HIPAA Breach News

Stolen Electromyography Device Contained 836 Patients' PHI, says SSM Health

SSM Health has started notifying patients that some of their protected health information was exposed when a portable device was stolen from DePaul Hospital St Louis in Bridgeton, MO.

The device contained the protected health information of 836 patients, including names, medical record numbers, dates of birth and brief details of patients’ chief health complaint. No insurance details, financial information, Social Security numbers or contact information were stored on the device. Due to the limited data stored on the device, patients are not believed to be at risk of experiencing identity theft or fraud.

The portable device was stolen from DePaul Hospital overnight between April 12 and the morning of April 13, 2017. The theft has been reported to the local police department and an investigation into the incident is ongoing.

The device, which resembles a laptop computer, was part of an electromyography (EMG) medical device. Officials at DePaul Hospital believe the device was stolen because it resembles a laptop computer, not for the information stored on it. No evidence has been uncovered to suggest any data on the device have been misused.

SSM Health has confirmed in a substitute breach notice uploaded to its website that the device was solely used in conjunction with the EMG device and that it is not possible to access patients’ medical records through the device.

Affected individuals had been participating in an electrodiagnostic study run by Dr. Syed Khader and had received treatment at the hospital between 2002 and 2017. No other patients of the hospital were affected by the incident.

Patients have been notified of the breach, as required by Health Insurance Portability and Accountability Act (HIPAA) Rules, and the Department of Health and Human Services’ Office for Civil Rights has been notified.

Action has already been taken to ensure similar incidents do not occur in the future, including tightening security controls through written procedures and retraining staff on the correct handling of patient information.

The post Stolen Electromyography Device Contained 836 Patients' PHI, says SSM Health appeared first on HIPAA Journal.

Impermissible Disclosure of HIV Status to Employer Results in $387,000 HIPAA Penalty

The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced a new HIPAA settlement to resolve violations of the HIPAA Privacy Rule.

St. Luke’s-Roosevelt Hospital Center Inc. has paid OCR $387,200 to resolve potential HIPAA violations discovered during an OCR investigation of a complaint about an impermissible disclosure of PHI.

In September 2014, OCR received a complaint about a potential privacy violation involving a patient of St. Luke’s Spencer Cox Center for Health. In the complaint, it was alleged that a member of St. Luke’s staff violated the privacy of a patient by faxing protected health information to the individual’s employer.

The information in the fax was highly sensitive, including the patient’s sexual orientation, HIV status, sexually transmitted diseases, mental health diagnosis, details of physical abuse suffered, medical care and medications. Instead of faxing the information, the data should have been sent to a personal post box as requested.

The investigation revealed that the incident was not the only time that the HIPAA Privacy Rule had been violated in such a fashion. A similar incident had occurred nine months previously, when a patient’s PHI was sent via fax to an office where he volunteered.

The Privacy Rule violations in both cases were particularly serious due to the highly sensitive nature of information that was disclosed. In the resolution agreement, OCR said the impermissible disclosures were egregious.

HIPAA Rules require covered entities to safeguard patients’ protected health information at all times. However, the investigation revealed that St. Luke’s had failed to do that on two occasions, violating 45 C.F.R. § 164.530(c)(2)(i). Further, after the first impermissible disclosure, St. Luke’s failed to address vulnerabilities in its compliance program to prevent further impermissible disclosures from occurring. Had those vulnerabilities been addressed, the second privacy violation might have been avoided.

In addition to paying OCR $387,200, St. Luke’s is required to adopt a corrective action plan (CAP). The CAP involves reviewing and updating policies and procedures covering allowable uses and disclosures of PHI and training staff members on the policy and procedural updates.

OCR issued a press release announcing the HIPAA settlement in which OCR director Roger Severino said, “Individuals cannot trust in a health care system that does not appropriately safeguard their most sensitive PHI,” explaining, “Covered entities and business associates have the responsibility under HIPAA to both identify and actually implement these safeguards.” OCR considered the nature of the breach and the extent of the harm caused when deciding on an appropriate settlement amount.

May is not yet over, but already there have been nine HIPAA settlements between OCR and covered entities to resolve HIPAA violations discovered during the investigation of complaints and data breaches. At the current rate of almost two settlements a month, OCR will double last year’s record-breaking number of HIPAA enforcement penalties. The increase in HIPAA penalties shows that OCR is taking a much harder line on covered entities that fail to comply with HIPAA Rules.

Two of the most recent penalties have resulted from complaints involving HIPAA violations relating to one or two patients. It is no longer just large-scale data breaches that merit financial penalties. Any severe violation of HIPAA Rules can result in a HIPAA fine.


Leading Cause of Healthcare Data Breaches in April was Hacking

The monthly Breach Barometer Report from Protenus shows a significant reduction in the number of exposed healthcare records in April, with 232,060 records exposed compared to more than 1.5 million in March. The number of reported data breaches also fell from 39 to 34.

The report offers some further good news. The time taken by healthcare organizations to report security incidents also fell last month. 66% of breaches were reported within the 60-day time period allowed by the Health Insurance Portability and Accountability Act Breach Notification Rule. While it is good news that the trend for reporting data breaches more promptly is continuing, there is still plenty of room for improvement.

Protenus reports that in April, it took an average of 51 days from the date of the breach to discovery, and an average of 59 days from the discovery of a breach to the submission of a breach report to the HHS’ Office for Civil Rights.

The data for the Protenus Breach Barometer report was supplied by Databreaches.net, which uncovered one of the worst breaches of the year to date: the theft of psychotherapy notes, substance abuse histories, health histories and the personally identifiable information of 4,229 patients of Bangor Health Center in Maine. That incident was one of 16 hacking incidents reported in April.

Hacking/IT incidents were cited as the cause of 47% of data breaches reported in April, followed by insider incidents (29%), and loss and theft of devices/PHI (15%). The cause of 9% of the breaches is currently unknown.

Hacking was the cause of the largest data breach of the month. The incident, which was reported by Harrisburg Gastroenterology, affected 93,323 individuals.

Out of the 16 hacking/IT incidents reported in April, five were related to ransomware infections and three incidents were phishing attacks. There were five breaches due to insider errors and four incidents involving insider wrongdoing.

While the majority of data breaches involved electronic protected health information, healthcare organizations must ensure appropriate controls are in place to secure physical PHI. Five of the breaches reported in April involved the theft or exposure of physical PHI.

There were two business associate data breaches in April and two reported by health plans. The majority of the breaches (79.41%) were reported by healthcare providers.

Texas was the worst affected state with four breaches, followed by Michigan, Ohio and New York, each with three incidents.


Healthcare Organizations Reminded of HIPAA Rules Relating to Ransomware

Following the recent WannaCry ransomware attacks, the Department of Health and Human Services has been issuing cybersecurity alerts and warnings to healthcare organizations on the threat of attack and steps that can be taken to reduce risk.

The email alerts were sent soon after the news of the attacks on the UK’s NHS first started to emerge on Friday May 12, and continued over the course of the week. The alerts provided timely and pertinent information for U.S. healthcare organizations allowing them to take rapid action to counter the threat.

While the Office for Civil Rights has previously sent monthly emails to healthcare organizations warning of new threats in its cybersecurity newsletters, the recent alerts were sent much more rapidly and frequently, with four email alerts and conference calls made with industry stakeholders alerting them to the imminent threat.

Whether this was a one-off in response to a specific and imminent major threat or the HHS plans to issue more timely alerts remains to be seen. However, the rapid communication of the ransomware threat almost certainly helped many healthcare organizations take prompt action to reduce risk.

Fortunately, attacks on organizations in the United States appear to have been limited, with the Department of Homeland Security saying fewer than 10 U.S. companies have reported being attacked.

In the email alerts, healthcare organizations were reminded of the need to implement data security measures to reduce the risk of malware and ransomware attacks. OCR also issued guidance on HIPAA specific to the threat from WannaCry ransomware.

OCR reiterated that a ransomware attack that involves the encryption of patients’ ePHI is presumed to be a HIPAA breach, reminding covered entities to report attacks within 60 days, as required by the HIPAA Breach Notification Rule.

OCR also advised healthcare organizations that breach reports, and patient notifications, are required if compromised data had not been encrypted by the entity to NIST specifications.

In the event of a breach, covered entities were told to contact their local FBI field office, submit details of the incident to the FBI’s Internet Crime Complaint Center and report the incident to US-CERT. OCR also emphasized that reporting ransomware attacks to other federal organizations or law enforcement bodies does not constitute a HIPAA-compliant breach report. OCR must be notified of the incident separately.

Threat intelligence sharing can prevent other organizations suffering similar attacks and OCR encourages the sharing of cyber threat information. However, the HIPAA Privacy Rule does not permit the sharing of PHI. When cyber threat information is shared with federal agencies, law enforcement, or an Information Sharing and Analysis Organization (ISAO), covered entities must ensure that PHI is not shared. Doing so would be a HIPAA violation and could result in action being taken against the organization in question.

OCR also reminded organizations that compliance with the HIPAA Security Rule helps covered entities prepare for ransomware attacks and respond appropriately if systems are compromised and data are encrypted.

Further information on HIPAA and ransomware attacks can be found in an OCR fact sheet on the subject.

Healthcare organizations were also reminded that they can request an unauthenticated scan of their public IP addresses from the Department of Homeland Security.

US-CERT’s National Cybersecurity Assessment & Technical Services (NCATS) provides an objective third-party perspective on an organization's cybersecurity posture and can conduct a broad assessment scanning for known vulnerabilities at no cost to stakeholders. The service allows healthcare organizations to be proactive and take steps to reduce risk prior to exploitation by malicious individuals. Requests can be made by emailing NCATS at NCATS_INFO@hq.dhs.gov.


Patients’ Email Addresses Accidentally Disclosed by Rutland Regional Medical Center

An electronic survey can provide healthcare organizations with valuable information to improve patient services; however, in the case of Rutland Regional Medical Center, it has resulted in a privacy breach.

According to the Burlington Free Press, Rutland Regional Medical Center sent emails to more than 700 patients asking for opinions on discharge paperwork in an effort to make improvements to patient discharges.

Rather than using an email group or the BCC field to mask patients’ email addresses, the addresses were added to the ‘To’ field. Consequently, the email addresses of more than 700 patients were revealed to everyone who received the mailshot.
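As an added example (not Rutland Regional Medical Center's code), the following shows the two controls the error above calls for: building the survey mailing as one message per patient so that the only address in the ‘To’ field is the recipient's own, and a pre-send gate that refuses any message whose visible recipient headers carry more than one address. The sender and patient addresses are constructed placeholders.

```python
# Added example: per-recipient survey messages plus a pre-send recipient-leak
# gate. Not the hospital's code; all addresses below are constructed.
from email.message import EmailMessage
from email.utils import getaddresses

SENDER = "surveys@hospital.example"                               # placeholder
PATIENTS = ["p1@example.net", "p2@example.net", "p3@example.net"]  # constructed


def visible_recipients(msg):
    """Addresses every recipient can read: everything in To and Cc.

    Bcc is stripped by the sending server, so it is deliberately not counted."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return {addr.lower() for _, addr in getaddresses(headers) if addr}


def assert_no_recipient_leak(msg):
    """Pre-send gate for bulk patient mail: at most one visible address."""
    seen = visible_recipients(msg)
    if len(seen) > 1:
        raise ValueError(f"refusing to send: {len(seen)} addresses visible in To/Cc")
    return True


def build_survey_messages(recipients, subject, body):
    """Safe pattern: one message per patient, their own address alone in To."""
    messages = []
    for addr in recipients:
        msg = EmailMessage()
        msg["From"] = SENDER
        msg["To"] = addr
        msg["Subject"] = subject
        msg.set_content(body)
        assert_no_recipient_leak(msg)   # would raise if a bug added more addresses
        messages.append(msg)
    return messages


def build_mistaken_message(recipients, subject, body):
    """The error reported above: every patient address placed in To."""
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


if __name__ == "__main__":
    good = build_survey_messages(PATIENTS, "Discharge paperwork survey", "Tell us how we did.")
    print(len(good), "messages, each exposing", [len(visible_recipients(m)) for m in good])
    bad = build_mistaken_message(PATIENTS, "Discharge paperwork survey", "Tell us how we did.")
    try:
        assert_no_recipient_leak(bad)
    except ValueError as exc:
        print(exc)
```

Sending individual messages is preferable to a single BCC mailing because the gate can then be mechanical: any message with more than one address in To or Cc is a defect rather than a judgement call.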

The error only revealed the email addresses of patients, many of whom would not have been easily identifiable from their email addresses. However, any patient who was identifiable from their email address would also have had their status as a patient of Rutland Regional Medical Center disclosed to the other recipients. The email also suggests that the recipient had recently been discharged from hospital, something patients may have wished to remain private.

Peg Bolgioni, a spokesperson for Rutland Regional Hospital, issued a statement apologizing for the error and privacy breach. She said as soon as staff were alerted to the mistake the mailing was terminated. An investigation into the incident has been launched to determine how the error was made.

Errors such as this may not warrant HIPAA violation penalties and are unlikely to elevate the risk of patients experiencing identity theft and fraud, although there is potential for the disclosed email addresses to be misused.

Email addresses can be used to send phishing emails and other malicious messages. For instance, malicious individuals could send phishing emails impersonating the hospital in an attempt to gather further information to commit fraud.

Incidents such as this can all too easily occur as a result of poor training or human error. It is important for healthcare organizations to ensure that staff members are properly trained and policies and procedures implemented to prevent errors from resulting in patient privacy violations.


Coney Island Hospital Supervisor Allowed Unvetted Volunteer to Access PHI

NYC Health + Hospitals has discovered a volunteer accessed the protected health information of almost 3,500 patients without official authorization.

The unauthorized disclosure of PHI was discovered by NYC Health + Hospitals on March 10, 2017. The volunteer had worked in the phlebotomy department of Coney Island Hospital for a period of three months under direction of a supervisor.

The supervisor arranged for the volunteer to perform a number of tasks, some of which involved accessing certain patients’ PHI. While volunteers would be permitted access to PHI if they had been first vetted by Coney Island Hospital’s Human Resources department, in this case that process had not been completed.

When the supervisor instructed the volunteer to perform certain duties that required the PHI of patients to be accessed, the supervisor violated NYC Health + Hospitals policies and Health Insurance Portability and Accountability Act Rules.

The activities performed by the volunteer that involved accessing PHI included logging the names of patients in a log book and transporting specimens within the Coney Island facility. While performing those duties, the volunteer had access to protected health information such as patients’ names, medical record numbers and dates of birth. Since the volunteer had not been vetted, an unauthorized disclosure of PHI had occurred.

The incident was investigated and aside from the volunteer viewing PHI, no other improper disclosures of PHI are understood to have occurred; however, the privacy violation warranted notifications to be sent to patients as is required by HIPAA Rules.

Anthony Rajkumar, Chief Executive Officer of NYC Health + Hospitals, issued a statement confirming action has been taken to prevent further privacy breaches of this nature from occurring, including reminding management of the responsibility to ensure all volunteers are subjected to proper processing procedures by the human resources department.

Action has also been taken against the supervisor for violating hospital policies. The supervisor was initially suspended and later resigned from the position. The volunteer has been prevented from accessing Coney Island Hospital facilities.

Due to the limited nature of PHI accessed by the volunteer, credit monitoring services have not been offered, although a toll-free number has been set up to allow patients to have any questions answered.


Ransomware Attack Reported by Dallas Senior Living Community

A ransomware attack on the Dallas Senior Living Community, Walnut Place, in February resulted in highly sensitive data being encrypted, including Social Security numbers, driver’s license numbers, birth dates, banking and credit card numbers, health insurance information, clinical information and patients’ and residents’ contact information.

The ransomware was installed on its systems on January 25, 2017, with the issue remediated eight days later on February 2, 2017. Third-party security experts were called in to assist with the forensic investigation of the breach and conducted a security scan of its systems to ensure all traces of malware had been removed.

The incident report has yet to appear on the Department of Health and Human Services’ Office for Civil Rights breach portal, so it is currently unclear exactly how many individuals have been impacted.

Ransomware Attacks and HIPAA Rules

Ransomware attacks are not always reportable under HIPAA Rules. If an organization can demonstrate there was a low probability of PHI being acquired, accessed, used or disclosed (see OCR ransomware clarification), a breach report is not required and affected individuals would not need to be notified. That said, ransomware attacks are covered under the definition of security incidents in the HIPAA Security Rule (45 C.F.R. 164.304).

Further, the Department of Health and Human Services confirms in its guidance that “When electronic protected health information (ePHI) is encrypted as the result of a ransomware attack, a [HIPAA] breach has occurred because the ePHI encrypted by the ransomware was acquired, and thus is a “disclosure” not permitted under the HIPAA Privacy Rule.”

A ransomware attack that involves ePHI being encrypted therefore requires the organization to follow security incident procedures, including procedures for reporting those incidents.

In this case, Walnut Place took the decision to send breach notification letters to those affected due to the sensitive nature of the data that was compromised in the attack. Walnut Place is also offering affected individuals 12 months of credit monitoring services free of charge.

However, the breach notices appear to have been delayed. Under HIPAA Rules, organizations have up to 60 days following the discovery of the breach to issue notifications. The press release issued by Walnut Place on May 12, 2017 states that the ransomware attack was only discovered by its ‘leadership’ on March 13, 2017.

The press release, and notifications, were therefore issued within 60 days of leadership discovering the breach, but more than 3 months after the breach was actually discovered and remediated.

That suggests the ransomware attack was identified and dealt with without the knowledge of the organization’s leadership and/or there was an impermissible delay in issuing notifications and a potential violation of the HIPAA Breach Notification Rule.

Implement Policies and Procedures to Ensure Breach Reporting Deadlines Are Met

The incident highlights the importance of ensuring that policies and procedures are implemented requiring all potential PHI incidents to be reported internally to the organization’s leadership. Policies and procedures should also be in place to ensure OCR, affected individuals and state officials receive timely notifications of security incidents. The failure to report incidents in a timely manner can attract a financial penalty.

OCR has already settled with a covered entity solely for delayed breach notifications. A settlement of $475,000 was reached with Presence Health of Illinois for delaying the issuing of breach notifications by 34 days, more than a month outside the maximum time frame allowable under the HIPAA Breach Notification Rule.


PHI of Thousands of Patients of Bronx Lebanon Hospital Center Exposed Online

Highly sensitive medical records of thousands of patients of New York’s Bronx Lebanon Hospital Center have been exposed online. Those records were reportedly accessible for three years as a result of a misconfigured backup server.

The exposed records were uncovered by researchers at the Kromtech Security Research Center after conducting a “regular security audit of exposed rsync protocols on Shodan,” a search engine that can be used to find networked devices. Rsync backup servers are used for transferring files between computer systems and for file syncing.

The records were neither encrypted nor protected with a password and could have been downloaded by any individual who knew where to look.
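As an added example (not iHealth's or Kromtech's code), the following is a small audit of an rsync daemon configuration for the class of exposure described above: a module that is reachable without credentials or any source-address restriction, and that advertises itself to anyone who asks. The `rsyncd.conf` text is constructed for the example; the directive names (`auth users`, `secrets file`, `hosts allow`, `list`, `read only`) are standard rsync daemon settings.

```python
# Added example: audit an rsyncd.conf for anonymous, unrestricted modules.
# The configuration below is constructed, not a real server's.
RSYNCD_CONF = """\
# constructed example configuration
uid = nobody
gid = nobody
use chroot = yes

[backups]
    path = /srv/backups
    comment = nightly database dumps
    read only = yes

[secured]
    path = /srv/secured
    auth users = backupsvc
    secrets file = /etc/rsyncd.secrets
    hosts allow = 10.20.0.0/16
    list = no
"""

TRUE_VALUES = ("yes", "true", "1")
FALSE_VALUES = ("no", "false", "0")


def parse_rsyncd(text):
    """Parse rsyncd.conf into (global_settings, {module: settings}).

    Keys are lower-cased with internal whitespace collapsed, because rsync
    accepts 'auth users', 'Auth Users' and 'auth  users' alike."""
    global_settings, modules, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            modules[current] = {}
            continue
        key, _, value = line.partition("=")
        key = " ".join(key.lower().split())
        target = global_settings if current is None else modules[current]
        target[key] = value.strip()
    return global_settings, modules


def audit_rsyncd(text):
    """Return {module: [finding, ...]}; an empty list means nothing was flagged."""
    global_settings, modules = parse_rsyncd(text)
    report = {}
    for name, own in modules.items():
        cfg = {**global_settings, **own}          # module values override globals
        findings = []
        if not cfg.get("auth users"):
            findings.append("no 'auth users': anonymous clients can connect")
        if not cfg.get("hosts allow"):
            findings.append("no 'hosts allow': any source address is accepted")
        if cfg.get("list", "yes").lower() in TRUE_VALUES:
            findings.append("'list' is on (the default): module name is discoverable")
        if cfg.get("read only", "yes").lower() in FALSE_VALUES:
            findings.append("'read only = no': clients can write to the path")
        report[name] = findings
    return report


if __name__ == "__main__":
    for module, findings in audit_rsyncd(RSYNCD_CONF).items():
        print(module, "->", findings or ["ok"])
```

A clean audit is necessary, not sufficient: the rsync daemon protocol carries file data unencrypted, so a module holding medical records should not be reachable from the internet at all, and the usual arrangement is to run rsync over SSH or restrict the daemon port to the backup network.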

It is currently unclear exactly how many patient records were exposed, with initial reports indicating tens of thousands of patients may have been affected. NBC’s Mary Emily O’Hara recently reported that the breach has impacted at least 7,000 individuals.

The misconfiguration allowed the researchers to view highly sensitive information including names, addresses, medical diagnoses, health histories and highly sensitive data including HIV statuses, reports of domestic violence, sexual assaults and addiction histories.

It was not initially clear to whom the data belonged, although the records were eventually traced to the Bronx Lebanon Hospital Center, with the backup device linked to iHealth Innovations, a Louisville, KY-based IT services and records management company.

In a recent blog post, MacKeeper researcher Bob Diachenko explained that efforts were made by Kromtech to contact the owners of the data, with assistance provided by Databreaches.net. In a statement provided to databreaches.net, Diachenko confirmed there has been no improper usage of the data by the Kromtech researchers.

While the majority of data appear to relate to patients of the Bronx Lebanon Hospital Center, it is unclear at this stage whether patients of other healthcare providers have also been affected.

iHealth has confirmed that a breach has occurred and the incident has been investigated. While the investigation is ongoing, iHealth says the investigation revealed that only one individual had accessed the data – the Kromtech researcher who discovered the error.

The server has now been reconfigured to prevent further access and the investigation is continuing, with a third-party cybersecurity company called in to validate iHealth’s analysis. The breach has been reported to law enforcement and Bronx Lebanon Hospital Center is assisting with the investigation.


Security Breach Highlights Need for Patient Portals to be Pen Tested

A range of safeguards must be implemented to ensure networks and EHRs are protected. Encryption should be considered to prevent the loss or theft of devices from exposing the ePHI of patients. However, it is also important for healthcare organizations to check their patient portals for potential vulnerabilities and implement safeguards to prevent unauthorized disclosures of sensitive information.

The failure to implement appropriate safeguards on web-based applications can easily result in unauthorized disclosures of patients’ PHI, as was recently demonstrated at True Health Diagnostics.

The Frisco, TX-based healthcare services company offers testing for a wide range of diseases and genetic abnormalities, with test information available to patients via a web portal. The web portal allows patients to obtain their test results quickly. Patients are required to register and can only access their records if they first log in to the portal.

However, a flaw on the web portal allowed patients to access not only their own test results, but the test results and PHI of other patients. The website flaw was discovered by a Las Vegas IT consultant called Troy Mursch, who alerted Brian Krebs to the vulnerability last week.

Mursch discovered that after logging into the patient portal, he was able to access the health records and medical test results of other patients. Mursch accessed his own test results, which were uploaded to the portal in PDF form, but by changing a digit in the URL he was able to view the medical information of other patients.

True Health Diagnostics used sequential numbers on their PDF files, which makes it easy for the URL to be altered and for other patients’ records to be viewed via a web browser. While the portal required users to be logged in to view test results, there appear to have been no controls in place to prevent a logged-in user from accessing the records of other patients.
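As an added illustration (not True Health Diagnostics' code), the following models the flaw described above, an insecure direct object reference: reports are keyed by a sequential number and the handler checks only that the caller is logged in, never that the report belongs to them. The hardened handler adds a per-request ownership check and unguessable identifiers, and a small log check shows how a session walking many distinct report ids stands out. All names, ids and log lines are constructed.

```python
# Added example: vulnerable vs hardened report lookup for a patient portal,
# plus a log heuristic for id enumeration. Constructed data throughout.
import secrets
from collections import defaultdict
from dataclasses import dataclass, field


class NotFound(Exception):
    """Raised for reports that are missing OR belong to someone else.

    Using one error for both cases stops a caller from learning which
    identifiers exist."""


@dataclass
class Result:
    result_id: str
    patient_id: str    # the logged-in account that owns this report
    pdf_name: str


@dataclass
class Portal:
    results: dict = field(default_factory=dict)
    _next_seq: int = 1

    # ---- vulnerable pattern: guessable key, authentication only ----
    def add_result_sequential(self, patient_id, pdf_name):
        result_id = str(self._next_seq)           # 1, 2, 3 ... trivially guessable
        self._next_seq += 1
        self.results[result_id] = Result(result_id, patient_id, pdf_name)
        return result_id

    def fetch_vulnerable(self, session_user, result_id):
        if session_user is None:
            raise PermissionError("login required")
        # Defect: nothing checks that the report belongs to session_user,
        # so changing one digit in the id reaches another patient's report.
        return self.results[result_id].pdf_name

    # ---- hardened pattern: unguessable key plus ownership check ----
    def add_result_random(self, patient_id, pdf_name):
        result_id = secrets.token_urlsafe(16)     # 128 random bits, not enumerable
        self.results[result_id] = Result(result_id, patient_id, pdf_name)
        return result_id

    def fetch_secure(self, session_user, result_id):
        if session_user is None:
            raise PermissionError("login required")
        rec = self.results.get(result_id)
        # The ownership check is the real control; the random id only raises
        # the cost of guessing and must never replace authorization.
        if rec is None or rec.patient_id != session_user:
            raise NotFound(result_id)
        return rec.pdf_name


# ---- detection: spot enumeration in portal access logs ----
ACCESS_LOG = [  # constructed sample lines, not real portal logs
    "user=alice result=101 status=200",
    "user=alice result=102 status=200",
    "user=alice result=103 status=200",
    "user=alice result=104 status=200",
    "user=alice result=105 status=200",
    "user=bob result=106 status=200",
    "user=bob result=106 status=200",
]


def enumeration_suspects(lines, threshold=3):
    """Return users who fetched more than `threshold` distinct result ids.

    A patient normally views only their own handful of reports, so a session
    touching many distinct ids is a strong enumeration signal."""
    distinct = defaultdict(set)
    for line in lines:
        fields = dict(kv.split("=", 1) for kv in line.split())
        distinct[fields["user"]].add(fields["result"])
    return sorted(u for u, ids in distinct.items() if len(ids) > threshold)


if __name__ == "__main__":
    portal = Portal()
    portal.add_result_sequential("alice", "alice.pdf")
    bob_id = portal.add_result_sequential("bob", "bob.pdf")
    print("vulnerable lookup by alice of bob's id:", portal.fetch_vulnerable("alice", bob_id))
    carol_id = portal.add_result_random("carol", "carol.pdf")
    try:
        portal.fetch_secure("alice", carol_id)
    except NotFound:
        print("secure lookup by alice of carol's id: not found")
    print("enumeration suspects:", enumeration_suspects(ACCESS_LOG))
```

The point of the example is that the fix is the ownership comparison in `fetch_secure`, which holds even when an attacker knows a valid id; random identifiers and the log heuristic are defence in depth around it, and the log check is the kind of signal a penetration test of the portal would have produced years earlier.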

Krebs alerted True Health Diagnostics to the flaw and the web portal was immediately taken offline while the issue was resolved. The issue has now been fixed and the portal is now back online. An investigation has now been launched to determine whether any patient health information was accessed by unauthorized individuals. Should that be the case, patients will be notified.

In this case, the incident was identified and reported quickly, allowing rapid action to be taken to secure the records. However, Mursch noted that his test results from two years ago also appeared to have been numbered in the same manner, suggesting patient records could have been exposed for a number of years.

This incident should serve as a warning to covered entities that have implemented patient portals to ensure appropriate safeguards have been implemented to prevent unauthorized disclosures of PHI. Any web-based interface should be thoroughly checked, using penetration tests, to determine whether vulnerabilities exist. If a solution is purchased from a third party firm, a covered entity should determine the extent to which the system has been tested and should also consider verifying no vulnerabilities exist by conducting penetration tests.

OCR has taken action against covered entities in the past for the failure to secure PHI accessible via web-based interfaces, including a $1.7 million settlement with WellPoint and a $100,000 settlement with Phoenix Cardiac Surgery.
