Latest HIPAA News

FINAL CALL to Take Part in Emergency Preparedness and Security Trends in Healthcare Survey

Posted by HIPAA Journal

Each year, Rave Mobile Safety conducts a survey to identify healthcare security trends and determine the state of emergency preparedness in the healthcare industry.

For the 2020 Emergency Preparedness and Security Trends in Healthcare report, insight is being sought from leaders in the healthcare community.

Many HIPAA Journal readers have already participated in last year’s survey and have provided information on the measures that have been deployed to improve safety in emergency situations. Their answers will be used to gain an overview of emergency preparedness throughout the United States.

If you have not already participated, you are invited to share your feedback in this anonymous survey (click here).

This is an opportunity for you to find out how your healthcare industry colleagues nationwide communicate in emergency preparedness and security matters and where they expect to take these practices next.

You can participate completely anonymously.

After you complete the survey, you will have the opportunity to enter into a raffle for a $200 gift card from the survey sponsor.

If you provide your email address, you’ll receive the anonymized survey results before they are published as well as entering the raffle.

HIPAA Journal will eventually publish the results of the survey.

Note: HIPAA Journal is not conducting this survey and does not receive any payment for promoting this survey. HIPAA Journal has no commercial relationship with the survey sponsor. If your organization is running a survey that is of interest to healthcare professionals, you can contact us with the details.

The post FINAL CALL to Take Part in Emergency Preparedness and Security Trends in Healthcare Survey appeared first on HIPAA Journal.

U.S. Cyber Command Warns of Active Exploitation of 2017 Outlook Vulnerability

Posted by HIPAA Journal

A two-year-old vulnerability in Microsoft Outlook is being exploited by hackers in targeted attacks on U.S. government networks.

U.S. Cyber Command has issued a warning about vulnerability CVE-2017-1174, which is being actively exploited to install remote access Trojans and other forms of malware.  U.S. Cyber Command strongly recommends patching the vulnerability immediately to prevent exploitation.

The flaw is a sandbox escape vulnerability which can be exploited if the attacker has the user’s outlook credentials, which could be obtained via a phishing attack or other means. The attacker could then change the user’s home page to a page with embedded code that downloads and executes malware when Outlook is opened.

U.S. Cyber Command made no mention of the threat actors believed to be behind the attacks, although security researchers at Palo Alto Networks, FireEye, Chronicale, and others have linked the attacks to the Iran-backed cyberespionage group APT33.

APT33 has been exploiting this vulnerability for at least a year, but instead of using phishing, the group conducts brute force attacks using commonly used passwords. A typical attack will see multiple accounts targeted. When multiple passwords have been guessed, the Outlook vulnerability is exploited, and malware is downloaded on multiple devices on the network.

While there have been attacks on U.S. entities in the past, the group has been most active in the Middle East. The rise in attacks on American targets is believed to be linked to the escalating tensions between the two countries.

The U.S. Cyber Command warning on Twitter comes just a few days after the Director of the U.S. Cybersecurity and Infrastructure Security Agency (CISA), Chris Krebs, issued a warning on Twitter about Iran-backed threat groups conducting attacks using wiper malware. That warning was issued following an increase in cyberattacks on U.S. businesses and government entities by threat actors with links to Iran.

Symantec also issued a warning about an increase in attacks by the threat group APT33 in March this year, in which an exploit for a vulnerability in WinRAR was being used.

APT33, also known as Shamoon, was discovered to have links to Iran by FireEye researchers in 2017. The group is believed to have conducted a range of cyberattacks throughout the Middle East. The largest ever cyberattack in the Middle East, on oil firm Saudi Aramco in 2012, involved wiper malware called Shamoon. While the malware shares the name with the threat group, APT33 has not been confirmed as being involved in the attacks, although it is suspected by many.

Brandon Levene, head of applied intelligence at Chronicle, analyzed malware samples released by U.S. Cyber Command and found several similarities between the latest attacks and Shamoon malware campaigns in 2016. The latter leveraged a vulnerability and executed a PowerShell script to download the Pupy remote access Trojan and there are code similarities in the downloaders used in the latest attacks.

Levene also analyzed three malicious tools that were used in the recent attacks. The tools had different purposes but would have allowed the attackers to interact with a server they have compromised and conduct a range of different malicious activities. APT33 has used similar tools in attacks in the past to remotely execute code on compromised devices. FireEye’s Andrew Thompson also attributed the latest attacks to the threat group APT33.

