HIPAA Breach News

OptumHealth New Mexico Announces 2000-Record Data Breach

OptumHealth New Mexico has notified 2,006 patients of a privacy breach that was caused by one of its vendors. The vendor had downloaded some electronic protected health information to a flash drive, which was then sent to an undisclosed recipient by mail using the U.S. Postal Service. The flash drive did not arrive at its destination.

Upon discovery of the loss, the U.S. Postal Service was notified but attempts to locate the device have so far failed, although according to the substitute breach notice issued by OptumHealth, the matter is still being investigated.

It is unclear why, with many secure methods of sending sensitive data available, the vendor chose to post the flash drive, or why the contents of the drive were not encrypted.

OptumHealth was notified of the potential privacy breach on September 26, 2016 and breach notification letters were mailed to all affected individuals on November 17. A substitute breach notice was recently uploaded to the OptumHealth website as it was not possible to contact all affected individuals by mail.

Patients have been informed that the data stored on the drive includes names, telephone numbers, addresses, full or partial dates of birth, health identification numbers, providers’ names, medical diagnoses, and other health information. Some patients’ full or partial Social Security numbers were also present on the device. OptumHealth was informed that only “a limited number” of Social Security numbers were saved to the flash drive.

It is not possible to tell whether the device was lost or stolen, nor whether any of the information stored on the device has been accessed. Since there is a possibility of the data on the device being viewed by unauthorized individuals, all affected patients have been offered one year of identity theft protection services through LifeLock.

Affected patients have been encouraged to check healthcare documents, tax returns, and bank and credit card statements and to be vigilant for any signs of fraudulent activity.

OptumHealth has responded to the incident by updating its processes relating to vendors to prevent similar privacy breaches from occurring in the future.

The post OptumHealth New Mexico Announces 2000-Record Data Breach appeared first on HIPAA Journal.

1,745 Berkshire Medical Center Patients Impacted by Ambucor Health Solutions Breach

Berkshire Medical Center (BMC) in Pittsfield, Massachusetts has been informed that 1,745 patients of its cardiology department have been impacted by the security breach at Ambucor Health Solutions (AHS).

The Wilmington, DE-based business associate provides a remote monitoring service for BMC patients that have been fitted with cardiac devices. In July, AHS discovered an employee had emailed the protected health information of 41 patients to a personal email account prior to leaving the company.

However, an investigation into the incident revealed that more patients had been affected than initially thought. The employee had also copied some protected health information onto two thumb drives. Those devices were recovered via law enforcement and were found to contain the sensitive data of thousands of patients.

AHS has now contacted all healthcare providers whose patients have been impacted by the breach and is notifying all affected individuals by mail, although it is the responsibility of each impacted healthcare provider to notify the Department of Health and Human Services’ Office for Civil Rights.

While the total number of individuals impacted by the security breach has not been released, the data of 2,500 patients of Greenville Health System in South Carolina, 775 patients of Wentworth-Douglass Hospital in Dover, New Hampshire, and 537 patients of WellSpan Cardiology (formerly Lebanon Cardiology Associates) have also been affected.

BMC patients have been told that their name, address, phone number, date of birth, patient ID number, ethnicity, testing data, Ambucor enrolment number, diagnosis, medications, medical device information, practice where they were being seen, and the names of the Ambucor technician that fitted the device and their physician were also present on one of the thumb drives.

Affected patients will be protected by a $1 million identity theft insurance policy and will be provided with credit monitoring and identity theft protection services for a period of one year without charge, although AHS does not believe any patient data have been used inappropriately. Additional security controls have now been implemented by AHS to prevent future breaches of patient health information.

The post 1,745 Berkshire Medical Center Patients Impacted by Ambucor Health Solutions Breach appeared first on HIPAA Journal.

CHI Franciscan Health Alerts Patients to ePHI Exposure

CHI Franciscan Health has started notifying patients about the potential exposure of some of their electronic protected health information after a laptop computer was stolen from an employee.

According to The News Tribune, a CHI Franciscan Health employee had a backpack stolen on October 18. The backpack contained documents that included some patient health information, a work laptop computer, and a mobile phone.

The backpack also contained a day planner, in which the login credentials for the laptop were recorded. The information in the documents could potentially have been viewed and the login credentials could have been used to gain access to the electronic protected health information stored on the laptop.

CHI Franciscan Health has not received any reports to suggest any information has been accessed or used inappropriately, although patients have been advised to take precautions against identity theft. All affected individuals have been offered a year of credit monitoring services without charge.

The exposed ePHI/PHI includes the names, phone numbers, Social Security numbers, demographic information, and next of kin names of current and deceased patients.

Law enforcement was notified upon discovery of the theft, although the laptop computer has not been recovered. The incident has yet to appear on the Department of Health and Human Services’ Office for Civil Rights Breach Portal, so it is currently unknown how many individuals have been affected.

This is the third data security incident affecting CHI Franciscan Health this year. In early September, CHI Franciscan Health’s Highline Medical Center in Burien, WA reported a potential breach of 18,399 patient records after its network server. A vendor of Highline Medical Center, R-C Healthcare Management, removed security protections during a server upgrade and failed to reactivate them when work had been completed.

