HIPAA Breach News

Logan Health Proposes $4.3 Million Settlement to Resolve Class Action Data Breach Lawsuit

Posted January 25, 2023 by HIPAA Journal

Logan Health has agreed to settle a class action lawsuit related to a 2021 hacking incident that exposed the protected health information of 213,543 individuals. Under the terms of the settlement, Logan Health has agreed to create a fund of $4.3 million to cover claims from individuals affected by the breach.

Logan Health, formerly Kalispell Regional Medical Center, is a 622-bed health system based in Kalispell, MT, which operates six hospitals and more than 68 provider clinics in the state. On February 18, 2022, Logan Health announced that it was the victim of a sophisticated cyberattack in which hackers gained access to a file server containing patient data. The breach was detected on November 22, 2021, and the investigation confirmed that access to its systems was gained on November 18, 2021. On January 5, 2022, Logan Health learned that the attackers accessed files containing patient information such as names, addresses, medical record numbers, dates of birth, telephone numbers, email addresses, insurance claim information, date(s) of service, treating/referring physician, medical bill account number, and/or health insurance information. Affected individuals were offered complimentary credit monitoring services.

A lawsuit – Tafelski, et al. v. Logan Health Medical Center – was filed against Logan Health in the Montana Eighth Judicial District Court shortly after notification letters were mailed. The lawsuit alleged Logan Health had failed to implement reasonable and appropriate cybersecurity measures and had not provided sufficient security awareness training to its workforce. Had those measures been implemented, the data breach would have been prevented. In addition to this breach, Logan Health had experienced others while operating as Kalispell Regional Medical Center, which had affected 2,081 state residents in 2021 and 126.805 individuals in 2019. The lawsuit alleged the plaintiffs and class members have suffered damages including the compromise, publication, theft and/or unauthorized use of their PII/PHI, out-of-pocket costs from the prevention, detection, recovery, and remediation from identity theft or fraud, lost opportunity costs and lost wages, that they faced a continued risk to their PII/PHI.

Logan Health chose to settle the lawsuit to avoid further legal costs and the uncertainty of trial. Under the terms of the settlement, affected individuals can submit claims up to a maximum of $25,000 for reimbursement of out-of-pocket expenses that are reasonably traceable to the data breach and were not reimbursable by a third party. Claims can also include lost time up to a maximum of $125 per class member. In addition to claims for reimbursement of losses, class members can choose to claim three years of credit monitoring services or a cash payment in lieu of the credit monitoring services.

The deadline for exclusion from or objections to the settlement is February 13, 2023. Claims must be submitted by April 3, 2023, and the final approval hearing for the settlement has been scheduled for March 9, 2023.

The post Logan Health Proposes $4.3 Million Settlement to Resolve Class Action Data Breach Lawsuit appeared first on HIPAA Journal.

Second Class Action Lawsuit Filed Against CommonSpirit Health Over Ransomware Attack

Posted January 24, 2023 by HIPAA Journal

Another lawsuit has been filed against CommonSpirit Health over its 2022 ransomware attack and data breach that alleges the nation’s largest catholic health system failed to implement reasonable and appropriate safeguards to prevent unauthorized access to sensitive patient data.

CommonSpirit Health announced in early October that it was dealing with a cyberattack that took down its IT systems, then in December confirmed that the individuals behind the ransomware attack had access to certain parts of its network from September 16 through October 3, 2022, during which time they may have accessed or obtained the protected health information of 623,774 patients including names, contact information, birth dates, and internal patient identifiers.

The latest lawsuit was filed on January 13, 2022, in the U.S. District Court for the Northern District of Illinois on behalf of plaintiff Jose Antonio Koch, his two minor children (John/James Doe), and other similarly affected individuals. Koch and his children received medical care at St. Michael Medical Center in Silverdale, WA, a CommonSpirit Health member hospital operated by Virginia Mason Franciscan Health, that was affected by the attack.

CommonSpirit Health provided regular updates on its website about the cyberattack and data breach and notified patients in December when the extent of the breach had been determined, approximately two and a half months after the breach occurred and two months after the breach was detected. The lawsuit alleges CommonSpirit Health “intentionally, willfully, recklessly or negligently” failed to take adequate and reasonable measures to ensure its data systems were protected against unauthorized intrusions, and that “CommonSpirit has not been forthcoming about the data breach.” The lawsuit also suggests the actual number of individuals affected may be much higher, potentially as high as 20 million, and takes issue with the time it took CommonSpirit Health to detect the data breach, which started on September 16, 2022, but was not detected until October 2, 2022.

The lawsuit alleges the plaintiffs and class members have been exposed to a heightened and imminent risk of fraud, financial identity theft, and medical identity theft, and must now cover the cost of credit monitoring services, credit freezes, credit reports, and other protective measures, as that they have had to spend time monitoring their accounts, changing passwords, and taking other measures to protect their identities.

The lawsuit alleges negligence, breach of implied contract, unjust enrichment, and negligence per se, and seeks class action status, at least 7 years of complimentary credit monitoring services, and an award of actual damages, compensatory damages, statutory damages, and statutory penalties, as determined and allowable by law, and an award of punitive damages and attorneys’ fees.

