HIPAA Breach News

Email Account Compromised: 1,200 MultiCare Patients’ ePHI Exposed

The Tacoma, WA-based MultiCare Health System has announced that the email account of one of its employees has been compromised by a hacker following a successful phishing attack.

The five-hospital health system issued a statement yesterday about the email security breach confirming patients’ protected health information had been compromised. It is unclear when access to the email account was first gained, although the email security breach was discovered by MultiCare Health on November 27, 2016.

An investigation into the breach was immediately launched and rapid action was taken to secure the health system’s email accounts, including resetting passwords on all email accounts. The investigation determined that only one email account had been compromised.

An analysis of the email account revealed that emails contained the ePHI of 1,200 former and current patients. Data potentially accessed by the attacker included patients’ names, addresses, dates of birth, genders, dates of service, account balances, and diagnosis and treatment information. MultiCare has confirmed that the compromised email account contained no Social Security numbers or financial information.

Patients are in the process of being notified of the security breach by mail and have been advised to check their Explanation of Benefits statements and to report any irregularities. To date, MultiCare has not received any reports of misuse of patients’ information.

Phishing attacks on healthcare organizations are to be expected. It is therefore essential for healthcare organizations to make employees aware of the risk of phishing and how to identify potential phishing attacks. Phishing simulation exercises are highly effective at reinforcing training and can greatly improve detection of phishing emails. Healthcare organizations should also set up a system of reporting potential phishing emails. Fast detection can help to prevent other employees from falling for the scams.

To counter the threat and prevent similar incidents from occurring in the future, MultiCare Health is reinforcing the education and training of its employees and will be providing staff members with additional training on phishing email detection. A review of security practices and procedures and ePHI safeguards has also been scheduled.

The post Email Account Compromised: 1,200 MultiCare Patients’ ePHI Exposed appeared first on HIPAA Journal.

Hospital Employee Discovered to Have Improperly Accessed 6,200 Patient Records

Covenant HealthCare has notified more than 6,000 patients that their electronic medical records were inappropriately accessed by one of its employees. Individuals affected by the privacy breach had previously received medical services at a Covenant HealthCare facility in Saginaw, Michigan.

The improper access was discovered during a November 2016 audit of EMR access logs. The audit revealed an unusual pattern of medical record access by a single employee. Covenant HealthCare immediately ordered a full review of ePHI access by the employee to determine which medical records had been accessed and whether there was any legitimate reason for those records to have been viewed.

The review revealed that the Covenant HealthCare employee first started improperly accessing its electronic medical record system on February 1, 2016. The improper access continued for nine months, until November 21, 2016, and involved 6,197 patients. A range of data were potentially viewed, including patients’ names, dates of birth, home addresses, health insurance information, diagnostic and treatment information, medical record numbers, Social Security numbers and driver’s license numbers.

Covenant HealthCare spokesperson Kristin Knoll said in a statement that an investigation into the HIPAA breach was immediately launched and resulted in termination of the employee. Knoll also confirmed that the breach has been reported to all appropriate agencies.

Affected patients have now been notified of the breach by mail; the notifications were delayed because Covenant required two months to complete its investigation.

No reports of misuse of patients’ information have been received to date by Covenant HealthCare. All patients who have had their Social Security numbers viewed will be offered free credit monitoring and protection services to mitigate risk.

To prevent future breaches of this nature, Covenant HealthCare has increased ongoing training on patient privacy. Audits of ePHI access logs will also be conducted more frequently to ensure that any future inappropriate access is identified promptly.
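The kind of access-log audit that surfaced this pattern, written up as an added example (not Covenant HealthCare’s own tooling): the log format, user names and the user-to-patient assignment table are constructed, and the script flags users who view far more distinct records than their peers as well as accesses with no documented care relationship.

```python
"""Audit EMR access logs for unusual per-user access patterns.
Added example, not Covenant HealthCare's tooling; the log format and the
user-to-patient assignment table are constructed for illustration."""
import csv
import io
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample log: timestamp,user,patient_id,action
SAMPLE_LOG = """\
2016-02-01T08:12:00,nurse_a,P1001,view
2016-02-01T08:40:00,nurse_a,P1002,view
2016-02-01T09:05:00,nurse_a,P1003,view
2016-02-01T09:30:00,nurse_a,P1004,view
2016-02-01T08:20:00,clerk_b,P1001,view
2016-02-01T11:00:00,clerk_b,P1002,view
2016-02-02T08:15:00,doc_c,P1003,view
2016-02-02T09:00:00,doc_c,P1001,view
2016-11-21T17:45:00,nurse_a,P1099,view
"""
# Constructed treatment relationships: patients each user is assigned to.
ASSIGNMENTS = {"nurse_a": {"P1001", "P1002"},
               "clerk_b": {"P1001", "P1002"},
               "doc_c": {"P1001", "P1003"}}


def parse_log(text):
    """Parse CSV access log lines into records with parsed timestamps."""
    records = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 4:
            continue  # skip blank or malformed lines
        ts, user, patient, action = row
        records.append({"ts": datetime.fromisoformat(ts), "user": user,
                        "patient": patient, "action": action})
    return records


def audit(records, assignments, ratio=2.0):
    """Per-user findings: distinct patients viewed, a volume flag when that
    count exceeds ratio x the median user, accesses to patients the user is
    not assigned to, and the span in days between first and last access."""
    per_user = defaultdict(lambda: {"patients": set(), "unassigned": 0,
                                    "first": None, "last": None})
    for r in records:
        u = per_user[r["user"]]
        u["patients"].add(r["patient"])
        if r["patient"] not in assignments.get(r["user"], set()):
            u["unassigned"] += 1  # no documented care relationship
        u["first"] = r["ts"] if u["first"] is None else min(u["first"], r["ts"])
        u["last"] = r["ts"] if u["last"] is None else max(u["last"], r["ts"])
    if not per_user:
        return {}
    median = statistics.median(len(u["patients"]) for u in per_user.values())
    return {user: {"distinct_patients": len(u["patients"]),
                   "volume_flag": len(u["patients"]) > ratio * median,
                   "unassigned": u["unassigned"],
                   "span_days": (u["last"] - u["first"]).days}
            for user, u in per_user.items()}


if __name__ == "__main__":
    for user, finding in audit(parse_log(SAMPLE_LOG), ASSIGNMENTS).items():
        print(user, finding)
```

In practice the assignment table would come from scheduling or encounter data, and the volume baseline should be computed per role rather than across all users.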


Mailing Error Sees 1,126 Letters Sent to Patients’ Previous Addresses

A ‘software glitch’ has resulted in billing statements and other communications sent by TriHealth of Cincinnati being sent to patients’ former addresses. The privacy breach was discovered in November 2016, and impacts 1,126 TriHealth patients.

The glitch caused current addresses to be substituted with former addresses. In some cases, mail may have been forwarded on to the correct address, although TriHealth was unable to determine whether this was the case. Letters have now been mailed to the correct addresses and affected patients have been notified of the error by mail.

The error affected mailings of billing statements, appointment reminder letters, and other correspondence between November 15, 2015 and January 12, 2017, when the error was discovered. Individuals affected by the error had all mailings directed to wrong addresses between those dates.

The types of protected health information contained in the mailings varied from patient to patient. PHI that was potentially exposed was limited to patients’ names, visit dates, descriptions of medical service provided, places of service, financial charges, details of payments and adjustments, account balances, due payments, and details of appointments.

No insurance numbers, Social Security numbers, credit/debit card information or financial institution information was printed in any of the misdirected letters.

TriHealth has not received any reports to suggest any of the information contained in the letters has been misused in any way. Since the privacy breach only involved a limited amount of data, and the risk of misuse is believed to be low, affected individuals have not been offered credit monitoring or identity theft protection services. They have been advised that they are entitled to obtain a free annual credit report from credit reporting companies and can check for suspicious credit activity.

The software error has now been fixed and affected patients have had their addresses corrected in TriHealth’s computer system.


South Carolina Hospital Reports Loss of Camera Containing Babies’ PHI

Roper St. Francis Mount Pleasant Hospital in South Carolina has discovered that a digital camera used to take photographs of newborn babies has been lost and potentially stolen.

As recommended by the National Center for Missing and Exploited Children, photographs of newborn babies are taken by hospital staff for security reasons. In the event that a baby goes missing, the digital images can be used for identification purposes. According to hospital spokesperson Andy Lyons, the camera was stored in a secure location in the hospital not accessible by the general public.

Following the discovery that the camera was missing, an extensive search of the hospital was conducted, although the missing camera has not yet been located.

The camera stored images on a memory card which was in the device when it went missing. The memory card is believed to contain the images of approximately 500 babies born at the hospital between November 2015 and November 2016. Stored with the photos were physicians’ names, the birthdate of each baby, and the babies’ names.

Parents of the babies are being notified of the privacy breach in accordance with Health Insurance Portability and Accountability Act Rules and a HIPAA breach notice has been sent to the Department of Health and Human Services’ Office for Civil Rights. Roper St. Francis Mount Pleasant Hospital has not received any reports to suggest any of the data stored on the device have been used inappropriately.

According to a statement released by the hospital, action has been taken to prevent similar incidents from occurring in the future. Staff members have been provided with additional training on the importance of safeguarding patient information and additional measures have been implemented to protect cameras used by the hospital. The hospital has also strengthened its policies and procedures covering the use, disclosure, and storage of patient information.


ePHI Improperly Accessed, Copied, and Lost by Employee

The protected health information of 600 individuals who received treatment for mental health disorders and/or substance abuse at a Baltimore treatment center has potentially been compromised.

On November 28, 2016, Complete Wellness discovered that highly confidential information had been accessed and copied onto a flash drive without authorization. Even though the treatment center was able to identify the individual responsible, it was not possible to recover the drive as the device was allegedly lost by the employee.

While no reports of misuse of the information contained on the device have been received by Complete Wellness, the possibility remains that the drive has been found and patient data accessed.

Data stored on the device included patients’ names, phone numbers, home addresses, email addresses, ages and dates of birth, languages spoken, ethnicity, race, marital statuses, the names of primary care physicians, emergency contact information, level of education, employer information, hurricane victim status, living situation, arrest history, military service information, and whether individuals had any hearing or vision difficulties. Social Security numbers of patients were also downloaded to the device. Patients affected by the breach had previously received treatment from Leslie Duff CRNP or Durwood Whitten, PhD.

Complete Wellness has since implemented a number of security measures to prevent future privacy breaches from occurring. Those measures include adopting technology that enables sensitive data to be sent securely rather than being transported on portable devices. Encryption technology has been implemented and additional privacy training provided to all administrative and clinical staff members. A review of policies and procedures has been conducted and updates made to prevent similar incidents from occurring in the future.

Ongoing discussions have taken place with company leadership to address the security incident and prevent a recurrence. Complete Wellness has also confirmed that the employee was terminated as a result of the incident.


Theft of Unencrypted Laptop Exposes Wonderful Health & Wellness Patients’ ePHI

Los Angeles-based Wonderful Health and Wellness has notified patients that their electronic protected health information (ePHI) was exposed in early December 2016, when an unencrypted laptop computer was stolen from the company’s Wonderful Center for Health Innovation.

Staff at the Center discovered the laptop computer was missing on December 12 when they returned to work after the weekend, with the theft having occurred at some point between December 9 and 12. The theft was immediately reported to law enforcement, although the device has not been recovered.

The laptop contained a range of protected health information including patients’ names along with their home addresses, telephone numbers, dates of birth, email addresses, clinical account numbers, medical conditions, treatment information, treatment dates, and test results. No Social Security numbers or financial information were stored on the device.

While the laptop computer was not encrypted, software had been installed that allows data on the device to be remotely deleted, although only when the laptop connects to the Internet. Wonderful Health and Wellness has programmed the software to delete all sensitive data on the device the next time it connects.

Patients were notified of the potential ePHI breach on January 18, 2017. At that point, there was no indication that any of the data on the device had been accessed or used inappropriately.

Wonderful Health and Wellness has conducted a review of its strategy for storing and transmitting medical information and additional safeguards have already been implemented to better secure patients’ medical information and prevent future breaches of this nature from occurring.

The incident has yet to appear on the Department of Health and Human Services’ Office for Civil Rights breach portal, so it is currently unclear how many patients have been impacted by the incident.


Court of Appeal Rules Horizon BCBS Class Action Has Standing Without Evidence of ID Theft

The United States Court of Appeals for the Third Circuit has ruled that a class action lawsuit filed by customers of Horizon Blue Cross Blue Shield whose protected health information was exposed when two laptop computers were stolen from its New Jersey offices does have standing, even without proof of harm. The case had previously been dismissed by U.S. District Judge Claire Cecchi.

The incident which led to the lawsuit occurred between November 1 and 3, 2013. Two unencrypted laptop computers containing the personal information of 839,000 plan members were stolen from Horizon BCBS’s headquarters in Newark, NJ. Stored on the laptops were names, addresses, birth dates, Social Security numbers, medical histories, demographic data, lab test results, insurance information, and other care-related data.

Four plaintiffs – Courtney Diana, Karen Pekelney, Mark Meisel, and Mitchell Rindner – are named on the lawsuit, which was filed on behalf of themselves and other customers whose personal information was exposed.

The complainants maintain that the laptop computers were targeted by thieves who realized the value of data contained on the devices, rather than the computers being stolen for resale for their hardware value.

The plaintiffs claim that the disclosure, although accidental, placed them at “imminent, immediate, and continuing increased risk of harm from identity theft, identity fraud, and medical fraud, requiring them to take the time and effort to mitigate the actual and potential impact of the Data Breach on their lives.”

The plaintiffs allege Horizon BCBS wilfully and negligently violated the Fair Credit Reporting Act (FCRA) – in addition to a number of state laws – by failing to adequately protect their personal information. The plaintiffs claim that the unauthorized transfer of personal information was a violation of FCRA and that the transfer, in itself, constitutes a cognizable injury.

The District Court dismissed the lawsuit under Federal Rule of Civil Procedure 12(b)(1) claiming a lack of Article III standing. However, the court of appeals judges ruled that even without evidence of misuse of the plaintiffs’ personal information, the case has standing.

According to U.S. Circuit Judge Kent Jordan, who wrote for the three-judge panel, “In light of the congressional decision to create a remedy for the unauthorized transfer of personal information, a violation of FCRA gives rise to an injury sufficient for Article III standing purposes.” Judge Jordan explained, “the alleged disclosure of their personal information created a de facto injury. Accordingly, all of the Plaintiffs suffered a cognizable injury, and the Complaint should not have been dismissed under Rule 12(b)(1).”


CoPilot Provider Support Services Alerts 220,000 Patients to Historic ePHI Incident

An unauthorized individual has accessed and downloaded the highly sensitive information of approximately 220,000 osteoarthritis patients from a website database maintained by CoPilot Provider Support Services.

The website is used by physicians to determine whether ORTHOVISC® and MONOVISC® injections are covered by patients’ health insurance. The information entered via the website is added to a database maintained by CoPilot. That database was downloaded by an unauthorized individual, although according to a breach notice issued by CoPilot, the database was not accessible to the general public at any point.

While not explicitly stated in the breach notice, the wording suggests that the individual responsible for the breach was a former employee. CoPilot believes it identified the person responsible, and details of its investigation were passed to law enforcement. CoPilot reports that the law enforcement investigation confirmed CoPilot’s conclusions to be correct.

While it is possible that data were accessed and downloaded with malicious intent, CoPilot does not believe the information was downloaded in order to commit fraud. This also points to an employee rather than a hacker.

The data downloaded was limited to names, genders, addresses, phone numbers, and medical insurance card information, although some individuals’ Social Security numbers were also copied.

Individuals impacted by the breach have been offered credit and identity monitoring services via Kroll for 12 months to protect them against fraudulent use of their information, although CoPilot has told patients it has no reason to believe that any of the downloaded information was misused, nor that it will be disclosed to other individuals.

The security incident came to light when CoPilot started to receive complaints claiming information uploaded to the website could be downloaded. An investigation was immediately initiated and a cybersecurity firm was retained to conduct a forensic investigation.

CoPilot issued a press release on January 18, 2017 announcing the security incident, notified the California Department of Justice on January 19, 2017, and started informing patients on or around the same date.

However, the timing of the breach notices is peculiar. CoPilot discovered the potential breach on December 23, 2015, yet it has taken over a year from discovery of the breach for breach notifications to be issued. CoPilot’s investigation revealed patient data were improperly downloaded in October 2015.

Under the Health Insurance Portability and Accountability Act’s Breach Notification Rule, HIPAA-covered entities are required to issue data breach notifications to patients, the Office for Civil Rights, and the media within 60 days of the discovery of a breach.

Failure to comply with the Breach Notification Rule can result in financial penalties. OCR has recently agreed to settle potential HIPAA Breach Notification Rule violations with Presence Health after breach notifications to patients were delayed. Presence Health was required to pay OCR $475,000 for exceeding the Breach Notification Rule time limit by a month.

The Office for Civil Rights investigates all breaches that impact more than 500 individuals to determine whether HIPAA Rules have been violated. Given the recent enforcement activity, action may well be taken against CoPilot for the delayed notifications.

While patients impacted by the incident have only just been notified, prompt action was taken by CoPilot to improve security after the breach was discovered. Those measures included “enhanced verification, enhanced encryption and implementing increased security audit activity.”


Hacking Group Attempts to Extort Funds from Cancer Services Provider

TheDarkOverlord has struck again; this time the victim was a small Indiana cancer charity. The attack occurred on January 11 and was accompanied by a 50 Bitcoin ($43,000) ransom demand. Little Red Door Cancer Services of East Central Indiana was threatened with the publication of confidential data if the ransom was not paid.

The charitable organization provides a range of services to help victims of cancer live normal lives during treatment, recovery, and at end of life. Little Red Door provides an invaluable service to cancer patients in East Central Indiana, with its limited funds carefully spent to provide the maximum benefit to cancer patients and their families.

The payment of a $43,000 ransom would have had a significant impact on the good work the organization does, and would have taken funding away from the people who need it most. Little Red Door followed the advice of the FBI and refused to pay.

Little Red Door spokesperson, Aimee Fant, issued a statement saying the organization “will not pay a ransom when all funds raised must instead go to serving families, all stage cancer clients, late stage care/hospice support and preventative screenings.”

The ransom demand was first sent by text message to the organization’s executives, its vice president and president, on their personal cell phones. The demand and threats were then followed up by email. The ransom demand was later reduced to around $12,000, although payment will still not be made. The stolen data included documents pertaining to grants, donors, employees, and the organization’s operations.

In addition to threatening to publish the data, TheDarkOverlord allegedly also issued a threat to contact the families of cancer patients, as well as the organization’s partners and donors.

Previous attacks by TheDarkOverlord have involved data theft. This time around, data were stolen and the company’s database and physical backups were wiped. Fortunately, patient diagnoses and other client information were on paper files.

Little Red Door has a cloud storage backup containing most of its data. Systems and databases will be rebuilt and data reconstructed. The cancer agency expects its IT systems to be back up and running by the end of this week. After recovery, Little Red Door will fully transition to a cloud-based system.

Little Red Door has received assistance from a number of organizations. A spokesperson for the organization said it “extends its immense gratitude to all who have helped in its efforts to gain control of the ransom attack and sincerely apologizes for any inconvenience and distress experienced on account of this act of cyberterrorism.”
