HIPAA Breach News

Memorial Hermann Health System Hit with $2.4 Million HIPAA Fine

Memorial Hermann Health System has agreed to settle potential HIPAA Privacy Rule violations with the Department of Health and Human Services’ Office for Civil Rights (OCR) for $2.4 million. The settlement stems from an impermissible disclosure on a press release issued by MHHS in September 2015.

Memorial Hermann Health System (MHHS) is a 16-hospital health system based in Southeast Texas, serving patients in the Greater Houston area. In September, a patient visited a MHHS clinic and presented a fraudulent identification card to hospital staff.

The fraudulent ID card was identified as such by hospital staff, law enforcement was notified and the patient was arrested. The hospital disclosed the name of the patient to law enforcement, which is allowable under HIPAA Rules.

However, the hospital's next action violated the HIPAA Privacy Rule. MHHS issued a press release about the incident but included the patient's name in the title of the press release. That press release was approved by MHHS senior management before it was issued, even though naming the patient constituted an impermissible disclosure of PHI.

The incident was widely reported in the media and a complaint was filed with OCR, prompting an investigation. The investigation revealed that the press release had been distributed to fifteen media outlets. On three occasions following the issuing of the press release, the patient’s identity was disclosed in meetings with advocacy groups, a state senator and state representatives. A statement in which the patient was named was also published on the MHHS website.

These unauthorized disclosures, which occurred between September 15 and October 1, 2015, constituted a knowing and intentional failure to safeguard the PHI of the patient. MHHS was also discovered to have failed to document the sanctions imposed against the members of staff who violated the HIPAA Privacy Rule, as is required by HIPAA (45 C.F.R. § 164.530(e)(2)).

In addition to the sizable payment to OCR, Memorial Hermann Health System has agreed to adopt a corrective action plan that requires policies and procedures to be updated and staff trained to prevent further impermissible disclosures of PHI. All MHHS facilities must also attest that they understand the allowable disclosures and uses of PHI.

HIPAA penalties are often issued for large scale breaches of PHI stemming from violations of HIPAA Rules. While OCR has agreed settlements with HIPAA-covered entities for breaches of fewer than 500 records in the past, settlements are typically reserved for large breaches of PHI caused by HIPAA violations. This is the first settlement to be agreed with a HIPAA-covered entity for a breach of a single patient’s PHI.

OCR Director Roger Severino issued a statement about the settlement saying “Senior management should have known that disclosing a patient’s name on the title of a press release was a clear HIPAA Privacy violation that would induce a swift OCR response.” He went on to explain that “This case reminds us that organizations can readily cooperate with law enforcement without violating HIPAA, but that they must nevertheless continue to protect patient privacy when making statements to the public and elsewhere.”

This is the eighth HIPAA settlement to be announced by OCR in 2017. In 2016, a record year for HIPAA settlements, there were 12 settlements reached with covered entities to resolve HIPAA violations and one CMP issued. At this rate, 2017 looks set to be another record breaking year.

The sharp increase in HIPAA penalties should serve as a warning to covered entities that any violation of HIPAA Rules could result in a substantial financial penalty.

The post Memorial Hermann Health System Hit with $2.4 Million HIPAA Fine appeared first on HIPAA Journal.

New Jersey IVF Clinic Hack Sees PHI of 14,000 Patients Potentially Compromised

A third-party server hosting the electronic health record database of the New Jersey Diamond Institute for Infertility and Menopause has been hacked and access gained by an unauthorized individual.

The Diamond Institute says its database and EHR system was encrypted, so the attackers were unable to access patient health records, although many unencrypted supporting documents were also stored on the server and may have been accessed.

It is unclear when the attack took place, although the Diamond Institute learned of the cyberattack on February 27, 2017. A full investigation was rapidly initiated and steps taken to secure the server to prevent further unauthorized activity.

The investigation involved checking all documents to determine the patients impacted and the types of data that could potentially have been viewed or copied. The documents were found to contain a limited amount of protected health information relating to more than 14,000 patients. Those data included patients’ names, addresses, birth dates, Social Security numbers, sonograms and lab test results.

The breach has prompted the Diamond Institute to perform a full password reset and update its firewall to prevent similar attacks from occurring in the future. Virtual network credentials have also been changed and all unused open ports have now been closed.

The investigation did not uncover any evidence to suggest that information contained in the documents has been misused as a result of the incident, although patients have been provided with resources to protect their identities and prevent future fraudulent uses of their data.

Since highly sensitive protected health information has potentially been accessed and copied by the attackers, out of an abundance of caution, all patients affected by the security breach are being offered credit monitoring and identity theft restoration services for 12 months without charge.