An earlier lawsuit was filed in the U.S. District Court for the Northern District of Illinois on December 29, 2022, by Washington resident, Leeroy Perkins, which makes similar claims that industry-standard cybersecurity measures had not been implemented. That lawsuit seeks damages exceeding $5 million and injunctive relief, which includes the requirement for CommonSpirit Health to implement stronger data security measures to prevent further data breaches.

The post Second Class Action Lawsuit Filed Against CommonSpirit Health Over Ransomware Attack appeared first on HIPAA Journal.

2022 Healthcare Data Breach Report

Posted January 24, 2023 by HIPAA Journal

For the first time since 2015, there was a year-over-year decline in the number of data breaches reported to the Department of Health and Human Services’ Office for Civil Rights (OCR), albeit only by 1.13% with 707 data breaches of 500 or more records reported. Even with that reduction, 2022 still ranked as the second-worst-ever year in terms of the number of reported breaches.

As the year drew to an end, data breach numbers started to decline from a high of 75 data breaches in October. Time will tell whether this trend will continue in 2023, although the lull in data breaches appears to have continued so far this year with an atypically low number of breaches currently showing on the OCR data breach portal this month.

In addition to the slight reduction in reported data breaches, there was also a drop in the number of breached records, which fell by 13.15% from 54.09 million records in 2021 to 51.9 million records in 2022.

The theft of protected health information places patients and health plan members at risk of identity theft and fraud, but by far the biggest concern is the threat to patient safety. Cyberattacks on healthcare providers often cause IT system outages, which in many cases have lasted several weeks causing considerable disruption to patient care. While there have not been any known cases of cyberattacks directly causing fatalities, the lack of access to patient data causes diagnosis and treatment delays that affect patient outcomes. Multiple studies have identified an increase in mortality rates at hospitals following ransomware attacks and other major cyber incidents.

These cyberattacks and data breaches result in huge financial losses for healthcare organizations. The 2022 IBM cost of a data breach report indicates the average cost of a healthcare data breach increased to an all-time high of $10.1 million in 2023, although data breaches can be significantly more expensive. In addition to the considerable breach remediation costs, security must be improved, cyber insurance premiums increase, and it is now common for multiple class action lawsuits to be filed following data breaches. There is also a risk of financial penalties from regulators.

The largest ever healthcare data breach, suffered by Anthem Inc in 2015, affected 78.8 million members and cost the health insurer around $230 million in clean-up costs, $115 million to settle the lawsuits, $39.5 million to settle the state attorneys general investigation, and $16 million to resolve the OCR investigation. Even much smaller data breaches can prove incredibly costly. Scripps Health suffered a data breach of 1.2 million records in 2021 due to a ransomware attack. The attack caused losses in excess of $113 million due to lost business ($92 million) and the clean-up costs ($21 million). There are also several lawsuits outstanding and there could be regulatory fines.

Largest Healthcare Data Breaches in 2022

There were 11 reported healthcare data breaches of more than 1 million records in 2022 and a further 14 data breaches of over 500,000 records. The majority of those breaches were hacking incidents, many of which involved ransomware or attempted extortion. Notable exceptions were several impermissible disclosure incidents that resulted from the use of pixels on websites. These third-party tracking technologies were added to websites to improve services and website functionality, but the data collected was inadvertently transmitted to third parties such as Meta and Google when users visited the websites while logged into their Google or Facebook accounts. The extent to which these tracking technologies have been used by healthcare organizations prompted OCR to issue guidance on these technologies, highlighting the considerable potential for HIPAA violations.

Name of Covered Entity	State	Covered Entity Type	Individuals Affected	Type of Breach
OneTouchPoint, Inc.	WI	Business Associate	4,112,892	Ransomware attack
Advocate Aurora Health	WI	Healthcare Provider	3,000,000	Pixel-related impermissible disclosure via websites
Connexin Software, Inc.	PA	Business Associate	2,216,365	Hacking incident and data theft
Shields Health Care Group, Inc.	MA	Business Associate	2,000,000	Hacking incident and data theft
Professional Finance Company, Inc.	CO	Business Associate	1,918,941	Ransomware attack
Baptist Medical Center	TX	Healthcare Provider	1,608,549	Malware infection
Community Health Network, Inc. as an Affiliated Covered Entity	IN	Healthcare Provider	1,500,000	Pixel-related impermissible disclosure via websites
Novant Health Inc. on behalf of Novant Health ACE & as contractor for NMG Services Inc.	NC	Business Associate	1,362,296	Pixel-related impermissible disclosure via websites
North Broward Hospital District d/b/a Broward Health (“Broward Health”)	FL	Healthcare Provider	1,351,431	Hacking incident and data theft
Texas Tech University Health Sciences Center	TX	Healthcare Provider	1,290,104	Hacking incident and data theft
Doctors’ Center Hospital	PR	Healthcare Provider	1,195,220	Ransomware attack
Practice Resources, LLC	NY	Business Associate	942,138	Hacking incident and data theft
Wright & Filippis LLC	MI	Healthcare Provider	877,584	Ransomware attack
Partnership HealthPlan of California	CA	Health Plan	854,913	Hacking incident and data theft
MCG Health, LLC	WA	Business Associate	793,283	Hacking incident and data theft
Yuma Regional Medical Center	AZ	Healthcare Provider	737,448	Ransomware attack
SightCare, Inc.	AZ	Health Plan	637,999	Hacking incident and data theft
CommonSpirit Health	IL	Business Associate	623,774	Ransomware attack
Metropolitan Area EMS Authority dba MedStar Mobile Healthcare	TX	Healthcare Provider	612,000	Ransomware attack
Wolfe Clinic, P.C.	IA	Healthcare Provider	542,776	Ransomware attack
Morley Companies, Inc.	MI	Business Associate	521,046	Ransomware attack
Adaptive Health Integrations	ND	Healthcare Provider	510,574	Adaptive Health Integrations
Christie Business Holdings Company, P.C.	IL	Healthcare Provider	502,869	Hacking incident and data theft
Health Care Management Solutions, LLC	WV	Business Associate	500,000	Hacking incident and data theft
OakBend Medical Center / OakBend Medical Group	TX	Healthcare Provider	500,000	Ransomware attack

