HIPAA Breach News

Ashland Women’s Health Reports Ransomware Attack

Since the start of 2016, cybercriminals have been increasingly turning to ransomware to attack healthcare organizations. Rather than attempting to steal the electronic protected health information of patients, malicious actors are blocking access to ePHI and are issuing ransom demands to restore access.

While large healthcare organizations such as MedStar Health are major targets for cybercriminals, healthcare organizations of all sizes are at risk of experiencing ransomware attacks, even small one-practitioner medical centers.

This week, one such practice has announced a ransomware attack has resulted in patients’ ePHI being encrypted. Ashland Women’s Health (AWH) is a small obstetrics and gynecology practice in Ashland, Kentucky. Earlier this month, AWH submitted a report of a hacking/IT incident to the Department of Health and Human Services’ Office for Civil Rights. The breach report indicates 19,727 patients were impacted.

This week, further information on the security breach has been released. The security breach was caused by a malicious actor who gained access to the computer system used by AWH and installed a ransomware variant called HakunaMatata. HakunaMatata ransomware is a variant of NMoreira ransomware.

While electronic protected health information was encrypted by the ransomware, a ransom payment was not made to regain access to data. AWH was able to recover all encrypted EHR data from backups.

The ransomware attack was reported to the FBI and law enforcement and an investigation is being conducted. AWH has now successfully restored patient data and has brought its systems back online. AWH experienced downtime of around two days following the attack while the infection was removed and data were restored. During that time, medical services continued to be provided, with staff resorting to pen and paper to record health information and schedule appointments.

In accordance with HIPAA Rules, breach notification letters will shortly be sent to all affected patients.

The post Ashland Women’s Health Reports Ransomware Attack appeared first on HIPAA Journal.

Virus Infection at Erie County Medical Center Forces Computer System Shutdown

A computer virus sent via email to staff at Erie County Medical Center in Buffalo, New York – the main teaching hospital used by the University of Buffalo – has forced the hospital to shut down its entire computer system, parts of which remain out of action three days later.

The incident occurred in the early hours of Sunday morning. IT staff reacted promptly and shut down email and took the entire computer system offline as a precaution to prevent the spread of the virus. The IT team, assisted by external security experts, is working to systematically restore its systems. That process is expected to take several days, although most computer systems at the hospital have now been brought back online. The hospital’s email system is still not operational and its website is still inaccessible. The hospital has a backup of all data, including patients’ health information. A full recovery is therefore expected.

Staff at the hospital have been forced to temporarily work with pen and paper while the IT security incident is resolved. Communication between care teams has continued using ECMC’s proprietary text messaging system. A spokesperson for the hospital says operations are continuing as normal and patient services have not been affected.

Peter K. Cutler, ECMC’s Vice President of Communications and External Affairs, said “We have concerns about the motivation that led to this virus, and we are working with the appropriate agencies to determine the validity of whatever information we’ve received as a result of this virus coming into our system.”

The hospital is “confident that no patient information has been compromised,” however, at this stage, that cannot be entirely ruled out. The investigation into the attack is continuing and once systems have been restored, ECMC will be conducting a complete post-infection analysis to ensure that no further malware or viruses remain on its system. Law enforcement agencies, including the FBI, have been notified of the cyberattack.

The nature of the virus has not been disclosed, although the incident bears the hallmarks of a ransomware infection. Targeted ransomware attacks on hospitals are occurring, with at least one malicious actor using Philadelphia ransomware to attack hospitals and encrypt data. Those attacks started in the third week of March.

A decryptor has been released to unlock files encrypted by Philadelphia ransomware, although many ransomware variants have yet to be cracked. For those variants, decrypting data is only possible if a ransom is paid, something the FBI and other law enforcement agencies strongly advise against.

In order to ensure a complete recovery from a ransomware attack is possible, healthcare organizations must regularly back up their data and test those backups to make sure data can be recovered in the event of a disaster.

The post Virus Infection at Erie County Medical Center Forces Computer System Shutdown appeared first on HIPAA Journal.

2017 Shaping Up to Be Another Record-Breaking Year for Healthcare Data Breaches

2016 was a particularly bad year for healthcare data breaches. More data breaches were reported than in any other year since the Department of Health and Human Services’ Office for Civil Rights started publishing healthcare data breach summaries in 2009.

In 2016, 329 breaches of more than 500 records were reported to the Office for Civil Rights and 16,655,952 healthcare records were exposed or stolen.

2017 looks set to be another record breaking year for healthcare data breaches. Figures for the first quarter of 2017 show data breaches have increased, with rises in theft incidents, hacks and unauthorized disclosures.

By the end of Q1, 2016, 64 breaches of more than 500 records had been reported to OCR and 3,529,759 records had been exposed or stolen.

Between January 1, 2017 and March 31, 2017, OCR received 79 data breach reports from HIPAA covered entities and business associates. Those breaches have resulted in the theft or exposure of 1,713,591 healthcare records.

While fewer individuals have been impacted by healthcare data breaches than in the equivalent period last year, the number of reported breaches has increased by more than 23%.

Hacking incidents have increased by 26%, unauthorized access and disclosures have risen by 28%, and theft incidents have increased by 30%. Incidents involving improper disposal of PHI have remained the same and there has been little change in the number of reported loss incidents.

April has also started poorly, with Ashland Women’s Health having discovered a hacking incident that has resulted in the exposure of 19,727 patient health records.

While hacking incidents have risen year on year, the biggest threat comes from within. Protenus reports that in January, 59.2% of healthcare data breaches were caused by insiders, with February’s healthcare data breach report indicating insiders were responsible for 58% of breaches.

Largest Healthcare Data Breaches in Q1, 2017

Organization | Covered Entity Type | Type of Breach | Individuals Affected
Commonwealth Health Corporation | Healthcare Provider | Theft | 697,800
Urology Austin, PLLC | Healthcare Provider | Hacking/IT Incident | 279,663
VisionQuest Eyecare | Healthcare Provider | Hacking/IT Incident | 85,995
Washington University School of Medicine | Healthcare Provider | Hacking/IT Incident | 80,270
Emory Healthcare | Healthcare Provider | Hacking/IT Incident | 79,930
Stephenville Medical & Surgical Clinic | Healthcare Provider | Unauthorized Access/Disclosure | 75,000
Primary Care Specialists, Inc. | Healthcare Provider | Hacking/IT Incident | 65,000
ABCD Pediatrics, P.A. | Healthcare Provider | Hacking/IT Incident | 55,447
WellCare Health Plans, Inc. | Health Plan | Hacking/IT Incident | 24,809
Denton Heart Group | Healthcare Provider | Theft | 21,665

The post 2017 Shaping Up to Be Another Record-Breaking Year for Healthcare Data Breaches appeared first on HIPAA Journal.

3,365 Patients’ Billing Records Potentially Stolen by Hacker

Atlanta-based Skin Cancer Specialists, P.C., has announced a data security incident has been discovered that has resulted in the exposure of the billing records of 3,365 patients.

An unauthorized individual was discovered to have gained access to the healthcare provider’s system on October 15, 2016, with the intrusion detected on February 2, 2017.

The system contained the billing records of 3,365 patients. Those records included patients’ names, addresses, telephone numbers, dates of birth, medical record numbers, physician information and health insurance details. Financial information and Social Security numbers were not viewed or obtained by the attacker.

Skin Cancer Specialists hired a cybersecurity firm to conduct a thorough investigation into the breach to determine how access was gained. Action has now been taken to secure its systems to prevent further cyberattacks.

No evidence of inappropriate use of the billing records was uncovered during the investigation, although patients have been advised to check their explanation of benefits statements for any sign of fraudulent use of their health insurance information. Patients were notified of the breach by mail on April 3, 2017.

Healthcare Hacking Incidents Have Increased by 26% in 2017

2016 was a particularly bad year for healthcare data breaches, with more reported breaches of patient health records than in any other year since the Department of Health and Human Services’ Office for Civil Rights started publishing data breach summaries on its ‘Wall of Shame’.

However, 2017 looks set to be even worse. Healthcare hacking incidents have increased in 2017, with 26% more incidents discovered during the first three months of 2017 than in the corresponding period in 2016.

Up to March 31, 2017, OCR received reports of 24 healthcare hacking/IT incidents, resulting in 811,343 healthcare records being exposed or stolen. Ten of those incidents have been reported in the past 30 days.

The post 3,365 Patients’ Billing Records Potentially Stolen by Hacker appeared first on HIPAA Journal.

Mental Health Histories and Therapy Session Notes of 3,000+ Patients Sold On Darknet

Databreaches.net has discovered a healthcare data breach of more than 3,000 records. Those records appear to have been sold by the hacker responsible for the attack via a darknet marketplace. The records contained health and mental health histories and therapy session notes from 2007 to present.

In total, more than 4,500 patient records were obtained by the hacker, which related to ‘3,000-3,500’ unique individuals. The records included names, addresses, phone numbers and employer details along with SSNs, dates of birth and the names of patients’ physicians.

Worse still, the records contained complete family histories, details of substance abuse, legal histories, health and mental health histories, and detailed ‘complete’ notes of therapy sessions spanning several years.

The individual responsible for stealing the information listed the records for sale on a darknet marketplace advising potential buyers that the records contained “Everything confessed/discussed in complete privacy is in here for thousands of patients.”

The complete set of data was listed for sale for a minimum price of $10,000 and was allegedly sold to one individual. The seller suggested the records could be sold back to the organization from where they were stolen.

It is not clear how the records were stolen, although the seller claims the healthcare organization had ‘not-so-great network security.’ Databreaches.net was able to identify the source of the data and alerted the organization – Behavioral Health Center in Bangor, Maine. The health center has launched an investigation into the breach and will notify affected patients in due course.

The post Mental Health Histories and Therapy Session Notes of 3,000+ Patients Sold On Darknet appeared first on HIPAA Journal.

Large Hospitals and Teaching-Focused Hospitals Face Greater Risk of Data Breaches

A study recently published in JAMA Internal Medicine examined recent healthcare data breach trends to determine which types of hospitals are the most susceptible to data breaches.

The researchers analyzed breach reports submitted to the Department of Health and Human Services’ Office for Civil Rights between October 21, 2009 and December 31, 2016. During that time, 216 hospitals reported 257 breaches of more than 500 patient records.

33 hospitals experienced more than one data breach during that time frame. Four hospitals – Brigham and Women’s Hospital, Cook County Health & Hospitals System, Mount Sinai Medical Center and St. Vincent Hospital and Healthcare Inc – experienced three data breaches. Two hospitals – Montefiore Medical Center and University of Rochester Medical Center & Affiliates – experienced four data breaches.

The researchers determined the size of the acute care hospitals by linking the facilities to their Medicare cost reports submitted to the Centers for Medicare and Medicaid Services in the 2014 fiscal year. 141 acute care hospitals were linked to CMS cost reports. Unlinked hospitals included those run by the Department of Veteran Affairs and military hospitals and long term care hospitals.

The study revealed that larger hospitals were statistically more likely to experience a data breach. More than one third of hospitals (37%) that had experienced a data breach are classed as major teaching hospitals.

Linked hospitals had a median of 262 beds, while an analysis of 2852 acute care hospitals that had not reported a data breach had a median of 134 beds. 265 (9%) of those unbreached hospitals were major teaching hospitals.

The researchers found that both the size of hospitals and their teaching status were positively associated with the risk of experiencing data breaches.

The researchers used multivariable and regression analyses to compare the 141 linked acute care hospitals with other hospitals to determine why they faced a higher risk of experiencing data breaches.

The researchers suggest the reason why larger hospitals and teaching hospitals experience more data breaches is due to having broader access to sensitive patient data. The more individuals who require access to data, the greater the risk of data breaches occurring. The report suggests “There is a fundamental trade-off between data security and data access.” When data are made available to a greater number of individuals for research and education purposes it makes “zero breach” an extremely challenging objective.

While investment in information technology such as EHRs has certainly made hospitals more efficient and has improved the provision of care to patients, it has also made security and privacy breaches more likely.

While many hospitals have invested heavily in cybersecurity defenses to reduce the risk of data breaches, the breach reports submitted to the Department of Health and Human Services’ Office for Civil Rights clearly show that healthcare data breaches are increasing in frequency.

The fast-evolving threat landscape requires hospitals to invest in cybersecurity defenses to mitigate data breach risk and hospitals must continuously evaluate data security risks and apply best data security practices to prevent breaches from occurring; however, it is difficult for hospitals to determine which technologies and best practices are the most effective at preventing data breaches.

Lead author of the study, Ge Bai, an assistant professor at Johns Hopkins Business School, said, “More research is needed to identify effective and evidence-based data security practices to guide hospitals’ risk management efforts.”

The post Large Hospitals and Teaching-Focused Hospitals Face Greater Risk of Data Breaches appeared first on HIPAA Journal.

More than 55,000 Patients Impacted by ABCD Pediatrics Ransomware Attack

San Antonio, TX-based ABCD Pediatrics has discovered cybercriminals gained access to its servers and encrypted data with ransomware, including the protected health information of its patients. The individuals behind the attack may also have gained access to data stored on the healthcare provider’s servers prior to ransomware being deployed. The breach report submitted to the Department of Health and Human Services’ Office for Civil Rights indicates 55,447 patients have been impacted.

The attack involved a variant of CrySiS ransomware called Dharma, which started encrypting data on February 6, 2017. Dharma ransomware is not known to exfiltrate data; however, an analysis of the attack revealed a number of suspicious user accounts on the servers, suggesting access had been gained prior to the ransomware being installed. User logs were also discovered that indicated programs or users may have been on the servers for a limited period of time prior to the ransomware being installed.

Fortunately, the encryption process was hampered by the anti-virus solution used by ABCD Pediatrics. ABCD Pediatrics, via its IT company, was able to isolate the affected servers and take them offline limiting the effectiveness of the attack. ABCD was not able to determine with a high degree of certainty that data were not viewed or stolen, although no evidence was uncovered to suggest data were accessed or exfiltrated.

The types of information potentially compromised included patients’ names, addresses, telephone numbers, demographic information, dates of birth, Social Security numbers, insurance billing information, medical records, procedural codes and lab test results. To protect patients from identity theft and fraud, ABCD Pediatrics has offered 12 months of credit monitoring and identity theft protection services to affected individuals via Equifax Personal Solutions.

Fortunately, ABCD Pediatrics was able to restore all encrypted and corrupted data from a backup that was securely stored on a different system. No data were lost as a result of the attack and no ransom was paid. ABCD Pediatrics reports that no ransom demand was actually received from the attackers.

The ransomware attack occurred in spite of a host of security defenses that had been deployed. Those defenses included “network filtering and security monitoring, intrusion detection systems, firewalls, antivirus software, and password protection.”

The forensic investigation identified the source of the attack and additional security solutions have now been deployed to prevent future attacks, including state-of-the-art network cyber monitoring.

The incident shows that even with advanced cybersecurity solutions in place, ransomware attacks remain a threat. While it may not be possible to prevent all ransomware attacks, risk can be reduced to an acceptable level with cybersecurity solutions and securely stored backups of data will ensure ransom demands will not have to be paid.

A good backup policy to adopt is the 3-2-1 approach. There should be three copies of data: two stored locally on two different media and one stored off site. The local media should be disconnected once a backup has been performed, so that malware which reaches the production system cannot also reach the backups.
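The two practical points made on this page about backups are that there must be several independent copies (the 3-2-1 policy above) and that those copies must be tested, because a backup that was silently encrypted or corrupted is no recovery at all. The script below is an added example, not code from HIPAA Journal or from any of the organizations named on this page; it stands in for the three media with three plain directories, the manifest file name is a hypothetical choice, and the "ransomware damage" is simply an overwritten file. It writes three copies, records a SHA-256 manifest with each, re-verifies a copy before trusting it, and restores from the first copy that still verifies.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

MANIFEST_NAME = "MANIFEST.sha256.json"  # hypothetical name for the per-copy integrity record

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root: Path) -> Dict[str, str]:
    """Map every regular file under root (relative, POSIX-style path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.name != MANIFEST_NAME
    }

def make_backup(source: Path, target: Path) -> Dict[str, str]:
    """Copy the source tree into target and store a manifest next to the copy."""
    if target.exists():
        shutil.rmtree(target)
    shutil.copytree(source, target)
    manifest = build_manifest(target)
    (target / MANIFEST_NAME).write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest

def verify_backup(target: Path) -> List[str]:
    """Return the paths whose content no longer matches the stored manifest.
    Any difference (changed bytes, missing or added files) means the copy is
    not safe to restore from; an empty list means it verified cleanly."""
    stored = json.loads((target / MANIFEST_NAME).read_text())
    current = build_manifest(target)
    changed = {p for p in stored if p in current and stored[p] != current[p]}
    return sorted((set(stored) ^ set(current)) | changed)

def backup_3_2_1(source: Path, local_a: Path, local_b: Path, offsite: Path) -> Dict[str, List[str]]:
    """Write three copies (two 'local media', one 'off site'; all plain directories
    in this example) and verify each one immediately after writing it."""
    results = {}
    for label, target in (("local_a", local_a), ("local_b", local_b), ("offsite", offsite)):
        make_backup(source, target)
        results[label] = verify_backup(target)
    return results

def restore_from_first_good(copies, destination: Path) -> Optional[str]:
    """Restore from the first copy that still verifies; None if none does."""
    for label, target in copies:
        if verify_backup(target):
            continue  # this copy is damaged; try the next one
        if destination.exists():
            shutil.rmtree(destination)
        shutil.copytree(target, destination, ignore=shutil.ignore_patterns(MANIFEST_NAME))
        return label
    return None

def run_demo() -> dict:
    """End-to-end walk-through on constructed sample data; returns the checks made."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        source = root / "ehr"
        (source / "notes").mkdir(parents=True)
        (source / "notes" / "visit.txt").write_text("constructed sample record 1\n")
        (source / "schedule.csv").write_text("date,slot\n2017-04-10,09:00\n")

        copies = [("local_a", root / "usb_a"), ("local_b", root / "usb_b"), ("offsite", root / "offsite")]
        results = backup_3_2_1(source, copies[0][1], copies[1][1], copies[2][1])
        all_good = all(not bad for bad in results.values())

        # Simulate damage to one local copy: the file is overwritten, which is
        # what a backup medium left connected during an infection would look like.
        (copies[0][1] / "notes" / "visit.txt").write_bytes(b"\x00unreadable\x00")
        tampered = verify_backup(copies[0][1])

        restored_from = restore_from_first_good(copies, root / "restored")
        restore_matches = build_manifest(root / "restored") == build_manifest(source)
        return {
            "all_good": all_good,
            "tampered": tampered,
            "restored_from": restored_from,
            "restore_matches": restore_matches,
        }

if __name__ == "__main__":
    print(run_demo())
```

The point of the manifest is that verification never relies on the backup software's own success message: a copy is trusted only when its bytes still hash to what was recorded at the time it was written, and a damaged copy is skipped rather than restored. In a real deployment the "offsite" directory would be a location the production hosts cannot write to after the backup completes.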

The post More than 55,000 Patients Impacted by ABCD Pediatrics Ransomware Attack appeared first on HIPAA Journal.

Phishing Attack Potentially Impacts 80,000 Patients of Washington University School of Medicine

A phishing attack on the Washington University School of Medicine has resulted in a number of staff members’ email accounts being compromised.

Washington University School of Medicine learned of the phishing attack on January 24, 2017, more than seven weeks after the attack occurred. An investigation into the incident revealed the attack occurred on December 2, 2016.

Phishing emails use a variety of social engineering techniques to fool end users into revealing sensitive information such as usernames, passwords, or bank details. In this case, the phishing emails were used to obtain login credentials to staff members’ email accounts.

Email accounts contain a treasure trove of information. An investigation revealed the compromised accounts contained the protected health information of 80,270 patients. Data in the accounts included patients’ names, dates of birth, medical record numbers, clinical information, medical diagnoses and treatment information. Some patients’ Social Security numbers were also exposed as a result of the attack.

The investigation did not uncover any evidence to suggest any of the information in the accounts had been misused, although due to the length of time that the attackers potentially had access to the accounts, it is possible that information was accessed and stolen.

Washington University School of Medicine started notifying affected individuals of the exposure of their PHI on March 24 and the incident has been reported to law enforcement which is conducting an investigation.

To prevent future incidents of this nature from occurring, Washington University School of Medicine will be re-educating staff members on existing protocols regarding phishing emails. Logon authentication processes and business practices will also be strengthened.

Preventing staff from responding to phishing emails is a major challenge. Cybersecurity training can be provided to employees, but as this incident shows, training is not always effective.

Organizations can greatly improve their resilience to phishing attacks by conducting dummy phishing attacks. Dummy phishing exercises highlight areas of weakness and allow healthcare organizations to identify which members of staff require further training. Research conducted by PhishMe shows that with practice, employees’ phishing identification skills can be significantly improved.

The post Phishing Attack Potentially Impacts 80,000 Patients of Washington University School of Medicine appeared first on HIPAA Journal.

Patients’ PHI Accidentally Sent to Media Outlets by Mecklenburg County

A spreadsheet containing the protected health information of more than 1,200 patients has been accidentally sent to two media outlets by a worker at Mecklenburg County, NC.

The spreadsheet was emailed to the media outlets in response to a freedom of information request. That request was made following the discovery that 185 female patients had not been notified of abnormal Pap smear results. The spreadsheet had been created for state officials who were conducting an audit.

County officials discovered the HIPAA breach on Monday and immediately launched an investigation to determine how such an error could have been made. County officials are furious about the privacy breach. Commissioner Vilma Leake said she wanted “to fire everybody on the health department.” County Manager Dena Diorio said “I am absolutely speechless with anger about how something like this could happen.”

This is the second HIPAA breach in a month to be discovered by Mecklenburg County. WSOCTV said it had previously been sent information that contained the name of an individual that should not have been released. A request was received to return that information.

The latest mistake was allegedly made while a county worker was attempting to resolve the first privacy violation. County Commissioner Jim Puckett told WSOCTV Channel 9 “We had a relatively small problem that has escalated into a large one.”

The latest incident has prompted the County to implement new policies and procedures to prevent HIPAA breaches of this nature from occurring in the future.

Those policies will include prohibiting the inclusion of any protected health information in spreadsheets. ‘Gap measures’ have also been put in place to reduce the potential for a repeat HIPAA breach. Those measures include having two employees sign off any information leaving the health department. A long-term solution is also being developed to ensure that public information requests are processed correctly without violating individuals’ privacy.

The Department of Health and Human Services’ Office for Civil Rights and affected patients will be notified of the privacy breach within the next 60 days in accordance with HIPAA Rules.

Healthcare organizations should have policies in place to ensure responses to information requests are checked by multiple members of staff before they are released outside an organization.

All workers can make mistakes, but policies should be in place to prevent an error by a single employee resulting in a HIPAA violation and potentially, a significant HIPAA violation penalty. This incident shows how easy it is for a HIPAA breach to occur if adequate checks are not conducted.
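The two controls this article describes, keeping PHI out of spreadsheets that are released and requiring two people to sign off anything that leaves the department, can both be enforced mechanically before a file is attached to an outgoing email. The script below is an added example, not code from HIPAA Journal or Mecklenburg County; the header terms, regular expressions and the two CSV files are constructed for illustration, and the record values are invented. It scans a CSV export for PHI-looking headers and cell values, then refuses release unless the scan is clean and two distinct approvers have signed off.

```python
import csv
import io
import re
from typing import Iterable, List, Tuple

# Header names that signal the column carries PHI (constructed list; extend to local usage).
PHI_HEADER_TERMS = ("ssn", "social security", "dob", "date of birth", "mrn",
                    "medical record", "patient name", "diagnosis")
# Value patterns that signal PHI even when the header looks harmless.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
DATE_RE = re.compile(r"\b(?:\d{1,2}/\d{1,2}/\d{4}|\d{4}-\d{2}-\d{2})\b")
MRN_RE = re.compile(r"\bMRN[-\s]?\d{5,}\b", re.IGNORECASE)

def scan_spreadsheet(csv_text: str) -> List[Tuple[int, str, str]]:
    """Return (row_number, column, reason) for every cell that looks like PHI.
    Row 0 is the header row; a header finding applies to the whole column."""
    findings = []
    reader = csv.DictReader(io.StringIO(csv_text))
    for col in reader.fieldnames or []:
        if any(term in col.lower() for term in PHI_HEADER_TERMS):
            findings.append((0, col, "header names a PHI field"))
    for n, row in enumerate(reader, start=1):
        for col, value in row.items():
            value = value or ""
            if SSN_RE.search(value):
                findings.append((n, col, "value matches SSN pattern"))
            elif MRN_RE.search(value):
                findings.append((n, col, "value looks like a medical record number"))
            elif DATE_RE.search(value):
                findings.append((n, col, "value is a date (possible date of birth or service date)"))
    return findings

def release_gate(csv_text: str, approvers: Iterable[str]) -> Tuple[bool, List[str]]:
    """Allow release only when the PHI scan is clean AND two distinct people approved."""
    reasons = []
    findings = scan_spreadsheet(csv_text)
    if findings:
        row, col, why = findings[0]
        reasons.append(f"{len(findings)} PHI finding(s); first: row {row}, column {col!r}: {why}")
    distinct = {a.strip().lower() for a in approvers if a and a.strip()}
    if len(distinct) < 2:
        reasons.append(f"needs two distinct approvers, got {len(distinct)}")
    return (not reasons, reasons)

# Constructed sample: an internal audit export of the kind that must never leave the department.
AUDIT_EXPORT = """Patient Name,DOB,SSN,Result Notified
Sample Patient A,04/12/1979,123-45-6789,No
Sample Patient B,1982-07-03,987-65-4321,No
"""

# Constructed sample: the aggregate view that a records request can safely receive.
PUBLIC_SUMMARY = """Clinic,Abnormal Results,Patients Not Notified
Clinic A,120,97
Clinic B,110,88
"""

if __name__ == "__main__":
    for name, text, who in (("audit export", AUDIT_EXPORT, ["a.reviewer", "b.reviewer"]),
                            ("public summary", PUBLIC_SUMMARY, ["a.reviewer", "b.reviewer"]),
                            ("public summary, one approver", PUBLIC_SUMMARY, ["a.reviewer", "A.Reviewer "])):
        allowed, reasons = release_gate(text, who)
        print(f"{name}: {'RELEASE' if allowed else 'BLOCKED'} {reasons}")
```

The scan is deliberately conservative: any date is flagged, because a spreadsheet built for an audit of test results will carry service dates and dates of birth, and it is cheaper to have a reviewer confirm a false positive than to explain a release like the one described above. The approver check compares normalized names so that the same person signing twice does not satisfy the two-person rule.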

The post Patients’ PHI Accidentally Sent to Media Outlets by Mecklenburg County appeared first on HIPAA Journal.