With the U.S. stepping up its cyber offensive against Iran and as tensions continue to rise, retaliatory attacks on U.S. targets are likely to continue.

The post U.S. Cyber Command Warns of Active Exploitation of 2017 Outlook Vulnerability appeared first on HIPAA Journal.

Smaller Healthcare Providers Struggling to Implement Healthcare Cybersecurity Best Practices

Posted by HIPAA Journal

A recent study of cybersecurity best practices adopted by large and small healthcare providers has revealed there is a growing gulf between the two. Larger providers are more likely to have mature, sophisticated cybersecurity defenses, while smaller providers are struggling to follow cybersecurity best practices.

For the study, KLAS and CHIME analyzed responses to the 2018 Healthcare’s Most Wanted survey given by around 600 healthcare providers and assessed each to determine whether they were adhering to healthcare cybersecurity best practices.

One of the requirements of the Cybersecurity Act of 2015 was for the Department of Health and Human Services (HHS) to form a task group to develop guidance for healthcare providers to help them manage and mitigate threats to patient data.

The 405(d) Task Group released the document – Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients (HICP) – which details 10 cybersecurity principles relevant to healthcare providers of all sizes. These principles must be addressed to ensure cybersecurity risks are reduced to a reasonable and acceptable level.

The principles are:

  • Email protection systems
  • Endpoint protection systems
  • Access management
  • Data protection and loss prevention
  • Network management
  • Vulnerability management
  • Incident response
  • Medical device security
  • Cybersecurity policies

KLAS and CHIME assessed the responses against these principles and found large healthcare organizations to be performing well, with mature and sophisticated cybersecurity defenses. Larger healthcare organizations were more proactive and were conducting regular vulnerability scans and application testing, whereas smaller providers were reliant on penetration tests to identify vulnerabilities.

Larger healthcare organizations were more likely to have a dedicated CISO, board-level committees and governance, risk management, compliance committees, and BYOD management, which were often found lacking at smaller organizations.

Smaller providers were less likely to use network segmentation and multi-factor authentication – Two important measures for limiting damage in the event of credentials being compromised. While network access controls had been implemented at virtually all surveyed provider organizations, less than half of smaller providers had implemented network segmentation.

Network segmentation is important for preventing the spread of malware internally and to stop hackers from having full access to the entire network. Without it, a single compromised device could mean the entire network is compromised. Multi-factor authentication is similarly important. In the event of credentials being stolen, in a phishing attack for example, multi-factor authentication should prevent the account from being accessed. Only half of smaller providers had implemented MFA.

There were several positives in the report. Email and endpoint security systems had been implemented at most provider organizations which provide a reasonable level of protection against external threats. The threat from phishing was being addressed through security awareness training and phishing email simulations. 70% of all providers conducted phishing simulations at least every quarter.

Providers are concerned about medical device security and the potential for an attack to cause harm to patients. Most providers have included medical device security in their cybersecurity program, which is supported by strong cybersecurity practices in other areas. Data loss prevention solutions have also been widely adopted, although on-premises DLP solutions have slowed transition to the cloud. Most organizations that use DLP solutions backup data physically rather than using cloud backup services.

Incident response plans have been developed by most providers and most have signed up with information sharing and analysis organizations to participate in threat sharing. It is essential to have a plan in place to ensure a smooth incident response, but that plan must be tested to make sure it works in practice. Only half of organizations conduct an exercise annually to test their incident response plan.

“Today’s security requirements are challenging historical asset management practices, making it increasingly necessary for organizations to establish clear policies that align their IT, information security, healthcare technology management, and procurement teams,” said Steven R. Cagle, CEO of Clearwater, sponsor of the report.

Making improvements to an organization’s cybersecurity posture can be a challenge with too little money and resources often available to address all issues. Consequently, it can be difficult to know where to start. Cagle suggests starting with a comprehensive risk analysis to identify and evaluate all risks. A risk management plan can then be developed to prioritize the most serious vulnerabilities.

Larger healthcare organizations are more likely to use risk management software to support this process and identify the highest risks and optimize deployment of security controls. The result is greater risk reduction for lower costs.

The findings of the KLAS-CHIME study were published in the white paper – How Aligned Are Provider Organizations with the Health Industry Cybersecurity Practices (HICP) Guidelines?

The post Smaller Healthcare Providers Struggling to Implement Healthcare Cybersecurity Best Practices appeared first on HIPAA Journal.