While 2022 saw some very large data breaches reported, the majority of reported data breaches were relatively small. 81% of the year’s data breaches involved fewer than 50,000 records, and 58% involved between 500 and 999 records.

Hacking incidents dominated the breach reports with 555 of the 707 reported breaches (71.4%) classified as hacking/IT incidents, which accounted for 84.6% of all breached records in 2022. The average breach size was 79,075 records and the median breach size was 8,871 records. There were 113 reported unauthorized access/disclosure breaches reported in 2022, accounting for 14.5% of the breached records. The average breach size was 66,610 records due to some large pixel-related data breaches, and the median breach size was 1,652 records.

Theft (23 breaches) and loss (12 breaches) incidents were reported in relatively low numbers, continuing a downward trend from these once incredibly common data breaches. The downward trend is due to better control of devices and the use of encryption. The average breach size was 13,805 records and the median breach size was 1,704 records. There were four incidents involving the improper disposal of devices containing PHI and physical records. The average breach size was 1,772 records and the median was 1,021 records.

The high number of hacking incidents is reflected in the chart below, which shows the location of breached protected health information. Compromised email accounts remain a major source of data breaches, highlighting the importance of multi-factor authentication and training employees on how to recognize the signs of phishing.

Which Entities Suffered the Most Data Breaches?

The raw data on the OCR breach portal does not accurately reflect the extent to which business associate data breaches are occurring. When you factor in business associate involvement it is possible to gain a more accurate gauge of the extent to which data breaches are occurring at business associates. In 2022, 127 data breaches were self-reported by business associates, but there were 394 reported data breaches where business associates were involved – That’s a 337% increase since 2018. Last year, data breaches at business associates outnumbered data breaches at healthcare providers for the first time.

Several major business associate data breaches were reported to OCR in 2022, with some of the data breaches affecting several hundred healthcare organizations. A data breach at the debt collections company, Professional Finance Company, affected 657 of its healthcare clients and involved more than 1.91 million healthcare records. Eye Care Leaders, a provider of electronic health records to eye care providers, suffered a cyberattack that affected at least 41 eye care providers and exposed the data of almost 3.65 million patients.

The graph below shows the sharp increase in data breaches at business associates in recent years. There are several reasons for the increase. Hackers have realized the value of conducting attacks on business associates. One successful attack can provide access to the data, and sometimes networks, of all of the vendor’s clients. Healthcare organizations are now using more vendors to manage administrative functions and risk increases in line with the number of vendors. As more vendors are used, it becomes harder to monitor cybersecurity at the vendors. Managing third-party risk is one of the biggest challenges for healthcare organizations in 2023.

Where Did the Data Breaches Occur?

Healthcare data breaches were reported by HIPAA-regulated entities in 49 states, Washington D.C., and Puerto Rico in 2022. Alaska was the only state to survive the year with no reported data breaches. In general, the most populated states suffer the most data breaches. In 2022, the 10 most populated U.S. states all ranked in the top 15 worst affected states, although it was New York rather than California that topped the list with 68 reported breaches.

State	Breaches
New York	68
California & Texas	52
Florida & Pennsylvania	38
New Jersey	27
Georgia	26
Michigan, Virginia & Washington	24
Ohio	23
Illinois & North Carolina	22
Tennessee	17
Arizona & Maryland	16
Massachusetts & Wisconsin	15
Colorado	14
Connecticut, Indiana & Missouri	13
Alabama	11
Kansas, Oklahoma & South Carolina	9
Arkansas, New Hampshire & West Virginia	8
Nebraska & Oregon	7
Minnesota	6
Utah	5
Delaware, Nevada & Rhode Island	4
Hawaii, Kentucky, Louisiana, Mississippi, Montana, South Dakota, % Vermont	3
Iowa, Idaho, Maine, New Mexico, and Washington D.C.	2
North Dakota & Wyoming	1
Alaska	0

HIPAA Enforcement in 2022

HIPAA is primarily enforced by OCR, with state attorneys general also assisting with HIPAA enforcement. OCR imposed more financial penalties for HIPAA violations in 2022 than in any other year to date, with 22 investigations resulting in settlements or civil monetary penalties.

