HIPAA Breach News

OCR Announces 4 Financial Penalties to Resolve HIPAA Violations

The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced its first financial penalties of 2022 to resolve alleged violations of the Health Insurance Portability and Accountability Act (HIPAA). Three of the cases were settled with OCR, and one resulted in a civil monetary penalty being imposed.

OCR is continuing to enforce compliance with the HIPAA Right of Access, with two of the enforcement actions resolving violations of this important HIPAA provision. One of the fines was imposed, in part, for overcharging a patient who requested a copy of their medical records, the first financial penalty under the 2019 enforcement initiative to allege overcharging for copies of medical records. To date, OCR has imposed 27 financial penalties on healthcare providers that have failed to provide patients with timely access to their medical records. The other two cases involved impermissible disclosures of the protected health information of patients.

“Between the rising pace of breaches of unsecured protected health information and continued cyber security threats impacting the health care industry, it is critical that covered entities take their HIPAA compliance responsibilities seriously,” said OCR Director Lisa J. Pino. “OCR will continue our steadfast commitment to protect individuals’ health information privacy and security through enforcement, and we will pursue civil money penalties for violations that are not addressed.”

Dental Practitioner Fined $30,000 for Noncompliance with the HIPAA Right of Access

Dr. Donald Brockley D.D.M, a solo dental practitioner in Butler, PA, was investigated by OCR over a complaint from a patient who had not been provided with a copy of the requested medical records within the time allowed by the HIPAA Privacy Rule. OCR determined that there had been a HIPAA Right of Access violation and provided Dr. Brockley with the opportunity to provide written evidence of any mitigating factors in an August 27, 2019, letter. No response was received.

OCR then notified Dr. Brockley of its intention to impose a financial penalty of $104,000, and Dr. Brockley requested a hearing with an Administrative Law Judge to contest the financial penalty. On October 8, 2021, the parties filed a joint motion to stay proceedings for 60 days, during which time an agreement was reached with both parties and the case was settled.

Dr. Brockley agreed to pay a $30,000 financial penalty and adopt a corrective action plan which included updating policies and procedures to ensure compliance with the HIPAA Right of Access.

$28,000 Financial Penalty for California Psychiatric Medical Services in HIPAA Right of Access Case

Jacob & Associates, a California provider of psychiatric medical services, was investigated by OCR over a complaint from a patient who claimed that medical records had been requested from Jacob & Associates on July 1, 2018, but had not been provided. The complainant claimed to have sent similar requests every July 1 since 2013 but had never been provided with the requested records.

After submitting the complaint to OCR, the complainant resent the record request and was provided with a complete copy of the requested records on May 16, 2019, by electronic mail. However, in order to be provided with those records, she was required to travel to the practice to complete a record access form in person. She was also charged $25 for the copy of her records, and was initially provided with only an incomplete, single-page copy, so she had to submit another request to obtain her full records.

OCR determined that Jacob & Associates had violated the HIPAA Right of Access by not providing timely access to the patient’s medical records, had charged the patient an unreasonable non-cost-based fee, and did not have policies and procedures in place concerning the right of patients to access their protected health information.

During the investigation, OCR also determined that Jacob & Associates had not designated a HIPAA Privacy Officer and its notice of privacy practices lacked the required content. The case was settled for $28,000 and Jacob & Associates agreed to a corrective action plan to address all areas of alleged non-compliance.

$50,000 Civil Monetary Penalty Imposed on Dental Practice for Social Media HIPAA Violation

Dr. U. Phillip Igbinadolor, D.M.D. & Associates, P.A., (UPI), a dental practice with offices in Charlotte and Monroe, NC, was investigated by OCR after a patient submitted a complaint in November 2015 alleging an unauthorized disclosure of his protected health information in response to a negative online review of the practice.

On or around September 28, 2015, the complainant, using a pseudonym to protect his privacy, posted a negative review on UPI’s Google page. UPI responded to the review and claimed the accusations made by the patient were unsubstantiated; however, UPI identified the patient and mentioned the patient’s full name on three occasions in the response, the symptoms the patient was experiencing, and the treatment that was recommended but not provided.

