers and provide them with the information and resources they need to provide quality patient care, including offering an alternative system and solutions.”

In addition to fixing its systems and working hard to bring customers back online, the company has been improving its security to prevent future attacks.

Even though most systems are now back online, it may be difficult to convince hospitals to return. Many have since switched to other service providers as a result of the attack and loss of its services. Many are unlikely to return. That is likely to make a serious dent in its Q3 profits at the very least. At present, the company’s share price has fallen 6% since the attack.


U.S. Data Breaches Hit Record High

Hacking is still the biggest cause of data breaches, and the breach count has risen once again in 2017, according to a new report released by the Identity Theft Resource Center (ITRC) and CyberScout.

In its half yearly report, ITRC says 791 data breaches have already been reported in the year to June 30, 2017 marking a 29% increase year on year. At the current rate, the annual total is likely to reach 1,500 reported data breaches. If that total is reached it would represent a 37% increase from last year’s record-breaking total of 1,093 breaches.

Following the passing of the HITECH Act in 2009, the Department of Health and Human Services’ Office for Civil Rights (OCR) has been publishing healthcare data breach summaries on its website. Healthcare organizations are required by HIPAA/HITECH to detail the extent of those breaches and how many records have been exposed or stolen. The healthcare industry leads the way when it comes to transparency over data breaches, with many businesses failing to submit details of the extent of their breaches.

ITRC says it is becoming much more common to withhold this information. In the first 6 months of 2017, 67% of data breach notifications and public notices did not include the number of records exposed, which is a 13% increase year on year and a substantial increase from the 10-year average of 43%. The lack of full information about data breaches makes it harder to produce meaningful statistics and assess the impact of breaches.

81.5% of healthcare industry data breach reports included the number of people impacted – a similar level to 2016. ITRC points out that does not mean healthcare organizations are failing to provide full reports, only that HITECH/HIPAA regulations do not require details of breaches of employee information to be reported.

The OCR breach portal shows healthcare industry data breaches in the year to June 30, 2017 increased by 14% year on year. 169 breaches were reported in the first six months of 2017 compared to 148 in the same period in 2016.

Hacking is Still the Biggest Cause of U.S. Data Breaches

The biggest cause of U.S. data breaches is still hacking according to the report, accounting for 63% of data breaches reported in the first half of the year across all industries – an increase of 5% year on year. Phishing, ransomware, malware and skimming were also included in the totals for hacking. 47.7% of those breaches involved phishing and 18.5% involved ransomware or malware.

The second biggest causes of U.S. data breaches were employee error, negligence and improper disposal, accounting for 9% of the total, followed by accidental exposure on the Internet – 7% of breaches.

The OCR breach portal shows 63 healthcare data breaches were attributed to hacking/IT incidents – 37% of the half yearly total. That represents a rise of 19% from last year.

In close second place is unauthorized access/disclosure – 58 incidents or 35% of the total, a 14% decrease year on year. In third place is loss/theft of devices – 40 incidents or 24% of all healthcare data breaches, a 4% fall year on year. The remaining 4% of healthcare data breaches – 7 incidents – were caused by improper disposal of PHI/ePHI.

Matt Cullina, CEO of CyberScout, said “All these trends point to the need for businesses to take steps to manage their risk, prepare for common data breach scenarios, and get cyber insurance protection.”


Ransomware Attack Investigation Reveals 15-Month Security Breach

A ransomware attack on Peachtree Neurological Clinic (PNC) in Atlanta, GA resulted in the encryption of sensitive data. Since PNC had backed up its data, it was possible to restore the affected files without paying the ransom.

Following any ransomware attack it is important to conduct a forensic analysis of systems to ensure all traces of the ransomware have been removed and no backdoors have been installed. PNC performed scans of its system and confirmed that the malware had been removed; however, the scans revealed that its systems had been accessed by unauthorized individuals between February 2016 and May 2017.

Cybercriminals have been known to gain access to organizations’ systems and install ransomware when there is no further need for access, but it is unclear whether the same individuals were responsible for both security breaches.

PNC found no evidence to suggest that the ransomware attack involved the exfiltration of data, but it was not possible to determine with any degree of certainty whether access to protected health information was gained in the initial attack. PNC was only able to confirm that its systems had been accessed.

The types of protected health information stored on the compromised system included names, telephone numbers, addresses, dates of birth, Social Security numbers, driver’s license numbers, prescription information, details of treatments/procedures and health insurance information.

Due to the sensitive nature of the data that were potentially accessed, PNC has offered all affected individuals complimentary identity theft protection services. The attacks have been reported to law enforcement and all affected individuals have been notified of the incidents by mail.

Dr. Lawrence Seiden, M.D., managing partner of PNC, said, “We take patient privacy seriously, and are very sorry for any concern or inconvenience this incident has caused or may cause to anyone who has been affected.”

The security breaches have yet to appear on the Department of Health and Human Services’ Office for Civil Rights Breach portal so it is unclear how many individuals have been impacted.


Rosalind Franklin University of Medicine and Science Phishing Attack Sees PHI Compromised

The protected health information of 859 patients of Rosalind Franklin University of Medicine and Science (RFU) has been compromised and potentially been viewed/stolen. The information was stored in two email accounts that were accessed by unauthorized individuals in May.

Access to the email accounts was gained after employees responded to phishing emails. The phishing attack occurred on May 10, 2017 prompting a full investigation. The malicious actors behind the phishing scam gained access to one email account for less than a day and the second email account for a period of 9 days. Access to the second email account was blocked on May 19.

Third party security experts were brought in to assist with the investigation to help determine the full extent of the security breach. RFU is now certain that unauthorized access to sensitive data has been blocked. Part of the investigation involved checking all messages in the compromised email accounts for protected health information.

The investigation confirmed that the compromised PHI was limited to patients’ names, addresses, dates of birth, telephone numbers, medical record numbers, diagnostic information and lab test results. No Social Security numbers or financial information were compromised.

RFU says it has received no reports of any misuse of information in the accounts, although affected individuals have been advised to remain vigilant and to check their credit reports, account statements and Explanation of Benefits statements for any sign of fraudulent activity.

RFU has reassured patients that security measures had been introduced prior to the attack to protect data stored in its systems, and that proactive steps have now been taken to address the incident and strengthen security to prevent further successful phishing attacks. RFU has reported the incident to the FBI, which is investigating.

An RFU spokesperson said, “The confidentiality, privacy, and security of information within our care is one of our highest priorities.”
