Search Results : women’s health care group fo PA

Feb 28, 2018

Protenus has released its Breach Barometer for January health data breaches. While the numbers of insider and external incidents continue to run roughly neck and neck, once again external breaches accounted for significantly more breached records than insider incidents. Protenus reports:

Of note, hacking incidents affected significantly more patient records, due largely to one particular breach that affected 59% of the total number of breached patient records this past month.

There were 37 incidents reported on in Protenus’s report, as identified below. For some incidents, we had no details other than what was reported on HHS’s public breach tool.

  1. Adams Memorial Hospital
  2. Alicia Ann Oswald
  3. Allscripts
  4. Central States Southeast and Southwest Areas Health and Welfare Fund
  5. Charles River Medical Associates
  6. Coplin Health Systems
  7. Corovan Corporation
  8. Corrine A. Dale
  9. Decatur County General Hospital
  10. DJO Global
  11. Employer Leasing
  12. Florida Agency for Health Care Administration
  13. Gilette Medical Imaging
  14. Hancock Health
  15. High Plains Surgical Associates
  16. MD Medical Spa and Wellness Center
  17. Montana State U. Billings
  18. Nevro Corporation
  19. Oklahoma State University Center for Health Sciences
  20. Onco360 and CareMed Specialty Pharmacy
  21. Palomar Health
  22. Pearlie Mae’s Compassion and Care LLC
  23. Pedes Orange County, Inc.
  24. Penn Medicine
  25. RGH Enterprises, Inc. (dba Edgepark Medical Supplies, Inc)
  26. Robert Smith DMD, PC
  27. Rocky Mountain Women’s Health Center, Inc.
  28. Singing River Health
  29. Steven Yang, D.D.S., Inc.
  30. The Pediatric Endocrinology and Diabetes Specialists
  31. UnitedHealthcare Community Plan of Pennsylvania
  32. University of Rochester Jones Memorial Hospital
  33. Vermont Health Connect
  34. WellStar Neurosurgery
  35. Western Washington Medical Group
  36. Westminster Ingleside King Farm Presbyterian Retirement Communities, Inc.
  37. Zachary E. Adkins, DDS
Jul 26, 2017

Mitch Blacher and David Chang report:

A data breach at one of Pennsylvania’s largest health networks has sparked safety concerns and questions regarding why it took several months for patients to be notified.

The Women’s Health Care Group of Pennsylvania, which is based in Oaks, Pennsylvania but has 45 offices serving women in Montgomery, Chester and Delaware Counties, sent a letter to patients this month informing them that hackers had stolen their information. That information included patient names, birth dates, social security numbers, pregnancy histories, blood type information and medical diagnoses.

Read more on NBC.

The following notice, posted on Women’s Health Group’s site on July 18, indicates that this was a ransomware attack:

Notice of Security Breach Incident

Posted: July 18, 2017

On May 16, 2017, we discovered that a server and workstation located at one of our practice locations had been infected by a virus designed to block access to system files. Upon discovering the virus, we immediately removed the infected server and workstation from our network and began an investigation with the assistance of an expert computer forensics team to determine how the virus made it onto our systems and the extent to which the virus may have affected any of our data. Local Federal Bureau of Investigation authorities were contacted and a report was filed.

As part of our investigation, we learned that external hackers gained access to our systems, as far back as January 2017, through a security vulnerability. We also believe the virus was propagated through this vulnerability. Although this security vulnerability allowed access to limited patient information and the virus encrypted certain files, we have been unable to determine if any specific information was actually acquired or viewed in connection with this incident. In addition, the encrypted files were promptly restored from our back-up server and the incident had no effect on our ability to continue to provide patient care nor was any information lost.

The types of files that could have been accessed may have included information about a patient’s name, address, date of birth, Social Security number, lab tests ordered and lab results, telephone number, gender, pregnancy status, medical record number, blood type, race, employer, insurance information, diagnosis, and physician’s name. No driver’s license, credit card or other financial information was stored in any files on the infected server.

Individuals whose information may have been affected by this incident will receive a letter informing them of this incident, with instructions on steps they can take to receive free credit monitoring and identity theft protection services for a year. We recommend these individuals review all financial account information closely and report any fraudulent activity or suspected incident of identity theft. We have set up a call center with a toll-free help line for individuals who have questions about this incident. The phone number is (877) 534-7033. The call center is staffed weekdays Monday through Friday from 9:00 AM to 9:00 PM (EST) and Saturday and Sunday from 11:00 AM to 8:00 PM (EST).

We sincerely regret any concerns or inconvenience this incident may cause our patients. Maintaining the integrity and confidentiality of our patients’ personal information is very important to us and we are conducting a comprehensive internal review of our information security practices and procedures to help prevent such events in the future.