OCR reviewed the complaint and requested documentation from UPI in July 2016 on its policies and procedures covering responses to online reviews and social media, uses and disclosures of PHI, safeguarding PHI, and details of HIPAA training that was provided prior to, and in response to, the incident. UPI confirmed that a response had been posted to the Google page, but only provided OCR with its notice of privacy practices.

In August 2016, OCR informed UPI that the response to the review violated the HIPAA Privacy Rule and was an impermissible disclosure of PHI, and told UPI to remove its response to the review and implement policies and procedures, if they had not already been implemented, covering online reviews and social media. In 2017, OCR requested a copy of the policies and procedures and again told UPI to remove the response to the review.

Only an acknowledgment of training was provided to OCR, and it did not include any of the training content. The response to the review was not removed. OCR then requested financial statements to be used to determine an appropriate financial penalty, but UPI refused to provide them claiming they were not related to HIPAA. After OCR explained why they were required, UPI responded in September 2017 and refused to provide the records, and included the statement “I will see you in court”.

UPI then received an administrative subpoena requesting its policies and procedures, training materials, income statements, balance sheets, statements of cash flow, and federal tax returns, but did not respond to the subpoena or to further communications. OCR obtained the authorization of the Attorney General of the United States and imposed a civil monetary penalty of $50,000 under the penalty tier of willful neglect with no correction.

Dental Practice Fined $62,500 for Impermissible Disclosure of PHI for Marketing Purposes

Northcutt Dental-Fairhope, LLC (Northcutt Dental), a Fairhope, AL dental practice, was investigated by OCR over an impermissible disclosure of PHI. Dr. David Northcutt, the operator and owner of Northcutt Dental, ran for state senator for Alabama District 32 in 2017. Dr. Northcutt engaged a campaign manager and a third-party marketing company to provide assistance with the state senate election campaign. The campaign manager was provided with an Excel spreadsheet that included the names and addresses of 3,657 patients, and letters were sent to those individuals to notify them that Dr. Northcutt was running for state senate. The email addresses of those individuals, along with the email addresses of a further 1,727 patients, were provided to the marketing company Solutionreach to send a campaign email.

OCR determined that the disclosures of PHI to the campaign manager and third-party marketing company were impermissible disclosures of PHI. OCR also determined that Northcutt Dental had not appointed a HIPAA Privacy Officer until November 14, 2017, and policies and procedures related to the HIPAA Privacy and Breach Notification Rules were not implemented until January 1, 2018. The case was settled and Northcutt Dental agreed to a $62,500 penalty and a corrective action plan to address the alleged areas of non-compliance.

The post OCR Announces 4 Financial Penalties to Resolve HIPAA Violations appeared first on HIPAA Journal.

Email Incidents Reported by Ultimate Care, CareOregon Advantage, and University Medical Center Southern Nevada

Three email incidents have recently been reported by Ultimate Care, CareOregon Advantage, and University Medical Center Southern Nevada that have affected a total of 38,485 individuals.

Phishing Attack on Ultimate Care Impacts 15,788 Individuals

The Brooklyn, NY-based home care agency, Ultimate Care, has recently announced that a limited number of employee email accounts have been accessed by unauthorized individuals after employees responded to phishing emails. When the security breach was detected, rapid action was taken to secure its email environment and a forensic investigation was launched to determine the scope of the breach.

The forensic investigation revealed the email accounts were accessed by unauthorized individuals between April 7, 2021, and June 2, 2021. A manual review of all emails in the accounts confirmed they contained names, along with one or more of the following types of information: Social Security numbers, driver’s license numbers, passport numbers, dates of birth, financial account information, credit or debit card information, medical information, health insurance policy information, and/or usernames and passwords.

Ultimate Care said no reports have been received that indicate there has been any misuse of patient information; however, as a precaution against identity theft and fraud, individuals whose Social Security numbers were impacted have been offered complimentary one-year memberships with a credit monitoring service. Notification letters were sent to affected individuals on February 22, 2022.

The breach was reported to the HHS’ Office for Civil Rights as affecting 15,788 individuals.

University Medical Center Southern Nevada Patients Affected by Business Associate Email Breach

University Medical Center Southern Nevada (UMC) has recently confirmed the protected health information of 12,230 patients was potentially compromised in a cyberattack at one of its business associates: The healthcare software provider Advent Health Partners (AHA).