The breach report submitted to the Department of Health and Human Services’ Office for Civil Rights shows 14,633 individuals have been impacted by the incident.


Unencrypted Hard Drive Stolen from LSU Health New Orleans: 2,200 Individuals Impacted

Another healthcare provider has announced that an unencrypted device used to store electronic protected health information of patients has been stolen.

The medical data of 2,200 patients of Louisiana State University Health New Orleans were stored on a portable hard drive that was stolen from the Department of Neurology Research in March.

The theft occurred on or around March 6 and was immediately reported to law enforcement. A suspect was arrested the following day, although the hard drive has not been recovered. Officials do not believe any data on the drive have been misused, although the possibility that ePHI has been viewed cannot be ruled out.

LSU Health New Orleans has reconstructed the data on the drive and is notifying affected individuals. The drive contained research data relating to individuals who participated in studies between 1998 and 2009.

No Social Security numbers or financial information have been compromised, with the data breach limited to names, dates of birth, diagnosis codes and treatment codes.

This is not the first time that an incident such as this has resulted in the exposure of patients' protected health information. In 2015, a faculty member of the LSU Health New Orleans School of Medicine had a laptop computer stolen from his vehicle. The device contained a wide range of protected health information of approximately 5,000 minor patients. Following that breach, information security policies and procedures were reviewed to determine whether improvements could be made to reduce the risk of future breaches.

LSU Health New Orleans does now have information technology policies in place that require safeguards to be implemented on mobile devices to reduce the risk of data exposure in the event that devices are lost or stolen. Those policies do include the use of encryption; however, in this case, those policies were not followed.

According to a statement issued by LSU Health New Orleans, the lack of encryption on the device has resulted in ‘appropriate remedial action’ being taken.

Data security policies will now be updated and included in training programs to prevent similar incidents from occurring in the future. Affected patients are being offered one year of credit monitoring services.


Bitglass Publishes 2017 Healthcare Data Security Report

Bitglass has recently published its 2017 Healthcare Data Breach Report, the third annual report on healthcare data security issued by the data protection firm.

For the report, Bitglass conducted an analysis of healthcare data breach reports submitted to the Department of Health and Human Services’ Office for Civil Rights.

The report confirms 2016 was a particularly bad year for healthcare industry data breaches. Last year saw record numbers of healthcare data breaches reported, although the number of healthcare records exposed in 2016 was lower than in 2015. In 2016, 328 healthcare data breaches were reported, up from 268 incidents in 2015. Last year’s healthcare data breaches impacted around 16.6 million Americans.

The good news is that while incidents are up, breaches are exposing fewer healthcare records. If the colossal data breach at Anthem Inc., which exposed 78.8 million healthcare records, is considered an anomaly and is excluded from last year’s figures, the number of individuals impacted by healthcare data breaches has fallen for two years in a row. That trend looks set to continue in 2017, although the number of data breaches already reported by healthcare organizations remains high.

The 2017 Healthcare Data Security Report confirms that the biggest problem area is unauthorized disclosures, which accounted for 40% of breaches last year. Those figures include deliberate acts by healthcare employees and unintentional errors that left data exposed.

The report’s authors explain the rise in unauthorized disclosures saying, “Unauthorized disclosures continue to tick up and are now the leading cause of breaches as data moves to cloud and mobile and as external sharing becomes easier.”

Those incidents have exposed the records of many Americans, but hacking is the biggest cause of exposed and stolen records. More records were stolen as a result of hacking than all of the other breach causes combined.

80% of all exposed or stolen healthcare records in 2016 were the result of hacks, and the five largest healthcare data breaches of 2016 were all due to hacking and IT incidents. The same is true of 2017 so far: with the exception of the largest reported breach this year, all other breaches in the top five were the result of hacking.

Largest Healthcare Data Breaches of 2016

| Rank | Organization | Entity Type | Individuals Affected | Cause of Breach |
|------|--------------|-------------|----------------------|-----------------|
| 1 | Banner Health | Healthcare Provider | 3,620,000 | Hacking/IT Incident |
| 2 | Newkirk Products | Business Associate | 3,466,120 | Hacking/IT Incident |
| 3 | 21st Century Oncology | Healthcare Provider | 2,213,597 | Hacking/IT Incident |
| 4 | Valley Anesthesiology Consultants | Healthcare Provider | 882,590 | Hacking/IT Incident |
| 5 | County of Los Angeles Departments of Health and Mental Health | Healthcare Provider | 749,017 | Hacking/IT Incident |
| 6 | Bon Secours Health System Incorporated | Healthcare Provider | 651,971 | Hacking/IT Incident |
| 7 | Peachtree Orthopaedic Clinic | Healthcare Provider | 531,000 | Unauthorized Access/Disclosure |
| 8 | Radiology Regional Center, PA | Healthcare Provider | 483,063 | Hacking/IT Incident |
| 9 | California Correctional Health Care Services | Healthcare Provider | 400,000 | Loss |
| 10 | Community Health Plan of Washington | Health Plan | 381,504 | Theft |


