HIPAA Breach News

Healthcare Organizations Reminded of HIPAA Rules Relating to Ransomware

Following the recent WannaCry ransomware attacks, the Department of Health and Human Services has been issuing cybersecurity alerts and warnings to healthcare organizations on the threat of attack and steps that can be taken to reduce risk.

The email alerts were sent soon after news of the attacks on the UK’s NHS first started to emerge on Friday, May 12, and continued over the course of the week. The alerts provided timely and pertinent information for U.S. healthcare organizations, allowing them to take rapid action to counter the threat.

While the Office for Civil Rights has previously warned healthcare organizations of new threats in its monthly cybersecurity newsletters, the recent alerts were sent much more rapidly and frequently: four email alerts were issued and conference calls were held with industry stakeholders to alert them to the imminent threat.

Whether this was a one-off response to a specific and imminent major threat or the HHS plans to issue more timely alerts in future remains to be seen. However, the rapid communication of the ransomware threat almost certainly helped many healthcare organizations take prompt action to reduce risk.

Fortunately, attacks on organizations in the United States appear to have been limited, with the Department of Homeland Security saying fewer than 10 U.S. companies have reported being attacked.

In the email alerts, healthcare organizations were reminded of the need to implement data security measures to reduce the risk of malware and ransomware attacks. OCR also issued guidance on HIPAA specific to the threat from WannaCry ransomware.

OCR reiterated that a ransomware attack that involves the encryption of patients’ ePHI is presumed to be a HIPAA breach, and reminded covered entities to report such attacks within 60 days, as required by the HIPAA Breach Notification Rule.

OCR also advised healthcare organizations that breach reports, and patient notifications, are required if the compromised data had not been encrypted by the entity to NIST specifications.

In the event of a breach, covered entities were told to contact their local FBI field office, submit details of the incident to the FBI’s Internet Crime Complaint Center and report the incident to US-CERT. OCR also emphasized that reporting ransomware attacks to other federal organizations or law enforcement bodies does not constitute a HIPAA-compliant breach report. OCR must be notified of the incident separately.

Threat intelligence sharing can prevent other organizations suffering similar attacks and OCR encourages the sharing of cyber threat information. However, the HIPAA Privacy Rule does not permit the sharing of PHI. When cyber threat information is shared with federal agencies, law enforcement, or an Information Sharing and Analysis Organization (ISAO), covered entities must ensure that PHI is not shared. Doing so would be a HIPAA violation and could result in action being taken against the organization in question.

OCR also reminded organizations that compliance with the HIPAA Security Rule helps covered entities prepare for ransomware attacks and respond appropriately if systems are compromised and data are encrypted.

Further information on HIPAA and ransomware attacks can be found in an OCR factsheet available on this link.

Healthcare organizations were also reminded that they can request an unauthenticated scan of their public IP addresses from the Department of Homeland Security.

US-CERT’s National Cybersecurity Assessment & Technical Services (NCATS) provides an objective third-party perspective on an organization’s cybersecurity posture and can conduct a broad assessment scanning for known vulnerabilities at no cost to stakeholders. The service allows healthcare organizations to be proactive and take steps to reduce risk prior to exploitation by malicious individuals. Requests can be made by emailing NCATS at NCATS_INFO@hq.dhs.gov

The post Healthcare Organizations Reminded of HIPAA Rules Relating to Ransomware appeared first on HIPAA Journal.

Patients’ Email Addresses Accidentally Disclosed by Rutland Regional Medical Center

An electronic survey can provide healthcare organizations with valuable information to improve patient services; however, in the case of Rutland Regional Medical Center, it has resulted in a privacy breach.

According to the Burlington Free Press, Rutland Regional Medical Center sent emails to more than 700 patients asking for opinions on discharge paperwork in an effort to make improvements to patient discharges.

Rather than using an email group or the BCC field to mask patients’ email addresses, all of the patients’ email addresses were added to the To field. Consequently, the email addresses of more than 700 patients were revealed to everyone who received the mailshot.
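The mistake described above is a header-versus-envelope confusion: any address placed in To or Cc is delivered to every recipient, while SMTP envelope recipients are not. The following added example (not Rutland Regional Medical Center’s code; the hospital address, patient addresses and `DryRunSMTP` class are constructed for illustration) builds a bulk patient mailing so that the patient list never enters a header at all, reproduces the faulty To-field version for comparison, and refuses to send when any recipient address is visible in the headers.

```python
# Added example, not Rutland Regional Medical Center's code: building a bulk
# patient mailing so that no recipient can see any other recipient's address,
# with a pre-send check that catches the mistake described above.
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed sample recipients (not real patient addresses).
PATIENTS = [
    "patient.one@example.org",
    "patient.two@example.org",
    "patient.three@example.org",
]


def build_bulk_message(sender, recipients, subject, body, expose_in_to=False):
    """Return (message, envelope_recipients) for one mailing to many patients.

    Safe mode (default): the only visible recipient header is the sender's own
    address, and the patient list is returned separately to be used as the SMTP
    envelope recipients, so it never enters a header at all. expose_in_to=True
    reproduces the error in the story (every address in To:) for comparison."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["Subject"] = subject
    msg["To"] = ", ".join(recipients) if expose_in_to else sender
    msg.set_content(body)
    return msg, list(recipients)


def header_visible_addresses(msg):
    """Every address a recipient could read from the delivered headers.

    Bcc is included on purpose: if a message is serialised with a Bcc header
    still present and handed to smtplib.SMTP.sendmail(), that header travels
    with it (send_message() strips Bcc, sendmail() does not)."""
    values = [str(v) for h in ("To", "Cc", "Bcc") for v in msg.get_all(h, [])]
    return [addr for _name, addr in getaddresses(values)]


def leaked_addresses(msg, envelope_recipients):
    """Recipients whose address is visible in the headers; must be empty to send."""
    visible = set(header_visible_addresses(msg))
    return [r for r in envelope_recipients if r in visible]


class DryRunSMTP:
    """Constructed stand-in with smtplib.SMTP's sendmail() signature; records
    what would have been sent instead of connecting anywhere."""

    def __init__(self):
        self.sent = []

    def sendmail(self, from_addr, to_addrs, msg_bytes):
        self.sent.append((from_addr, list(to_addrs), msg_bytes))


def send_if_safe(smtp, sender, msg, envelope_recipients):
    """Refuse to send when any envelope recipient is visible in the headers.

    `smtp` is any object with smtplib.SMTP.sendmail(from_addr, to_addrs, msg);
    pass a real smtplib.SMTP connection in production."""
    leaks = leaked_addresses(msg, envelope_recipients)
    if leaks:
        raise ValueError(f"refusing to send: {len(leaks)} recipient address(es) exposed in headers")
    smtp.sendmail(sender, envelope_recipients, msg.as_bytes())
    return len(envelope_recipients)


if __name__ == "__main__":
    sender = "survey@hospital.example"
    safe, env = build_bulk_message(sender, PATIENTS, "Discharge paperwork survey", "...")
    print(leaked_addresses(safe, env))          # []
    print(send_if_safe(DryRunSMTP(), sender, safe, env))   # 3
    bad, env = build_bulk_message(sender, PATIENTS, "Discharge paperwork survey", "...",
                                  expose_in_to=True)
    print(leaked_addresses(bad, env))           # all three patient addresses
```

The check in `send_if_safe` is the control worth keeping: a mass-mailing tool that cannot emit a message with more than the organisation’s own address in To or Cc turns this class of error into a failed send rather than a reportable disclosure.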

The error only revealed patients’ email addresses, and many of the patients would not have been easily identifiable from those addresses. However, any patient who was identifiable from their email address would also have had their status as a patient of Rutland Regional Medical Center disclosed to the other recipients. The email also suggests that the recipient had recently been discharged from hospital, something patients may have wished to keep private.

Peg Bolgioni, a spokesperson for Rutland Regional Hospital, issued a statement apologizing for the error and privacy breach. She said as soon as staff were alerted to the mistake the mailing was terminated. An investigation into the incident has been launched to determine how the error was made.

Errors such as this may not warrant HIPAA violation penalties and are unlikely to elevate the risk of patients experiencing identity theft and fraud, although there is potential for the disclosed email addresses to be misused.

Email addresses can be used to send phishing emails and other malicious messages. For instance, malicious individuals could send phishing emails impersonating the hospital in an attempt to gather further information to commit fraud.

Incidents such as this can all too easily occur as a result of poor training or human error. It is important for healthcare organizations to ensure that staff members are properly trained and policies and procedures implemented to prevent errors from resulting in patient privacy violations.

Coney Island Hospital Supervisor Allowed Unvetted Volunteer to Access PHI

NYC Health + Hospitals has discovered a volunteer accessed the protected health information of almost 3,500 patients without official authorization.

The unauthorized disclosure of PHI was discovered by NYC Health + Hospitals on March 10, 2017. The volunteer had worked in the phlebotomy department of Coney Island Hospital for a period of three months under direction of a supervisor.

The supervisor arranged for the volunteer to perform a number of tasks, some of which involved accessing certain patients’ PHI. While volunteers would be permitted access to PHI if they had been first vetted by Coney Island Hospital’s Human Resources department, in this case that process had not been completed.

When the supervisor instructed the volunteer to perform certain duties that required the PHI of patients to be accessed, the supervisor violated NYC Health + Hospitals policies and Health Insurance Portability and Accountability Act Rules.

The activities performed by the volunteer that involved accessing PHI included logging the names of patients in a log book and transporting specimens within the Coney Island facility. While performing those duties, the volunteer had access to protected health information such as patients’ names, medical record numbers and dates of birth. Since the volunteer had not been vetted, an unauthorized disclosure of PHI had occurred.

The incident was investigated and aside from the volunteer viewing PHI, no other improper disclosures of PHI are understood to have occurred; however, the privacy violation warranted notifications to be sent to patients as is required by HIPAA Rules.

Anthony Rajkumar, Chief Executive Officer of NYC Health + Hospitals, issued a statement confirming action has been taken to prevent further privacy breaches of this nature from occurring, including reminding management of the responsibility to ensure all volunteers are subjected to proper processing procedures by the human resources department.

Action has also been taken against the supervisor for violating hospital policies. The supervisor was initially suspended and later resigned from the position. The volunteer has been prevented from accessing Coney Island Hospital facilities.

Due to the limited nature of PHI accessed by the volunteer, credit monitoring services have not been offered, although a toll-free number has been set up to allow patients to have any questions answered.

Ransomware Attack Reported by Dallas Senior Living Community

A ransomware attack on the Dallas Senior Living Community, Walnut Place, in February resulted in highly sensitive data being encrypted, including Social Security numbers, driver’s license numbers, birth dates, banking and credit card numbers, health insurance information, clinical information and patients’ and residents’ contact information.

The ransomware was installed on Walnut Place’s systems on January 25, 2017, and the issue was remediated 8 days later, on February 2, 2017. Third-party security experts were called in to assist with the forensic investigation of the breach and conducted a security scan of the systems to ensure all traces of malware had been removed.

The incident report has yet to appear on the Department of Health and Human Services’ Office for Civil Rights breach portal, so it is currently unclear exactly how many individuals have been impacted.

Ransomware Attacks and HIPAA Rules

Ransomware attacks are not always reportable under HIPAA Rules. If an organization can demonstrate there was a low probability of PHI being acquired, accessed, used or disclosed (see OCR ransomware clarification), a breach report is not required and affected individuals would not need to be notified. That said, ransomware attacks are covered under the definition of security incidents in the HIPAA Security Rule (45 C.F.R. 164.304).

Further, the Department of Health and Human Services confirms in its guidance that “When electronic protected health information (ePHI) is encrypted as the result of a ransomware attack, a [HIPAA] breach has occurred because the ePHI encrypted by the ransomware was acquired, and thus is a “disclosure” not permitted under the HIPAA Privacy Rule.”

A ransomware attack that involves ePHI being encrypted therefore requires the organization to follow security incident procedures, including procedures for reporting those incidents.

In this case, Walnut Place took the decision to send breach notification letters to those affected due to the sensitive nature of the data that was compromised in the attack. Walnut Place is also offering affected individuals 12 months of credit monitoring services free of charge.

However, the breach notices appear to have been delayed. Under HIPAA Rules, organizations have up to 60 days following the discovery of the breach to issue notifications. The press release issued by Walnut Place on May 12, 2017 states that the ransomware attack was only discovered by its ‘leadership’ on March 13, 2017.

The press release, and notifications, were therefore issued within 60 days of leadership discovering the breach, but more than 3 months after the breach was actually discovered and remediated.

That suggests the ransomware attack was identified and dealt with without the knowledge of the organization’s leadership and/or there was an impermissible delay in issuing notifications and a potential violation of the HIPAA Breach Notification Rule.

Implement Policies and Procedures to Ensure Breach Reporting Deadlines Are Met

The incident highlights the importance of ensuring that policies and procedures are implemented requiring all potential PHI incidents to be reported internally to the organization’s leadership. Policies and procedures should also be in place to ensure OCR, affected individuals and state officials receive timely notifications of security incidents. The failure to report incidents in a timely manner can attract a financial penalty.

OCR has already settled with a covered entity solely for delayed breach notifications. A settlement of $475,000 was reached with Presence Health of Illinois for delaying the issuing of breach notifications by 34 days, more than a month outside the maximum time frame allowable under the HIPAA Breach Notification Rule.

PHI of Thousands of Patients of Bronx Lebanon Hospital Center Exposed Online

Highly sensitive medical records of thousands of patients of New York’s Bronx Lebanon Hospital Center have been exposed online. Those records were reportedly accessible for three years as a result of a misconfigured backup server.

The exposed records were uncovered by researchers at the Kromtech Security Research Center after conducting a “regular security audit of exposed rsync protocols on Shodan,” a search engine that can be used to find networked devices. Rsync backup servers are used for transferring files between computer systems and for file syncing.

The records were not encrypted nor protected with a password and could have been downloaded by any individual who knew where to look.

It is currently unclear exactly how many patient records were exposed, with initial reports indicating tens of thousands of patients may have been affected. NBC’s Mary Emily O’Hara recently reported that the breach has impacted at least 7,000 individuals.

The misconfiguration allowed the researchers to view highly sensitive information including names, addresses, medical diagnoses and health histories, as well as HIV statuses, reports of domestic violence and sexual assault, and addiction histories.

It was not initially clear to whom the data belonged, although the records were eventually traced to the Bronx Lebanon Hospital Center, with the backup device linked to iHealth Innovations, a Louisville, KY-based IT services and records management company.

In a recent blog post, MacKeeper researcher Bob Diachenko explained that efforts were made by Kromtech to contact the owners of the data, with assistance provided by Databreaches.net. In a statement provided to databreaches.net, Diachenko confirmed there has been no improper usage of the data by the Kromtech researchers.

While the majority of data appear to relate to patients of the Bronx Lebanon Hospital Center, it is unclear at this stage whether patients of other healthcare providers have also been affected.

iHealth has confirmed that a breach has occurred and the incident has been investigated. While the investigation is ongoing, iHealth says it has so far revealed that only one individual had accessed the data: the Kromtech researcher who discovered the error.

The server has now been reconfigured to prevent further access and the investigation is continuing, with a third-party cybersecurity company called in to validate iHealth’s analysis. The breach has been reported to law enforcement and Bronx Lebanon Hospital Center is assisting with the investigation.

Security Breach Highlights Need for Patient Portals to be Pen Tested

A range of safeguards must be implemented to ensure networks and EHRs are protected. Encryption should be considered to prevent the loss or theft of devices from exposing the ePHI of patients. However, it is also important for healthcare organizations to check their patient portals for potential vulnerabilities and implement safeguards to prevent unauthorized disclosures of sensitive information.

The failure to implement appropriate safeguards on web-based applications can easily result in unauthorized disclosures of patients’ PHI, as was recently demonstrated at True Health Diagnostics.

The Frisco, TX-based healthcare services company offers testing for a wide range of diseases and genetic abnormalities, with test information available to patients via a web portal. The web portal allows patients to obtain their test results quickly. Patients are required to register and can only access their records if they first log in to the portal.

However, a flaw on the web portal allowed patients to access not only their own test results, but the test results and PHI of other patients. The website flaw was discovered by a Las Vegas IT consultant called Troy Mursch, who alerted Brian Krebs to the vulnerability last week.

Mursch discovered that after logging into the patient portal, he was able to access the health records and medical test results of other patients. Mursch accessed his own test results, which were uploaded to the portal in PDF form, but by changing a digit in the URL was able to view the medical information of other patients.

True Health Diagnostics used sequential numbers on their PDF files, which makes it easy for the URL to be altered and for other patients’ records to be viewed via a web browser. While the portal required users to be logged in to view test results, there appear to have been no controls in place to prevent a logged-in user from accessing the records of other patients.
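The flaw described above is a missing object-level authorization check: the portal confirmed that a user was logged in but never confirmed that the requested report belonged to that user. The following added example (not True Health Diagnostics’ code; the `Portal` class, usernames and log lines are constructed for illustration) shows a minimal result-download handler with exactly that gap, the hardened version, and a detector that flags a single session walking through many distinct report ids in the portal’s access log.

```python
# Added example, not True Health Diagnostics' code: a minimal result-download
# handler showing the missing object-level authorisation check described above,
# the hardened version, and a detector that flags id-walking in access logs.
import re
from dataclasses import dataclass, field


@dataclass
class Report:
    report_id: int      # sequential number, as in the portal described above
    owner: str          # username of the patient the result belongs to
    pdf: bytes


@dataclass
class Portal:
    reports: dict = field(default_factory=dict)   # report_id -> Report

    def add_report(self, owner, pdf):
        report_id = len(self.reports) + 1          # predictable, sequential id
        self.reports[report_id] = Report(report_id, owner, pdf)
        return report_id

    def fetch_vulnerable(self, session_user, report_id):
        """Authenticated but not authorised: returns (status, body).

        The only check is that *someone* is logged in, so any patient can
        read any report simply by changing the number in the URL."""
        if session_user is None:
            return 401, None
        report = self.reports.get(report_id)
        if report is None:
            return 404, None
        return 200, report.pdf

    def fetch_hardened(self, session_user, report_id):
        """Object-level authorisation: the report must belong to the caller.

        A missing report and someone else's report get the same 404 so that a
        logged-in user cannot confirm which ids exist."""
        if session_user is None:
            return 401, None
        report = self.reports.get(report_id)
        if report is None or report.owner != session_user:
            return 404, None
        return 200, report.pdf


# Detection: in either version of the portal, one session touching many distinct
# report ids in a short window is the signature of a user walking the sequence.
LOG_RE = re.compile(r"user=(\S+) report=(\d+) status=(\d+)")

# Constructed sample log lines (not real portal logs).
SAMPLE_LOG = [
    "2017-05-15T10:01:02 user=alice report=1041 status=200",
    "2017-05-15T10:01:09 user=alice report=1042 status=200",
    "2017-05-15T10:01:15 user=alice report=1043 status=200",
    "2017-05-15T10:01:21 user=alice report=1044 status=200",
    "2017-05-15T10:30:00 user=bob report=1042 status=200",
]


def flag_enumeration(log_lines, threshold=3):
    """Return users that fetched `threshold` or more distinct report ids.

    A patient normally has a handful of reports; a long run of different ids,
    whether they came back 200 (vulnerable portal) or 404 (hardened portal),
    deserves a look."""
    seen = {}
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        user, report_id, _status = m.groups()
        seen.setdefault(user, set()).add(report_id)
    return sorted(u for u, ids in seen.items() if len(ids) >= threshold)


if __name__ == "__main__":
    portal = Portal()
    alice_id = portal.add_report("alice", b"%PDF alice")
    bob_id = portal.add_report("bob", b"%PDF bob")
    print(portal.fetch_vulnerable("alice", bob_id))   # (200, b'%PDF bob'): the flaw
    print(portal.fetch_hardened("alice", bob_id))     # (404, None)
    print(flag_enumeration(SAMPLE_LOG))               # ['alice']
```

Replacing the sequential numbers with unguessable identifiers would make the URLs harder to alter, but it is defence in depth only; the ownership comparison in `fetch_hardened` is the control that closes the flaw, and it is the check a penetration test of a portal should exercise with two patient accounts.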

Krebs alerted True Health Diagnostics to the flaw and the web portal was immediately taken offline while the issue was resolved. The issue has since been fixed and the portal is back online. An investigation has been launched to determine whether any patient health information was accessed by unauthorized individuals. Should that be the case, patients will be notified.

In this case, the incident was identified and reported quickly, allowing rapid action to be taken to secure the records. However, Mursch noted that his test results from two years ago also appeared to have been numbered in the same manner, suggesting patient records could have been exposed for a number of years.

This incident should serve as a warning to covered entities that have implemented patient portals to ensure appropriate safeguards have been implemented to prevent unauthorized disclosures of PHI. Any web-based interface should be thoroughly checked, using penetration tests, to determine whether vulnerabilities exist. If a solution is purchased from a third-party firm, a covered entity should determine the extent to which the system has been tested and should also consider verifying that no vulnerabilities exist by conducting its own penetration tests.

OCR has taken action against covered entities in the past for the failure to secure PHI accessible via web-based interfaces, including a $1.7 million settlement with WellPoint and a $100,000 settlement with Phoenix Cardiac Surgery.

Memorial Hermann Health System Hit with $2.4 Million HIPAA Fine

Memorial Hermann Health System has agreed to settle potential HIPAA Privacy Rule violations with the Department of Health and Human Services’ Office for Civil Rights (OCR) for $2.4 million. The settlement stems from an impermissible disclosure on a press release issued by MHHS in September 2015.

Memorial Hermann Health System (MHHS) is a 16-hospital health system based in Southeast Texas, serving patients in the Greater Houston area. In September 2015, a patient visited an MHHS clinic and presented a fraudulent identification card to hospital staff.

The fraudulent ID card was identified as such by hospital staff, law enforcement was notified and the patient was arrested. The hospital disclosed the name of the patient to law enforcement, which is allowable under HIPAA Rules.

However, the action the hospital took next was a violation of the HIPAA Privacy Rule. MHHS issued a press release about the incident but included the patient’s name in the title of the press release. That press release was approved before release by MHHS senior management, even though naming the patient constituted an impermissible disclosure of PHI.

The incident was widely reported in the media and a complaint was filed with OCR, prompting an investigation. The investigation revealed that the press release had been distributed to fifteen media outlets. On three occasions following the issuing of the press release, the patient’s identity was disclosed in meetings with advocacy groups, a state senator and state representatives. A statement in which the patient was named was also published on the MHHS website.

These unauthorized disclosures, which occurred between September 15 and October 1, 2015, constituted a knowing and intentional failure to safeguard the PHI of the patient. MHHS was also discovered to have failed to document the sanctions imposed against the members of staff who violated the HIPAA Privacy Rule, as is required by HIPAA (45 C.F.R. § 164.530(e)(2)).

In addition to the sizable payment to OCR, Memorial Hermann Health System has agreed to adopt a corrective action plan that requires policies and procedures to be updated and staff trained to prevent further impermissible disclosures of PHI. All MHHS facilities must also attest that they understand the allowable disclosures and uses of PHI.

HIPAA penalties are often issued for large scale breaches of PHI stemming from violations of HIPAA Rules. While OCR has agreed settlements with HIPAA-covered entities for breaches of fewer than 500 records in the past, settlements are typically reserved for large breaches of PHI caused by HIPAA violations. This is the first settlement to be agreed with a HIPAA-covered entity for a breach of a single patient’s PHI.

OCR Director Roger Severino issued a statement about the settlement saying “Senior management should have known that disclosing a patient’s name on the title of a press release was a clear HIPAA Privacy violation that would induce a swift OCR response.” He went on to explain that “This case reminds us that organizations can readily cooperate with law enforcement without violating HIPAA, but that they must nevertheless continue to protect patient privacy when making statements to the public and elsewhere.”

This is the eighth HIPAA settlement to be announced by OCR in 2017. In 2016, a record year for HIPAA settlements, there were 12 settlements reached with covered entities to resolve HIPAA violations and one civil monetary penalty (CMP) issued. At this rate, 2017 looks set to be another record-breaking year.

The sharp increase in HIPAA penalties should serve as a warning to covered entities that any violation of HIPAA Rules could result in a substantial financial penalty.

New Jersey IVF Clinic Hack Sees PHI of 14,000 Patients Potentially Compromised

A third-party server hosting the electronic health record database of the New Jersey Diamond Institute for Infertility and Menopause has been hacked and access gained by an unauthorized individual.

The Diamond Institute says its database and EHR system was encrypted, so the attackers were unable to access patient health records, although many unencrypted supporting documents were also stored on the server and may have been accessed.

It is unclear when the attack took place, although the Diamond Institute learned of the cyberattack on February 27, 2017. A full investigation was rapidly initiated and steps taken to secure the server to prevent further unauthorized activity.

The investigation involved checking all documents to determine the patients impacted and the types of data that could potentially have been viewed or copied. The documents were found to contain a limited amount of protected health information relating to more than 14,000 patients. Those data included patients’ names, addresses, birth dates, Social Security numbers, sonograms and lab test results.

The breach has prompted the Diamond Institute to perform a full password reset and update its firewall to prevent similar attacks from occurring in the future. Virtual network credentials have also been changed and all unused open ports have now been closed.

The investigation did not uncover any evidence to suggest that information contained in the documents has been misused as a result of the incident, although patients have been provided with resources to protect their identities and prevent future fraudulent uses of their data.

Since highly sensitive protected health information has potentially been accessed and copied by the attackers, out of an abundance of caution, all patients affected by the security breach are being offered credit monitoring and identity theft restoration services for 12 months without charge.

The breach report submitted to the Department of Health and Human Services’ Office for Civil Rights shows 14,633 individuals have been impacted by the incident.

Unencrypted Hard Drive Stolen from LSU Health New Orleans: 2,200 Individuals Impacted

Another healthcare provider has announced that an unencrypted device used to store electronic protected health information of patients has been stolen.

The medical data of 2,200 patients of Louisiana State University Health New Orleans were stored on a portable hard drive that was stolen from the Department of Neurology Research in March.

The theft occurred on or around March 6 and was immediately reported to law enforcement. A suspect was arrested the following day, although the hard drive has not been recovered. Officials do not believe any data on the drive have been misused, although the possibility that ePHI has been viewed cannot be ruled out.

LSU Health New Orleans has reconstructed the data on the drive and is notifying affected individuals. The drive contained research data relating to individuals who participated in studies between 1998 and 2009.

No Social Security numbers or financial information have been compromised, with the data breach limited to names, dates of birth, diagnosis codes and treatment codes.

This is not the first time that an incident such as this has resulted in the exposure of patients’ protected health information. In 2015, a faculty member of the LSU Health New Orleans School of Medicine had a laptop computer stolen from his vehicle. The device contained a wide range of protected health information of approximately 5,000 minor patients. Following that breach, information security policies and procedures were reviewed to determine whether improvements could be made to reduce the risk of future breaches.

LSU Health New Orleans does now have information technology policies in place that require safeguards to be implemented on mobile devices to reduce the risk of data exposure in the event that devices are lost or stolen. Those policies do include the use of encryption; however, in this case, those policies were not followed.

According to a statement issued by LSU Health New Orleans, the lack of encryption on the device has resulted in ‘appropriate remedial action’ being taken.

Data security policies will now be updated and included in training programs to prevent similar incidents from occurring in the future. Affected patients are being offered one year of credit monitoring services.