HIPAA Breach News

Detroit Medical Center Discovers Agency Employee Disclosed Patients’ PHI

Detroit Medical Center (DMC) has discovered that an employee stole the protected health information of as many as 1,529 patients and impermissibly disclosed that information to a third party.

Detroit Medical Center became aware of the security breach when the staffing agency that supplied the employee contacted DMC to report that it had discovered protected health information had been obtained and provided to a third party.

DMC is part of the Tenet Healthcare system and runs eight hospitals and institutions in Detroit and southeast Michigan. DMC has not released information on the specific medical center where the employee worked or that individual’s role.

The types of information that were stolen and disclosed were also not made public. However, DMC has issued a statement confirming the data theft and disclosure have been reported to law enforcement and that the hospital is cooperating fully with the police investigation.

Upon hearing of the unauthorized disclosure, Detroit Medical Center conducted a thorough internal investigation, which included a review of all medical records that could potentially have been accessed by the employee. The employee’s login to systems containing PHI has been blocked and the employee has been terminated.

Detroit Medical Center determined that patients impacted by the security breach had visited a DMC facility for treatment between March 2015 and May 2016. Those individuals have now been notified by mail that their PHI has been compromised and have been offered credit monitoring services for 12 months without charge through AllClear.

If employees are given access to PHI in order to complete work duties there is always a risk that data access rights will be abused. It is therefore important for healthcare organizations to monitor PHI access logs regularly to check for inappropriate access. Detroit Medical Center did have monitoring systems in place, although the security breach has prompted DMC to modify monitoring programs to ensure any future incidents are detected rapidly.
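The paragraph above recommends regular review of PHI access logs for inappropriate access. The following Python script is an added example of what such a review can look like in practice; it is not DMC's monitoring program and the audit log format, user names and thresholds are all constructed for the demonstration. It applies two detection rules that both target the pattern of an insider copying many records: a burst rule (many distinct patient records touched within a few minutes) and a volume rule (a user-day whose distinct patient count is far above the peer median).

```python
import csv
import io
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of an EHR access (audit) log; not data from the article.
# Columns: timestamp, user, patient_id, action
SAMPLE_LOG = """\
timestamp,user,patient_id,action
2016-05-02T08:01:00,nurse01,P1001,view
2016-05-02T08:05:00,nurse01,P1002,view
2016-05-02T08:09:00,nurse01,P1003,view
2016-05-02T08:30:00,nurse02,P1004,view
2016-05-02T11:30:00,nurse02,P1005,view
2016-05-02T09:14:00,temp77,P2001,view
2016-05-02T09:14:30,temp77,P2002,view
2016-05-02T09:15:00,temp77,P2003,view
2016-05-02T09:15:30,temp77,P2004,view
2016-05-02T09:16:00,temp77,P2005,view
2016-05-02T09:16:30,temp77,P2006,view
2016-05-02T09:17:00,temp77,P2007,print
2016-05-02T09:17:30,temp77,P2008,print
2016-05-03T10:00:00,nurse01,P1006,view
"""

# Constructed thresholds for the sample; in production they are tuned per role from historical data.
BURST_WINDOW = timedelta(minutes=5)
BURST_PATIENTS = 5        # distinct patients inside one window -> bulk-access alert
VOLUME_FACTOR = 3.0       # daily distinct patients > factor x peer median -> volume alert
VOLUME_FLOOR = 5          # never alert on tiny counts even if the ratio is exceeded


def parse_log(text):
    """Parse the CSV audit log and return rows ordered by user, then time."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["ts"] = datetime.fromisoformat(r["timestamp"])
    return sorted(rows, key=lambda r: (r["user"], r["ts"]))


def burst_alerts(records, window=BURST_WINDOW, min_patients=BURST_PATIENTS):
    """Sliding time window per user: report the largest number of distinct
    patient records touched within `window`, if it reaches `min_patients`."""
    by_user = defaultdict(list)
    for r in records:
        by_user[r["user"]].append(r)  # records are already time-ordered per user
    alerts = []
    for user, rows in sorted(by_user.items()):
        best, best_start, start = 0, None, 0
        for end in range(len(rows)):
            while rows[end]["ts"] - rows[start]["ts"] > window:
                start += 1
            distinct = len({r["patient_id"] for r in rows[start:end + 1]})
            if distinct > best:
                best, best_start = distinct, rows[start]["timestamp"]
        if best >= min_patients:
            alerts.append({"rule": "burst", "user": user,
                           "window_start": best_start, "distinct_patients": best})
    return alerts


def volume_alerts(records, factor=VOLUME_FACTOR, floor=VOLUME_FLOOR):
    """Compare each user-day's distinct patient count against the median over all user-days."""
    per_user_day = defaultdict(set)
    for r in records:
        per_user_day[(r["user"], r["ts"].date().isoformat())].add(r["patient_id"])
    counts = {key: len(patients) for key, patients in per_user_day.items()}
    baseline = statistics.median(counts.values())
    threshold = max(factor * baseline, floor)
    return [{"rule": "volume", "user": user, "day": day,
             "distinct_patients": n, "threshold": threshold}
            for (user, day), n in sorted(counts.items()) if n > threshold]


def review_access_log(text):
    """Run both rules over one log extract and return the combined alert list."""
    records = parse_log(text)
    return burst_alerts(records) + volume_alerts(records)


if __name__ == "__main__":
    for alert in review_access_log(SAMPLE_LOG):
        print(alert)
```

On the sample, only `temp77` trips both rules (eight distinct records in under four minutes, and a daily count above three times the peer median); the nurses' steady, spaced-out access stays below both thresholds. A real review would also pull in the user's role and the patient's treatment relationship, which the constructed log does not carry, and would run against the log store rather than the EHR host so that the reviewed user cannot tamper with the evidence.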

The post Detroit Medical Center Discovers Agency Employee Disclosed Patients’ PHI appeared first on HIPAA Journal.

Ivinson Memorial Hospital Affected by FastHealth Security Breach

A data breach experienced by FastHealth, a vendor of website services, has impacted more than 500 patients of Ivinson Memorial Hospital in Laramie, WY.

Access was gained to a web server used by FastHealth and the attackers altered code on the website to capture billing and health information submitted by patients in online forms.
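Altered code on a web server of the kind described above is a change to files that should be static between deployments, which is exactly what file integrity monitoring catches. The Python below is an added example, not FastHealth's or the hospital's code: it builds a SHA-256 manifest of a site's files at deploy time and later compares the live tree against it, reporting modified, added and removed files. The demo site, its file names and the simulated unauthorized edit are all constructed.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path):
    """SHA-256 of a file, read in chunks so large assets do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each file under `root` (POSIX-style relative path) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_site(root, manifest):
    """Compare the live tree against a trusted manifest taken at deploy time."""
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "added": sorted(k for k in current if k not in manifest),
        "removed": sorted(k for k in manifest if k not in current),
    }


def demo():
    """Constructed scenario: a clean deploy, then an unauthorized change and a dropped-in file."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "js").mkdir()
        (root / "index.html").write_text("<html><body><form id='pay'></form></body></html>")
        (root / "js" / "pay.js").write_text("document.getElementById('pay').onsubmit = validate;\n")

        # Manifest is taken at deploy time and must be stored off the web server,
        # otherwise whoever edits the site can also edit the baseline.
        manifest = build_manifest(root)
        assert verify_site(root, manifest) == {"modified": [], "added": [], "removed": []}

        # Simulate tampering: an edit to the payment script and a new, unexpected file.
        with open(root / "js" / "pay.js", "a") as f:
            f.write("/* unauthorized change appended after deployment */\n")
        (root / "js" / "extra.js").write_text("/* file not present in the deployment */\n")

        return verify_site(root, manifest)


if __name__ == "__main__":
    print(demo())
```

The check is only as trustworthy as the manifest's storage and the schedule on which it runs: keep the baseline outside the web root (ideally on a separate host), regenerate it from the build pipeline on every legitimate deploy, and alert on any non-empty result. Tools such as AIDE or Tripwire implement the same idea with more coverage (permissions, ownership, timestamps); this script shows the core comparison.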

The breach does not affect all patients, only those that used the online bill-pay platform or completed new patient intake forms between January 14, 2016 and December 20, 2016. The security breach was discovered by FastHealth on December 21, 2016 and a third-party security firm was contracted to conduct an investigation. Forensic investigations can take some time to conduct, although it is unclear why it took almost 5 months for FastHealth to notify organizations about the breach.

The Laramie Boomerang reports that Ivinson Memorial Hospital was informed about the security breach on May 15, 2017. Patients are just being notified of the breach as it took time for Ivinson Memorial Hospital to verify the information sent by FastHealth. Ivinson Memorial Hospital says it wanted to make sure that the information it received about the breach was correct before making an announcement and notifying its patients.

The breach has prompted Ivinson Memorial Hospital to look for a new website vendor, and it will be terminating its contract with FastHealth as soon as possible.

The FastHealth data breach does not only impact individuals from Ivinson Memorial Hospital. FastHealth provides website services to many healthcare organizations, with more than 100 hospitals across the United States understood to have been affected by the security breach, according to the Laramie Boomerang.

Heart of the Rockies Regional Medical Center in Salida, CO was also impacted by the breach and was recently notified by FastHealth. Its patients have been informed that their names, dates of birth, email addresses, billing addresses, phone numbers, account numbers, payment card numbers, expiration dates and CVV security codes were compromised as a result of the breach. Heart of the Rockies Regional Medical Center has now found an alternate vendor to provide its online payment and registration platform.

The breach report submitted to the Department of Health and Human Services’ Office for Civil Rights indicates 9,289 individuals were impacted by the security breach at FastHealth.


PHI of 15,000 UC Davis Health Patients Compromised in Phishing Attack

University of California Davis Health is alerting almost 15,000 patients that their PHI may have been viewed as a result of an employee falling for a phishing scam.

The incident occurred on May 15, 2017. A phishing email was sent to a UC Davis Health employee who responded and unwittingly gave the attacker login credentials to his/her email account. That email account was accessed by the attacker on May 17.

It is possible that the attacker accessed the employee’s email messages and viewed and/or obtained patients’ PHI. The investigation did not uncover any evidence to suggest that any patients’ PHI was viewed, although it was not possible to rule out the possibility with a high degree of confidence.

On May 17, the attacker used the email account to send emails to other staff members requesting bank transfers for large sums of money. The emails were recognized as fraudulent and were reported to the data security team which secured the email account to prevent further access. Since access to the email account was rapidly blocked it is possible that PHI was not viewed or copied by the attacker. However, out of an abundance of caution, affected individuals have been notified of the breach.

The employee had previously conducted various informational mailings and was required to perform other actions that required a limited amount of patients’ PHI. Consequently, the email account contained some PHI.

In most cases, the PHI in the email account was limited to patients’ names, addresses, and phone numbers, although some patients’ Social Security numbers, medical record numbers and diagnoses were also potentially compromised.

Individuals whose sensitive information was exposed have been offered credit monitoring and identity theft protection services without charge for 12 months.

UC Davis Health says the phishing email was delivered to the employee’s inbox even though security measures had been introduced to block spam and phishing emails. An intrusion detection solution had been installed, but failed to detect fraudulent use of the email account. Staff at UC Davis Health are also provided with security awareness training to raise awareness of phishing and other threats.

UC Davis Health is now evaluating its security controls and training program and is considering augmenting its security protections to improve resilience against phishing attacks.

The incident has been reported to the Department of Health and Human Services’ Office for Civil Rights. The breach report indicates 14,900 individuals were impacted by the security breach.


University of Iowa Health Care Discovers PHI Was Exposed Online for 2 Years

University of Iowa Health Care has discovered patient information has been accidentally exposed on the Internet for a period of around 2 years. The exposed data was limited and did not include any clinical data, financial information or Social Security numbers, only patients’ names, admission dates and medical record numbers. 5,292 patients of University of Iowa Hospitals and Clinics have been impacted by the incident.

The data were saved in unencrypted files which were posted online via an application development website. The data had been accessible via the Internet since May 2015, with the error detected on April 29, 2017, prompting an immediate investigation. University of Iowa Health Care acted quickly to mitigate risk, with the files deleted from the website on May 1, 2017.

The investigation did not uncover any evidence to suggest any information was misused, and while the exposed data were extremely limited, University of Iowa Health Care has advised all affected individuals to follow good practices and monitor for any data misuse including checking Explanation of Benefits statements from health insurers for signs of suspicious activity. All affected individuals have now been notified of the security incident by mail, with the breach notification letters sent on June 22.

The data breach prompted University of Iowa Health Care to conduct a thorough risk assessment to identify vulnerabilities that could threaten the confidentiality, integrity and availability of PHI. Action has now been taken to mitigate risks and University of Iowa Health Care has strengthened training and its information oversight efforts to prevent future security incidents.


Almost 12,000 Records Compromised in Two New Ransomware Attacks

In the past two weeks, two further healthcare organizations have announced that they have experienced ransomware attacks that potentially resulted in the protected health information of patients being accessed by cybercriminals. A combined 11,843 patient records were exposed in the two attacks.

The first incident affects PVHS-ICM Employee Health and Wellness, LLC. Ransomware was installed on a server at a single UCHealth walk-in clinic in Fort Collins, CO. The ransomware attack was discovered on May 4, 2017, with the crypto-ransomware believed to have been installed the same day.

A third-party computer expert was called in to help remove the ransomware and conduct a forensic investigation of the affected server. That investigation revealed the data stored on the server dated back to September 23, 2014 and included the protected health information of 10,143 individuals. PVHS-ICM has not indicated whether the ransom was paid.

The protected health information on the server included patients’ names, home addresses and other demographic information along with health records, including diagnoses and treatment information. Some patients’ Social Security numbers were also stored on the server.

In its substitute breach notice, PVHS-ICM said the forensic investigation did not uncover any evidence to suggest the attackers gained access to the ePHI of patients and there were no signs that any data were stolen in the attack. However, as is often the case with ransomware attacks, it was not possible to rule out the possibility that data were accessed or stolen with a high degree of confidence.

As is required by HIPAA Rules in such cases, patients must be notified that their ePHI was potentially compromised. Out of an abundance of caution, all patients affected by the incident have been offered complimentary identity monitoring and identity theft remediation services for 12 months through ID Experts.

PVHS-ICM has taken steps to prevent further ransomware attacks including taking the server offline and creating an encrypted backup of all sensitive information on the server. That backup will be stored in a secure location.

GI Care for Kids Endoscopy Center Suffers Ransomware Attack

The Atlanta, Georgia-based GI Care for Kids Endoscopy Center also recently announced it had discovered ransomware on its systems. The ransomware attack occurred on April 28, 2017 and was discovered the same day.

A forensic investigation by third-party security experts found no evidence of data access or theft, with the investigators believing the attackers only used the ransomware to encrypt patient records in order to extort money from the company. While the attackers are not believed to have stolen or viewed data, the possibility could not be totally ruled out.

The investigation revealed the ePHI of 1,700 patients was encrypted by the ransomware. The affected computers and servers did not contain any Social Security numbers or financial information; however, patients’ names, telephone numbers, addresses, birth dates, ages, and medical information such as health histories and diagnoses could potentially have been accessed.

Affected patients have now been notified of the incident in accordance with HIPAA Rules. GI Care for Kids Endoscopy Center told patients no further actions are required to protect against possible harm, although affected patients can obtain credit reports, place fraud alerts on credit accounts and should monitor their financial accounts closely if they are concerned about fraud following the ransomware attack.


Lost Backup Drive Contained PHI of More than 500 EEG Patients

Baptist Medical Center South of Jacksonville, Florida has discovered a backup drive containing the electronic protected health information of 531 patients has gone missing. The portable storage drive was discovered to be missing on May 18, 2017. The device appears to have been taken from an EEG room.

A full search for the device was conducted but it could not be located. Baptist Medical Center South was unable to determine whether the portable drive had been borrowed by a member of staff and not returned, was misplaced, stolen or had been accidentally discarded. Baptist Medical Center South was also unable to determine when the device went missing.

An investigation was conducted which enabled the medical center to determine which data had been backed up on the device. The information stored on the drive was limited to names, dates of birth, physician’s orders, medical record numbers, diagnoses, reasons for study, images taken during EEG tests and patients’ room numbers. The data related to certain patients who had visited the medical center for EEG testing in 2015, 2016 and 2017. No financial information or Social Security numbers were stored on the device.

The device was not protected with encryption, although patients’ electronic protected health information could only be accessed using special software. If the device was stolen, that software requirement would make it difficult for the thieves to access patients’ information.

No reports have been received to suggest any information on the device has been accessed or misused, although patients whose protected health information was exposed have now been notified by mail out of an abundance of caution and to satisfy regulatory requirements.

In order to prevent future security incidents of this nature from occurring, Baptist Medical Center South has reinforced and enhanced its security practices and has re-educated all staff that work in the EEG department.


Indiana Medicaid Recipients Alerted to Potential Data Breach

Medicaid recipients in Indiana are being notified that some of their protected health information was accessible over the Internet between February and May this year.

The fiscal agent for the Indiana Health Coverage Program (IHCP), DXC Technology, says a hyperlink to an IHCP report containing patient information was accessible online. The report was an internal document used for administrative functions.

The information exposed was limited to names, Medicaid ID numbers, patient numbers, procedure codes, dates of service, payment amounts and names/addresses of health care providers. At no point was it possible for Social Security numbers, addresses or financial information to be accessed.

While protected health information could potentially have been accessed via the Internet, no evidence has been uncovered to suggest the link was clicked or that any information was stolen.

DXC Technology is contacting all affected individuals by mail to alert them to the potential data breach to allow them to take precautions to protect their identities and to satisfy state and federal regulatory requirements. As an additional precaution, all affected individuals are being offered complimentary credit protection services for 12 months, even though DXC Technology does not believe any information has been, or will be, used inappropriately.

DXC Technology says the issue has now been mitigated and the report is no longer accessible.

Employee of Professional Counseling and Medical Associates Stole Patients’ PHI

Paris, TN-based Professional Counseling and Medical Associates has discovered a former employee copied information from its electronic health record system on or around May 14, 2017.

The data theft was discovered on May 22 and the incident was reported to law enforcement and state and federal agencies. The counselling service does not believe the individual disseminated the information publicly, but the possibility cannot be ruled out.

The stolen data include names, dates of birth, home addresses and insurance information, with some individuals’ medical notes and counselling records also believed to have been copied.


Tampa Bay Surgery Center Notifies 26,000 of PHI Theft

Tampa Bay Surgery Center has started notifying almost 26,000 patients that some of their protected health information was stolen by an unauthorized individual who subsequently posted the information on a file sharing website.

Law enforcement contacted Tampa Bay Surgery Center on May 5, 2017 alerting the healthcare provider to the data dump. The file had been uploaded to the file sharing website the previous day. The file contained sensitive data that had been obtained from a database maintained by Tampa Bay Surgery Center. Data stolen and exposed online by the malicious third party included the full names of patients along with dates of birth, home addresses and Social Security numbers. A link to the file was also distributed on Twitter by the individual who claimed to have stolen the data.

Tampa Bay Surgery Center has notified the Department of Health and Human Services’ Office for Civil Rights of the breach. The breach report indicates 25,848 patients were affected by the incident. Those individuals are being offered identity theft protection services without charge, although patients have been informed that no evidence has been uncovered to suggest any of the stolen protected health information has been misused.

An investigation into the breach is ongoing and processes and procedures are being updated to ensure similar incidents do not occur in the future.

While the breach will come as news to many patients, the incident was reported in May by Databreaches.net, which has been following the activities of the individual/group responsible for the attack – The Dark Overlord (TDO). TDO has conducted numerous attacks on healthcare organizations over the past few months.

TDO steals data, threatens to publish the information online and advises organizations that they can stop the data dump by paying a ransom. If the ransom is paid, TDO claims data will not be released online. As has happened on numerous occasions already, if the ransom demand is not paid or the request is ignored, data are published. TDO was behind attacks on OC Gastrocare, Aesthetic Dentistry, Dougherty Laser Vision, Peachtree Orthopedics, Midwest Orthopedic Pain & Spine, Athens Orthopedic Clinic and many others, including an unnamed third-party health insurer from which 9.3 million records were stolen.

According to Databreaches.net, the data dump appeared to include 142,000 records. The tweet sent by TDO, from an account that has subsequently been suspended, was “Into the hundred thousand range we go. However, this clinic didn’t do anything wrong except annoy us.” The file has since been taken down and is no longer accessible online.


White Blossom Care Center Notifies Residents of Improper PHI Access

White Blossom Care Center in San Jose, CA has started notifying approximately 800 of its residents that some of their protected health information has been inappropriately accessed and acquired by a former employee.

The care center was recently alerted to the potential data security incident and launched an investigation to determine whether a data breach had occurred. A third-party technical security expert was brought in to assist with the investigation.

The investigation confirmed that data had been obtained by the former employee, although it was not possible to tell when data were accessed and acquired.

The types of information accessed and acquired by the former employee include residents’ full names, along with insurance provider names and account numbers, dates of birth, Social Security numbers and medical information such as diagnoses, procedures performed and details of medications. White Blossom Care Center believes only a limited number of the acquired files contain the above information. Based on the information available, the care center believes that credit card/debit card information or other financial data were not accessed or acquired.

The incident has been reported to law enforcement and the care center is continuing to assist in the law enforcement investigation. Appropriate state and federal agencies have also been notified of the incident.

No evidence has been uncovered to suggest any of the information obtained by the former employee has been used inappropriately, but out of an abundance of caution, all affected residents have been offered identity theft protection services for a period of 12 months without charge.

The care center has advised all residents that safeguards had been introduced prior to this incident to prevent unauthorized access and keep personal information secure. However, the incident has prompted the care center to review its safeguards and improvements will be made as appropriate. Employee computer user accounts and passwords have also been reconfigured to further restrict access to sensitive information.