Largest Healthcare Data Breaches of 2017 (January-April)

| Rank | Organization | Entity Type | Individuals Affected | Cause of Breach |
|------|--------------|-------------|----------------------|-----------------|
| 1 | Commonwealth Health Corporation | Healthcare Provider | 697,800 | Theft |
| 2 | Urology Austin, PLLC | Healthcare Provider | 279,663 | Hacking/IT Incident |
| 3 | VisionQuest Eyecare | Healthcare Provider | 85,995 | Hacking/IT Incident |
| 4 | Washington University School of Medicine | Healthcare Provider | 80,270 | Hacking/IT Incident |
| 5 | Emory Healthcare | Healthcare Provider | 79,930 | Hacking/IT Incident |
| 6 | Stephenville Medical & Surgical Clinic | Healthcare Provider | 75,000 | Unauthorized Access/Disclosure |
| 7 | Primary Care Specialists, Inc. | Healthcare Provider | 65,000 | Hacking/IT Incident |
| 8 | ABCD Pediatrics, P.A. | Healthcare Provider | 55,447 | Hacking/IT Incident |
| 9 | WellCare Health Plans, Inc. | Health Plan | 24,809 | Hacking/IT Incident |
| 10 | Denton Heart Group | Healthcare Provider | 21,665 | Theft |

Healthcare Security Spending is Increasing

Fortunately, healthcare organizations have realized they need to increase spending on data and network security defenses. Security budgets are growing rapidly and, while not quite at the level of the retail sector, they are fast catching up.

While healthcare organizations are committed to protecting the privacy of patients, one of the main drivers behind the increase in security investment is the cost of breach resolution. The cost of data breaches makes investment in cybersecurity defenses a priority.

The authors of the 2017 Healthcare Data Breach Report point out that healthcare data breaches cost more to resolve than breaches experienced by other industries. Figures from the Ponemon Institute show that a healthcare data breach costs organizations an average of $402 per compromised record. For other industries, the average is $221 per compromised record. With such high costs, lax data security simply isn’t an option.

Bitglass CEO Nat Kausik said, “While threats to sensitive healthcare data will persist, increased investments in data-centric security and stronger compliance and disclosure mandates are driving down the impact of each breach event.”


Survey Explores Trust in Healthcare Organizations’ Ability to Keep Data Secure

A recent survey by Accenture has explored consumers’ attitudes about healthcare data security and the impact of healthcare data breaches on consumers.

The survey revealed the extent to which individuals had suffered losses as a result of a data breach, how consumers felt their organization handled data breaches and the effect those breaches had on trust.

Trust in Healthcare Providers and Insurers is High

In the United States, trust in healthcare providers’ and health insurers’ ability to keep sensitive data secure is high. 88% of respondents said they trusted their physician or other healthcare providers ‘somewhat’ (53%) or ‘a great deal’ (36%). Trust in hospitals was slightly lower at 84% (54% somewhat / 30% a great deal). Health insurers and laboratories that process medical tests fared slightly worse, both somewhat trusted by 54% of respondents and trusted a great deal by 28% of respondents.

Distrust (not at all trusted or not trusted very much) was highest in urgent care clinics (25%), non-medical staff at physicians’ and healthcare providers’ offices (36%) and tech companies that provide wearables and health apps (43%). As a comparison, 56% said they somewhat trusted or trusted a great deal the government with respect to health data security; 32% didn’t trust the government very much and 13% didn’t trust the government at all.

80% of consumers were very confident or somewhat confident in their healthcare providers’ data security measures, with confidence in health insurers’ data security measures a fraction lower at 79%. Only 63% of consumers gave one of the two highest ratings to the measures put in place by health app and device companies.

Trust may be fairly high, but a quarter of U.S. consumers have experienced a breach of their healthcare data and half of those individuals have been a victim of medical identity theft as a direct result. Consumers have been forced to cover costs as a result of the exposure of their data, with 88% of individuals spending an average of $2,528.

