Bon Secours Health System, Inc. (“Bon Secours”) and its affiliates are committed to maintaining the privacy and security of our patient information. This notice is to inform our patients of an incident involving one of our vendor’s handling of some patients’ information. On June 14, 2016, Bon Secours discovered that files containing patient information inadvertently had been left accessible by one of our vendors, R-C Healthcare Management. While attempting to adjust their computer network settings from April 18, 2016 to April 21, 2016, R-C Healthcare inadvertently made files located within their computer network accessible via the internet. When Bon Secours discovered this issue, Bon Secours notified R-C Healthcare of this issue so that information could no longer be accessed via the internet. Upon receiving the notification, R-C Healthcare immediately took steps to secure the information so that it could no longer be accessed via the internet. We, at Bon Secours, immediately began an internal investigation into this matter. Our investigation determined that the files that were available via the internet may have contained patients’ names, health insurers’ names, health insurance identification numbers, limited clinical information, social security numbers, and in some instances, bank account information. Medical records were not made available via the internet and medical care has not and will not be affected. This incident did not affect all Bon Secours patients. We have no knowledge that the information contained within the files has been misused in any way. However, as a precaution, we began mailing letters to affected patients on August 12, 2016, and established a dedicated call center to answer patients’ questions. If you believe that you are affected but do not receive a letter by September 2, 2016, please contact 1-888-522-8917, Monday through Friday, between the hours of 9:00 a.m. to 9:00 p.m. Eastern Time. We also recommend that affected patients review the statements that they receive from their health insurance providers. If patients see that their insurer has been charged for services or procedures that they did not receive, they should contact their insurer to notify the insurer of their concerns. Unfortunately, Bon Secours is not able to contact the insurer on the patient’s behalf. We deeply regret any concern this may cause our patients. To help prevent something like this from happening in the future, we are reinforcing standards with our vendors to ensure our patients’ information is securely maintained. SOURCE: BonSecours.com 655,000 patients are reportedly being notified. For previous breach incidents involving Bon Secours, see these posts.
Liv Osby reports: An employee at Bon Secours St. Francis Health System has been terminated after hospital officials discovered that she had inappropriately accessed personal patient information. Hospital employees began reporting in July that their insurers had recorded unpaid balances and charges for a prescription cream, officials said in a statement. An investigation concluded on Aug. 26 that an employee had been accessing patient medical records “in a manner that was inconsistent with her job functions, hospital procedures and … training,” between Jan. 1, 2014 and Aug. 12, 2015, according to the statement. The number of affected patients wasn’t provided. Read more on Greenville Online. The full statement from Bon Secours Health System follows: This notice is to inform our patients of a recent incident involving a group of our patients’ personal health information. In late July of this year, employees reported concerns regarding bills they received for unpaid balances for a prescription cream. Additionally, some employees noted the insurance company was being billed very high dollar amounts for a prescription cream. An investigation was launched in response to these concerns. The investigation revealed that a co-worker of the affected employees had caused potentially fraudulent charges to be billed to the other employee’s insurance plans. Because of the alleged behavior of the accused employee, and out of an abundance of caution, Bon Secours began an audit to assess this employee’s access of our patients’ medical records. On August 26, 2015 we became aware of a concerning pattern of access of patient medical records by this employee. Further investigation revealed that between January 1, 2014 and August 12, 2015 the employee accessed patients’ medical records in a manner that was inconsistent with her job functions, hospital procedures and the training that this employee received regarding the appropriate access of patients’ medical records. The type of information the employee accessed included patients’ names, dates of birth, driver’s license numbers, insurance information, clinical information, such as diagnosis, and potentially Social Security numbers. Law enforcement was previously contacted regarding the charges to fellow employees’ insurance plans as described above. Due to the nature of the accesses, and out of an abundance of caution to protect our patients, we have made law enforcement, specifically the South Carolina Law Enforcement Division (“SLED”), aware of the findings from the audit. The employee involved in this incident has been terminated. Although we have nothing to indicate this type of access has been undertaken by any other employee, we are providing supplementary education to all current employees. This training is in addition to our mandatory privacy education all employees participate in on an annual basis. The training will remind our employees that inappropriate use, access or disclosure of patients’ information will result in serious consequences up to and including termination and, where applicable, the involvement of law enforcement. Out of an abundance of caution, we began sending letters to affected patients on October 23, 2015, and are offering eligible patients credit monitoring services. We also recommend that affected patients review their explanation of benefits received from their health insurer. If the patients see services that they did not receive, please contact the insurer immediately. If you have any questions or believe you are affected, please call the dedicated call center at 844-369-9359 between the hours of 8 a.m. to 5 p.m., Monday through Friday. Representatives will be available to take your call. We deeply regret that this has happened. Bon Secours St. Francis takes its responsibility for protecting our patients’ personal information and using it in an appropriate manner very seriously. Please know that our employees work hard every day to provide excellent care to our patients. Words cannot express how deeply disappointed we are that this has occurred.
