EmblemHealth Pays $100,000 HIPAA Violation Penalty to New Jersey for 2016 Data Breach

The health insurance provider EmblemHealth has been fined $100,000 by New Jersey for a 2016 data breach that exposed the protected health information (PHI) of more than 6,000 New Jersey plan members.

On October 3, 2016, EmblemHealth sent Medicare Part D Prescription Drug Plan Evidence of Coverage documents to its members.

The mailing labels included beneficiary identification codes and Medicare Health Insurance Claim Numbers (HCIN), which mirror Social Security numbers. The documents were sent to more than 81,000 policy members, 6,443 of whom were New Jersey residents.

The New Jersey Division of Consumer Affairs investigated the breach and identified policy, procedural, and training failures. Previous mailings of Evidence of Coverage documents were handled by a trained employee, but when that individual left EmblemHealth, mailing duties were handed to a team manager who had only been given minimal task-specific training and worked unsupervised.

That individual sent a data file to EmblemHealth’s mailing vendor without first removing HCINs, which resulted in the HCINs being printed on mailing labels: A violation of HIPAA, the New Jersey Identity Theft Prevention Act, and the New Jersey Consumer Fraud Act.

“Health insurers entrusted with their customers’ sensitive personal information have a duty to avoid improper disclosures,” said New Jersey Attorney General Gurbir S. Grewal. “EmblemHealth fell short of its obligations to its customers in this case, and I am pleased that our settlement includes measures designed to prevent similar breaches at this company in the future.”

In addition to the financial penalty, EmblemHealth has agreed to make changes to its policies and procedures to prevent further breaches of plan members’ PHI. Those measures include the use of unique patient identifiers for mailings rather than HCINs or Medicare Beneficiary Identifiers.

EmblemHealth will also ensure that a formal transfer process takes place when the responsibilities of outgoing staff are passed on to other EmblemHealth employees or third parties, and that all necessary training will be provided.

All incoming employees will also be required to complete additional privacy and security training modules and refresher training sessions will be conducted annually. The New Jersey Division of Consumer Affairs will be monitoring EmblemHealth over the next three years and must be informed of any further breaches of the PHI of New Jersey customers.

“This settlement should serve as a reminder that we are committed to safeguarding consumer privacy, and will hold accountable any businesses that are careless in the handling of such personal data,” said Paul R. Rodríguez, Acting Director of the Division of Consumer Affairs.

New Jersey has been highly active as an enforcer of HIPAA Rules and has agreed four settlements in 2018 to resolve violations of HIPAA Rules. In addition to the EmblemHealth HIPAA fine, New Jersey has settled HIPAA violations with Best Transcription Medical ($200,000), Aetna ($365,211.59), and Virtua Medical Group ($417,816) in 2018.

The post EmblemHealth Pays $100,000 HIPAA Violation Penalty to New Jersey for 2016 Data Breach appeared first on HIPAA Journal.

University of Maryland Medical System Discovers 250-Device Malware Attack

In the early hours of Sunday, December 9, 2018, the University of Maryland Medical System discovered an unauthorized individual had succeeded in installing malware on its network. Prompt action was taken to isolate the infected computers to contain the attack.

According to a statement issued by UMMS senior VP and chief information officer, Jon P. Burns, most of the devices that were infected with the malware were desktop computers. The prompt action taken by IT staff allowed the infected computers to be quarantined quickly. No files were encrypted and there was no impact on medical services.

UMMS should be commended for its rapid response. The attack was detected at 4.30am and by 7am, its networks and devices had been taken offline and affected devices had been quarantined. The majority of its systems were back online and fully functional by Monday morning.

The incident highlights just how important it is for healthcare organizations to have an effective incident response plan that can be immediately implemented in the event of a malware attack.

UMMS runs medical facilities in more than 150 locations and uses more than 27,000 computers. If a breach response plan had not been in place, the malware attack could have been far more serious and could have had a major impact on patients.

“The measures we took to identify the initial threat, isolate it to prevent intrusion, and to counter and combat the attack before it could infiltrate and infect our network worked as designed,” explained Burns.

At this stage, UMMS does not believe that any medical records or other patient data have been compromised. The investigation into the attack is continuing to determine how the malware was introduced. UMMS has enlisted help from computer forensics experts in this regard and the security breach has been reported to law enforcement.

The post University of Maryland Medical System Discovers 250-Device Malware Attack appeared first on HIPAA Journal.

48,000 Patients of Frisco Medical Center Notified of Breach of Payment Information

Baylor Scott & White Medical Center in Frisco, TX, has discovered the payment information of almost 48,000 patients and guarantors may have been compromised.

The medical center, which is jointly managed by United Surgical Partners International (USPI) and Baylor Scott & White Health, discovered an issue with the credit card processing system of one of its vendors. The investigation revealed there had been a week-long computer intrusion between September 22 and September 29. Upon discovery of the issue, the medical center informed the vendor and stopped all credit card processing through the vendor’s system.

Baylor Scott & White Health did not uncover evidence to suggest any patient/guarantor information had been further disclosed or misused; however, as a precaution, all individuals affected by the incident have been offered one year of complimentary credit monitoring services through TransUnion Interactive.

The security breach was limited to the third-party vendor’s system. Hospital information and clinical systems remained secure at all times. No health information or Social Security numbers were exposed. Only the Frisco medical center was affected by the breach.

The information that was exposed and potentially accessed by an unauthorized individual was limited to: Names, addresses, dates of service, medical record numbers, health insurance provider information, account numbers, the last four digits of credit card numbers, CCV numbers, type of credit card used, recurring payment dates, account balances, invoice numbers, and transaction statuses.

All individuals affected by the breach have been notified by mail. The data security incident was reported to the Department of Health and Human Services’ Office for Civil Rights on November 26, 2018. The OCR breach portal indicates 47,948 individuals have been affected.

The post 48,000 Patients of Frisco Medical Center Notified of Breach of Payment Information appeared first on HIPAA Journal.

Obama-Era Administrative Overreach And Its Multi-Billion Dollar Adverse Impact On The US Health Care System – Food, Drugs, Healthcare, Life Sciences – United States – Mondaq News Alerts

Obama-Era Administrative Overreach And Its Multi-Billion Dollar Adverse Impact On The US Health Care System - Food, Drugs, Healthcare, Life Sciences - United States  Mondaq News Alerts

The Trump Administration has prioritized the elimination of overreaching regulations:i In FY 2017, the Trump Administration reduced lifetime net regulatory costs ...