More than a third of those individuals said their hospital had experienced the breach. 22% said their pharmacy or urgent care clinic had been breached; health insurers’ and physicians’ offices were the next worst affected, with 21% of consumers naming them as the source of the breach.

Even with HIPAA Rules requiring breach notifications to be sent to patients, half of those impacted by a health data breach said they found out about it on their own. Only 36% of respondents said their company told them about the breach, although 91% said action was taken by that company in response to the breach.

The breach response was rated as being handled very well by 25% of respondents and somewhat well by 51% of respondents. 18% said the breach response was not handled very well and 6% said it was not handled well at all.

Trust in Healthcare Organizations May Improve After a Data Breach

While healthcare data breaches have the potential to destroy patients’ and health plan members’ trust in their providers, the survey showed that is not always the case. In fact, in 41% of cases, consumers’ trust in their healthcare organizations increased after a data breach.

12% of respondents said they ended up trusting their providers much more, 29% said they trusted their providers a little more and 24% said the breach response made no difference to trust levels.

The results show just how important it is for the breach response to be handled well. 34% of respondents said they lost trust in their healthcare organization after a breach was experienced.

Getting the breach response right is essential if healthcare organizations want to ensure trust is not negatively affected. For that to happen, organizations must be prepared for the worst and have policies and procedures that can be rapidly implemented when a breach is discovered.

Fast notifications are important for consumers as they need to take action to secure their accounts and protect their identities. 91% of respondents said they personally took action when they discovered their health data had been stolen. The faster that process can take place, the less likely consumers are to experience losses.

Getting breach notifications right is also important. If trust is to be built, consumers need to be reassured that privacy and security is taken seriously. Consumers should also be informed about the actions that are being taken in response to the breach to ensure a similar incident will not occur in the future. However, this is an area that could be improved.

Only 27% of companies explained the cause of the breach, and just 26% said the breach had prompted them to add new security protocols. Only 22% explained how future breaches would be prevented.

Fewer than a quarter of companies (24%) explained the potential consequences of the breach to consumers and only 23% offered identity theft protection services.


Two Harrisburg Practices Report Potential ePHI Breach

Two Harrisburg practices have discovered their systems have been accessed by an unauthorized individual who may have gained access to the electronic protected health information of their patients.

Harrisburg Endoscopy and Surgery Center and Harrisburg Gastroenterology in Dauphin County, PA were alerted to a potential intrusion when suspicious system activity was detected on March 17, 2017.

While the investigation revealed the system had been accessed, no evidence was uncovered to suggest any ePHI was accessed or stolen by the attacker; however, the possibility of data access could not be ruled out.

Out of an abundance of caution, patients were sent breach notification letters on April 28 providing them with information about the breach to allow them to take precautions to protect their identities. It would appear that credit monitoring and identity theft protection services are not being offered to affected patients.

The types of information stored on the compromised system included names, demographic information, health insurance details, Social Security numbers, clinical data and diagnostic information.

The incident has prompted both practices to enhance their security protections to prevent future breaches of this nature from occurring.

The incident has yet to appear on the Department of Health and Human Services’ Office for Civil Rights breach portal. It is currently unclear exactly how many patients have been impacted.

Over the past few weeks there has been a spate of hacking incidents reported to OCR by healthcare organizations. In January/February, there were 51 healthcare data breaches reported to OCR, 27% of which were the result of hacking.

In March/April, a further 51 healthcare data breaches were reported, 19 of which (37%) were due to hacking, a rise of 37% in the past two months. Hacking incidents have increased, although they are not the leading cause of data breaches. In March/April, 22 breaches involved unauthorized disclosures, or 43% of all incidents reported to OCR. That represents a 10% increase in unauthorized disclosures from the first two months of the year.


Greenway Health Ransomware Attack Stops 400 Clients from Accessing EHRs

Tampa, Florida-based practice management software and EHR vendor, Greenway Health, has experienced a ransomware attack that has affected around 5% of its client base – approximately 400 healthcare organizations.

It is unclear whether the ransomware infection resulted in EHR data being encrypted, although clients were temporarily prevented from accessing the cloud-based Intergy EHR/medical management platform. Those clients were forced to resort to using pen and paper while Greenway Health worked to restore its system.

Fortunately, all client data were backed up and could be recovered, although that process took time. On April 22, 2017, third-party rapid response security firms were brought in to remove the infection and restore data. A spokesperson for Greenway Health said the teams were “working around the clock to restore access to affected Intergy hosted customers.” As of yesterday, around half of affected clients had access to the Intergy system restored.