When an employee is terminated, their login credentials to vendors’ databases with PHI must also be terminated. How often do you verify that it is actually being terminated properly? Bon Secours Kentucky notified 697 patients that a former employee had improperly accessed their information from a billing database maintained by Athena. In a statement uploaded to their website, Bon Secours write: In early April, 2014, during an audit of our billing data base, Athena, we identified suspicious access that prompted an investigation. Our investigation revealed that a user ID and password assigned to a former employee had been used to access information in the Athena system between April, 2013 and March, 2014. Our investigation determined that the information accessed with the user ID and password for the majority of patients included their name, date of birth and the last four digits of their Social Security number. A small group of patients had additional information accessed which included their name, dates and times of service, provider and facility names, patient account numbers (which may have included Social Security numbers), date of birth, and treatment information, such as diagnosis. Due to the nature of the access, and out of an abundance of caution to protect our patients, we approached law enforcement, specifically the Secret Service, to assist us with our investigation. The Secret Service asked Bon Secours to delay notifying patients until their investigation was complete so as not to compromise their investigation. The Secret Service worked with Bon Secours to thoroughly investigate this matter and to determine if any patient information may have been used illegally. After discussions with the IRS Identity Task Squad, the Secret Service informed Bon Secours they found no evidence of criminal use of patients’ information at this time. The Secret Service advised on August 26 that we could send letters to affected patients. As a precaution, we began mailing letters to affected patients on September 5 and are offering all eligible individuals one year free credit monitoring and identity protection services. We have also established a dedicated call center to assist our patients. If you believe you are affected by this matter, but have not received a notification letter by September 26, please call 877-683-9363 between 9 a.m. and 9 p.m. Eastern Time to speak with a call center agent. We are deeply sorry that this has occurred. In response to this matter, we are working with our vendor, Athena, to ensure that all user IDs and passwords to their system are properly and permanently disabled when Bon Secours determines that an employee should no longer have access to information in the Athena system. We will continue to proactively monitor our systems to ensure that access to any protected health information is maintained in the most secure manner possible. We apologize for any inconvenience this may cause our patients.
The Bon Secours Hampton Roads Health System posted this notice on Wednesday: Bon Secours Hampton Roads Health System officials announced today that they are proactively contacting former patients via letters on behalf of Bon Secours Mary Immaculate Hospital to inform them of an electronic medical records security breach. The health system has contracted the services of Kroll Advisory Solutions to offer access to identity theft safeguards at no charge to the patients contacted. Patients may call Kroll at 1-866-599-7347 8:00 a.m. to 5:00 p.m. (Central Time) Monday – Friday, for additional information on how to enroll in this service. A membership number provided in the letter will be needed to activate the service. During an April 2013 audit of a patient’s medical record, the health system identified suspicious access that prompted an investigation. The investigation revealed that two members of the patient care team accessed patients’ medical records in a manner that was inconsistent with their job functions and hospital procedures, and inconsistent with the training they received regarding appropriate access of patient medical records. The information accessed by these employees included one or more of the following: (i) patient name; (ii) dates and times of service; (iii) provider and facility names; (iv) internal hospital medical record and account numbers, which may have included social security number; (v) date of birth; and (vi) treatment information, such as diagnosis, medications and vital signs. The health system became concerned that the access to the medical records possibly indicated unlawful behavior and contacted law enforcement to assist with the investigation. Local and federal law enforcement agencies have formed The Peninsula Task Force to work with Bon Secours to thoroughly investigate this matter and to determine if any patient information may have been used illegally. The employees involved in this incident have been terminated. SOURCE: Bon Secours The breach was reported yesterday by Daily Press, who reports that 5,000 patients may be impacted. A spokesperson also informed the paper that the hospital “has been using electronic medical records since April 2012, and this was the first instance of any reportable security issues.” That may be true as far as it goes, but the Bon Secours Hampton Roads Health System has had other insider breaches: In September 2008, we learned that an employee in Bon Secours DePaul Medical Center’s emergency room had stolen patient information to use in a fraud scheme. She had accessed patient information “frequently” over a 7-month period; In February 2009, we learned that an emergency room clerk at Bon Secours Memorial Regional Medical Centre had stolen patient information for a fraud scheme; and In October 2012, a former employee of Bon Secours Hospital was sentenced for his role in an ID theft ring. So maybe this was the first insider data theft involving EMR at Bon Secours Mary Immaculate Hospital, but it’s not the health system’s first insider breach.
