Chattanooga Heart Institute Increases April 2023 Breach Total to 547,000 Individuals
The Chattanooga Heart Institute has discovered that its April 2023 cyberattack involved the personal information of a further 136,000 individuals. Data breaches have also been reported by Northern Virginia Oral, Maxillofacial & Implant Surgery, Ezras Choilim Health Center, Battle Mountain General Hospital, and RxBenefits.
More Than 547,000 Individuals Affected by April 2023 Cyberattack on The Chattanooga Heart Institute
The Chattanooga Heart Institute in Tennessee has revised the number of people affected by an April 2023 cyberattack. The investigation confirmed that its network was breached between March 8, 2023, and March 16, 2023, and on May 31, 2023, The Chattanooga Heart Institute confirmed that files had been exfiltrated from its network. The Karakurt threat group claimed responsibility for the attack.
The initial review of the affected files confirmed in July 2023 that at least 170,450 individuals had been affected, and notifications were sent to those individuals, but as the investigation progressed it became clear that the breach was more extensive. In October 2023, the victim count was raised to 411,383 individuals, with additional notification letters sent on October 5, 2023. Further notifications were mailed on February 13, 2024, March 12, 2024, and March 27, 2024, with 547,434 individuals now known to have been affected.
Many of the individuals who were recently notified about the breach were employees and their dependents. The compromised information includes names, mailing addresses, email addresses, phone numbers, dates of birth, driver’s license numbers, Social Security numbers, account information, health insurance information, diagnosis/condition information, lab results, medications, and other clinical, demographic, or financial information. Credit monitoring services have been offered to the affected individuals.
Almost 60,000 Individuals Affected by Cyberattack on Ezras Choilim Health Center
Ezras Choilim Health Center in Monroe, NY, has recently reported a breach of the protected health information of 59,861 individuals to the HHS’ Office for Civil Rights. Unusual activity was detected within its network on September 18, 2023, with the forensic investigation confirming on November 14, 2023, that the attacker exfiltrated files from the network. Ezras Choilim Health Center publicly disclosed the data breach a few days later, but the review of the affected files was still ongoing at the time.
It has now been confirmed that names were exposed and potentially obtained in the attack, along with addresses, dates of birth, Social Security numbers, health information, and limited medical information. Ezras Choilim Health Center said data privacy and security are among its highest priorities and that steps have been taken to improve security and mitigate the risk of harm. Those measures include setting up a security operations center for monitoring, detecting, and responding to security threats across its information systems and network.
Patient Data Exposed in Northern Virginia Oral, Maxillofacial & Implant Surgery Cyberattack
Northern Virginia Oral, Maxillofacial & Implant Surgery (NOVA OMS) has notified 5,568 individuals about the exposure of some of their protected health information in a cyberattack detected on October 5, 2023. The third-party forensic investigation revealed that personal and protected health information may have been accessed and exfiltrated without authorization between October 3, 2023, and October 6, 2023. The review of the affected files was completed in late February, and the affected individuals have now been mailed notification letters.
The information involved varied from individual to individual and may have included names, driver’s license numbers, medical information, health insurance information, and other sensitive data, the details of which are included in the individual notifications. Complimentary identity protection services have been offered to the affected individuals. NOVA OMS said additional safeguards have now been implemented to prevent similar incidents in the future.
RxBenefits Reports Impermissible Disclosure of PHI Due to Mailing Error
RxBenefits, a Birmingham, AL-based Pharmacy Benefits Administrator, has discovered a mailing error that resulted in letters being sent to incorrect individuals. The mailing error was discovered on January 16, 2024, and it was determined that letters intended for 3,396 individuals had been sent to other individuals. The letters stated that as of January 1, 2024, medications required by the intended recipient or their dependent may require prior authorization from a physician. The letters contained names and addresses and confirmed that the intended recipient or their dependent took that specific medication. The affected individuals were AdventHealth Employee Health Plan members.
RxBenefits said it is reviewing its HIPAA privacy and security policies and procedures to ensure ongoing compliance and additional security and privacy measures have been implemented to prevent similar incidents in the future.
3,000 Individuals Have PHI Exposed in Cyberattack on Battle Mountain General Hospital
Battle Mountain General Hospital in Nevada has recently announced that the personal and protected health information of employees and patients has been exposed and potentially stolen. On January 25, 2024, an unauthorized individual exploited a vulnerability and remotely accessed an employee workstation. The forensic investigation confirmed that the exposed data included names, addresses, dates of birth, Social Security numbers, medical histories, and treatment information of its patients and employees. Approximately 3,000 individuals had their data exposed.
Battle Mountain General Hospital CEO, Jason Bleak, said “I am deeply sorry for what has happened, and sincerely apologize for the understandable distress this incident may cause those affected. I am fully committed to making it right.” While data has been exposed, no evidence has been found to indicate that any of the exposed data has been shared, published, or misused; however, as a precaution, the affected individuals have been offered complimentary credit monitoring and identity theft protection services.