HELP Committee Approves Bill Calling for HIPAA Enforcement Safe Harbor

Posted by HIPAA Journal

The Senate Health, Education, Labor and Pensions (HELP) Committee has approved the Lower Health Care Costs (LHCC) Act of 2019, which has implications for HIPAA-covered entities.

One of the main aims of the bill is to improve transparency of health care costs and service quality. The bill is intended to end surprise health bills and make sure patients are kept well informed about healthcare costs.

The LHCC Act includes a provision that incentivizes healthcare organizations to adopt strong cybersecurity practices by calling for the Department of Health and Human Services’ Office for Civil Rights to consider the organization’s good faith security efforts when making decisions about enforcement actions.

The bipartisan bill passed the HELP committee by 20 votes to 3. The bill includes 54 different proposals from 65 senators. With the bill now passed, HELP committee chairman Lamar Alexander (R-Tenn) hopes to present the bill to the Majority and Minority Leaders for consideration by the full senate in July.

Many healthcare organizations have been calling for OCR to consider adoption of security frameworks and other good faith efforts to improve security posture when deciding on whether a penalty for noncompliance is appropriate. A safe harbor for organizations that adopt a cybersecurity framework such as the framework developed by NIST has been proposed by several industry groups.

The LHCC Act falls short of proposing a safe harbor from all enforcement actions, but could incentivize healthcare organizations to adopt security frameworks, invest time and resources in cybersecurity, and go above and beyond the minimum standards required by HIPAA.

The provision should not be viewed as a ‘get out of jail free’ card. When financial penalties are issued by OCR, they are usually for multiple compliance failures and/or egregious violations of HIPAA Rules. Adoption of the NIST Cybersecurity Framework would likely do little to prevent financial penalties.

The impact of the new requirement may only be minimal. Currently, when OCR investigates a data breach, many factors are taken into consideration when deciding whether financial penalties are appropriate. OCR has previously made it clear that HIPAA compliance is about minimizing, not eliminating risks. OCR accepts that even organizations with strong cybersecurity protections can still be breached. The organization’s security program is already considered when OCR decides whether enforcement actions are appropriate.

In addition to the HIPAA enforcement provision, the bill proposes that the CMS require health insurers to make information such as claim data and expected out-of-pocket-expenses available to patients via APIs to help patients decide on the best health plan. This would also help to communicate that patients’ privacy and security is protected and HIPAA and state laws apply.

Concern has been raised about the risks to individually identifiable health information when it is transferred electronically to and from non-HIPAA-covered entities. The bill proposes the Government Accountability Office (GAO) conduct a study to identify any risks associated with such transfers. In addition, a study is required to identify privacy and security gaps when health information is transferred to third parties via mobile apps created by developers not bound by HIPAA.

The bill must first go before the full senate and house; however, if the bill does not pass both houses, the provisions related to HIPAA may be added to a different bill.

The post HELP Committee Approves Bill Calling for HIPAA Enforcement Safe Harbor appeared first on HIPAA Journal.

OCR Clarifies Allowable Uses and Disclosures by Health Plans for Care Coordination and Continuity of Care

Posted by HIPAA Journal

The Department of Health and Human Services’ Office for Civil Rights has issued new HIPAA guidance for health plans on how protected health information can be shared to support care coordination and continuity of care.

The guidance, which is in the form of an FAQ, answers two questions commonly asked by health plans:

Can PHI be disclosed to another health plan for care coordination purposes?

OCR has confirmed that the HIPAA Privacy Rule allows PHI to be used and disclosed for healthcare operations, so it is possible to share PHI with another health plan or other covered entity if doing so is necessary for the entity’s own healthcare operations. PHI can also be shared with another health plan for the recipient’s healthcare operations provided the following conditions are met: Both entities have or had a relationship with the individual, the disclosure pertains to that relationship, and the healthcare operation is one permitted by HIPAA (See 45 CFR 164.502(a)(1)(ii); 45 CFR 164.506(c)(4))

Case management and care coordination are included in permitted ‘healthcare operations,’ so they are permitted without patient authorization, but any disclosures should be limited to the minimum necessary information.

Can a health plan use and disclose PHI to inform individuals about other available health plans, without first obtaining authorization and Is this possible if PHI was received for another purpose?

Uses and disclosures of PHI for marketing purposes is generally not permitted without prior authorization. Using PHI for the purposes of offering an individual a different health plan could be seen to be marketing and would therefore only be permitted with prior authorization.

