HIPAA Breach News

Vendor Configuration Error Results in Exposure of 14,000 Individuals’ ePHI

A major breach of electronic protected health information has been discovered by Universal Care, dba Brand New Day, a Medicare-approved health plan.

The incident occurred on December 22, 2016 and was discovered six days later on December 28, 2016. Brand New Day became aware that an unauthorized individual had gained access to the ePHI provided to one of its HIPAA business associates. Access to ePHI was gained via a third-party vendor system used by Brand New Day’s contracting provider.

The breach notification submitted to the California Attorney General does not indicate whether the ePHI of plan members was stolen, although the data were accessed and a criminal investigation into the breach has been launched by law enforcement. The types of data accessed include plan members’ names, addresses, phone numbers, dates of birth and Medicare ID numbers.

Upon discovery of the incident, Brand New Day immediately launched an investigation and contacted its vendor to ensure that access to ePHI was immediately terminated. The vendor was informed that someone had improperly accessed plan members’ data and rapid action was taken to block access. Brand New Day says the error that allowed ePHI to be accessed was eliminated ‘within hours’ of the vendor being notified of the breach.

While the exact nature of the improper access was not specified, Brand New Day says “We changed our practices regarding access requiring monthly verification of each user.” Brand New Day is also performing a thorough ‘self audit’ to determine whether any other errors have occurred that jeopardize the confidentiality, integrity and availability of ePHI.

As a precaution against identity theft, all affected individuals have been offered 12 months’ complimentary identity theft mitigation services via Experian.

The breach report submitted to the Department of Health and Human Services’ Office for Civil Rights indicates 14,005 individuals were impacted by the incident. Brand New Day says it delayed the issuing of breach notification letters so as not to interfere with the criminal investigation of the breach.

HIPAA and Business Associates

Before any electronic protected health information is provided to a business associate, a signed copy of a business associate agreement must be obtained. The business associate agreement should explain the need to comply with the HIPAA Privacy, Security, and Breach Notification Rules and the need to implement safeguards that protect the confidentiality, integrity, and availability of ePHI. The BAA should also explain the procedures for notifying the covered entity in the event of a breach of ePHI.

A BAA will not necessarily prevent breaches of ePHI, although it will ensure that business associates are aware of their responsibilities to safeguard ePHI and issue notifications in the event of a breach. Should any violation of HIPAA Rules occur, it would likely be the business associate that is liable, rather than the covered entity. Since the introduction of the HIPAA Omnibus Rule, business associates of HIPAA covered entities can be fined directly by OCR and state attorneys general if HIPAA Rules are discovered to have been violated.

The post Vendor Configuration Error Results in Exposure of 14,000 Individuals’ ePHI appeared first on HIPAA Journal.

North Carolina Department of Health and Human Services Email Breach Impacts 12,700

The North Carolina Department of Health and Human Services has announced that the names, addresses, and Medicaid numbers of 12,731 patients were exposed as a result of an email error. The data were sent via email to adult care homes last year, but the emails were not encrypted. Potentially, the emails could have been intercepted and the data obtained by individuals unauthorized to view the information.

The emails were sent on November 30, 2016 and the Department of Health and Human Services’ Office for Civil Rights has now been notified of the incident. No mention has been made of when the incident was discovered.

This is the third such incident of this nature to have affected the NC Department of Health and Human Services in the past 38 months.

On December 30, 2013, 49,000 Medicaid cards of minors were accidentally mailed to incorrect recipients, exposing Medicaid numbers, names and birth dates. The privacy breach was attributed to human error. Two years later, 1,615 patients were impacted when an unencrypted email was sent to the Granville County Health Department. The email contained a spreadsheet of names, Medicaid ID numbers, provider names and ID numbers, and other Medicaid-related information.

The two email incidents are not believed to have resulted in any individual’s data being compromised. No indications that the emails were intercepted have been found by the NC Department of Health and Human Services, although the possibility cannot be ruled out. Individuals affected by the latest incident have been advised to monitor their accounts for any signs of fraud as a precaution.

In order to prevent similar security breaches from occurring in the future, policies and procedures have now been changed. Rather than emailing Medicaid numbers and names, identification numbers will be used in future. Should any email messages be intercepted, it would not be possible for patients to be identified.

Vanderbilt University Medical Center Employees Inappropriately Accessed 3,000 Patients’ PHI

Two employees of Vanderbilt University Medical Center have been discovered to have inappropriately accessed the medical records of more than 3,000 patients.

The inappropriate ePHI access was discovered during a routine audit of access logs, a requirement of the Health Insurance Portability and Accountability Act (HIPAA).

While the HIPAA Security Rule requires audit logs to be regularly reviewed by HIPAA-covered entities, in this case the inappropriate accessing of ePHI continued for 19 months before it was detected.

Vanderbilt University Medical Center first became aware of inappropriate ePHI access on December 27, 2016, prompting a full audit of access logs.

That audit revealed that two patient transporters at the medical center had viewed more information than was necessary in order for them to perform their work duties. The employees were required to move patients between treatment rooms and hospital floors. The pair were discovered to have first started viewing patients’ protected health information in May 2015. Medical records of patients continued to be accessed until December 2016.

The types of information accessed included patients’ names, medical record IDs, and birth dates. According to a press release from VUMC, one individual was also able to view some patients’ Social Security numbers. While patients’ electronic medical records were accessed, VUMC does not believe that any information has been copied or misused. VUMC has not said why patients’ health information was viewed by the employees, although the individuals concerned have been disciplined for their actions.

Patients are not believed to be at any elevated risk of suffering identity theft or fraud as a result of the privacy breaches. However, as a precaution, VUMC said “we are contacting each of them by letter to recommend that they vigilantly review account statements and their credit status.” Any patient whose Social Security number has been viewed is being provided with credit monitoring services via Experian Family Secure “out of an abundance of caution.”

In response to the breach, Vanderbilt University Medical Center has changed policies and procedures relating to how patient transporters are provided with patients’ health information. Any PHI needed for patient transporters to conduct their work duties will now be provided on paper. Access to its medical record system will no longer be provided. Patient transporters have also received further training relating to the accessing of patient health information.

Berkeley Medical Center Employee Inappropriately Accessed 7,445 Patients’ Records

A Berkeley Medical Center employee has been discovered to have inappropriately accessed the electronic protected health information of more than 7,400 patients over a period of 10 months.

WVU Medicine University Healthcare discovered the inappropriate accessing of ePHI by an employee of the Berkeley Medical Center on January 17, 2017 after being alerted to potential data theft by law enforcement. A joint investigation into the employee had been conducted by the FBI and the Berkeley County Sheriff’s Department.

As soon as WVU Medicine University Healthcare became aware of the incident, an internal investigation was launched. Two days later, the employee was suspended pending the outcome of the investigation. Information provided to the healthcare provider from law enforcement linked the employee with 113 former patients who had suffered identity theft.

The healthcare worker had been employed by WVU Medicine University Healthcare since March 2004 and was required to schedule appointments for patients at both the Berkeley Medical Center in Martinsburg, WV and Jefferson Medical Center in Ranson, WV. The investigation revealed that the inappropriate accessing of medical records first occurred on March 1, 2016. Inappropriate access continued until the notification was received from law enforcement.

No evidence was uncovered to suggest that the employee copied ePHI onto a portable device, although Teresa McCabe, vice president of marketing and development, said the employee manually copied data from computer screens and removed that information from the premises. A link between 113 patients and the employee was found, although in total, 7,445 breach notification letters were sent to patients informing them of unauthorized ePHI access.

After the investigation confirmed that hospital and HIPAA Rules had been violated, WVU Medicine University Healthcare terminated the employee. A criminal investigation is ongoing and the woman is being prosecuted.

The female employee was found to be in possession of driver’s licenses with photos and insurance and Social Security cards, suggesting the stolen information had already been used for identity theft. It is unclear whether those identification documents have been used to fraudulently obtain credit or medical services.

All individuals impacted by the incident have been offered credit monitoring and identity theft protection services for a period of one year via Kroll. Patients have been encouraged to check their accounts, credit histories, and EoB statements and to alert their financial organizations to the possibility of fraudulent use of their information.

HIPAA Requires Regular Reviews of ePHI Access Logs

Inappropriate accessing of patients’ medical records by healthcare employees occurs frequently, although this incident stands out due to the number of patients potentially impacted and how long it took for the HIPAA violation to be discovered – almost 10 months.

According to a statement released by WVU Medicine University Healthcare, “Because the former employee had access to this information as part of her employment as an authorization/prescheduling coordinator, her criminal conduct could not be detected as part of University Healthcare’s routine IT/privacy security checks.”

The HIPAA Security Rule (Security Management Process) requires healthcare organizations to maintain ePHI access logs and to regularly check those logs for signs of inappropriate access. An Information System Activity Review should be conducted regularly. Audit logs, access reports and security incident tracking reports should be reviewed – § 164.308(a)(1)(ii)(D).
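One way to implement such an activity review, covering both the Berkeley case (a user whose role legitimately permits record access but who opens far more records than peers) and the Vanderbilt case (users viewing data elements their role does not need), is sketched below. This is an added example written for this page, not the tooling of any organization named above; the CSV log format, user and role names, allowed-field policy and thresholds are assumptions, and the log lines are constructed sample data.

```python
"""Information System Activity Review over an ePHI access log (added example).

Illustrative code, not any named organization's tooling. Log format, role names,
allowed fields and thresholds are assumptions; the log lines are constructed.
Two reviews: a peer-volume check that catches a user whose role permits record
access but who opens far more distinct patient records than role peers, and a
need-to-know check that catches accesses to fields a role has no reason to view.
"""
from collections import defaultdict
from dataclasses import dataclass
import csv
import io
import statistics

# Constructed sample log: timestamp, user, role, patient record, field viewed.
SAMPLE_LOG = """\
ts,user,role,patient_id,field
2016-03-01T08:02:11,jdoe,scheduler,P1001,demographics
2016-03-01T08:05:40,jdoe,scheduler,P1002,demographics
2016-03-01T08:09:03,jdoe,scheduler,P1003,ssn
2016-03-01T08:11:52,jdoe,scheduler,P1004,demographics
2016-03-01T08:14:10,jdoe,scheduler,P1005,ssn
2016-03-01T08:17:27,jdoe,scheduler,P1006,insurance
2016-03-01T08:19:58,jdoe,scheduler,P1007,demographics
2016-03-01T08:22:31,jdoe,scheduler,P1008,ssn
2016-03-01T08:25:44,jdoe,scheduler,P1009,demographics
2016-03-01T08:28:09,jdoe,scheduler,P1010,insurance
2016-03-01T09:01:00,asmith,scheduler,P2001,demographics
2016-03-01T09:20:00,asmith,scheduler,P2002,insurance
2016-03-01T10:00:00,bjones,scheduler,P3001,demographics
2016-03-01T10:30:00,bjones,scheduler,P3002,demographics
2016-03-01T11:00:00,bjones,scheduler,P3003,insurance
2016-03-01T07:45:00,tlee,patient_transporter,P4001,location
2016-03-01T07:50:00,tlee,patient_transporter,P4001,ssn
2016-03-01T07:55:00,tlee,patient_transporter,P4002,diagnosis
2016-03-01T08:00:00,rkim,patient_transporter,P4003,location
2016-03-01T08:30:00,rkim,patient_transporter,P4004,location
"""

# Assumed minimum-necessary data elements per role (hypothetical policy).
ALLOWED_FIELDS = {
    "patient_transporter": {"name", "location"},
    "scheduler": {"name", "demographics", "insurance", "ssn"},
}


@dataclass(frozen=True)
class Access:
    ts: str
    user: str
    role: str
    patient_id: str
    field: str


def parse_log(text):
    """Parse the CSV access log into Access records."""
    return [Access(**row) for row in csv.DictReader(io.StringIO(text))]


def peer_volume_outliers(events, ratio=3.0, min_records=5):
    """Map user -> (distinct_patients, role_median) for users whose distinct
    patient-record count exceeds `ratio` times the median of their role peers.
    `min_records` stops tiny roles from being flagged on a handful of records."""
    per_user = defaultdict(set)
    role_of = {}
    for e in events:
        per_user[e.user].add(e.patient_id)
        role_of[e.user] = e.role
    counts_by_role = defaultdict(list)
    for user, patients in per_user.items():
        counts_by_role[role_of[user]].append(len(patients))
    flagged = {}
    for user, patients in per_user.items():
        median = statistics.median(counts_by_role[role_of[user]])
        n = len(patients)
        if n >= min_records and n > ratio * median:
            flagged[user] = (n, median)
    return flagged


def need_to_know_violations(events):
    """Return accesses to fields outside the role's allowed set."""
    return [e for e in events if e.field not in ALLOWED_FIELDS.get(e.role, set())]


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    for user, (n, median) in peer_volume_outliers(log).items():
        print(f"VOLUME  {user}: {n} distinct records vs role median {median}")
    for e in need_to_know_violations(log):
        print(f"FIELD   {e.ts} {e.user} ({e.role}) viewed {e.field} on {e.patient_id}")
```

On the constructed log the volume check flags only the scheduler who opened ten distinct records against a role median of three, and the need-to-know check flags the two transporter accesses to SSN and diagnosis fields.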

When healthcare employees are found to have accessed information without a legitimate work reason for doing so, it sends a message to other employees that their actions are being carefully monitored. This helps to establish a culture of responsibility and accountability. Prompt identification of inappropriate ePHI access will also ensure that patients can be notified in time to prevent their stolen information from being used to steal identities and commit medical fraud.

Theft, Hacking, Ransomware and Improper Accessing of ePHI – Attacks Coming from All Angles

Theft, hacking, ransomware, and improper ePHI access by employees – the past few days have seen a diverse range of healthcare data breaches reported.

St. Joseph’s Hospital and Medical Center in Arizona, Family Service Rochester of Minnesota, and the University of North Carolina have all reported potential breaches of patients’ ePHI, while Lexington Medical Center in South Carolina has announced that the sensitive data of its employees have been viewed.

University of North Carolina Reports Theft of Dental Patients’ ePHI

A laptop computer and an SD memory card from a digital camera have been stolen from the car of a postgraduate dental resident of the University of North Carolina School of Dentistry. While the devices should have had a number of security measures installed to prevent improper data access, UNC has been unable to confirm whether that was the case. The breach may have resulted in the exposure of around 200 patients’ personal information including full face photographs (without any other PHI), names, dates of birth, dental record numbers, treatment plans, dental and health histories, and referral letters including contact information.

Affected patients have been offered one year of credit monitoring services, staff have been retrained on the proper procedures for storing patient health information and disciplinary sanctions have been imposed on the individual who had been issued with the devices.

Family Services Rochester: Systems Hacked; ePHI Potentially Viewed; Data Encrypted

Family Services Rochester in Minnesota has discovered that some of its systems were compromised by a hacker. The accessed part of its computer system contained a range of sensitive electronic information including names, addresses, dates of birth, Social Security numbers, driver’s license numbers, medical insurance numbers and medical information.

Access to the computer system was first gained on December 26, 2016 and continued until January 25, 2017, when the attacker installed ransomware that encrypted a range of sensitive data. The incident is being investigated internally and by law enforcement and affected individuals have been offered credit monitoring services to protect them against identity theft.

St. Joseph’s Hospital and Medical Center Breach: Improper Access by Employee

The electronic protected health information of 623 patients of Dignity Health’s St. Joseph Hospital and Medical Center in Phoenix, AZ, has been improperly accessed by one of the center’s employees. The part-time employee was discovered to have accessed the records of patients without any legitimate work purpose for doing so between October 1, 2016 and November 22, 2016. The types of data accessed include patients’ names, demographic data, diagnostic information, clinical information (including doctor’s orders) and medication records. No Social Security numbers or financial data were accessed. The employee in question is not believed to have accessed the records with malicious intent and patients are not believed to be at risk of identity theft. Dignity Health says “appropriate action has been taken in response to the event.”

Lexington Medical Center – Employee Information Accessed by an Unauthorized Individual

Lexington Medical Center, in Lexington, SC, has discovered that a database – eConnect/Peoplesoft – containing the sensitive information of employees has been accessed by an unauthorized individual. The database contained the types of information criminals seek when sending W-2 Form phishing emails. In this case, the database does not appear to have been accessed as a result of an employee falling for such a scam. The data accessed includes the names and Social Security numbers of employees, but no patient information. Action has been taken to secure the database to prevent further access by unauthorized individuals.

Healthcare Data Breaches Reported to Office for Civil Rights in February 2017

Other recent healthcare data breaches reported to the Department of Health and Human Services Office for Civil Rights in February include:

Covered Entity | Location | Entity Type | Records Breached | Cause of Breach
Universal Care, Inc. DBA Brand New Day | CA | Health Plan | 14,005 | Unauthorized Access/Disclosure
Family Medicine East, Chartered | KS | Healthcare Provider | 6,800 | Theft
Walgreen Co | IL | Healthcare Provider | 4,500 | Unauthorized Access/Disclosure
Catalina Post-Acute Care and Rehabilitation | AZ | Healthcare Provider | 2,953 | Improper Disposal
Jeffrey D. Rice, O.D., L.L.C. | OH | Healthcare Provider | 1,586 | Theft
Benesch, Friedlander, Coplan & Aronoff LLP | OH | Business Associate | 1,134 | Unauthorized Access/Disclosure
Bloom Physical Therapy, LLC dba Physicians Physical Therapy Service | AZ | Healthcare Provider | 500 | Unauthorized Access/Disclosure

Horizon BCBS of New Jersey Pays $1.1 Million for HIPAA Violation

The New Jersey Division of Consumer Affairs recently announced that Horizon Blue Cross Blue Shield of New Jersey (Horizon BCBSNJ) has agreed to pay a $1.1 million fine for failing to protect the electronic protected health information of almost 690,000 plan members.

The Health Insurance Portability and Accountability Act (HIPAA) requires covered entities to implement administrative, technical and physical safeguards to protect the ePHI of patients and health plan members. While data encryption is not a required technical safeguard, it is an addressable specification. Covered entities must therefore consider the use of encryption technologies to protect ePHI at rest and in motion. If data encryption is not chosen, alternative security measures must be implemented that offer an equivalent level of protection.

Covered entities are required to conduct a comprehensive risk analysis to identify potential risks to the confidentiality, integrity and availability of PHI. If laptop computers are used to store the ePHI of patients or plan members, a risk assessment should show that there is a risk of ePHI exposure. Appropriate security controls should therefore be put in place to prevent ePHI exposure in the event that the devices are lost or stolen. Data encryption is one method of securing data, although other controls could equally be used. However, the use of a password on its own is insufficient. Passwords do not offer a level of protection equivalent to data encryption.

In November 2013, two laptop computers were stolen from Horizon BCBSNJ offices. The laptops were password protected but ePHI on the devices was not encrypted and no other technical security controls were used to safeguard the data. The laptop computers were secured to desks with security cables, although the thieves cut through those cables and took the laptops.

Data stored on the devices included names and addresses of policy holders, along with insurance identifiers, birth dates, some Social Security numbers, and a limited amount of clinical data.

The theft occurred over the course of a weekend when work was being conducted on Horizon BCBSNJ offices. A number of external vendors were provided with unsupervised access to the offices, including the area where the laptops were stored.

This was not the first time that an unencrypted laptop computer containing the ePHI of policyholders was stolen from Horizon BCBSNJ. A laptop computer was stolen from the vehicle of an employee in January 2008. Following that incident, Horizon BCBSNJ changed its policies and started using encryption on all laptop computers used to store ePHI. By May 2008, Horizon BCBSNJ announced that the encryption process had been completed. Training on the use of encryption was also provided to company employees to ensure they were aware of the new security controls.

However, during the course of the Division of Consumer Affairs investigation, it was discovered that more than 100 laptop computers used by Horizon BCBSNJ had no encryption, potentially placing ePHI at risk of exposure. The reason provided for the lack of encryption was that the laptop computers were obtained via a non-standard procurement process. As a result, the IT department was unaware that the devices had not been encrypted. The devices were also not subjected to monitoring or servicing, as per corporate policies.

Additionally, the Division of Consumer Affairs investigators determined that the employees who had been issued the two laptop computers were not required to store ePHI, and that doing so violated corporate policies.

The investigators concluded that in addition to violations of HIPAA Privacy and Security Rules, Horizon BCBSNJ had also violated the New Jersey Consumer Fraud Act.

In addition to the $1.1 million fine, Horizon BCBSNJ is required to adopt a robust corrective action plan to ensure compliance with HIPAA/HITECH and the New Jersey Consumer Fraud Act. An external professional must be hired to conduct a comprehensive, organization-wide risk analysis covering all devices and systems used to store or transmit ePHI. That risk analysis must be conducted within 180 days of the settlement date, and annually for the next two years. Reports of the findings of the analysis must be submitted to the Division of Consumer Affairs.

Steve Lee, Director of the Division of Consumer Affairs, said “Protecting the personal information of policyholders must be a top priority of every company. Customers deserve it and the law demands it.” He also explained that “Horizon Blue Cross Blue Shield of New Jersey’s alleged security lapses risked exposing policyholders’ most private information to the public, leaving them vulnerable to identity theft. This settlement ensures that Horizon BCBSNJ will maintain appropriate data privacy and security protocols to prevent future data breaches.”

Three Breaches of Physical Medical Records Impact at Least 4,100 Individuals

Three healthcare organizations have recently reported security breaches involving the theft/exposure of physical protected health information. While it is currently unclear exactly how many healthcare patients have been impacted, at least 4,100 individuals are known to have been affected. According to police reports, the total could be as high as 8,000 individuals.

The largest confirmed breach has impacted 2,953 employees and residents of Catalina Post-Acute and Rehabilitation of Tucson, AZ.

The nursing home and rehabilitation center discovered that documents containing the sensitive information of residents and employees had been left unattended and unprotected in a location accessible by the public. A range of sensitive information was detailed in the documents including names, demographic information, Social Security numbers and medical diagnoses.

An internal investigation of the incident was conducted to determine how the information was exposed and the potential for that information to have been inappropriately accessed. No evidence was uncovered to suggest any information had been used inappropriately, although the possibility that PHI was disclosed to unauthorized individuals could not be ruled out.

As a result of the potential privacy breach, Catalina Post-Acute and Rehabilitation has reviewed and reinforced its protocols relating to the storage of physical PHI of residents and employee data to prevent future breaches of this nature from occurring. All affected individuals have now been contacted in accordance with HIPAA Rules.

Storage Unit Break-in Impacts Patients of Two Healthcare Organizations

A break-in at a Zanesville, OH storage facility used by multiple healthcare organizations has resulted in the theft of highly sensitive patient health information.

Thieves targeted the Brandywine Lock-N-Stock in Zanesville on December 12, 2016 and broke into nine storage units. The units were used to keep old patient records, many boxes of which were taken by the thieves.

The units raided by the thieves were rented by Genesis HealthCare/Genesis Credit Union, Dr. Rice of Vision Source, and Capital Prosthetic & Orthotic Center, Inc. Genesis HealthCare and Genesis Credit Union have said that no patients were impacted by the break-in, although several boxes of files were taken from the Vision Care and Capital Prosthetic-rented units.

Capital Prosthetic & Orthotic Center, Inc., said 15 boxes of files were taken from its storage unit, and Vision Care said seven boxes of files were taken.

According to a breach notice issued by Capital Prosthetic, the stored documents contained a range of sensitive information of former patients, including names, addresses, birth dates, medical diagnoses, treatment information, health insurance information and Social Security numbers. Individuals impacted by the incident had received medical services at Capital Prosthetic between 2008 and 2012. A statement released by Capital Prosthetic indicates 1,134 former patients had their medical records stolen.

The files taken from the Vision Care unit contained names, Social Security numbers and limited health information. While a substitute breach notice has been uploaded to the Vision Care website, no mention has been made about the number of individuals impacted.

The Zanesville Police Department was notified of the break-in and nine days later some boxes of medical files were recovered. Zanesville Police Department has also identified suspects believed to be responsible for the theft, although no charges against those individuals have been filed as of yet.

According to the Zanesville Times Recorder, detectives estimate that around 3,000 to 5,000 medical files have been recovered. All files relating to Capital Prosthetic patients are believed to have been recovered, according to the company’s attorney Cliff Mull. Vision Care also claims that all seven boxes of stolen records have now been recovered and secured.

Both companies say no evidence has been uncovered to suggest that any of the data in the files have been used inappropriately.

Faxing Error Sees PHI Sent to Local Media Outlet

Seven doctors’ offices in the Fort Worth area of Texas accidentally faxed patients’ protected health information to the wrong fax number. The faxes contained a range of highly sensitive patient information including names, dates of birth, Social Security numbers, medical histories and much more.

While such a mistake could potentially see patients’ health information fall into the hands of criminals, in this case the errors saw the faxes sent to a local media outlet, WFAA.

The faxes received by WFAA related to at least 28 separate patients and should have been sent to Baylor Surgicare of Oakmont. The fax number used by the Fort Worth medical facility was identical to WFAA’s except for a single digit.

In this case, the seven doctors’ offices were contacted and informed of the error and the faxes were securely destroyed, although the incident shows how easy it is for sensitive patient data to be sent to incorrect recipients by fax.

While an incident such as this is unlikely to result in a HIPAA violation penalty from the Department of Health and Human Services’ Office for Civil Rights, such a mistake could potentially cause patients to come to harm. Medical data can be used for a multitude of criminal activities such as extortion, blackmail, and fraud.

The use of faxes to communicate patient health information is commonplace in the United States. Doctors need to communicate information about patients to other healthcare providers, and faxes have long been used to rapidly communicate essential information. The communication method is fast and convenient, although not particularly secure.

Faxes may be misdirected, and sensitive health information could be left on fax machines where it can be accessed by unauthorized individuals. The potential for patient privacy violations is considerable.

In certain circumstances, faxes have their uses, although healthcare providers can easily send data more securely. Encrypted email is a much more secure method of communication, while electronic protected health information can be sent safely using a HIPAA-compliant, secure text messaging platform. The latter incorporates authentication controls to ensure information can only be accessed by the intended recipient.

Faxes and pagers have served the healthcare industry well over the years, although more secure methods of communication are now ubiquitous and cost-effective. They also ensure that privacy violations such as this do not occur.

South Fulton Mental Health Center Discovers Dumped Medical Records

Late last week, South Fulton Mental Health Center in Georgia discovered highly sensitive patient health records had been improperly disposed of in a dumpster that was accessible by the public.

A statement released by the clinic shortly after the records were discovered confirmed that an investigation had been launched into the HIPAA breach. “A preliminary review suggests that a staff member did not secure the files properly” during the move from the South Fulton Mental Health Center.

The files have now been retrieved and secured, although they were accessed by at least one individual. CBS46 was tipped off about the dumped records and a reporter was able to retrieve some documents from the dumpster before they were secured. The documents viewed by the CBS46 reporter contained patients’ names, Social Security numbers and other sensitive information.

An internal investigation into the incident is ongoing. While it is possible that an employee made an error and either left the records unsecured or accidentally dumped the records, this is now being viewed as a deliberate act.

Fulton County Commission Chairman John Eaves told CBS46 that “There’s at least one disgruntled employee who’s responsible for this.” Fulton County officials have confirmed they have identified the employee they believe is responsible. That individual has not been named although he/she had worked at the clinic for a number of years.

The employee is believed to have dumped the records in retaliation for the clinic’s decision to start outsourcing its mental health services.

Fulton County is now checking all of the dumped records to find out which patients have been affected. Breach notification letters will be sent to all affected patients once that process is complete. At this stage, it is unclear how many of the clinic’s current and former patients have been affected, although initial reports suggest that hundreds of patients are involved.
