HIPAA Breach News

Austin Medical Center Discovers Patient Data Was Accessible Via Internet

An Austin, TX medical center has discovered that patient data was stolen and uploaded to the Internet, where it remained accessible for approximately four years. The information, which related to approximately 2,000 patients, could be found freely via search engines.

Victory Medical Center was alerted to the data leak on April 5, 2017 by a patient who had found his or her personal information online while browsing the Internet.

An investigation launched by Victory Medical revealed that a paper-based report containing patient information had been uploaded to GitHub by an unauthorized individual. The data was taken and uploaded without the knowledge or authorization of Victory Medical. The company says the breach was likely the work of a ‘lone bad actor’.

The date of the breach is not known, although it is likely the incident occurred on or after June 10, 2013 according to the substitute breach notice uploaded to the Victory Medical website. The report had been generated from Victory Medical’s secure patient record system, although it did not include any medical information.

The information exposed, and likely viewed by unauthorized individuals, was restricted to patients’ names, phone numbers, addresses, email addresses, preferred language, race and ethnicity, and internal medical account numbers. Victory Medical contacted GitHub and arranged for the information to be removed; it was taken offline five days later. A practical caveat for any organization handling a similar takedown: deleting a file from a GitHub repository does not remove it from the repository’s commit history, from forks of the repository, or from search engine caches, so the removal request needs to cover the history and any forks, and cached copies should be checked separately.

Since only demographic information was exposed, Victory Medical believes the risk of improper use of the information is low.

The breach investigation involved interviews with all members of staff who were working at or around the time of the suspected breach, although the person responsible for the breach could not be identified.

The breach has prompted a review of privacy practices, policies and security procedures that could potentially have contributed to the breach, although no systemic weaknesses have been identified. Physical security standards are also being reviewed at the organization’s offices and feasible changes will be implemented to improve security and prevent future breaches of PHI.

The post Austin Medical Center Discovers Patient Data Was Accessible Via Internet appeared first on HIPAA Journal.

WannaCry Ransomware Continues to Cause Problems for U.S. Hospitals

The Department of Health and Human Services (HHS) has issued a cyber notice to alert healthcare organizations of the continuing problems caused by the WannaCry ransomware attacks on May 12, 2017.

Following the attacks, the United States Department of Homeland Security (DHS) issued a statement saying the U.S. had suffered ‘limited attacks’ with only a small number of companies affected. However, the problems caused by those attacks have been considerable. The HHS says two large, multi-state hospital systems are still facing significant challenges to operations as a result of the May 12 attacks.

The Windows SMBv1 vulnerability exploited by the threat actors was addressed by Microsoft security bulletin MS17-010, released on March 14, 2017, with emergency patches for unsupported Windows versions (Windows XP, Windows 8 and Windows Server 2003) released shortly after the attacks took place. Applying the patches prevents the SMBv1 exploit from succeeding and therefore stops the WannaCry worm component from spreading to a patched host over SMB.

The encryption routine used by the WannaCry malware was effectively deactivated shortly after the outbreak began, when a researcher registered the kill-switch domain the malware checks before it runs: if the domain responds, the malware exits. That check is not a vaccine, however. It only works where an infected host can reach the domain directly (hosts behind a web proxy or on isolated networks cannot), and variants with a different kill switch, or none at all, appeared within days. Vulnerable devices can therefore still be infected if the patch has not been applied.

Further, if a device has already been infected prior to the patch being applied, the malware will still be present on the infected system. The HHS likens the patch to quarantining a patient. While that action will prevent the spread of the infection to other individuals, simply placing a patient in quarantine will not remove the infection in that patient.

While the ransomware component of the malware is not active, the presence of the malware on computer systems will have some effects. Those are dependent on the Windows version installed.

If the malware is present, it will be capable of scanning the network for other vulnerable devices and spreading to those devices.

The HHS says that if a device has been infected with WannaCry, reimaging and applying the patch will remove the malware and prevent it from being reinstalled by the same route. However, HHS explains that while the patch addresses a vulnerability in the Windows Server Message Block version 1 (SMBv1) protocol, that may not be the only route by which WannaCry is delivered. Even patched systems may still be infected if the threat actors exploit a different vulnerability to introduce the malware. Patches must therefore be applied promptly after they are issued to prevent future WannaCry, and other, malware attacks. Where SMBv1 is not required, disabling it outright removes this attack surface regardless of patch status, which is Microsoft’s standing recommendation for the protocol.
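The propagation behaviour described above leaves a network-side trace: an infected host fans out to TCP port 445 on many addresses in a short time, and the first variant queried its kill-switch domain before doing anything else. The following is an added example written for this page, not code from HHS, Microsoft or HIPAA Journal. The log line formats, the thresholds and the sample log are assumptions constructed for the example; the kill-switch domain is the one published for the first WannaCry variant, and later variants used other domains or none.

```python
"""Network-side indicators of an SMB worm such as WannaCry.

Added example, not part of the HHS notice or the HIPAA Journal article.
The log format is an assumption made for this example: firewall lines are
"<epoch> <src_ip> <dst_ip> <dst_port> <ALLOW|DROP>" and DNS lines are
"<epoch> <src_ip> DNS <queried_name>". Thresholds are tuning assumptions.
"""
from collections import defaultdict

# Kill-switch domain queried by the first WannaCry variant (published May 2017).
# A query for it shows the dropper ran on that host; it says nothing about
# whether the host then encrypted, and later variants used other domains.
KILL_SWITCH_DOMAINS = {"iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"}

WINDOW_SECONDS = 60        # assumption: look for fan-out inside one minute
MIN_DISTINCT_TARGETS = 20  # assumption: a file-server user never hits this many


def parse_line(line):
    """Parse one constructed log line into a dict."""
    parts = line.split()
    ts, src = int(parts[0]), parts[1]
    if parts[2] == "DNS":
        return {"ts": ts, "src": src, "kind": "dns", "qname": parts[3].lower()}
    return {"ts": ts, "src": src, "kind": "fw", "dst": parts[2],
            "dport": int(parts[3]), "action": parts[4]}


def detect_smb_scanners(lines, window=WINDOW_SECONDS, min_targets=MIN_DISTINCT_TARGETS):
    """Return {src_ip: peak distinct TCP/445 destinations inside any window}.

    WannaCry's worm component probes port 445 on the local subnet and on random
    Internet addresses, so one host fanning out to many 445 targets in a short
    time is the signal; DROP lines count as much as ALLOW lines.
    """
    per_src = defaultdict(list)
    for raw in lines:
        ev = parse_line(raw)
        if ev["kind"] == "fw" and ev["dport"] == 445:
            per_src[ev["src"]].append((ev["ts"], ev["dst"]))
    flagged = {}
    for src, events in per_src.items():
        events.sort()
        peak, left = 0, 0
        for right in range(len(events)):
            while events[right][0] - events[left][0] > window:
                left += 1
            peak = max(peak, len({dst for _, dst in events[left:right + 1]}))
        if peak >= min_targets:
            flagged[src] = peak
    return flagged


def detect_kill_switch_queries(lines):
    """Return the set of hosts that queried a known kill-switch domain."""
    return {ev["src"] for ev in map(parse_line, lines)
            if ev["kind"] == "dns" and ev["qname"] in KILL_SWITCH_DOMAINS}


def build_sample_log():
    """Constructed sample: one normal file-server user and one worm-like host."""
    lines = []
    for i in range(5):  # ordinary user reconnecting to the same file server
        lines.append(f"{1494600000 + i * 10} 10.0.1.9 10.0.1.2 445 ALLOW")
    for i in range(1, 41):  # infected host sweeps 10.0.1.1-40 in 40 seconds
        lines.append(f"{1494600000 + i} 10.0.1.5 10.0.1.{i} 445 DROP")
    lines.append("1494599990 10.0.1.5 DNS iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com")
    return lines


if __name__ == "__main__":
    log = build_sample_log()
    print("SMB scanners:", detect_smb_scanners(log))               # {'10.0.1.5': 40}
    print("kill-switch queries:", detect_kill_switch_queries(log))  # {'10.0.1.5'}
```

The scan detector counts dropped attempts as well as allowed ones because a worm probing a subnet mostly hits hosts with no SMB listener; a legitimate user hitting one file server repeatedly never accumulates many distinct destinations. Host-side verification (confirming the MS17-010 update is installed and SMBv1 is disabled) is done with the Windows tooling on each machine and is outside what this block covers.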

If you have been affected by WannaCry, the HHS recommends contacting your FBI Field Office Cyber Task Force or the US Secret Service Electronic Crimes Task Force to report the incident and request assistance.

The HHS also recommends contacting the FDA’s 24/7 emergency line at 1-866-300-4374 if a suspected cyberattack affects medical devices.

HHS has issued the following advice to healthcare organizations on mitigating the risk of WannaCry infection:


North Dakota Department of Human Services Notifies 2,452 Medicaid Recipients of PHI Exposure

The North Dakota Department of Human Services (NDDHS) is alerting 2,452 Medicaid recipients that some of their protected health information was exposed when documents were improperly disposed of in a Bismarck dumpster.

The HIPAA breach was discovered on May 19, 2017 when a member of the public saw documents containing sensitive information in a dumpster. The citizen contacted NDDHS about the discovery and an investigation was immediately launched. NDDHS arranged to collect the documents the same day.

The documents were Medicaid worksheets dated 2015. The worksheets did not contain Social Security numbers, financial information or Medicaid recipients’ addresses; however, detailed on the sheets were Medicaid recipients’ first and last names, the first two characters of their Medicaid provider name, Medicaid provider numbers, Medicaid ID numbers, a two-digit code representing the county of residence, an internal NDDHS ID number, dates of service, amounts covered by insurance, amounts billed and allowed, diagnosis codes, coding modifiers and quantity and tooth and surface detail relating to dental work. The information exposed varied for each patient.

The internal investigation into the privacy breach revealed that one individual was responsible for discarding the documents and that the improper disposal involved no malicious intent. The records were discarded on May 8, 2017, two days before they were found by a member of the public.

Since there is a possibility that the documents have been viewed by others, individuals affected by the incident have been offered complimentary credit monitoring and identity theft protection services. However, the potential for re-disclosure of information is believed to be low as all documents have now been recovered and secured. NDDHS said in its press release that no evidence has been uncovered to suggest any information in the documents has been used improperly or further disclosed and that “appropriate disciplinary action has been taken.”

Training had already been provided to staff members on information security and HIPAA Rules. NDDHS is now working with its staff to prevent future incidents of this nature from occurring. The incident has also prompted NDDHS to conduct a review of its policies and procedures for safeguarding the protected health information of Medicaid recipients.


Plastic Surgery Clinic Employee Suspected of Stealing 15,000 Patient Records

A former employee of a Californian plastic surgery clinic is suspected of stealing the medical records of around 15,000 patients.

The employee worked at the Rodeo Drive clinic in Beverly Hills run by Dr. Zain Kadri. The employee had been employed as a driver and translator since September 2016, but had subsequently been given other duties such as data entry. Allegedly, she quit the practice on May 13 after being accused of embezzlement.

The employee was later discovered to have taken photographs of patients before and during surgical procedures and uploaded those pictures to the image sharing site Snapchat.

Further data theft was uncovered in May while the clinic was transferring paper records to digital files. As part of that process, the clinic checked a company phone used by the former employee. Images were discovered on the device including photographs of patients, but also photographs of patient IDs, usernames and passwords, copies of checks and credit and debit card information. Conversations were also reportedly recorded by the employee. It is unclear how much of that information was shared on social media or was stolen.

The clinic has performed surgeries on several celebrities, many of whom have had their privacy violated. The patients affected by the incident come from 16 U.S. states and four countries. The potential harm from misuse of the information is considerable.

The data theft has been reported to the Los Angeles County Sheriff’s Department and the incident is being investigated. All patients affected by the breach are now being notified that their information may have been stolen. At this stage, it is unclear whether charges will be filed against the former employee.


Trios Health Discovers Employee Accessed EHR Without Authorization for 41 Months

The medical records of 570 Trios Health patients have been accessed by an employee, without authorization, over a period of 41 months.

In March, Trios Health noticed irregularities in its EHR access logs which suggested patient records were being accessed without any legitimate work purpose. An investigation was launched and the employee was placed on leave. The investigation revealed the employee had accessed hospital patient records without authorization between October 2013 and March 2017.

The types of information that were viewed included names, contact information, driver’s license numbers, Social Security numbers, dates of service, demographic information and limited medical information such as diagnoses.

Interviews were conducted, but a spokesperson for Trios Health said, “We don’t know the motivation.” It appears that no harm was intended by the employee. Trios Health says the risk of the information being used inappropriately is low, although credit monitoring and identity theft protection services are being offered to affected patients for 12 months without charge as a precautionary measure.

Trios Health’s interim CEO said, “We cannot succeed as an organization without holding ourselves and others responsible for mistakes and taking decisive action to address them.”

The employee has now been terminated for violating hospital policies and HIPAA Rules and Trios Health is implementing software that will alert staff to improper ePHI access. EHR restrictions have also been put in place to limit ePHI access, with staff only able to access the records of patients in their own department.

If a member of staff attempts to access the medical records of a patient that they are unauthorized to view, access will be prevented, a popup warning will appear on screen and an alert of attempted ePHI access will be sent to a supervisor. Staff have also received additional privacy training and a new PHI auditing process will be implemented.

The incident has now been reported to the state Attorney General and the Department of Health and Human Services’ Office for Civil Rights. Patients impacted by the breach are being notified by mail.


Molina Healthcare Patient Portal Discovered to Have Exposed Patient Data

Earlier this month, security researcher Brian Krebs was alerted to a flaw in a patient portal used by True Health Group that allowed patients’ test results to be viewed by other patients. While patients were required to log in to the patient portal before viewing their test results, a security flaw allowed them also to view other patients’ results.

Now, the Medicaid and Affordable Care Act insurer Molina Healthcare is investigating a similar flaw in its patient portal that allowed the sensitive medical information of patients to be accessed by unauthorized individuals. In Molina Healthcare’s case, patients’ medical claims could be accessed without any authentication at all.

Brian Krebs contacted Molina Healthcare to alert the company to the flaw. An investigation was conducted and its patient portal was shut down while the issue was resolved.

It is unclear for how long the flaw existed, whether medical claims had been viewed by unauthorized individuals, and if so, how many patients had their privacy violated. Potentially, the flaw resulted in the exposure of all customers’ medical claims. Molina Healthcare serves 4.8 million individuals in 12 states and Puerto Rico.

The individual who identified the flaw and reported it to Brian Krebs was able to demonstrate that it was possible to access other patients’ names, addresses, birthdates, medical procedure codes, prescribed medications and other sensitive data relating to health complaints. Anyone with a link to a medical claim could change a digit in the URL and view other individuals’ medical claims. This is a textbook insecure direct object reference: the claim identifier in the URL was guessable, and it was the only thing standing between a request and the record.

In contrast to the security flaw at True Health, Brian Krebs said anyone with a link to a medical claim could open the URL without any authentication. The link could simply be clicked and the medical claim viewed.
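Both flaws come down to the same missing check on the server side. The following is an added example written for this page, not code from Molina Healthcare, True Health or HIPAA Journal: a small in-memory claims lookup whose vulnerable path reproduces the two defects just described (no authentication, and sequential claim identifiers in the URL that can be walked by changing a digit), beside a hardened path that authenticates the caller, checks that the claim belongs to that caller, and issues non-guessable identifiers. The class, its method names and the sample claims are assumptions made for the example.

```python
"""Insecure direct object reference (IDOR) in a claims lookup, and the fix.

Added example, not code from Molina Healthcare, True Health or the article.
ClaimsPortal, its method names and the sample claim data are assumptions made
for this example; the vulnerable path reproduces the two defects described
above (no authentication, predictable claim identifiers in the URL).
"""
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Claim:
    claim_id: str
    patient_id: str
    procedure_code: str
    medication: str


class ClaimsPortal:
    def __init__(self):
        self._claims = {}      # claim_id -> Claim
        self._sessions = {}    # session token -> patient_id
        self._next_seq = 1000  # sequential ids, as in the vulnerable design

    def add_claim(self, patient_id, procedure_code, medication, sequential=False):
        """Store a claim. sequential=True mimics the guessable ids the flaw relied on."""
        if sequential:
            claim_id = str(self._next_seq)
            self._next_seq += 1
        else:
            claim_id = secrets.token_urlsafe(16)  # 128-bit random, not enumerable
        self._claims[claim_id] = Claim(claim_id, patient_id, procedure_code, medication)
        return claim_id

    def login(self, patient_id):
        token = secrets.token_urlsafe(32)
        self._sessions[token] = patient_id
        return token

    # VULNERABLE: /claims/<claim_id> served to anyone holding the link.
    # Combined with sequential ids, changing one digit walks every claim.
    def get_claim_vulnerable(self, claim_id):
        return self._claims.get(claim_id)

    # HARDENED: authenticate the caller, then check that the claim belongs to
    # that caller (the check True Health was missing). Missing and not-owned
    # claims get the same error so the endpoint cannot confirm which ids exist.
    def get_claim(self, session_token, claim_id):
        patient_id = self._sessions.get(session_token)
        if patient_id is None:
            raise PermissionError("authentication required")
        claim = self._claims.get(claim_id)
        if claim is None or claim.patient_id != patient_id:
            raise LookupError("no such claim")
        return claim


def walk_adjacent_ids(portal, claim_id, span=3):
    """Model the attack: try neighbouring numeric ids on the vulnerable endpoint."""
    base = int(claim_id)
    found = {}
    for candidate in range(base - span, base + span + 1):
        claim = portal.get_claim_vulnerable(str(candidate))
        if claim is not None:
            found[str(candidate)] = claim.patient_id
    return found


def demo():
    """Constructed data: two patients, one claim each, sequential ids."""
    portal = ClaimsPortal()
    a = portal.add_claim("patient-A", "99213", "lisinopril", sequential=True)
    b = portal.add_claim("patient-B", "45378", "none", sequential=True)
    leaked = walk_adjacent_ids(portal, a)          # {'1000': 'patient-A', '1001': 'patient-B'}
    token = portal.login("patient-A")
    own = portal.get_claim(token, a).patient_id    # 'patient-A'
    try:
        portal.get_claim(token, b)                 # authenticated but not the owner
        cross_patient = "allowed"
    except LookupError:
        cross_patient = "denied"
    return leaked, own, cross_patient


if __name__ == "__main__":
    print(demo())
```

Random identifiers alone are not the fix; they only make enumeration impractical. The ownership check in `get_claim` is what closes the hole, and returning the same error for a missing claim and a claim owned by someone else keeps the endpoint from doubling as an oracle for which identifiers are valid.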

On Friday last week, Molina Healthcare issued a statement saying “We are in the process of conducting an internal investigation to determine the impact, if any, to our customers’ information and will provide any applicable notifications to customers and/or regulatory authorities.”

Molina Healthcare has also engaged the services of Mandiant to improve its system security. Molina Healthcare says the security vulnerability in the patient portal has now been remediated.


Children’s Mercy Hospital Discovers Unauthorized Website Exposed 5,500 Patients’ PHI

A website created by a physician at Children’s Mercy Hospital in Kansas City, MO has recently been discovered to lack appropriate security protections, potentially allowing the protected health information of 5,511 patients to be viewed by unauthorized individuals.

The physician created the website with good intentions and used the site as an educational resource. Data uploaded to the website was protected with a password to prevent unauthorized access. However, the protections in place to prevent unauthorized ePHI access did not meet the hospital’s security standards.

The inadequate security controls on the website meant information uploaded to it could have been accessed by unauthorized individuals.

Contact information (addresses and telephone numbers), Social Security numbers, financial information, health insurance details, photos and other images were not uploaded to the site. However, the website did contain information such as patients’ first and last names, gender, age, medical record number, encounter number, dates of service, admission and discharge dates, birthdates, procedure dates, procedure and diagnostic codes, brief notes on the patient and their height, weight and body mass index.

The types of information uploaded to the website would not typically allow unauthorized individuals to defraud patients or commit identity theft, but as a precaution, all patients impacted by the incident have been offered identity theft protection services free of charge through AllClear.

The physician who created the website believed the information uploaded to the website had been appropriately secured and was inaccessible by unauthorized individuals. Children’s Mercy Hospital said the website was unauthorized, was not owned by the hospital, and that the creation of the website and uploading of ePHI was a violation of hospital policies. The website has now been taken down.

The incident has prompted Children’s Mercy Hospital to reeducate key staff members on compliance to prevent future incidents of this nature from occurring. Children’s Mercy Hospital has not received any reports to suggest information uploaded to the website has been misused in any way.


Beacon Health Employee Improperly Accessed 1,200 Patient Records Over 3 Year Period

A former Beacon Health System employee has been discovered to have accessed the medical records of approximately 1,200 patients without authorization over a period of three years.

The privacy breach was uncovered during a routine audit of ePHI access logs, with the unauthorized access discovered on March 30, 2017. The employee in question was permitted to access patient records to perform work duties, although access rights were abused and the records of other patients were viewed even though there was no legitimate work reason for doing so.

Upon discovery of the unauthorized access, Beacon Health conducted a full review with assistance from an external computer forensics firm and determined that the inappropriate access started in March 2014. The employee was interviewed and claimed the records were accessed out of curiosity only and that no information was copied or disclosed to other individuals. The medical records were accessed after patients visited the Emergency Room for treatment.
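The Trios Health case above (logs showing access with no legitimate work purpose, followed by department-scoped access restrictions and supervisor alerts) and this Beacon Health case (a routine audit of ePHI access logs) both turn on one question: did the user have a treatment relationship with the patient whose record they opened? The following is an added example written for this page, not code from either health system or from HIPAA Journal. It applies one authorization policy both retrospectively, over a constructed access log, and at request time. The log layout, the department and care-team data, the users and the patients are all assumptions constructed for the example; a real EHR carries role-based exceptions (for instance registration staff viewing demographics) that are left out here.

```python
"""Retrospective audit of EHR access logs for snooping, plus the same check
applied at request time.

Added example, not part of the Trios Health or Beacon Health notices or the
article. The log layout, the department/care-team policy, the sample users
and the patients are assumptions constructed for this example.
"""
from collections import defaultdict
from datetime import date

# Constructed reference data: the department of each patient's current
# encounter, and explicit treatment relationships (care-team assignments).
ENCOUNTER_DEPT = {"pat-1": "ED", "pat-2": "ED", "pat-3": "ICU", "pat-4": "ORTHO"}
CARE_TEAM = {("pat-3", "rn-ed-1")}  # ED nurse floated to an ICU patient

# Constructed log lines: "<date> <user> <user_dept> <patient> <action>"
SAMPLE_LOG = [
    "2017-03-01 rn-ed-1 ED pat-1 VIEW",
    "2017-03-01 rn-ed-1 ED pat-3 VIEW",
    "2017-03-02 rn-ed-1 ED pat-4 VIEW",
    "2013-10-05 clerk-7 REG pat-1 VIEW",
    "2015-06-11 clerk-7 REG pat-2 VIEW",
    "2017-03-10 clerk-7 REG pat-3 VIEW",
]


def is_authorized(user, user_dept, patient):
    """Policy: same department as the patient's encounter, or named on the care team."""
    return ENCOUNTER_DEPT.get(patient) == user_dept or (patient, user) in CARE_TEAM


def check_access(user, user_dept, patient):
    """Request-time enforcement: deny and raise a supervisor alert on a miss."""
    if is_authorized(user, user_dept, patient):
        return {"allowed": True, "alert": None}
    return {"allowed": False,
            "alert": f"{user} ({user_dept}) attempted to open {patient}: notify supervisor"}


def months_between(first, last):
    """Whole months from the first flagged access to the last."""
    return (last.year - first.year) * 12 + (last.month - first.month)


def audit(lines):
    """Return per-user summaries of accesses with no treatment relationship."""
    findings = defaultdict(lambda: {"flagged": 0, "patients": set(), "first": None, "last": None})
    for line in lines:
        day, user, dept, patient, _action = line.split()
        if is_authorized(user, dept, patient):
            continue
        when = date.fromisoformat(day)
        f = findings[user]
        f["flagged"] += 1
        f["patients"].add(patient)
        f["first"] = when if f["first"] is None or when < f["first"] else f["first"]
        f["last"] = when if f["last"] is None or when > f["last"] else f["last"]
    report = {}
    for user, f in findings.items():
        report[user] = {"flagged": f["flagged"], "patients": len(f["patients"]),
                        "first": f["first"].isoformat(), "last": f["last"].isoformat(),
                        "months": months_between(f["first"], f["last"])}
    return report


if __name__ == "__main__":
    for user, summary in audit(SAMPLE_LOG).items():
        print(user, summary)   # clerk-7 spans 41 months, rn-ed-1 has one miss
    print(check_access("clerk-7", "REG", "pat-2"))
```

The span reported for each user is the point of running this on years of history rather than on yesterday's log: a single stray lookup is usually an error, while a low-volume pattern that persists across many months, as in both cases here, is the signature of curiosity-driven snooping that volume thresholds alone miss.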

The types of information in the records included patients’ names, ages, room numbers, chief medical complaint and the acuity of their illness. Social Security numbers, health insurance information and financial account information were also potentially viewed by the employee.

The incident has prompted Beacon Health System to introduce new procedures to reduce the likelihood of further privacy breaches of this nature occurring. A review of the Beacon Health training curriculum is also taking place and training programs will be updated accordingly.

While the breach notice does not explicitly state that the employee was terminated as a direct result of this incident, Beacon Health System said the individual is no longer employed.

Even though further disclosures of patients’ ePHI are not believed to have occurred, the sensitive nature of the ePHI that was accessed by the employee prompted Beacon Health to offer all affected patients 12 months of identity theft and identity restoration services without charge.


Arizona Department of Health Services Notifies 2,500 Patients of Potential Loss of PHI

Data collected as part of a newborn screening program run by the Arizona Department of Health Services (ADHS) has been lost in the mail. The information, which was to be used for billing purposes, contained the personal information, financial data and sensitive health information of approximately 2,500 patients.

Names, addresses, phone numbers, Social Security numbers, health insurance information, birth dates, and health information relating to mothers and newborns have all potentially been exposed. While state officials have said no evidence has been found to suggest any of the information has been accessed by unauthorized individuals or misused, ADHS does not know where the records are.

The information was sent via the U.S. Postal Service to billing contractor Midwest Medical Practice Management of Carbondale, Illinois in two boxes; however, only one of the boxes arrived.

The last known location of the missing box was a Postal Service facility in Phoenix, AZ. The U.S. Postal Service has been contacted and a search for the missing box has been conducted. Postal Service records indicate the parcel was not delivered to an alternate address and did not leave the Phoenix facility. The box was last tracked on April 22, 2017.

The search for the missing box is continuing, although ADHS is working on the assumption that the records may not be found and has already notified all affected individuals that their PHI may have been exposed. No identity theft protection services are being offered to affected individuals at this stage, as no evidence has been uncovered to suggest the records have been accessed by unauthorized individuals. That may change if the package is not located and is declared lost.

The incident has prompted ADHS to conduct a review of its policies and procedures for transferring patient information, including the possibility of using a secure web-based system for transferring billing information rather than mailing physical records.