The post Chattanooga Heart Institute Increases April 2023 Breach Total to 547,000 Individuals appeared first on HIPAA Journal.
New Jersey Nursing Facility to Pay $100,000 CMP to Resolve HIPAA Right of Access Violation
The HHS’ Office for Civil Rights has announced another financial penalty has been imposed for a violation of the HIPAA Right of Access. Essex Residential Care, LLC, which does business as Hackensack Meridian Health, West Caldwell Care Center in New Jersey, has been ordered to pay a civil monetary penalty of $100,000 to resolve the alleged violation.
Hackensack Meridian Health operates skilled nursing facilities in New Jersey, including the West Caldwell Care Center. In May 2020, OCR received a complaint from the son of a woman who had received care at West Caldwell Care Center; he alleged that he had not been provided with a copy of her medical records within the 30 days allowed by the HIPAA Privacy Rule.
Son Not Provided with His Mother’s Records within 30 Days
The complainant was the personal representative of his mother and therefore should have been provided with a copy of his mother’s medical records. The complainant first asked for a copy of the records on April 19, 2020, via email, and on April 23, 2020, an administrator at West Caldwell Care Center advised him that the records could not be provided without a copy of a power of attorney, medical proxy or similar document executed by the mother, confirming that he was her personal representative.
The appropriate documentation was provided but West Caldwell Care Center still did not provide the requested records, which led to him filing a complaint with OCR. On October 15, 2020, OCR notified West Caldwell Care Center that an investigation had been opened as a result of the complaint and the correspondence included a data request pursuant to the investigation.
West Caldwell Care Center responded and acknowledged that the records had not been provided within the allowed 30 days and, in response to OCR’s investigation, sent the requested records in late November. They were received by the complainant on December 1, 2020, 161 days after the Privacy Rule’s 30-day deadline had expired.
West Caldwell Care Center Disagreed with OCR’s Determination
Most HIPAA Right of Access investigations are informally settled with OCR, a financial penalty is paid, and the covered entity agrees to adopt a corrective action plan which includes updates to its policies and procedures and training on HIPAA policies for staff members. In this case, West Caldwell Care Center’s attorney disagreed with OCR’s proposed resolution of the investigation. OCR then notified West Caldwell Care Center that the investigation had uncovered preliminary indications of non-compliance with the HIPAA Right of Access, and OCR provided West Caldwell Care Center with the opportunity to submit evidence of mitigating factors.
West Caldwell Care Center acknowledged that the complainant was not provided with the requested records, but said the records had been provided to another facility to which his mother had been transferred. West Caldwell Care Center also said that at the time of the initial request, there was ongoing litigation over the non-payment of care costs. As another mitigating factor, West Caldwell Care Center said it was dealing with the COVID-19 pandemic, and that the complainant filed his complaint with OCR exactly 30 days after the request was made, before West Caldwell Care Center’s response to the initial request was due. West Caldwell Care Center accepted that the matter should have been handled differently.
$100,000 Civil Monetary Penalty Imposed
OCR determined that West Caldwell Care Center failed to provide the requested records within the 30 days allowed by the HIPAA Privacy Rule and that the delay from June 23, 2020, to December 1, 2020, was a violation of the HIPAA Right of Access. The maximum civil monetary penalty was $206,080 based on the reasonable cause penalty tier (see: What are the penalties for HIPAA violations); however, per OCR’s reinterpretation of the language of the HITECH Act and its subsequent Notice of Enforcement Discretion, the penalty was capped at $100,000.
West Caldwell Care Center argued that a civil monetary penalty was not permitted because the violation was not due to willful neglect and was timely corrected, and that imposing a civil monetary penalty would be arbitrary and capricious and would violate the Administrative Procedure Act (APA). OCR disagreed that the violation was timely corrected, concluded that the requirements for that affirmative defense were not met, and maintained that imposing the penalty did not violate the APA and that the amount was reasonable given the substantial delay in providing the requested records.
West Caldwell Care Center said its staff believed they had responded in the allowed time frame by transferring the records to another facility; however, OCR’s view was that the records were not provided to the personal representative as required by HIPAA. West Caldwell Care Center was advised of its right to request a hearing with an administrative law judge; but on advice from its legal counsel, chose to waive that right.
“A patient’s timely access to health records is paramount for medical care. The Office for Civil Rights continues to receive complaints from individuals and personal representatives on behalf of individuals who do not receive timely access to their health records,” commented OCR Director Melanie Fontes Rainer. “OCR will continue to vigorously enforce this essential right to ensure compliance by health care facilities across the country.”
This is the fourth financial penalty imposed by OCR in 2024 to resolve alleged HIPAA violations and its 145th financial penalty to date. OCR has now fined 48 HIPAA-regulated entities for failing to provide patients or their personal representatives with timely access to the requested medical records that they are legally entitled to obtain.