AHA discovered the email breach in early September 2021 and determined on December 2, 2021, that files containing the protected health information of its healthcare provider clients had been accessed. The files contained first and last names, Social Security numbers, drivers’ license information, dates of birth, health insurance information, medical treatment information, and financial account information. AHA provided notice about the attack on January 6, 2021. The breach was reported by Advent Health Partners as affecting 1,383 individuals, but some of its clients, including UMC, reported the breach themselves.

This is the third data breach to be reported by UMC in the past 18 months. UMC was a victim of a REvil ransomware attack in June 2021 that resulted in the theft of the protected health information of 1.3 million individuals, and in March 2021, UMC reported an unauthorized access/disclosure incident affecting 1,833 individuals.

Misdirected Email Exposed the PHI of CareOregon Advantage Members

The Portland, OR-based health insurance agency, CareOregon Advantage, has started notifying 10,467 plan members about an impermissible disclosure of some of their protected health information. On January 27, 2022, an email containing an attachment with plan member data was sent to a contracted consultant in error.

The consultant immediately notified CareOregon Advantage about the error and permanently deleted the email and attachment. The attached file contained information such as member names, ID numbers, Medicare/Medicaid numbers, and dates of birth. CareOregon Advantage believes the risk of misuse of member data is low.

CareOregon Advantage said its investigation confirmed that it has the correct policies and procedures in place to address these types of incidents and those policies and procedures are reviewed annually. The employee who sent the email has received additional training.


Horizon Actuarial Services Reports Data Theft and Extortion Incident

Horizon Actuarial Services, Clinic of North Texas, and Parkland Community Health Plan have recently announced breaches of the protected health information of patients and plan members.

Horizon Actuarial Services Reports Data Theft and Extortion Incident

Horizon Actuarial Services (HAS) has recently announced a security breach and the theft of the personal data of members of benefits plans to whom it provides technical and actuarial consulting services, including the Local 295 IBT Employer Group Welfare Fund and the Major League Baseball Players Benefit Plan.

HAS said it received an email on November 12, 2021, from a cyber actor who claimed to have stolen the personal data of plan members from its computer servers. Steps were immediately taken to secure its servers to prevent any further unauthorized access, and a computer forensics firm was engaged to investigate the potential security breach and determine the legitimacy of the email.

HAS confirmed that two servers had been accessed between November 10 and 11, 2021, and files containing names, dates of birth, Social Security numbers, and health plan information had been stolen. HAS said it negotiated with the cyber actors and made a payment in exchange for an agreement that the stolen data would be deleted and would not be distributed or misused.

HAS said it notified the affected plans about the breach and offered to provide notifications. Letters started to be mailed to affected individuals on March 9, 2022. Complimentary credit monitoring and fraud and identity theft support services have been offered to affected individuals.

Some affected plans chose to self-report the breach. Horizon Actuarial Services reported the breach as affecting 38,418 individuals, and the breach was reported separately by the Major League Baseball Players Benefit Plan as affecting 13,156 individuals.

HAS said it is reviewing its security policies and has implemented additional measures to protect against similar incidents in the future.

Clinic of North Texas Victim of November 2021 Cyberattack

Clinic of North Texas in Wichita Falls has recently announced it was the victim of a cyberattack on or around November 9, 2021, in which hackers gained access to patient data stored on its systems. A third-party computer forensics firm was engaged to determine the nature and scope of the breach, and whether patient data was stolen in the attack.

The investigation revealed the attackers gained access to a folder on one of its systems that contained files that included patient names, addresses, dates of birth, and limited health information. Clinic of North Texas said it took several steps in response to the breach, including changing all administrator passwords, implementing two-factor authentication, and deploying endpoint detection, response, and threat hunting tools. Affected individuals have been offered complimentary memberships to a credit monitoring service.

The incident has not yet appeared on the HHS’ Office for Civil Rights breach portal so it is currently unclear how many individuals have been affected.

Parkland Community Health Plan Discovers Mailing Error

Parkland Community Health Plan (PCHP) in Dallas, TX, has recently discovered a mismailing incident that saw the ID cards of 1,682 of its members sent to other health plan members in error. The mailing error was discovered on January 4, 2022, with the investigation confirming the following types of information had been impermissibly disclosed: Name, PCHP ID number, provider information, and plan/copay information.