However, there are exceptions to marketing rule. Marketing communications are permitted face to face – 5 CFR 164.508(a)(3)(i) and HIPAA also does not count communications regarding replacements to, or enhancements of, existing health plans, provided the covered entity is not receiving financial remuneration for the communications. (See 45 CFR 164.506(c)(1) and 45 CFR 164.501). It is also permitted to use PHI that has been received for another purpose if the above conditions are met.

You can view the new OCR FAQ on this link.

The post OCR Clarifies Allowable Uses and Disclosures by Health Plans for Care Coordination and Continuity of Care appeared first on HIPAA Journal.

2.9 Million Members Affected by Dominion National 9-Year PHI Breach

Posted by HIPAA Journal

Dominion National, a Virginia-based insurer, health plan administrator, and administrator of dental and vision benefits, has experienced a data security incident involving the personal information of individuals connected to the services it provides. Hackers first gained access to its servers in 2010.

Following an internal alert, Dominion National launched an internal investigation and determined on April 24, 2019 that its systems had been breached.

A leading cybersecurity company performed a comprehensive forensic analysis and review of affected data and confirmed the sensitive information of current and former members of Dominion National and Avalon Vision plans may have been compromised along with the PHI of individuals who are members of health plans for which the company provides administration services for.

Data relating to individuals affiliated with the organizations that the company administers dental and vision benefits for, plan producers, and participating healthcare providers were also potentially compromised. Unauthorized access to its systems first occurred on August 25, 2010, nine years before the investigation was completed. It is currently unclear when the Dominion National first became aware of the breach.

The investigation into the cyberattack concluded on April 24, 2019. All affected individuals have been notified and offered two years membership to credit monitoring and identity theft protection services. Dominion National has cleaned all affected servers and has enhanced its monitoring and alerting software.

The types of information involved varied from individual to individual but may have included names along with addresses, email addresses, dates of birth, Social Security numbers, bank account and routing numbers, taxpayer ID numbers, member ID numbers, group numbers, and subscriber numbers.

A long-term breach such as this has potential to affect a great many plan members. According to the summary published on the HHS’ Office for Civil Rights Breach Portal, 2,964,778 plan members have had their PHI exposed.

While system access was confirmed, Dominion National uncovered no evidence to suggest any patient data was accessed, acquired or misused by the individual responsible for the attack. Breach notification letters were mailed on June 21, 2019. The substitute breach notice on the Dominion National website makes no mention of credit monitoring or identity theft protection services.

Updated: 07.03.19

The post 2.9 Million Members Affected by Dominion National 9-Year PHI Breach appeared first on HIPAA Journal.

DHS Warns of Increasing Risk of Wiper Malware Attacks by Iranian Threat Actors

Posted by HIPAA Journal

The Director of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning following a rise in cyberattacks by ‘Iranian regime actors.’

The warning from Christopher C. Krebs came as tensions are building between the United States and Iran. Iran has been accused of planting magnetic mines to damage commercial shipping vessels and a U.S. surveillance drone was shot as it flew over the Strait of Hormuz. Iran claims the drone was flying in its territory.

The U.S. responded with a planned air strike, although it was called off by President Trump due to the likely loss of life. However, a strike did take place in cyberspace. The U.S. Cyber Command has reportedly launched an attack on an Iranian spying group, Islamic Revolutionary Guard Corps, that is believed to have been involved in the mine laying operation. According to a recent report in the Washington Post, the cyberattacks disabled the command and control system that was used to launch missiles and rockets.

Iranian threat actors have also been highly active. There have been increasing numbers of cyberattacks on United States industries and government agencies.

While cyberattacks can take many forms, Iranian threat actors have increased attacks using wiper malware. In addition to stealing data and money, the threat actors use the malware to wipe systems clean and take down entire networks.

Iran is one of three countries rated by the United States as having highly capable threat actors involved in economic espionage and theft of trade secrets and proprietary data. Iranian hackers are more than capable of conducting devastating cyberattacks.

Iranian hackers were behind the SamSam ransomware attacks on healthcare providers and hackers working for the Iranian regime are believed to be responsible for the cyberattack on the Saudi Arabian oil firm Saudi Aramco in 2012. Shamoon wiper malware was used in that attack to wipe tens of thousands of devices.

The harm caused by these wiper attacks is considerable. In 2017, attacks using NotPetya wiper malware resulted in global financial losses of between $4 billion and $8 billion. The attack on the shipping firm Maersk resulted in losses of around $300 million. The attacks are also common. According to a recent report by Carbon Black, 45% of healthcare CISOs have experienced a wiper malware attack in the past 12 months.

