HIPAA Breach News

Jackson Health Investigating Nurse Social Media HIPAA Violation

Jackson Health has launched an investigation into a nurse social media violation after photographs of a baby with a birth defect were posted on Facebook.

A nurse who worked in the neonatal intensive care unit at Jackson Memorial Hospital posted two photographs on Facebook of a baby with gastroschisis – a rare birth defect of the abdominal wall that can cause the intestines to protrude from the body. The photos were accompanied with the captions, “My night was going great then boom!” and “Your intestines posed (sic) to be inside not outside baby! #gastroschisis.” The disturbing images were posted on accounts belonging to Sierra Samuels.

The posting of images of patients on social media without first obtaining authorization is a serious breach of patient privacy. Photographs of patients are classed as protected health information and posting images on social media platforms, even in closed Facebook groups, is a violation of the Health Insurance Portability and Accountability Act (HIPAA) unless prior authorization is obtained from the patient.

HIPAA requires healthcare providers to provide privacy policy training to staff members. Training must be provided within a reasonable time after an employee joins a covered entity’s workforce and training must be regularly reinforced. The best practice is to provide refresher HIPAA privacy training annually. A sanctions policy must also be developed and implemented that clearly states the sanctions employees will face if they violate the HIPAA Rules.

After being alerted to the social media posts Jackson Health launched an investigation into the privacy violation and immediately placed the nurse on administrative leave pending the outcome of the investigation. “Protecting the privacy of our patients is always a top priority at Jackson Health System. Any potential privacy breach is taken seriously and thoroughly investigated,” said a spokesperson for Jackson Health. Jackson Health also confirmed that when employees violate patient privacy, despite being educated, they will be subject to disciplinary action which may involve suspension or termination.

The post Jackson Health Investigating Nurse Social Media HIPAA Violation appeared first on HIPAA Journal.

OCR Announces 20th Financial Penalty Under HIPAA Right of Access Enforcement Initiative

The Department of Health and Human Services’ Office for Civil Rights (OCR) has imposed its 20th financial penalty under the HIPAA Right of Access enforcement initiative that was launched in late 2019.

Children’s Hospital & Medical Center (CHMC), a pediatric care provider in Omaha, Nebraska, has been ordered to pay a penalty of $80,000 to resolve the alleged HIPAA Right of Access violation, is required to adopt a corrective action plan to address the noncompliance discovered by OCR, and will be monitored for compliance by OCR for a period of one year.

The Privacy Rule of the Health Insurance Portability and Accountability Act gave individuals the right to obtain a copy of their protected health information held by a HIPAA covered entity, and for parents and legal guardians to obtain a copy of the medical records of their minor children. HIPAA covered entities must provide the requested records within 30 days and are only permitted to charge a reasonable cost-based fee for providing copies. In certain circumstances, covered entities can apply for a 30-day extension, making the maximum time for providing records 60 days from the date the written request for access is received.

When individuals feel their HIPAA rights have been violated, they cannot take legal action against a HIPAA-covered entity for a HIPAA violation, but they can file a complaint with OCR. In this case, OCR received a complaint from a parent who alleged CHMC had not provided her with timely access to her minor daughter’s medical records.

CHMC received the parent’s request and provided her with some of her daughter’s medical records but did not provide all the requested information. The parent also made several follow-up requests to CHMC. OCR investigated and confirmed the parent requested a copy of her late daughter’s medical records in writing on January 3, 2020. Some of the requested records were provided; however, the remainder of the records needed to be obtained from a different CHMC division. Some of the remaining records were provided on June 20, 2020, with the rest provided on July 16, 2020. OCR determined this was in violation of the HIPAA Right of Access – 45 C.F.R. § 164.524(b).

In addition to the financial penalty, CHMC must review and update its policies and procedures related to the HIPAA Right of Access, provide the policies to OCR for assessment, and distribute the approved policies to the workforce and ensure training is provided.

