HIPAA Breach News

Zest Dental Solutions Alerts Customers to Payment Card Information Breach

Carlsbad, CA-based Zest Dental Solutions has discovered that an unauthorized individual has gained access to its e-commerce system and has potentially stolen the credit card details of some of its customers.

A number of customers reported receiving unusual emails containing information related to past Zest Dental Solutions purchases. The complaints prompted an investigation and an external cybersecurity firm was brought in to conduct a thorough analysis of the company’s systems. On February 16, 2017, it was confirmed that the company’s e-commerce system had been breached.

That system contained credit card numbers, CVV codes, expiry dates, customers’ names, addresses, and phone numbers. Individuals affected by the security incident had previously made purchases through the website between December 13, 2013 and September 21, 2014 or between November 2, 2016 and February 4, 2017. The breach also impacts customers who purchased items prior to the company changing its name from Zest Anchors.

Since credit card details may have been stolen, affected individuals are at risk of experiencing credit card fraud and should take precautions to secure their accounts. Customers have been told to carefully monitor their credit card statements for any sign of fraudulent activity.

While affected individuals have not been offered credit monitoring services, they may be refunded any reasonable fraudulent charges that are not reimbursed by their credit card providers.

Website breaches are a major concern for any organization that operates an e-commerce website. It is essential that regular scans are performed to check for any potential malicious activity and that security measures are implemented to keep sites secure.

In response to the security breach, Zest Dental Solutions has improved security on its e-commerce site and will be switching to an alternative card payment processing system. Additional security controls have also been added to the site to better protect customers’ sensitive information in the future.

The post Zest Dental Solutions Alerts Customers to Payment Card Information Breach appeared first on HIPAA Journal.

Lack of Email Encryption Exposes PHI of 644 Raising St. Louis Participants

644 participants of the Raising St. Louis program run by BJC HealthCare have been notified that some of their personally identifiable information has been exposed via email following the discovery that protocols for sending sensitive information securely were not followed.

No Social Security numbers, financial information, or test results/treatment data were communicated via unencrypted email, although names, addresses, telephone numbers, dates of birth, visit dates, nursing notes, medication and vaccination information could potentially have been intercepted and viewed by unauthorized individuals.

BJC HealthCare has established protocols for communicating sensitive information, although in January it was discovered that those protocols had not been used for communicating personally identifiable information of Raising St. Louis participants to program partners for a period of three years between January 17, 2014 and January 9, 2017. The correct protocol for emailing sensitive data has now been adopted and staff members have been re-educated and instructed to only send sensitive data via encrypted email.

An internal investigation did not uncover any evidence to suggest that emails had been intercepted or viewed by unauthorized individuals, although the possibility could not be ruled out.

HIPAA and Email Encryption

The HIPAA Security Rule does not prohibit the sending of ePHI via email, although any data sent via an open network must be appropriately secured and controls implemented to prevent unauthorized access (See 45 CFR § 164.312(e)).

Prior to ePHI being communicated via email, a covered entity must assess the available security controls that can be applied to safeguard the confidentiality, integrity, and availability of ePHI. An appropriate solution should be applied and the decision process behind the use of that solution should be documented.

HIPAA does not specify which protection must be used, although access controls for data in motion should comply with NIST Special Publications 800-52, Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations; 800-77, Guide to IPsec VPNs; or 800-113, Guide to SSL VPNs.

The post Lack of Email Encryption Exposes PHI of 644 Raising St. Louis Participants appeared first on HIPAA Journal.

Unencrypted Backup Drive Containing 7 Years of PHI Stolen from Denton Heart Group

The danger of storing unencrypted protected health information has been highlighted by a recent security incident reported by Texas-based Denton Heart Group, a member of the Health Texas Provider Network.

A hard drive containing 7 years of EHR backup data was recently discovered to have been stolen. While the device was stored in a locked closet, the data on the device were not encrypted.

The backup files contained a treasure trove of patient data including names, addresses, phone numbers, dates of birth, Social Security numbers, driver’s license numbers, medical record numbers, insurance provider names and policy numbers, physicians’ names, clinic account numbers, medical diagnoses, lab test results, medications and other clinical data. The backups were made between 2009 and 2016.

The theft was discovered by the medical group on January 11, 2017 although the device was believed to have been stolen on or around December 29, 2017.

All eligible individuals affected by the incident will be offered credit monitoring and identity theft protection services through Experian, although no reports of misuse of the stored data have been received.

To prevent future incidents, Denton Heart Group is re-evaluating the security of computer devices used by its clinics, although it is unclear whether the theft will prompt the medical group to encrypt its backups in the future.

20% of Healthcare Organizations Do Not Use Encryption

Two reports were published last month that showed how the healthcare industry in the United States lags behind other industry sectors when it comes to data encryption.

The 2017 Thales Data Threat Report for the Healthcare Industry indicates only 65% of healthcare organizations in the United States encrypt backup data stored in the cloud. A study by HyTrust indicates 25% of healthcare organizations are using cloud services but are not encrypting cloud data.

Even though healthcare organizations are increasing security budgets, the industry still has one of the lowest data encryption adoption rates. Last year, Sophos conducted a survey that showed only 31% of healthcare organizations were extensively using encryption to protect sensitive data, the lowest percentage of all industries surveyed. Encryption was used to some degree by a further 49% of healthcare organizations, although 20% of surveyed organizations were not using encryption at all. Only the retail sector scored lower, with 23% of retailers opting not to use encryption.

The lack of encryption leaves healthcare organizations particularly vulnerable to data breaches. According to OCR figures, since January 1, 2014, there have been 182 hacking incidents reported. Those incidents resulted in the theft/exposure of 125,994,157 healthcare records. There have also been 249 cases of lost or stolen equipment containing PHI. Those incidents impacted 8,902,225 individuals.

Given the extent to which healthcare organizations are now being targeted by cybercriminals and the huge numbers of healthcare records exposed or stolen as a result of hacks and lost and stolen devices, any healthcare organization that is not encrypting PHI is taking a huge risk.

The post Unencrypted Backup Drive Containing 7 Years of PHI Stolen from Denton Heart Group appeared first on HIPAA Journal.

Server Compromise at Tarleton Medical: PHI Potentially Accessed

Hacking continues to be a leading cause of healthcare data breaches. There have been 55 data breaches reported to the Department of Health and Human Services’ Office for Civil Rights (OCR) as of March 13, 2017, a quarter of which were attributed to hacking. While unauthorized access/disclosure is the leading cause of healthcare data breaches in 2017 with 44% of the total number of reported breaches, hacking incidents have exposed more records. 260,277 patient and health plan member records have been compromised in hacking incidents – 60% of the total number of healthcare records exposed in 2017.

The two largest healthcare data breaches of the year to date and seven of the top ten healthcare data breaches of 2017 were due to hacking. A network server was compromised in all of those incidents. The largest hacking incident of 2017 impacted 85,995 patients of VisionQuest Eyecare of Indiana. The second largest incident, which impacted 79,930 individuals, was reported by Emory Healthcare and involved a hacked MongoDB database.

Hacked Network Server Discovered by CA-Based Tarleton Medical

The latest hacking incident affects Rancho Mirage, CA-based Tarleton Medical. On January 6, 2017, the medical practice run by Dr. Harold Tarleton, MD, discovered a server had been inappropriately accessed. Upon discovery of the security breach, prompt action was taken to isolate the server and secure patient data. A third-party computer forensics firm was brought in to conduct an investigation to determine the extent of the breach.

On February 2, 2017, the forensics firm determined that the server had been inappropriately accessed by a third party and the PHI of patients was potentially viewed. Information stored on the hacked server included names, addresses, birth dates, healthcare claims information and Social Security numbers.

The breach notice submitted to the California attorney general’s office does not confirm how many individuals have been impacted by the security incident nor the duration of the breach. The incident has yet to appear on the OCR breach portal. All individuals impacted by the breach have been offered identity theft protection and credit monitoring services without charge for a period of 12 months.

The post Server Compromise at Tarleton Medical: PHI Potentially Accessed appeared first on HIPAA Journal.

Virginia Commonwealth University Health System Discovers 3-Year HIPAA Breach

For the past three years, the electronic medical records of patients of Virginia Commonwealth University Health System have been inappropriately accessed by employees of physician groups.

In total, around 2,700 individuals, many of whom were children, have had their medical records viewed and their privacy violated.

VCU Health System provides access to patients’ medical records to community physician groups and contracted vendors. Community physicians are able to share patients’ medical records with the VCU Health System to ensure continuity of care when referring patients. Contractors that provide medical equipment to patients are similarly given access to medical records.

However, VCU Health System discovered ‘an unusual pattern of accessing medical records’ in January. Further investigation revealed individuals were accessing patients’ medical records without any legitimate business reason for doing so and that records had been accessed for a period of more than three years. The first privacy breach occurred on January 3, 2014 and inappropriate access continued until January 10, 2017, when the privacy breaches were discovered. The records were accessed by a contractor and employees of some community physician groups that were partnered with Virginia Commonwealth University Health System.

The types of information accessed include names, addresses, medical record numbers, birth dates, visit dates, health care provider names, health insurance details, medical information and some patients’ Social Security numbers.

According to a statement released by VCU Health System, the investigation did not uncover any evidence to suggest that health insurance information had been used inappropriately and no information appears to have been accessed with malicious intent.

VCU Health System determined which individuals had improperly accessed patients’ medical records and their employers terminated those employees. In order to prevent similar breaches from occurring in the future, VCU Health System has implemented new safeguards to prevent inappropriate system access. All individuals impacted by the privacy breaches have been offered credit monitoring services for 12 months without charge.

The incident highlights how important it is for controls to be put in place to prevent the inappropriate accessing of medical records and for regular audits of PHI access logs to be conducted. It may not always be possible to prevent inappropriate accessing of medical records by employees, partners and business associates, but fast identification of privacy violations will allow healthcare organizations to take action to limit the harm caused.

The post Virginia Commonwealth University Health System Discovers 3-Year HIPAA Breach appeared first on HIPAA Journal.

Email Error Impacts 6,500 Saliba’s Extended Care Pharmacy Patients

Saliba’s Extended Care Pharmacy in Phoenix, Arizona is alerting more than 6,500 patients to an accidental disclosure of some of their protected health information (PHI).

A copy of invoices for December 2016 was sent via Saliba’s Pharmacy’s encrypted email platform to the wrong patients in January. While there is no chance that the emails could have been intercepted by unauthorized individuals, the emails were opened by three patients or their representatives. The incident occurred on January 12, 2017, and Saliba’s Pharmacy discovered the error four days later on January 16.

Since HIPAA Rules and patient privacy were accidentally violated, breach notification letters were sent to patients on March 3 to alert them to the incident. Patients have been advised to exercise caution and check their explanation of benefits statements and Saliba’s Pharmacy statements for signs of misuse. However, no reports of any misuse of the information have been received by Saliba’s Pharmacy and the risk of PHI misuse as a result of this impermissible disclosure is believed to be very low.

Patients affected by the incident have been told that the information disclosed was limited to names, addresses, and account balances. Some patients also had descriptions and amounts of over-the-counter medications and other pharmacy items detailed in the invoices. The invoices did not contain highly sensitive PHI such as Social Security numbers, health insurance information or financial information.

President of Saliba’s Pharmacy, John Saliba, issued a statement saying privacy breaches such as this are treated very seriously. The employee who made the error has been terminated and additional training has been provided to staff members. Policies and procedures at the pharmacy have also been updated to prevent similar incidents from occurring in the future and to ensure the protected health information of patients is better protected.

According to the breach report submitted to the Department of Health and Human Services’ Office for Civil Rights, 6,599 patients were impacted by this incident.

The post Email Error Impacts 6,500 Saliba’s Extended Care Pharmacy Patients appeared first on HIPAA Journal.

Sharp Healthcare Says Stolen Devices Contained PHI of Patients

A computer and an external storage drive have been discovered to have been stolen from San Diego-based healthcare provider Sharp Healthcare.

The devices were taken from a locked cabinet in an access-controlled patient treatment area of the Sharp Memorial Outpatient Pavilion in Kearny Mesa in San Diego, CA. It is not known when the devices were taken, although they were discovered to be missing on February 6, 2017.

The devices were used to store the data of patients who had undergone wellness screening as part of blood pressure and cardiac health studies performed at the outpatient center. The types of data stored on the devices include patients’ full names, ages, dates of birth, medications currently being taken, a summary of the studies that were being performed and family health histories. The devices were not encrypted, so it is possible that the patient health information stored on both devices could be accessed by unauthorized individuals.

An internal investigation was conducted when the devices were discovered to be missing and efforts were made to locate the devices, although the investigation suggested the devices had been stolen. Law enforcement has been notified of the theft, although the equipment has not yet been discovered.

In response to the incident, Sharp Healthcare is reviewing its security practices and will be implementing a number of additional safeguards to prevent further incidents of this nature from occurring.

The Department of Health and Human Services’ Office for Civil Rights and the California Department of Public Health have been notified of the breach. 750 current and former patients are understood to have been impacted by the incident. All patients have already been notified by mail in accordance with Health Insurance Portability and Accountability Act Rules.

The post Sharp Healthcare Says Stolen Devices Contained PHI of Patients appeared first on HIPAA Journal.

Improper Disposal of PHI Discovered by Minneapolis Heart Institute

A member of a cleaning crew at the Minneapolis Heart Institute at Abbott Northwestern Hospital accidentally disposed of documents containing PHI with regular trash.

Minneapolis Heart Institute has policies and procedures in place that require all documents containing sensitive patient health information to be securely destroyed in accordance with HIPAA Rules. However, a member of the cleaning team was discovered to have emptied a trash container from a physician’s private office before documents could be securely shredded.

The incident was discovered on January 20, 2017, although not in time for the documents to be recovered and securely destroyed. The documents had been emptied into a bin bag which was placed in a regular recycling dumpster at the hospital.

It is unclear at this stage how many individuals have been impacted, although as a precaution, the Minneapolis Heart Institute is notifying all patients who were part of the physician’s service group between April 17, 2016 and January 17, 2017. Those individuals have been offered credit monitoring and identity theft protection services without charge for a period of 12 months, even though the risk of any PHI being accessed by unauthorized individuals is believed to be very low.

The documents contained PHI including names, addresses, birth dates, medical record numbers, clinical data, and health insurance information. Some health insurers use Social Security numbers as health plan identifiers; therefore, some Social Security numbers may also have been on the documents.

The incident shows that policies and procedures alone will not always prevent breaches of this nature from occurring. However, the action taken following the incident by Allina Health, which operates Abbott Northwestern Hospital, should prevent any further such incidents from occurring in the future.

Allina Health has removed all desk-side recycling bins and has replaced them with locked shredding bins. Now, all documents will be sent for shredding, irrespective of whether they contain sensitive data. An employee education program has also been conducted to advise employees of the need to shred all paperwork and Allina Health’s safeguards policy has also been reinforced, highlighting the importance of the correct disposal of documents.

The post Improper Disposal of PHI Discovered by Minneapolis Heart Institute appeared first on HIPAA Journal.

Healthcare Employee Accessed ePHI Without Authorization for 5 Years

Healthcare professionals must have access to the protected health information of patients in order to provide medical care and perform healthcare operations.

Since access to data can be abused by rogue employees, it is essential that controls are put in place to alert healthcare organizations rapidly when improper access occurs. Rapid identification of improper access can greatly reduce the harm caused.

In many cases, improper access is discovered during routine audits of access and application logs. When those audits are conducted on an annual basis, employees may be found to have been improperly accessing patient data for many months.

Last month, Chadron Community Hospital and Health Services in Nevada discovered that a rogue employee had been accessing ePHI without any legitimate work reason for doing so. What makes this incident stand out is how long access had been allowed to continue before it was discovered.

An investigation conducted by the healthcare provider revealed that the improper access had gone unnoticed for more than 5 years. During that time, the records of more than 700 patients had been accessed by the employee. The report submitted to the Department of Health and Human Services’ Office for Civil Rights indicates 702 individuals had their privacy violated by the employee.

Chadron Community Hospital and Health Services first learned of the privacy breach on January 3, 2017. The investigation into the employee’s activities showed medical records were first improperly accessed in September 2011 and that HIPAA-violating activity had continued until November 2016. The types of information accessed included names, addresses, dates of birth, demographic information, clinical information such as medical diagnoses, orders and physicians’ notes, some financial data and insurance information. No Social Security numbers are believed to have been viewed.

It is not clear whether the employee accessed the information out of curiosity or whether data were viewed with malicious intent. The individual is no longer employed by Chadron Community Hospital and Health Services. The dates of access suggest the employee had left the healthcare organization prior to the improper access being discovered.

Insider threats are a major concern for healthcare security staff. A recent Dimensional Research/Preempt survey showed that almost half of IT security professionals are more concerned about internal attacks than external threats. The network perimeter can be secured, although monitoring for improper access by employees can be a challenge.

HIPAA Rules require covered entities to maintain access logs and conduct periodic reviews of those logs to monitor for improper access. HIPAA does not state how often those logs must be checked, although it would be difficult to argue that regular, thorough checks were conducted if an employee was able to evade detection for more than 5 years. Such a long period of improper access is certain to attract the attention of Office for Civil Rights’ investigators.
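The access-log review that this piece and the Virginia Commonwealth University Health System item above both call for can be shown in a small audit script. The following is an added example, not code from HIPAA Journal or from any of the organizations named; the log format, the user names, the care-relationship table, the timestamps and the review schedule are all constructed for illustration. It flags record accesses for which the user has no recorded treatment or operations relationship with the patient, summarizes them per user, and computes how long such access would have gone unnoticed under a given review cadence.

```python
import csv
from collections import defaultdict
from datetime import datetime
from io import StringIO

# Constructed sample EHR access log (not from any real system). The column
# names are assumptions; a real audit log will differ per vendor.
SAMPLE_LOG = """\
timestamp,user,patient_id,action
2016-11-01T08:02:11,nurse_a,P100,view
2016-11-01T08:15:40,nurse_a,P101,view
2016-11-01T09:03:05,clerk_b,P100,view
2016-11-02T22:41:19,clerk_b,P205,view
2016-11-02T22:42:03,clerk_b,P206,view
2016-11-02T22:43:50,clerk_b,P207,view
2016-11-03T10:12:00,dr_c,P101,update
2016-11-03T10:14:30,dr_c,P300,view
"""

# Constructed relationship table: the patients each user legitimately works
# with (derived in practice from encounters, schedules, referrals or billing).
CARE_RELATIONSHIPS = {
    "nurse_a": {"P100", "P101"},
    "clerk_b": {"P100"},
    "dr_c": {"P101"},
}


def parse_log(text):
    """Parse the CSV log into dicts, converting the timestamp to datetime."""
    rows = list(csv.DictReader(StringIO(text)))
    for row in rows:
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
    return rows


def find_unjustified_access(rows, relationships):
    """Return every access where the user has no recorded relationship with the patient."""
    return [r for r in rows if r["patient_id"] not in relationships.get(r["user"], set())]


def summarize_by_user(events):
    """Per user: number of flagged accesses, distinct patients, first and last occurrence."""
    by_user = defaultdict(list)
    for event in events:
        by_user[event["user"]].append(event)
    summary = {}
    for user, evs in by_user.items():
        times = sorted(e["timestamp"] for e in evs)
        summary[user] = {
            "events": len(evs),
            "patients": len({e["patient_id"] for e in evs}),
            "first": times[0],
            "last": times[-1],
        }
    return summary


def audit(text, relationships, audit_time_iso):
    """Run the review at audit_time and report, per user, how many days the earliest
    flagged access had already gone unnoticed by then."""
    audit_time = datetime.fromisoformat(audit_time_iso)
    summary = summarize_by_user(find_unjustified_access(parse_log(text), relationships))
    lag_days = {u: (audit_time - s["first"]).days for u, s in summary.items()}
    for s in summary.values():
        s["first"] = s["first"].isoformat()
        s["last"] = s["last"].isoformat()
    return {"summary": summary, "lag_days": lag_days}


def days_until_next_review(first_access_iso, cadence_days, schedule_start_iso):
    """Days from an access until the next scheduled log review, for reviews
    every cadence_days starting at schedule_start (0 if one falls the same day)."""
    first = datetime.fromisoformat(first_access_iso)
    start = datetime.fromisoformat(schedule_start_iso)
    remainder = (first - start).days % cadence_days
    return cadence_days - remainder if remainder else 0


if __name__ == "__main__":
    report = audit(SAMPLE_LOG, CARE_RELATIONSHIPS, "2017-01-03T00:00:00")
    for user, s in report["summary"].items():
        print(f"{user}: {s['events']} flagged accesses to {s['patients']} patients, "
              f"first on {s['first']}, found {report['lag_days'][user]} days later")
    for cadence in (365, 7, 1):
        print(f"review every {cadence} day(s): worst-case lag "
              f"{days_until_next_review('2016-11-02T22:41:19', cadence, '2016-01-01T00:00:00')} days")
```

The relationship table is the part that carries the policy: however an organization defines a legitimate reason to open a record, that definition has to be queryable so the log can be compared against it. The cadence function makes the point in the paragraph above concrete: with a once-a-year review, an access made in early November is not seen for about two months, and an access made just after a review goes unseen for nearly a year, whereas a weekly or daily review caps the lag at days.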

The post Healthcare Employee Accessed ePHI Without Authorization for 5 Years appeared first on HIPAA Journal.