The hackers may be highly capable, but they still use basic techniques and exploit common weaknesses to gain access to networks. These include phishing and spear phishing, social engineering, password spraying, and credential stuffing.

All of these attack methods can be blocked with basic cybersecurity measures such as enforcing the use of strong passwords, changing all default passwords, rate limiting on logins, applying the rule of least privilege when setting permissions, implementing multi-factor authentication, closing unused ports, disabling RDP, prompt patching,  adopting a robust backup strategy, and providing security awareness training to employees.

Krebs warned that all U.S industries, government agencies, and businesses should be alert to the risk of cyberattacks. “If you suspect an incident, take it seriously and act quickly,” said Krebs.

The post DHS Warns of Increasing Risk of Wiper Malware Attacks by Iranian Threat Actors appeared first on HIPAA Journal.

May 2019 Healthcare Data Breach Report

Posted by HIPAA Journal

In April, more healthcare data breaches were reported than in any other month to date. The high level of data breaches has continued in May, with 44 data breaches reported. Those breaches resulted in the exposure of almost 2 million individuals’ protected health information.

Healthcare data breaches by month 2014-2019

On average, 2018 saw 29.5 healthcare data breaches reported to the HHS’ Office for Civil Rights each month – a rate of more than one a day.

From January 2019 to May 2019, an average of 37.2 breaches have been reported each month. Up until May 31, 2019, 186 healthcare data breaches had been reported to OCR, which is more than half (52%) the number of breaches reported last year.

It remains to be seen whether the increase in data breaches is just a temporary blip or whether 40+ healthcare data breaches a month will become the new norm.

Healthcare records exposed by month 2017-2019

May saw a 186% increase in the number of exposed records compared to April. Across the 44 breaches, 1,988,376 healthcare records were exposed or compromised in May. So far this year, more than 6 million healthcare records have been exposed, which is more than half of the number of records exposed in 2018.

Healthcare records exposed by year 2014-2019

In terms of the number of records exposed, May would have been similar to April were it not for a massive data breach at the healthcare clearinghouse Inmediata Health Group. The breach was the largest of the year to date and resulted in the exposure of 1,565,338 records.

A web page which was supposed to only be accessible internally had been misconfigured and the page could be accessed by anyone over the internet.

 

Rank Name of Covered Entity Covered Entity Type Individuals Affected Type of Breach
1 Inmediata Health Group, Corp. Healthcare Clearing House 1,565,338 Unauthorized Access/Disclosure
2 Talley Medical Surgical Eyecare Associates, PC Healthcare Provider 106,000 Unauthorized Access/Disclosure
3 The Union Labor Life Insurance Company Health Plan 87,400 Hacking/IT Incident
4 Encompass Family and internal medicine group Healthcare Provider 26,000 Unauthorized Access/Disclosure
5 The Southeastern Council on Alcoholism and Drug Dependence Healthcare Provider 25,148 Hacking/IT Incident
6 Cancer Treatment Centers of America® (CTCA) at Southeastern Regional Medical Center Healthcare Provider 16,819 Hacking/IT Incident
7 Takai, Hoover, and Hsu, P.A. Healthcare Provider 16,542 Unauthorized Access/Disclosure
8 Hematology Oncology Associates, PC Healthcare Provider 16,073 Hacking/IT Incident
9 Acadia Montana Treatment Center Healthcare Provider 14,794 Hacking/IT Incident
10 American Baptist Homes of the Midwest Healthcare Provider 10,993 Hacking/IT Incident

Causes of May 2019 Healthcare Data Breaches

Hacking/IT incidents were the most numerous in May with 22 reported incidents. In total, 225,671 records were compromised in those breaches. The average breach size was 10,258 records with a median of 4,375 records.

There were 18 unauthorized access/disclosure incidents in May, which resulted in the exposure of 1,752,188 healthcare records. The average breach size was 97,344 records and the median size was 2,418 records.

8,624 records were stolen in three theft incidents. The average breach size 2,875 records and the median size was 3,578 records. There was one loss incident involving 1,893 records.

causes of May 2019 healthcare data breaches

Location of Breached PHI

Email continues to be the most common location of breached PHI. 50% of the month’s breaches involved at least some PHI stored in email accounts. The main cause of these types of breaches is phishing attacks.