OCR has limited resources for investigations but does investigate all breaches of 500 or more records. That task has become increasingly difficult due to the increase in data breaches, which have tripled since 2010. Despite the increase in data breaches, OCR’s budget for HIPAA enforcement has hardly increased at all, aside from adjustments for inflation. As of January 17, 2022, OCR had 882 data breaches listed as still under investigation. 97% of all complaints and data breach investigations have been successfully resolved.

Some investigations warrant financial penalties, and while the number of penalties has increased, the penalty amounts for HIPAA violations have been decreasing. Most of the financial penalties in 2022 were under $100,000.

Since 2019, the majority of financial penalties imposed by OCR have been for HIPAA right of access violations, all of which stemmed from complaints from individual patients who had not been provided with their medical records within the allowed time frame. OCR continues to pursue financial penalties for other HIPAA violations, but these penalties are rare.

2022 HIPAA Settlements and Civil Monetary Penalties

Regulated Entity	Penalty Amount	Type of Penalty	Reason
Health Specialists of Central Florida Inc	$20,000	Settlement	HIPAA Right of Access failure
New Vision Dental	$23,000	Settlement	Impermissible PHI disclosure, Notice of Privacy Practices, releasing PHI on social media.
Great Expressions Dental Center of Georgia, P.C.	$80,000	Settlement	HIPAA Right of Access failure (time/fee)
Family Dental Care, P.C.	$30,000	Settlement	HIPAA Right of Access failure
B. Steven L. Hardy, D.D.S., LTD, dba Paradise Family Dental	$25,000	Settlement	HIPAA Right of Access failure
New England Dermatology and Laser Center	$300,640	Settlement	Improper disposal of PHI, failure to maintain appropriate safeguards
ACPM Podiatry	$100,000	Civil Monetary Penalty	HIPAA Right of Access failure
Memorial Hermann Health System	$240,000	Settlement	HIPAA Right of Access failure
Southwest Surgical Associates	$65,000	Settlement	HIPAA Right of Access failure
Hillcrest Nursing and Rehabilitation	$55,000	Settlement	HIPAA Right of Access failure
MelroseWakefield Healthcare	$55,000	Settlement	HIPAA Right of Access failure
Erie County Medical Center Corporation	$50,000	Settlement	HIPAA Right of Access failure
Fallbrook Family Health Center	$30,000	Settlement	HIPAA Right of Access failure
Associated Retina Specialists	$22,500	Settlement	HIPAA Right of Access failure
Coastal Ear, Nose, and Throat	$20,000	Settlement	HIPAA Right of Access failure
Lawrence Bell, Jr. D.D.S	$5,000	Settlement	HIPAA Right of Access failure
Danbury Psychiatric Consultants	$3,500	Settlement	HIPAA Right of Access failure
Oklahoma State University – Center for Health Sciences (OSU-CHS)	$875,000	Settlement	Risk analysis, security incident response and reporting, evaluation, audit controls, breach notifications, & the impermissible disclosure of the PHI of 279,865 individuals
Dr. Brockley	$30,000	Settlement	HIPAA Right of Access
Jacob & Associates	$28,000	Settlement	HIPAA Right of Access, notice of privacy practices, HIPAA Privacy Officer
Dr. U. Phillip Igbinadolor, D.M.D. & Associates, P.A.,	$50,000	Civil Monetary Penalty	Impermissible disclosure on social media
Northcutt Dental-Fairhope	$62,500	Settlement	Impermissible disclosure for marketing, notice of privacy practices, HIPAA Privacy Officer

HIPAA enforcement by state attorneys general is relatively rare. Only three financial penalties were imposed in 2022 by state attorneys general. In these cases, penalties were imposed for violations of the HIPAA Rules and state laws.

State	Regulated Entity	Penalty	Penalty Type	Reason
Oregon/Utah	Avalon Healthcare	$200,000	Settlement	Lack of safeguards and late breach notifications
Massachusetts	Aveanna Healthcare	$425,000	Settlement	Lack of safeguards against phishing
New York	EyeMed Vision Care	$600,000	Settlement	Multiple security failures

The post 2022 Healthcare Data Breach Report appeared first on HIPAA Journal.

PHI of More Than 240K Patients Compromised in 5 Healthcare Data Breaches

Posted January 23, 2023 by HIPAA Journal

A round-up of data breaches that have recently been reported to the HHS’ Office for Civil Rights and state Attorneys General.

BayCare Clinic Announced Pixel-Related Data Breach

The Wisconsin-based healthcare provider, BayCare Clinic, LLP, has recently announced that the protected health information of up to 134,000 of its patients has been impermissibly disclosed to unauthorized third parties as a result of the use of pixels by its partner, Advocate Aurora Health. Advocate Aurora Health previously disclosed a pixel-related data breach that resulted in the personal and protected health information of up to 3 million of its patients being disclosed to third parties such as Google and Meta. The impermissible disclosures occurred when users visited its website and patient portal while logged into either their Google or Facebook accounts.