“Generally, HIPAA requires covered entities to give parents timely access to their minor children’s medical records, when the parent is the child’s personal representative,” said Acting OCR Director Robinsue Frohboese. “OCR’s Right of Access Initiative supports patients’ and personal representatives’ fundamental right to their health information and underscores the importance of all covered entities’ compliance with this essential right.”

Philadelphia Mental Health Service Provider Breach Affects 29,000 Patients

The Wedge Recovery Centers, a mental health service provider based in Philadelphia, Pennsylvania, discovered suspicious activity within its computer network on June 25, 2021, which indicated unauthorized individuals had breached its security defenses. Steps were immediately taken to block further access and an investigation was launched to determine the nature and scope of the breach.

The investigation confirmed an unauthorized actor had gained access to its network on June 25, 2021; however, no evidence was uncovered during the course of the investigation to suggest any individual’s information had been subjected to actual or attempted misuse as a result of the security breach.

A comprehensive review was conducted of all data potentially affected and that process is ongoing; however, it has now been confirmed that the following types of information were stored in files on parts of the network that were compromised: Name, address, date of birth, Social Security number, and treatment and health insurance information.

The Wedge Recovery Centers have implemented additional technical security safeguards to prevent further incidents of this nature and policies and procedures are being reviewed and enhanced to further improve privacy and security.

All individuals affected by the security breach are being notified by mail and have been advised to remain vigilant against identity theft and fraud and to review their account statements, explanation of benefits statements, and free credit reports for signs of suspicious activity or errors.

The breach has recently been reported to the Department of Health and Human Services’ Office for Civil Rights as affecting 29,000 individuals.

TX: Denton County Discovers COVID-19 Application Leaked Data of 346,000 Individuals

Denton County in Texas has discovered that a vulnerability in a third-party provider application, used in connection with individuals’ personal health information, has potentially been exploited by unauthorized individuals. The application was used at COVID-19 vaccination clinics in the County and contained information such as names, dates of birth, email addresses, phone numbers, and COVID-19 vaccination information.

The vulnerability, discovered by Denton County officials on July 7, 2021, meant the information in the application database was accessible by anonymous users. When the flaw was discovered, the application was immediately shut down and an investigation was launched to determine the extent of the issue and whether any unauthorized individuals had exploited the flaw to gain access to sensitive data.

Denton County confirmed that an error had been made configuring the application which exposed data to unauthorized individuals. While no evidence was found to indicate any actual or attempted misuse of individuals’ protected health information, it was not possible to rule out unauthorized access to the underlying database.

A time-consuming, comprehensive review was conducted to determine which individuals had been affected. Only the above information had been exposed. Sensitive data such as Social Security numbers, driver license numbers, and financial account information were not used in connection with the application.

Denton County, assisted by the third-party application provider, has now implemented additional safeguards to ensure the security of the application and the personal and protected health information of County residents.

The nature of the exposed data does not put individuals at a high risk of identity theft or fraud; however, the County has advised all affected individuals to remain vigilant and to review their account statements and credit reports for suspicious activity.

Initially, it appeared that around 1.2 million individuals had been affected, but a review confirmed many exposed files were duplicates. The breach has now been reported to the Department of Health and Human Services’ Office for Civil Rights as affecting 326,417 individuals.

CareATC Email Accounts Accessed by Unauthorized Individuals

CareATC, a Tulsa, OK-based population health management company, has discovered the email accounts of two employees have been accessed by unauthorized individuals, who potentially gained access to the personal information of patients and employees.

CareATC launched an investigation on June 29, 2021 when suspicious activity was detected in the email account of an employee. Third-party forensics specialists were engaged to assist with the investigation and determine the extent and scope of the security breach. That investigation revealed a second email account had also been compromised, with the two email accounts subject to unauthorized access between June 18 and June 29, 2021.

Upon discovery of the compromised email accounts steps were taken to block any further unauthorized access, and a comprehensive review was conducted to determine which patient data had been exposed. The review was completed around August 11, 2021.

For the majority of affected individuals – which include patients, employees, and dependents of patients and employees – the information in the compromised email accounts was limited to names and dates of birth. Other individuals also had one or more of the following data elements exposed in addition to their name: Social Security number, driver’s license number, date of birth, financial account information, medical history and treatment information, health insurance information, passport number, US Alien Registration number, electronic/digital signature, and username and password.