PCHP said the error was made at its print vendor, and steps have since been taken to ensure similar breaches are avoided in the future. PCHP said it is unaware of any misuse of plan member information and new ID cards have now been mailed to the correct individuals.


Patient Data Stolen in July 2021 Cyberattack on Chelan Douglas Health District

Chelan Douglas Health District in East Wenatchee, WA, has announced it was the victim of a cyberattack in July 2021 in which the personal and protected health information of patients was exfiltrated from its systems. The breach notice uploaded to the Chelan Douglas Health District website does not disclose when the breach was detected, but says a third-party cybersecurity company was engaged to investigate the cyberattack and confirmed that its network was accessed by unauthorized individuals between July 2 and July 4, 2021. A representative for the health district said this was not a ransomware attack.

The review of the files that were removed from its systems was completed on February 12, 2022, and confirmed the following types of patient data had been stolen: names, Social Security numbers, dates of birth/death, financial account information, treatment information, diagnosis information, medical record/patient numbers, and health insurance policy information.

Notification letters started to be sent to affected individuals on March 15, 2022. Individuals who had their Social Security numbers stolen have been offered complimentary credit monitoring services. Chelan Douglas Health District said it is unaware of any cases of identity fraud or other misuse of patient data. Steps have since been taken to improve the security of its systems to prevent further data breaches in the future.

The incident has not yet appeared on the HHS’ Office for Civil Rights website, so it is currently unclear exactly how many individuals have been affected. There have been some reports in the media that suggest the PHI of approximately 109,000 individuals was stolen in the attack.

BEC Attack Reported by Liberty of Oklahoma Corporation

Oklahoma’s Department of Human Services and Liberty of Oklahoma Corporation (LOC) have announced that patient information was potentially accessed in a business email compromise attack in early December 2021.

On December 7, 2022, an employee in the Oklahoma Waitlist program received an email from a spoofed email account that attempted to redirect payments that were owed to LOC. The scam was detected and no fraudulent payments were made, but while investigating the incident they determined the email account of a LOC employee had been compromised.

The email account was immediately disabled, and a review was conducted to determine the types of information that may have been accessed or stolen. The review confirmed names, addresses, dates of birth, phone numbers, Social Security numbers, Oklahoma client numbers, and the contact information of representing persons had been exposed.

LOC reported the breach to the HHS’ Office for Civil Rights as affecting 5,746 individuals.

East Tennessee Children’s Hospital Investigating Security Breach

East Tennessee Children’s Hospital is currently investigating a security breach that occurred on March 13, 2022, and caused disruption to its IT systems. A spokesperson for the hospital said the incident has not affected the ability of the hospital to provide care to patients and its internal teams and external agencies are working to minimize the disruption caused by the incident.

A forensic investigation has been initiated to determine the nature and scope of the security incident, but at this stage of the investigation, it is not known whether any patient information has been accessed or stolen.


Data Breaches Reported by New Jersey Brain and Spine, Highmark Inc. and Dialyze Direct

New Jersey Brain and Spine (NJBS) has recently announced it was the victim of a cyberattack on or around November 16, 2021, that encrypted data on its network. NJBS said it immediately took steps to secure its network and engaged a computer forensic firm to investigate the security breach. While no evidence has been found to indicate there has been any misuse of patient data as a result of the attack, the forensics firm said the attacker may have accessed files containing patient data.

A third-party vendor was engaged to conduct a review of all files on its network that had potentially been accessed, and while the data mining process is ongoing, it has been confirmed that the files contained information such as names, addresses, dates of birth, email addresses, telephone numbers, Social Security numbers, financial account information, debit or credit card information, driver’s license numbers or other ID numbers, and medical information. Notification letters were sent to affected individuals on March 10, 2022.

NJBS said that following the breach, several steps were taken to better protect patient data, including implementing 2-factor authentication, migrating patient data to a third-party hosted cloud-based platform, and installing a new server. NJBS has also implemented an ongoing monitoring response solution that tracks user activity, services, and ports, and coordinates logging.

The breach has been reported to the HHS’ Office for Civil Rights as affecting up to 92,453 individuals.