Lauren King reports: A Virginia Beach man pleaded guilty today to aggravated identity theft and participating in a scheme to defraud Navy Federal Credit Union, according to a news release from the U.S. Attorneyâ€™s Office in the eastern district of Virginia. Jorge Luis Silva-Davalos, 29, is to be sentenced Jan. 22 and faces up to 30 years for the financial institution fraud plus a mandatory, consecutive two-year term in prison for the aggravated identity theft, the news release said. According to court documents, between December 2007 and February 2008, Silva-Davalos, with others, defrauded financial institutions, including the credit union, by creating bogus car loans using stolen identities of patients from a local hospital and neighbors of a member of the scheme, the news release said. Read more in The Virginian-Pilot
Liv Osby reports: Patients of a Bon Secours St. Francis Health System medical practice are being notified that their personal information may be at risk after a data breach at the practice. On Jan. 4, officials learned that an unauthorized person had gained access to some systems at Milestone Family Medicine in Greenville, St. Francis said in a statement issued late Friday afternoon. An investigation was launched and steps were taken to secure the account, according to the statement. Officials determined that patient information may have included names, dates of birth, Social Security numbers, addresses, health insurance company, and other information related to care provided at Milestone Family Medicine. Read more on Greenville Online. The following is the text of a notice on Bon Secours St. Francis web site: St. Francis Physician Services previously employed the physicians at Milestone Family Medicine. St. Francis Physician Services is fully committed to maintaining the privacy and security of its patients’ information. Regrettably this notice regards an incident that may have involved some of that information. On January 4, 2019, we learned that an unauthorized individual gained access to some systems at Milestone Family Medicine. We immediately took steps to secure the systems and began an investigation. We retained a third party forensic firm to assist us in that investigation. We determined that some patients’ information was contained on one of the servers and may have included patients’ names, dates of birth, addresses, health insurance company, social security number and information related to care received at Milestone Family Medicine. We have no indication that any patient information has been misused in any way. We are mailing notification letters to affected patients and providing complimentary credit monitoring and identity protection services to those patients whose social security number was on the affected system. We recommend affected patients review the statements they receive from their health care providers. If there are charges for services they did not receive, they should contact the provider. We deeply regret any concern this may cause. To help prevent something like this from happening in the future, we are enhancing technology management and information security risk oversight. If any patients have questions, please call 1-877-239-1255, Monday through Friday, 9 a.m. to 9 p.m. Eastern Time. DataBreaches.net reached out to BSHI for clarification on a few points. Although they did not answer the question as to how many patients were being notified, they did explain that Milestone is no longer affiliated with St. Francis Physician Services, “so we cannot comment on anything they are currently doing or any protocols that have been or will be put into place in regards to their health record systems.” In response to a question about how the attack occurred, the spokesperson responded, These attacks targeted electronic health record systems that allowed remote user access to the internet. Any internet connections for systems not actively used to support patient care have been shut down to avoid further malicious activity.
There were a number of year-in-review analyses for the healthcare sector, but now Protenus has released its report, which is based on analyses of 450 U.S. incidents first disclosed in 2016. The incidents were compiled by DataBreaches.net, who also provided some of the analyses. While some media outlets still headline external hacks where massive numbers of records are involved, Protenus’s report shines a brighter light on why covered entities need to pay greater attention to, and allocate more resources to, preventing and detecting insider breaches and business associate or third-party breaches. To demonstrate how media headlines may over-focus on hacks and under-report the insider factors or third-party factors, let’s review the “top 12” list for 2016 based on number of records or patients. Unnamed vendor for health plan: 10,300,000 records. No one ever admitted that they were the owner of this hacked database and the data were old, but according to the hacker, it was a vendor’s insurance leads file for a major health insurer. Many outlets don’t seem to even know about this incident and consider the Banner incident the largest of the year. Banner Health: 3,620,000 patients. Banner announced that on July 7, it discovered its payment card system at food and beverage outlets had been hacked. On July 13, they learned that the hacker(s) might have also gained access to protected health information (PHI). Newkirk Products: 3,466,120 health plan members. Newkirk Products is a service provider that issues healthcare ID cards for health insurance plans. On July 6, they detected that a server may have been hacked. 21st Century Oncology: 2,213,597 patients. 