HIPAA Breach News

3,365 Patients’ Billing Records Potentially Stolen by Hacker

Atlanta-based Skin Cancer Specialists, P.C., has announced a data security incident that exposed the billing records of 3,365 patients.

An unauthorized individual was discovered to have gained access to the healthcare provider’s system on October 15, 2016, with the intrusion detected on February 2, 2017.

The system contained the billing records of 3,365 patients. Those records included patients’ names, addresses, telephone numbers, dates of birth, medical record numbers, physician information and health insurance details. Financial information and Social Security numbers were not viewed or obtained by the attacker.

Skin Cancer Specialists hired a cybersecurity firm to conduct a thorough investigation into the breach to determine how access was gained. Action has now been taken to secure its systems to prevent further cyberattacks.

No evidence of inappropriate use of the billing records was uncovered during the investigation, although patients have been advised to check their explanation of benefits statements for any sign of fraudulent use of their health insurance information. Patients were notified of the breach by mail on April 3, 2017.

Healthcare Hacking Incidents Have Increased by 26% in 2017

2016 was a particularly bad year for healthcare data breaches, with more reported breaches of patient health records than in any other year since the Department of Health and Human Services’ Office for Civil Rights started publishing data breach summaries on its ‘Wall of Shame’.

However, 2017 looks set to be even worse. Healthcare hacking incidents have increased in 2017, with 26% more incidents discovered during the first three months of 2017 than in the corresponding period in 2016.

Up to March 31, 2017, OCR received reports of 24 healthcare hacking/IT incidents, resulting in 811,343 healthcare records being exposed or stolen. 10 of those incidents have been reported in the past 30 days.

The post 3,365 Patients’ Billing Records Potentially Stolen by Hacker appeared first on HIPAA Journal.

Mental Health Histories and Therapy Session Notes of 3,000+ Patients Sold On Darknet

Databreaches.net has discovered a healthcare data breach of more than 3,000 records. Those records appear to have been sold by the hacker responsible for the attack via a darknet marketplace. The records contained health and mental health histories and therapy session notes from 2007 to present.

In total, more than 4,500 patient records were obtained by the hacker, which related to ‘3,000-3,500’ unique individuals. The records included names, addresses, phone numbers and employer details along with SSNs, dates of birth and the names of patients’ physicians.

Worse still, the records contained complete family histories, details of substance abuse, legal histories, health and mental health histories, and detailed ‘complete’ notes of therapy sessions spanning several years.

The individual responsible for stealing the information listed the records for sale on a darknet marketplace advising potential buyers that the records contained “Everything confessed/discussed in complete privacy is in here for thousands of patients.”

The complete set of data was listed for sale for a minimum price of $10,000 and was allegedly sold to one individual. The seller suggested the records could be sold back to the organization from where they were stolen.

It is not clear how the records were stolen, although the seller claims the healthcare organization had ‘not-so-great network security’. Databreaches.net was able to identify the source of the data and alerted the organization – Behavioral Health Center in Bangor, Maine. The health center has launched an investigation into the breach and will notify affected patients in due course.

Large Hospitals and Teaching-Focused Hospitals Face Greater Risk of Data Breaches

A study recently published in JAMA Internal Medicine examined recent healthcare data breach trends to determine which types of hospitals are the most susceptible to data breaches.

The researchers analyzed breach reports submitted to the Department of Health and Human Services’ Office for Civil Rights between October 21, 2009 and December 31, 2016. During that time, 216 hospitals reported 257 breaches of more than 500 patient records.

33 hospitals experienced more than one data breach during that time frame. Four hospitals – Brigham and Women’s Hospital, Cook County Health & Hospitals System, Mount Sinai Medical Center and St. Vincent Hospital and Healthcare Inc – experienced three data breaches. Two hospitals – Montefiore Medical Center and University of Rochester Medical Center & Affiliates – experienced four data breaches.

The researchers determined the size of the acute care hospitals by linking the facilities to their Medicare cost reports submitted to the Centers for Medicare and Medicaid Services in the 2014 fiscal year. 141 acute care hospitals were linked to CMS cost reports. Unlinked hospitals included those run by the Department of Veterans Affairs, military hospitals and long-term care hospitals.

The study revealed that larger hospitals were statistically more likely to experience a data breach. More than one third (37%) of the hospitals that had experienced a data breach were classed as major teaching hospitals.

Linked hospitals had a median of 262 beds, while an analysis of 2,852 acute care hospitals that had not reported a data breach found a median of 134 beds. 265 (9%) of those unbreached hospitals were major teaching hospitals.

The researchers found that both the size of hospitals and their teaching status were positively associated with the risk of experiencing data breaches.