Notifications have now been sent to affected individuals for whom valid mailing addresses were maintained. CareATC has been working with third-party cybersecurity specialists to improve email security, and steps have already been taken to strengthen the security of its email system. CareATC also said employees have been provided with additional email security training.

The breach summary on the Department of Health and Human Services’ Office for Civil Rights breach portal indicates 98,774 patients were affected by the breach.

Outpatient Facilities Targeted by Cyber Actors More Frequently Than Hospitals

A new analysis of breach reports submitted to the Department of Health and Human Services’ Office for Civil Rights has revealed outpatient facilities and specialty clinics have been targeted by cyber threat actors more frequently than hospital systems in the first 6 months of 2021.

Researchers at Critical Insight explained in their 2021 Healthcare Data Breach Report that cybercriminals have changed their targets within the healthcare ecosystem and are now focusing on outpatient facilities and business associates more often than hospitals and health insurers.

While large health systems are naturally attractive targets for cybercriminals, smaller healthcare organizations tend to have weaker security defenses, can be attacked more easily, and are low-hanging fruit for hackers. The potential profits from the attacks may be lower, but so too is the effort required to gain access to their networks and sensitive data.

“It is no secret as to why hackers are showing interest. Electronic protected health information (ePHI) is worth more than a credit card number or social security number. Scammers can monetize it in a myriad of ways, from selling it on the dark web to filing fraudulent insurance claims,” explained the researchers in the report. “It does not help that many health organizations use devices that run on operating systems that are out-of-date, and many devices were not designed with cybersecurity in mind.”

The researchers confirmed healthcare data breaches are now occurring at almost twice the level of 2018, with data breaches attributed to hacking and IT incidents occurring at almost three times the level of the first half of 2018. In the first half of 2021, 70% of all healthcare data breaches of 500 or more records that were reported to the HHS’ Office for Civil Rights were hacking/IT incidents.

There has been a slight decline in the number of reported data breaches from the last 6 months of 2020, but that does not indicate cyberattacks are falling, as in the last half of 2020 the breach reports submitted to the HHS’ Office for Civil Rights included many breach notices submitted by organizations affected by the data breach at business associate Blackbaud. The number of reported breaches in the first half of 2021 is higher than in the first 6 months of last year, and the trend of increasing numbers of data breaches being reported every year looks set to continue.

There has been a major increase in the number of cyberattacks on business associates of HIPAA covered entities, which now account for 43% of all reported healthcare data breaches. In the first 6 months of 2021, there were 141 data breaches reported by business associates of HIPAA-covered entities. By comparison, there were only 66 data breaches reported by business associates in the last 6 months of 2019. “As these and other third-party breaches continue to make the news, it demonstrates that attackers are paying more attention to this ecosystem of vendors as a vulnerable link in the cybersecurity chain,” explained the researchers.

Cybercriminals are unlikely to stop attacking healthcare organizations as the attacks are profitable. It is up to healthcare organizations and their business associates to improve their defenses against cyber actors. The Critical Insight researchers have made several recommendations, including assessing third-party risk more accurately, regularly reviewing business associate agreements and ensuring they clearly define roles and responsibilities, implementing more comprehensive protections against ransomware and phishing attacks, strengthening access controls, and practicing basic security hygiene.

600,000 DuPage Medical Group Patients Notified About PHI Breach

DuPage Medical Group, the largest independent physician group in the state of Illinois, has started notifying approximately 600,000 patients about a security breach in which their personal and protected health information may have been compromised.

DuPage Medical Group identified suspicious activity in its computer network on July 13, 2021 and engaged cyber forensic specialists to conduct an investigation to determine the full nature and scope of the breach. They determined unauthorized actors had gained access to its IT systems on July 12 and access remained possible until the breach was detected on July 13 and its network was secured.

A comprehensive review was conducted of all files on the systems that were accessible to the hackers and, on August 17, 2021, DuPage Medical Group confirmed that files containing patient information had potentially been impacted.