While the cloud-based platform was taken out of action, Greenway Health has not uncovered any evidence to suggest that patient data were accessed or exfiltrated. The ransomware infection was rapidly contained and there are no signs that the infection has spread to other systems, although Greenway Health is continuing to monitor the situation. Greenway Health said there was little or no data loss.

Since the investigation into the attack is ongoing, few details on the specifics have been released. Greenway Health has not announced which ransomware variant was involved, how the ransomware was installed on its system, and whether all data were recovered from backups or if the ransom demand was paid.

Greenway Health’s CEO, Scott Zimmerman, said “Though we build extensive safeguards into our products and services, no Internet-based system is completely immune from attack.” Zimmerman also explained that the company is “continuously focused on evaluating additional measures that we may take to further enhance our defenses against cybercrime.”

EHR vendors typically have highly advanced cybersecurity protections in place, but this incident shows that no company is immune to attack. The ransomware attack should serve as a warning for all healthcare providers that use cloud-based EHR systems. ePHI access may be lost, so it is essential that contingency plans are developed to ensure that a cyberattack on their EHR vendor does not majorly impact healthcare operations.


Hill Country Memorial Hospital Discovers Email Account Compromise

An unauthorized individual has gained access to the email account of an employee of Hill Country Memorial Hospital and sent a number of fraudulent invoices, and may also have accessed the protected health information of certain patients.

The Fredericksburg, TX hospital discovered the email account of an emergency room employee had been accessed on February 21, 2017. The attack is believed to have been conducted solely for the purpose of sending fraudulent invoices to the hospital’s accounts payable department. However, the email account contained a range of ePHI which could potentially have been accessed and stolen by the attacker.

The investigation into the security breach did not reveal whether any emails had been accessed, and if the ePHI of patients had been viewed or copied, but the possibility could not be ruled out. The email account contained patients’ names, addresses, ID numbers, dates of birth, prescription and treatment information, medical diagnoses, procedure information and Social Security Numbers.

It is unclear at this stage how the criminal gained access to the email account, although steps have now been taken to secure the account to ensure further unauthorized access is not possible. A password reset has also been performed on all email accounts and logins have been changed as a precaution against further attacks. The hospital is also evaluating further measures that can be implemented to strengthen security. The hospital has notified law enforcement about the breach and the investigation into the incident is continuing. It is unclear whether any of the fraudulent invoices sent from the breached account resulted in payments being made.

Jayne Pope, Chief Executive Officer of Hill Country Memorial Hospital, has apologized to patients for the inconvenience caused and has confirmed that the hospital takes patient privacy very seriously. Out of an abundance of caution, all patients impacted by the incident have been offered credit monitoring and identity theft protection services for 12 months without charge.


PHI Potentially Compromised in Atlantic Digestive Specialists Ransomware Attack

Somersworth, New Hampshire-based Atlantic Digestive Specialists is one of the latest healthcare organizations to report a ransomware attack that has potentially resulted in the protected health information of patients being accessed.

The ransomware attack was discovered on February 20, 2017, although a subsequent investigation revealed that the ransomware was installed on February 18. The infection took two days to resolve, during which time access to certain computer systems was limited. All traces of the ransomware were removed from its systems by February 22, 2017.

Atlantic Digestive Specialists hired a third-party cybersecurity firm to conduct a thorough investigation of the attack to determine how the infection occurred, the extent of the attack, and which files were potentially accessed by the attackers.

The investigation revealed files containing patients’ names, addresses, telephone numbers, medical record numbers, clinical and diagnostic information, health insurance details, and in some cases, Social Security numbers were encrypted.

The investigation uncovered no evidence to suggest any sensitive data were accessed or stolen by the attackers, and no reports have been received to suggest any patients’ protected health information has been misused. Since the possibility of data theft could not be ruled out with a high degree of certainty, all affected patients have been advised to be vigilant for signs of fraudulent activity. Out of an abundance of caution, patients have been offered credit monitoring services to protect them against identity theft and fraud.

Over the past few weeks, several small healthcare practices have been attacked with ransomware. While in most cases data have been recovered from backups and no ransom has been paid, the attacks have resulted in considerable disruption and sizable breach resolution costs.

Regular backups of data should be performed to ensure no ransom needs to be paid in the event of an attack and small healthcare organizations should consider augmenting their defenses against ransomware.

Since the majority of ransomware attacks occur via email, staff should be advised to exercise caution: not to open any email attachments from unknown senders, never to enable macros on emailed Office documents, and to be wary of hyperlinks sent via email.

Information on how HIPAA Rules apply to ransomware attacks is available from the Department of Health and Human Services.