The types of information involved depended on users’ interactions on the MyChart and LiveWell websites and applications, which may have included the following types of data: IP address, dates, times, and/or locations of scheduled appointments, proximity to a practice location, provider information, type of appointment or procedure, whether the individual had insurance cover, communications between the patient and others through MyChart, which may have included first and last names and medical record numbers, and whether the user had a proxy MyChart account, in which case the first and last name of the proxy may have been disclosed.

Advocate Aurora Health has removed the pixels and will subject all tracking technologies to more stringent checks in the future. Further information on the nature of the breach can be found in this post.

Rhode Island Department of Health Reports Internal Data Breach

The Rhode Island Department of Health (RIDOH) has announced there has been an internal impermissible disclosure of patient information. The breach was discovered on October 21, 2022, with the investigation confirming patient information was impermissibly disclosed between July and October 2022. A hyperlink to a spreadsheet was included in emails sent to employees and the spreadsheet contained information about the individuals who were receiving food deliveries while in isolation or quarantine during the COVID-19 pandemic. The spreadsheet contained information such as names, addresses, phone numbers, household information, delivery information, and information about the specific food needs of those individuals.

Access to the file was immediately restricted when the issue was detected, and a scan was conducted on email accounts to determine whether the emails had been shared. RIDOH said it is not aware of any misuse of the exposed information. Steps have since been taken to prevent further disclosures of this nature, including providing additional training to employees on the handling of sensitive information. Approximately 8,800 individuals were affected.

DCH Health System Discovers Insider Data Breach

Tuscaloosa, AL-based DCH Health System, has recently announced that a former employee has accessed the medical records of patients without authorization. The unauthorized medical record access was discovered by DCH Health on December 9, 2022, during a routine privacy audit. The audit revealed the employee had viewed the medical records of a patient on December 5, 2022, when there was no legitimate work reason for doing so. During the subsequent investigation, DCH Health discovered this was not the first time that medical records had been accessed by the employee, as the privacy violations had been occurring since September 2021. During that time, the records of approximately 2,530 patients were impermissibly accessed. The types of information viewed included names, addresses, birth dates, Social Security numbers, dates of encounters, diagnoses, vital signs, medications, test results, and clinical/provider notes.

DCH Health said the employee was immediately suspended when the first unauthorized access was discovered and was subsequently terminated over the privacy violations. Complimentary identity theft protection services have been offered to affected patients, although DCH Health said there are no indications that any patient information has been or will be misused. DCH Health said employees will continue to be provided with HIPAA and privacy training on appropriate access, and the incident will be used to improve privacy monitoring tools and processes.

Patient Data Compromised in Rundle Eye Care Hacking Incident

Drs. Keith and Herman Rundle have recently confirmed that the protected health information of certain Rundle Eye Care patients has been accessed and potentially obtained by unauthorized individuals. According to the breach notification letters, the attack occurred “recently” and involved patient names, birth dates, and treatment information.

While data theft may have occurred, there are no indications that patient data have been or will be misused. As a precaution against the misuse of patient data, affected patients have been offered complimentary single bureau credit monitoring services for 12 months. Measures have also been taken to strengthen system security.

While ransomware was not mentioned in the breach notice, the Everest Ransomware Group claimed responsibility for the attack and says 30 GB of data was stolen, including tax records, medical records, and prescription forms.

Satellite Healthcare Reports Breach Affecting 95,000 Patients

San Jose, CA-based Satellite Healthcare has recently reported a breach of the PHI of 95,128 patients to the Texas Attorney General, including 22 Texas residents. Few details are available on the breach at this stage as the incident has yet to appear on the website of the California attorney general and there is no notice on the healthcare provider’s website.

What is known is the breach involved protected health information such as names, medical information, health insurance information, and financial information. Notifications have been issued to affected individuals by mail. Satellite Healthcare was contacted for further information on the breach, but no immediate response was received. This post will be updated when further information becomes available.

The post PHI of More Than 240K Patients Compromised in 5 Healthcare Data Breaches appeared first on HIPAA Journal.

Phishing Attack on Washington Therapist Exposes Patients’ PHI

Posted January 19, 2023 by HIPAA Journal

A Washington therapist, Robert S. Miller LICSW, ACSW (RSM), has recently notified 640 current and former clients about a phishing incident that resulted in the exposure of some of their protected health information.

State laws require notifications to be sent to state attorneys general when there has been a breach of the private information of state residents. The notifications typically provide the minimum information about privacy breaches, but in this case, the therapist explained exactly how the phishing attack played out.

RSM had purchased an antivirus solution from the Iolo Software Company, and subsequently purchased an additional encryption program, which had disappeared from his computer. RSM was contacted by a person who claimed to be an Iolo employee who said he was aware that RSM’s computer had been hacked and requested access to clean the computer of viruses and malware. Access to the device was granted. RSM said he discovered this was a scam when the employee requested eBay cards worth $300.