The types of information potentially compromised in the security breach varied from patient to patient and may have included the following data elements: Names, addresses, dates of birth, diagnosis codes, Current Procedural Terminology (CPT) codes, and treatment dates. The Social Security numbers of a small subset of patients were affected, but no financial information was exposed.

DuPage Medical Group said the forensic investigation uncovered no evidence to suggest any information stored on the affected systems has been subject to actual or attempted misuse as a result of the security incident; however, as a precaution against identity theft and fraud, complimentary credit monitoring and identity theft protection services are being offered to all individuals affected by the breach.

The exact nature of the cyberattack was not disclosed so it is unclear if the attackers attempted to deploy ransomware. DuPage Medical Group said the security breach “caused a disruption to network systems” and resulted in a “network outage.”

DuPage Medical Group said it has reviewed its existing security measures and has already implemented additional cybersecurity protections to reduce the risk of further cyberattacks, and will “improve every aspect of our technology roadmap to better serve patients.”

San Andreas Regional Center Victim of Ransomware Attack

San Andreas Regional Center in San Jose, CA has started notifying patients that their PHI may have been compromised in a July 2021 ransomware attack.

On July 5, its networks and servers were taken out of action as a result of the attack. Steps were rapidly taken to remediate the attack and third-party computer forensics experts were engaged to investigate the breach, determine how access to its systems was gained, and to discover the extent to which patient data had been affected.

The initial investigation into the ransomware attack was concluded on August 2, 2021, when it was confirmed that the attackers had gained access to parts of the network where patients’ protected health information was stored and certain files stored on its servers that contained patient data had been exfiltrated by the attackers prior to the use of ransomware. It was not possible to determine any specific patient information that was stolen by the attackers.

At the time of issuing notification letters to affected patients, San Andreas Regional Center had not identified any instances of attempted or actual misuse of patient data. A review of all files accessible to the attackers confirmed the following types of patient data were potentially compromised in the attack: First and last names, addresses, dates of birth, telephone numbers, Social Security numbers, email addresses, health plan beneficiary numbers, health insurance information, full-face photos and/or comparable images, UCI (unique identifying number or code generated by SARC for patients), medical information, diagnoses, disability codes, and other certificate/license numbers.

Policies and procedures are being updated, employees have received further cybersecurity training, and additional cybersecurity safeguards are being implemented to strengthen security. Complimentary credit monitoring and identity theft protection services are being offered to affected individuals.

The breach has been reported to the HHS’ Office for Civil Rights but the incident is not yet showing on the OCR breach portal, so it is currently unclear how many patients have been affected.

48,000 Individuals Affected by Ransomware Attack on CarePointe ENT

The Merrillville, IN-based ear, nose, and throat specialist, CarePointe ENT, has announced it suffered a ransomware attack on June 25, 2021 which resulted in the encryption of files on its network. Some of the files encrypted in the attack are known to include the personal and protected health information of its patients.

It is common in ransomware attacks for sensitive data to be exfiltrated prior to the use of ransomware to encrypt files. The main purpose of data exfiltration is to pressure victims into paying the ransom. CarePointe said it believes the attack was conducted with the sole purpose of extorting money from the practice, not to steal patient data. No reports have been received which suggest any patient data have been misused as a result of the cyberattack, although after thoroughly investigating the attack it was not possible to rule out the possibility that patient data had been viewed by the attackers.

CarePointe said it has taken steps to reduce the likelihood of further cyberattacks, with the additional measures implemented including enhancing its threat detection capabilities and restricting remote access to its systems. Affected patients have been advised to obtain a free credit report and to check the report for signs of misuse of their personal and protected health information, and also to consider placing a fraud alert on their credit reports.

A review of the systems accessible to the attackers confirmed the following types of patient data may have been compromised: Name, address, date of birth, Social Security number (if provided to CarePointe), medical insurance information, and related health information.

The ransomware attack has been reported to the Department of Health and Human Services’ Office for Civil Rights as affecting up to 48,742 individuals.