Highmark Inc. Patients Affected by Breach at Printing and Mailing Vendor

Highmark Inc., a Pittsburgh, PA-based non-profit healthcare company and Integrated Delivery Network, has recently announced that some HIPAA-protected data has been exposed in a data breach at the printing and mailing vendor Quantum Group, which was used by Webb Mason, a vendor that provides marketing services to Highmark.

Webb Mason provided patient data to Quantum Group in 2017 to assist with marketing efforts for Highmark, and that information has potentially been accessed by unauthorized individuals. Highmark stressed that its own IT systems were not compromised.

Highmark reported the breach as affecting up to 67,147 individuals, who have been offered complimentary online identity monitoring services for 12 months at no cost.

Dialyze Direct Alerts Patients About PHI Exposure in Cyberattack

Dialyze Direct, a Neptune City, NJ, provider of kidney care services, has suffered a data breach that has affected up to 14,203 patients. According to a March 10, 2022 data breach notice, Dialyze Direct said it discovered on February 14, 2022, that an unauthorized individual had gained access to an employee email account between January 21, 2021, and March 4, 2021.

A comprehensive review of the email account confirmed it contained patients’ protected health information such as names, dates of birth, Social Security numbers, government identification numbers, financial account information, payment card information, and medical information that potentially includes financial identification numbers, medical diagnostic and treatment information, and/or health insurance plan information.

Notification letters have been sent to affected patients. Individuals whose Social Security numbers were potentially compromised have been offered complimentary credit monitoring services. Dialyze Direct said it has found no evidence to suggest that there has been any misuse of patient data.


February 2022 Healthcare Data Breach Report

For the third successive month, the number of data breaches reported to the HHS’ Office for Civil Rights (OCR) has fallen. 46 healthcare data breaches of 500 or more records were reported to OCR in February – an 8% fall from January. February saw the lowest number of data breaches in the past 5 months. Even with the reduction in breaches, on average, more than 2 healthcare data breaches have been reported each day over the past 12 months. From March 1, 2021, to February 28, 2022, there have been 723 reported data breaches of 500 or more records.

Chart: Healthcare data breaches in the past 12 months

Across February’s 46 incidents, the records of 2,525,023 individuals were exposed or compromised – a 2.28% fall from the previous month – which is considerably lower than the 3,506,400 records that have been breached each month, on average, from March 1, 2021, to February 28, 2022. At least 42,076,805 healthcare records were exposed over that period. In February, the average breach size was 48,957 records and the median breach size was 7,014 records.

Chart: Breached healthcare records over the past 12 months

Largest Healthcare Data Breaches Reported in February 2022

22 HIPAA-regulated entities reported breaches of 10,000 or more healthcare records in February. The largest breach of the month was reported by Morley Companies, which was a hacking incident that resulted in the exposure and possible theft of the protected health information of 521,046 members of its health plan.

Monongalia Health System reported a major hacking incident that potentially resulted in the theft of the PHI of 492,861 individuals. The breach was discovered a few days after the health system announced a previous data breach – a phishing and business email compromise attack – that affected almost 398,164 individuals.

| Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Type of Breach | Cause of Breach |
|---|---|---|---|---|---|
| Morley Companies, Inc. | MI | Business Associate | 521,046 | Hacking/IT Incident | Unspecified hacking incident |
| Monongalia Health System, Inc. | WV | Healthcare Provider | 492,861 | Hacking/IT Incident | Unspecified hacking incident |
| Norwood Clinic | AL | Healthcare Provider | 228,000 | Hacking/IT Incident | Unspecified hacking incident |
| Logan Health Medical Center | MT | Healthcare Provider | 213,543 | Hacking/IT Incident | Unspecified hacking incident |
| South Shore Hospital Corporation | IL | Healthcare Provider | 115,670 | Hacking/IT Incident | Unspecified hacking incident |
| Comprehensive Health Services | FL | Healthcare Provider | 106,752 | Hacking/IT Incident | Business email compromise |
| US Radiology Specialists, Inc. | NC | Business Associate | 87,552 | Hacking/IT Incident | Unknown |
| Memorial Village ER | TX | Healthcare Provider | 80,000 | Hacking/IT Incident | Unspecified hacking incident |
| Montrose Regional Health | CO | Healthcare Provider | 52,632 | Hacking/IT Incident | Compromised email accounts |
| Cross Timbers Health Clinics dba AccelHealth | TX | Healthcare Provider | 48,126 | Hacking/IT Incident | Ransomware attack |
| Jacksonville Spine Center, P.A. | FL | Healthcare Provider | 38,000 | Hacking/IT Incident | Ransomware attack |
| The Puerto Rican Organization to Motivate, Enlighten, and Serve Addicts, Inc. | NY | Healthcare Provider | 30,220 | Hacking/IT Incident | Compromised email accounts |
| EPIC Pharmacy Network, Inc. | VA | Healthcare Provider | 28,776 | Hacking/IT Incident | Compromised email accounts |
| Ascension Michigan (single affiliated covered entity) ACE | MI | Healthcare Provider | 27,177 | Unauthorized Access/Disclosure | Unauthorized EHR access by an employee |
| Bako Diagnostics | GA | Healthcare Provider | 25,745 | Hacking/IT Incident | Unspecified hacking incident (data exfiltration confirmed) |
| Ultimate Care, Inc. | NY | Healthcare Provider | 15,788 | Hacking/IT Incident | Compromised email accounts |
| Alliance Physical Therapy Group, LLC | MI | Business Associate | 14,970 | Hacking/IT Incident | Unspecified hacking incident |
| University Medical Center Southern Nevada | NV | Healthcare Provider | 12,230 | Hacking/IT Incident | Unknown |
| Seneca Nation Health System | NY | Healthcare Provider | 12,000 | Hacking/IT Incident | Unknown |
| CareOregon Advantage | OR | Health Plan | 10,467 | Unauthorized Access/Disclosure | Misdirected email |
| Extend Fertility | NY | Healthcare Provider | 10,373 | Hacking/IT Incident | Ransomware attack |
| Houston Health Department | TX | Healthcare Provider | 10,291 | Unauthorized Access/Disclosure | Misconfigured web portal |

Causes of February 2022 Healthcare Data Breaches

As the table above shows, hacking incidents dominated the breach reports in February. 39 of the month’s data breaches were hacking/IT incidents, the majority of which saw unauthorized individuals hack into networks and view and/or exfiltrate sensitive data. It is common for breached entities to disclose hacking incidents but not publicly disclose details about the exact nature of the attacks, such as if they involved malware or ransomware. Across those 39 breaches, the records of 2,184,973 individuals were exposed or compromised. The average breach size was 56,025 records and the median breach size was 6,221 records.

Chart: Causes of February 2022 healthcare data breaches

There were 6 unauthorized access/disclosure incidents reported in February involving the records of 62,550 individuals. The average breach size was 10,425 records and the median breach size was 8,953 records. There was one loss incident involving a desktop computer that contained the PHI of 4,500 individuals. There were no reported theft or improper disposal incidents.

Chart: Location of breached PHI in February 2022 healthcare data breaches

Healthcare Data Breaches by State

HIPAA-regulated entities in 23 states reported data breaches in February. New York was the worst affected state with 6 reported breaches, followed by Florida, Michigan, and New Jersey, which each had 5.

| State | Number of reported breaches |
|---|---|
| New York | 6 |
| Florida, Michigan, and New Jersey | 5 |
| Texas and Virginia | 3 |
| Pennsylvania and West Virginia | 2 |
| Alabama, Arizona, Colorado, Connecticut, Georgia, Illinois, Massachusetts, Montana, Nevada, North Carolina, Oklahoma, Oregon, Rhode Island, Utah, and Washington | 1 |

Healthcare Data Breaches by HIPAA-Regulated Entity Type

Healthcare providers were the worst affected entity in February 2022 having reported a total of 35 data breaches involving the records of 1,597,155 individuals. There were 6 data breaches reported by health plans involving 21,284 records, and 5 data breaches were self-reported by business associates of HIPAA-covered entities, which involved the records of 633,584 individuals.

10 breaches occurred at business associates but were reported by the affected covered entity, with the adjusted figures shown in the chart below.

Chart: February 2022 healthcare data breaches by HIPAA-regulated entity type

HIPAA Enforcement Actions in February 2022

There were no announcements by the HHS’ Office for Civil Rights or state Attorneys General about HIPAA enforcement actions in February. In fact, there have been no financial penalties imposed for HIPAA violations so far in 2022.

