HIPAA Breach News

Plastic Surgery Clinic Employee Suspected of Stealing 15,000 Patient Records

A former employee of a Californian plastic surgery clinic is suspected of stealing the medical records of around 15,000 patients.

The employee worked at the Rodeo Drive clinic in Beverly Hills run by Dr. Zain Kadri. The employee had been employed as a driver and translator since September 2016, but had subsequently been given other duties such as data entry. Allegedly, she quit the practice on May 13 after being accused of embezzlement.

The employee was later discovered to have taken photographs of patients before and during surgical procedures and uploaded those pictures to the image sharing site Snapchat.

Further data theft was uncovered in May while the clinic was transferring paper records to digital files. As part of that process, the clinic checked a company phone used by the former employee. Images discovered on the device included photographs of patients, as well as photographs of patient IDs, usernames and passwords, copies of checks, and credit and debit card information. Conversations were also reportedly recorded by the employee. It is unclear how much of that information was shared on social media or was stolen.

The clinic has performed surgeries on several celebrities, many of whom have had their privacy violated. The patients affected by the incident come from 16 U.S. states and four countries. The potential harm from misuse of the information is considerable.

The data theft has been reported to the Los Angeles County Sheriff’s Department and the incident is being investigated. All patients affected by the breach are now being notified that their information may have been stolen. At this stage, it is unclear whether charges will be filed against the former employee.

The post Plastic Surgery Clinic Employee Suspected of Stealing 15,000 Patient Records appeared first on HIPAA Journal.

Trios Health Discovers Employee Accessed EHR Without Authorization for 41 Months

The medical records of 570 Trios Health patients have been accessed by an employee, without authorization, over a period of 41 months.

In March, Trios Health noticed some irregularities in its EHR logs which suggested patient records were being accessed without any legitimate work purpose for doing so. An investigation was launched and the employee was placed on leave. The investigation revealed the employee had accessed hospital patient records without authorization between October 2013 and March 2017.

The types of information that were viewed included names, contact information, driver’s license numbers, Social Security numbers, dates of service, demographic information and limited medical information such as diagnoses.

Interviews were conducted, but a spokesperson for Trios Health said, “We don’t know the motivation,” although it would appear that no harm was intended by the employee. Trios Health says the risk of information being used inappropriately is low, although credit monitoring and identity theft protection services are being offered to affected patients for 12 months without charge as a precautionary measure.

Trios Health’s interim CEO said, “We cannot succeed as an organization without holding ourselves and others responsible for mistakes and taking decisive action to address them.”

The employee has now been terminated for violating hospital policies and HIPAA Rules and Trios Health is implementing software that will alert staff to improper ePHI access. EHR restrictions have also been put in place to limit ePHI access, with staff only able to access the records of patients in their own department.

If a member of staff attempts to access the medical records of a patient that they are unauthorized to view, access will be prevented, a popup warning will appear on screen and an alert of attempted ePHI access will be sent to a supervisor. Staff have also received additional privacy training and a new PHI auditing process will be implemented.

The incident has now been reported to the state Attorney General and the Department of Health and Human Services’ Office for Civil Rights. Patients impacted by the breach are being notified by mail.


Molina Healthcare Patient Portal Discovered to Have Exposed Patient Data

Earlier this month, security researcher Brian Krebs was alerted to a flaw in a patient portal used by True Health Group that allowed patients’ test results to be viewed by other patients. While patients were required to log in to the patient portal before viewing their test results, a security flaw allowed them to also view other patients’ results.

Now, the Medicaid and Affordable Care Act insurer Molina Healthcare is investigating a similar flaw in its patient portal that has allowed the sensitive medical information of patients to be accessed by unauthorized individuals. In the case of Molina Healthcare, patients’ medical claims could be accessed without authentication.

Brian Krebs contacted Molina Healthcare to alert the company to the flaw. An investigation was conducted and its patient portal was shut down while the issue was resolved.

It is unclear for how long the flaw existed, whether medical claims had been viewed by unauthorized individuals, and if so, how many patients had their privacy violated. Potentially, the flaw resulted in the exposure of all customers’ medical claims. Molina Healthcare serves 4.8 million individuals in 12 states and Puerto Rico.

The individual who identified the flaw and reported the issue to Brian Krebs was able to demonstrate it was possible to access other patients’ names, addresses, birthdates, medical procedure codes, prescribed medications and other sensitive data related to health complaints. Anyone with a link to a medical claim could change a digit in the URL and view other individuals’ medical claims.

In contrast to the security flaw at True Health, Brian Krebs said anyone with a link to a medical claim would be able to access the URL without any authentication required. The link could be clicked and the medical claim could be viewed.
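The two defects described above, a claim endpoint that needs no login and a claim number the requester can simply change, are the classic shape of an insecure direct object reference. The following is an added example and not Molina Healthcare’s portal code: a vulnerable lookup handler sits beside a hardened one that first authenticates the session and then checks that the claim belongs to the caller, recording every rejected request for monitoring. The claim data, session store and function names are all constructed for the demo.

```python
"""Added example (not Molina Healthcare's code): an unauthenticated,
ID-driven claim lookup beside a hardened version that checks both the
session and the caller's ownership of the requested claim."""
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class Claim:
    claim_id: int
    member_id: str
    procedure_code: str


# Constructed sample data: sequential claim numbers, as a database would issue.
CLAIMS = {
    1001: Claim(1001, "member-A", "99213"),
    1002: Claim(1002, "member-B", "70450"),
    1003: Claim(1003, "member-A", "80053"),
}

# Constructed session store: token -> member_id. A real portal would issue the
# token at login and bind it to the authenticated member account.
SESSIONS: dict[str, str] = {}

# Audit trail of rejected requests; a run of these from one source is the
# signal a monitoring rule would look for.
DENIED_ATTEMPTS: list[tuple[str, int]] = []


class AccessDenied(Exception):
    pass


def login(member_id: str) -> str:
    """Issue an unguessable session token for an already-verified member."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = member_id
    return token


def view_claim_insecure(claim_id: int) -> Claim:
    """Vulnerable handler (the flaw described in the article): whoever knows a
    claim number gets the claim. No session check, no ownership check."""
    return CLAIMS[claim_id]


def view_claim(session_token: Optional[str], claim_id: int) -> Claim:
    """Hardened handler: authenticate the session, then authorize the specific
    object. 'No such claim' and 'not your claim' raise the same error so the
    response does not reveal which claim numbers exist."""
    member_id = SESSIONS.get(session_token or "")
    if member_id is None:
        DENIED_ATTEMPTS.append(("unauthenticated", claim_id))
        raise AccessDenied("login required")
    claim = CLAIMS.get(claim_id)
    if claim is None or claim.member_id != member_id:
        DENIED_ATTEMPTS.append((member_id, claim_id))
        raise AccessDenied("not found")
    return claim


if __name__ == "__main__":
    token = login("member-A")
    print(view_claim(token, 1001))           # own claim: allowed
    try:
        view_claim(token, 1002)              # another member's claim: denied
    except AccessDenied as exc:
        print("denied:", exc, DENIED_ATTEMPTS)
```

The ownership check is the part that would have stopped the digit-changing access the article describes; the session check alone would not, which is why both are needed. Returning an identical "not found" response for missing and foreign claims keeps the endpoint from doubling as an oracle for which claim numbers are valid.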

On Friday last week, Molina Healthcare issued a statement saying “We are in the process of conducting an internal investigation to determine the impact, if any, to our customers’ information and will provide any applicable notifications to customers and/or regulatory authorities.”

Molina Healthcare has also engaged the services of Mandiant to improve its system security. Molina Healthcare says the security vulnerability in the patient portal has now been remediated.


Children’s Mercy Hospital Discovers Unauthorized Website Exposed 5,500 Patients’ PHI

A website created by a physician at Children’s Mercy Hospital in Kansas City, MO has recently been discovered to lack appropriate security protections, potentially allowing the protected health information of 5,511 patients to be viewed by unauthorized individuals.

The physician created the website with good intentions and used the site as an educational resource. Data uploaded to the website was protected with a password to prevent unauthorized access. However, the protections in place to prevent unauthorized ePHI access did not meet the hospital’s security standards.

The lack of security controls on the website meant information uploaded to the website could have been accessed by unauthorized individuals.

Contact information (addresses and telephone numbers), Social Security numbers, financial information, health insurance details, photos and other images were not uploaded to the site. However, the website did contain information such as patients’ first and last names, gender, age, medical record number, encounter number, dates of service, admission and discharge dates, birthdates, procedure dates, procedure and diagnostic codes, brief notes on the patient and their height, weight and body mass index.

The types of information uploaded to the website would not typically allow unauthorized individuals to defraud patients or commit identity theft, but as a precaution, all patients impacted by the incident have been offered identity theft protection services free of charge through AllClear.

The physician who created the website believed the information uploaded to the website had been appropriately secured and was inaccessible by unauthorized individuals. Children’s Mercy Hospital said the website was unauthorized, was not owned by the hospital, and that the creation of the website and uploading of ePHI was a violation of hospital policies. The website has now been taken down.

The incident has prompted Children’s Mercy Hospital to reeducate key staff members on compliance to prevent future incidents of this nature from occurring. Children’s Mercy Hospital has not received any reports to suggest information uploaded to the website has been misused in any way.


Beacon Health Employee Improperly Accessed 1,200 Patient Records Over 3 Year Period

A former Beacon Health System employee has been discovered to have accessed the medical records of approximately 1,200 patients without authorization over a period of three years.

The privacy breach was uncovered during a routine audit of ePHI access logs, with the unauthorized access discovered on March 30, 2017. The employee in question was permitted to access patient records to perform work duties, although access rights were abused and the records of other patients were viewed even though there was no legitimate work reason for doing so.

Upon discovery of the unauthorized access, Beacon Health conducted a full review with assistance from an external computer forensics firm and determined the inappropriate access started in March 2014. The employee was interviewed and claimed the records were accessed out of curiosity only and confirmed no information was copied or disclosed to other individuals. The medical records were accessed after patients visited the Emergency Room for treatment.
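The Trios Health notice above describes a preventive control (staff may only open records of patients in their own department, and a blocked attempt is escalated to a supervisor), while the Beacon Health notice describes the detective control that found the problem (a routine audit of ePHI access logs, with forensic review establishing how long the access had gone on). The following added example, which is not Trios Health’s or Beacon Health’s software, shows both on one constructed data set: an access decision function, and an audit pass over sample log lines that reports each user whose out-of-department views reach a threshold together with the span of months involved. The log format, directory data and thresholds are assumptions for the demo.

```python
"""Added example (not Trios Health's or Beacon Health's software): a
department-scoped EHR access rule with supervisor alerting, plus a
retrospective audit over access logs that reports repeat offenders and
how long their out-of-department access has been going on."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Iterator, Tuple

# Constructed directory data: staff -> department, patient -> treating department.
STAFF_DEPT = {"u101": "cardiology", "u202": "emergency", "u303": "radiology"}
PATIENT_DEPT = {"p1": "cardiology", "p2": "emergency", "p3": "radiology", "p4": "emergency"}


@dataclass
class Decision:
    allowed: bool
    reason: str
    notify_supervisor: bool  # True when a blocked attempt should be escalated


def enforce_access(user_id: str, patient_id: str) -> Decision:
    """Preventive control: deny cross-department record access and flag the
    attempt for the user's supervisor. Unknown users or patients are denied
    without escalation, since there is no supervisor to route the alert to."""
    staff_dept = STAFF_DEPT.get(user_id)
    patient_dept = PATIENT_DEPT.get(patient_id)
    if staff_dept is None or patient_dept is None:
        return Decision(False, "unknown user or patient", False)
    if staff_dept != patient_dept:
        return Decision(False, f"{user_id} ({staff_dept}) is not assigned to {patient_dept}", True)
    return Decision(True, "same department", False)


# Constructed log lines in an assumed format: "<ISO timestamp> user=<id> patient=<id> action=view"
SAMPLE_LOG = """\
2014-03-05T09:12:00 user=u202 patient=p2 action=view
2014-03-05T09:40:00 user=u202 patient=p1 action=view
2015-07-19T22:05:00 user=u202 patient=p3 action=view
2016-11-02T13:00:00 user=u101 patient=p1 action=view
2017-03-30T08:15:00 user=u202 patient=p1 action=view
2017-03-30T08:16:00 user=u303 patient=p3 action=view
"""


def parse_log(text: str) -> Iterator[Tuple[datetime, str, str]]:
    """Yield (timestamp, user, patient) for each non-empty log line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        yield datetime.fromisoformat(ts), kv["user"], kv["patient"]


def audit_access_log(text: str, min_events: int = 2) -> Dict[str, dict]:
    """Detective control: apply the access rule retrospectively to every logged
    view and report users whose out-of-department views reach min_events,
    with first/last timestamps and the span in months for the reviewer."""
    out_of_dept = defaultdict(list)
    for ts, user, patient in parse_log(text):
        if not enforce_access(user, patient).allowed:
            out_of_dept[user].append(ts)
    findings = {}
    for user, stamps in out_of_dept.items():
        if len(stamps) >= min_events:
            first, last = min(stamps), max(stamps)
            months = (last.year - first.year) * 12 + (last.month - first.month)
            findings[user] = {"events": len(stamps), "first": first, "last": last, "span_months": months}
    return findings


if __name__ == "__main__":
    print(enforce_access("u202", "p1"))
    for user, info in audit_access_log(SAMPLE_LOG).items():
        print(user, info)
```

A department match is a deliberate simplification of the treatment-relationship checks a production EHR uses, but the structure is the one that matters: the same policy function drives both the real-time decision and the audit, so the log review flags exactly what the enforcement would have blocked, and the span calculation turns a list of events into the "41 months" or "three years" figure an investigation needs.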

The types of information in the records included patients’ names, ages, room numbers, chief medical complaint and the acuity of their illness. Social Security numbers, health insurance information and financial account information were also potentially viewed by the employee.

The incident has prompted Beacon Health System to introduce new procedures to reduce the likelihood of further privacy breaches of this nature from occurring. A review of the Beacon Health training curriculum is also taking place and training programs will be updated accordingly.

While the breach notice does not explicitly state that the employee was terminated as a direct result of this incident, Beacon Health System said the individual is no longer employed.

Even though further disclosures of patients’ ePHI are not believed to have occurred, the sensitive nature of the ePHI that was accessed by the employee prompted Beacon Health to offer all affected patients 12 months of identity theft and identity restoration services without charge.


Arizona Department of Health Services Notifies 2,500 Patients of Potential Loss of PHI

Data collected as part of a newborn screening program run by the Arizona Department of Health Services (ADHS) has been lost in the mail. The information, which was to be used for billing purposes, contained the personal information, financial data and sensitive health information of approximately 2,500 patients.

Names, addresses, phone numbers, Social Security numbers, health insurance information, birth dates, and health information relating to mothers and newborns have all potentially been exposed. While state officials have said no evidence has been found to suggest any of the information has been accessed by unauthorized individuals or misused, ADHS has no idea where the records are located.

The information was sent via the U.S. Postal Service to billing contractor Midwest Medical Practice Management of Carbondale, Illinois in two boxes; however, only one of the boxes arrived.

The last known location of the missing box was a Postal Service facility in Phoenix, AZ. The U.S. Postal Service has been contacted and a search for the missing box has been conducted. Postal Service records indicate the parcel was not delivered to an alternate address and did not leave the Phoenix facility. The box was last tracked on April 22, 2017.

The search for the missing box is continuing, although ADHS is assuming the records may not be found, and all affected individuals have already been notified that their PHI may have been exposed. No identity theft protection services are being offered to affected individuals at this stage, as no evidence has been uncovered to suggest the records have been accessed by unauthorized individuals. That may change if the package is not located and is declared lost.

The incident has prompted ADHS to conduct a review of its policies and procedures for transferring patient information, including the possibility of using a secure web-based system for transferring billing information rather than mailing physical records.


Stolen Electromyography Device Contained 836 Patients’ PHI, says SSM Health

SSM Health has started notifying patients that some of their protected health information was exposed when a portable device was stolen from DePaul Hospital St Louis in Bridgeton, MO.

The device contained the protected health information of 836 patients, including names, medical record numbers, dates of birth and brief details of patients’ chief health complaint. No insurance details, financial information, Social Security numbers or contact information were stored on the device. Due to the limited data stored on the device, patients are not believed to be at risk of experiencing identity theft or fraud.

The portable device was stolen from DePaul hospital overnight between April 12 and the morning of April 13, 2017. The theft has been reported to the local police department and an investigation into the incident is ongoing.

The device, which resembles a laptop computer, was part of an electromyography (EMG) medical device. Officials at DePaul hospital believe the device was stolen because it resembles a laptop computer, not for the information stored on it. No evidence has been uncovered to suggest any data on the device has been misused.

SSM Health has confirmed in a substitute breach notice uploaded to its website that the device was solely used in conjunction with the EMG device and that it is not possible to access patients’ medical records through the device.

Affected individuals had been participating in an electrodiagnostic study run by Dr. Syed Khader and had received treatment at the hospital between 2002 and 2017. No other patients of the hospital were affected by the incident.

Patients have been notified of the breach as is required by Health Insurance Portability and Accountability Act (HIPAA) Rules and the Department of Health and Human Services’ Office for Civil Rights has been notified.

Action has already been taken to ensure similar incidents do not occur in the future, including tightening security controls through written procedures and retraining staff on the correct handling of patient information.


Impermissible Disclosure of HIV Status to Employer Results in $387,000 HIPAA Penalty

The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced a new HIPAA settlement to resolve violations of the HIPAA Privacy Rule.

St. Luke’s-Roosevelt Hospital Center Inc., has paid OCR $387,200 to resolve potential HIPAA violations discovered during an OCR investigation of a complaint about an impermissible disclosure of PHI.

In September 2014, OCR received a complaint about a potential privacy violation involving a patient of St. Luke’s Spencer Cox Center for Health. In the complaint, it was alleged that a member of St Luke’s staff violated the privacy of a patient by faxing protected health information to the individual’s employer.

The information in the fax was highly sensitive, including the patient’s sexual orientation, HIV status, sexually transmitted diseases, mental health diagnosis, details of physical abuse suffered, medical care and medications. Instead of faxing the information, the data should have been sent to a personal post box as requested.

The investigation revealed that the incident was not the only time that the HIPAA Privacy Rule had been violated in such a fashion. A similar incident occurred nine months previously when a patient’s PHI was sent via fax to an office where he volunteered.

The Privacy Rule violations in both cases were particularly serious due to the highly sensitive nature of information that was disclosed. In the resolution agreement, OCR said the impermissible disclosures were egregious.

HIPAA Rules require covered entities to safeguard patients’ protected health information at all times. However, the investigation revealed that St Luke’s had failed to do that on two occasions, violating 45 C.F.R. § 164.530(c)(2)(i). Further, after the first impermissible disclosure, St Luke’s failed to address vulnerabilities in their compliance program to prevent further impermissible disclosures from occurring. Had those vulnerabilities been addressed, the second privacy violation may have been avoided.

In addition to paying OCR $387,200, St Luke’s is required to adopt a corrective action plan. The CAP involves reviewing and updating policies and procedures covering allowable uses and disclosures of PHI and training staff members on policy and procedural updates.

OCR issued a press release announcing the HIPAA settlement in which OCR director Roger Severino said “Individuals cannot trust in a health care system that does not appropriately safeguard their most sensitive PHI,” explaining “Covered entities and business associates have the responsibility under HIPAA to both identify and actually implement these safeguards.” OCR considered the nature of the breach and the extent of the harm caused when deciding an appropriate settlement amount.

May is not yet over, but already there have been nine HIPAA settlements between OCR and covered entities to resolve HIPAA violations discovered during the investigation of complaints and data breaches. At the current rate of almost two settlements a month, OCR will double last year’s record-breaking number of HIPAA enforcement penalties. The increase in HIPAA penalties shows that OCR is taking a much harder line on covered entities that fail to comply with HIPAA Rules.

Two of the most recent penalties have resulted from complaints involving HIPAA violations relating to one or two patients. It is no longer just large scale data breaches that merit financial penalties. Any severe violation of HIPAA Rules can result in a HIPAA fine.


Leading Cause of Healthcare Data Breaches in April was Hacking

The monthly Breach Barometer Report from Protenus shows a significant reduction in the number of exposed healthcare records in April, with 232,060 records exposed compared to more than 1.5 million in March. The number of reported data breaches also fell from 39 to 34.

The report offers some further good news. The time taken by healthcare organizations to report security incidents also fell last month. 66% of breaches were reported within the 60-day time period allowed by the Health Insurance Portability and Accountability Act Breach Notification Rule. While it is good news that the trend for reporting data breaches more promptly is continuing, there is still plenty of room for improvement.

Protenus reports that in April, it took an average of 51 days from the date of the breach to discovery, and an average of 59 days from the discovery of a breach to the submission of a breach report to the HHS’ Office for Civil Rights.

The data for the Protenus Breach Barometer report was supplied by Databreaches.net, which uncovered one of the worst breaches of the year to date: the theft of psychotherapy notes, substance abuse histories, health histories and the personally identifiable information of 4,229 patients of Bangor Health Center in Maine. That incident was one of 16 hacking incidents reported in April.

Hacking/IT incidents were cited as the cause of 47% of data breaches reported in April, followed by insider incidents (29%), and loss and theft of devices/PHI (15%). The cause of 9% of the breaches is currently unknown.

Hacking was the cause of the largest data breach of the month. The incident, which was reported by Harrisburg Gastroenterology, affected 93,323 individuals.

Out of the 16 hacking/IT incidents reported in April, five were related to ransomware infections and three incidents were phishing attacks. There were five breaches due to insider errors and four incidents involving insider wrongdoing.

While the majority of data breaches involved electronic protected health information, healthcare organizations must ensure appropriate controls are in place to secure physical PHI. Five of the breaches reported in April involved the theft or exposure of physical PHI.

There were two business associate data breaches in April and two reported by health plans. The majority of the breaches (79.41%) were reported by healthcare providers.

Texas was the worst affected state with four breaches, followed by Michigan, Ohio and New York, each with three incidents.
