HIPAA Breach News

April 2023 Healthcare Data Breach Report

There was a 17.5% month-over-month fall in the number of reported healthcare data breaches with 52 breaches of 500 or more records reported to the HHS’ Office for Civil Rights (OCR) – less than the 12-month average of 58 breaches per month, and one less than in April 2022.

April 2023 Healthcare Data Breaches

One of the largest healthcare data breaches of the year was reported in April, but there was still a significant month-over-month reduction in breached records, which fell by 30.7% to 4,425,891 records. The total is less than the 12-month average of 4.9 million records a month, although more than twice the number of records that were breached in April 2022.

Healthcare records breached in the last 12 months - April 2023

Largest Healthcare Data Breaches Reported in April 2023

As previously mentioned, April saw a major data breach reported that affected 3,037,303 individuals – the third largest breach to be reported by a single HIPAA-covered entity so far this year, and the 19th largest breach to be reported by a single HIPAA-regulated entity to date. The breach occurred at the HIPAA business associate NationsBenefits Holdings and was a data theft and extortion attack by the Clop ransomware group involving the Fortra GoAnywhere MFT solution. 8 of the month’s 21 breaches of 10,000 or more records were due to these Clop attacks, including the top 5 breaches in April. Brightline Inc. was also hit hard by those attacks, which were reported separately for each covered entity client (9 reports). Together, the attacks on Brightline involved the PHI of more than 964,000 individuals.

18 of the 21 breaches of 10,000 or more records were hacking incidents. The remaining three breaches were unauthorized disclosures of protected health information, one due to tracking technologies and the other two due to mailing errors. While ransomware and data theft/extortion attacks dominated the breach reports, phishing, business email compromise, and other email account breaches are common, with 5 of the top 21 breaches involving hacked email accounts. End-user security awareness training is recommended to reduce susceptibility to these attacks and multifactor authentication should be implemented on all email accounts, ideally using phishing-resistant multifactor authentication.

Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Location of Breached Information | Breach Cause
--- | --- | --- | --- | --- | ---
NationsBenefits Holdings, LLC | FL | Business Associate | 3,037,303 | Network Server | Hacking and extortion (Fortra GoAnywhere MFT)
Brightline, Inc. | CA | Business Associate | 462,241 | Network Server | Hacking and extortion (Fortra GoAnywhere MFT)
Brightline, Inc. | CA | Business Associate | 199,000 | Network Server | Hacking and extortion (Fortra GoAnywhere MFT)
Brightline, Inc. | CA | Business Associate | 180,694 | Network Server, Other | Hacking and extortion (Fortra GoAnywhere MFT)
California Physicians’ Services d/b/a Blue Shield of California | CA | Business Associate | 61,790 | Network Server | Hacking and extortion (Fortra GoAnywhere MFT)
MiniMed Distribution Corp. | CA | Healthcare Provider | 58,374 | Network Server | Unauthorized disclosure of PHI to Google and other third parties (Tracking code)
Brightline, Inc. | CA | Business Associate | 49,968 | Network Server, Other | Hacking and extortion (Fortra GoAnywhere MFT)
United Steelworkers Local 286 | PA | Health Plan | 37,965 | Email | Hacked email account
Retina & Vitreous of Texas, PLLC | TX | Healthcare Provider | 35,766 | Network Server | Hacking incident
Brightline, Inc. | CA | Business Associate | 31,440 | Network Server | Hacking and extortion (Fortra GoAnywhere MFT)
Brightline, Inc. | CA | Business Associate | 21,830 | Network Server | Hacking and extortion (Fortra GoAnywhere MFT)
Iowa Department of Health and Human Services – Iowa Medicaid Enterprise (Iowa HHS-IME) | IA | Health Plan | 20,815 | Network Server | Hacking incident at business associate (Independent Living Systems)
Lake County Health Department and Community Health Center | IL | Healthcare Provider | 17,000 | Email | Hacked email account
Southwest Healthcare Services | ND | Healthcare Provider | 15,996 | Network Server | Hacking incident (data theft confirmed)
La Clínica de La Raza, Inc. | CA | Healthcare Provider | 15,316 | Email | Hacked email accounts
St. Luke’s Health System, Ltd. | ID | Healthcare Provider | 15,246 | Paper/Films | Mailing error
Two Rivers Public Health Department | NE | Healthcare Provider | 15,168 | Email | Hacked email account
Robeson Health Care Corporation | NC | Healthcare Provider | 15,045 | Network Server | Malware infection
Northeast Behavioral Health Care Consortium | PA | Health Plan | 13,240 | Email | Hacked email account (Phishing)
Centers for Medicare & Medicaid Services | MD | Health Plan | 10,011 | Paper/Films | Mailing error at business associate (Palmetto GBA)
Modern Cardiology Associates | PR | Healthcare Provider | 10,000 | Network Server | Hacking incident

Causes of April 2023 Healthcare Data Breaches

Hacking and other IT incidents continue to dominate the breach reports, accounting for 36 of the month’s breaches (69.2%) and the vast majority of the breached records. Across those incidents, 4,077,019 healthcare records were exposed or stolen – 92.1% of the records that were breached in April. The average breach size was 119,914 records and the median breach size was 9,675 records.

April 2023 Healthcare data breach causes

Ransomware attacks continue to be conducted, but there has been a notable shift in tactics, with many ransomware gangs opting for data theft and extortion without encrypting files, as was the case with the attacks conducted by the Clop ransomware group, which exploited a zero-day vulnerability in the Fortra GoAnywhere MFT solution. The BianLian threat group has previously conducted attacks using ransomware, but this year has been primarily conducting extortion-only attacks, which are quieter and faster. 12 of the month’s breaches (40%) involved hacked email accounts, highlighting the importance of security awareness training and multifactor authentication.

There were 13 unauthorized access/disclosure incidents in April, including a 58K-record incident involving tracking technologies that transferred sensitive data to third parties such as Google, instances of paper records not being secured, and PHI that had been exposed over the Internet. Across those 13 breaches, 105,155 records were impermissibly disclosed. The average breach size was 8,089 records and the median breach size was 1,304 records.

There were two theft incidents involving 3,321 records in total and one improper disposal incident. The improper disposal incident was reported as involving 501 records – a placeholder commonly used to meet the Breach Notification Rule reporting deadline when the total number of individuals affected has yet to be determined. As the chart below shows, the majority of incidents involved ePHI stored on network servers and in email accounts.

Location of PHI in April 2023 healthcare data breaches

Where Did the Breaches Occur?

The raw data on the OCR breach portal shows the reporting entity, which in some cases is a HIPAA-covered entity when the breach actually occurred at a business associate. The breach portal shows 31 data breaches were reported by healthcare providers, 8 by health plans, and 13 by business associates. The charts below are based on where the breach occurred, rather than the entity that reported the data breach, to better reflect the extent to which data breaches are occurring at business associates.

April 2023 healthcare data breaches by HIPAA-regulated entity type

While healthcare providers were the worst affected HIPAA-regulated entity, the majority of the month’s breached records were due to data breaches at business associates.

Records exposed or stolen in April 2023 healthcare data breaches by HIPAA-regulated entity type

Geographical Distribution of April 2023 Healthcare Data Breaches

Data breaches of 500 or more records were reported by HIPAA-regulated entities in 25 states and Puerto Rico. California was the worst affected state with 16 breaches; 9 of those were the same incident, reported separately for each client by Brightline Inc., which is why the breach count was so high for California this month.

State | Breaches
--- | ---
California | 16
Florida | 4
New York & Pennsylvania | 3
Illinois, Kentucky, Ohio, & Texas | 2
Alabama, Arizona, Idaho, Iowa, Indiana, Maryland, Michigan, Minnesota, Nebraska, North Carolina, North Dakota, Oregon, Utah, Virginia, Washington, West Virginia, Wisconsin & Puerto Rico | 1

HIPAA Enforcement Activity in April 2023

No HIPAA enforcement actions were announced by OCR or state attorneys general in April 2023 to resolve violations of HIPAA and state laws, and no Health Breach Notification Rule enforcement actions were announced by the Federal Trade Commission.

The post April 2023 Healthcare Data Breach Report appeared first on HIPAA Journal.

5 Healthcare Providers Suffer PHI Breaches

The Edinburg, TX-based internal medicine specialists, ASAS Health, have recently notified 25,527 individuals about a hacking incident that exposed some of their sensitive protected health information. Suspicious network activity was detected on March 9, 2023, and immediate action was taken to secure the network. A forensic investigation confirmed that hackers had access to parts of its network that contained patient information. The breach notifications do not disclose the nature of the incident or for how long the hackers had access to its systems.

ASAS Health said it was not possible to definitively determine if patient data was accessed or stolen, but data may have been compromised. The review of the affected files confirmed they contained information such as names, date of birth, addresses, phone numbers, email addresses, driver’s license numbers, Social Security numbers, diagnoses, disability codes, Medicare ID numbers, and health plan carrier information.

The breach report that was sent to the Maine Attorney General indicates credit monitoring services have been offered. Affected individuals have also been advised to monitor their accounts and report any suspicious activity, and to be wary of phishing attempts and emails and documents allegedly sent from ASAS Health. ASAS Health said it will continue to refine its security protocols and maintain a robust information security program.

Methodist Family Health Affected by Data Breach at Business Associate

Little Rock, AR-based Methodist Family Health has confirmed that patient data was exposed in a security breach at one of its business associates. The business associate was used to provide pharmacy services and was provided with patient data to perform the contracted duties. The business associate detected a security breach on March 6, 2023, and the investigation confirmed its systems were accessed on March 4, 2023.

Methodist Family Health has confirmed that the unauthorized access has been blocked and additional security measures have been deployed to prevent similar incidents in the future. The compromised documents contained information such as names, addresses, birth dates, admission/treatment dates, account numbers, diagnoses, service charges, and medication information. The breach has recently been reported to the HHS’ Office for Civil Rights as affecting 5,259 individuals.

People Incorporated of Sequoyah County Suffers Ransomware Attack

People Incorporated of Sequoyah County (People Inc), a Sallisaw, OK-based provider of behavioral health, addiction recovery, and anger management services, has discovered an unauthorized third party gained access to the sensitive data of 8,725 current and former patients in a recent ransomware attack.

The incident was detected by People Inc on March 6, 2023, and the forensic investigation confirmed that an unauthorized individual had access to certain systems between March 2 and March 6, 2023, during which time files were exfiltrated that contained patient data. The files contained names, Social Security numbers, care plans, scheduling information, and billing information.

Notification letters have recently been mailed and affected individuals have been offered complimentary credit monitoring and identity theft protection services. People Inc said it has strengthened system security to prevent similar incidents in the future.

Email Account Breach at Lake County Health Department and Community Health Center

Lake County Health Department and Community Health Center in Illinois have notified 1,700 patients that some of their personal and health information has potentially been compromised due to an email security breach. The security incident was detected on March 6, 2023, and the investigation confirmed that an email account had been accessed by an unauthorized individual.

A third-party digital forensics firm was engaged to investigate the incident and found no evidence of data transfers from the email account; however, unauthorized access to patient information could not be ruled out. The review of the account revealed the email account contained partially de-identified PHI concerning Lake County residents who may have had a communicable disease or a disease that was part of a cluster or outbreak that was investigated by the health department between April 23, 2012, and March 6, 2023.

The exposed information included one or more of the following types of information: names, addresses, zip codes, date of birth, gender, phone number, email address, medical record number, diagnoses or conditions, lab results, and other treatment information. Additional email security safeguards have now been implemented and further cyber security training has been provided to the workforce.

Oyate Health Center Notifies Patients About Impermissible PHI Disclosure

Oyate Health Center in South Dakota has discovered an unintended impermissible disclosure of the protected health information of 575 patients. The information related to pharmacy visits between August 31, 2021, and September 8, 2021.

When Oyate Health Center moved to a new clinic location, boxes of surplus supplies were donated to community organizations. On March 7, 2023, one of those organizations opened one of the boxes and found a weekly pharmacy visit report, which was a list of patients with their chart number, date of visit, and a diagnosis code related to the prescription they were filling. The list was seen by two people at the non-profit organization, and the list was then locked in a secure location until it could be collected.

Under HIPAA this is classed as an impermissible disclosure. Oyate Health Center said it has no reason to believe the list was viewed by anyone else and does not believe the information has been missed. In response to the incident, new internal controls, policies, and procedures have been implemented and the affected individuals have been notified.


Oklahoma Institute of Allergy Asthma and Immunology Halts Operations After Cyberattack

The Oklahoma Institute of Allergy Asthma and Immunology was forced to cease trading while it recovered from a cyberattack, with patients forced to wait to receive medical care or seek treatment at other facilities. The asthma and allergy clinic has been closed for at least two weeks as a result of the attack, but the closure appears to be temporary. The clinic furloughed staff while systems were shut down and efforts are being made to restore systems. The closure was necessary as the clinic was unable to access patient records. The clinic has yet to upload a breach notification to its website or report the breach to regulators, so the extent to which patient data has been compromised is not yet known.

Larger healthcare providers may temporarily divert ambulances and cancel some appointments following a ransomware attack but do not typically halt operations, but smaller healthcare providers may be left with little alternative. Recently, Murfreesboro Medical Clinic & SurgiCenter in Tennessee halted operations for two weeks while recovering from a cyberattack, and a 2022 survey indicated 25% of healthcare organizations would be forced to temporarily halt operations in the event of a ransomware attack.

Uintah Basin Healthcare Hacking Incident Affects Almost 104,000 Patients

The Roosevelt, UT-based health system, Uintah Basin Healthcare, has discovered hackers gained access to its network and may have viewed or obtained the protected health information of 103,974 patients. Suspicious network activity was detected on November 7, 2022, and its digital environment was immediately secured. Third-party cybersecurity experts were engaged to investigate the breach and determined on or around April 7, 2023, that patient data was potentially accessed. The breach notification letter does not state when access to the network was first gained.

The review of the affected files confirmed they contained a range of PHI, which varied from individual to individual. That information related to patients who had received healthcare services between March 2012 and November 2022. The information exposed included names, addresses, dates of birth, Social Security numbers, health insurance information, diagnoses/conditions, medications, test results, and procedure information. The notification process was completed on April 10, 2023.

Complimentary credit monitoring and identity protection services have been offered to affected individuals, and security has been improved to prevent similar incidents in the future, including the deployment of the SentinelOne endpoint detection and response (EDR) tool, which includes 24/7 monitoring.

Asian Health Services Reports Email Account Breach

Asian Health Services in Oakland, CA, has recently alerted patients about a recent data security incident involving an employee’s email account. Suspicious activity was detected in the account on February 13, 2023. The account was immediately secured to prevent further unauthorized access and a forensic investigation was conducted to determine the extent of the incident. The email account was determined to have been compromised between February 7, 2023, and February 13, 2023, with the review of emails and attachments confirming they contained names, medical record numbers, dates of birth, phone numbers, and health information such as diagnoses.

Asian Health Services did not find any evidence to indicate patient data had been compromised but the possibility could not be ruled out. Affected individuals have been offered complimentary credit monitoring, fraud assistance, and remediation services for 12 months. Asian Health Services said a third-party cybersecurity firm has confirmed that the email account can no longer be accessed, and additional email safeguards have been implemented to provide an additional layer of protection.

New Mexico Department of Health Reports Impermissible Disclosure of PHI

The New Mexico Department of Health has recently confirmed there has been an impermissible disclosure of the protected health information of 49,000 deceased patients to a journalist. The journalist requested information subject to the Inspection of Public Records Act and was sent a spreadsheet that included all deaths in New Mexico from January 2020 to December 2021. It was later discovered that the spreadsheet contained protected health information that should not have been disclosed. The Department of Health said the spreadsheet did not contain names, birthdates, addresses, or contact information.


Debt Collection Agency Data Breach Affects Many Healthcare Providers

R&B Corporation of Virginia, doing business as Credit Control Corporation (CCC), has recently reported a data breach to the Maine Attorney General that has affected 286,699 individuals. CCC is a debt collection agency and business associate of many hospitals and doctor’s offices. The Newport News, VA-based debt collection agency said it detected suspicious activity within its computer systems on March 7, 2023. Its IT systems were immediately isolated, and a forensic investigation was conducted to determine the nature and scope of the activity. On or around March 14, 2023, CCC determined that unauthorized individuals had accessed its systems and copied files that contained sensitive data. The intrusion was determined to have occurred from March 2, 2023, to March 7, 2023.

An initial review of the compromised files was completed on May 3, 2023, which confirmed that the files contained information such as names, addresses, and Social Security numbers. Affected individuals were notified by mail on May 15, 2023. Complimentary credit monitoring services have been offered to affected individuals. CCC said it regularly reviews its data security policies, procedures, and practices and will continue to do so, has augmented its security safeguards to better protect patient data, and has increased the frequency of employee training on the importance of safeguarding data.

Healthcare providers known to have been affected by the breach include:

  • Atlantic Orthopaedic Specialists
  • Bayview Physicians Group
  • Chesapeake Radiology
  • Chesapeake Regional Medical Center
  • Children’s Hospital of the King’s Daughters Health System and its Affiliates
  • Children’s Specialty Group
  • Dominion Pathology Laboratories
  • Emergency Physicians of Tidewater
  • Mary Washington Healthcare
  • Medical Center Radiology
  • Pariser Dermatology Specialists, Inc
  • Riverside Health System
  • Sentara Health System
  • Tidewater Physicians Multispecialty Group
  • UVA Health System
  • Valley Health System
  • VCU Health System


NextGen Healthcare Facing Multiple Class Action Data Breach Lawsuits

A healthcare data breach of 1 million+ records is certain to result in multiple lawsuits, and the data breach experienced by NextGen Healthcare is no exception. The data breach was only disclosed by NextGen on May 5, but at least a dozen lawsuits have already been filed in federal court in Georgia over the breach.

The data breach was the result of a hacking incident involving stolen credentials, which allowed unauthorized individuals to access a database that contained sensitive patient data such as names, addresses, dates of birth, and Social Security numbers. The investigation determined that the credentials stolen by the hackers came from other sources and did not appear to have been stolen from NextGen. The breach was detected by NextGen on March 30, 2023, and the forensic investigation confirmed hackers had access to its network between March 29, 2023, and April 14, 2023. This was the second data breach to be reported by NextGen this year, with the earlier incident being a BlackCat ransomware attack. NextGen told the Maine Attorney General that 1,049,375 individuals had been affected, and complimentary credit monitoring services have been offered to affected individuals.

The lawsuits were all filed in the United States District Court for the Northern District of Georgia, Atlanta Division, and make similar allegations – that NextGen was negligent for failing to safeguard the sensitive data of patients. The lawsuits claim NextGen was or should have been aware of the high risk of data breaches, as multiple warnings have been issued by federal agencies about cybersecurity threats targeting the healthcare sector and there have been extensive media reports about healthcare data breaches. Further, NextGen had suffered a ransomware attack just a few weeks previously and should have known that security needed to be improved.

The lawsuits also take issue with the length of time it took to contain the breach (two weeks after the intrusion was detected), the length of time it took to issue notification letters to affected individuals, and the failure to disclose sufficient facts about the data breach in those notification letters to allow the victims to determine the level of risk they face. The lawsuits allege the victims of the breach have already suffered harm and will continue to do so, and face a continuing risk of identity theft and fraud for years to come. The lawsuits seek class action status, a jury trial, damages, legal costs, and injunctive relief, including an order from the court to prohibit NextGen from engaging in unlawful practices and for improvements to be made to its data security practices.


Almost 6 Million Individuals Affected by PharMerica Data Breach

In April 2023, the Money Message ransomware group announced it had breached the systems of PharMerica and its parent company, BrightSpring Health Services, and added both to its data leak site. The group claimed to have exfiltrated databases containing 4.7 million terabytes of data which included the records of more than 2 million individuals. PharMerica has now confirmed the extent of the data breach.

PharMerica is one of the largest providers of pharmacy services in the United States, operating more than 2,500 facilities and over 3,100 pharmacy and healthcare programs. PharMerica and BrightSpring have now completed their investigation, have confirmed that there was unauthorized access to sensitive patient information, and have reported the data breach to the Maine Attorney General as affecting 5,815,591 individuals. That makes it the largest healthcare data breach to be reported by a single HIPAA-covered entity so far in 2023.

PharMerica explained in its notification letters that suspicious activity was detected within its computer network on March 14, 2023. The network was isolated, and an investigation was conducted to determine the nature and scope of the intrusion. Assisted by third-party cybersecurity experts, PharMerica determined that “an unknown third party” accessed its computer systems between March 12 and March 13, 2023, and that personal information may have been obtained from its systems during that time frame.

By March 21, 2023, PharMerica had determined that the compromised information included names, addresses, birth dates, Social Security numbers, medication information, and health insurance information. PharMerica made no mention of a ransomware attack nor any publication of data online but did state that “we have no reason to believe that anyone’s information has been misused for the purpose of committing fraud or identity theft.”

Affected individuals have been notified and offered complimentary credit monitoring and identity theft protection services for 12 months. Patients and executors of deceased patients’ estates have been advised to contact any one of the three national credit reporting agencies and to ensure the individual’s credit file is marked as ‘deceased – do not issue credit’, or for the credit reporting agency to make a notation on the individual’s credit file to notify an individual (such as a family member/next of kin) and/or law enforcement if an application is made for credit. PharMerica says it has implemented additional technical cybersecurity safeguards to prevent similar incidents in the future.


EyeMed Vision Care Settles Multistate Data Breach Investigation for $2.5 Million

In June 2020, the Luxottica Group PIVA-owned vision insurance company, EyeMed Vision Care, experienced a data breach involving the protected health information (PHI) of 2.1 million patients. An unauthorized individual gained access to an employee email account that contained approximately 6 years of personal and medical information including names, contact information, dates of birth, Social Security numbers, vision insurance account/identification numbers, medical diagnoses and conditions, and treatment information. The unauthorized third party then used the email account to distribute around 2,000 phishing emails.

State attorneys general have the authority to investigate data breaches and can fine organizations for HIPAA violations. A multi-state investigation was launched by state attorneys general in Oregon, New Jersey, and Florida into the EyeMed data breach, and Pennsylvania later joined the multistate action. The state attorneys general sought to establish whether the data breach was preventable and if it was the result of a failure to comply with the HIPAA Security Rule and state data protection laws.

The investigation identified data security failures that violated HIPAA and state laws. Under HIPAA and state data protection laws, entities that collect, maintain, or handle sensitive personal and medical information are required to implement administrative, technical, and physical safeguards to ensure the confidentiality, integrity, and availability of that information, yet those safeguards were found to be lacking at EyeMed. The investigation revealed a failure to ensure all individuals with access to protected health information had a unique login and password. Several EyeMed employees were found to be sharing a single password for an email account that was used to communicate sensitive information, including PHI related to vision benefits enrollment and coverage.

Under the terms of the settlement, EyeMed agreed to pay a financial penalty of $2.5 million which will be shared between Oregon, New Jersey, Florida, and Pennsylvania. The settlement also requires EyeMed to ensure compliance with state consumer protection acts, state personal information protection acts, and HIPAA law, and ensure EyeMed does not misrepresent the extent to which it maintains and protects the privacy, security, or confidentiality of consumer information.

The data security requirements of the settlement include the development, implementation, and maintenance of a written information security program; maintenance of reasonable policies and procedures governing the collection, use, and retention of patient information; and maintenance of appropriate controls to manage access to all accounts that receive and transmit sensitive information. “New Jerseyans trusted EyeMed with their vision care and their personal information only to have that trust broken by the company’s poor security measures,” said Attorney General Platkin, who co-led the investigation. “This is more than just a monetary settlement, it’s about changing companies’ behavior to better protect crucial patient data.”

The Office of the New York Attorney General also investigated EyeMed over the data breach and entered into a separate settlement agreement last year, which required EyeMed to pay a $600,000 penalty. In October 2022, a $4.5 million settlement was agreed between EyeMed and the New York Department of Financial Services (NYDFS) to resolve alleged violations of the NYDFS (Part 500) cybersecurity regulations. The security failures included not limiting employee access privileges to email accounts for 9 employees, a partial rollout of multifactor authentication, risk assessment failures, the lack of a sufficient data minimization strategy, and inaccurate submissions of compliance with Part 500 for four years. The settlements with NYDFS and the New York Attorney General also had data security requirements, including the implementation and maintenance of a comprehensive information security program, encryption of data, multi-factor authentication for all administrative and remote access accounts, and penetration testing.

HIPAA compliance investigations by state attorneys general are independent of the HHS’ Office for Civil Rights (OCR), which may also choose to impose civil monetary penalties for HIPAA violations. No penalty has been announced by OCR as of May 2023 and the incident is marked as closed on the OCR breach portal.

The post EyeMed Vision Care Settles Multistate Data Breach Investigation for $2.5 Million appeared first on HIPAA Journal.

OCR Fines Arkansas Business Associate $350,000 for Impermissibly Disclosing ePHI

The HHS’ Office for Civil Rights (OCR) has agreed to settle a HIPAA investigation of an Arkansas business associate that impermissibly disclosed the electronic protected health information (ePHI) of more than 230,000 individuals after failing to secure a File Transfer Protocol (FTP) server. MedEvolve, Inc. is a Little Rock, AR-based HIPAA business associate that provides practice management, revenue cycle management, and practice analytics software to HIPAA-regulated entities. The nature of MedEvolve’s business means it has access to ePHI from its HIPAA-regulated entity clients. Under HIPAA, MedEvolve is required to ensure that information is safeguarded at all times.

In July 2018, MedEvolve informed OCR that an error had been made configuring an FTP server. MedEvolve’s investigation revealed the server contained the ePHI of 230,572 individuals, which could be freely accessed over the Internet without authentication. The breach affected two HIPAA-regulated entities: Premier Immediate Medical Care, LLC (204,607 individuals) and Dr. Beverly Held (25,965 individuals). The exposed information included names, billing addresses, telephone numbers, health insurer information, doctor’s office account numbers, and, for some individuals, Social Security numbers.
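The failure described above is an FTP server that accepted connections from the Internet without requiring credentials. The check a practitioner would run against their own Internet-facing hosts is an anonymous-login probe. The following is an added example, not code from MedEvolve or HIPAA Journal: it uses only the Python standard library, and the in-process fake FTP server, its responses, and the loopback host and ports are constructed here purely so the probe can be exercised offline.

```python
"""Probe an FTP endpoint for anonymous (unauthenticated) access.

Added example. The target host/port and the FakeFtpServer below are
assumptions/constructed for illustration; nothing here reflects the
real MedEvolve system.
"""
import ftplib
import socket
import threading


def anonymous_ftp_allowed(host: str, port: int = 21, timeout: float = 5.0) -> bool:
    """Return True if the server accepts the conventional anonymous login.

    Sends USER anonymous / PASS <bogus e-mail>. A 5xx reply (e.g. 530 Login
    incorrect) means credentials are enforced and returns False. Network
    errors (nothing listening, timeout) propagate to the caller so that
    "unreachable" is never confused with "secured".
    """
    ftp = ftplib.FTP(timeout=timeout)
    ftp.connect(host, port)                     # raises OSError if closed
    try:
        ftp.login("anonymous", "scan@example.invalid")
        return True                             # 230 Login successful
    except ftplib.error_perm:
        return False                            # 530 or similar rejection
    finally:
        try:
            ftp.quit()                          # polite QUIT, expect 221
        except ftplib.all_errors:
            ftp.close()                         # server hung up first


class FakeFtpServer(threading.Thread):
    """Minimal single-connection FTP control channel, constructed for this
    example. It only understands USER/PASS/QUIT, which is all the login
    path above needs; no data channel (PASV/LIST) is implemented."""

    def __init__(self, allow_anonymous: bool):
        super().__init__(daemon=True)
        self.allow_anonymous = allow_anonymous
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.bind(("127.0.0.1", 0))       # ephemeral loopback port
        self._sock.listen(1)
        self.port = self._sock.getsockname()[1]

    def run(self):
        conn, _ = self._sock.accept()
        with conn:
            conn.sendall(b"220 FTP service ready.\r\n")   # greeting banner
            for raw in conn.makefile("rb"):
                cmd = raw.decode("ascii", "replace").strip().upper()
                if cmd.startswith("USER"):
                    conn.sendall(b"331 Please specify the password.\r\n")
                elif cmd.startswith("PASS"):
                    if self.allow_anonymous:
                        conn.sendall(b"230 Login successful.\r\n")
                    else:
                        conn.sendall(b"530 Login incorrect.\r\n")
                elif cmd.startswith("QUIT"):
                    conn.sendall(b"221 Goodbye.\r\n")
                    break
                else:
                    conn.sendall(b"502 Command not implemented.\r\n")
        self._sock.close()


def scan(targets):
    """Classify (host, port) pairs as open, authenticated, or unreachable."""
    findings = {}
    for host, port in targets:
        try:
            open_ = anonymous_ftp_allowed(host, port)
            findings[(host, port)] = "ANONYMOUS-ACCESS" if open_ else "auth-required"
        except ftplib.all_errors as exc:
            findings[(host, port)] = f"unreachable ({type(exc).__name__})"
    return findings


def demo():
    """Run the probe against one permissive and one locked-down fake server."""
    open_srv, locked_srv = FakeFtpServer(True), FakeFtpServer(False)
    open_srv.start()
    locked_srv.start()
    results = scan([("127.0.0.1", open_srv.port), ("127.0.0.1", locked_srv.port)])
    open_srv.join(5)
    locked_srv.join(5)
    return {"open": results[("127.0.0.1", open_srv.port)],
            "locked": results[("127.0.0.1", locked_srv.port)]}


if __name__ == "__main__":
    print(demo())
```

The probe only confirms that an anonymous login is accepted; it does not enumerate what is listable or downloadable, and a server that rejects `anonymous` can still be exposed through weak or shared passwords. Plain FTP also carries credentials and file contents in cleartext, so an Internet-facing FTP endpoint handling ePHI warrants review even when the login check passes.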

OCR launched an investigation and identified three potential violations of the HIPAA Rules: An impermissible disclosure of the ePHI of 230,572 individuals – 45 C.F.R. § 164.502(a); a failure to enter into a business associate agreement with a subcontractor – 45 C.F.R. § 164.502(e)(1)(ii); and an insufficiently thorough and accurate assessment of potential risks to the confidentiality, integrity, and availability of ePHI – 45 C.F.R. § 164.308(a)(1)(ii)(A).

MedEvolve chose to settle the case with no admission of liability or wrongdoing and paid a financial penalty of $350,000. The settlement also includes a corrective action plan that requires MedEvolve to conduct accurate and thorough risk assessments; implement risk management plans to address identified risks; develop, implement, and maintain policies and procedures to comply with the HIPAA Privacy and Security Rules; and improve its workforce HIPAA and security training program.

“Ensuring that security measures are in place to protect electronic protected health information where it is stored is an integral part of cybersecurity and the protection of patient privacy,” said OCR Director Melanie Fontes Rainer. “HIPAA-regulated entities must ensure that they are not leaving patient health information unsecured on network servers available to the public via the Internet.”

This is the fourth HIPAA penalty to be imposed by OCR this year and follows a $15,000 settlement with David Mente, MA, LPC, and a $16,500 settlement with Life Hope Labs, LLC, to resolve HIPAA Right of Access violations, and a $1,250,000 settlement with Banner Health to resolve multiple HIPAA Security Rule violations.

The post OCR Fines Arkansas Business Associate $350,000 for Impermissibly Disclosing ePHI appeared first on HIPAA Journal.