OCR Director, Lisa J. Pino, has confirmed that the Department of Health and Human Services has an ambitious regulatory agenda for 2021, which will include strong enforcement of HIPAA compliance, including the continuation of its enforcement initiative targeting healthcare providers that violate the HIPAA Right of Access and fail to provide individuals with timely access to their medical records.


JDC Healthcare Management Data Breach Affects More than 1 Million Texans

On March 17, 2022, Dallas, TX-based JDC Healthcare Management, which runs more than 70 Jefferson Dental & Orthodontics practices throughout the state of Texas, reported a security breach to the Office of the Attorney General of Texas that has affected more than 1 million Texans.

As previously reported on this site, JDC Healthcare Management detected malware within its IT network on or around August 9, 2021, with the forensic investigation into the security breach confirming the malware was downloaded onto its systems on July 27, 2021.

Further information on the data breach has now been obtained. JDC Healthcare Management explained that the malware gave unauthorized individuals access to its IT systems from July 27, 2021, to August 16, 2021, and its forensic investigation confirmed the attackers viewed or copied files on its systems that contained patients’ electronic protected health information (ePHI). Taken together with the August 9 detection date, that window means the attackers retained access for roughly a week after the malware was first identified.

JDC Healthcare Management explained in its March 2022 breach notification letters that the comprehensive review of the impacted files is ongoing, but it has been confirmed that the types of exposed and compromised ePHI included names, dates of birth, Social Security numbers, driver’s license numbers, financial information, health insurance information, and medical information.

In its breach notification letters, JDC Healthcare Management said, “Upon learning of this incident, we moved quickly to investigate and respond to this incident, assess the security of our systems, restore functionality to our environment, and notify potentially affected individuals.”

JDC Healthcare Management said it is reviewing and enhancing its existing policies and procedures to reduce the likelihood of further security breaches. Affected individuals have been advised to check their accounts, explanation of benefits statements, and free annual credit reports; the breach notification letters make no mention of credit monitoring or identity theft protection services being offered, despite Social Security numbers and financial information being among the compromised data. JDC Healthcare Management said that at the time of issuing notification letters, it was unaware of any actual or attempted misuse of patient data.

Notification letters are now being sent and the incident will be reported to the HHS’ Office for Civil Rights. The breach report submitted to the Texas Attorney General indicates the ePHI of 1,026,820 Texans was potentially compromised.

Wheeling Health Right Inc. Suffers Ransomware Attack

Wheeling Health Right Inc. in West Virginia has announced it was the victim of a ransomware attack in January 2022. The security breach was detected on January 18, 2022, when staff found they could no longer access files on its IT systems. Wheeling Health Right said it engaged legal counsel and a data breach remediation firm to investigate the attack and determine the extent to which its systems had been compromised.

A review of all files on the affected parts of its systems confirmed they contained sensitive patient and employee information such as full names, addresses, email addresses, phone numbers, driver’s license numbers, medical record numbers, Social Security numbers, tax information, income information, and health information of patients who applied for or received services from Wheeling Health Right.

Wheeling Health Right said its information technology service provider decrypted, recovered, and rebuilt its systems, initiated a password reset for all system end-users, implemented multi-factor authentication for employee email accounts, and installed additional endpoint detection and response software. Further privacy and security measures have also been implemented, including providing additional cybersecurity training to the workforce.

Wheeling Health Right said affected individuals were notified on March 18, 2022, and have been offered identity monitoring services at no cost for 12 months. The incident has not yet appeared on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

The post JDC Healthcare Management Data Breach Affects More than 1 Million Texans appeared first on HIPAA Journal.

Central Indiana Orthopedics & Duncan Regional Hospital Report 80K-Record Data Breaches

Cyberattacks have been reported by Duncan Regional Hospital in Oklahoma and Central Indiana Orthopedics that have affected a total of 170,084 individuals.

Duncan Regional Hospital

Duncan Regional Hospital has recently announced it was the victim of a cyberattack in January. The incident was detected on January 20, 2022, when suspicious activity was identified in some of its IT systems. All systems were immediately taken offline to prevent further unauthorized access and a third-party computer forensics firm was engaged to determine the nature and scope of the breach.