CHI Franciscan Health also reported a data security incident in September that affected St. Clare Hospital in Lakewood, WA and St. Joseph Medical Center in Tacoma, WA. That electronic medical record breach impacted 2,818 individuals.

The post CHI Franciscan Health Alerts Patients to ePHI Exposure appeared first on HIPAA Journal.

Vascular Surgical Associates Hacking Incident Reported

Vascular Surgical Associates – a group of specialty-trained vascular surgeons in Atlanta – has announced that it has been the victim of a hacking incident that has potentially resulted in certain protected health information being viewed by unauthorized individuals.

IT staff noticed unusual activity on one of the company’s servers on or around September 13, 2016. An investigation into the anomaly was launched, which revealed the server had been improperly accessed using login credentials supplied to some of the group’s vendors. Access to patient data was first gained on March 25, 2016 when a software application upgrade was performed.

The investigation did not confirm whether patient health information had been obtained by the hackers, although for more than five months it would have been possible for the login credentials to have been used to view patient data. As soon as IT staff determined the server had been compromised, access was immediately terminated. The server is now secure and Vascular Surgical Associates is confident that no further unauthorized access is possible.

It would not have been possible for the intruders to view Social Security numbers or financial data, as that information was stored elsewhere on a part of the network that was not compromised. However, names, addresses, birth dates, demographic data, and medical records were all potentially viewed.

The investigation did not confirm the identity of the hackers, although evidence was uncovered to suggest the attackers were based in other countries. The login credentials used to gain access to the server were only used by vendors and their staff members. Vascular Surgical Associates is confident that none of its staff members were involved in the breach.

Vascular Surgical Associates has reported the incident to the appropriate federal and state authorities, and investigations will be launched by the FBI and the Department of Health and Human Services’ Office for Civil Rights. At present, no announcement has been made about the number of patients that have been impacted by the incident. Affected individuals will be notified of the security breach by mail.

The post Vascular Surgical Associates Hacking Incident Reported appeared first on HIPAA Journal.

Privacy Breach Reported by Wentworth-Douglass Hospital

Wentworth-Douglass Hospital in Dover, New Hampshire has started alerting patients to a privacy breach experienced by one of its vendors, Ambucor Health Solutions.

Ambucor Health Solutions provides a remote-monitoring service for cardiac devices for hospitals throughout the United States. Earlier this month, the company started notifying its clients of a privacy breach caused by one of its former employees.

Prior to leaving employment, the employee downloaded sensitive company data onto two flash drives. The data breach was discovered by Ambucor Health Solutions over the summer and an investigation was launched.

The incident was reported to law enforcement, and the subsequent investigation resulted in the flash drives being recovered in July.

An analysis of the contents of the drives, which was completed in September, revealed the downloaded data included a range of electronic health information of cardiac patients from a number of the company’s clients, and included the protected health information of 775 patients of Wentworth-Douglass Hospital.

Social Security numbers, financial information, insurance information, and Medicare/Medicaid numbers were not copied to the flash drives, so Wentworth-Douglass Hospital believes the risk of the data being used to make fraudulent claims or steal identities is low. No evidence has been uncovered by law enforcement, Ambucor Health Solutions, or Wentworth-Douglass Hospital to suggest any of the downloaded data have been used inappropriately.

However, out of an abundance of caution, all affected patients have been offered 12 months of identity theft protection services without charge. Patients will also be protected by a $1 million identity theft insurance policy.

The protected health information copied to the devices included names, phone numbers, home addresses, race, Ambucor enrollment numbers, Ambucor enrollment dates, Ambucor technician names, patient ID numbers, physicians’ names, testing data, medications, medical diagnoses, names of the practices visited, and details of the cardiac devices that had been fitted.

Ambucor Health Solutions has since taken steps to improve security to prevent future breaches of this nature from occurring, including conducting a thorough review and update of all HIPAA policies covering data security.

The post Privacy Breach Reported by Wentworth-Douglass Hospital appeared first on HIPAA Journal.

Chiropractic Clinics Alert Patients to Billing Vendor Breach

Two providers of chiropractic services in California have started notifying their patients of a security breach affecting their billing software company.

Luque Chiropractic, Inc., and Watsonville Chiropractic, Inc., were alerted to a cloud storage account breach on November 18, 2016, following a data security incident that saw patient data accessed by an unauthorized individual.

The breach was experienced by EMR4all, Inc., and affected clients that used the company’s associated billing service.

EMR4all, Inc provides free EMR software for physical therapy, occupational therapy, and chiropractic practices throughout the United States, while billing services are provided by Rehab Billing Solutions.

In early September, security researcher Chris Vickery discovered a cloud storage account used by EMR4all/Rehab Billing Solutions could be freely accessed via the Internet. The cloud storage account contained the health records and personal information of many thousands of patients from more than 30 providers of physical therapy and chiropractic services.

Vickery was able to access and download the data from the account. In total, around 61GB of data – and approximately 240,000 unencrypted files – were stored in the account.

