HIPAA Breach News

Bitglass Publishes 2017 Healthcare Data Security Report

Bitglass has recently published its 2017 Healthcare Data Breach Report, the third annual report on healthcare data security issued by the data protection firm.

For the report, Bitglass analyzed healthcare data breach reports submitted to the Department of Health and Human Services’ Office for Civil Rights.

The report confirms 2016 was a particularly bad year for healthcare industry data breaches. Last year saw record numbers of healthcare data breaches reported, although the number of healthcare records exposed in 2016 was lower than in 2015. In 2016, 328 healthcare data breaches were reported, up from 268 incidents in 2015. Last year’s healthcare data breaches impacted around 16.6 million Americans.

The good news is that while incidents are up, breaches are exposing fewer healthcare records. If the colossal data breach at Anthem Inc., which exposed 78.8 million healthcare records, is considered an anomaly and is excluded from last year’s figures, the number of individuals impacted by healthcare data breaches has fallen for two years in a row. That trend looks set to continue in 2017, although the number of data breaches already reported by healthcare organizations remains high.

The 2017 Healthcare Data Security Report confirms that the biggest problem area is unauthorized disclosures, which accounted for 40% of breaches last year. Those figures include deliberate acts by healthcare employees and unintentional errors that left data exposed.

The report’s authors explain the rise in unauthorized disclosures saying, “Unauthorized disclosures continue to tick up and are now the leading cause of breaches as data moves to cloud and mobile and as external sharing becomes easier.”

Those incidents have exposed the records of many Americans, but hacking is the biggest cause of exposed and stolen records. More records were stolen as a result of hacking than all of the other breach causes combined.

80% of all exposed/stolen healthcare records in 2016 were the result of hacks and the five largest healthcare data breaches of 2016 were all due to hacking and IT incidents. The same is true of 2017 so far. With the exception of the largest reported breach this year, all other breaches in the top five were the result of hacking.

Largest Healthcare Data Breaches of 2016

Rank | Organization | Entity Type | Individuals Affected | Cause of Breach
1 | Banner Health | Healthcare Provider | 3,620,000 | Hacking/IT Incident
2 | Newkirk Products | Business Associate | 3,466,120 | Hacking/IT Incident
3 | 21st Century Oncology | Healthcare Provider | 2,213,597 | Hacking/IT Incident
4 | Valley Anesthesiology Consultants | Healthcare Provider | 882,590 | Hacking/IT Incident
5 | County of Los Angeles Departments of Health and Mental Health | Healthcare Provider | 749,017 | Hacking/IT Incident
6 | Bon Secours Health System Incorporated | Healthcare Provider | 651,971 | Hacking/IT Incident
7 | Peachtree Orthopaedic Clinic | Healthcare Provider | 531,000 | Unauthorized Access/Disclosure
8 | Radiology Regional Center, PA | Healthcare Provider | 483,063 | Hacking/IT Incident
9 | California Correctional Health Care Services | Healthcare Provider | 400,000 | Loss
10 | Community Health Plan of Washington | Health Plan | 381,504 | Theft

Largest Healthcare Data Breaches of 2017 (January-April)

Rank | Organization | Entity Type | Individuals Affected | Cause of Breach
1 | Commonwealth Health Corporation | Healthcare Provider | 697,800 | Theft
2 | Urology Austin, PLLC | Healthcare Provider | 279,663 | Hacking/IT Incident
3 | VisionQuest Eyecare | Healthcare Provider | 85,995 | Hacking/IT Incident
4 | Washington University School of Medicine | Healthcare Provider | 80,270 | Hacking/IT Incident
5 | Emory Healthcare | Healthcare Provider | 79,930 | Hacking/IT Incident
6 | Stephenville Medical & Surgical Clinic | Healthcare Provider | 75,000 | Unauthorized Access/Disclosure
7 | Primary Care Specialists, Inc. | Healthcare Provider | 65,000 | Hacking/IT Incident
8 | ABCD Pediatrics, P.A. | Healthcare Provider | 55,447 | Hacking/IT Incident
9 | WellCare Health Plans, Inc. | Health Plan | 24,809 | Hacking/IT Incident
10 | Denton Heart Group | Healthcare Provider | 21,665 | Theft

Healthcare Security Spending is Increasing

Fortunately, healthcare organizations have realized they need to increase spending on data and network security defenses. Security budgets are growing rapidly and, while not quite at the level of the retail sector, they are fast catching up.

While healthcare organizations are committed to protecting the privacy of patients, one of the main drivers behind the increase in security investment is the cost of breach resolution. The cost of data breaches makes investment in cybersecurity defenses a priority.

The authors of the 2017 Healthcare Data Breach Report point out that healthcare data breaches cost more to resolve than breaches experienced by other industries. Figures from the Ponemon Institute show that a healthcare data breach costs organizations an average of $402 per compromised record. For other industries, the average is $221 per compromised record. With such high costs, lax data security simply isn’t an option.

Bitglass CEO Nat Kausik said, “While threats to sensitive healthcare data will persist, increased investments in data-centric security and stronger compliance and disclosure mandates are driving down the impact of each breach event.”

The post Bitglass Publishes 2017 Healthcare Data Security Report appeared first on HIPAA Journal.

Survey Explores Trust in Healthcare Organizations’ Ability to Keep Data Secure

A recent survey by Accenture has explored consumers’ attitudes about healthcare data security and the impact of healthcare data breaches on consumers.

The survey revealed the extent to which individuals had suffered losses as a result of a data breach, how consumers felt their organization handled data breaches and the effect those breaches had on trust.

Trust in Healthcare Providers and Insurers is High

In the United States, trust in healthcare providers’ and health insurers’ ability to keep sensitive data secure is high. 88% of respondents said they trusted their physician or other healthcare providers ‘somewhat’ (53%) or ‘a great deal’ (36%). Trust in hospitals was slightly lower at 84% (54% somewhat / 30% a great deal). Health insurers and laboratories that process medical tests fared slightly worse, both somewhat trusted by 54% of respondents and trusted a great deal by 28% of respondents.

Distrust (not trusted at all or not trusted very much) was highest for urgent care clinics (25%), non-medical staff at physicians’ and healthcare providers’ offices (36%) and tech companies that provide wearables and health apps (43%). As a comparison, 56% said they somewhat trusted or trusted a great deal the government’s handling of health data security; 32% didn’t trust the government very much and 13% didn’t trust the government at all.

80% of consumers were very confident or somewhat confident in their healthcare providers’ data security measures, with confidence in health insurers’ data security measures a fraction lower at 79%. The measures put in place by health app and device companies received one of the two highest ratings from only 63% of consumers.

Trust may be fairly high, but a quarter of U.S. consumers have experienced a breach of their healthcare data and half of those individuals have been a victim of medical identity theft as a direct result. Consumers have been forced to cover costs as a result of the exposure of their data, with 88% of individuals spending an average of $2,528.

More than a third of those individuals said the breach had occurred at their hospital. 22% said their pharmacy or urgent care clinic had been breached, and health insurers’ and physicians’ offices were the next worst affected, each named as the source of the breach by 21% of consumers.

Even with HIPAA Rules requiring breach notifications to be sent to patients, half of those impacted by a health data breach said they found out about it on their own. Only 36% of respondents said their company told them about the breach, although 91% said action was taken by that company in response to the breach.

The breach response was rated as being handled very well by 25% of respondents and somewhat well by 51% of respondents. 18% said the breach response was not handled very well and 6% said it was not handled well at all.

Trust in Healthcare Organizations May Improve After a Data Breach

While healthcare data breaches have the potential to destroy patients’ and health plan members’ trust in their providers, the survey showed that is not always the case. In fact, in 41% of cases, consumers’ trust in their healthcare organizations increased after a data breach.

12% of respondents said they ended up trusting their providers much more, 29% said they trusted their providers a little more and 24% said the breach response made no difference to trust levels.

The results show just how important it is for the breach response to be handled well. 34% of respondents said they lost trust in their healthcare organization after a breach was experienced.

Getting the breach response right is essential if healthcare organizations want to ensure trust is not negatively affected. For that to happen, organizations must be prepared for the worst and have policies and procedures that can be rapidly implemented when a breach is discovered.

Fast notifications are important for consumers as they need to take action to secure their accounts and protect their identities. 91% of respondents said they personally took action when they discovered their health data had been stolen. The faster that process can take place, the less likely consumers are to experience losses.

Getting breach notifications right is also important. If trust is to be built, consumers need to be reassured that privacy and security is taken seriously. Consumers should also be informed about the actions that are being taken in response to the breach to ensure a similar incident will not occur in the future. However, this is an area that could be improved.

Only 27% of companies explained the cause of the breach, and just 26% said the breach had prompted them to add new security protocols. Only 22% explained how future breaches would be prevented.

Fewer than a quarter of companies (24%) explained the potential consequences of the breach to consumers and only 23% offered identity theft protection services.

The post Survey Explores Trust in Healthcare Organizations’ Ability to Keep Data Secure appeared first on HIPAA Journal.

Two Harrisburg Practices Report Potential ePHI Breach

Two Harrisburg practices have discovered their systems have been accessed by an unauthorized individual who may have gained access to the electronic protected health information of their patients.

Harrisburg Endoscopy and Surgery Center and Harrisburg Gastroenterology in Dauphin County, PA were alerted to a potential intrusion when suspicious system activity was detected on March 17, 2017.

While the investigation revealed the system had been accessed, no evidence was uncovered to suggest any ePHI was accessed or stolen by the attacker; however, the possibility of data access could not be ruled out.

Out of an abundance of caution, patients were sent breach notification letters on April 28 providing them with information about the breach to allow them to take precautions to protect their identities. It would appear that credit monitoring and identity theft protection services are not being offered to affected patients.

The types of information stored on the compromised system included names, demographic information, health insurance details, Social Security numbers, clinical data and diagnostic information.

The incident has prompted both practices to enhance their security protections to prevent future breaches of this nature from occurring.

The incident has yet to appear on the Department of Health and Human Services’ Office for Civil Rights breach portal. It is currently unclear exactly how many patients have been impacted.

Over the past few weeks there has been a spate of hacking incidents reported to OCR by healthcare organizations. In January/February, there were 51 healthcare data breaches reported to OCR, 27% of which were the result of hacking.

In March/April, a further 51 healthcare data breaches were reported, 19 of which (37%) were due to hacking, a rise of 37% over the previous two months. Hacking incidents have increased, although they are not the leading cause of data breaches. In March/April, 22 breaches involved unauthorized disclosures, 43% of all incidents reported to OCR. That represents a 10% increase in unauthorized disclosures from the first two months of the year.

The post Two Harrisburg Practices Report Potential ePHI Breach appeared first on HIPAA Journal.

Greenway Health Ransomware Attack Stops 400 Clients from Accessing EHRs

Tampa, Florida-based practice management software and EHR vendor, Greenway Health, has experienced a ransomware attack that has affected around 5% of its client base – approximately 400 healthcare organizations.

It is unclear whether the ransomware infection resulted in EHR data being encrypted, although clients were temporarily prevented from accessing the cloud-based Intergy EHR/medical management platform. Those clients were forced to resort to using pen and paper while Greenway Health worked to restore its system.

Fortunately, all client data were backed up and could be recovered, although that process took time. On April 22, 2017, third-party rapid response security firms were brought in to remove the infection and restore data. A spokesperson for Greenway Health said the teams were “working around the clock to restore access to affected Intergy hosted customers.” As of yesterday, around half of affected clients had access to the Intergy system restored.

While the cloud-based platform was taken out of action, Greenway Health has not uncovered any evidence to suggest that patient data were accessed or exfiltrated. The ransomware infection was rapidly contained and there are no signs that the infection has spread to other systems, although Greenway Health is continuing to monitor the situation. Greenway Health said there was little or no data loss.

Since the investigation into the attack is ongoing, few details on the specifics have been released. Greenway Health has not announced which ransomware variant was involved, how the ransomware was installed on its system, and whether all data were recovered from backups or if the ransom demand was paid.

Greenway Health’s CEO, Scott Zimmerman, said “Though we build extensive safeguards into our products and services, no Internet-based system is completely immune from attack.” Zimmerman also explained that the company is “continuously focused on evaluating additional measures that we may take to further enhance our defenses against cybercrime.”

EHR vendors typically have highly advanced cybersecurity protections in place, but this incident shows that no company is immune to attack. The ransomware attack should serve as a warning for all healthcare providers that use cloud-based EHR systems. ePHI access may be lost, so it is essential that contingency plans are developed to ensure that a cyberattack on their EHR vendor does not severely disrupt healthcare operations.

The post Greenway Health Ransomware Attack Stops 400 Clients from Accessing EHRs appeared first on HIPAA Journal.

Hill Country Memorial Hospital Discovers Email Account Compromise

An unauthorized individual has gained access to the email account of a Hill Country Memorial Hospital employee and used it to send a number of fraudulent invoices. The intruder may also have accessed the protected health information of certain patients.

The Fredericksburg, TX hospital discovered the email account of an emergency room employee had been accessed on February 21, 2017. The attack is believed to have been conducted solely for the purpose of sending fraudulent invoices to the hospital’s accounts payable department. However, the email account contained a range of ePHI which could potentially have been accessed and stolen by the attacker.

The investigation into the security breach did not reveal whether any emails had been accessed, and if the ePHI of patients had been viewed or copied, but the possibility could not be ruled out. The email account contained patients’ names, addresses, ID numbers, dates of birth, prescription and treatment information, medical diagnoses, procedure information and Social Security Numbers.

It is unclear at this stage how the criminal gained access to the email account, although steps have now been taken to secure the account to ensure further unauthorized access is not possible. A password reset has also been performed on all email accounts and logins have been changed as a precaution against further attacks. The hospital is also evaluating further measures that can be implemented to strengthen security. The hospital has notified law enforcement about the breach and the investigation into the incident is continuing. It is unclear whether any of the fraudulent invoices sent from the breached account resulted in payments being made.

Jayne Pope, Chief Executive Officer of Hill Country Memorial Hospital, has apologized to patients for the inconvenience caused and has confirmed that the hospital takes patient privacy very seriously. Out of an abundance of caution, all patients impacted by the incident have been offered credit monitoring and identity theft protection services for 12 months without charge.

The post Hill Country Memorial Hospital Discovers Email Account Compromise appeared first on HIPAA Journal.

PHI Potentially Compromised in Atlantic Digestive Specialists Ransomware Attack

Somersworth, New Hampshire-based Atlantic Digestive Specialists is one of the latest healthcare organizations to report a ransomware attack that has potentially resulted in the protected health information of patients being accessed.

The ransomware attack was discovered on February 20, 2017 although a subsequent investigation revealed that the ransomware was installed on February 18. The infection took two days to resolve, during which time access to certain computer systems was limited. All traces of the ransomware were removed from its systems by February 22, 2017.

Atlantic Digestive Specialists hired a third-party cybersecurity firm to conduct a thorough investigation of the attack to determine how the infection occurred, the extent of the attack, and which files were potentially accessed by the attackers.

The investigation revealed files containing patients’ names, addresses, telephone numbers, medical record numbers, clinical and diagnostic information, health insurance details, and in some cases, Social Security numbers were encrypted.

The investigation uncovered no evidence to suggest any sensitive data were accessed or stolen by the attackers, and no reports have been received to suggest any patients’ protected health information has been misused. Since the possibility of data theft could not be ruled out with a high degree of certainty, all affected patients have been advised to be vigilant for signs of fraudulent activity. Out of an abundance of caution, patients have been offered credit monitoring services to protect them against identity theft and fraud.

Over the past few weeks, several small healthcare practices have been attacked with ransomware. While in most cases data have been recovered from backups and no ransom has been paid, the attacks have resulted in considerable disruption and sizable breach resolution costs.

Regular backups of data should be performed to ensure no ransom needs to be paid in the event of an attack and small healthcare organizations should consider augmenting their defenses against ransomware.

Since the majority of ransomware attacks occur via email, staff should be advised to exercise caution: do not open email attachments from unknown senders, never enable macros on emailed Office documents, and be wary of hyperlinks sent via email.
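The user guidance above (no unknown attachments, no macros) has a technical counterpart at the mail gateway: attachments can be triaged before delivery by looking at both the file name and the file contents, because a macro-enabled document is still a macro-enabled document after it has been renamed to .docx. The script below is an added illustration of that triage logic; it is not code from HIPAA Journal, Atlantic Digestive Specialists or any mail product. The extension lists are the author's assumptions about a reasonable default policy, and the sample attachments are constructed in the script (the "OOXML" packages are minimal zip files built inline, not real Office documents).

```python
import io
import zipfile
from dataclasses import dataclass

# Assumed policy lists (not from the article): extensions Office reserves for
# macro-enabled documents, legacy binary formats that can carry macros without
# a telltale extension, and directly executable / script attachments.
MACRO_ENABLED_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".xlam", ".pptm", ".potm", ".ppam"}
LEGACY_OFFICE_EXTENSIONS = {".doc", ".dot", ".xls", ".xlt", ".ppt", ".pot"}
EXECUTABLE_EXTENSIONS = {".exe", ".js", ".jse", ".vbs", ".wsf", ".hta", ".scr", ".bat", ".cmd", ".ps1"}

ZIP_MAGIC = b"PK\x03\x04"                              # OOXML (.docx/.xlsx/...) is a zip package
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"        # legacy binary Office (OLE2) container


@dataclass
class Verdict:
    filename: str
    action: str   # "deliver" or "quarantine"
    reason: str


def _extension(filename):
    name = filename.lower()
    dot = name.rfind(".")
    return name[dot:] if dot != -1 else ""


def _ooxml_has_vba(data):
    """Return True if an Office Open XML package contains a VBA project part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.lower().endswith("vbaproject.bin") for name in zf.namelist())
    except zipfile.BadZipFile:
        return False


def classify_attachment(filename, data):
    """Decide whether an attachment may be delivered, from its name and its bytes."""
    ext = _extension(filename)
    if ext in EXECUTABLE_EXTENSIONS:
        return Verdict(filename, "quarantine", "executable or script attachment")
    if ext in MACRO_ENABLED_EXTENSIONS:
        return Verdict(filename, "quarantine", "macro-enabled Office extension")
    if data[:4] == ZIP_MAGIC and _ooxml_has_vba(data):
        # Catches a .docm that was renamed to .docx: the extension lies, the package does not.
        return Verdict(filename, "quarantine", "VBA project found inside OOXML package")
    if ext in LEGACY_OFFICE_EXTENSIONS or data[:8] == OLE_MAGIC:
        # Legacy binary formats need a dedicated macro parser; hold them for review.
        return Verdict(filename, "quarantine", "legacy binary Office format; review before release")
    return Verdict(filename, "deliver", "no macro or executable indicators")


def _build_ooxml(with_vba):
    """Constructed fixture: a minimal zip laid out like an OOXML package (not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        if with_vba:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


def triage_samples():
    """Run the policy over constructed sample attachments; returns {filename: action}."""
    samples = {
        "invoice.docx": _build_ooxml(with_vba=False),
        "invoice_renamed.docx": _build_ooxml(with_vba=True),   # macro doc renamed to .docx
        "statement.xlsm": ZIP_MAGIC,
        "payment.js": b"var x = 1;",
        "report.pdf": b"%PDF-1.4",
    }
    return {name: classify_attachment(name, data).action for name, data in samples.items()}


if __name__ == "__main__":
    for name, action in triage_samples().items():
        print(f"{name:24} {action}")
```

The content check is the part worth keeping: an extension allow-list alone delivers the renamed document in the sample set, while inspecting the package for a VBA project does not. Legacy .doc/.xls files are quarantined for review rather than parsed here because detecting macros in the OLE2 format needs a proper stream parser.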

Information on how HIPAA Rules apply to ransomware attacks is available from the Department of Health and Human Services on this link.

The post PHI Potentially Compromised in Atlantic Digestive Specialists Ransomware Attack appeared first on HIPAA Journal.

Unencrypted Portable Devices are a HIPAA Breach Waiting to Happen

This week, OCR announced a new settlement with a covered entity to resolve HIPAA violations discovered during the investigation of an impermissible disclosure of ePHI. The incident that sparked the investigation was the theft of an unencrypted laptop computer from the vehicle of a CardioNet employee.

This week has also seen two data breaches reported that similarly involved the theft of portable devices. Earlier this week, Lifespan announced that a MacBook had been left in an employee’s vehicle, from where it was stolen. The device was neither encrypted nor password protected. ePHI was accessible via the employee’s email account. More than 20,000 patients’ ePHI was potentially compromised.

The second incident involved a flash drive rather than a laptop. Western Health Screening (WHS), a Billings, MT-based provider of on-site blood screening services, announced that patients’ names, phone numbers, addresses and some Social Security numbers have been exposed. The data on the drive related to individuals who had undergone blood screening tests between 2008 and 2012.

A WHS employee was en route to a health fair in a WHS-owned vehicle on February 7, 2017 when the vehicle was stolen. The flash drive had been left in the van. In this case, the flash drive was password protected, although WHS determined on February 15, 2017 that encryption had not been used on the device. The theft was reported to law enforcement, but the vehicle and flash drive have not been recovered.

WHS has not received any reports suggesting data on the device have been accessed or used inappropriately, although an impermissible disclosure could not be ruled out. In response to the incident, WHS has taken steps to enhance its procedures relating to the storage of sensitive data on mobile devices and employees have been retrained on safeguarding sensitive information. Individuals affected by the breach have also been offered credit monitoring and identity theft protection services out of an abundance of caution.

The CardioNet, Lifespan, and WHS breaches could all have been prevented if encryption had been used. If an encrypted device is lost or stolen, the incident does not need to be reported to OCR, patients do not need to be notified, and most importantly, patients’ ePHI will not be exposed if devices are lost or stolen.

While HIPAA Rules do not require encryption to be used to protect ePHI on portable storage devices, if the decision is taken not to use encryption, an equivalent safeguard must be used.

While a strong password may stop an opportunistic thief from reading the data, it would not be sufficient to prevent a determined individual from gaining access to a device, because a login password gates the operating system rather than protecting the stored data itself. A strong password is therefore not a safeguard equivalent to encryption. OCR would determine the use of a password, rather than encryption, to be a violation of the HIPAA Security Rule.

The simple solution to ensure that ePHI is safeguarded is to use encryption (following NIST recommendations) on all portable devices used to store ePHI. While encryption carries a cost, it is likely to be much cheaper than an OCR fine. The decision not to encrypt data on portable storage devices ended up costing CardioNet $2.5 million.
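Knowing that encryption is the expected safeguard is one thing; knowing which devices actually have it on is the check that would have caught the CardioNet, Lifespan and WHS laptops and drives before they were lost. The script below is an added illustration, not code from HIPAA Journal, OCR or any of the organizations named: it parses the status output of the built-in full-disk encryption tools (`fdesetup status` on macOS, `manage-bde -status` on Windows, `lsblk` on Linux) and flags devices that are not compliant. The tool output samples are constructed for the example, and the idea that such output would be collected from a fleet by a management agent is an assumption.

```python
import re

# --- Parsers for the built-in encryption status tools -------------------------

def parse_fdesetup(output):
    """macOS `fdesetup status`: True only when FileVault reports On."""
    return re.search(r"^FileVault is On\.", output, re.MULTILINE) is not None


def parse_manage_bde(output):
    """Windows `manage-bde -status <drive>`.

    'Fully Encrypted' alone is not enough: with 'Protection Status: Protection Off'
    the volume is in a clear-key (suspended) state and a thief can read it.
    """
    fully = re.search(r"Conversion Status:\s*Fully Encrypted", output)
    protected = re.search(r"Protection Status:\s*Protection On", output)
    return bool(fully and protected)


def parse_lsblk(output, data_partition):
    """Linux `lsblk -r -o NAME,TYPE,FSTYPE`: True if the data partition is a LUKS container."""
    for line in output.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[0] == data_partition:
            return fields[2] == "crypto_LUKS"
    return False


# --- Fleet audit --------------------------------------------------------------

def audit_inventory(inventory):
    """inventory: list of dicts with host, platform, tool output and (Linux) data partition.

    Returns the non-compliant hosts as (host, reason) tuples.
    """
    findings = []
    for item in inventory:
        platform = item["platform"]
        if platform == "macos":
            ok, reason = parse_fdesetup(item["output"]), "FileVault is off"
        elif platform == "windows":
            ok, reason = parse_manage_bde(item["output"]), "BitLocker not fully encrypted or protection suspended"
        elif platform == "linux":
            ok, reason = parse_lsblk(item["output"], item["partition"]), "data partition is not a LUKS container"
        else:
            ok, reason = False, f"unknown platform {platform!r}; cannot verify encryption"
        if not ok:
            findings.append((item["host"], reason))
    return findings


# --- Constructed sample output (labelled as such; not captured from real hosts) ---

MAC_ON = "FileVault is On.\n"
MAC_OFF = "FileVault is Off.\n"
BDE_SUSPENDED = (
    "Volume C: [Windows]\n"
    "[OS Volume]\n"
    "    Conversion Status:    Fully Encrypted\n"
    "    Percentage Encrypted: 100.0%\n"
    "    Protection Status:    Protection Off\n"
)
BDE_OK = BDE_SUSPENDED.replace("Protection Off", "Protection On")
LSBLK_LUKS = "sda disk \nsda1 part vfat\nsda2 part crypto_LUKS\ncryptroot crypt ext4\n"
LSBLK_PLAIN = "sda disk \nsda1 part vfat\nsda2 part ext4\n"

SAMPLE_INVENTORY = [
    {"host": "mac-er-01", "platform": "macos", "output": MAC_ON},
    {"host": "mac-er-02", "platform": "macos", "output": MAC_OFF},
    {"host": "win-billing-07", "platform": "windows", "output": BDE_OK},
    {"host": "win-billing-08", "platform": "windows", "output": BDE_SUSPENDED},
    {"host": "lnx-lab-03", "platform": "linux", "output": LSBLK_LUKS, "partition": "sda2"},
    {"host": "lnx-lab-04", "platform": "linux", "output": LSBLK_PLAIN, "partition": "sda2"},
]


def run_sample_audit():
    return audit_inventory(SAMPLE_INVENTORY)


if __name__ == "__main__":
    for host, reason in run_sample_audit():
        print(f"NON-COMPLIANT {host}: {reason}")
```

The BitLocker case is the one that most often slips through a naive check: a volume can be 100% encrypted and still readable because protection was suspended (for example around a firmware update) and never resumed, so the audit insists on both conditions. A password prompt at login, as the article notes, is never counted as compliance by any of these parsers.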

The post Unencrypted Portable Devices are a HIPAA Breach Waiting to Happen appeared first on HIPAA Journal.

Lifespan Laptop Theft Exposes ePHI of 20,000 Patients

Lifespan has announced a laptop computer has been stolen from the vehicle of one of its employees. A thief stole a number of items from the employee’s car on February 25, 2017, including a MacBook laptop that contained the electronic protected health information of certain Lifespan patients.

An investigation into the incident revealed the laptop was not encrypted, and neither was a password required to gain access to the device. Consequently, ePHI contained in the employee’s email account could potentially have been accessed and viewed.

An analysis of the email account confirmed that no financial information, Social Security numbers, medical records, nor medical diagnoses were exposed, although emails did contain patients’ names, partial addresses, medical record numbers, demographic information and details of prescriptions.

Lifespan took prompt action to secure the email account by changing the employee’s login credentials. While the data stored on the device could have been accessed, the investigation into the incident has not uncovered any evidence to suggest that any information on the device was accessed and no reports have been received to suggest any patient data have been misused.

The incident has prompted Lifespan to conduct a review of the security protections used to safeguard ePHI stored on MacBooks and policies and procedures will be enhanced to prevent future incidents of this nature from resulting in the exposure of patients’ ePHI. Lifespan will also be re-educating its employees on device security.

All patients impacted by the incident were notified of the privacy incident by mail on April 21, 2017. The incident has now been reported to the Department of Health and Human Services’ Office for Civil Rights. The breach report indicates 20,431 patients were impacted.

The incident underscores the importance of implementing safeguards to ensure that ePHI stored on, or accessible from, portable devices is protected with appropriate security solutions.

The failure to implement appropriate safeguards can prove costly for healthcare organizations. This week, OCR announced it has agreed to settle potential HIPAA violations with CardioNet, which experienced a similar incident in 2011. In that case, an unencrypted laptop computer was stolen from the vehicle of an employee resulting in the exposure of 1,391 individuals’ ePHI. CardioNet must pay OCR $2.5 million and adopt a corrective action plan to address HIPAA failures that contributed to the breach.

The post Lifespan Laptop Theft Exposes ePHI of 20,000 Patients appeared first on HIPAA Journal.

Wireless Health Services Provider Settles HIPAA Violations with OCR for $2.5 Million

2016 was a record year for HIPAA settlements, but 2017 is looking like it will see last year’s record smashed. There have already been six HIPAA settlements announced so far this year, and hot on the heels of the $31,000 settlement announced last week comes another major HIPAA fine.

A $2.5 million settlement has been agreed with CardioNet to resolve HIPAA violations. CardioNet is a Pennsylvania-based provider of remote mobile monitoring and rapid response services to patients at risk for cardiac arrhythmias.

Settlements have previously been agreed with healthcare providers, health plans, and business associates of covered entities, but this is the first time OCR has settled potential HIPAA violations with a wireless health services provider.

While OCR has not previously fined a wireless health services provider for violating HIPAA Rules, the same cannot be said of the violations discovered. Numerous settlements have previously been agreed with covered entities after OCR discovered risk analysis and risk management failures.

In this case, the settlement relates to a data breach reported to OCR in January 2012. In 2011, an employee of CardioNet left a laptop computer in a vehicle that was left outside that individual’s home. The laptop computer was stolen, resulting in the impermissible disclosure of 1,391 patients’ electronic protected health information (ePHI).

As is customary following all breaches involving the theft or exposure of more than 500 individuals’ PHI, OCR conducted an investigation to determine whether the breach was a direct result of violations of HIPAA Rules.

In this case, a risk analysis had been performed, but OCR investigators determined that the risk analysis was not comprehensive, a violation of 45 C.F.R. § 164.308(a)(1). Also, at the time of the breach, there were inadequacies in CardioNet’s risk management process.

By 2011, all HIPAA-covered entities were required to comply with the HIPAA Security Rule, yet CardioNet’s HIPAA policies and procedures were still only in draft form and had not yet been implemented. OCR requested final copies of policies and procedures covering the safeguarding of ePHI stored on mobile devices, yet CardioNet was unable to produce any HIPAA-compliant documentation regarding the implementation of ePHI safeguards for mobile devices.

CardioNet was also determined to have violated 45 C.F.R. § 164.310(d)(1) by failing to implement policies and procedures covering the receipt and removal of hardware containing ePHI, and by failing to implement encryption, or another equivalent safeguard, to prevent the exposure of ePHI stored on mobile devices.

Any laptop computer or other mobile device that is used to store the ePHI of patients is vulnerable to theft or loss. When those devices are removed from the premises of a HIPAA-covered entity, the risk of theft or loss increases considerably. Covered entities must therefore implement appropriate safeguards to ensure that in the event of loss or theft of those devices, ePHI remains protected.

OCR Director, Roger Severino, said the “failure to implement mobile device security by Covered Entities and Business Associates puts individuals’ sensitive health information at risk. This disregard for security can result in a serious breach, which affects each individual whose information is left unprotected.”

The latest HIPAA settlement should send a strong message to covered entities that the failure to comply with HIPAA Rules can prove very costly. It also shows that it is not only hospitals and health plans that run the risk of a significant financial penalty for failing to comply with HIPAA Rules.

2017 HIPAA Settlements

The other HIPAA settlements agreed between OCR and covered entities in 2017 are:

  • The Center for Children’s Digestive Health – $31,000
  • Metro Community Provider Network – $400,000
  • Memorial Healthcare System – $5.5 million
  • Children’s Medical Center of Dallas – $3.2 million
  • MAPFRE Life Insurance Company of Puerto Rico – $2.2 million
  • Presence Health – $475,000

The post Wireless Health Services Provider Settles HIPAA Violations with OCR for $2.5 Million appeared first on HIPAA Journal.