Network servers were the second most common location of PHI. They were involved in 11 breaches, which included hacks, malware infections and ransomware attacks.  Electronic medical records were involved in 7 breaches, most of which were unauthorized access/disclosure breaches.

Location of breached PHi (may 2019)

May 2019 Healthcare Data Breaches by Covered Entity Type

Healthcare providers were the worst affected covered entity type in May with 34 breaches. 5 breaches were reported by health plans and 4 breaches were reported by business associates of HIPAA-covered entities. A further two breaches had some business associate involvement. One breach involved a healthcare clearinghouse.

May 2019 healthcare data breaches by covered entity type

May 2019 Healthcare Data Breaches by State

May saw healthcare data breaches reported by entities in 17 states.  Texas was the worst affected state in May with 7 reported breaches. There were 4 breaches reported by covered entities and business associates in California and 3 breaches were reported in each of Indiana and New York.

2 breaches were reported by entities base in Connecticut, Florida, Georgia, Maryland, Minnesota, North Carolina, Ohio, Oregon, Washington, and Puerto Rico. One breach was reported in each of Colorado, Illinois, Kentucky, Michigan, Missouri, Montana, and Pennsylvania.

HIPAA Enforcement Actions in May 2019

OCR agreed two settlements with HIPAA covered entities in May and closed the month with fines totaling $3,100,000.

Touchstone Medical Imaging agreed to settle its HIPAA violation case for $3,000,000. The Franklin, TN-based diagnostic medical imaging services company was investigated after it was discovered that an FTP server was accessible over the internet in 2014.

The settlement resolves 8 alleged HIPAA violations including the lack of a BAA, insufficient access rights, a risk analysis failure, the failure to respond to a security incident, a breach notification failure, a media notification failure, and the impermissible disclosure of the PHI of 307,839 individuals.

Medical Informatics Engineering settled its case with OCR and agreed to pay a financial penalty of $100,000 to resolve alleged HIPAA violations uncovered during the investigation of its 2015 breach of 3.5 million patient records. Hackers had gained access to MIE servers for 19 days in May 2015.

OCR determined there had been a failure to conduct a comprehensive risk analysis and, as a result of that failure, there was an impermissible disclosure of 3.5 million individuals’ PHI.

It did not end there for MIE. MIE also settled a multi-state lawsuit filed by 16 state attorneys general. A multi-state investigation uncovered several HIPAA violations. MIE agreed to pay a penalty of $900,000 to resolve the case.

The post May 2019 Healthcare Data Breach Report appeared first on HIPAA Journal.

Oregon Department of Human Services Notifies 645,000 Clients of Phishing Breach

Posted by HIPAA Journal

The Oregon Department of Human Services (ODHS) is notifying 645,000 clients that some of their personal information has potentially been compromised as a result of a phishing attack.

The targeted attack started on January 9, 2019 and resulted in 9 ODHS employees following links in emails and disclosing their login credentials.

ODHS and the Department of Administrative Services Enterprise Security Office discovered the breach on January 28 following reports from employees who believed their email accounts had been accessed. All affected email accounts were rapidly identified and remote access to the accounts was blocked the same day.

An investigation was launched into the breach to determine what protected health information may have been viewed and who had been affected. That process has taken some time to complete as it involved checking around 2 million emails.

The attackers accessed the compromised accounts and were able to access emails in the accounts for a period of 19 days. ODHS has confirmed that no malware was installed by the attackers but they may have viewed or obtained PHI such as names, contact information, Social Security numbers, case numbers, and sensitive health information.

On March 21, when it became clear that PHI was involved, ODHS uploaded a substitute breach notice to its website and created a call center where affected individuals could find out more about the breach. However, individual breach notifications were not sent until June 21.

ODHS oversees programs related to child welfare, individuals with disabilities, and seniors and deals with some of the most vulnerable individuals in the state. To protect those individuals from harm, ODHS has covered the cost of a $1 million identity theft reimbursement insurance policy and is offering all affected individuals 12 months of complimentary credit monitoring and identity theft recovery services.

ODHS spokesperson Robert Oakes said this was an “extremely sophisticated email attack.” ODHS has since closed access to the email web application that was breached and will continue to conduct internal security audits to vulnerabilities and will subject those vulnerabilities to a HIPAA-compliant risk management process. Training is already provided to staff on security awareness and efforts will continue to educate the workforce about the dangers from phishing.

The post Oregon Department of Human Services Notifies 645,000 Clients of Phishing Breach appeared first on HIPAA Journal.