HIPAA Breach News

Estill County Chiropractic Patients Impacted by Ransomware Attack

On January 17, 2017, Irvine, KY-based Estill County Chiropractic discovered its computer system had been breached and files had been encrypted with ransomware by an unauthorized individual.

An external computer consultant was hired to conduct a thorough investigation of the incident to determine how the ransomware was installed and the extent of the attack.

While many ransomware infections occur as a result of an employee responding to a malicious spam email message, in this case, the attacker was discovered to have previously gained access to Estill County Chiropractic’s computer system. Access to the system was first gained on January 6, 2017, although the ransomware was not installed until January 17.

Due to the nature of the attack, it is possible the attacker gained access to the protected health information of patients and stole patient data. The information potentially accessed included patients’ names, addresses, phone numbers, email addresses, dates of birth, clinical information, Social Security numbers, medical diagnoses, provider notes, claims information and health plan identification numbers. The investigation did not uncover any evidence to suggest that patients’ PHI had been accessed or stolen, although the possibility could not be ruled out.

Estill County Chiropractic is currently notifying affected patients that their PHI has potentially been compromised. Patients have been told that cybersecurity protections were already in place, although in response to the attack the chiropractic center’s systems have been replaced and additional security measures have been deployed to prevent future attacks.

The breach report submitted to the Department of Health and Human Services’ Office for Civil Rights indicates 5,335 patients have been impacted by the attack. Estill County Chiropractic is offering all affected patients 12 months of credit monitoring services free of charge through Equifax Personal Solutions to protect them against fraud and identity theft. Patients have been advised to exercise caution and to be vigilant to the possibility that their PHI may have been used for nefarious purposes.

The post Estill County Chiropractic Patients Impacted by Ransomware Attack appeared first on HIPAA Journal.

Former Employee Accused of Stealing PHI of up to 160,000 Med Center Health Patients

The Kentucky-based 6-hospital health system Med Center Health has reported a data breach affecting approximately 160,000 patients. Med Center Health believes a former employee may have stolen patients’ protected health information (PHI) prior to leaving employment.

The former employee has been accused of stealing PHI including names, addresses, health insurance information, Social Security numbers, procedure codes and billing information. Medical records were not compromised at any point.

The FBI has been notified and is investigating along with other federal agencies. Med Center Health is in the process of notifying patients of the breach, although the process is expected to take a couple of weeks due to the number of individuals who have been impacted.

While the breach has only recently been announced, the data theft incidents date back to 2014 and 2015. The former employee is understood to have taken an encrypted CD and an encrypted portable storage device in August 2014 and February 2015. There was no legitimate work reason for ePHI to have been taken, although on both occasions the former employee claimed the data were needed for work-related duties.

The Bowling Green Daily News suggests Med Center Health discovered the breach several months ago, although notifications were delayed. A spokesperson for Med Center Health told Bowling Green Daily News “Med Center Health informed patients as expeditiously as possible. It is important to understand that the information leading Med Center Health to report the incident pursuant to HIPAA developed over time during an intensive internal investigation.”

Patients affected by the breach had received medical services at one of six Med Center Health facilities between 2011 and 2014: Cal Turner Rehab and Specialty Care, Medical Center EMS, the Commonwealth Regional Specialty Hospital, the Medical Center at Bowling Green, the Medical Center at Franklin and the Medical Center at Scottsville.

Patients impacted by the breach have been offered 12 months of credit monitoring and identity theft protection services without charge. Med Center Health has not uncovered any evidence to suggest that any of the stolen information was used to commit fraud, although the possibility cannot be ruled out.

Flowers Hospital Data Breach Lawsuit Awarded Class-Action Status

A lawsuit filed by five plaintiffs following a breach of protected health information at Flowers Hospital in 2013 has finally been awarded class-action status.

The lawsuit was filed against Triad of Alabama, the parent company of Flowers Hospital, in 2014. Triad of Alabama submitted motions to dismiss the lawsuit in 2014 and 2015, but the lawsuit survived.

In contrast to many healthcare data breach lawsuits that are filed following cyberattacks by hackers, this incident involved an insider. A phlebotomist employed at Flowers Hospital – Kamarian Millender – stole non-hospital records stored at the hospital. The information in those records was used to file fraudulent tax returns in the names of 124 individuals over two years.

Millender was arrested in 2014 and was found to be in possession of 54 patient records. Millender was subsequently charged with trafficking stolen identities and aggravated identity theft and pled guilty to stealing 73 identities for the purpose of filing fraudulent tax returns.

In total, prosecutors alleged tax returns totaling around $536,000 were submitted to the IRS, although most of those returns were stopped and just $18,915 in refunds were issued. Millender was sentenced to serve 2 years in prison after pleading guilty. Millender is not believed to have acted alone, but his suspected accomplice remains at large.

While there is no doubt that PHI was stolen and misused and losses were suffered as a direct result, there is some debate as to how many individuals have been impacted. Flowers Hospital sent breach notification letters to 1,208 patients after discovering five files were missing, each of which was understood to contain the records of around 100 to 150 patients.

Flowers Hospital sent letters to all of those patients ‘out of an abundance of caution’; being notified does not mean an individual’s information was actually stolen and misused. The breach report submitted to OCR indicates 629 individuals were impacted by the breach.

Earlier this week, Chief United States District Judge W. Keith Watkins awarded class-action status to the lawsuit, even though it was unclear how many individuals were impacted. The plaintiffs had not shown how many putative class members were affected, although it is probable that they will number in the hundreds. Judge Watkins said, “[Even if] the class is limited to the 73 victims identified in Millender’s plea agreement, the named plaintiffs have easily satisfied the numerosity requirement.”

Many data breach lawsuits ultimately fail as the plaintiffs are unable to demonstrate that losses have been suffered as a direct result of the theft or exposure of protected health information. In this case, the perpetrator was convicted and it is clear that at least some of the plaintiffs have suffered losses. How many of the class members will be able to demonstrate that harm has been suffered remains to be seen. The lawsuit alleges negligence, breach of contract, violation of the Fair Credit Reporting Act and an invasion of privacy, although the latter claims have now been dismissed.

It is possible that the Judge’s ruling may be challenged so there are potential hurdles ahead. If the lawsuit survives a challenge it will move to the discovery phase. Flowers Hospital/Triad of Alabama have not yet announced their next course of action.

Urology Austin Ransomware Attack Announced

Urology Austin has started notifying its patients that some of their protected health information may have been impacted in a recent ransomware attack. Potentially, the attackers gained access to names, addresses, dates of birth, medical information and the Social Security numbers of patients.

The attack occurred on January 22, 2017, although rapid detection of the incident limited the damage caused. Within minutes of the attack, the computer network was shut down to prevent the spread of the infection and potential access/exfiltration of PHI. However, even with the fast response, data stored on the organization’s servers were encrypted.

Ransomware often blindly encrypts data. The attacks are intended to cause major disruption to patient services to force an organization into paying a ransom demand to obtain a key to unlock the encryption. In many such attacks the data are not read or exfiltrated by the attackers, although that cannot be assumed without a forensic investigation, since the same access used to deploy the ransomware could have been used to copy data beforehand.

The risk of patients’ protected health information being accessed and misused after this type of attack is therefore often low. In this case, the decision was taken to provide identity theft monitoring services to patients out of an abundance of caution ‘to help relieve concerns and restore confidence’, a commendable action by the urology center to ensure patients are protected in the event that data were accessed.

Urology Austin has also taken a number of steps to prevent similar incidents from occurring in the future. System backups have been updated to ensure fast recovery in the event of a further attack and network security has been improved.

The breach notice submitted to the California attorney general’s office provides an indication of how the ransomware attack occurred. Urology Austin said employees have been retrained regarding suspicious emails, patient privacy and security, suggesting the infection was the result of a member of staff responding to a malicious email – one of the most common methods attackers use to install ransomware.

UNC Health Care Reports Exposure of 1300 Prenatal Patients’ PHI

Prenatal patients who visited certain obstetric clinics operated by UNC Health Care are being notified that some of their protected health information has been disclosed to local health departments by mistake.

Pregnancy Home Risk Screening Forms of Medicaid-eligible patients are sent to local health departments to ensure those individuals are connected with appropriate support services. However, UNC Health Care has discovered that in addition to Medicaid-eligible patients, forms relating to patients who were not eligible for Medicaid were also sent to local health departments. In total, around 1,300 patients have been affected.

The privacy breach affects women who had prenatal appointments at the UNC Maternal-Fetal Medicine at Rex Hospital or the Women’s Clinic at the North Carolina Women’s Hospital between April 2014 and February 2017.

Pregnancy Home Risk Screening Forms contain patients’ names and addresses, race and ethnicity, Social Security numbers, health and mental health histories, details of patients’ HIV status, any sexually transmitted diseases contracted, medical diagnoses related to the pregnancy or past pregnancies, details of drug and alcohol use and whether the patients were smokers.

Patients whose privacy has been violated were informed of the breach by mail on March 20, 2017. Patients have been advised that the health departments that have been sent the information are covered by state and federal laws put in place to protect patient privacy. Those health departments must have appropriate administrative, technical and physical safeguards in place to protect all protected health information that is received and stored.

Consequently, the risk of any sensitive information being used inappropriately is believed to be low, although as a precaution, all individuals affected by the breach have been offered fraud resolution services in case any experience identity theft or fraud as a result of the incident.

To prevent future breaches of this nature from occurring, UNC Health Care has updated its policies and procedures covering patients who complete the Pregnancy Home Risk Screening Form and all staff members have been trained on the new procedures. In future, only forms completed by Medicaid-eligible individuals will be sent to county health departments.

UNC Health Care has requested all county health departments purge any information relating to non-Medicaid-patients from their databases.

Snapshot of Healthcare Data Breaches in February 2017

The Protenus Breach Barometer healthcare data breach report for February includes some good news. Healthcare data breaches have not risen month on month, with both January and February seeing 31 data breaches reported.

The report offers some further good news. Healthcare hacking incidents fell in February, accounting for just 12% of the total number of breaches reported during the month. There was also a major fall in the number of healthcare records exposed or stolen. In January, 388,207 healthcare records were reported as being exposed or stolen. In February, the number fell to 206,151 – a 47% drop in exposed and stolen records. However, February was far from a good month for the healthcare industry.

IT security professionals have long been concerned about the threat from within, and last month clearly showed those fears are grounded in reality. February saw a major increase in the number of incidents caused by insiders. Insider breaches in February accounted for 58% of the total number of incidents reported for which the cause was known; double the number reported the previous month.

Insider wrong-doing was behind eight of the 18 incidents caused by insiders and nine were the result of errors by employees. One of the incidents could not be classified due to a lack of information about the exact nature of the breach.

Preventing insider breaches can be a major challenge for healthcare organizations, as can detecting breaches when they occur. Small to mid-sized organizations often do not have the resources to continuously monitor for inappropriate accessing of healthcare records by employees. However, if continuous monitoring is not possible, covered entities must ensure that regular audits of access logs take place. Fast detection of improper access greatly reduces the harm those incidents cause, and regular reviews of access logs also reduce the risk of an OCR HIPAA fine or settlement.

HIPAA requires covered entities to maintain access logs and regularly check for inappropriate ePHI access, although the frequency of those checks and audits is left to the discretion of the covered entity. The frequency of audits should be dictated by the results of an organization’s risk analysis.

Last month showed that while some healthcare organizations are complying with 45 CFR § 164.308(a)(5)(ii)(C) – log-in monitoring – and 45 CFR § 164.312(b) – Audit controls – and are keeping logs, they are failing on Section 45 CFR § 164.308(a)(1)(ii)(D) by not regularly conducting information system activity reviews.

One incident reported in February involved an employee improperly accessing ePHI for more than five years (2,103 days) before the improper access was detected. HIPAA Rules may not stipulate how frequently access logs should be checked, but it would be difficult to argue that a check every five years constituted ‘regular’.
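The following is an added example of the kind of information system activity review described above; it is illustrative code and is not from HIPAA Journal, Protenus or any covered entity named on this page. It runs over a constructed EHR access log and a constructed table of treatment relationships (who is actually assigned to or treating which patient), flags every access for which the user had no documented relationship with the patient, and reports per user the distinct patients involved, the first and last improper access, and how many days the activity would have gone unnoticed by a given review date. The log format, user names and patient identifiers are assumptions.

```python
"""Information system activity review: flag ePHI accesses with no treatment relationship.

Added example; every log line and relationship record below is constructed.
"""
from collections import defaultdict
from datetime import date, datetime

# Constructed access log (not from a real EHR): ISO timestamp,user,patient,action
ACCESS_LOG = """\
2014-10-08T09:12:04,jdoe,P10001,VIEW
2014-10-08T09:15:31,jdoe,P10002,VIEW
2014-11-02T14:02:10,jdoe,P10003,VIEW
2015-03-19T08:45:00,asmith,P10001,VIEW
2016-06-30T16:20:12,jdoe,P10007,VIEW
2017-01-16T11:05:44,jdoe,P10009,VIEW
2017-01-16T11:30:00,asmith,P10009,VIEW
"""

# Constructed treatment relationships (user, patient), as an encounter or
# assignment table would provide them. jdoe is only assigned to P10001.
TREATMENT = {("jdoe", "P10001"), ("asmith", "P10001"), ("asmith", "P10009")}


def parse_log(text):
    """Parse CSV log lines into event dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, patient, action = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "patient": patient, "action": action})
    return events


def unrelated_accesses(events, treatment):
    """Group, by user, every access lacking a documented treatment relationship."""
    by_user = defaultdict(list)
    for ev in events:
        if (ev["user"], ev["patient"]) not in treatment:
            by_user[ev["user"]].append(ev)
    return by_user


def summarize(user_events, review_date):
    """Count, distinct patients, first/last access, and how long it went unnoticed."""
    first = min(ev["ts"] for ev in user_events).date()
    last = max(ev["ts"] for ev in user_events).date()
    return {
        "count": len(user_events),
        "distinct_patients": len({ev["patient"] for ev in user_events}),
        "first": first.isoformat(),
        "last": last.isoformat(),
        "span_days": (last - first).days,
        "undetected_days": (review_date - first).days,
    }


def review(log_text, treatment, review_date, min_distinct=1):
    """Run the review as of review_date (ISO string).

    Returns {user: summary} for users whose unrelated accesses touch at least
    min_distinct distinct patients. A threshold above 1 tolerates isolated
    data-entry errors while still surfacing systematic snooping.
    """
    as_of = date.fromisoformat(review_date)
    findings = {}
    for user, evs in unrelated_accesses(parse_log(log_text), treatment).items():
        summary = summarize(evs, as_of)
        if summary["distinct_patients"] >= min_distinct:
            findings[user] = summary
    return findings


if __name__ == "__main__":
    for user, summary in review(ACCESS_LOG, TREATMENT, "2017-01-16").items():
        print(user, summary)
```

Run against the constructed data, the review flags jdoe with four accesses to four patients outside any treatment relationship, the first on 2014-10-08; a review dated 2017-01-16 would show the activity had gone undetected for 831 days. The point of the `undetected_days` figure is the one made in the passage above: the shorter the review interval, the smaller that number can ever get.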

That was not the only long delay in detecting a breach. A second incident was also reported in February that took more than five years to detect (1,952 days). In that case the incident involved a system glitch that left ePHI exposed.

Overall, the breaches and security incidents reported in February took far longer to identify than those reported in January. It took an average of 478 days from the date the incident occurred to the date OCR was notified of the breach; that said, the average time was increased considerably by the two 5-year+ delays in detection. In January, the average time from the initial event to reporting was 174 days.

Breaches of electronic protected health information made up the bulk of incidents, although a third of incidents involved paper records, highlighting the importance of implementing physical controls to keep physical PHI secured.

While California usually tops the list for the number of incidents reported each month, this month Texas earned the title of the worst hit state with 4 reported breaches. California, Arizona, and New York shared second place with three incidents apiece.

Healthcare providers were the worst affected in February, accounting for 77% of the month’s incidents. Health plans reported 13% of breaches and business associates and vendors accounted for 3%. The remaining 3% were reported by other organizations.

Back Up Drive Stolen: PHI of 1,291 Patients Exposed

The failure to encrypt backup data on a portable electronic device has resulted in the protected health information of 1,291 individuals being exposed.

The device was stolen from Local 693 Plumbers, Pipefitters & HVACR Technicians, a member of the United Association of Journeyman and Apprentices of the Plumbing and Pipefitting Industry of the United States and Canada. The backup device was discovered to be missing on January 23, 2017 following a break-in at Local 693 offices the day before.

An investigation revealed the device contained names, telephone numbers, addresses and Social Security numbers of current and former Plumbers & Pipefitters Local 693 Benefit Funds recipients and members of the Plumbers & Pipefitters Local 693 union.

The theft has been reported to law enforcement, the Vermont attorney general and the Department of Health and Human Services Office for Civil Rights. While the data on the device could potentially be accessed by unauthorized individuals, an independent information technology consultant who was retained to conduct an investigation believes the probability of data on the device being accessed and used inappropriately is “very low”.

To date, Local 693 has not received any reports to suggest data have been misused, although affected individuals have been advised to remain vigilant for abuse of their protected health information and identity theft.

This is the second incident to be reported to OCR in the past few days that has involved the theft of a device used to store backup data. Last week, Denton Heart Group discovered a backup device had been stolen from a locked facility. That incident resulted in 7 years of backup data being stolen.

These incidents show that even when physical devices are stored in secure locations, there is still potential for the devices to be stolen. However, had the stored data been encrypted, the theft would not have exposed any PHI: under HHS guidance, PHI encrypted in line with NIST recommendations is not considered unsecured, so the loss of such a device would not have been a reportable breach.

In response to this incident, Local 693 has decided to switch to a more secure form of storage for backup data. Backups will now be stored in the cloud and all backup data will be encrypted.
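An added example of the control discussed above, in Python; it is not code from Local 693 or any vendor named on this page. It encrypts a backup payload with AES-256-GCM before it is written to portable media, so that a stolen device holds only a nonce, ciphertext and authentication tag, and keeps the key elsewhere. It uses the third-party `cryptography` package (installed with `pip install cryptography`); the label in `AAD` and the sample record are assumptions.

```python
"""Encrypt backup data before it is written to a portable device (added example).

Requires the third-party `cryptography` package. The AES-256-GCM key never goes
onto the device; the device holds only nonce || ciphertext || tag, which is
useless without the key, and the tag lets a restore detect tampering.
"""
import os
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

NONCE_LEN = 12                      # 96-bit nonce, the recommended size for GCM
AAD = b"benefit-fund-backup-v1"     # assumed label; authenticated, not secret


def new_backup_key():
    """Generate a 256-bit key. Store it separately from the backup media."""
    return AESGCM.generate_key(bit_length=256)


def encrypt_backup(key, plaintext):
    """Return nonce || ciphertext+tag, using a fresh random nonce per backup."""
    nonce = os.urandom(NONCE_LEN)
    return nonce + AESGCM(key).encrypt(nonce, plaintext, AAD)


def decrypt_backup(key, blob):
    """Recover the plaintext; raises InvalidTag on a wrong key or any tampering."""
    return AESGCM(key).decrypt(blob[:NONCE_LEN], blob[NONCE_LEN:], AAD)


def can_decrypt(key, blob):
    """True only if `key` both authenticates and decrypts `blob`."""
    try:
        decrypt_backup(key, blob)
        return True
    except InvalidTag:
        return False


# Constructed backup record; not real member data.
SAMPLE_BACKUP = b"member,ssn,phone\nJane Roe,123-45-6789,802-555-0100\n"

if __name__ == "__main__":
    key = new_backup_key()
    on_device = encrypt_backup(key, SAMPLE_BACKUP)
    print(len(on_device), "bytes written; SSN visible on device:",
          b"123-45-6789" in on_device)
```

The design choice that matters for the safe harbor is key separation: a key stored on the same drive, or derived from something printed on it, turns the encryption into a formality. Keep the key in the organization's key store (or a cloud KMS, given the move described above) and test a restore from a second machine to prove the backup is usable without the original host.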

Almost 18,000 Metropolitan Urology Patients Impacted by Ransomware Attack

Wauwatosa, WI-based Metropolitan Urology Group has recently discovered that a ransomware attack affecting two computer servers may have given the attackers access to the protected health information of 17,634 patients.

The ransomware attack occurred on November 28, 2016, although it was initially unclear whether access to patients’ PHI had been gained by the attackers.

Metropolitan Urology Group contracted an international information technology company to perform a thorough analysis of the affected servers and its systems to determine the nature and extent of the attack.

On January 10, 2017, Metropolitan Urology Group was informed that patient data may have been accessed as a result of the infection. The firm was able to successfully remove the ransomware infection and restore the medical group’s systems.

Current patients are unaffected by the security breach. The data stored on the servers related to patients who had received medical services at the medical group’s facilities between 2003 and 2010.

The types of data that were potentially accessed include patients’ full names, procedural codes, dates of service, patient control numbers, patient account numbers and provider identification numbers. Only five of the 17,634 patients had their Social Security number stored on the servers.

When the ransomware was detected, the servers were promptly isolated and external access was blocked. The medical group said it has now implemented ‘the best firewall and secure email system’, that its information technology vendor – Digicorp – and its employees have all undergone further training on information security, and that a risk analysis is being performed to identify any further vulnerabilities in its IT systems to prevent future attacks. If any vulnerabilities are detected, rapid action will be taken to mitigate risk. Policies and procedures will also be updated to reflect the technological changes implemented in response to the attack.

All patients impacted by the incident have now been notified of the potential privacy breach by mail and have been offered 12 months of credit monitoring services without charge as a precaution against fraud and identity theft.

Snooping St. Charles Health System Employee Accessed Almost 2,500 Patient Records

The four-hospital St. Charles Health System in central Oregon has discovered an employee accessed the medical records of almost 2,500 patients without authorization over a period of 27 months from October 2014 to January 2017.

On January 16, 2017, the unnamed caregiver was discovered to have improperly accessed the medical records of a single patient, prompting a review of her ePHI access logs. That investigation revealed that this was far from a one-off incident. The improper access dated back to October 8, 2014. During that time, the caregiver was found to have accessed 2,459 patient files with no legitimate work reason for doing so.

When confronted about the improper access the female employee said she had accessed the records out of curiosity with no malicious intent. The health system said it took ‘swift and appropriate action’ and the employee was disciplined, although it is unclear what the disciplinary action involved and whether the employee was terminated as a result of her actions.

The health system does not consider the employee’s actions to have been criminal in nature, and a signed affidavit was obtained in which the employee stated she had not used or shared any information with others for the purpose of committing fraud, financial crimes or any other crimes against the patients concerned.

The incident has now been reported to the Department of Health and Human Services’ Office for Civil Rights and state regulators. Affected patients are being notified of the privacy breach by mail. All individuals affected by the breach have been offered credit monitoring and identity theft restoration services for 12 months as a precaution.

The information accessed by the employee included names, addresses, dates of birth, driver’s license numbers, health insurance information, diagnoses, medications prescribed, treatment information, and physician’s names.

A statement about the incident was issued by Nicole Hough, vice president of compliance at St. Charles Health System, saying “We want our patients and their families and the community to really understand how sorry we are for this situation and understand we took swift action and we are taking action to ensure this doesn’t happen again.”