HIPAA Breach News

Patients Notified of KinetoRehab Physical Therapy Laptop Theft

New York-based KinetoRehab Physical Therapy has started sending HIPAA breach notification letters to patients alerting them to the potential exposure of some of their protected health information.

On September 16, 2016, KinetoRehab discovered a laptop computer was missing from its facilities. A review of security camera footage revealed the laptop computer had been stolen. While the laptop bag has now been found, the laptop computer had been removed and has not been recovered. The incident was reported to law enforcement and efforts are currently being made to locate the individual identified from the CCTV camera footage.

The laptop contained data on a limited number of patients, although those affected by the breach have had highly sensitive information exposed. The laptop contained patients’ names, birthdates, Social Security numbers, insurance information, and notes relating to the physical therapy provided by the clinic. Patients affected by the incident had visited KinetoRehab Physical Therapy for treatment between November 2011 and March 2013.

While the data stored on the device could potentially be accessed by unauthorized individuals, there is no indication that data have been accessed or that they will be used inappropriately. However, since highly sensitive information has been exposed, KinetoRehab Physical Therapy is offering all affected patients 12 months of credit monitoring and identity theft protection through Experian’s® ProtectMyID® Alert or Family Secure®.

KinetoRehab Physical Therapy has informed patients: “We have taken every step necessary to address the incident, and that we are committed to fully protecting all the information that has been entrusted to us.” A review of the organization’s technical safeguards is being conducted and improvements will be made to prevent similar incidents from occurring in the future.

The ePHI breach has been reported to the New York Attorney General and the Department of State’s Division of Consumer Protection. The breach report submitted to the Department of Health and Human Services’ Office for Civil Rights indicates 665 individuals have been affected.

The post Patients Notified of KinetoRehab Physical Therapy Laptop Theft appeared first on HIPAA Journal.

Healthcare Data Breaches Fell in October

There was a fall in the number of data breaches reported by healthcare organizations in the United States in October, according to the latest Breach Barometer report from Protenus. This is the second month in a row in which the number of data breaches has fallen.

The number of reported breaches dropped from an annual high of 42 incidents in August to 35 breaches in October, two fewer than were reported in September. However, the number of exposed records increased from 246,876 in September to 776,533 in October. The final victim count for the month could be considerably higher: while 35 breaches were reported, the number of individuals impacted by four of those incidents is not yet known.

There were some notable IT security incidents reported last month:

Four healthcare organizations reported being attacked with ransomware in October. Three of those incidents resulted in a permanent loss of healthcare data. Two organizations attempted to recover data from backups, only for the backup recovery process to fail, while one healthcare organization reported data loss as a direct result of the infection. The extent of data loss in each of these incidents was not disclosed publicly.

Two healthcare organizations were subject to extortion attempts after data were stolen. The organizations in question were told that the stolen data would be published or sold if payment was not made to the attacker.

The hacker responsible for those attacks was The Dark Overlord, who has previously hacked a number of healthcare organizations and held their data to ransom. While The Dark Overlord claims to have been paid by some healthcare organizations, there is no evidence of any payments actually being made according to Dissent of DataBreaches.net. Some of the stolen data have been dumped online and listings have been placed on darknet marketplaces offering the stolen data for sale.

Hacking and ransomware/malware infections were the main causes of healthcare data breaches in October, accounting for 40% of all data breaches. Those breaches were the most severe and accounted for the majority (86%, or 664,549 of 776,533) of stolen/exposed records for the month.

Hacking and ransomware attacks were closely followed by accidental and deliberate insider breaches. 37% of October healthcare data breaches were due to insiders. Those incidents impacted 79,974 individuals. Two insider breaches occurred for which the victim count is not yet known.

The majority of breaches (82.8%) involved healthcare providers, followed by business associates of covered entities (8.6%), health plans (5.7%), and health information exchanges (2.9%). For the second month running, California was the worst hit state, recording 4 healthcare data breaches.

According to Robert Lord, Co-Founder & CEO of Protenus, “A few things stand out as particularly interesting this month. First, there were the public reports of data loss due to ransomware, which confirmed the rumors that ransomware payments aren’t always leading to recovered data. Second, the continued consistency of insider threats demonstrates the critical necessity of thinking about how we can mitigate these types of health data breaches and HIPAA violations.”

While it is certainly good news that the downward trend in breaches is continuing, this does not necessarily mean that healthcare organizations are getting better at securing protected health information. As Lord explains, “while breach numbers aren’t as high as the catastrophic numbers of the summer, we don’t see the fundamentals of a severely-threatened health data landscape changing anytime soon.”

The Protenus Breach Barometer is a monthly report of healthcare data breaches reported to the Department of Health and Human Services’ Office for Civil Rights or disclosed to the media or other trusted online sources.


Emblem Health Mailing Error Exposes Members’ Social Security Numbers

Emblem Health, one of the largest health plans in the United States, has discovered that a printing error resulted in some members’ Social Security numbers being printed on the outside of envelopes during a recent mailing.

The New York-based health insurer says the privacy breach affects members of its subsidiary company, Group Health Inc. (GHI).

The error was made while mailing Medicare Prescription Drug Plan Evidence of Coverage documents to health plan members. Normally, all mailings include a unique mailing identifier which is printed on the envelope. These ID numbers are randomly generated and are included on the envelopes to help keep track of mailings.

However, for the latest mailing, an error was made that resulted in members’ Health Insurance Claim Number (HICN) being included in the electronic file that was sent to the health plan’s mailing vendor. That number was then printed on the envelopes instead of the mailing identifier. HICNs are formed from members’ 9-digit Social Security numbers.

Affected members therefore had their Social Security numbers printed on the outside of the envelopes along with their name and address. The HICNs were listed as a package number on the envelope (PKG#), not as an HICN or Social Security number. Even if the envelopes were viewed, it would likely be unclear that the number was the same as the member’s Social Security number.
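The control this incident calls for is a pre-send audit of the file handed to the print vendor: the envelope identifier column should only ever contain the random mailing ID, never an SSN-derived value. The following is an added example, not Emblem Health’s or its vendor’s code; it assumes a CSV file with a “PKG#” column, that the legacy Medicare HICN is a 9-digit SSN followed by a one- or two-character beneficiary code, and that the intended mailing identifier is an 8-character random alphanumeric string.

```python
import csv
import io
import re

# Constructed sample of an outbound mailing file (not real member data):
# the PKG# column should carry a random mailing identifier, but two rows
# carry an HICN (SSN plus beneficiary code) and one a bare SSN.
SAMPLE_MAILING_FILE = """member_name,address,PKG#
Jane Doe,1 Main St,MX7Q2K9D
John Roe,2 Elm St,123456789A
Ann Poe,3 Oak St,987654321B1
Bob Coe,4 Ash St,123-45-6789
"""

# Assumed formats: legacy Medicare HICN = 9-digit SSN followed by a 1-2 character
# beneficiary identification code; SSN = 9 digits, optionally dashed.
HICN_RE = re.compile(r"^\d{9}[A-Za-z]\d?$")
SSN_RE = re.compile(r"^\d{3}-?\d{2}-?\d{4}$")
# The intended identifier: an 8-character random alphanumeric (assumed for this example).
MAILING_ID_RE = re.compile(r"^[A-Z0-9]{8}$")


def classify_envelope_id(value: str) -> str:
    """Return 'ok', 'hicn', 'ssn' or 'unknown' for one PKG# value."""
    v = value.strip()
    if HICN_RE.match(v):
        return "hicn"
    if SSN_RE.match(v):
        return "ssn"
    if MAILING_ID_RE.match(v):
        return "ok"
    return "unknown"


def audit_mailing_file(text: str, id_column: str = "PKG#") -> list[tuple[int, str]]:
    """Return (row_number, finding) for every row whose envelope id is not a safe
    mailing id. Row numbers count the header as row 1. Any finding, including
    'unknown', should hold the file before it leaves for the print vendor."""
    findings = []
    for n, row in enumerate(csv.DictReader(io.StringIO(text)), start=2):
        kind = classify_envelope_id(row[id_column])
        if kind != "ok":
            findings.append((n, kind))
    return findings


if __name__ == "__main__":
    for row_no, kind in audit_mailing_file(SAMPLE_MAILING_FILE):
        print(f"row {row_no}: PKG# looks like {kind}; hold the mailing")
```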

However, since SSNs were exposed, Emblem Health is taking no chances and has offered all affected members free enrolment in AllClear’s credit monitoring and identity repair services. Members will also be protected by a $1 million identity theft insurance policy and the services will be available for a period of two years rather than the standard 12 months.

Affected members are now being notified of the breach by mail and have been advised to sign up for the services and ensure that the label from the Evidence of Coverage mailing is removed and disposed of in a secure manner.

Emblem Health will be reviewing its policies and procedures and implementing new controls to ensure that errors of this nature are prevented in the future.


Horizon BCBS of New Jersey Privacy Breach Impacts 170,000 Members

Horizon Blue Cross Blue Shield of New Jersey has been alerted to a printing error that resulted in a limited amount of members’ protected health information being disclosed to other plan members. According to a statement issued by Horizon BCBSNJ, the error was made by its printing vendor, Command Marketing Innovations of Garfield.

Between October 31 and November 2, Horizon BCBSNJ’s vendor printed and mailed Explanation of Benefit (EOB) letters to members; however, an error resulted in some members’ names, claim numbers, Member ID numbers, dates of service, service codes, provider and facility names, and a limited description of services being printed on EOB letters that were sent to other members.

Horizon BCBSNJ says the error was identified on November 2 and the printing run was halted, but not before letters had been mailed to around 170,000 members. Not all of those members will have received letters containing the PHI of other members, but Horizon BCBSNJ has been unable to determine exactly how many of the letters included other members’ PHI.

According to Horizon spokesman Kevin McArdle, all that is known is that 170,000 EOB letters were mailed by its vendor before the error was identified. Horizon BCBSNJ is now working with its vendor to determine exactly how many individuals have been impacted.

Horizon BCBSNJ has confirmed that no Social Security numbers, dates of birth, addresses, or financial information were included in the letters, but since insurance information was disclosed there is a risk of the information being misused.

Horizon BCBSNJ has said it will be monitoring affected members’ accounts to check for fraudulent medical claims, and members should do the same. Correct EOB letters will be mailed to all members next week along with breach notification letters, although many members have already noticed the error, contacted Horizon BCBSNJ, and expressed concern about the incident.
