HIPAA Breach News

Urology Austin Ransomware Attack Announced

Urology Austin has started notifying its patients that some of their protected health information may have been impacted in a recent ransomware attack. Potentially, the attackers gained access to names, addresses, dates of birth, medical information and the Social Security numbers of patients.

The attack occurred on January 22, 2017, although rapid detection of the incident limited the damage caused. Within minutes of the attack, the computer network was shut down to prevent the spread of the infection and potential access/exfiltration of PHI. However, even with the fast response, data stored on the organization’s servers were encrypted.

Ransomware often blindly encrypts data. The attacks are intended to cause major disruption to patient services to force an organization into paying a ransom demand to obtain a key to unlock the encryption. Data are not accessed or stolen by the attackers.

The risk of patients’ protected health information being accessed and misused after this type of attack is often low. In this case, the decision was taken to provide identity theft monitoring services to patients out of an abundance of caution “to help relieve concerns and restore confidence.” This is a commendable action by the urology center to ensure patients are protected in the event that data were accessed.

Urology Austin has also taken a number of steps to prevent similar incidents from occurring in the future. System backups have been updated to ensure fast recovery in the event of a further attack and network security has been improved.

The breach notice submitted to the California attorney general’s office provides an indication of how the ransomware attack occurred. Urology Austin said employees have been retrained regarding suspicious emails, patient privacy and security, suggesting the infection was the result of a member of staff responding to a malicious email – one of the most common methods attackers use to install ransomware.

The post Urology Austin Ransomware Attack Announced appeared first on HIPAA Journal.

UNC Health Care Reports Exposure of 1300 Prenatal Patients’ PHI

Prenatal patients who visited certain obstetric clinics operated by UNC Health Care are being notified that some of their protected health information has been disclosed to local health departments by mistake.

Pregnancy Home Risk Screening Forms of Medicaid-eligible patients are sent to local health departments to ensure those individuals are connected with appropriate support services. However, UNC Health Care has discovered that in addition to Medicaid-eligible patients, forms relating to patients who were not eligible for Medicaid were also sent to local health departments. In total, around 1,300 patients have been affected.

The privacy breach affects women who had prenatal appointments at the UNC Maternal-Fetal Medicine at Rex Hospital or the Women’s Clinic at the North Carolina Women’s Hospital between April 2014 and February 2017.

Pregnancy Home Risk Screening Forms contain patients’ names and addresses, race and ethnicity, Social Security numbers, health and mental health histories, details of patients’ HIV status, any sexually transmitted diseases contracted, medical diagnoses related to the pregnancy or past pregnancies, details of drug and alcohol use and whether the patients were smokers.

Patients whose privacy has been violated were informed of the breach by mail on March 20, 2017. Patients have been advised that the health departments that have been sent the information are covered by state and federal laws put in place to protect patient privacy. Those health departments must have appropriate administrative, technical and physical safeguards in place to protect all protected health information that is received and stored.

Consequently, the risk of any sensitive information being used inappropriately is believed to be low, although as a precaution, all individuals affected by the breach have been offered fraud resolution services in case any experience identity theft or fraud as a result of the incident.

To prevent future breaches of this nature from occurring, UNC Health Care has updated its policies and procedures covering patients who complete the Pregnancy Home Risk Screening Form and all staff members have been trained on the new procedures. In future, only forms completed by Medicaid-eligible individuals will be sent to county health departments.

UNC Health Care has requested all county health departments purge any information relating to non-Medicaid patients from their databases.


Snapshot of Healthcare Data Breaches in February 2017

The Protenus Breach Barometer healthcare data breach report for February includes some good news. Healthcare data breaches have not risen month on month, with both January and February seeing 31 data breaches reported.

The report offers some further good news. Healthcare hacking incidents fell in February, accounting for just 12% of the total number of breaches reported during the month. There was also a major fall in the number of healthcare records exposed or stolen. In January, 388,207 healthcare records were reported as being exposed or stolen. In February, the number fell to 206,151 – a 47% drop in exposed and stolen records. However, February was far from a good month for the healthcare industry.

IT security professionals have long been concerned about the threat from within, and last month clearly showed those fears are grounded in reality. February saw a major increase in the number of incidents caused by insiders. Insider breaches in February accounted for 58% of the total number of incidents reported for which the cause was known; double the number reported the previous month.

Insider wrongdoing was behind eight of the 18 incidents caused by insiders and nine were the result of errors by employees. One of the incidents could not be classified due to a lack of information about the exact nature of the breach.

Preventing insider breaches can be a major challenge for healthcare organizations, as can detecting breaches when they occur. Small to mid-sized organizations often do not have the resources to continuously monitor for inappropriate access to healthcare records by employees. However, if continuous monitoring is not possible, covered entities must ensure that regular audits of access logs take place. Fast detection of improper access can greatly reduce the harm that those incidents cause. Regular reviews of access logs will also reduce the risk of an OCR HIPAA fine or settlement.

HIPAA requires covered entities to maintain access logs and regularly check for inappropriate ePHI access, although the frequency of those checks and audits is left to the discretion of the covered entity. The frequency of audits should be dictated by the results of an organization’s risk analysis.

Last month showed that while some healthcare organizations are complying with 45 CFR § 164.308(a)(5)(ii)(C) – log-in monitoring – and 45 CFR § 164.312(b) – audit controls – and are keeping logs, they are failing on 45 CFR § 164.308(a)(1)(ii)(D) by not regularly conducting information system activity reviews.

One incident reported in February involved an employee improperly accessing ePHI for more than five years (2,103 days) before the improper access was detected. HIPAA Rules may not stipulate how frequently access logs should be checked, but it would be difficult to argue that a check every five years constituted ‘regular’.
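As an added example (not code from HIPAA Journal or any organization named on this page), the following Python script performs the kind of periodic information system activity review described above: it flags chart accesses with no documented care relationship and reports, per user, how long the pattern had been running by the review date. The audit-log layout, the relationship table and every user and patient identifier are constructed for the example.

```python
"""Periodic ePHI access-log review.

Added example; not code from HIPAA Journal or any organization named above.
It flags chart accesses that have no documented care relationship and
reports how long each user's pattern has been running at review time, so a
monthly review surfaces the problem in weeks rather than years.
Log layout, relationship table and all identifiers are constructed.
"""
from collections import defaultdict
from datetime import date, datetime

# Constructed sample EHR audit trail: one record per chart access.
# Fields: ISO timestamp, user id, patient id, action.
ACCESS_LOG = """\
2017-01-10T08:02:11,nurse17,P1001,VIEW
2017-01-10T08:15:40,nurse17,P1002,VIEW
2014-10-08T13:44:02,clerk04,P2001,VIEW
2015-03-19T17:30:12,clerk04,P2002,VIEW
2016-11-02T22:05:55,clerk04,P2003,VIEW
2017-01-16T09:12:33,clerk04,P1001,VIEW
2017-01-16T09:13:01,md02,P1001,VIEW
"""

# Constructed sample: patients each user has a documented treatment,
# payment or operations relationship with (encounters, assignments).
CARE_RELATIONSHIPS = {
    "nurse17": {"P1001", "P1002"},
    "md02": {"P1001"},
    "clerk04": set(),  # no patient assignments on record
}


def parse_log(text):
    """Parse the CSV audit trail into (timestamp, user, patient, action)."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, patient, action = line.split(",")
        rows.append((datetime.fromisoformat(ts), user, patient, action))
    return rows


def find_unrelated_access(rows, relationships):
    """Group accesses with no care relationship by user.

    Returns {user: {"patients": set, "first": datetime, "last": datetime}}.
    """
    flagged = defaultdict(lambda: {"patients": set(), "first": None, "last": None})
    for ts, user, patient, _action in rows:
        if patient in relationships.get(user, set()):
            continue  # access is explained by a documented relationship
        entry = flagged[user]
        entry["patients"].add(patient)
        if entry["first"] is None or ts < entry["first"]:
            entry["first"] = ts
        if entry["last"] is None or ts > entry["last"]:
            entry["last"] = ts
    return dict(flagged)


def review(log_text, relationships, review_date_iso):
    """Run the review for one period (review date as YYYY-MM-DD).

    Returns {user: (distinct patients accessed without a relationship,
                    days between the earliest such access and the review)}.
    """
    review_date = date.fromisoformat(review_date_iso)
    summary = find_unrelated_access(parse_log(log_text), relationships)
    return {
        user: (len(s["patients"]), (review_date - s["first"].date()).days)
        for user, s in summary.items()
    }


if __name__ == "__main__":
    for user, (n, days) in review(ACCESS_LOG, CARE_RELATIONSHIPS, "2017-01-16").items():
        print(f"{user}: {n} patients without a care relationship; "
              f"earliest such access {days} days before this review")
```

Run monthly, the same review would have flagged the constructed clerk04 pattern at its first unexplained access rather than after 831 days.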

That was not the only long delay in detecting a breach. A second incident was also reported in February that took more than five years to detect (1,952 days). In that case the incident involved a system glitch that left ePHI exposed.

Overall, the breaches and security incidents reported in February took far longer to identify than those reported in January. It took an average of 478 days from the date the incident occurred to the date OCR was notified of the breach; that said, the average time was increased considerably by the two 5-year+ delays in detection. In January, the average time from the initial event to reporting was 174 days.

Breaches of electronic protected health information made up the bulk of incidents, although a third of incidents involved paper records, highlighting the importance of implementing physical controls to keep physical PHI secured.

While California usually tops the list for the number of incidents reported each month, this month Texas earned the title of the worst hit state with 4 reported breaches. California, Arizona, and New York shared second place with three incidents apiece.

Healthcare providers were the worst affected in February, accounting for 77% of the month’s incidents. Health plans reported 13% of breaches and business associates and vendors accounted for 3%. The remaining 3% were reported by other organizations.


Back Up Drive Stolen: PHI of 1,291 Patients Exposed

The failure to encrypt backup data on a portable electronic device has resulted in the protected health information of 1,291 individuals being exposed.

The device was stolen from Local 693 Plumbers, Pipefitters & HVACR Technicians, a member of the United Association of Journeyman and Apprentices of the Plumbing and Pipefitting Industry of the United States and Canada. The backup device was discovered to be missing on January 23, 2017 following a break-in at Local 693 offices the day before.

An investigation revealed the device contained names, telephone numbers, addresses and Social Security numbers of current and former Plumbers & Pipefitters Local 693 Benefit Funds recipients and members of the Plumbers & Pipefitters Local 693 union.

The theft has been reported to law enforcement, the Vermont attorney general and the Department of Health and Human Services Office for Civil Rights. While the data on the device could potentially be accessed by unauthorized individuals, an independent information technology consultant who was retained to conduct an investigation believes the probability of data on the device being accessed and used inappropriately is “very low”.

To date, Local 693 has not received any reports to suggest data have been misused, although affected individuals have been advised to remain vigilant for abuse of their protected health information and identity theft.

This is the second incident to be reported to OCR in the past few days that has involved the theft of a device used to store backup data. Last week, Denton Heart Group discovered a backup device had been stolen from a locked facility. That incident resulted in 7 years of backup data being stolen.

These incidents show that even when physical devices are stored in secure locations, there is still potential for the devices to be stolen. However, by encrypting stored data, privacy breaches such as this can be prevented.

In response to this incident, Local 693 has taken the decision to switch to a more secure form of storage for backup data. Data will now be stored securely in the cloud and all backup data will now be encrypted.


Almost 18,000 Metropolitan Urology Patients Impacted by Ransomware Attack

Wauwatosa, WI-based Metropolitan Urology Group has recently discovered that a ransomware attack affecting two computer servers potentially resulted in the attackers gaining access to the protected health information of 17,634 patients.

The ransomware attack occurred on November 28, 2016, although it was initially unclear whether access to patients’ PHI had been gained by the attackers.

Metropolitan Urology Group contracted an international information technology company to perform a thorough analysis of the affected servers and its systems to determine the nature and extent of the attack.

On January 10, 2017, Metropolitan Urology Group was informed that patient data may have been accessed as a result of the infection. The firm was able to successfully remove the ransomware infection and restore the medical group’s systems.

Current patients are unaffected by the security breach. The data stored on the servers related to patients who had received medical services at the medical group’s facilities between 2003 and 2010.

The types of data that were potentially accessed include patients’ full names, procedural codes, dates of service, patient control numbers, patient account numbers and provider identification numbers. Only five of the 17,634 patients had their Social Security number stored on the servers.

When the ransomware was detected, the servers were promptly isolated and external access was blocked. The medical group said it has now implemented ‘the best firewall and secure email system’; its information technology vendor, Digicorp, and its employees have all undergone further training on information security; and a risk analysis is being performed to identify any further vulnerabilities in its IT systems to prevent future attacks. If any vulnerabilities are detected, rapid action will be taken to mitigate risk. Policies and procedures will also be updated to reflect technological changes that have been implemented in response to the attack.

All patients impacted by the incident have now been notified of the potential privacy breach by mail and have been offered 12 months of credit monitoring services without charge as a precaution against fraud and identity theft.


Snooping St. Charles Health System Employee Accessed Almost 2,500 Patient Records

The four-hospital St. Charles Health System in central Oregon has discovered an employee accessed the medical records of almost 2,500 patients without authorization over a period of 27 months from October 2014 to January 2017.

On January 16, 2017, the unnamed caregiver was discovered to have improperly accessed the medical records of a single patient, prompting a review of her ePHI access logs. That investigation revealed that this was far from a one-off incident. The improper access dated back to October 8, 2014. During that time, the caregiver was found to have accessed 2,459 patient files with no legitimate work reason for doing so.

When confronted about the improper access, the female employee said she had accessed the records out of curiosity with no malicious intent. The health system said it took ‘swift and appropriate action’ and the employee was disciplined, although it is unclear what the disciplinary action involved and whether the employee was terminated as a result of her actions.

The health system does not consider that the employee’s actions were criminal in nature, and a signed affidavit was obtained in which the employee stated she had not used or shared any information with others for the purpose of committing fraud, financial crimes or any other crimes against the patients concerned.

The incident has now been reported to the Department of Health and Human Services’ Office for Civil Rights and state regulators. Affected patients are being notified of the privacy breach by mail. All individuals affected by the breach have been offered credit monitoring and identity theft restoration services for 12 months as a precaution.

The information accessed by the employee included names, addresses, dates of birth, driver’s license numbers, health insurance information, diagnoses, medications prescribed, treatment information, and physician’s names.

A statement about the incident was issued by Nicole Hough, vice president of compliance at St. Charles Health System, saying “We want our patients and their families and the community to really understand how sorry we are for this situation and understand we took swift action and we are taking action to ensure this doesn’t happen again.”


Zest Dental Solutions Alerts Customers to Payment Card Information Breach

Carlsbad, CA-based Zest Dental Solutions has discovered that an unauthorized individual has gained access to its e-commerce system and has potentially stolen the credit card details of some of its customers.

A number of customers reported receiving unusual emails containing information related to past Zest Dental Solutions purchases. The complaints prompted an investigation and an external cybersecurity firm was brought in to conduct a thorough analysis of the company’s systems. On February 16, 2017, it was confirmed that the company’s e-commerce system had been breached.

That system contained credit card numbers, CVV codes, expiry dates, customers’ names, addresses, and phone numbers. Individuals affected by the security incident had previously made purchases through the website between December 13, 2013 and September 21, 2014 or between November 2, 2016 and February 4, 2017. The breach also impacts customers who purchased items prior to the company changing its name from Zest Anchors.

Since credit card details may have been stolen, affected individuals are at risk of experiencing credit card fraud and should take precautions to secure their accounts. Customers have been told to carefully monitor their credit card statements for any sign of fraudulent activity.

While affected individuals have not been offered credit monitoring services, they may be refunded any reasonable fraudulent charges that are not reimbursed by their credit card providers.

Website breaches are a major concern for any organization that operates an e-commerce website. It is essential that regular scans are performed to check for any potential malicious activity and that security measures are implemented to keep sites secure.

In response to the security breach, Zest Dental Solutions has improved security on its e-commerce site and will be switching to an alternative card payment processing system. Additional security controls have also been added to the site to better protect customers’ sensitive information in the future.


Lack of Email Encryption Exposes PHI of 644 Raising St. Louis Participants

644 participants of the Raising St. Louis program run by BJC HealthCare have been notified that some of their personally identifiable information has been exposed via email following the discovery that protocols for sending sensitive information securely were not followed.

No Social Security numbers, financial information, or test results/treatment data were communicated via unencrypted email, although names, addresses, telephone numbers, dates of birth, visit dates, nursing notes, medication and vaccination information could potentially have been intercepted and viewed by unauthorized individuals.

BJC HealthCare has established protocols for communicating sensitive information, although in January it was discovered that those protocols had not been used for communicating personally identifiable information of Raising St. Louis participants to program partners for a period of three years between January 17, 2014 and January 9, 2017. The correct protocol for emailing sensitive data has now been adopted and staff members have been re-educated and instructed to only send sensitive data via encrypted email.

An internal investigation did not uncover any evidence to suggest that emails had been intercepted or viewed by unauthorized individuals, although the possibility could not be ruled out.

HIPAA and Email Encryption

The HIPAA Security Rule does not prohibit the sending of ePHI via email, although any data sent via an open network must be appropriately secured and controls implemented to prevent unauthorized access (See 45 CFR § 164.312(e)).

Prior to ePHI being communicated via email, a covered entity must assess the available security controls that can be applied to safeguard the confidentiality, integrity, and availability of ePHI. An appropriate solution should be applied and the decision process behind the use of that solution should be documented.

HIPAA does not specify which protection must be used, although access controls for data in motion should comply with NIST Special Publications 800-52, Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations; 800-77, Guide to IPsec VPNs; or 800-113, Guide to SSL VPNs.


Unencrypted Backup Drive Containing 7 Years of PHI Stolen from Denton Heart Group

The danger of storing unencrypted protected health information has been highlighted by a recent security incident reported by Texas-based Denton Heart Group – a member of the Health Texas Provider Network.

A hard drive containing 7 years of EHR backup data was recently discovered to have been stolen. While the device was stored in a locked closet, the data on the device were not encrypted.

The backup files contained a treasure trove of patient data including names, addresses, phone numbers, dates of birth, Social Security numbers, driver’s license numbers, medical record numbers, insurance provider names and policy numbers, physicians’ names, clinic account numbers, medical diagnoses, lab test results, medications and other clinical data. The backups were made between 2009 and 2016.

The theft was discovered by the medical group on January 11, 2017 although the device was believed to have been stolen on or around December 29, 2017.

All eligible individuals affected by the incident will be offered credit monitoring and identity theft protection services through Experian, although no reports of misuse of the stored data have been received.

To prevent future incidents, Denton Heart Group is re-evaluating the security of computer devices used by its clinics, although it is unclear whether the theft will prompt the medical group to encrypt its backups in the future.

20% of Healthcare Organizations Do Not Use Encryption

Two reports were published last month that showed how the healthcare industry in the United States lags behind other industry sectors when it comes to data encryption.

The 2017 Thales Data Threat Report for the Healthcare Industry indicates only 65% of healthcare organizations in the United States encrypt backup data stored in the cloud. A study by HyTrust indicates 25% of healthcare organizations are using cloud services but are not encrypting cloud data.

Even though healthcare organizations are increasing security budgets, the industry still has one of the lowest data encryption adoption rates. Last year, Sophos conducted a survey that showed only 31% of healthcare organizations were extensively using encryption to protect sensitive data – the lowest percentage of all industries surveyed. Encryption was used to some degree by a further 49% of healthcare organizations, although 20% of surveyed organizations were not using encryption at all. Only the retail sector scored lower, with 23% of retailers opting not to use encryption.

The lack of encryption leaves healthcare organizations particularly vulnerable to data breaches. According to OCR figures, since January 1, 2014, there have been 182 hacking incidents reported. Those incidents resulted in the theft/exposure of 125,994,157 healthcare records. There have also been 249 cases of lost or stolen equipment containing PHI. Those incidents impacted 8,902,225 individuals.

Given the extent to which healthcare organizations are now being targeted by cybercriminals and the huge numbers of healthcare records exposed or stolen as a result of hacks and lost and stolen devices, any healthcare organization that is not encrypting PHI is taking a huge risk.
