HIPAA Breach News

Patient Posts PHI of New Hampshire State Psychiatric Hospital Patients Online

New Hampshire Department of Health and Human Services has alerted approximately 15,000 patients to a breach of some of their personal and highly sensitive information. Patient data were accessed by a former patient in October 2015 and were posted on a social media website.

The data accessed and posted online by the former patient included names and addresses along with Medicaid ID numbers and Social Security numbers. The patient gained access to the data on a laptop computer located in the hospital library. Patients are permitted to use the library and the computers, although access to patients’ protected health information should not have been possible.

At the time of the breach, a staff member observed the patient accessing ‘non-confidential’ hospital data. The incident was reported to a supervisor and steps were taken to restrict access to the library computers. At the time, it was not known that sensitive data had been accessed. While a supervisor was alerted to the incident, the matter was not escalated, and neither New Hampshire Hospital nor the New Hampshire Department of Health and Human Services (NH-DHHS) was informed.

However, ten months later in August 2016, a security official at the hospital alerted NH-DHHS that the former patient may have posted NH-DHHS data on a social media website. An investigation into the incident was launched and the Department of Information Technology was notified. The matter was also reported to State Police and state officials. However, according to the breach notice published by NH-DHHS on December 27, “An investigation at that time did not reveal any evidence that confidential personal or personal health information had been breached.”

Three months later, on November 4, 2016, hospital security notified NH-DHHS that the patient had posted some protected health information to a social media site that day. Within 24 hours of NH-DHHS being informed of the breach, the PHI was removed from the site and a criminal investigation was launched. NH-DHHS says the patients impacted by the breach had received services at New Hampshire Hospital prior to November 2015, although no evidence has been uncovered to suggest any PHI has been misused.

NH-DHHS Commissioner Jeffrey A. Meyers issued a statement saying the breach was “an isolated incident stemming from unauthorized access in October 2015 as described above and is not the result of an external attack.”

He also confirmed that all state departments are investigating the incident and efforts are being made to strengthen state cybersecurity policies and procedures to better protect patient health data from attacks from hackers, as well as accidental disclosures as a result of human error.

The post Patient Posts PHI of New Hampshire State Psychiatric Hospital Patients Online appeared first on HIPAA Journal.

UCLA Medical Center Investigates Potential Breach of Kanye West’s Medical Records

UCLA Health Medical Center in Los Angeles is conducting an internal investigation into a potential HIPAA breach that occurred around Thanksgiving weekend.

On November 21, 2016, Kanye West checked in to the hospital and stayed for 8 days. During his stay at the hospital, a number of nurses and other medical staff allegedly accessed his medical records without authorization. It would appear that the employees could not resist the temptation to snoop on his medical records.

The unauthorized viewing of celebrities’ medical records is a problem for hospitals, in particular medical facilities in Los Angeles and New York. In recent years, there have been a number of incidents of the privacy of celebrities being violated by curious hospital employees. Numerous employees have been found to have accessed the records of celebrities out of personal curiosity, although in many cases, inside information has been sold to gossip websites and tabloids.

A former employee of UCLA Medical Center pleaded guilty to accessing and selling the medical records of Farrah Fawcett and Britney Spears to the National Enquirer in 2008, although an investigation into celebrity health record breaches at the time revealed that more than 120 workers had improperly accessed the celebrities’ health records.

Under Health Insurance Portability and Accountability Act Rules, HIPAA-covered entities should maintain access logs so that improper accessing of PHI can be identified. UCLA Medical Center logs access attempts and can check those logs to determine which staff members viewed a particular patient’s health records and whether there was any legitimate reason for the access.

If improper access is determined to have occurred, employees will be disciplined accordingly. All too often, improper access results in termination.

While UCLA Medical Center has not confirmed whether any employees have been terminated as a result of accessing Kanye West’s medical records, some online sources claim that dozens of staff at the hospital are facing disciplinary action and that several staff members have already been fired.


Increase in Ransomware and Cyberattacks Linked to Fall in Price of Health Data

The value of health records on the black market dropped substantially in 2016. A set of health records is now reportedly attracting a price of between $1.50 and $10, according to a recent report from TrapX. Back in 2012, the value of a complete set of health records was around $50 to $60.

The fall in price is easy to explain. Last year saw more than 113 million healthcare records breached, according to figures from the Department of Health and Human Services’ Office for Civil Rights. The vast majority of those records are in the hands of cybercriminals. Supply is now outstripping demand and just like any commodity, that results in a dramatic fall in prices.

Stealing medical records is now much less profitable which means cybercriminals have to recoup their losses from somewhere. That does not mean the healthcare industry is likely to be attacked less. Instead the fall in price is likely to lead to even more attacks. In order to make the same level of profit, more records need to be stolen and sold on.

The fall in the price of healthcare records has also prompted cybercriminals to change their tactics and look for new ways to make money. Many have opted for ransomware. Ransomware offers cybercriminals a quick and easy source of cash. Ransoms are typically paid within 7 days of the malicious software being installed on healthcare networks. It is also relatively easy to bypass healthcare organizations’ defenses to install ransomware. Given the quick source of cash, the ease of attacks, and the high likelihood of payment, it is no surprise that ransomware has proven so popular.

It is difficult to calculate exactly how many healthcare organizations were attacked with ransomware in 2016, as not all incidents are reported. However, hacking incidents affecting more than 500 individuals must be reported to OCR, so those figures are known.

TrapX calculated that major healthcare data breaches increased by 63% in 2016 (January 1 to December 12, 2016) compared to 2015. TrapX classed any breach of more than 500 records as ‘major’ and only included hacking incidents. In 2015, 57 major healthcare data breaches were reported to the Office for Civil Rights, whereas in 2016 there have been 90 reported breaches and the year is not over yet.

Since healthcare organizations have 60 days from the date of discovery of a breach to issue a report to OCR, the final figures for 2016 will not be known until March 1, 2017. The end of year total is certain to be considerably higher than 90 breaches.

The healthcare industry has responded to the rise in attacks by committing more funds to cybersecurity defenses. Employees are being trained on security best practices and overall awareness of security risks such as phishing has increased. Even so, many healthcare organizations are still falling victim to ransomware attacks and hacking incidents continue to rise.

TrapX, along with many security experts, predicts the use of ransomware will continue and attacks on healthcare organizations will increase in 2017. Hacking incidents are also likely to rise, with TrapX predicting attacks on medical devices will significantly increase in 2017.

2017, it would seem, is set to be yet another difficult year for the healthcare industry.


Fairbanks Hospital Alerts Patients to Potential 3-Year Internal HIPAA Breach

Fairbanks Hospital in Indianapolis, IN, has discovered that the electronic health information of its patients could have been accessed by all of its employees for a period of at least three years.

Protections had been put in place to prevent unauthorized accessing of electronic health records by staff members, but on October 18, 2016, the hospital became aware that some files had been stored on an internal network that lacked those protections and could be accessed by all employees, even those who were unauthorized to view patients’ electronic information.

Following the discovery, an independent forensics expert was called in to determine the nature and scope of the problem. That individual was able to determine that the files were accessible since November 2013, and potentially longer. It was not possible to say whether the files were accessible before that date.

Attempts were made to determine whether the files had been accessed by employees during the time that they were unprotected, but access logs were not kept, so it was not possible to determine whether any unauthorized individuals had viewed the information in the files.
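The contrast between the UCLA Medical Center item above, where access logs let investigators identify which staff viewed a particular patient’s chart, and the Fairbanks case, where no logs existed, is the whole argument for keeping an audit trail. The following is an added example, not code from HIPAA Journal or from either hospital: it runs a treatment-relationship check over a handful of constructed EHR audit-log lines in an assumed format (timestamp, user, patient, action) and flags every access by a user who is not on the patient’s care team. The log format, user names, patient IDs and the CARE_TEAM table are all constructed for the example.

```python
import re
from collections import Counter

# Constructed sample audit-log lines (format and contents invented for the example).
SAMPLE_LOG = """\
2016-11-22T09:10:00Z user=rn.adams patient=P-1001 action=VIEW_CHART
2016-11-22T09:12:30Z user=dr.baker patient=P-1001 action=VIEW_CHART
2016-11-22T13:45:10Z user=rn.chen patient=P-1001 action=VIEW_CHART
2016-11-22T13:46:02Z user=rn.chen patient=P-1001 action=VIEW_NOTES
2016-11-22T22:05:41Z user=clerk.diaz patient=P-1001 action=VIEW_CHART
2016-11-23T08:00:00Z user=rn.adams patient=P-1002 action=VIEW_CHART
"""

# Constructed treatment relationships, the kind of data that would come from
# unit assignments or scheduling: who has a legitimate reason to open each chart.
CARE_TEAM = {
    "P-1001": {"rn.adams", "dr.baker"},
    "P-1002": {"rn.adams"},
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) patient=(?P<patient>\S+) action=(?P<action>\S+)$"
)


def parse_line(line):
    """Turn one audit line into a dict; refuse to silently skip malformed input."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable audit line: {line!r}")
    return m.groupdict()


def parse_log(log_text):
    return [parse_line(l) for l in log_text.splitlines() if l.strip()]


def accesses_for_patient(log_text, patient_id):
    """Every access event against one patient's record (the UCLA-style lookup)."""
    return [e for e in parse_log(log_text) if e["patient"] == patient_id]


def unexplained_accesses(log_text, care_team):
    """Events where the user has no recorded treatment relationship with the patient."""
    return [e for e in parse_log(log_text)
            if e["user"] not in care_team.get(e["patient"], set())]


def suspects_by_user(flagged):
    """Collapse flagged events to one (user, patient, count) row, sorted for review."""
    counts = Counter((e["user"], e["patient"]) for e in flagged)
    return sorted((user, patient, n) for (user, patient), n in counts.items())


if __name__ == "__main__":
    for user, patient, n in suspects_by_user(unexplained_accesses(SAMPLE_LOG, CARE_TEAM)):
        print(f"{user} opened {patient} {n} time(s) without a treatment relationship")
```

Flagged rows are leads for a privacy officer, not verdicts: a float nurse or a consult can be legitimate and absent from the assignment table, which is why the output is grouped per user and patient for human review rather than acted on automatically. Without the log in the first place, as at Fairbanks, none of this is possible.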

The majority of patients impacted by the incident only had their name and a very limited amount of information exposed to unauthorized staff members. In such cases, the information that could have been accessed included admission dates and appointment scheduling information.

However, in some cases, Social Security numbers, dates of birth, addresses, telephone numbers, patient ID numbers, treatment information, medical diagnoses, and health insurance information could have been accessed.

Fairbanks Hospital is in the process of informing patients of the potential privacy breach by mail and is providing them with further information on the steps that can be taken to protect against identity theft and fraud. Credit monitoring and identity theft protection services do not appear to have been offered.

Patients have been encouraged to “remain vigilant against incidents of identity theft and fraud, to review your account statements, and to monitor your credit reports and explanation of benefits forms for suspicious activity.” They have also been told “this also includes reviewing account statements, medical bills, and health insurance statements regularly to ensure that no one has submitted fraudulent medical claims using your name and address.” However, no reports of unauthorized use or misuse of the information have been received to date.

The incident has been reported to appropriate state and federal bodies, including the Department of Health and Human Services’ Office for Civil Rights. It is unclear at this stage exactly how many patients have potentially been impacted.


Website Glitch Exposes Personal Information of KP Members

Kaiser Permanente is alerting certain members to the potential disclosure of a limited amount of their personal information to other KP members after a glitch was discovered in the company’s online ‘Estimates’ tool.

On November 16, 2016, Kaiser Permanente updated the Estimates tool on the kp.org website; however, an error occurred during the update that potentially resulted in members’ names, addresses, ages, copay information, deductible payments from 2016, and out-of-pocket expenses from 2016 being displayed to another user of the tool.

Individuals potentially affected by the error visited the website and used the tool from the date that the update was applied until November 28, 2016 when the error was discovered and corrected.

Kaiser Permanente has informed affected patients that there was only a small chance that their information was viewed by another person. At no point were Social Security numbers, claims information, or banking details exposed.

The error did not result in the mass disclosure of PHI to other members. In each case, an individual who used the tool may have had their data displayed to the next person who used the tool.

Kaiser Permanente conducts extensive testing of its online systems following any upgrade. Members have now been notified of the incident by mail and told “there is always the rare chance that an error can go undetected until an update is live.”
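The page does not say what the defect in the Estimates tool was, only that one member’s data could be shown to the next person who used it. One common way a web application acquires exactly that behaviour after an update is a server-side result cache keyed on something shared between users (a plan code, a ZIP code) rather than on the user. The following is an added illustration written for this page, not Kaiser Permanente’s code: a hypothetical handler with a process-wide cache, in its leaking form and its corrected form, plus the kind of ownership check that post-upgrade testing can use to catch the regression. Member records, plan codes and the handler itself are all constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Member:
    member_id: str
    name: str
    plan: str
    deductible_paid_2016: float


# Constructed member records standing in for the plan's back-end data.
MEMBERS = {
    "M-100": Member("M-100", "Alice Example", "GOLD", 350.00),
    "M-200": Member("M-200", "Bob Example", "GOLD", 1200.00),
}


def compute_estimate(member):
    # A personalised result: plan-level figures mixed with the member's own data.
    return {
        "member_id": member.member_id,
        "name": member.name,
        "plan": member.plan,
        "deductible_paid_2016": member.deductible_paid_2016,
    }


class EstimatesTool:
    """Hypothetical server-side handler with a process-wide result cache."""

    def __init__(self, key_fn):
        self._key_fn = key_fn
        self._cache = {}  # shared by every request served by this process

    def handle_request(self, member_id):
        member = MEMBERS[member_id]
        key = self._key_fn(member)
        if key not in self._cache:
            self._cache[key] = compute_estimate(member)
        return self._cache[key]


def vulnerable_tool():
    # Cache keyed on the plan alone: the first GOLD member's personalised
    # result is handed to every later GOLD member who uses the tool.
    return EstimatesTool(key_fn=lambda m: m.plan)


def fixed_tool():
    # Cache keyed on the member as well, so an entry can never be served to
    # anyone but the member it was computed for.
    return EstimatesTool(key_fn=lambda m: (m.member_id, m.plan))


def response_belongs_to(response, member_id):
    """Release-gate check: the body returned must belong to the requesting member."""
    return response["member_id"] == member_id


def leaks_between_members(tool):
    """Simulate two members using the tool one after the other."""
    tool.handle_request("M-100")
    second = tool.handle_request("M-200")
    return not response_belongs_to(second, "M-200")


if __name__ == "__main__":
    print("vulnerable leaks:", leaks_between_members(vulnerable_tool()))
    print("fixed leaks:     ", leaks_between_members(fixed_tool()))
```

A stronger fix than widening the cache key is to cache only the plan-level tables and never a response that contains member-identifying fields; the ownership check above is cheap enough to run on every response in a staging environment, where it would have tripped on the second request.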

However, this will be bad news for Kaiser Permanente as it is the second website error to be discovered in just a few weeks. Certain members were impacted by a website error caused during a kp.org site upgrade in October. In that instance, the upgrade was made to improve webpage speed and the error was identified and corrected within 24 hours.

Members affected by the latest breach have been urged to review their Explanation of Benefits statements and to report any irregularities, although due to the type of information exposed and the speed of detection and correction of the error, Kaiser Permanente says the privacy risk is ‘limited’.


Community Health Plan of Washington Announces 400,000-Record Data Breach

An unpatched security vulnerability at a business associate of Community Health Plan of Washington has resulted in the exposure of the protected health information (PHI) of almost 400,000 plan members.

Community Health Plan of Washington is now in the process of notifying all affected members that highly sensitive information, including names, addresses, dates of birth, Social Security numbers, and health insurance information, has been exposed and compromised.

The data breach was confirmed on November 30, 2016, although Community Health Plan of Washington first became aware of a potential breach on November 7 after a tip-off was received.

Staff at the health plan picked up a voicemail message from an individual who reported a vulnerability that had been discovered in the network of one of the health plan’s business associates. That vulnerability could be exploited to gain access to members’ data.

Community Health Plan of Washington followed up on the tip-off and contacted the firm in question, which is a subsidiary of NTT Data. The firm provides technical services to the health plan. Rapid action was then taken by the firm to confirm that the vulnerability existed and then correct the flaw to prevent data access.

A computer forensics investigator was hired to conduct a thorough analysis of the network and confirmed that the vulnerability had been exploited and that an unauthorized individual had accessed plan members’ PHI. It is unclear whether that individual was the same person that reported the vulnerability. At the time of writing, plan members’ data are not believed to have been used inappropriately. No reports of data misuse have been received by the health plan or its business associate.

Notification letters to affected plan members were delayed until the investigation into the data breach was completed and while the health plan put the logistics in place to deal with the breach. A toll-free helpline for members has now been set up and credit monitoring services have been arranged.

According to a report in the Seattle Times, each member will receive an individual notification letter with an identification number that can be used to register for credit monitoring services with Kroll.

381,534 members of the health plan, which provides insurance through Medicaid throughout Washington state, have been affected by the breach.


Identity Thief Sentenced to 4 Years for Selling Stolen Rotech Healthcare Data

A Florida man has been sentenced to serve four years in federal jail for selling medical records obtained from the medical device firm, Rotech Healthcare.

Vickie Lorenzo Bryant, 39, from Plant City, FL made contact with a government informant in May 2016 and offered to sell personally identifiable information of 957 individuals who had received medical devices from Rotech Healthcare.

This was not the first time Bryant had attempted to sell stolen data to identity thieves and fraudsters. The confidential informant had previously purchased other individuals’ data from Bryant and had used the information to obtain Florida driver’s licenses, make counterfeit credit cards, and purchase mobile phones in the victims’ names.

Bryant met with the informant on two occasions in June 2016 and sold the data of 957 different individuals. Bryant asked to be paid $15,000 for the batch of data or $15 per identity.

Around 1,000 documents were handed over to law enforcement and were found to contain a range of personal and medical information about the victims, including names, addresses, Social Security numbers and dates of birth. Law enforcement contacted those individuals and all confirmed that they had previously received respiratory or sleep apnea devices from Rotech Healthcare. Rotech Healthcare was alerted to the data breach by law enforcement on June 13, 2016 and all patients were notified of the incident shortly thereafter.

Bryant was arrested and pleaded guilty to access device fraud and aggravated identity theft on August 23, 2016 and was sentenced by U.S. District Judge Charlene Edwards Honeywell on Tuesday last week.

Bryant did not personally steal the data from Rotech Healthcare. Two co-conspirators who were employed at Rotech allegedly obtained the data and sold it to Bryant. Fontella James and Sharmekia Young were indicted on September 29, 2016 and have been charged with conspiracy, computer intrusion, and crimes related to identity theft and are awaiting trial.


Oak Cliff Orthopaedic Associates Alerts Patients to Potential PHI Breach

More than 1,000 current and former patients of Oak Cliff Orthopaedic Associates have been notified that unauthorized individuals may have viewed some of their protected health information.

Boxes of paper business records and other items were stolen from an off-site storage facility used by the Dallas orthopedic firm. It is currently unclear when the theft occurred and how long the thieves had access to the information, although the theft was discovered on October 17, 2016.

The documents contained patients’ names, addresses, and medical record numbers, although an investigation revealed that some of the documents also contained certain patients’ credit card numbers, Social Security numbers, and banking information. Patients affected by the incident had received medical services from Oak Cliff Orthopaedic Associates between 2006 and 2007.

The Lewisville Police Department recovered the stolen files, which have been returned to Oak Cliff Orthopaedic Associates and secured. The stolen items were found in a hotel room, but it is unclear whether the thieves have been identified or apprehended. All other items not taken by the thieves have since been removed from the storage facility and secured.

Since financial data have potentially been viewed and copied by the thieves, Oak Cliff Orthopaedic Associates notified the relevant financial institutions of the risk of fraudulent activity on the affected individuals’ accounts. Patients impacted by the incident have now been notified by mail and a press release has been issued in accordance with Health Insurance Portability and Accountability Act Rules.

Oak Cliff Orthopaedic Associates has not received any reports to suggest any of the stolen information has been used inappropriately, although it is possible that patient data were viewed by the thieves. As a precaution against identity theft and fraud, all 1,057 patients affected by the incident have been offered one year of identity theft protection services without charge.


November 2016 Worst Month for Healthcare Data Breaches: 57 Incidents Reported

Many people will be glad to see the back of 2016. It has been a difficult year, especially for healthcare organizations. Ransomware attacks have increased, hacking incidents are up, and more data breaches have been reported this year than in any other year since records started to be kept by the Department of Health and Human Services’ Office for Civil Rights (OCR).

The year is certainly not ending well. November saw the highest number of healthcare data breaches of any month in 2016, including August, a particularly bad month for the healthcare industry when 42 protected health information (PHI) breaches were reported by covered entities.

November’s total was 35% higher than August’s and 60% higher than October’s, according to the November Breach Barometer Report from Protenus. Last month, 57 healthcare data breaches were reported, which is almost two incidents per day.

Fortunately, the breaches that were reported were relatively small and the downward trend in the number of exposed/stolen records continued for the second month in a row. In total, 458,639 healthcare records were exposed in November, down 317,894 from the previous month.

November was something of an atypical month due to the nature of reporting of healthcare data breaches. Had the data breaches at Ambucor Health Solutions and EMR4All/Rehab Billing Solutions been reported as single breaches, the breach total for the month would have stood at 39. Still a particularly bad month, but not as bad as August.

As it was, the incidents were reported to OCR separately by each organization that was affected. There were 11 incidents reported by organizations impacted by the Ambucor Health Solutions breach and a further 9 reported by entities affected by the breach at EMR4All/RBS, according to DataBreaches.net, which provided the data for the Protenus report.

Recent surveys have suggested IT professionals are more concerned about insider breaches than cyberattacks by hackers and with good reason. The Breach Barometer report shows how serious the threat of insider breaches is. In November, 54.4% of healthcare data breaches were caused by insiders. 17 breaches were accidental breaches by healthcare employees and 14 were the result of malicious actions by employees with access to PHI.

There were 9 incidents that involved hackers, which was an improvement on October when 14 incidents were attributed to hacking. Ransomware was involved in 3 security breaches reported in November. TheDarkOverlord, who has previously attempted to extort money from a number of healthcare providers after stealing their data, was involved in one incident.

Healthcare providers once again were the worst hit, registering 40 incidents – 70% of incidents – followed by health plans with 11. Business associates reported three breaches, although they were involved to some degree in at least 44% of the breaches reported in November.

Protenus calculated the average time taken to report incidents to OCR to be 135 days from the date of discovery. 65% of breaches were reported after the 60-day window allowed by the HIPAA Breach Notification Rule, most of which were entities affected by the Ambucor breach. The breaches in November were also widespread, with affected entities based in 24 different states.

According to Databreaches.net, the entities involved in the breaches in November were:

Entity | Entity Type
Aetna Signature Administrators | Business Associate
AON Hewitt | Business Associate
Austin Pulmonary Consultants | Healthcare Provider
Bay Sleep Clinic | Healthcare Provider
Berkshire Medical Center | Healthcare Provider
Best Health Physical Therapy, LLC | Healthcare Provider
Biomechanics LLC | Healthcare Provider
Briar Hill Management | Business Associate
Briar Hill Management | Business Associate
Broward Health: Broward Health Imperial Point | Healthcare Provider
Camas Center Clinic, Kalispel Tribe of Indians | Healthcare Provider
Carolina Cardiology Consultants (Greenville Health System) | Healthcare Provider
Charleston Area Medical Center | Healthcare Provider
CHI Franciscan Health | Healthcare Provider
Cleveland Clinic Akron General | Healthcare Provider
Command Marketing Innovations | Business Associate
Conemaugh Physician Group Cardiology | Healthcare Provider
Consultants in Neurological Surgery, LLP | Healthcare Provider
Darlingten | Business Associate
Darlingten | Healthcare Provider
EMR4All/RBS | Business Associate
Eye Institute of Marin | Healthcare Provider
GHI (Emblem Health) | Health Plan
Glendale Adventist | Healthcare Provider
Harrisonburg OB GYN Associates, P.C. | Healthcare Provider
Horizon BCBS & UnitedHealth Group | Health Plan
Horizon Blue Cross Blue Shield of New Jersey | Health Plan
HP Enterprise Services, LLC | Business Associate
Indiana Family and Social Services Administration - Indiana Health Coverage Program | Health Plan
Irvine Company | Business Associate
Kaiser Foundation Health Plan | Health Plan
Kaiser Permanente Health Plan – N. Cal | Health Plan
Kaiser Permanente Health Plan – S. Cal | Health Plan
KinetoRehab Physical Therapy, PLLC | Healthcare Provider
La Gloria Pharmacy | Healthcare Provider
LCS Westminster Partnership IV, LLP d/b/a Sagewood | Healthcare Provider
Lebanon Cardiology Associates, PC (now known as WellSpan Cardiology) | Healthcare Provider
Lenox Hill Heart and Vascular Institute | Healthcare Provider
Lister Healthcare | Healthcare Provider
Louisiana Health Cooperative, Inc. in Rehabilitation | Health Plan
Luque Chiropractic | Healthcare Provider
Main Line Health | Healthcare Provider
Managed Health Services | Health Plan
Marin Medical Practice Concepts, Inc. | Business Associate
New Mexico Heart Institute | Healthcare Provider
North Texas Heart Center, P.A. | Healthcare Provider
OC Gastrocare | Healthcare Provider
OptumHealth New Mexico | Health Plan
Pikeville Medical Center | Healthcare Provider
Pinellas County Board of County Commissioners | Health Plan
Primerica | Business Associate (Financial Services)
Seguin Dermatology | Healthcare Provider
Stony Brook Internists, University Faculty Practice Corporation | Healthcare Provider
VA Eastern Colorado Health Care System | Healthcare Provider
Unnamed cleaning service | Business Associate
Unnamed vendor | Business Associate
Unnamed vendor + UPS | Business Associate
Vanderbilt U. Psychological & Counseling Center | Healthcare Provider
Vascular Surgical Associates | Healthcare Provider
Vein Specialists of Northwest Georgia | Healthcare Provider
Vision Care Florida, LLC | Healthcare Provider
WADA and USADA | Anti-Doping Agency
Wal-Mart Stores, Inc. | Healthcare Provider
Washington Department of Social and Health Services - Aging and Disability Services | Healthcare Provider
Watsonville Chiropractic (David W. Christie, D.C.) | Healthcare Provider
Wentworth-Douglass Hospital | Healthcare Provider
Young Adult Institute, Inc. | Healthcare Provider