As a result of this incident, that individual had access to the computer from December 2 to December 4, 2022, and potentially obtained files containing names, dates of birth, mailing addresses, email addresses, phone numbers, medical insurance ID numbers, Social Security numbers, and clinical information, which included evaluations, progress notes, mental health rating scales, and letters.

In response to this incident, RSM has taken several steps to prevent similar incidents in the future, including adopting encryption technologies, strengthening passwords, and engaging a third-party software company to review computers and remove any malware that may have been installed. Affected clients have been offered complimentary identity theft protection services.

Email Account Breach Reported by MJ Care

MJ Care, a New Berlin, WI-based provider of rehabilitation and health services, has recently notified 1,832 patients that some of their protected health information has potentially been accessed or obtained by an unauthorized individual. MJ Care did not state when the breach was detected; however, the investigation revealed the email account was accessed between May 31, 2022, and June 24, 2022.

The review of the affected email account concluded on November 2, 2022, and confirmed it contained patient names along with one or more of the following types of information: Social Security numbers, dates of birth, financial account information, credit/debit card information, biometric information, dates of service, treatment/diagnosis information, provider name, medical record numbers, patient numbers, medications, general medical information, and/or health insurance policy information. Notifications were sent to affected individuals on December 29, 2022. Complimentary credit monitoring services have been offered to patients whose Social Security numbers were exposed.

The post Phishing Attack on Washington Therapist Exposes Patients’ PHI appeared first on HIPAA Journal.

Tracking Code Privacy Incident Affects 29,000 Insulet Corporation Customers

Posted January 19, 2023 by HIPAA Journal

The Massachusetts-based medical device company, Insulet Corporation, has recently notified 29,000 of its Omnipod DASH customers about a recent privacy breach. A Medical Device Correction letter was recently sent to customers. Due to the importance of applying the update, a follow-up receipt acknowledgment request was sent via email on December 1, 2022.

The emails included a clickable link that directed customers to a webpage that was used for receipt verification; however, an error was made configuring that website which resulted in an impermissible disclosure of customers’ protected health information. Each customer was sent a unique URL that included their IP address, whether the customer was an Omnipod DASH user, and if they had a Personal Diabetes Manager.

Cookies and trackers embedded in the MDC acknowledgment pages transferred details of the URLs to third-party website performance and marketing partners. Insulet said the privacy violation was discovered on December 6, 2022, and all tracking technologies on the web pages were disabled to prevent further PHI exposure, and requests were sent to Insulet’s marketing partners requesting they delete the logs of the IP addresses and unique URLs.

Minnesota Department of Human Services Employee Error Impacts 4,307 Individuals

A mistake by an employee of the Minnesota Department of Human Services (DHS) has resulted in the impermissible disclosure of the protected health information of 4,307 Minnesota residents. On November 18, 2022, in response to a request from a client for a copy of their own data, the employee accidentally sent the billing statements of 4,307 individuals who were enrolled in Medical Assistance.

The investigation found no evidence to suggest the information was downloaded or misused. The patient who was sent the data notified DHS about the error and said the email would be deleted. The DHS confirmed that highly sensitive information such as Social Security Numbers, banking information, and credit card numbers were not included in the statements. Notification letters were sent to all affected individuals on January 11, 2023.

The post Tracking Code Privacy Incident Affects 29,000 Insulet Corporation Customers appeared first on HIPAA Journal.

Mayo Clinic Settles Lawsuit Alleging Former Employee Viewed Nude Patient Images

Posted January 18, 2023 by HIPAA Journal

Mayo Clinic has settled another lawsuit that stemmed from a data breach involving a former employee, who was discovered to have accessed the records of patients without authorization, including nude images.

In October 2020, Mayo Clinic notified 1,614 patients that some of their protected health information had been viewed by a former employee. That information included demographic information, birth dates, medical record numbers, and clinical notes. The employee was also discovered to have viewed photographs of patients that had been taken for medical purposes, which included nude images.

The employee in question, Ahmad Maher Abdel-Munim Alsughayer, 28, of Saginaw, MI, was a doctor at Mayo Clinic, and terminated his employment in August 2022 around the time that the privacy violations were discovered. The Olmsted County Attorney’s Office opened a criminal investigation into Alsughayer over the privacy violations after a complaint was received from a patient who obtained a copy of her records and discovered they included three nude images that were in her medical records at the time the alleged privacy violations occurred. She obtained the records in response to being notified about the breach.

Alsughayer faces a gross misdemeanor charge for unauthorized computer access. His legal team sought to dismiss the case on the grounds that there was no probable cause to believe the defendant committed the alleged privacy violations; however, those efforts have been unsuccessful. Alsughayer pleaded not guilty to the charges in August 2021. A date has yet to be set for the trial.

At least three lawsuits were filed against Mayo Clinic over the privacy violations. One of those lawsuits was settled out of court with the complainant last year and another – filed in May 2021 – is scheduled to go to trial in September 2023. The third lawsuit, which was filed in November 2020 on behalf of Mayo Clinic patient Olga Ryabchuk, sought class action status for the 1,614 patients whose privacy was violated. That lawsuit was dismissed by an Olmsted County Judge in December after all parties agreed to a settlement, the details of which have not been publicly disclosed.