The researchers used multivariable and regression analyses to compare the 141 linked acute care hospitals with other hospitals to determine why they faced a higher risk of experiencing data breaches.

The researchers suggest the reason why larger hospitals and teaching hospitals experience more data breaches is due to having broader access to sensitive patient data. The more individuals who require access to data, the greater the risk of data breaches occurring. The report suggests “There is a fundamental trade-off between data security and data access.” When data are made available to a greater number of individuals for research and education purposes it makes “zero breach” an extremely challenging objective.

While investment in information technology such as EHRs has certainly made hospitals more efficient and has improved the provision of care to patients, it has also made security and privacy breaches more likely.

While many hospitals have invested heavily in cybersecurity defenses to reduce the risk of data breaches, the breach reports submitted to the Department of Health and Human Services’ Office for Civil Rights clearly show that healthcare data breaches are increasing in frequency.

The fast-evolving threat landscape requires hospitals to invest in cybersecurity defenses to mitigate data breach risk, and hospitals must continuously evaluate data security risks and apply best data security practices to prevent breaches from occurring. However, it is difficult for hospitals to determine which technologies and best practices are the most effective at preventing data breaches.

Lead author of the study, Ge Bai, an assistant professor at Johns Hopkins Business School, said, “More research is needed to identify effective and evidence-based data security practices to guide hospitals’ risk management efforts.”

More than 55,000 Patients Impacted by ABCD Pediatrics Ransomware Attack

San Antonio, TX-based ABCD Pediatrics has discovered cybercriminals gained access to its servers and encrypted data with ransomware, including the protected health information of its patients. The individuals behind the attack may also have gained access to data stored on the healthcare provider’s servers prior to ransomware being deployed. The breach report submitted to the Department of Health and Human Services’ Office for Civil Rights indicates 55,447 patients have been impacted.

The attack involved a variant of CrySiS ransomware called Dharma, which started encrypting data on February 6, 2017. Dharma ransomware is not known to exfiltrate data; however, an analysis of the attack revealed a number of suspicious user accounts on the servers, suggesting access had been gained prior to the ransomware being installed. User logs were also discovered that indicated programs or users may have been on the servers for a limited period of time prior to the ransomware being installed.

Fortunately, the encryption process was hampered by the anti-virus solution used by ABCD Pediatrics. ABCD Pediatrics, via its IT company, was able to isolate the affected servers and take them offline, limiting the effectiveness of the attack. ABCD was not able to determine with a high degree of certainty that data were not viewed or stolen, although no evidence was uncovered to suggest data were accessed or exfiltrated.

The types of information potentially compromised included patients’ names, addresses, telephone numbers, demographic information, dates of birth, Social Security numbers, insurance billing information, medical records, procedural codes and lab test results. To protect patients from identity theft and fraud, ABCD Pediatrics has offered 12 months of credit monitoring and identity theft protection services to affected individuals via Equifax Personal Solutions.

Fortunately, ABCD Pediatrics was able to restore all encrypted and corrupted data from a backup that was securely stored on a different system. No data were lost as a result of the attack and no ransom was paid. ABCD Pediatrics reports that no ransom demand was actually received from the attackers.

The ransomware attack occurred in spite of a host of security defenses that had been deployed. Those defenses included “network filtering and security monitoring, intrusion detection systems, firewalls, antivirus software, and password protection.”

The forensic investigation identified the source of the attack and additional security solutions have now been deployed to prevent future attacks, including state-of-the-art network cyber monitoring.

The incident shows that even with advanced cybersecurity solutions in place, ransomware attacks remain a threat. While it may not be possible to prevent all ransomware attacks, risk can be reduced to an acceptable level with cybersecurity solutions, and securely stored backups of data will ensure that ransom demands do not have to be paid.

A good backup policy to adopt is the 3-2-1 approach: keep three copies of the data, store two of them locally on two different media, and store one off site. The local media should be disconnected once a backup has been performed, so that ransomware running on the network cannot reach them.

Phishing Attack Potentially Impacts 80,000 Patients of Washington University School of Medicine

A phishing attack on the Washington University School of Medicine has resulted in a number of staff members’ email accounts being compromised.

Washington University School of Medicine learned of the phishing attack on January 24, 2017, more than seven weeks after the attack occurred. An investigation into the incident revealed the attack occurred on December 2, 2016.

Phishing emails use a variety of social engineering techniques to fool end users into revealing sensitive information such as usernames, passwords, or bank details. In this case, the phishing emails were used to obtain login credentials to staff members’ email accounts.

Email accounts contain a treasure trove of information. An investigation revealed the compromised accounts contained the protected health information of 80,270 patients. Data in the accounts included patients’ names, dates of birth, medical record numbers, clinical information, medical diagnoses and treatment information. Some patients’ Social Security numbers were also exposed as a result of the attack.