Duncan Regional Hospital said the hackers did not gain access to its electronic medical record system but did access parts of the network where files containing patient data were stored. Those files contained patient names, addresses, phone numbers, dates of birth, Social Security numbers, appointment information such as dates of service and healthcare provider names, and limited treatment information.

Steps have been taken to improve security and prevent further attacks, including an organization-wide password reset and implementing new endpoint threat detection and response monitoring software and more robust firewall restrictions. Affected individuals have been notified and offered complimentary credit monitoring and identity protection services.

The incident has been reported to the HHS’ Office for Civil Rights as affecting 86,379 patients.

Central Indiana Orthopedics

Earlier this month, Central Indiana Orthopedics announced it was the victim of a cyberattack that was detected on October 16, 2021. Steps were immediately taken to secure its network and a third-party computer forensics firm was engaged to investigate the breach.

The investigation revealed files containing patient information had been accessed by unauthorized individuals, although no reports have been received that suggest any patient information has been misused. The types of information in the files varied from patient to patient and may have included names, addresses, Social Security numbers, and limited medical information.

Central Indiana Orthopedics said several steps have been taken in response to the breach to improve security, prevent further cyberattacks, and mitigate the risk of future harm. All individuals affected by the breach have been notified and offered complimentary credit monitoring, dark web monitoring, and identity theft protection services.

The incident has been reported to the HHS’ Office for Civil Rights as affecting 83,705 individuals.

The post Central Indiana Orthopedics & Duncan Regional Hospital Report 80K-Record Data Breaches appeared first on HIPAA Journal.

Capital Region Medical Center and Labette Health Announce Potential PHI Breaches

Capital Region Medical Center (CRMC) in Jefferson City, MO has recently confirmed patient information was accessed by unauthorized individuals in a December 2021 cyberattack that took its network and phone systems offline for several days.

The attack was detected on December 17, 2021, when network systems were disrupted. An investigation was launched to determine the nature and scope of the breach, and a public announcement about the security incident was issued on December 23, 2021. It was initially unclear if patient information had been compromised but that has now been confirmed.

CRMC said at this stage of the investigation it does not appear that the attackers gained access to its electronic medical record database; however, the files accessed or potentially accessed by the attackers included information such as patient names, addresses, birth dates, medical information, and health insurance information. A subset of patients also had their Social Security numbers, driver’s license numbers, and/or financial account information exposed. That subset of patients has been offered a complimentary 12-month membership to credit monitoring services. CRMC said it has found no evidence to date to indicate any patient information has been misused.

CRMC said it will continue to evaluate its security practices and will look for opportunities to implement additional cybersecurity measures to bolster security and prevent similar cyberattacks in the future.

The incident has yet to appear on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

Labette Health Notifies Patients About October 2021 Cyberattack

Labette Health in Kansas has recently announced its IT systems were accessed by unauthorized individuals between October 15, 2021, and October 24, 2021.

Labette Health said that it took immediate steps to secure its network and limit the potential for additional harm. Third-party cybersecurity professionals were engaged to investigate the security breach and determine the nature and scope of the cyberattack. The investigation concluded on February 11, 2022, that certain files and folders on its network that contained patients’ protected health information had been accessed by unauthorized individuals, who may have exfiltrated some of those files.

The files contained employee and patient names and one or more of the following types of information: Social Security number, medical treatment and diagnosis information, treatment costs, dates of service, prescription information, Medicare or Medicaid number, and health insurance information.

It has been four months since the breach occurred, and to date, Labette Health has not found any evidence of misuse of patient or employee information. Labette Health said on March 11, 2022, written notifications were sent to affected individuals out of an abundance of caution. Individuals whose Social Security numbers were exposed have been offered complimentary credit monitoring services.

Labette Health said it followed the recommendations of cybersecurity experts and has strengthened network security, implemented more robust password security policies and multi-factor authentication for network access, and has upgraded endpoint detection software and provided additional network security and threat detection training to the workforce.

The data breach has not yet appeared on the HHS’ Office for Civil Rights breach portal so it is currently unclear how many individuals have been affected.

The post Capital Region Medical Center and Labette Health Announce Potential PHI Breaches appeared first on HIPAA Journal.