The post Mayo Clinic Settles Lawsuit Alleging Former Employee Viewed Nude Patient Images appeared first on HIPAA Journal.

Home Care Providers of Texas Announces 124K-Record Data Breach

Posted January 17, 2023 by HIPAA Journal

The Dallas, TX-based home help service provider, Home Care Providers of Texas (HCPT), has recently announced that unauthorized individuals gained access to its network and used ransomware to encrypt files. The security breach was detected on June 29, 2022, when staff members were prevented from accessing files. Leading third-party cybersecurity experts were engaged to investigate the incident and determine the nature and scope of the breach and confirmed that the threat actors had access to its network between June 15, 2022, and June 29, 2022. During that time, files were exfiltrated from the network that contained names, addresses, dates of birth, Social Security numbers, treatment or diagnosis information, and medication information.

The delay in issuing notification letters was due to the lengthy process of reviewing all files potentially accessed or obtained to determine which individuals had been affected. That process was completed on November 15, 2022. Affected individuals have been advised to monitor their credit reports, accounts, and explanation of benefits statements for unauthorized activity. HCPT said steps have since been taken to augment cybersecurity.

The incident has yet to appear on the HHS’ Office for Civil Rights breach portal but has been reported to the Texas Attorney General as affecting 124,363 Texas residents.

Circles of Care, Inc. Hacking Incident Affects 61,170 Individuals

Circles of Care, a Florida-based provider of behavioral care services, has recently announced that employee and patient information was potentially compromised in a September 2022 cyberattack. Suspicious activity was detected within its network on September 21, 2022, with the investigation confirming an unauthorized third party gained access to the network on September 6, 2022.

The forensic investigation confirmed on November 29, 2022, that the unauthorized third party had access to parts of the network that contained patient and employee information such as names, dates of birth, Social Security numbers, addresses, phone numbers, driver’s license numbers, bank routing and account numbers, medical account numbers, provider names, service dates, diagnoses, and medical procedure codes. That information was potentially accessed or acquired, although, at the time of issuing notifications, no reports of misuse of that information have been received. Affected individuals have been advised to be vigilant against incidents of identity theft and fraud by reviewing their account statements and explanation of benefit forms.

The breach has been reported to the HHS’ Office for Civil Rights as affecting up to 61,170 individuals.

Community Health Network Says Tracking Technologies Impermissibly Disclosed PHI of Fishers Digestive Care Patients

Indianapolis, IN-based Community Health Network has recently announced that tracking technologies were used on the website and patient portal of its affiliated organization, Fishers Digestive Care, which resulted in patient data being impermissibly disclosed to third parties. The disclosed information included names, medical record numbers, IP addresses, appointments, insurance coverage, healthcare provider information, and conversations between individuals and others through the MyChart patient portal. The extent to which each individual was affected could not be determined and would have depended on their interactions on the website and patient portal.

Community Health Network previously reported the breach to the Office for Civil Rights as affecting up to 1.5 million patients. It is currently unclear how many Fishers Digestive Care patients have been affected, and whether they are included in the 1.5 million total.

The post Home Care Providers of Texas Announces 124K-Record Data Breach appeared first on HIPAA Journal.

December 2022 Healthcare Data Breach Report

Posted January 16, 2023 by HIPAA Journal

The number of reported healthcare data breaches declined for the second successive month, with 40 data breaches of 500 or more healthcare records reported to the Department of Health and Human Services’ Office for Civil Rights (OCR) in December 2022 – The lowest monthly total of the year and 29.7% fewer data breaches than the average monthly for 2022. The year ended with 683 data breaches, which is a year-over-year reduction of 4.3%. Only one other year has seen a fall in recorded data breaches (2014).

The worst month of 2022 for breached records was followed by the best, with 2,174,592 healthcare records exposed or compromised in December, well below the 2022 average of 3,986,025 records per month and 68.5% fewer breached records than in November. While this is certainly great news, even with this reduction, 2022 was the second worst-ever year for healthcare data breaches with more than 47 million records exposed or compromised from January 1 to December 31, 2022.

Largest Healthcare Data Breaches in December 2022

December saw 13 data breaches of 10,000 or more healthcare records reported to OCR. HIPAA Journal has been unable to obtain information on two of those breaches. Ransomware attacks continue to plague the healthcare industry, with 5 of the 13 largest breaches in December confirmed as involving ransomware, two of which involved the protected health information of more than 600,000 patients. Ransomware attacks on the healthcare industry more than doubled between 2016 and 2021 according to one recent analysis, although it is becoming increasingly difficult to obtain reliable data on the extent to which ransomware is used in cyberattacks due to the lack of standardized reporting. While healthcare organizations of all sizes are being attacked, ransomware gangs tend to focus their efforts on larger healthcare organizations, according to a recent report by Delinea.

