In an effort to help health organizations and covered entities understand how HIPAA breaches of protected health information (PHI) are occurring, and the measures being taken to prevent them, HIPAA Vault provides the following summaries of recent data breaches:
What’s in a Name?
A recent, inadvertent email disclosure in a hospital setting exposed the PHI (protected health information) of 840 patients – a violation of HIPAA privacy rules. The incident was yet one more validation of a recent Health IT report, which found:
“Data breaches in healthcare are 50 percent more likely to stem from internal mistakes by employees than from external causes, such as hackers,” according to a recent study in JAMA Internal Medicine.
The disclosure of PHI occurred at University Hospitals Rainbow Babies & Children’s Hospital in Cleveland, OH. The hospital realized that the patients’ PHI had been accidentally disclosed through an email-related employee error. Here’s how it happened:
A select group of patients were sent an email containing a limited amount of personally identifiable information. Because all recipients were placed in the email’s ‘To’ field instead of the ‘BCC’ field, every recipient could see the email addresses of all the others. Essentially, this amounted to a clear implication that everyone who received the email was suffering from the same medical condition.
To date, all patients involved have been notified of the breach of privacy. The employee involved has been retrained on email procedures, and training on patient privacy and HIPAA requirements will be provided to other staff members.
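As an added illustration (not code from the original post or from the hospital involved), the following Python check uses only the standard library to flag an outbound message whose To/Cc headers expose more than one recipient, contrasting the mistaken form with the BCC form; the addresses and the threshold are constructed assumptions.

```python
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed sample recipients (hypothetical, not from any real incident).
PATIENTS = ["pat1@example.org", "pat2@example.net", "pat3@example.com"]
SENDER = "clinic-program@hospital.example"  # assumed program mailbox


def build_notice(recipients, use_bcc):
    """Build a group notice either the wrong way (everyone in 'To')
    or the right way (sender in 'To', patients in 'Bcc')."""
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["Subject"] = "Program update"
    if use_bcc:
        msg["To"] = SENDER
        msg["Bcc"] = ", ".join(recipients)
    else:
        msg["To"] = ", ".join(recipients)
    msg.set_content("Please see the attached program information.")
    return msg


def visible_recipients(msg):
    """Addresses every recipient can see: To and Cc headers, never Bcc."""
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return [addr.lower() for _, addr in pairs if addr]


def exposure_risk(msg, max_visible=1):
    """Return (flagged, visible_addrs). Flags the message when more than
    max_visible distinct addresses are exposed in To/Cc, which is exactly
    the mistake in the hospital incident described above."""
    addrs = sorted(set(visible_recipients(msg)))
    return len(addrs) > max_visible, addrs


if __name__ == "__main__":
    for use_bcc in (False, True):
        flagged, addrs = exposure_risk(build_notice(PATIENTS, use_bcc))
        print("bcc" if use_bcc else "to ", "flagged" if flagged else "ok", addrs)
```

A mail gateway or DLP rule applying the same threshold to group mailboxes would have caught this message before it left the organization.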
Another Stolen Laptop
Another potential breach of protected health information (PHI) — including names and addresses, medical diagnoses, and medications — was reported by a major health system in Michigan.
The cause? Yet another stolen laptop, this one containing approximately 15,000 patient records.
Securing electronic PHI means, at minimum, implementing “reasonable and appropriate physical safeguards related to equipment and facilities.”
Resolve this year to keep your PHI HIPAA-compliant and SECURE: https://bit.ly/2OvVueG
Lawsuit Involving California HIV Patient PHI Breach Allowed to Move Forward
Summary: In February 2017, the California Department of Health learned that its portal had been exploited, allowing unauthorized persons to gain access to the system and download the highly sensitive protected health information of 93 patients with HIV or AIDS. On behalf of the data breach victims, Lambda Legal subsequently brought suit against A.J. Boggs & Company, the former administrator of the California AIDS Drug Assistance Program (ADAP).
As noted in the HIPAA Journal, “Lambda Legal alleges A.J. Boggs & Company violated the California AIDS Public Health Records Confidentiality Act, the California Confidentiality of Medical Information Act, and other state medical privacy laws, by failing to ensure its online enrollment system was secure prior to implementing that system and allowing patients to enter sensitive information. Following the discovery, the contract with the firm was cancelled and a new state-run system was adopted.” (See https://www.hipaajournal.com/california-hiv-patient)
Lambda Legal is seeking statutory and compensatory damages for the patient, as well as class action status so that the other 92 breach victims can be included in the lawsuit. A motion to dismiss filed by A.J. Boggs & Company was recently denied.
- When: 2016-2017
- Where: California – A.J. Boggs & Company
- Who: 93 patients impacted
- What: Exploitation of the California Department of Health Portal
Four Years Later, UMass Memorial Medical Group Inc. and UMass Memorial Medical Center Still Recovering from PHI Breach from Unauthorized Employee
Summary: On two separate occasions, employees of the UMass Memorial Health Care system copied patient health information without authorization. Cell phone and credit card accounts were subsequently opened in the victims’ names. UMass was fined $230,000 by the Massachusetts attorney general for failing to protect the protected health information (PHI) of more than 15,000 state residents.
As part of the remediation process, UMass is required to provide employee training on handling PHI, ensure employee discipline, and allow an independent firm to review data security policies and procedures and provide a report to the Attorney General’s office.
“In the four years since the incident took place, we have taken steps aimed at further strengthening our privacy and information security program,” said a UMass Memorial Health Care spokesperson in a written statement. “This includes the implementation of additional technical tools that safeguard patient information, and enhancement of our existing privacy and information security procedures.”
- When: 2014
- Where: Massachusetts – UMass Memorial Medical Group Inc., and UMass Memorial Medical Center
- Who: Around 15,000 patients impacted
- What: Employee violation of PHI
Acadiana Phishing Attack on Computer Systems Leaves the PHI of 31,000 Exposed
Summary: An employee of Acadiana Computer Services had their email account accessed without authorization, exposing the PHI of more than 31,000 patients. The breach was discovered on July 6, 2018, and appeared limited to names, addresses, treatment information from a range of healthcare providers, billing information, and, for a limited number of individuals, Social Security numbers. External access to the account was immediately disabled.
- When: September 12, 2018
- Where: Lafayette, LA
- Who: Acadiana Computer Services, Inc.
- What: Security breach of emails
- Remedy: Notification letters were sent to all individuals whose PHI may have been accessed, along with information on how to monitor and protect their personal information. Acadiana will also cover the cost of identity monitoring services for all affected patients, and has taken steps to increase email account security, retrain staff, and update its policies and procedures.
Houston Television Employee Discovers Patient Records on the Street
Summary: An employee of the CBS-affiliated television station KBOU 11 stumbled upon a cache of nearly 1800 medical records, left abandoned on a Midtown Houston street. Patients’ names, birth dates, diagnoses, treatment information, medications, vital signs, and admission dates were all included in the files.
The records originated from five Houston hospitals – MD Anderson Cancer Center, LBJ Hospital, Children’s Memorial Hermann, Memorial Hermann Hospital, and TIRR Memorial Hermann. A subsequent investigation led to a former medical resident who had worked at those hospitals and had been keeping the records in his car while studying at the UT Health McGovern medical school. The records had been stolen from his car and later abandoned. The KBOU 11 employee collected the records and returned them to UT Health. 500 patients have been affected by the breach.
UT Health found no evidence to suggest that any information in the documents was viewed by unauthorized individuals, and all of the hospitals will be issuing notifications to affected patients in due course. It remains unclear why the records were taken from the hospitals in the first place, and why the theft was not originally reported.
- When: July, 2018
- Where: Houston, Texas – UT Health; MD Anderson Cancer Center, LBJ Hospital, Children’s Memorial Hermann, Memorial Hermann Hospital, and TIRR Memorial Hermann
- Who: Around 500 patients impacted
- What: Employee violation of PHI
Golden Heart Administrative Professionals – Around 45,000 Patients
Summary: An Alaska-based company, Golden Heart Administrative Professionals, reported the largest healthcare organization data breach for the month of July 2018. Following a ransomware attack on the company, around 45,000 patients were notified that their protected health information may have been compromised. Golden Heart Administrative Professionals said, “All client patient information must be assumed to be compromised.” Efforts to recover the files are continuing.
- When: July 2018
- Where: Alaska, Golden Heart Administrative Professionals
- Who: Around 45,000 patients impacted
- What: Ransomware attack
- Note: Largest reported healthcare organization data breach in July 2018
Alaska Department of Health and Social Services – More than 500 People
Summary: In another major data breach, the Alaska Department of Health and Social Services was compromised. A Zeus Trojan, malware whose purpose is stealing information, was downloaded onto its systems. More than five hundred people’s protected health information was potentially accessed in this attack.
- When: July 2018
- Where: Alaska, Alaska Department of Health and Social Services
- Who: More than 500 people impacted by breach
- What: Malware infection – Zeus/Zbot Trojan, an information stealer
SSM Health St. Mary’s Hospital – Over 300,000 Patients
Summary: In November 2014, St. Mary’s Hospital in Missouri moved to a new location and transferred all patients’ medical records there as well. Now, four years later, St. Mary’s has discovered that some of these medical records were misplaced. The records contained limited amounts of patients’ Protected Health Information (PHI), and St. Mary’s is working with a document services firm to determine which patients have been affected. Since only a small amount of PHI was exposed, such as patient names and medical record numbers, the risk to those impacted is considered low.
- When: Discovered June 2018
- Where: SSM Health St. Mary’s Hospital, Jefferson City, Missouri
- Who: Over 300,000 patients impacted
- What: Misplacement of Protected Health Information (PHI)
- Remedy: The hospital has reviewed and changed its policies regarding records and has taken action to prevent similar breaches in the future.
Government of Atlanta, including 5 government departments – SamSam ransomware attack
Summary: The City of Atlanta became the target of a SamSam ransomware attack that has cost it approximately $17 million. The attack caused disruptions in five government departments, including the court system. A SamSam attack focuses on finding weaknesses in servers, using brute-force attacks to guess passwords. Since Atlanta refused to pay the ransom, which was around $50,000, it appears the total cost of recovery will be around $17 million.
- Where: Atlanta
- Who: Government of Atlanta, including 5 government departments.
- What: SamSam ransomware attack
- Remedy: In response to the attack, a complete system reconstruction has begun. The City of Atlanta has upgraded its systems and security.
InterAct of Michigan – Around 1,000 Patients
Summary: An attack discovered in early June of 2018 revealed that approximately 1,290 patients’ Protected Health Information had potentially been accessed. This attack targeted InterAct of Michigan, which has clinics in Grand Rapids and Kalamazoo. The Protected Health Information exposed included names, dates of birth, Social Security Numbers, and other medical information. To ensure that a breach of this nature will not happen again, InterAct has increased security and improved their protocols on how to spot suspicious activity.
- When: June 8, 2018
- Where: InterAct of Michigan
- Who: Around 1,000 patients
- What: Unauthorized email access
- Remedy: InterAct of Michigan has sent notices to those whose information was possibly accessed, and granted them free identity theft protection services. Also, the company has begun numerous new security protocols, such as email access logs, to make sure they catch any suspicious actions before it is too late.
NorthStar Anesthesia – Phishing attack
Summary: NorthStar Anesthesia identified an email phishing campaign on May 23, 2018 that had compromised some email accounts containing protected health information. Third party investigators were brought in to discover the extent of this data breach. The investigators determined that PHI such as names, medical histories, diagnosis and treatment information, and birth dates had been compromised, and in some cases, Social Security numbers as well. NorthStar Anesthesia has improved their security since the data breach and has offered free identity restoration services as well as free credit monitoring to those affected by the breach for up to two years.
- When: May 2018
- Where: Texas, NorthStar Anesthesia
- What: Phishing attack
- Remedy: NorthStar Anesthesia has improved their security since the data breach and has offered free identity restoration services as well as free credit monitoring to those affected by the breach for up to two years.
Boys Town National Research Hospital – Over 100,000 Patients
Summary: A recent phishing attack on the Boys Town National Research Hospital in Nebraska resulted in a data breach impacting over 100,000 patients. The breach was discovered the same day as the attack, on May 23, when unusual email account activity was noticed. A computer forensics team was called in and confirmed that there had been an attack and that PHI had possibly been compromised. Names, passport information, Social Security numbers, diagnosis or treatment information, banking or financial account numbers, and other Protected Health Information may have been accessed.
- When: May 2018
- Where: Nebraska, Boys Town National Research Hospital
- Who: Over 100,000 patients impacted by the breach
- What: Phishing attack
- Remedy: Boys Town has responded to the attack by updating security measures and providing 12 months of free identity protection services to those affected.
MedSpring Urgent Care – Around 13,000 Patients
Summary: Through a phishing attack on MedSpring Urgent Care, one email account was accessed, which potentially gave the attacker access to the Protected Health Information (PHI) of around 13,000 patients. This PHI included names, medical record numbers, and other information about the medical services patients received. According to MedSpring, only patients who have visited its urgent care clinic in Illinois are possibly at risk.
- When: May 17, 2018
- Where: MedSpring Urgent Care, located in Atlanta, Chicago, Austin, Dallas, Fort Worth, Houston
- Who: Around 13,000 patients have been affected by the breach.
- What: Phishing Attack
- Remedy: MedSpring has given 12 months of free credit monitoring, fraud resolution, as well as identity protection to those patients who have been impacted.
Blue Springs Family Care – Around 45,000 Patients
Summary: On May 12, 2018, Blue Springs Family Care experienced a ransomware attack, together with the installation of malicious software that would have given the attacker access to all computer systems. There have been no reports that PHI was taken by the attacker; however, access to and theft of PHI could still have occurred. A computer forensics firm was able to prevent any further attacks or data access, and new protections and software have been put in place to stop attacks like these in the future. Approximately 45,000 patients were impacted by this data breach.
- When: May 2018
- Where: Missouri, Blue Springs Family Care
- Who: Around 45,000 patients were impacted by the breach
- What: Ransomware – attacker gained access to computer systems and installed malware
- Data exposed: Protected Health Information (PHI)
- Remedy: Following the attack, Blue Springs Family Care will be switching to a system that encrypts all data at rest, so that PHI cannot be obtained if another breach were to happen.
Adams County, Wisconsin – Over 250,000 Residents
Summary: In Adams County, Wisconsin, around 258,000 people have been impacted by a data breach. According to multiple sources, the breach is suspected to have been perpetrated by an employee of the Adams County government. Personal information was accessed and possibly retained by an individual who did not have authorization to do so. In response, Adams County has already taken several steps to improve its security and monitoring to ensure that this will not happen again.
- When: March 28, 2018
- Where: Adams County, Wisconsin
- Who: Over 250,000 residents
- What: Security breach, possibly by an employee
- Remedy: Notifications will be sent to those who had their information exposed due to the breach, and the County is taking steps to improve their security measures for the future.
Augusta University Health – Over 400,000 People
Summary: In a phishing attack on Augusta University Health, around 417,000 people’s Protected Health Information was exposed. The attack was discovered in September of 2017, but it wasn’t until July 2018 that investigators told Augusta that personal information was possibly accessed. A second phishing attack occurred on July 11, 2018, but was less impactful than the first.
- When: September 11, 2017
- Where: Augusta University Health
- Who: Over 400,000 people impacted
- What: Phishing attack
- Remedy: Augusta University Health has warned all affected individuals to monitor for suspicious activity.