HIPAA Breach News

May’s Healthcare Data Breach Report Shows Some Incidents Took 3 Years to Discover

The May 2017 healthcare Breach Barometer Report from Protenus shows there was an increase in reported data breaches last month. May was the second worst month of the year to date for healthcare data breaches with 37 reported incidents, approaching the 39 data breaches reported in March. In April, there were 34 incidents reported.

So far, each month of 2017 has seen more than 30 data breaches reported, roughly one reported breach per day, as was the case in 2016.

In May, there were 255,108 exposed healthcare records representing a 10% increase in victims from the previous month; however, it is not yet known how many records were exposed in 8 of the breaches reported in May. The number of individuals affected could rise significantly.

The largest incident reported in May was the theft of data by TheDarkOverlord, a hacking group/hacker known for stealing data and demanding a ransom in exchange for not publishing the data. The latest incident saw the data dumped online when the organization refused to pay the ransom.

While April saw a majority of healthcare data breaches caused by hackers, in May it was insiders that caused the most data breaches. Insiders were responsible for 40.54% of data breaches (15 incidents) in May, with 10 the result of insider errors and 5 incidents the result of insider wrongdoing. In total, 39,491 healthcare records were exposed as the result of insiders.

Hacking was the second biggest cause of data breaches, accounting for 35.14% of the month’s reported breaches. As is typical, hacking resulted in the exposure of the most records – 203,394. At least three of those hacking incidents involved ransomware.

This month’s report proved problematic, as several hacking incidents were discovered after data were posted on black market websites, yet it is unclear whether the incidents are genuine as efforts to verify the data proved inconclusive.

Loss or theft of unencrypted devices and physical records accounted for 13.51% of breaches. Those incidents resulted in the exposure of 4,122 records, although it is unclear how many records were exposed in one of the 4 breaches involving theft/loss. The cause of the 10.81% of incidents is still unknown.

Healthcare providers reported 81% of the month’s breaches, followed by business associates (11%) and health plans (8%).

Over the past two months there has been an improvement in the reporting of healthcare data breaches, with more covered entities reporting incidents inside the 60-day limit of the HIPAA Breach Notification Rule. This month 83% of covered entities reported their breaches on time, an improvement from last month when just 66% of breaches were reported within 60 days. One covered entity took 77 days to report a breach while another took 140 days; more than twice the allowable time. The improvement could be due, in part, to OCR’s decision to fine a covered entity $475,000 for the late issuing of breach notifications to patients.

This month’s Breach Barometer report shows that while breach reporting is improving, breach detection remains a problem. April’s breaches took an average of 51 days to detect, whereas in May it took an average of 441 days for healthcare organizations to discover a breach had occurred. Three healthcare organizations took around three years or more to discover a breach had occurred. One healthcare organization took almost three and a half years (1,260 days) to discover a breach, another took 1,125 days and one took 1,071 days. These are the figures behind the 441-day average: a handful of very old incidents, only now being detected, dominate the month’s numbers.

California was once again the worst affected state with 6 breaches, closely followed by Florida with 5 incidents.

The post May’s Healthcare Data Breach Report Shows Some Incidents Took 3 Years to Discover appeared first on HIPAA Journal.

Torrance Memorial Medical Center Reports Email Account Compromise

The danger of phishing has been highlighted by an incident reported by Torrance Memorial Medical Center in Torrance, CA. The medical center discovered the email accounts of two staff members had been accessed by an unauthorized individual.

The incident was detected rapidly, with third party forensic investigators brought in to investigate the breach. The investigation revealed the accounts were accessed on April 18 and April 19.

The investigation revealed the email accounts contained the protected health information of some patients, including names, addresses, dates of birth, Social Security numbers, insurance details and treatment and diagnostic information. The forensic investigation did not uncover evidence to suggest any patient information has been misused, although it was not possible to rule out the possibility that data were accessed by the attackers. Torrance Memorial Medical Center says the breach investigation is ongoing and the incident has been reported to the FBI.

Since there is a risk that PHI was accessed, all affected individuals have been offered one year of credit monitoring and identity theft restoration services without charge.

Torrance Memorial Medical Center is currently working on improving its security controls to prevent future incidents, including retraining staff on safeguarding protected health information and maintaining the privacy and security of its systems.

The data breach has now been reported to the Department of Health and Human Services’ Office for Civil Rights, although no information has been released to indicate how many patients were affected by the incident.

Phishing attacks pose a major threat to healthcare organizations. Employees are targeted as they are a weak point in security defenses; however, employees’ security awareness can be greatly improved with regular training and phishing simulations.

Research conducted by PhishMe suggests organizations can reduce susceptibility to phishing attacks by up to 95% by using phishing simulations in addition to training. Other anti-phishing platform providers have released similar figures; these are vendor-reported numbers, but they point in the same direction: training combined with simulation measurably reduces click rates.


Delayed Breach Notification Sees CoPilot Fined $130,000 by NY AG

A data breach that occurred in October 2015 should have seen affected individuals notified within 2 months, yet it took CoPilot Provider Support Services Inc., until January 2017 to issue breach notifications.

An administration website maintained by CoPilot was accessed by an unauthorized individual on October 26, 2015. That individual also downloaded the data of 221,178 individuals. The stolen data included names, dates of birth, phone numbers, addresses, and medical insurance details.

The individual suspected of accessing the website and downloading data was a former employee. CoPilot contacted the FBI in February 2016 to receive help with the breach investigation and establish the identity of the unauthorized individual.

However, notifications were not sent by CoPilot until January 18, 2017. CoPilot says the delay was due to the time taken for the FBI to investigate the breach; however, since CoPilot was aware that reimbursement-related records had been stolen, notifications should have been sent sooner. Further, law enforcement did not instruct CoPilot to delay the issuing of breach notifications as doing so would not have impeded the investigation.

There is some debate as to whether CoPilot is subject to HIPAA Rules. CoPilot has previously said it is not covered by HIPAA, although a breach report was sent to the Department of Health and Human Services’ Office for Civil Rights. If CoPilot is a HIPAA business associate, breach notifications would have to be sent without unreasonable delay and in any case within 60 days of the discovery of the breach.

OCR is investigating and trying to determine whether CoPilot is classed as a business associate and therefore must comply with HIPAA Rules. If OCR determines that it is, the decision may be taken to issue a financial penalty for the delayed breach notifications. Earlier this year, OCR fined Presence Health $475,000 for delaying breach notifications for three months. A fine for CoPilot would likely be considerably higher considering the number of individuals impacted by the breach and the length of the delay.

HIPAA fines may or may not result from the notification delay, but the New York attorney general has now taken action. On Thursday last week, Eric Schneiderman announced that CoPilot has been fined $130,000 for the breach notification delay, not for a breach of HIPAA Rules but for a breach of General Business Law § 899-aa. The law requires businesses to send timely breach notifications to individuals impacted by a data breach. In addition to the fine, CoPilot is required to improve its notification and legal compliance program.

Announcing the fine, Schneiderman said, “Healthcare services providers have a duty to protect patient records as securely as possible and to provide notice when a breach occurs,” explaining that “Waiting over a year to provide notice is unacceptable.”

The financial penalty sends a message to all businesses that unnecessary breach notification delays will not be tolerated. Schneiderman said “My office will continue to hold businesses accountable to their responsibility to protect customers’ private information.”


OCR’s Wall of Shame Under Review by HHS

Since 2009, the Department of Health and Human Services’ Office for Civil Rights has been publishing summaries of healthcare data breaches on its website. The data breach list is commonly referred to as OCR’s ‘Wall of Shame’.

The data breach list only provides a brief summary of data breaches, including the name of the covered entity, the state in which the covered entity is based, covered entity type, date of notification, type of breach, location of breach information, whether a business associate was involved and the number of individuals affected.

The list includes all reported data breaches, including those which occurred due to no fault of the healthcare organization. The list is not a record of HIPAA violations. Those are determined during OCR investigations of breaches.

Making brief details of the data breaches available to the public is an ‘unnecessarily punitive’ measure, according to Rep. Michael Burgess (R-Texas), who recently criticized OCR about its data breach list.

Burgess was informed at a cybersecurity hearing last week that HHS secretary Tom Price is currently reassessing the website and how the information is made public.

While the publication of information is under review, the publication of breach summaries is a requirement of the HITECH Act of 2009. Any decision to stop publishing breach summaries on the website would require action by Congress. However, it is possible for changes to be made to how the information is displayed and for how long the information is made available. The HITECH Act only requires the information to be published; it does not stipulate the length of time that the covered entity remains on the list.

The reason behind the publication of breach information is to inform the public of data breaches and to provide some information on what has occurred. If there was a time limit placed on the length of time a covered entity remained on the list, it would not be possible for a member of the public to determine whether a breach was an isolated event or one of several suffered by a covered entity.

OCR Director Roger Severino issued a statement confirming the usefulness of the website saying, “The website provides an important source of information to the public, but we recognize that the format has become stale and can and should be improved,” explaining “OCR will continue to evaluate the best options for communicating this information as we meet statutory obligations, educate the regulated community (and the public) on lessons learned, and highlight actions taken in response.”

Burgess told Fierce Healthcare, “I am interested in pursuing solutions that hold hospital systems accountable for maintaining patient privacy without defaming systems that may fall victim to large-scale ransomware attacks, such as WannaCry.”

Of course, in the case of the WannaCry attacks, healthcare organizations may not be blameless. The attacks exploited an SMB vulnerability for which Microsoft had released a patch (MS17-010) on March 14, 2017, almost two months before the outbreak; organizations running supported Windows versions that had applied the patch were not affected. However, in its current form, there would be no indication on the website that a covered entity had experienced a ransomware attack as the breach list does not go into that much detail.

While options are being considered, some privacy advocates argue that the breach portal does not go into nearly enough detail and suggest even more information should be uploaded to the site to better inform the public on exactly what has occurred.


Sound Community Services Discovers Email Account Breach

New London, CT-based Sound Community Services Inc., a not-for-profit provider of education, support and assistance for individuals with persistent mental illness and/or substance abuse disorders has discovered an unauthorized individual has gained access to an employee’s email account.

Suspicious activity was detected on the email account on January 13, 2017. An investigation was immediately launched and access to the email account was blocked. The investigators determined access to the email account had been gained the previous day.

A forensic investigation into the security breach was conducted, although the identity of the unauthorized individual could not be determined. The email account was discovered to contain the protected health information of 1,278 individuals.

No information has been released detailing how the unauthorized individual gained access to the email account, although this type of security breach is commonly caused as a result of employees responding to phishing emails and disclosing their email credentials.

While it is possible that patient information was accessed by the unauthorized individual, no evidence has been uncovered to suggest emails in the account were opened and viewed and no reports have been received to suggest any exposed information has been obtained and misused. Fortunately, the information in the emails was limited, with only names and client numbers exposed. One individual also had details of referring information exposed.

The review of the email account was only completed on April 18, hence the delay in issuing notifications. The Department of Health and Human Services’ Office for Civil Rights was notified of the breach on May 26.

Even though the information exposed was limited, all affected individuals have been offered 24 months of identity protection services without charge. Those individuals are being notified of the breach by mail and are being provided with background information on the incident.

Sound Community Services will be implementing new controls to ensure similar incidents are prevented in the future.


Double Burglary Sees Connecticut Patients’ PHI Exposed

SouthWest Community Health Center, a Bridgeport, CT network of health centers, has alerted patients that some of their protected health information has been exposed after burglars targeted two of its facilities.

Several computers were stolen in a double burglary at its 1046 Fairfield Avenue and 10 Clinton Avenue sites. Thieves first broke into the Fairfield Avenue facility on Saturday, April 8 and stole four desktop computers and a laptop. The following weekend, the Clinton Avenue health center was broken into and two laptop computers were stolen.

Both facilities had security alarms which were triggered when the offices were entered. Law enforcement responded immediately in both cases, but the perpetrators had fled the scene.

The burglaries are not believed to have been conducted in order to gain access to patients’ protected health information, only for the value of the computer hardware that was stolen. However, it is possible that the thieves or other unauthorized individuals were able to view the information stored on the devices. The data stored locally on the devices were not encrypted, so physical possession of the hard drives is enough to read them.

SouthWest Community Health Center reconstructed the data stored on the computers to determine which patients’ protected health information had been exposed. The investigation revealed patients’ names, dates of birth, bank account numbers, Social Security numbers, insurance information and medical information, including diagnoses, treatment and admission information had been saved on the hard drives.

Due to the sensitive nature of exposed information, all affected patients have been offered identity theft monitoring and restoration services without charge for a period of 12 months. SouthWest Community Health Center is also reviewing security at its health centers to prevent future burglaries and is working closely with law enforcement and other third parties in this regard.

The incident has been reported to the Department of Health and Human Services’ Office for Civil Rights, although since the incident has yet to appear on the OCR breach portal it is unclear exactly how many patients have been impacted.


Austin Medical Center Discovers Patient Data Was Accessible Via Internet

An Austin, TX medical center has discovered that patient data had been stolen and uploaded to the Internet, where it was accessible for almost 4 years. The information, which related to approximately 2,000 patients, could freely be found via search engines.

Victory Medical Center was alerted to the data leak on April 5, 2017 by a patient who had found his or her personal information online while browsing the Internet.

An investigation was launched by Victory Medical which revealed a paper-based report containing patient information had been uploaded to GitHub by an unauthorized individual. The data were taken and uploaded without the knowledge or authorization of Victory Medical. The company says the breach was likely the work of a ‘lone bad actor’.

The date of the breach is not known, although it is likely the incident occurred on or after June 10, 2013 according to the substitute breach notice uploaded to the Victory Medical website. The report had been generated from Victory Medical’s secure patient record system, although it did not include any medical information.

The types of information exposed and likely viewed by unauthorized individuals were restricted to patients’ names, phone numbers, addresses, email addresses, preferred language, race and ethnicity and internal medical account numbers. Victory Medical contacted GitHub and arranged for the information to be removed. The information was taken offline five days later.

Since only demographic information has been exposed, Victory Medical believes the risk of improper use of the information is low.

The breach investigation involved interviews with all members of staff who were working at or around the time of the suspected breach, although the person responsible for the breach could not be identified.

The breach has prompted a review of privacy practices, policies and security procedures that could potentially have contributed to the breach, although no systemic weaknesses have been identified. Physical security standards are also being reviewed at the organization’s offices and feasible changes will be implemented to improve security and prevent future breaches of PHI.


WannaCry Ransomware Continues to Cause Problems for U.S. Hospitals

The Department of Health and Human Services (HHS) has issued a cyber notice to alert healthcare organizations of the continuing problems caused by the WannaCry ransomware attacks on May 12, 2017.

Following the attacks, the United States Department of Homeland Security (DHS) issued a statement saying the U.S. had suffered ‘limited attacks’ with only a small number of companies affected. However, the problems caused by those attacks have been considerable. The HHS says two large, multi-state hospital systems are still facing significant challenges to operations as a result of the May 12 attacks.

The Windows SMB vulnerability (MS17-010) exploited by the threat actors was addressed by Microsoft in a March 14, 2017 update, with an emergency patch released for unsupported Windows versions (including Windows XP and Server 2003) shortly after the attacks took place. The patches close the SMBv1 vulnerability WannaCry uses to spread from machine to machine; a patched host cannot be infected over that route.

The encryption routine used by the WannaCry malware was deactivated quickly following the discovery of a kill switch: before encrypting, the malware tries to reach a hard-coded domain and exits if the domain responds. Once a researcher registered the domain, new infections on hosts that could reach it stopped encrypting files. That does not stop infection, and hosts whose outbound web traffic is blocked or routed through a proxy may never reach the kill-switch domain and will still be encrypted. Vulnerable devices could still be infected if the patch has not been applied.

Further, if a device has already been infected prior to the patch being applied, the malware will still be present on the infected system. The HHS likens the patch to quarantining a patient. While that action will prevent the spread of the infection to other individuals, simply placing a patient in quarantine will not remove the infection in that patient.

While the ransomware component of the malware is not active, the presence of the malware on computer systems will have some effects. Those are dependent on the Windows version installed.

If the malware is present, it will be capable of scanning the network for other vulnerable devices and spreading to those devices.

The HHS says that if a device has been infected with WannaCry, reimaging and then applying the patch will remove the malware and prevent it from being reinstalled over SMB. However, HHS explains that while the patch addresses a vulnerability in the Windows Server Message Block version 1 (SMBv1) protocol, that may not be the only vulnerability that is exploited to deliver WannaCry. Even patched systems may still be infected if the threat actors exploit a different vulnerability to introduce the malware. Patches must therefore be applied promptly after they have been issued to prevent future WannaCry and other malware attacks.
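A practitioner reading the HHS guidance will want a quick way to tell whether a given Windows host has the MS17-010 fix and whether SMBv1, the only protocol WannaCry’s worm component spreads over, is still enabled. The following PowerShell check is an added example and is not part of the HHS notice or any vendor tooling. The KB numbers are the March 2017 MS17-010 packages as listed per operating system at the time; later cumulative updates supersede them, so a missing KB is a prompt to verify, not proof of vulnerability. The `Set-SmbServerConfiguration` call is run with `-WhatIf` on purpose.

```powershell
# Added example: MS17-010 / SMBv1 exposure check for one Windows host.
# Run from an elevated PowerShell session. Get-SmbServerConfiguration needs
# Windows 8 / Server 2012 or later; older hosts only get the KB check.

# MS17-010 packages per OS (March 2017 plus the post-outbreak emergency release).
# Assumption: later monthly rollups/cumulative updates may replace these IDs.
$ms17010Kbs = @(
    'KB4012598',              # Windows XP / Server 2003 / Vista / Server 2008
    'KB4012212', 'KB4012215', # Windows 7 / Server 2008 R2 (security-only / rollup)
    'KB4012213', 'KB4012216', # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217', # Server 2012
    'KB4012606', 'KB4013198', 'KB4013429' # Windows 10 1507 / 1511 / 1607
)

$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
$matched   = $ms17010Kbs | Where-Object { $installed -contains $_ }

if ($matched) {
    Write-Host "MS17-010 package present: $($matched -join ', ')"
} else {
    # Not necessarily vulnerable: a newer cumulative update may contain the fix.
    Write-Warning "No MS17-010 KB found; confirm the current cumulative update before treating this host as patched."
}

# Server-side SMBv1 state. This is the control that matters even on a patched host,
# because the patch fixes one bug while disabling SMBv1 removes the whole attack surface.
$smb = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
if ($null -eq $smb) {
    Write-Warning "Get-SmbServerConfiguration unavailable (pre-Windows 8 host); check SMBv1 via the registry or Get-WindowsFeature."
} elseif ($smb.EnableSMB1Protocol) {
    Write-Warning "SMBv1 server protocol is ENABLED."
    # Disabling SMBv1 breaks clients that cannot speak SMBv2+ (Windows XP, old
    # multifunction printers, some medical devices). Drop -WhatIf only after an
    # inventory shows nothing on the network depends on it.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force -WhatIf
} else {
    Write-Host "SMBv1 server protocol is disabled."
}

# Optional-feature view (Windows 8.1 / 10 / Server 2012 R2 and later); covers the
# client side as well as the server side.
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
if ($feature -and $feature.State -eq 'Enabled') {
    Write-Warning "SMB1Protocol optional feature is Enabled; remove it with: Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol"
}
```

Run it per host, or wrap it in `Invoke-Command` against a list of servers. Treat the KB check as a hint and the SMBv1 state as the decision: HHS’s own point is that other delivery paths exist, and a host with SMBv1 off and current patches is the only state you can defend.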

If you have been affected by WannaCry, the HHS recommends contacting your FBI Field Office Cyber Task Force or the US Secret Service Electronic Crimes Task Force to report the incident and request assistance.

The HHS also recommends contacting the FDA’s 24/7 emergency line at 1-866-300-4374 if a suspected cyberattack affects medical devices.

HHS has issued the following advice to healthcare organizations on mitigating the risk of WannaCry infection:


North Dakota Department of Human Services Notifies 2,452 Medicaid Recipients of PHI Exposure

The North Dakota Department of Human Services (NDDHS) is alerting 2,452 Medicaid recipients that some of their protected health information has been exposed when documents were improperly disposed of in a Bismarck dumpster.

The HIPAA breach was discovered on May 19, 2017 when a member of the public saw documents containing sensitive information in a dumpster. The citizen contacted NDDHS about the discovery and an investigation was immediately launched. NDDHS arranged to collect the documents the same day.

The documents were Medicaid worksheets dated 2015. The worksheets did not contain Social Security numbers, financial information or Medicaid recipients’ addresses; however, detailed on the sheets were Medicaid recipients’ first and last names, the first two characters of their Medicaid provider name, Medicaid provider numbers, Medicaid ID numbers, a two-digit code representing the county of residence, an internal NDDHS ID number, dates of service, amounts covered by insurance, amounts billed and allowed, diagnosis codes, coding modifiers and quantity and tooth and surface detail relating to dental work. The information exposed varied for each patient.

The internal investigation into the privacy breach revealed one individual was responsible for dumping the documents and the improper disposal involved no malicious intent. The records were dumped on May 8, 2017, two days prior to them being found by a member of the public.

Since there is a possibility that the documents have been viewed by others, individuals affected by the incident have been offered complimentary credit monitoring and identity theft protection services. However, the potential for re-disclosure of information is believed to be low as all documents have now been recovered and secured. NDDHS said in its press release that no evidence has been uncovered to suggest any information in the documents has been used improperly or further disclosed and that “appropriate disciplinary action has been taken.”

Training had already been provided to staff members on information security and HIPAA Rules. NDDHS is now working with its staff to prevent future incidents of this nature from occurring. The incident has also prompted NDDHS to conduct a review of its policies and procedures for safeguarding the protected health information of Medicaid recipients.
