HIPAA Breach News

Cleveland Medical Associates Attacked with Ransomware

Another healthcare organization has experienced a ransomware attack in which the protected health information of patients was potentially accessed. Ransomware is typically deployed for extortion rather than data theft; however, even when there is no evidence of exfiltration, a ransomware attack that encrypts PHI is a security incident under the HIPAA Security Rule and is presumed to be a reportable breach under the HIPAA Breach Notification Rule unless a risk assessment demonstrates a low probability that the PHI was compromised.

Cleveland Medical Associates does not believe any data were stolen in the attack and has found no evidence that patients’ PHI was compromised. However, since PHI access cannot be ruled out with a high degree of certainty, the incident has been reported to the HHS’ Office for Civil Rights and patients are being notified of the cyberattack.

The ransomware attack was discovered on April 21, 2017; the ransomware is believed to have been installed the previous evening. It was installed on a server that contained the protected health information of 22,000 patients. Medical services were not disrupted as a result of the attack.

A third-party cybersecurity firm was contracted to conduct a forensic investigation of the attack to determine which data were potentially compromised and the extent of the infection. That investigation revealed the server contained names, addresses, contact telephone numbers, Social Security numbers, insurance billing information, email addresses, medical records and other clinical information.

The incident was reported to the FBI and appropriate state and federal agencies have been notified. While data theft is not suspected, as a precautionary measure Cleveland Medical Associates is offering all patients 12 months of complimentary credit monitoring services through Equifax, which include an identity theft insurance policy.

The incident has prompted the healthcare provider to conduct a full review of its security procedures and a new medical record system is now being implemented.

The post Cleveland Medical Associates Attacked with Ransomware appeared first on HIPAA Journal.

Family Tree Health Clinic Announces Ransomware Attack

The Family Tree Health Clinic in League City, Texas is alerting 13,402 patients that their protected health information was potentially viewed by unauthorized individuals. The attackers gained access to the clinic’s IT systems and installed ransomware.

The clinic describes the incident as a ‘sophisticated ransomware-encryption’ attack that was quickly remediated. The attack occurred on April 24, 2017, and prevented the clinic from accessing its systems. The clinic was prepared for ransomware attacks and held a backup of patients’ protected health information; all encrypted data were restored from those backups and no ransom was paid.

The clinic has received no reports that any PHI has been misused, although data were potentially accessed by the individuals behind the attack. The types of data that could have been viewed included patients’ names, addresses, dates of birth, Social Security numbers, medical information including claims and diagnosis codes, and health insurance information. Financial information, including credit/debit card numbers, was not stored in the affected system and remained secure.

After PHI had been restored and the ransomware infection removed, Family Tree Health corrected the security vulnerability that allowed the attackers to gain access to its system. Steps have also been taken to prevent future ransomware attacks from occurring.

The incident was reported to the FBI and the Department of Health and Human Services’ Office for Civil Rights has now been notified of the potential data breach.

Breach notification letters were sent to all affected patients on June 19. No credit monitoring services have been offered, although patients have been provided with further information on how they can secure their accounts and monitor for fraudulent use of their information.

A spokesperson for the clinic said, “Privacy and protection of patient information is a top priority for us, and we deeply regret any inconvenience or concern this incident may cause.”


Experian Health Accidentally Sends PHI to Incorrect Individuals

Experian Health has discovered the protected health information of some patients has been accidentally disclosed to incorrect individuals due to a technical error that occurred during a server migration.

The disclosed data included names, addresses, genders, dates of birth, Medicare ID/HIC numbers, member ID numbers, insurance/payer company names, group numbers/group policy numbers and Medicaid case numbers. The data were sent to the wrong HIPAA covered entities. No information was sent to or otherwise shared with members of the public.

Experian Health took immediate action to address what it refers to as ‘an isolated error’ and reports that the mistake has been corrected. The error affected two platforms used by Experian Health, with data disclosed between February 13 and March 13, 2017.

The disclosed information could only have been accessed or saved by HIPAA-covered entities, which are themselves bound by HIPAA Rules; the risk of the protected health information being misused is therefore likely to be low.

Experian Health notified affected healthcare institutions of the error on April 28, 2017. One of those entities was Southern Illinois Healthcare (SIH), which was told that 600 of its patients were impacted. Experian Health is a business associate of SIH and performs insurance eligibility verification during patient registration. Experian Health also works with other healthcare organizations.

At present, it is unclear exactly how many patients have been impacted in total since the incident has yet to appear on the Department of Health and Human Services’ Office for Civil Rights breach portal. It is possible that breach notices will be submitted separately by all of the covered entities impacted by the incident.

SIH has made the decision to offer credit monitoring and credit repair services to all affected individuals as a precautionary measure. Those services, which are being provided through AllClear ID, are available for 24 months without charge.


Aetna Error Sees PHI of 5,000 Individuals Exposed Online

Hartford, CT-based health insurer Aetna has discovered that the protected health information of more than 5,000 plan members was exposed online and accessible through search engines.

Aetna began investigating a security issue affecting two online services on April 27, 2017. The services were intended to display documents containing PHI to plan members and other authorized individuals, but the documents had been indexed by search engines and could be viewed by anyone who found them in search results.

By May 10, the investigation had confirmed that a data breach had occurred; the investigation concluded on June 9. Although the investigation was not launched until April, Aetna first became aware of exposed PHI on February 1, according to the San Antonio Express-News. It is unclear why almost three months elapsed before an investigation began.

Aetna says Social Security numbers, financial information and credit/debit card information were not exposed. The PHI in the documents was limited to names, identification numbers, member numbers, provider information and claim payment amounts; for some individuals, dates of service, procedure codes and service codes were also exposed.

In total, the PHI of 5,002 individuals was exposed online, according to the breach report submitted to the Department of Health and Human Services’ Office for Civil Rights; 1,708 of them are Ohio residents and 522 are Texas residents.

Aetna has found no evidence that any of the exposed information was misused. The documents have been deindexed so that they no longer appear in search results, search engines have been asked to remove cached copies, and steps have been taken to prevent the documents from being re-indexed. Deindexing addresses discoverability only: a search engine can only index a document that its crawler was able to retrieve without logging in, so preventing re-indexing does not by itself stop anyone who already holds a document’s URL from retrieving it.
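The distinction matters when verifying a fix of this kind. The following is an added example, not code from the HIPAA Journal article or from Aetna: it triages constructed HTTP responses for a PHI document URL and treats only a refused anonymous request as closing the exposure, flagging a bare 200 as the Aetna-style condition even when a noindex directive is present. The HttpResponse objects stand in for captured responses, the sample URL and hostname are invented, and the login-redirect heuristic is an assumption made for the example.

```python
"""Triage whether a document URL is exposed to search engines, from its HTTP response.

Added example for the Aetna incident above; it is not from the HIPAA Journal
article or from Aetna. The point it demonstrates: a noindex directive or a
deindexing request only tells crawlers to stay away. If an anonymous GET for the
document still returns 200, anyone holding the URL (and any crawler that ignores
robots directives) can read it. Only a refused anonymous request closes the gap.

Everything below is constructed for illustration: the HttpResponse objects stand
in for captured responses, and the login-redirect heuristic is an assumption.
"""
import re
from dataclasses import dataclass, field


@dataclass
class HttpResponse:
    status: int
    headers: dict = field(default_factory=dict)  # header names lower-cased
    body: str = ""


# <meta name="robots" content="..."> in an HTML body
_META_ROBOTS = re.compile(
    r'<meta\s+name=["\']robots["\']\s+content=["\']([^"\']*)["\']', re.I
)


def _directives(value):
    """Split 'googlebot: noindex, nofollow' into {'noindex', 'nofollow'}."""
    out = set()
    for part in value.split(","):
        part = part.split(":")[-1].strip().lower()  # drop a user-agent prefix
        if part:
            out.add(part)
    return out


def is_noindex(resp):
    """True if the response carries a noindex/none directive, via the
    X-Robots-Tag header or a <meta name="robots"> tag in an HTML body."""
    found = _directives(resp.headers.get("x-robots-tag", ""))
    if "text/html" in resp.headers.get("content-type", ""):
        m = _META_ROBOTS.search(resp.body)
        if m:
            found |= _directives(m.group(1))
    return bool(found & {"noindex", "none"})


def requires_auth(resp):
    """True if an anonymous request was refused outright (401/403) or bounced to a
    sign-in page. The 'login'/'signin'/'sso' path check is a heuristic assumed here."""
    if resp.status in (401, 403):
        return True
    if 300 <= resp.status < 400:
        location = resp.headers.get("location", "").lower()
        return any(marker in location for marker in ("login", "signin", "sso"))
    return False


def classify(resp):
    """Return the exposure class of an anonymous GET for a PHI document:
    'access-controlled'  anonymous request refused; crawlers get nothing
    'public-noindex'     readable by anyone with the URL; crawlers asked not to index
    'public-indexable'   readable and indexable: the Aetna-style exposure
    'other'              anything else (e.g. 404, 5xx)
    """
    if requires_auth(resp):
        return "access-controlled"
    if resp.status == 200:
        return "public-noindex" if is_noindex(resp) else "public-indexable"
    return "other"


# Constructed sample responses for one explanation-of-benefits document URL.
SAMPLES = {
    # served to anyone, no robots directive: how the documents got indexed
    "before": HttpResponse(200, {"content-type": "application/pdf"}),
    # header added, but the PDF is still served to anyone who knows the URL
    "noindex-header-only": HttpResponse(
        200, {"content-type": "application/pdf", "x-robots-tag": "noindex, nofollow"}
    ),
    # HTML viewer page with a robots meta tag; same weakness
    "noindex-meta-only": HttpResponse(
        200,
        {"content-type": "text/html; charset=utf-8"},
        '<html><head><meta name="robots" content="noindex"></head><body>EOB</body></html>',
    ),
    # anonymous request bounced to the member login page (invented hostname)
    "login-redirect": HttpResponse(
        302, {"location": "https://portal.example/login?next=/docs/eob/1"}
    ),
    # API-style token check
    "unauthorized": HttpResponse(401, {"www-authenticate": "Bearer"}),
    "missing": HttpResponse(404, {"content-type": "text/html"}),
}


def triage(samples=SAMPLES):
    """Map each sample name to its exposure class."""
    return {name: classify(resp) for name, resp in samples.items()}


if __name__ == "__main__":
    for name, cls in triage().items():
        print(f"{name:22s} {cls}")
```

Run against real responses, only the two samples that refuse the anonymous request would count as remediated; the two noindex variants still hand the document to anyone who requests it, which is why a robots directive is a crawler courtesy and not an access control.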

Affected individuals and plan sponsors are now being notified of the data breach by mail.


Airway Oxygen Inc. Ransomware Attack Impacts up to 500,000 Individuals

A ransomware attack on Wyoming, MI-based medical supply company Airway Oxygen Inc. in April 2017 has potentially exposed the protected health information of 500,000 individuals to the attackers.

Airway Oxygen found no evidence that data were accessed or stolen, although it could not rule out the possibility that information was compromised in the attack.

The attackers gained access to the company’s technical infrastructure on April 18, 2017 and installed ransomware. The part of the network affected was discovered to contain protected health information including names, addresses, birth dates, contact telephone numbers, medical diagnoses, health insurance policy numbers and details of the services the company provided to patients. Financial information and Social Security numbers were not exposed.

Upon discovery of the cyberattack, immediate action was taken to prevent further network intrusions and a scan of the entire system was performed to search for any additional malware. Passwords for users, vendors and applications were changed as a precaution. Airway Oxygen has reported the incident to the FBI and has brought in a third-party cybersecurity company to conduct a full investigation to determine how the ransomware was installed and the impact of the breach.

The incident has prompted Airway Oxygen to update its security tools and deploy new protections to prevent future attacks. A firewall review has been scheduled, and a new system has been installed to monitor firewall activity and issue alerts when suspicious activity is detected. The firm will also continue to review its security protections to reduce the risk of future incidents.

Affected individuals were notified of the breach this month and provided with information on the steps they can take to secure their accounts and prevent fraud. While the attackers are not believed to have viewed PHI, affected individuals have been advised to monitor all their healthcare and financial accounts for suspicious activity.

Airway Oxygen Inc., has not released details about the type of ransomware involved, the ransom amount demanded by the attackers or whether the ransom was paid.

Last year, the HHS’ Office for Civil Rights issued guidance for covered entities on ransomware, explaining that a ransomware attack that encrypts ePHI is a security incident and is presumed to be a reportable breach unless the entity can demonstrate, by means of a risk assessment, that there is a low probability that the PHI has been compromised. ePHI that had already been encrypted in line with HHS guidance before the attack, and that the ransomware could not read in unencrypted form, is not ‘unsecured PHI’, so its encryption by the ransomware is not a reportable breach. Following the WannaCry ransomware attacks last month, OCR reconfirmed that ransomware attacks are usually reportable incidents.


World’s Largest Data Breach Settlement Agreed by Anthem

The largest data breach settlement in history has recently been agreed by the health insurer Anthem Inc. Anthem experienced the largest healthcare data breach ever reported in 2015, with the cyberattack resulting in the theft of 78.8 million records of current and former health plan members. The breach involved names, addresses, Social Security numbers, email addresses, birthdates and employment/income information.

A breach on that scale naturally resulted in many class-action lawsuits; more than 100 were consolidated by the Judicial Panel on Multidistrict Litigation. Now, two years on, Anthem has agreed to settle the litigation for $115 million. If approved, this will be the largest data breach settlement to date, substantially higher than the $18.5 million settlement agreed by Target after its 41 million-record breach and the $19.5 million paid to consumers by Home Depot after its 50 million-record breach in 2014.

After the breach, Anthem offered two years of complimentary credit monitoring services to affected plan members. The settlement will, in part, pay for a further two years of credit monitoring. Alternatively, individuals who have already enrolled in the credit monitoring previously offered may receive a cash payment of $36 in lieu of the additional two years of cover, or up to $50 if funds remain available. The settlement also includes a $15 million fund to cover out-of-pocket expenses incurred by plaintiffs, which will be decided on a case-by-case basis for as long as funds remain.

Anthem has also agreed to set aside ‘a certain level of funding’ to make improvements to its cybersecurity defenses and systems, including the use of encryption to secure data at rest. Anthem will also be making changes to how it archives sensitive data and will be implementing stricter access controls. While the settlement has been agreed, Anthem has not admitted any wrongdoing.

Anthem Spokesperson Jill Becher explained that while data were stolen in the attack, Anthem has not uncovered evidence to suggest any of the information stolen in the cyberattack was used to commit fraud or was sold on. Becher also said, “We are pleased to be putting this litigation behind us, and to be providing additional substantial benefits to individuals whose data was or may have been involved in the cyberattack and who will now be members of the settlement class.”

While the decision to settle has been made, the settlement must now be approved by the U.S. District Court judge in California presiding over the case. District Judge Lucy Koh will hear the matter on August 17, 2017.


2,859 Patients Impacted by Improper Disposal at St. Thomas Rutherford Hospital

This month, the North Dakota Department of Human Services and the Texas Health and Human Services Commission have both reported that patients’ protected health information was disposed of improperly. Today, another HIPAA-covered entity – Saint Thomas Rutherford Hospital in Murfreesboro, TN – has reported a similar incident.

Documents containing the protected health information of almost 3,000 patients were found abandoned by the side of a remote, rural road in DeKalb County in April. They were discovered by a member of the public.

Upon being notified of the discarded documents, St. Thomas Rutherford Hospital immediately launched an investigation, but it is currently unclear how the documents came to be discarded or who was responsible.

The documents were patient census reports dating from 2009 and 2010 and contained information on 2,859 patients. Affected patients have now been notified of the privacy breach by mail and the incident has been reported to the appropriate authorities.

The documents contained no full medical records or Social Security numbers, only each patient’s name, admitting diagnosis, date of birth, physician’s name and account number. Given the limited nature of the data in the documents, Saint Thomas Rutherford Hospital does not believe patients face any additional financial risk as a result of the breach.

Cynthia Figaro, Corporate Responsibility Officer and Corporate Privacy Officer of Saint Thomas Health issued a statement about the incident in which she confirmed, “Protecting the privacy of our patient’s information is always a top priority for us at Saint Thomas Health and Ascension,” and sincerely apologized to patients for the privacy violation.

The investigation confirmed that no further disclosures of patient information have occurred and a third-party firm has been contracted to ensure all storage files are appropriately secured until they can be permanently destroyed in accordance with Health Insurance Portability and Accountability Act Rules.


Texas Health and Human Services Commission Reports Improper Disposal of 1,800 Patient Records

The Texas Health and Human Services Commission has reported the improper disposal of a box of paper forms containing protected health information. The commission recently announced that the box was discovered next to a dumpster used by one of its eligibility offices in the E. 40th St. complex in Houston.

An investigation into the improper disposal has been launched and steps are being taken to prevent similar incidents from occurring in the future. Those steps will include a review of the processes and procedures for permanently destroying documents containing protected health information.

Texas Health and Human Services Commission is in the process of issuing breach notification letters to all affected individuals. The breach summary on the Department of Health and Human Services breach portal indicates 1,842 patients were impacted. Those individuals all reside in the Houston area.

The Texas Health and Human Services Commission says the forms contained protected health information such as names, dates of birth, client numbers, case numbers and telephone numbers, and potentially also mailing addresses, health information, bank account numbers and Social Security numbers.

All individuals impacted by the breach have been offered credit monitoring services for a period of 12 months without charge, although the commission pointed out that no evidence has been uncovered to suggest any of the forms have been accessed by unauthorized individuals.

This is the second data breach in the space of a year reported by the Texas Health and Human Services Commission. In June last year, the commission was informed by Iron Mountain that boxes had been removed from three of its storage facilities. The boxes contained forms relating to individuals who had applied for medical assistance, with the incident impacting 600 individuals.


Healthcare Data Breach Costs Fall to $380 Per Record

Healthcare data breach costs have fallen year-over-year, according to the latest IBM Security/Ponemon Institute study. However, for the seventh straight year, healthcare data breach costs were higher than those of any other industry sector.

This year, the Ponemon Institute calculated the average healthcare data breach costs to be $380 per record. The average global cost per record for all industries is now $141, with healthcare data breach costs more than 2.5 times the global average. Last year, average healthcare data breach costs were $402 per record. The average cost of a breach in the United States across all industries is $225 per record, up from $221 in 2016.

Data breach costs have risen substantially over the past seven years, although the latest report shows a 10% reduction across all industry sectors, the first year-over-year decline the study has recorded. The average global cost of a data breach now stands at $3.62 million, down from $4 million last year.

The study was conducted globally, with 63 organizations in the United States surveyed. Those organizations were spread across 16 industry sectors. The Ponemon Institute surveyed each company after it had experienced the loss or theft of sensitive information and had issued breach notifications to affected individuals. Sensitive data were classed as “An individual’s name plus Social Security number, medical record and/or a financial record or debit card.”

In the United States, the surveyed companies experienced data breaches that resulted in the exposure or theft of between 5,563 and 99,500 records, with an average of 28,512 records per breach.

The Ponemon Institute also compared the total cost of a breach with the average over the past four years. In the United States, the average total cost of a data breach rose from $7.01 million to $7.35 million, the highest total breach cost since IBM Security/Ponemon first started conducting the study.

Across all industry sectors, the per-record cost of a data breach was highest for malicious or criminal attacks ($244 per record), followed by system glitches ($209 per record) and human error ($200 per record). By root cause, 52% of the breaches were malicious or criminal attacks, 24% system glitches and 24% human error.

How do Healthcare Data Breach Costs Compare to Other Industries?

United States Data Breach Costs (2017 IBM Security/Ponemon study)

Industry                  Average cost per record (USD)
Healthcare                                          380
Financial Services                                  336
Services                                            274
Life Sciences                                       264
Industrial                                          259
Technology                                          251
Education                                           245
Transportation                                      240
Communications                                      239
Energy                                              228
Consumer                                            196
Retail                                              177
Hospitality                                         144
Entertainment                                       131
Research                                            123
Public Sector                                       110
All industries (average)                            225

The study showed the United States has higher breach costs than Europe, where the average cost of a data breach declined by 26% year-over-year. The Ponemon Institute attributed this, in part, to the centralized regulatory environment in Europe. In the United States, organizations have to comply with federal regulations as well as separate breach notification laws in 48 of the 50 states, which makes breach response labor intensive and extremely costly.

The report attributes the rise in U.S. breach costs to compliance failures and a rush to notify individuals, with notification costing U.S. organizations 50% more than their European counterparts. Issuing breach notifications cost $690,000 on average in the United States, twice the figure for any other country.

The study showed that when third parties were involved in a breach there was an increase in data breach costs, typically adding an extra $17 per record.

As in previous years, a rapid response to a data breach saw organizations limit the cost. When an incident response plan was in place prior to a breach, organizations were able to save an average of $19 per record. There was an average reduction in breach costs of $1 million when organizations were able to contain the breach within 30 days. However, on average, companies took more than six months to discover a breach and more than 66 days to contain it.

Other factors that reduced breach costs were the use of encryption, which lowered costs by $16 per record, and employee education, which lowered them by $12.50 per record.

Dr. Larry Ponemon, Chairman and Founder of the Ponemon Institute, said, “Data breaches and the implications associated continue to be an unfortunate reality for today’s businesses,” explaining, “Year-over-year we see the tremendous cost burden that organizations face following a data breach.”