21st Century Oncology, which operates 181 treatment centers, announced it was investigating a hack of their network that they first learned about from the government in November, 2015. Valley Anesthesiology and Pain Consultants: 882,590 patients. On June 13, 2016, Valley Anesthesiology and Pain Consultants (VAPC) learned that a third party may have gained unauthorized access to VAPC computer systems on March 30, 2016. Los Angeles County: 756,000. It was a great day for a phisher and a bad day for Los Angeles County residents. More than 750,000 people had their PII or PHI stolen. Bon Secours Health System: 651,971 patients. On June 14, 2016, Bon Secours discovered that files containing patient information had accidentally been left accessible via the internet after one of their vendors, R-C Healthcare Management, misconfigured network settings. Peachtree Orthopaedic Clinic: 531,000 patients. On October 13, Peachtree issued a public statement that on September 22, they had confirmed a hack. Although not in their disclosure/press release, an employee had told me in August that they were investigating a potential breach involving one of their vendors – and it was the same vendor presumably linked to other hacks by TheDarkOverlord. That was never confirmed by Peachtree, however. Radiology Regional Center: 483,063 patients. Radiology Regional Center announced that on December 19, 2015, its records disposal vendor, Lee County Solid Waste Division, informed it that paper records containing the personal information of the center’s patients blew off the truck while the records were being transported to an incineration site. Despite diligent efforts to retrieve all the records, because the center couldn’t be sure it had recovered everyone’s records, they sent notifications to everyone. California Correctional Health Care Services: 400,000 patients. In July, California Correctional Center found themselves in the same situation as Radiology Regional Center: having to notify everyone because they were not sure who needed to be notified. In this case, on June 19, 2013, dental records were reported missing from a California Correctional Health Care Services staff member’s possession while off the premises of a correctional institution. Community Health Plan of Washington: 400,000 patients. CHPW described the information in a way that made it sound like a hack of their business associate/claims processor, Transaction Applications Group Inc., doing business as NTT Data. But Justin Shafer publicly announced that he had found that their FTP server had not been secured and was allowing anyone and everyone to access and download files with no login required. Central Ohio Urology Group: 300,000 patients. On August 2, a pro-Ukrainian hacktivist announced that he had hacked and dumped Central Ohio’s databases, presumably to send a warning to the U.S. Nine of the 12 largest incidents were announced or described as hacks. And as Protenus reported, we found that 87% of all breached records were associated with incidents that were coded as “hacks.” But did you notice that 6 of the 12 largest incidents above involved third parties and that 5 out of the 12 largest incidents involved human error? Is there anything we can – and should – learn from those observations? I think there is, so please follow me to Part 2 of this post.
It may seem like old news to you by now, but some patients affected by a third-party breach at R-C Healthcare are first finding out about it now. As reported previously on this site, R-C Healthcare had been notified by Bon Secours on June 14 that files with 655,000 of its patients’ records were exposed. The exposure was the result of an error made in resetting network settings sometime between April 18 – 21. On August 12, Bon Secours disclosed the incident. On September 7, CHI Franciscan Health Highline Medical Center in Washington also notified their patients of the incident, saying they were informed by R-C Healthcare on July 22. Now Northwest Community Hospital in Arlington Heights is notifying 550 patients. They say they were first notified by R-C Healthcare on August 1.
The R-C Healthcare Management error that resulted in Bon Secours notifying over 655,000 patients that their protected health information had been exposed on the Internet beginning in April also impacted CHI Franciscan Health Highline Medical Center in Washington. But unlike Bon Secours, which had a current relationship with the vendor, Highline was no longer a client at the time of the breach. The vendor’s error, first discovered by Bon Secours on June 14, was reported to Highline by R-C Healthcare on July 22. In a notification letter to those affected, Judi Hofman, CHI Franciscan Regional Privacy Officer, Northwest, explained that R-C Healthcare performed services for Highline Medical Center prior to CHI’s acquisition of Highline Medical Center in 2014. The data involved was used in cost reporting functions from years 1993-1994 and 2008 – 2013. Upon notification, we immediately began an investigation and determined that the files may have contained your name, dates of service, health insurance information, and social security number. R-C Healthcare assured us that it has secured the files as of June 13, 2016. Your medical record information was not included and your care will not be affected. Upon validation of the completion of services, we will instruct R-C Healthcare to destroy the files. Highline states that it has no knowledge that the information has been accessed, viewed, acquired or otherwise compromised by any unauthorized third party, but is offering those notified a free one-year credit monitoring membership from Experian’s® ProtectMyID® Alert. Highline also established a call center for those with questions and notified HHS on August 30. They reported that 18,399 patients were notified.
Associated Press reports that Kenneth Elliott McDowell , a Baltimore resident formerly employed at University of Maryland Medical Center and Bon Secours Hospital has been sentenced to time served and 6 months home detention for his role in an ID theft/fraud scheme. McDowell reportedly took patient records home “to hide that he was not completing his work and was submitting false reports.” Two others reportedly took personal identifiers and payment information from the files. Additional details were provided in a press release following his July 2011 indictment. McDowell was also ordered to pay $22,000 in restitution.