HIPAA Breach News

Protenus Releases 2016 Healthcare Data Breach Report

Protenus, in conjunction with Databreaches.net, has published its 2016 healthcare data breach report, summarizing the hacks and mishaps that have resulted in patient and health plan members’ protected health information being exposed or stolen.

Fortunately, 2016 did not see the mega data breaches of 2015, although it was far from a good year. More than 27 million healthcare records were exposed or stolen in 2016 across 450 reported data breaches. The total number of breached records is down year on year, but the total number of incidents has increased, making 2016 the worst year for healthcare industry breaches since records first started being kept.

The Protenus 2016 healthcare data breach report includes data breaches that have already been reported to the Department of Health and Human Services’ Office for Civil Rights, in addition to those that have been disclosed to the media but not yet uploaded to the OCR breach portal.

In total, there were 27,314,647 individuals affected by healthcare data breaches in 2016, with detailed information available for 380 of the 450 incidents. More than one healthcare data breach was reported every single day, on average, in 2016.

Data breaches fluctuated throughout 2016, with no clear trend emerging. The worst months of the year – in terms of the number of records breached – were June and August. In June, 10,880,605 healthcare records were exposed or stolen. 9,096,515 records were breached in August.

The worst months of 2016 for reported data breaches were November (58 incidents), April, and August (45 incidents). January saw the fewest breaches, with 21 incidents reported. January also saw the lowest number of healthcare records exposed, with 104,056 individuals impacted.

Breaches of a million or more records were relatively rare. The largest breach of the year, at Banner Health, exposed 3.62 million records.

The 2016 healthcare data breach report shows the majority of security breaches in 2016 involved insiders. Protenus classified insider breaches as those involving accidents caused by human error, data theft by healthcare workers, and snooping on medical records. 43% of the data breaches in 2016 involved insiders, compared to 26.8% of incidents which involved hacking, malware or ransomware.

There were 99 accidental data breaches and 91 breaches caused by insider wrongdoing. Breaches caused by insider wrongdoing tended to involve fewer records than accidental breaches: on average, accidental data breaches exposed three times as many records.

2016 saw an explosion in ransomware attacks with the healthcare industry heavily targeted. The healthcare data breach report indicates only 30 ransomware attacks were reported in 2016. The true figure may be considerably higher. Healthcare organizations are only required to report ransomware attacks if there was a reasonable probability that ePHI was compromised. Covered entities also have up to 60 days to report healthcare data breaches, so a final total for the year will not be available until March 1, 2017. 2016 also saw a rise in other extortion attempts, with hackers gaining access to healthcare data and demanding ransoms not to publish the information.

Hacking may not have been the biggest cause of healthcare data breaches in 2016, but hackers certainly obtained the most records. 120 hacking incidents were included in the report, although the number of records stolen in those attacks was only known for 99 incidents. Even so, the total number of records obtained by hackers was 87% of the annual total – 23,695,069 records.

Healthcare providers were the worst hit in 2016 accounting for 80% of the total breach count. Health plans were second with 10% of attacks, followed by business associate breaches which accounted for 6.3% of the total. 4% of breaches affected other entities.

The report shows healthcare organizations are slow to detect breaches. The report indicates the average time to discover data breaches was 233 days, although insider breaches took considerably longer. Cases of insider wrongdoing took an average of 607 days to discover that ePHI had been breached. Protenus reports the average time from the breach to reporting the incident to HHS was 344 days.

The post Protenus Releases 2016 Healthcare Data Breach Report appeared first on HIPAA Journal.

$2.2 Million Settlement for Impermissible Disclosure of ePHI

The U.S. Department of Health and Human Services’ Office for Civil Rights has agreed to a $2.2 million settlement with MAPFRE Life Insurance Company of Puerto Rico, a subsidiary of MAPFRE S.A. of Spain, to resolve potential noncompliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

The settlement relates to the impermissible disclosure of the electronic protected health information of 2,209 patients in 2011. On September 29, 2011, a portable USB storage device (pen drive) was left overnight in the IT Department from where it was stolen. The device contained a range of patients’ ePHI, including full names, Social Security numbers and dates of birth. The device was not protected by a password and data on the device were not encrypted.

MAPFRE reported the device theft to OCR, which launched an investigation to determine whether HIPAA Rules had been violated, as is customary with all breaches of ePHI that impact more than 500 individuals.

Multiple Areas of Noncompliance with HIPAA Rules Discovered

During the course of the investigation, OCR discovered numerous HIPAA noncompliance issues:

45 C.F.R. 164.502(a) – Impermissible disclosure of the ePHI of 2,209 individuals.

45 C.F.R. 164.308(a)(1)(i) – A failure to conduct a comprehensive risk assessment to evaluate risks and vulnerabilities to the confidentiality, integrity and availability of ePHI, and a failure to implement measures to reduce those risks to a reasonable and appropriate level.

45 C.F.R. 164.308(a)(5)(i) – A failure to implement a security awareness training program for all members of the workforce.

45 C.F.R. 164.312(a)(2)(iv) – A failure to implement data encryption or an equivalent measure to safeguard the ePHI stored on portable storage devices.

45 C.F.R. 164.316(a) – A failure to implement reasonable and appropriate policies and procedures to safeguard ePHI and to comply with the standards and implementation specifications of the HIPAA Security Rule.

Additionally, the corrective measures MAPFRE said it would undertake following the submission of a breach report to OCR on August 5, 2011 were delayed. MAPFRE did not start encrypting data on laptop computers and portable storage devices until September 1, 2014.

OCR considered the financial position of MAPFRE along with the number and severity of HIPAA violations when determining the resolution amount. In addition to paying OCR $2,204,182, MAPFRE is required to adopt a corrective action plan to address all areas of noncompliance.

HIPAA and Data Encryption

HIPAA does not flatly require covered entities to encrypt ePHI on portable devices. Encryption is an addressable implementation specification, not a required one. Addressable does not mean optional, however. Covered entities must conduct a thorough risk assessment to identify potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI, and must implement encryption if it is reasonable and appropriate. If the entity concludes that encryption is not reasonable and appropriate, it must document why and implement an equivalent alternative measure that achieves the same protection. An unencrypted pen drive with Social Security numbers left in an office overnight, with no documented rationale and no compensating control, satisfies neither branch.

Recent HIPAA Settlements

OCR has stepped up its enforcement of HIPAA Rules in recent years, with more settlements agreed in 2016 than in any other year to date. Last year, 12 healthcare organizations settled potential HIPAA violations with OCR, and one civil monetary penalty (CMP) was imposed.

MAPFRE is the second HIPAA-covered entity to settle potential HIPAA violations with OCR in 2017. Last week, OCR announced a $475,000 settlement with Presence Health for violations of the HIPAA Breach Notification Rule.

The post $2.2 Million Settlement for Impermissible Disclosure of ePHI appeared first on HIPAA Journal.

Potential ePHI Breach Impacts 3,600 Children’s Hospital Los Angeles Patients

3,600 patients of Children’s Hospital Los Angeles (CHLA) and Children’s Hospital Los Angeles Medical Group (CHLAMG) are being notified of a potential breach of their electronic protected health information following the theft of a password-protected laptop computer that may not have been encrypted.

The laptop was stolen from the locked vehicle of a CHLAMG employee who practices at CHLA. The theft is understood to have occurred on October 18, 2016.

CHLAMG encrypts its laptop computers, and while the investigation into the breach initially indicated the laptop had been encrypted to institutional standards, on December 21, 2016, CHLA determined that there was a possibility that the device had not been encrypted.

Typically, laptops are stolen for the resale value of the hardware, not for the data stored on them. The device is wiped, the operating system is reinstalled, and it is sold on.

While that cannot be confirmed in this instance, CHLA investigators were able to determine that the laptop has not been used to connect to the Internet since it was stolen, which CHLA takes as an indication that the device was wiped and that the ePHI is no longer accessible.

A CHLA spokesperson said its IT security systems allow data on laptop computers to be remotely and securely erased. That protocol has been activated, and data on the device will be wiped should it be used to connect to the Internet. Remote erasure of this kind only executes if the device comes online, however; an unencrypted drive can be removed and read offline without ever triggering it, which is why full-disk encryption rather than remote wipe is the control that determines whether a stolen laptop is a reportable breach. No evidence has been uncovered to suggest data have been accessed or used inappropriately. CHLA is continuing to work with law enforcement, although to date the laptop has not been recovered.

The data stored on the device included children’s names, addresses, medical record numbers, birthdates, and limited clinical information.

Parents of affected children have been notified of the potential ePHI breach out of an abundance of caution. They have been advised to check Explanation of Benefits statements for medical services that have not been received.

CHLA will be enhancing its encryption levels on all laptop computers used by its physicians to prevent future data breaches of this nature from occurring.

The post Potential ePHI Breach Impacts 3,600 Children’s Hospital Los Angeles Patients appeared first on HIPAA Journal.

Sentara Healthcare Informs 5,454 Patients of ePHI Breach

Sentara Healthcare is notifying 5,454 patients that some of their electronic protected health information has been accessed by an unauthorized individual.

It is unclear when the cybersecurity incident occurred, although law enforcement informed Sentara Healthcare of the security breach on November 17, 2016.

Sentara Healthcare launched an investigation into the potential data breach in November and determined that the cybersecurity incident was experienced by one of its third party vendors.

Sentara has not disclosed which vendor was attacked, nor whether the incident was an internal breach involving one of the vendor’s employees or if patient data were accessed by a hacker.

The data breach affects vascular and thoracic patients who received medical services at Sentara Healthcare’s Virginia hospitals between 2012 and 2015.

Patients have been notified of the data breach by mail and have been told that highly sensitive protected health information was inappropriately accessed. The information viewed – and potentially copied – by an unauthorized third party includes patients’ names, Social Security numbers, dates of birth, medical record numbers, demographic information, medications prescribed, and details of procedures that were performed at Sentara Healthcare hospitals.

Sentara Healthcare’s Information Security Team is working closely with its vendor and is assisting law enforcement with its criminal investigation. The data breach investigation is ongoing.

Sentara Healthcare has told patients that it continually assesses and strengthens its policies, procedures, and cybersecurity defenses to ensure that patient data is appropriately protected at all times. Patients have been told that those processes will continue and that the third party vendor concerned will be implementing additional controls to enhance its security defenses to prevent similar incidents from occurring in the future.

All patients impacted by the data breach have been offered 12 months of complimentary credit monitoring and identity theft protection services through Experian’s ConsumerInfo.com, Inc., and will receive in-depth assistance if their ePHI is discovered to have been used inappropriately.

The post Sentara Healthcare Informs 5,454 Patients of ePHI Breach appeared first on HIPAA Journal.

Highmark BCBS of Delaware Investigates Data Breach Affecting 19,000 Individuals

Highmark BlueCross BlueShield of Delaware is investigating a breach of 19,000 beneficiaries of employer-paid health plans. The data breach involves two subcontractors of Highmark BCBS – Summit Reinsurance Services and BCS Financial Corporation.

Karen Kane, Highmark BCBS director of privacy and information management, issued a statement saying 16 current and former Highmark self-insured customers have been impacted.

Affected individuals have now been notified of the breach by mail. The breach notification letters were sent by Summit Reinsurance Services (SummitRe). In the letters, consumers were informed that some of their highly sensitive protected health information had potentially been accessed by unauthorized individuals.

A ransomware infection was discovered by SummitRe on August 5, 2016, although a forensic analysis of the cyberattack revealed that access to Summit’s systems was first gained on March 12, 2016. SummitRe stated in the letters that the forensic investigation into the breach is ongoing, although no direct evidence has been uncovered to suggest that any ePHI stored on the affected server has been used inappropriately.

The types of data that could potentially have been accessed include names, Social Security numbers, details of health insurance, providers’ names, medical records relating to insurance claims – including medical diagnoses, and some clinical information.

Patients affected by the breach have been offered a year of credit monitoring and identity restoration services to protect them against identity theft and fraud.

Details of the nature of the cyberattack are being kept under wraps for the time being while the investigation continues. One of the questions that is likely to be asked is what happened during the five months between the initial intrusion and the ransomware infection.

Attackers are known to deploy ransomware only once they no longer need access to the compromised systems, often after all valuable information has already been obtained. In this case, it is unclear whether any data were exfiltrated during those five months.

SummitRe has been criticized for the letter sent to affected individuals, as it was not abundantly clear who the company was. Affected individuals would have been unlikely to have any dealings with the company in the past as insurance plans were provided through their employers.

Trinidad Navarro, Insurance Commissioner for the State of Delaware, said the letter “appears as if it is A) an ad, or B) a scam.” Navarro also said, “Unfortunately, we fear that many may have misinterpreted or inadvertently discarded the letter.”

One of the data breach notification letters was provided to NBC 10 reporters by an affected patient. The letter was dated January 4, 2017. It is unclear why it took five months from discovery of the ransomware infection for patients to be notified of the breach, almost 10 months after the server was first inappropriately accessed.

HIPAA Breach Notification Rule Requirements for Notifying Individuals of Data Breaches

The HIPAA Breach Notification Rule requires covered entities to notify individuals of a breach of unsecured PHI without unreasonable delay and in no case later than 60 days from discovery of the breach. Last week, the Department of Health and Human Services’ Office for Civil Rights sent a strong message to covered entities about the importance of timely breach notifications. Presence Health of Illinois agreed to settle potential violations of the HIPAA Breach Notification Rule after OCR investigators became aware that it had delayed breach notifications for about three months following a 2013 security incident affecting 836 individuals. Presence Health will pay OCR $475,000 as part of the settlement.

The post Highmark BCBS of Delaware Investigates Data Breach Affecting 19,000 Individuals appeared first on HIPAA Journal.

Brandywine Pediatrics Alerts 27,000 to Potential ePHI Breach

Wilmington, DE-based healthcare provider Brandywine Pediatrics, P.A. has informed around 27,000 of its patients that some of their protected health information has potentially been accessed by an unknown individual. The security breach involved a computer virus discovered on one of the organization’s file servers.

While it has not been explicitly stated that the virus was ransomware, Brandywine Pediatrics has informed patients that the virus rendered ePHI inaccessible. In order to regain access to files it was necessary to restore files from data backups.

The virus infection was discovered on October 25, 2016, sparking a full investigation. A third-party computer forensics expert was contracted to conduct an investigation. That investigation revealed that a number of practice files containing ePHI had potentially been accessed. Sensitive data in the files included names, addresses, medical information, and health insurance details of patients. Brandywine Pediatrics has confirmed that Social Security numbers, credit card/debit card numbers and financial data were not accessed or exposed at any point.

While data access was possible, no evidence was uncovered to suggest that files had actually been copied by the attacker, and no reports of unauthorized use or misuse have been received as of December 23.

Breach notification letters were mailed to affected patients in late December. At the time, it was unclear exactly how many individuals had been impacted by the breach as this was not stated in the breach notice. The security incident has now been added to the Department of Health and Human Services’ Office for Civil Rights Breach portal. The breach summary indicates 26,873 patients were affected.

Brandywine Pediatrics has advised patients how they can minimize risk and action has been taken to prevent similar malware and ransomware infections in the future. Policies and procedures have been reviewed and updated, and Brandywine Pediatrics is reviewing the security of its systems and improvements will be made, as appropriate.

The post Brandywine Pediatrics Alerts 27,000 to Potential ePHI Breach appeared first on HIPAA Journal.

OCR HIPAA Enforcement: Summary of 2016 HIPAA Settlements

The Department of Health and Human Services’ Office for Civil Rights has stepped up its enforcement activities in recent years, and 2016 HIPAA settlements were at record levels. In total, payments of $22,855,300 were made to OCR in 2016 to resolve alleged HIPAA violations. Seven settlements were in excess of $1,500,000.

In 2016, OCR settled alleged HIPAA violations with 12 healthcare organizations. Last year also saw an Administrative Law Judge rule that civil monetary penalties previously imposed on a covered entity – Lincare Inc. – by OCR were lawful, bringing the total to thirteen for 2016. Lincare was only the second healthcare organization required to pay a civil monetary penalty for violations of the Health Insurance Portability and Accountability Act. All other organizations opted to settle with OCR voluntarily.

Financial penalties are not always appropriate. OCR prefers to settle potential HIPAA violations using non-punitive measures. Financial penalties are reserved for the most severe violations of HIPAA Rules, when widespread non-compliance is discovered, or in cases where healthcare organizations have blatantly disregarded HIPAA Rules.

While large-scale breaches of PHI may warrant financial penalties and will have an impact on the final settlement amount, OCR has also resorted to financial penalties when relatively few individuals have been impacted. 2016 saw two settlements with organizations for breaches that impacted fewer than 500 individuals – New York Presbyterian Hospital and Catholic Health Care Services of the Archdiocese of Philadelphia – and one civil monetary penalty, Lincare Inc.

A summary of 2016 HIPAA settlements with the Office for Civil Rights is detailed in the table below:

Summary of 2016 HIPAA Settlements

Covered Entity | Date | Amount | Breach that triggered OCR investigation | Individuals impacted
University of Massachusetts Amherst (UMass) | November 2016 | $650,000 | Malware infection | 1,670
St. Joseph Health | October 2016 | $2,140,500 | PHI made available through search engines | 31,800
Care New England Health System | September 2016 | $400,000 | Loss of two unencrypted backup tapes | 14,000
Advocate Health Care Network | August 2016 | $5,550,000 | Theft of desktop computers, loss of laptop, improper access of data at business associate | 3,994,175 (combined total of three separate breaches)
University of Mississippi Medical Center | July 2016 | $2,750,000 | Unprotected network drive | 10,000
Oregon Health & Science University | July 2016 | $2,700,000 | Loss of unencrypted laptop / Storage on cloud server without BAA | 4,361 (combined total of two breaches)
Catholic Health Care Services of the Archdiocese of Philadelphia | June 2016 | $650,000 | Theft of mobile device | 412 (combined total)
New York Presbyterian Hospital | April 2016 | $2,200,000 | Filming of patients by TV crew | Unconfirmed
Raleigh Orthopaedic Clinic, P.A. of North Carolina | April 2016 | $750,000 | Improper disclosure to business associate | 17,300
Feinstein Institute for Medical Research | March 2016 | $3,900,000 | Improper disclosure of research participants’ PHI | 13,000
North Memorial Health Care of Minnesota | March 2016 | $1,550,000 | Theft of laptop computer / Improper disclosure to business associate (discovered during investigation) | 299,401
Complete P.T., Pool & Land Physical Therapy, Inc. | February 2016 | $25,000 | Improper disclosure of PHI (website testimonials) | Unconfirmed
Lincare, Inc. | February 2016* | $239,800 | Improper disclosure (unprotected documents) | 278

*Civil monetary penalty confirmed as lawful by an administrative law judge

The largest HIPAA settlement of 2016 –  and the largest HIPAA settlement ever agreed with a single covered entity – was announced in August. OCR agreed to settle potential HIPAA violations with Advocate Health Care Network for $5.5 million.

The previous largest HIPAA settlement was agreed jointly with New York-Presbyterian Hospital and Columbia University after PHI was accidentally indexed by search engines. The two entities were required to pay OCR a total of $4.8 million, with $3.3 million paid by New York-Presbyterian Hospital and the remainder by Columbia University. The previous largest financial penalty for a single entity was the $4.3 million civil monetary penalty imposed on Cignet Health for denying 41 patients access to their health records.

2017 has started with an early settlement with Presence Health. The $475,000 settlement was solely based on delayed breach notifications – The first time that a settlement has been agreed solely for a HIPAA Breach Notification Rule violation.

Looking forward into 2017 and beyond, the future of HIPAA enforcement activities is unclear. The new administration may cut funding for OCR which would likely have an impact on HIPAA enforcement.

This year will see the completion of the long-delayed second round of HIPAA compliance audits, although it is unlikely that a permanent audit program will commence this year.

Last year, Jocelyn Samuels said OCR will remain “laser-focused on breaches occurring at health care entities,” and that OCR is committed to “maintain an effective enforcement program that addresses industry-wide noncompliance and provides corrective action to protect the greatest number of individuals.”

However, Jocelyn Samuels will be standing down as head of OCR, and it is currently unclear who will take her place. While there are a number of suitable candidates for the position, incoming president Trump has a great deal on his plate, and the appointment of an OCR director is likely to be relatively low on the to-do list. When a new OCR director is appointed, we may find that he or she has different priorities for OCR’s budget.

What we can expect to see in 2017 is a continuation of enforcement actions that have already commenced. HIPAA breach investigations take time to conduct, and settlements take even longer. The 2016 HIPAA settlements stem from breaches that were reported and investigated in 2012-2013. The dramatic increase in data breaches in 2014, and the HIPAA violations that caused those breaches, may well make 2017 another record-breaking year for HIPAA settlements.

The post OCR HIPAA Enforcement: Summary of 2016 HIPAA Settlements appeared first on HIPAA Journal.

Atmore Community Hospital Employee Inappropriately Accessed 1,000 Patient Records

A routine audit of PHI access logs has revealed that a former employee of Atmore Community Hospital in Alabama accessed the electronic health information of approximately 1,000 patients without authorization over a period of 13 months.

The audit was conducted by Infirmary Management Services, Inc, which manages the hospital. The privacy violations were discovered to have occurred between October 3, 2015 and November 11, 2016.

Fortunately, the information accessed was limited: no financial information, Social Security numbers or full medical records were viewed, although the individual did view patients’ names, admission dates, and hospital flowsheets. The employee had been granted access to these records in order to perform work duties, but despite having received training on HIPAA Rules and hospital policies covering patient privacy, the individual viewed patients’ protected health information when there was no legitimate work reason for doing so.

The access is believed to have occurred out of curiosity and no information is thought to have been copied or distributed to any other individuals. Upon discovery of the privacy breach, the employee was placed on immediate leave and was later terminated.

Due to the limited information that was accessed, patients are not believed to face an elevated risk of identity theft and fraud. All affected individuals have been notified of the breach by mail in accordance with Health Insurance Portability and Accountability Act Rules and have been instructed to monitor their finances and statements and to be vigilant for any sign of identity theft and fraud.

Each year there are many instances of healthcare employees violating patient privacy out of curiosity. All too often, these privacy violations are only identified many months after the inappropriate access began. While it is not possible to eliminate the risk of privacy violations of this kind entirely, healthcare providers can ensure that inappropriate PHI access is identified promptly by regularly auditing data access logs and comparing each access against a documented reason for it, such as a care-team assignment or an admission the employee was working on.
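The audit described above, as an added example that is not part of the HIPAA Journal article or any hospital's own tooling: EHR audit-log lines are checked against a care-team roster, and any user with a run of accesses that no documented relationship explains is reported along with how long the pattern went unnoticed. The log format, the roster, the user and MRN identifiers and the alert threshold are all constructed here for illustration; real EHR audit logs and assignment feeds have their own formats and would be read from the systems of record rather than embedded in the script.

```python
"""
Added example (not from the article or any vendor): a minimal EHR access-log
audit that flags workforce members who open patient charts without a
documented care relationship, the snooping pattern in the Atmore case.
All identifiers, log lines, roster entries and the threshold are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log: timestamp, user, patient MRN, action.
SAMPLE_LOG = """\
2016-10-03T08:12:00 jdoe MRN1001 VIEW_FLOWSHEET
2016-10-03T08:15:00 jdoe MRN1002 VIEW_DEMOGRAPHICS
2016-10-04T09:01:00 asmith MRN1001 VIEW_FLOWSHEET
2016-10-10T13:40:00 jdoe MRN1003 VIEW_DEMOGRAPHICS
2016-11-02T07:55:00 jdoe MRN1004 VIEW_FLOWSHEET
2016-11-11T16:20:00 jdoe MRN1005 VIEW_FLOWSHEET
2016-11-11T16:25:00 asmith MRN1006 VIEW_FLOWSHEET
"""

# Constructed care-team roster: (user, MRN) -> inclusive date window in which
# the user had a treatment or work reason to open that chart. In practice this
# comes from the ADT/assignment system, never from the EHR audit log itself,
# otherwise the log would be judging itself.
CARE_TEAM = {
    ("jdoe", "MRN1001"): ("2016-10-01", "2016-10-05"),
    ("asmith", "MRN1001"): ("2016-10-01", "2016-10-31"),
    ("asmith", "MRN1006"): ("2016-11-01", "2016-11-30"),
}


def parse_log(text):
    """Turn the whitespace-separated sample lines into (datetime, user, mrn, action)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, mrn, action = line.split()
        events.append((datetime.fromisoformat(ts), user, mrn, action))
    return events


def has_relationship(user, mrn, when, roster=CARE_TEAM):
    """True if the roster documents a reason for `user` to open `mrn` at `when`."""
    window = roster.get((user, mrn))
    if window is None:
        return False
    start = datetime.fromisoformat(window[0])
    end = datetime.fromisoformat(window[1]) + timedelta(days=1)  # inclusive end date
    return start <= when < end


def audit(text, roster=CARE_TEAM, threshold=3):
    """Return {user: report} for users with at least `threshold` unexplained accesses.

    Each report carries the count, the distinct patients, the first and last
    unexplained access and the span in days, so a reviewer sees not only that
    snooping happened but how long it ran before anyone looked.
    """
    unexplained = defaultdict(list)
    for when, user, mrn, action in parse_log(text):
        if not has_relationship(user, mrn, when, roster):
            unexplained[user].append((when, mrn, action))

    findings = {}
    for user, hits in unexplained.items():
        if len(hits) < threshold:
            continue  # a stray access is usually a typo'd MRN, not a pattern
        hits.sort()
        first, last = hits[0][0], hits[-1][0]
        findings[user] = {
            "count": len(hits),
            "patients": sorted({mrn for _, mrn, _ in hits}),
            "first": first,
            "last": last,
            "span_days": (last - first).days,
        }
    return findings


if __name__ == "__main__":
    for user, report in audit(SAMPLE_LOG).items():
        print(f"{user}: {report['count']} unexplained accesses to "
              f"{len(report['patients'])} patients over {report['span_days']} days "
              f"({report['first'].date()} to {report['last'].date()})")
```

Run on the constructed log, the script reports jdoe with four unexplained chart views across a 39-day span and nothing for asmith, whose two accesses both fall inside a roster window. The point of the threshold and the span is operational: a single unexplained access is usually a mistyped MRN, but several over weeks is exactly the curiosity-driven pattern the Atmore audit found, and running this comparison monthly instead of annually is what turns a 13-month exposure into a one-month one.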

The post Atmore Community Hospital Employee Inappropriately Accessed 1,000 Patient Records appeared first on HIPAA Journal.

Cosmetic Surgery Center Reports Ransomware Infection: 11,400 Patients Impacted

Another healthcare provider has announced that a ransomware infection has resulted in patients’ protected health information being encrypted, and potentially accessed, by cybercriminals.

The Susan M. Hughes Center, a provider of aesthetic medicine and cosmetic surgery services in New Jersey and Philadelphia, discovered ransomware had been installed on its computer system on August 30, 2016.

A computer server was attacked and infected which resulted in files containing patients’ names, telephone numbers, dates of service, payment amounts, and details of services provided being encrypted. The breach report submitted to the Department of Health and Human Services’ Office for Civil Rights indicates 11,400 patients have been impacted.

Upon discovery of the incident, passwords were reset and action was taken to isolate the affected server. Fortunately, the center was able to switch to a backup system while the infection was resolved. According to the substitute breach notice posted on the company website, an investigation into the attack was immediately launched and an external cybersecurity firm was hired to conduct a forensic investigation.

While PHI may have been accessed by the attackers, the cosmetic surgery center has not received any reports to suggest any PHI has been used inappropriately.

Under OCR’s 2016 ransomware guidance, a ransomware infection that encrypts ePHI is presumed to be a reportable breach unless the covered entity can demonstrate a low probability that the PHI has been compromised. Where that cannot be shown, affected patients must be notified and OCR must be informed. If the breach impacts more than 500 individuals, the media must also be notified, and a substitute breach notice must be posted on the entity’s website when up-to-date contact details are unavailable for 10 or more of the affected individuals.

As with other breaches of PHI, the HIPAA Breach Notification Rule allows covered entities up to 60 days from discovery to notify OCR and to inform patients of a ransomware attack that has compromised their PHI.

Yet in this instance, patients were not notified of the attack until December 27, 2016, almost four months after it was discovered. The Office for Civil Rights was notified of the incident on the same day. It is unclear why notifications were delayed for so long.

The Office for Civil Rights had not previously taken action against healthcare organizations solely for delaying breach notifications, but yesterday OCR announced a settlement with Presence Health of Illinois for failing to issue breach notifications within the 60-day Breach Notification Rule reporting period. In Presence Health’s case, notifications were issued around 100 days after the breach was discovered. Presence Health agreed to settle the potential HIPAA violations for $475,000.

The post Cosmetic Surgery Center Reports Ransomware Infection: 11,400 Patients Impacted appeared first on HIPAA Journal.