The investigation did not uncover any evidence to suggest any of the information in the accounts had been misused, although due to the length of time that the attackers potentially had access to the accounts, it is possible that information was accessed and stolen.

Washington University School of Medicine started notifying affected individuals of the exposure of their PHI on March 24, and the incident has been reported to law enforcement, which is conducting an investigation.

To prevent future incidents of this nature from occurring, Washington University School of Medicine will be re-educating staff members on existing protocols regarding phishing emails. Logon authentication processes and business practices will also be strengthened.

Preventing staff from responding to phishing emails is a major challenge. Cybersecurity training can be provided to employees, but as this incident shows, training is not always effective.

Organizations can greatly improve their resilience to phishing attacks by conducting dummy phishing attacks. Dummy phishing exercises highlight areas of weakness and allow healthcare organizations to identify which members of staff require further training. Research conducted by PhishMe shows that with practice, employees’ phishing identification skills can be significantly improved.

Patients’ PHI Accidentally Sent to Media Outlets by Mecklenburg County

A spreadsheet containing the protected health information of more than 1,200 patients has been accidentally sent to two media outlets by a worker at Mecklenburg County, NC.

The spreadsheet was emailed to the media outlets in response to a freedom of information request. That request was made following the discovery that 185 female patients had not been notified of abnormal Pap smear results. The spreadsheet had been created for state officials who were conducting an audit.

County officials discovered the HIPAA breach on Monday and immediately launched an investigation to determine how such an error could have been made. County officials are furious about the privacy breach. Commissioner Vilma Leake said she wanted “to fire everybody on the health department.” County Manager Dena Diorio said “I am absolutely speechless with anger about how something like this could happen.”

This is the second HIPAA breach in a month to be discovered by Mecklenburg County. WSOCTV said it had previously been sent information that contained the name of an individual that should not have been released. A request was received to return that information.

The latest mistake was allegedly made while a county worker was attempting to resolve the first privacy violation. County Commissioner Jim Puckett told WSOCTV Channel 9 “We had a relatively small problem that has escalated into a large one.”

The latest incident has prompted the County to implement new policies and procedures to prevent HIPAA breaches of this nature from occurring in the future.

Those policies will include prohibiting the inclusion of any protected health information in spreadsheets. ‘Gap measures’ have also been put in place to reduce the potential for a repeat HIPAA breach. Those measures include requiring two employees to sign off on any information released by the health department. A long-term solution is also being developed to ensure that public information requests are processed correctly without violating individuals’ privacy.

The Department of Health and Human Services’ Office for Civil Rights and affected patients will be notified of the privacy breach within the next 60 days, in accordance with HIPAA Rules.

Healthcare organizations should have policies in place to ensure responses to information requests are checked by multiple members of staff before they are released outside an organization.

All workers can make mistakes, but policies should be in place to prevent an error by a single employee from resulting in a HIPAA violation and, potentially, a significant HIPAA violation penalty. This incident shows how easily a HIPAA breach can occur if adequate checks are not conducted.

Estill County Chiropractic Patients Impacted by Ransomware Attack

On January 17, 2017, Irvine, KY-based Estill County Chiropractic discovered its computer system had been breached and files had been encrypted with ransomware by an unauthorized individual.

An external computer consultant was hired to conduct a thorough investigation of the incident to determine how the ransomware was installed and the extent of the attack.

While many ransomware infections occur as a result of an employee responding to a malicious spam email message, in this case, the attacker was discovered to have previously gained access to Estill County Chiropractic’s computer system. Access to the system was first gained on January 6, 2017, although the ransomware was not installed until January 17.

Due to the nature of the attack, it is possible the attacker gained access to the protected health information of patients and stole patient data. The information potentially accessed included patients’ names, addresses, phone numbers, email addresses, dates of birth, clinical information, Social Security numbers, medical diagnoses, provider notes, claims information and health plan identification numbers. The investigation did not uncover any evidence to suggest that patients’ PHI had been accessed or stolen, although the possibility could not be ruled out.

Estill County Chiropractic is currently notifying affected patients that their PHI has potentially been compromised. Patients have been told that cybersecurity protections were already in place, although in response to the attack the chiropractic center’s systems have been replaced and additional security measures have been deployed to prevent future attacks.

The breach report submitted to the Department of Health and Human Services’ Office for Civil Rights indicates 5,335 patients have been impacted by the attack. Estill County Chiropractic is offering all affected patients 12 months of credit monitoring services free of charge through Equifax Personal Solutions to protect them against fraud and identity theft. Patients have been advised to exercise caution and to be vigilant to the possibility that their PHI may have been used for nefarious purposes.