Luque Chiropractic and Watsonville Chiropractic were informed that their patients’ names, addresses, birth dates, medical diagnoses, Social Security numbers, treatment dates, and treatment locations had been compromised and had potentially been accessed.

The data in the account was downloaded by Vickery on September 10, 2016, although the account was left unsecured for a period of around 4 months from May 2016 to September 2016.

As soon as the billing service provider was informed of the lack of security protections, rapid action was taken to secure the account. Proper access credentials are now required to access patient data.

Vickery only downloaded the data for the purpose of highlighting the lack of security protections and to ensure that all companies/individuals affected could be notified. Vickery has agreed to delete the data and not to disclose the information to any other individuals. However, it is possible that other individuals may have accessed the data during the time that the storage account was left unprotected. To date, Luque Chiropractic, Inc., and Watsonville Chiropractic have not received any reports to suggest that patient data have been used inappropriately.

The post Chiropractic Clinics Alert Patients to Billing Vendor Breach appeared first on HIPAA Journal.

Briar Hill Management Notifies 2,000 Individuals of February Laptop Loss

Briar Hill Management, a Ridgeland, MS-based provider of management services for skilled nursing facilities in Mississippi, has lost a laptop computer containing the sensitive data of 2,000 nursing facility residents.

The laptop was discovered to be missing on February 26, 2016, although at the time it was not believed that the laptop contained any resident health information. However, according to the breach notice recently uploaded to the company website, an investigation into the incident revealed that the employee who had been assigned the laptop computer had breached company policies and had downloaded sensitive information onto the device.

The data stored on the unencrypted laptop included residents’ names, addresses, birth dates, dates of service, Social Security numbers, prescription information, and medical records. Briar Hill Management says “the laptop did not contain all of these types of information for every affected resident.” The breach notice does not state when Briar Hill Management discovered sensitive information had been exposed.

Briar Hill Management conducted an “exhaustive” search for the device, but it was concluded that the laptop was lost off-site. Briar Hill Management says the employee also breached company policies by failing to “properly secure the laptop when outside of the company’s office.” Law enforcement has been notified of the loss, but after more than 8 months since the laptop was lost it can be safely assumed that the device will not be recovered.

Residents impacted by the breach have been informed that the company’s investigation into the incident has not uncovered any evidence to suggest that residents’ information has been improperly accessed, although as a precaution, individuals affected by the breach have been offered a year of credit monitoring and identity theft protection services without charge.

To prevent future breaches of this nature, Briar Hill Management has implemented additional safeguards for all mobile devices used by company employees. The employee responsible for the device has also been sanctioned.

The post Briar Hill Management Notifies 2,000 Individuals of February Laptop Loss appeared first on HIPAA Journal.

Eye Institute of Marin Notifies Patients of Ransomware Data Loss

The San Rafael, CA-based Eye Institute of Marin has informed some of its patients that a ransomware attack on its electronic medical record provider has potentially resulted in some of their electronic protected health information being accessed by the attackers.

The EMR system contained a considerable amount of sensitive patient data including names, telephone numbers, addresses, birth dates, race, gender, Social Security numbers, medical histories, medical diagnoses, prescription information, health insurance details, health visit information, charges and payment details, and emergency contact information. No financial information or credit/debit card numbers were exposed as these were stored separately in a different system.

The incident was investigated at the time by a third party computer forensics company. The firm’s analysis of the attack did not uncover any evidence to suggest that patient data were accessed or copied by the attackers, although the possibility of data access could not be ruled out entirely.

The ransomware attack took place on July 26, 2016. The electronic medical record provider discovered the attack the following day. Systems were rapidly secured following the attack and data were restored from backup files.

Eye Institute of Marin was notified of the malware attack by its EMR provider on August 22, 2016. Further information about the incident was requested from the EMR provider, including details of the patients that had been affected. On September 14, Eye Institute of Marin discovered that the malware attack involved ransomware.

Eye Institute of Marin also discovered that some patient data were irrevocably lost. The majority of patient data were restored from backup files, although some patients’ consultation notes could not be recovered from the backup files.

The data that were lost included clinical histories, vital signs, and records of communications with patients. Details of refraction examinations may also have been lost. Patients whose data were lost had visited the Eye Institute of Marin between 7/11/16 and 7/26/16.

The Eye Institute of Marin did notify patients of the data loss on October 18, 2016, although breach notification letters have now been sent to all Eye Institute of Marin patients regarding the ransomware infection in accordance with HIPAA Rules. A press release was also issued on November 18 alerting the media to the possible data breach.

Eye Institute of Marin has confirmed that its EMR provider has appropriately secured its systems and policies and procedures have been reviewed. While credit monitoring and identity theft protection services have not been offered to patients, the Eye Institute of Marin has suggested patients place a credit freeze on their accounts and obtain a credit report from one of the three credit monitoring agencies if they are concerned about possible misuse of their data.

The post Eye Institute of Marin Notifies Patients of Ransomware Data Loss appeared first on HIPAA Journal.