Name of Covered Entity	State	Covered Entity Type	Individuals Affected	Cause of Breach
CommonSpirit Health	IL	Business Associate	623,774	Ransomware attack with business associate involvement
Metropolitan Area EMS Authority dba MedStar Mobile Healthcare	TX	Healthcare Provider	612,000	Ransomware attack
Avem Health Partners	OK	Business Associate	271,303	Hacking Incident at a business associate
Southwest Louisiana Health Care System, Inc. d/b/a Lake Charles Memorial Health System	LA	Healthcare Provider	269,752	Ransomware attack
Fitzgibbon Hospital	MO	Healthcare Provider	112,072	Ransomware attack
Monarch	NC	Healthcare Provider	56,155	Hacking Incident – No information released
Ola Equipment LLC	HI	Business Associate	39,000	Hacking Incident – No information released
The Elizabeth Hospice	CA	Healthcare Provider	35,496	An employee sent PHI to a personal email account
Legacy Operating Company d/b/a Legacy Hospice	AL	Healthcare Provider	21,202	Compromised email accounts
Employee Group Insurance Benefits Plan of Acuity Brands, Inc.	GA	Health Plan	20,849	Hacking incident (data theft confirmed)
San Gorgonio Memorial Hospital	CA	Healthcare Provider	16,846	Hacking incident (data theft confirmed)
Hawaiian Eye Center	HI	Healthcare Provider	14,524	Ransomware attack
Foundcare, Inc.	FL	Healthcare Provider	14,194	Compromised email account

Causes of December 2022 Healthcare Data Breaches

Hacking and other IT incidents continue to dominate the breach reports and typically involve many more records than other types of data breaches. In December, 28 incidents were classified as hacking/IT incidents – 70% of the month’s total breaches. 1,965,032 healthcare records were exposed or impermissibly disclosed in those incidents– 90.4% of the month’s breached records. The average breach size was 70,180 records and the median breach size was 4,152 records. 20 of the month’s breaches involved compromised network servers, with 12 incidents involving hacked email accounts.

The risk of email-related data breaches can be greatly reduced by providing regular security awareness training to the workforce, as is required by the HIPAA Security Rule, and by implementing multi-factor authentication, with FIDO-based MFA providing the greatest level of protection. HIPAA-regulated entities should also ensure that their password management practices are kept up to date. A recent audit of the Department of the Interior identified many password management failures, which are all too common in the healthcare industry.

There were 10 unauthorized access/disclosure-related data breaches in December involving 168,386 records. The average breach size was 16,839 records and the median breach size was 1,739 records. There has been a decline in these types of data breaches in recent years as HIPAA training and monitoring of medical record access have improved. There were two loss/theft incidents reported involving 41,174 records. Both of these incidents involved computers/other electronic devices and could have been prevented by encrypting the devices.

December Data Breaches by HIPAA Regulated Entity

Healthcare providers were the worst affected type of HIPAA-regulated entity, with 24 breaches reported of 500 or more records. Business associates reported 11 data breaches and 5 data breaches were reported by 5 health plans. Two of the data breaches reported by healthcare providers had business associate involvement but were reported by the healthcare provider. The chart below shows the breakdown based on where the breach occurred.

States Affected by December 2022 Data Breaches

Healthcare data breaches were reported by HIPAA-regulated entities in 22 states. California was the worst affected with 4 reported breaches.

State	Reported Data Breaches
California	4
Florida, New York, Texas & Washington	3
Georgia, Hawaii, Illinois, Massachusetts, Missouri, South Dakota & Virginia	2
Alabama, Connecticut, Louisiana, Maryland, North Carolina, Nebraska, Oklahoma, Rhode Island, Wisconsin & West Virginia	1

HIPAA Enforcement Activity in 2022

OCR closed the year with two financial penalties to resolve alleged HIPAA violations. Health Specialists of Central Florida’s case stemmed from an investigation into a HIPAA Right of Access violation over the failure to provide a woman with a copy of her deceased father’s medical records. The records were provided, but there was a 5-month delay. Health Specialists of Central Florida settled the case and paid a $20,000 financial penalty. This was the 42^nd financial penalty to be imposed under OCR’s HIPAA Right of Access enforcement, which was launched in 2019.

New Vision Dental in California was one of just two healthcare providers to settle a HIPAA violation case with OCR in 2022 that did not involve a HIPAA Right of Access violation. OCR investigated New Vision Dental in response to complaints that patient information was being impermissibly disclosed online in response to negative reviews on Yelp. OCR also identified a Notice of Privacy Practices failure. The case was settled for $23,000. Including these two penalties, OCR resolved 22 HIPAA violation cases with settlements and civil monetary penalties in 2022, more than any other year since OCR was given the authority to impose financial penalties for HIPAA violations.

State Attorneys General also have the authority to impose financial penalties for HIPAA violations. In December, a joint investigation by Oregon and Utah resulted in a financial penalty for Avalon Healthcare over a phishing attack. Avalon Healthcare was determined to be in violation of the HIPAA Security and Breach Notification Rules and state laws due to a lack of appropriate safeguards to protect against phishing attacks and an unreasonable delay in sending breach notification letters, which were issued 10 months after the breach was detected. The case was settled for $200,000. This was one of three enforcement actions by state attorneys general in 2022 to resolve HIPAA violations.

The post December 2022 Healthcare Data Breach Report appeared first on HIPAA Journal.

Daily HIPAA News, HIPAA RSS Feeds, HIPAA Information