Former Employee Accused of Stealing PHI of up to 160,000 Med Center Health Patients

The Kentucky-based 6-hospital health system Med Center Health has reported a data breach affecting approximately 160,000 patients. Med Center Health believes a former employee may have stolen patients’ protected health information (PHI) prior to leaving employment.

The former employee has been accused of stealing PHI including names, addresses, health insurance information, Social Security numbers, procedure codes and billing information. Medical records were not compromised at any point.

The FBI has been notified and is also investigating along with other federal agencies. Med Center Health is in the process of notifying patients of the breach, although the process is expected to take a couple of weeks due to the number of individuals that have been impacted.

While the breach has only recently been announced, the data theft incidents date back to 2014 and 2015. The former employee is understood to have taken an encrypted CD and an encrypted portable storage device in August 2014 and February 2015. There was no legitimate work reason for ePHI to have been taken, although on both occasions the former employee claimed the data were needed for work-related duties.

The Bowling Green Daily News suggests Med Center Health discovered the breach several months ago, although notifications were delayed. A spokesperson for Med Center Health told Bowling Green Daily News “Med Center Health informed patients as expeditiously as possible. It is important to understand that the information leading Med Center Health to report the incident pursuant to HIPAA developed over time during an intensive internal investigation.”

Patients affected by the breach had received medical services at one of six Med Center Health facilities between 2011 and 2014: Cal Turner Rehab and Specialty Care, Medical Center EMS, the Commonwealth Regional Specialty Hospital, the Medical Center at Bowling Green, the Medical Center at Franklin and the Medical Center at Scottsville.

Patients impacted by the breach have been offered 12 months of credit monitoring and identity theft protection services without charge. Med Center Health has not uncovered any evidence to suggest that any of the stolen information was used to commit fraud, although the possibility cannot be ruled out.

Flowers Hospital Data Breach Lawsuit Awarded Class-Action Status

A lawsuit filed by five plaintiffs following a breach of protected health information at Flowers Hospital in 2013 has finally been awarded class-action status.

The lawsuit was filed against Triad of Alabama, the parent company of Flowers Hospital, in 2014. Triad of Alabama submitted motions to dismiss the lawsuit in 2014 and 2015, but the lawsuit survived.

In contrast to many healthcare data breach lawsuits that are filed following cyberattacks by hackers, this incident involved an insider. A phlebotomist employed at Flowers Hospital – Kamarian Millender – stole non-hospital records stored at the hospital. The information in those records was used to file fraudulent tax returns in the names of 124 individuals over two years.

Millender was arrested in 2014 and was found to be in possession of 54 patient records. Millender was subsequently charged with trafficking stolen identities and aggravated identity theft and pled guilty to stealing 73 identities for the purpose of filing fraudulent tax returns.

In total, prosecutors alleged tax returns totaling around $536,000 were submitted to the IRS, although most of those returns were stopped and just $18,915 in refunds were issued. Millender was sentenced to serve 2 years in prison after pleading guilty. Millender is not believed to have acted alone, but his suspected accomplice remains at large.

While there is no doubt that PHI was stolen and misused and losses were suffered as a direct result, there is some debate as to how many individuals have been impacted. Flowers Hospital sent breach notification letters to 1,208 patients after discovering five files were missing, each of which was understood to contain the records of around 100 to 150 patients.

While patients were notified that they were potentially affected, Flowers Hospital only sent the letters to all of those patients ‘out of an abundance of caution’. Not all of those individuals have necessarily had their information stolen and misused. The breach report submitted to OCR indicates 629 individuals were impacted by the breach.

Earlier this week, Chief United States District Judge W. Keith Watkins awarded class action status to the lawsuit, even though it was unclear how many individuals were impacted. The plaintiffs had not shown how many putative class members were affected, although it is probable that they will number in the hundreds. Judge Watkins said, “[Even if] the class is limited to the 73 victims identified in Millender’s plea agreement, the named plaintiffs have easily satisfied the numerosity requirement.”

Many data breach lawsuits ultimately fail as the plaintiffs are unable to demonstrate that losses have been suffered as a direct result of the theft or exposure of protected health information. In this case, the perpetrator was convicted and it is clear that at least some of the plaintiffs have suffered losses. How many of the class members will be able to demonstrate that harm has been suffered remains to be seen. The lawsuit alleges negligence, breach of contract, violation of the Fair Credit Reporting Act and an invasion of privacy, although the latter claims have now been dismissed.

It is possible that the Judge’s ruling may be challenged, so there are potential hurdles ahead. If the lawsuit survives a challenge it will move to the discovery phase. Flowers Hospital and Triad of Alabama have not yet announced their next course of action.
