HIPAA Breach News

California Appellate Court Confirms Trial Court’s Decision to Toss Class Action Insider Breach Lawsuit

A Californian appellate court has recently confirmed the decision of the lower court to deny class action status for a lawsuit filed against a Californian healthcare provider over an insider data breach that affected 5,485 patients.

In May 2018, the healthcare provider – Muir Medical Group IPA – discovered a former employee had accessed and copied the records of patients before leaving employment and took patient information to her new employer. The investigation determined the breach occurred in December 2017 and affected patients who received treatment between November 2013 and February 2017. The information copied by the employee included names, contact information, treatment information, and other sensitive data.

A lawsuit was filed in the wake of the breach – Vigil v. Muir Medical Group IPA, Inc. – that alleged negligence and violations of the Confidentiality of Medical Information Act (CMIA), the Customer Records Act, and unlawful business practices under the Unfair Competition Law. The lawsuit also alleged violations of the Security Management Process standard of HIPAA, as the employee should not have been able to access the records of many of the patients.

Class action status for the lawsuit was rejected by the trial court, as the claims made by the plaintiff were deemed to be deficient. The court determined the plaintiff’s claims hinged on the alleged CMIA violation. The trial court found the predominance-of-common-questions requirement was not met: under CMIA, individualized inquiries would be required to prove the defendant’s liability and damages to each of the affected patients, because liability is predicated on whether each class member’s records were actually viewed, and that question, based on the facts, was not capable of resolution in the aggregate.

The decision was appealed, but the appellate court sided with the defendant, confirming that class action status could not be granted because the plaintiff was unable to show an unauthorized third party had viewed the records of each class member; liability was therefore an individualized issue and class certification was not appropriate. The appellate court also ruled the plaintiff had no viable claim under CMIA due to failure to demonstrate the healthcare provider had negligently maintained or stored patient information and then lost that information due to its negligence.

The post California Appellate Court Confirms Trial Court’s Decision to Toss Class Action Insider Breach Lawsuit appeared first on HIPAA Journal.

RIPTA, UnitedHealthcare of New England Sued Over 2021 Data Breach

The American Civil Liberties Union of Rhode Island (ACLU of RI) is taking legal action against the Rhode Island Public Transit Authority (RIPTA) and UnitedHealthcare New England (UHC) over an August 2021 data breach that affected more than 22,000 individuals.

According to RIPTA, a cyberattack on its systems was detected and blocked on August 5, 2021. The breach was investigated, and it was determined that hackers gained access to its network two days previously, on August 3. The review of the files on the accessible parts of its system revealed they contained the data of 5,015 members of its group health plan, including names, dates of birth, Social Security numbers, and health plan ID numbers.

The breach was reported to the HHS’ Office for Civil Rights as affecting 5,015 individuals; however, the information of a further 17,378 individuals who were not RIPTA employees was also compromised. Notification letters were sent to all affected individuals four months after the discovery of the data breach, prompting multiple complaints to the Rhode Island Attorney General from non-RIPTA employees demanding to know how and why RIPTA had access to their data. According to RIPTA, those individuals were insured by UnitedHealthcare, RIPTA’s previous health insurance provider, and UnitedHealthcare had provided RIPTA with files containing the data of non-RIPTA employees.

Steven Brown, ACLU of RI Executive Director, told HIPAA Journal, “To this day, it remains unclear how and why UHC provided RIPTA with the personal and healthcare information of non-RIPTA state employees, and why it took over four months for RIPTA to notify both their employees and other affected individuals that their information had been hacked.”

The lawsuit was filed on behalf of plaintiffs Alexandra Morelli, a URI employee, and Diane Cappalli, a retired RIPTA employee. The plaintiffs represent a class of more than 20,000 individuals. The lawsuit alleges the plaintiffs and class members have been exposed to an ongoing risk of fraud and identity theft, which requires them to constantly monitor their financial accounts and credit reports as their personal information is in the hands of cybercriminals. Morelli alleges she has been a victim of fraud and has had unauthorized charges on her credit cards and withdrawals from her bank account.

The lawsuit alleges the defendants were negligent for failing to implement appropriate safeguards to protect sensitive employee and health plan member information, such as failing to encrypt data and to properly maintain, protect, purge, and safely destroy data. These failures are alleged to have violated two Rhode Island state laws – the Identity Theft Protection Act of 2015 and the Confidentiality of Healthcare Communications and Information Act.

The lawsuit also takes issue with the length of time it took to issue notifications about the breach, which were sent 138 days after the data breach was discovered. HIPAA requires notifications to be issued within 60 days of discovery of a data breach, and state law requires notifications to be issued within 45 days. Further, the notifications did not contain sufficient information, such as whether Social Security numbers had been breached, and RIPTA’s website notification – published in December 2021 – failed to state that the data of non-RIPTA employees had also been breached.

The lawsuit seeks compensatory and punitive damages, attorneys’ fees, and an order for the defendants to cover the cost of “adequate” credit monitoring and identity theft protection services, which has been specified as 10 years. The lawsuit also calls for the defendants to implement and maintain a comprehensive information security program.

“Every Rhode Islander should be concerned not just about the flimsy safeguards that were in place to protect against a breach, but also that a state agency had access to the personal medical information of people not even in their employ,” said Brown. “As we pursue a legal remedy for this tremendous breach of personal and medical privacy, we believe this incident should also serve as a wake-up call to the General Assembly to strengthen the remedies available to victims of these breaches.”

Hacking, Database Misconfigurations, and Improper Disposal Incidents Reported

A round-up of healthcare data breaches that have recently been reported to the HHS’ Office for Civil Rights and State Attorneys General.

Delaware Department of Health and Social Services – Database Misconfiguration

The Delaware Department of Health and Social Services, Division of Developmental Disabilities Services (DDDS) has recently discovered a misconfiguration occurred when creating new user accounts for the division’s client database. As a result of the misconfiguration, access was granted to the records of 7,074 individuals.

The misconfiguration was discovered on August 23, 2022, with the investigation confirming 159 new user accounts had been created that provided access to service recipients’ personal, identifiable information and protected health information, as well as some more detailed information. 12 cases were identified where records were actively accessed by the users, but many more records may have been passively accessed. It was not possible to determine how many records were passively accessed. As such, the decision was taken to notify all 7,074 individuals, who have been offered complimentary credit monitoring services for 12 months.

Steps have since been taken to improve security to prevent similar misconfigurations in the future. The lessons learned from the incident will be applied to the new client data management system that is currently being developed and is due to be implemented in 2023.

Country Doctor Community Clinic, WA – Hacking Incident

Country Doctor Community Clinic in Seattle, WA, announced on October 19, 2022, that hackers had gained access to its digital environment and viewed and potentially obtained files containing the protected health information of 38,751 patients.

Unusual activity was detected in its computer systems on October 6, 2022. Immediate action was taken to secure its IT systems and prevent further unauthorized access, and third-party cybersecurity experts were engaged to investigate the incident and determine the nature and scope of the attack. A review was conducted to determine the types of information that had been compromised, then up-to-date contact information had to be obtained for affected individuals. That process concluded on October 14, 2022.

Country Doctor Community Clinic said names, addresses, Social Security numbers, dates of birth, and other protected health information were potentially compromised. Credit monitoring and identity theft protection services are being offered to individuals whose Social Security numbers were exposed. Steps have also been taken to improve security to prevent similar breaches in the future.

Riverside Medical Group, NJ – Hacking Incident

Riverside Medical Group, an adult medical practice serving patients in Northern New Jersey, has discovered hackers gained access to a legacy server at its clinic in West Orange and may have viewed or obtained files containing patient data. The compromised server belonged to a provider who used it to store immunization records. No other systems were affected.

Riverside Medical Group said the breach was detected on August 3, 2022. The review of files on the server determined they contained the protected health information of 12,499 patients, including name, date of birth, address, gender, phone number, email address, immunization records, dates of immunizations, provider information, health plan information, and in limited instances, Social Security number. Riverside Medical Group said it is unaware of any actual or attempted misuse of patient information.

The Valley Hospital, NJ – Improper Disposal of Documents Containing PHI

The Valley Hospital in Ridgewood, NJ, has recently announced that the records of individuals who visited an outpatient COVID-19 testing facility have been disposed of in an improper manner, and could potentially have been accessed or obtained by unauthorized individuals.

The improper disposal incident was detected by the Valley Hospital on August 29, 2022. In its substitute breach notice, the hospital said post-COVID-19 testing instructions were discarded in a recycling bin at the testing facility, rather than being sent for shredding. The documents included the names of the providers administering COVID-19 tests and labels that included patient names, medical record numbers, location codes, and service dates.

The hospital attempted to recover the documents but was unable to retrieve them. The breach affected patients who received COVID-19 tests at the site between June 1 and September 1, 2022. Notifications have now been sent to affected individuals. It is currently unclear how many patients have been affected.

WakeMed Announces Meta Pixel-Related Breach Affecting 495,000 Patients

WakeMed Health and Hospitals, a health system with multiple healthcare facilities in metropolitan Raleigh, NC, has recently notified around 495,000 patients that some of their protected health information may have been impermissibly disclosed to Meta/Facebook due to the use of Meta Pixel tracking code on its website.

The privacy violation was announced by the health system on October 14, 2022, with WakeMed stating that the code was first added to its website and MyChart patient portal in March 2018. The code is used to gather information on user activity on websites, which is achieved through the use of cookies. WakeMed said the code was added for website optimization and to “better connect members of our community with WakeMed’s MyChart patient portal, thereby improving access to their health care, and to help improve the WakeMed website.”

The problem, as many healthcare systems have discovered, is that in addition to tracking user activity, the snippet of JavaScript code also transmits data to Meta/Facebook, which potentially includes sensitive patient information and information that can allow patients to be identified. According to WakeMed, that information included information entered by patients in the MyChart patient portal and on the appointment scheduling page.

The types of information transmitted depended on patients’ interactions on the website, their use of forms, and the data selected or entered when scheduling appointments. WakeMed said the information transmitted to Meta/Facebook may have included one or more of the following: email address, phone number, other contact information, IP address, emergency contact information, information provided during online check-in (e.g., allergy or medication information), COVID vaccine status, information about an upcoming appointment (e.g., appointment type and date, physician selected, and button/menu selections), and any information added to free text boxes.

WakeMed said its investigation was unable to determine whether Meta or Facebook collected or used any of the information transmitted by the Meta Pixel code. Meta has previously stated that if it identifies any information it is not authorized to receive, the information will not be used or provided to third parties for uses such as serving targeted advertisements. Multiple lawsuits have been filed against other healthcare organizations that claim targeted advertisements have been served using Meta Pixel-collected data.

WakeMed said that after becoming aware of the issue, the Meta Pixel code was stripped from its website in May 2022 and that there are no further plans to use the code unless it can be confirmed that there is no potential for it to transmit sensitive data. Policies and procedures have also been implemented that involve comprehensive reviews of code before it is added to its website to prevent similar situations in the future. The North Carolina Attorney General has launched an investigation into the incident.

WakeMed joins Novant Health and Advocate Aurora Health in issuing notifications to patients about impermissible disclosures of PHI due to the use of Meta Pixel and other tracking code, and this is unlikely to be the last such announcement by a healthcare provider. A study conducted by The Markup/STAT on the top 100 hospitals in the United States found one-third had used Meta Pixel code on their websites.

September 2022 Healthcare Data Breach Report

63 data breaches of 500 or more records were reported to the HHS’ Office for Civil Rights in September, bringing an end to the downward trend in data breaches seen over the previous three months. September’s total was above the 12-month average of 59 breaches a month, with data breaches being reported at a rate of more than 2 per day. In 2017, data breaches were being reported at a rate of one per day.

Figure: Healthcare data breaches in the past 12 months (September 2022)

While the number of reported data breaches increased by 28.6% month-over-month, for the third consecutive month the number of breached records decreased, with 2,440,434 records breached across the 63 reported incidents. September’s total was well below the 12-month average of 3,481,033 breached records a month.

Figure: Breached healthcare records in the past 12 months

So far in 2022, 31,705,618 patient records have been exposed or impermissibly disclosed.

The Largest Healthcare Data Breaches Reported in September

30 data breaches of 10,000 or more patient records were reported to the HHS’ Office for Civil Rights in September 2022, all but one of which were hacking/IT incidents. The largest data breach involved the records of more than 542,000 patients of the Wolfe Clinic in Iowa and occurred at its electronic health record provider, Eye Care Leaders. The attack saw database and system configuration files deleted. In total, more than 3.6 million individuals were affected by the Eye Care Leaders data breach.

Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Cause of Breach
Wolfe Clinic, P.C. | IA | Healthcare Provider | 542,776 | Hacking incident at its EHR provider (Eye Care Leaders)
Empress Ambulance Service LLC | NY | Healthcare Provider | 318,558 | Ransomware attack
Cytometry Specialists, Inc. d/b/a CSI Laboratories | GA | Healthcare Provider | 244,850 | Business email compromise (BEC) attack
FMC Services, LLC | TX | Healthcare Provider | 233,948 | Hacked network server
Physician’s Business Office, Inc. | WV | Business Associate | 196,673 | Hacked network server
Providence WA Anesthesia Services PC | NY | Healthcare Provider | 98,643 | Hacked network server at management company
Medical Associates of the Lehigh Valley | PA | Healthcare Provider | 75,628 | Ransomware attack
Dyersburg Family Walk-In Clinic, LLC (Reelfoot Family Walk-In Clinic) | TN | Healthcare Provider | 58,562 | Hacked network server (data theft confirmed)
Palm Springs Anesthesia Services PC | NY | Healthcare Provider | 58,513 | Hacked network server at management company
Reiter Affiliated Companies, LLC | CA | Business Associate | 48,000 | Ransomware attack at a business associate
Reiter Affiliated Health and Welfare Plan | CA | Health Plan | 45,000 | Ransomware attack
Anesthesia Services of San Joaquin PC | NY | Healthcare Provider | 44,015 | Hacked network server at management company
Anesthesia Associates of El Paso PA | NY | Healthcare Provider | 43,168 | Hacked network server at management company
The Physicians’ Spine and Rehabilitation Specialists of Georgia, P.C. | GA | Healthcare Provider | 38,765 | Hacked network server
Country Doctor Community Clinic | WA | Healthcare Provider | 38,751 | Hacked network server
Resource Anesthesiology Associates PC | NY | Healthcare Provider | 37,697 | Hacked network server at management company
Lubbock Heart & Surgical Hospital | TX | Healthcare Provider | 23,379 | Hacked network server
Genesis Health Care, Inc. | SC | Healthcare Provider | 21,226 | Hacked network server
Resource Anesthesiology Associates of IL PC | NY | Healthcare Provider | 18,321 | Hacked network server at management company
Bronx Anesthesia Services PC | NY | Healthcare Provider | 17,802 | Hacked network server at management company
Resource Anesthesiology Associates of CA A Medical Corporation | CA | Healthcare Provider | 16,001 | Hacked network server at management company
Monroe Ear Nose and Throat Associates, PC | MI | Healthcare Provider | 14,500 | Hacked network server hosting EHRs
Magellan Rx Management | MD | Business Associate | 13,663 | Hacked network server
Hazleton Anesthesia Services PC | NY | Healthcare Provider | 13,607 | Hacked network server at management company
Riverside Medical Group | NJ | Healthcare Provider | 12,499 | Hacked legacy server containing EHRs
Anesthesia Associates of Maryland LLC | MD | Healthcare Provider | 12,403 | Hacked network server at management company
Northern California Fertility Medical Center | CA | Healthcare Provider | 12,145 | Ransomware attack
Neurology Center of Nevada | NV | Healthcare Provider | 11,700 | Hacking incident involving EHRs
Dr. Alexander J. Richardson, DPM | OH | Healthcare Provider | 11,300 | Hacking incident involving EHRs
WellMed Medical Management | TX | Healthcare Provider | 10,506 | A physician took records to his new practice

Causes of September 2022 Data Breaches

As is now the norm, the majority of the month’s data breaches were categorized as hacking/IT incidents, which include hacking, ransomware and malware attacks, phishing attacks, and misconfigured databases and cloud resources.

Figure: Causes of September 2022 healthcare data breaches

52 breaches – 82% of the month’s total – were hacking/IT incidents, which resulted in the exposure and/or theft of the records of 2,410,654 individuals. The average breach size was 46,359 records and the median breach size was 12,274 records. These incidents accounted for 98.78% of all records breached in September.

Ransomware is commonly used in attacks on hospitals to prevent access to business-critical files and patient records. These attacks typically involve data theft prior to file encryption with the attackers threatening to sell or publish the stolen data if the ransom is not paid. Several threat actors have now dispensed with the file encryption and are just stealing data and demanding payment to prevent its sale or release. That makes the attacks quicker and easier for the attackers and ransoms are still often paid. These extortion-only attacks have been increasing in recent months.

There were 7 unauthorized access/disclosure incidents reported, a category that includes unauthorized access by employees, misdirected emails, and mailing errors. Across the 7 breaches, the records of 24,639 individuals were impermissibly disclosed. The average breach size was 3,250 records and the median breach size was 1,359 records.

There were 4 data breaches reported that involved the loss or theft of electronic devices that contained individually identifiable protected health information. Those devices contained 5,141 records. The average breach size was 1,285 records and the median breach size was 1,207 records. These incidents could have been avoided had data on the devices been encrypted.

The number of email-related data breaches is below the levels normally seen, with just 7 email data breaches reported. However, data from the ransomware remediation firm Coveware suggests email is still the most common way that threat actors gain access to networks in ransomware attacks. One of the largest data breaches reported this month – at CSI Laboratories – saw threat actors gain access to email accounts containing the records of almost 245,000 individuals. The email account was then used in a business email compromise attack to try to reroute CSI customer healthcare provider payments.

Figure: Location of PHI in September 2022 healthcare data breaches

HIPAA-Regulated Entities Affected by Data Breaches

Healthcare providers were the worst affected entity in September with 46 data breaches reported, with 10 breaches reported by business associates and 7 breaches reported by health plans. Healthcare providers and health plans often choose to report breaches at business associates themselves, as was the case in 7 data breaches at business associates in September. The pie chart below reflects this and shows where the data breaches actually occurred.

Figure: September 2022 healthcare data breaches – entities reporting

Healthcare Data Breaches by State

HIPAA-regulated entities in 22 states reported data breaches in September. New York was the worst affected state with 15 breaches reported; 13 of those breaches were reported by providers of anesthesia services, and the breach actually occurred at their management company.

State | Breaches
New York | 15
California | 8
Tennessee & Washington | 5
Florida & Texas | 4
Georgia | 3
Indiana, Maryland, New Jersey, & Pennsylvania | 2
Colorado, Connecticut, Iowa, Michigan, Montana, Nebraska, Nevada, Ohio, Rhode Island, South Carolina, & Wisconsin | 1

HIPAA Enforcement Activity in September

The HHS’ Office for Civil Rights agreed to settle HIPAA violations with three healthcare providers in September. All three of the settlements resolved violations of the HIPAA Right of Access, where patients were not provided with timely access to their medical records. All three cases were investigated by OCR after patients filed complaints that they had not been provided with their requested medical records. Great Expressions Dental Center of Georgia was also discovered to have overcharged a patient for providing a copy of her medical records.

Great Expressions Dental Center of Georgia, P.C. settled its case for $80,000, Family Dental Care, P.C. settled its case for $30,000, and B. Steven L. Hardy, D.D.S., LTD, dba Paradise Family Dental, settled its case for $25,000. All three settlements involved a corrective action plan to address the areas of non-compliance.

OCR has now imposed 20 financial penalties on HIPAA-regulated entities to resolve HIPAA violations so far this year – more than in any previous year.

Advocate Aurora Health: Website Tracking Code May Have Impermissibly Disclosed PHI of 3 Million Patients

A second health system has announced that patient data has been impermissibly passed to Meta (Facebook) as a result of the inclusion of Meta Pixel tracking code on its website. First came Novant Health, with its admission that the protected health information of 1.36 million patients had been sent to Meta. Now, Advocate Aurora Health has confirmed that it too included the tracking code, which resulted in the impermissible disclosure of the protected health information of up to 3,000,000 patients. These two healthcare systems are far from the only ones affected by the use of Meta Pixel and other third-party tracking code on their websites.

An analysis published by The Markup/STAT in June suggested one-third of the top 100 hospitals in the United States had included the code on their websites, including at least 6 that had incorporated the code within their password-protected patient portals. Following the discovery, patients affected by the breach took legal action against their healthcare providers and Meta over the impermissible disclosure. In some cases, their personal and private information was used to serve them targeted advertisements related to their medical conditions, as a result of their interactions on the websites of their healthcare providers. Lawsuits have been filed against Meta and Medstar Health System in Maryland, and against Meta and UCSF Medical Center/Dignity Health Medical Foundation.

Meta Pixel is a snippet of JavaScript code that website owners can add to their websites and web applications for the purpose of tracking visitor activity. In the case of healthcare providers, the code can be used for tracking the performance of advertising campaigns, as was the case with Novant Health, or identifying trends and preferences of patients. However, some of the data collected involved choices made via drop-down selection in web forms, which may have included information about medical conditions, and that information may have included personal identifiers.

The data collected through the Meta Pixel code snippet is sent to Meta, and that information may be made available to advertisers and used to serve targeted adverts. Meta has explained that it has technology in place to detect and identify data that it is not authorized to receive – such as medical information – which is stripped out and not made available to advertisers if it is detected. However, that does not appear to have always happened, according to the allegations made in the lawsuits.

There are two issues here: Consent had not been obtained from patients prior to their data being shared with Meta/Facebook and other third parties, and patients’ protected health information was impermissibly disclosed to Meta/Facebook or others when there was no business associate agreement in place, both of which are violations of the Health Insurance Portability and Accountability Act (HIPAA).
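One way to put the pre-deployment code review that WakeMed adopted into practice, as an added example that is not code from HIPAA Journal or from any health system named here: a script that audits an HTML page for the Meta Pixel and similar tracking code before the page ships to a patient portal or scheduling page. The tracker hostnames, the `fbq()` and `<noscript>` beacon signatures, and the page-kind labels are assumptions drawn from publicly documented Pixel snippets, and both sample pages are constructed.

```javascript
// Added example (not HIPAA Journal's code, nor any health system's): a
// pre-deployment audit that flags third-party tracking code in an HTML page
// before it goes live on a patient portal or scheduling page.
// Tracker hostnames and snippet signatures are assumptions based on publicly
// documented Meta Pixel and Google tag artifacts; extend them for your review.

// Hosts that serve tracking loaders (assumed list).
const TRACKER_SCRIPT_HOSTS = [
  "connect.facebook.net",      // Meta Pixel loader (fbevents.js)
  "www.googletagmanager.com",  // Google Tag Manager / gtag.js
  "www.google-analytics.com",
];

// Signatures found in inline snippets or script URLs (assumed list).
const SNIPPET_MARKERS = [
  { re: /connect\.facebook\.net\/[^'"\s]*fbevents\.js/, what: "Meta Pixel loader reference (fbevents.js)" },
  { re: /\bfbq\s*\(\s*['"]init['"]/,  what: "Meta Pixel fbq('init') call" },
  { re: /\bfbq\s*\(\s*['"]track['"]/, what: "Meta Pixel fbq('track') call" },
  { re: /\bgtag\s*\(\s*['"]config['"]/, what: "Google gtag('config') call" },
];

// Image beacon used by the Meta Pixel <noscript> fallback.
const PIXEL_IMG = /<img[^>]+src=["']https?:\/\/www\.facebook\.com\/tr\?[^"']*["']/i;

// Page kinds that display or collect PHI; any tracker there is a blocking finding.
const SENSITIVE_PAGE_KINDS = new Set(["patient-portal", "scheduling", "check-in"]);

function extractScriptSrcs(html) {
  const srcs = [];
  const re = /<script\b[^>]*\bsrc=["']([^"']+)["'][^>]*>/gi;
  let m;
  while ((m = re.exec(html)) !== null) srcs.push(m[1]);
  return srcs;
}

function hostOf(src) {
  try {
    // Protocol-relative URLs (//host/path) are common in tracker snippets.
    return new URL(src.startsWith("//") ? "https:" + src : src).hostname;
  } catch {
    return null; // relative URL: same-origin script
  }
}

function countForms(html) {
  return (html.match(/<form\b/gi) || []).length;
}

// Audits one page. Returns { findings: string[], severity: "none" | "review" | "block" }.
function auditPage(html, pageKind) {
  const findings = [];
  for (const src of extractScriptSrcs(html)) {
    const host = hostOf(src);
    if (host && TRACKER_SCRIPT_HOSTS.some((h) => host === h || host.endsWith("." + h))) {
      findings.push(`third-party tracking script loaded from ${host}`);
    }
  }
  for (const { re, what } of SNIPPET_MARKERS) {
    if (re.test(html)) findings.push(what);
  }
  if (PIXEL_IMG.test(html)) findings.push("Meta Pixel <noscript> image beacon");

  let severity = "none";
  if (findings.length > 0) {
    // Forms matter because drop-down selections and free text entered next to a
    // tracker are exactly what the notifications above describe as transmitted.
    const forms = countForms(html);
    if (forms > 0) findings.push(`${forms} form(s) on the page: selections and free text may be sent to the tracker`);
    severity = SENSITIVE_PAGE_KINDS.has(pageKind) ? "block" : "review";
  }
  return { findings, severity };
}

// Constructed sample: a scheduling page carrying a Pixel snippet next to a form.
const SAMPLE_SCHEDULING_PAGE = `
<html><head>
<script>
  !function(f,b,e,v,n,t,s){/* loader body elided */}(window,document,'script',
  'https://connect.facebook.net/en_US/fbevents.js');
  fbq('init', 'PIXEL_ID_PLACEHOLDER');
  fbq('track', 'PageView');
</script>
<noscript><img height="1" width="1" src="https://www.facebook.com/tr?id=PIXEL_ID_PLACEHOLDER&ev=PageView&noscript=1"/></noscript>
<script src="/static/app.js"></script>
</head><body>
<form action="/schedule"><select name="reason"><option>Follow-up visit</option></select></form>
</body></html>`;

// Constructed sample: a public information page with only same-origin scripts.
const SAMPLE_CLEAN_PAGE = `<html><head><script src="/static/app.js"></script></head>
<body><p>Visiting hours</p></body></html>`;

console.log(auditPage(SAMPLE_SCHEDULING_PAGE, "scheduling"));
console.log(auditPage(SAMPLE_CLEAN_PAGE, "public"));
```

A static audit like this catches the snippet before deployment; it cannot see what a tracker sends once a visitor is logged into Facebook or Google, so pair it with a review of the outbound requests the browser actually makes on the live page.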

Advocate Aurora Health Breach Notification

Advocate Aurora Health is a non-profit health system with dual headquarters in Downers Grove, IL, and Milwaukee, WI. Advocate Aurora Health operates 27 hospitals, more than 500 outpatient locations, and serves around 3 million patients, all of whom may have been affected.

Advocate Aurora Health explained in its breach notification letters that Meta Pixel code was added to its website and applications “to understand how patients and others interact with our websites,” and for “identifying trends and preferences of patients.” Advocate Aurora Health also pointed out that many other hospitals and health systems had also used the code snippets on their websites and applications for similar purposes.

Advocate Aurora Health said it discovered that when individuals interacted with its websites and web applications while signed into their Google or Facebook accounts, in addition to data about their interactions on the websites and applications being shared with Google and Facebook/Meta, their identities would also have been disclosed. In some cases, those interactions may have included disclosures of protected health information.

“We learned that pixels or similar technologies installed on our patient portals available through MyChart and LiveWell websites and applications, as well as on some of our scheduling widgets, transmitted certain patient information to the third-party vendors that provided us with the pixel technology,” explained Advocate Aurora Health. When this was discovered, the code snippets were either disabled or removed from its websites and web applications, and an internal investigation was launched to determine the extent to which patient data had been transmitted to third-party vendors.

Advocate Aurora Health explained that, out of an abundance of caution, the decision was taken to issue notifications to all patients who had an Advocate Aurora Health MyChart account, used the LiveWell application, or the scheduling widgets on its web platforms. The extent to which those patients were affected, if at all, depends on their interactions with the website and whether they were logged into their Google or Facebook accounts at the time.

Patients affected may have had one or more of the following types of information transmitted to Google, Facebook/Meta, or others:

  • IP address
  • Dates, times, and/or locations of scheduled appointments
  • Proximity to an Advocate Aurora Health location
  • Information about a patient’s provider
  • Type of appointment or procedure
  • Communications through MyChart, which may have included their first and last name and medical record number
  • Information about whether the patient was insured
  • If a patient had a proxy MyChart account, the patient’s first name and the first name of the patient’s proxy.

Advocate Aurora Health said its investigation indicates no Social Security numbers, financial account information, or credit/debit card information was impermissibly disclosed. Advocate Aurora Health said it has now implemented an enhanced, robust technology vetting process for any tracking technologies that it considers using in the future to ensure similar privacy violations do not occur again.

The post Advocate Aurora Health: Website Tracking Code May Have Impermissibly Disclosed PHI of 3 Million Patients appeared first on HIPAA Journal.

New York State Fines EyeMed $4.5 Million for Phishing Attack and 2.1M-Record Data Breach

The New York State Department of Financial Services (DFS) has settled its investigation into EyeMed Vision Care (EyeMed) over potential violations of the DFS Cybersecurity Regulation for $4.5 million.

EyeMed is an Ohio-based licensed health insurance company, which collects and stores sensitive consumer information as part of its business practices. EyeMed Vision Care was investigated by the DFS after EyeMed disclosed it had been the victim of a phishing attack and data breach that was discovered on July 1, 2020. An employee responded to a phishing email and disclosed credentials to a shared EyeMed mailbox that contained more than 6 years’ worth of non-public consumer information, including the information of minors, related to vision benefits enrollment and coverage. After accessing the account, malicious actors used it to send more than 2,000 phishing emails to EyeMed clients to trick them into disclosing their EyeMed login credentials. EyeMed was alerted to the breached email account when its clients complained about receiving phishing emails from EyeMed.

EyeMed’s investigation confirmed unauthorized individuals first accessed the email account on June 24, 2020, and that access continued until July 1, 2020, when the breach was discovered and access to the email account was terminated. The email account contained the information of approximately 2.1 million individuals, including the data of 98,632 New York residents.

The DFS determined that EyeMed was in violation of the DFS Cybersecurity Regulation (23 NYCRR Part 500) due to the failure to implement multi-factor authentication for its email environment. EyeMed had also failed to limit user access privileges, as nine employees shared login credentials for the affected email account. Further, EyeMed had implemented neither sufficient data retention limits on information in the email account nor sufficient data disposal processes. If multi-factor authentication had been implemented, the data breach could have been prevented, and proper data retention and disposal practices would have lessened the severity of the breach if it could not be prevented.

Further investigation revealed EyeMed had not conducted a comprehensive risk assessment, which is one of the core requirements of the DFS cybersecurity regulation. If a risk assessment had been conducted, it would have highlighted the shared login credentials, lack of multifactor authentication, and lack of data retention/disposal policies. Those risks could then have been managed and reduced to a low and acceptable level. DFS also determined that EyeMed’s cybersecurity certifications for the calendar years 2018 through 2021 were improper.

In addition to paying the financial penalty, EyeMed has agreed to conduct a comprehensive cybersecurity risk assessment and develop a detailed action plan that describes how the risks identified in the assessment will be addressed. The risk assessment and action plan must be reviewed and approved by the DFS.

“It is critically important that consumers’ non-public information is kept safe from potential criminal activity, and DFS’s first-in-the-nation cybersecurity regulation requires New York-regulated entities to take that responsibility seriously,” said New York State Superintendent of Financial Services, Adrienne A. Harris. “This settlement demonstrates DFS’s ongoing commitment to protecting consumers while ensuring the safety and soundness of financial institutions from cyber threats.”

The phishing attack and data breach were also investigated by the Office of the New York Attorney General, which arrived at similar conclusions and fined EyeMed $600,000 in January 2022.

The post New York State Fines EyeMed $4.5 Million for Phishing Attack and 2.1M-Record Data Breach appeared first on HIPAA Journal.

235,000 Keystone Health Patients Affected by August 2022 Cyberattack

Chambersburg, PA-based Keystone Health has recently announced that it fell victim to a cyberattack on August 19, 2022, which caused temporary disruption to its computer systems. Steps were immediately taken to restore the security of its systems and prevent further unauthorized access, and a third-party cybersecurity firm was engaged to investigate the breach and determine how the hackers gained access to its systems and the scope of the breach.

The forensic investigation revealed the hackers first gained access to its systems on July 28, 2022, with access terminated on August 19. During that time, files were accessed that contained patients’ protected health information, including names, Social Security numbers, and clinical information. A comprehensive review of those files confirmed they contained the information of 235,237 patients.

Law enforcement was notified about the cyberattack and all affected individuals have been notified by mail. Credit monitoring services are being offered to eligible patients. Keystone Health said it is implementing additional security measures to prevent further incidents of this nature, and employees have been provided with additional security awareness training.

Lifespire Services Provides Update on February 2022 Cyberattack

Lifespire Services, a New York-based provider of services to people with developmental disabilities, has provided an update on a security incident that was first disclosed in April 2022. The incident in question was detected on February 8, 2022, and caused disruption to its computer systems. Lifespire engaged a digital forensics company that determined that unauthorized individuals had access to its systems between January 14, 2022, and February 8, 2022, and during that time patient information may have been accessed.

A comprehensive review was conducted on all files on the compromised parts of its network, and that process took until October 7, 2022. Lifespire confirmed that the protected health information of 15,375 patients was compromised, including names, addresses, Social Security numbers, dates of birth, driver’s license numbers, passport numbers, bank account information, credit card information, medical diagnosis/treatment information, Medicare/Medicaid numbers, and health insurance information.

Lifespire said it is unaware of any instances of misuse of patient data but has offered affected individuals free access to credit monitoring and identity protection services. Policies and procedures related to network security have also been updated in response to the data breach.

Investigations into data breaches and reviews of affected files can take several weeks or months. Lifespire should be commended for issuing a notification to patients about the attack in April, even though the file review had yet to be completed. Prompt notification is a requirement of the HIPAA Breach Notification Rule and is important for patients, as it allows them to take appropriate steps to protect themselves against misuse of their information. Many healthcare organizations wait until the document review is completed before announcing a breach, which could be several months after data has been stolen.

Patient Information Potentially Compromised in Phishing Attack on Presbyterian Healthcare Services

Albuquerque, NM-based Presbyterian Healthcare Services recently said the protected health information of 2,624 patients was stored in an employee email account that was accessed by an unauthorized third party after the employee responded to a phishing email.

The security breach was detected on July 8, 2022, with the subsequent investigation determining a single email account was accessed intermittently between March 21, 2022, and July 8, 2022. A review of the account confirmed no financial information was compromised; however, there may have been unauthorized access to names, dates of birth, Social Security numbers, medical record numbers, health insurance information, and limited clinical information related to billing, such as diagnosis codes and treatment information.

The review of the account is ongoing, but notification letters have started to be sent to affected individuals. Complimentary credit monitoring and identity theft protection services have been offered to patients whose Social Security numbers were exposed. Additional security awareness training has been provided to the workforce and email security enhancements are being implemented.

This is not the first incident of this nature to be reported by Presbyterian Healthcare Services. In August 2019, a major email breach was reported that affected 1,120,629 patients. Just over a year later, a hacking incident resulted in the exposure of the PHI of 193,223 patients.

The post 235,000 Keystone Health Patients Affected by August 2022 Cyberattack appeared first on HIPAA Journal.