Update: When this incident appeared on HHS’s breach tool, it was reported as impacting 300,000 patients.

Jul 15, 2017

So what did we miss because the Veterans Administration stopped posting their monthly breach reports to Congress on their web site? DataBreaches.net filed a Freedom of Information request on June 7, and the VA has responded by providing all of the requested monthly reports for the period May 2016 – June 7, 2017. As an overview: there appears to be no major shift in the number of breaches reported each month by the VA.

The monthly reports generally contain descriptions of incidents in which numbers of veterans were either sent HIPAA notifications or offers of credit protection services. In addition, the VA provides a summary of how many mishandling incidents, mismailing incidents, and mismailed Consolidated Mail Outpatient Pharmacy (CMOP) incidents there were. For comparison purposes, in June 2016, there were 186 mismailing incidents, 6 mismailed CMOP incidents, and 117 mishandling incidents. In May 2017, there were 199 mismailing incidents, 7 mismailed CMOP incidents, and 111 mishandling incidents. To keep these in perspective, however, it is important to note that these are a tiny percentage of all of the incidents VA facilities handle on a monthly basis.

But here are 22 breach incidents I found in the reports. Only one resulted in any press release or media coverage at the time – at least as far as DataBreaches.net can determine – which is why we need the VA to be transparent and make these reports publicly available.

In chronological order, beginning with May, 2016:

A contractor for the Ralph H. Johnson VAMC lost a USB drive used in the process of fit-testing respirators for employees. Neither the outpatient clinic where it was last used nor the rental car company the contractor used could locate it. On June 23, the IT technician for the contractor confirmed that the USB drive was not encrypted because an encrypted drive could not be used in the PortaCount device. A total of 992 employees were sent notification letters because their names and partial SSNs were on the drive.

The VA Sunshine Healthcare Network in Bay Pines, FL reported on June 21 that 386 requests for medical records could not be found. By the time they concluded their search, they determined that 235 living veterans needed to be sent letters offering credit protection, while next-of-kin notification letters were also sent to others.


On June 24, another case was opened in Bay Pines after they were notified by an anesthesiologist that a logbook containing approximately 50 patients’ names, full SSNs, and dates of birth had been missing for approximately two weeks. Investigation determined that the logbook contained information on 294 veterans, but they were unable to determine exactly what information had been included for each veteran as this was not an approved logbook. All 294 veterans were subsequently offered credit protection services.

In another incident involving a potential breach in Fargo, North Dakota, the ex-wife of a former telework employee discovered 62 pieces of returned mail while cleaning out a file cabinet. She returned the documents to the local VAMC, but the facility that was supposed to investigate reportedly did not contact her, and there was no further contact with the employee in question, who had transferred to a different office. Sixty-two veterans were sent letters offering credit protection services.

102 veterans participating in a research study in San Francisco received letters notifying them of a breach under HIPAA after a researcher’s car was broken into on July 16, 2016 and a research participant log was among the stolen items. The log contained a recruitment flyer and the participants’ first and last names, appointment date and time, phone number, and last four digits of SSN.


On Sept 8, the Mid-Atlantic Healthcare Network in Beckley, WV learned that a binder with patient satisfaction discharge call back forms for the months of July and August was missing. The binder was an unapproved logbook that contained an estimated 70-80 patients’ information, including full name, full SSN, and date of birth. After further review and analysis, the VA determined that 150 veterans would be sent letters offering credit protection services.


The Midwest Health Care Network in Minneapolis reported an incident on September 8, 2016 after copies of prosthetic device information from various vendors went missing during office relocation. After investigation, the VA determined that 351 veterans would be sent letters offering credit protection services.


88 veterans in St. Louis, Missouri (the Heartland Network) were sent letters offering credit protection services after a medical student left patient lists in her lab coat, and left her coat in her car, which was then broken into.


Portland, Oregon (Northwest Network) opened an investigation on December 1, 2016 after a veteran received an appointment letter that included a four-page list with information on 162 veterans – last name, first initial, last four digits of SSN, clinic appointment title and date of appointment. The 161 living veterans were sent HIPAA notification letters; one next-of-kin notification letter was sent.


Columbus, Ohio (VISN 10) opened an incident on December 12, 2016 after an employee emailed PII externally that contained protected health information on 179 patients to three different applicants in error. There were 178 HIPAA notification letters sent and one next-of-kin notification.


A mishandling incident of note occurred in Muskogee, Oklahoma (the South Central Health Care Network). A veteran notified VA staff after spotting blood vials lying on the ground in front of a dumpster; the vials were filled with blood and labeled with information for each patient (name and full SSN). The recovered vial rack contained 93 veteran specimens, 30 of which were recovered and 63 of which were unaccounted for. 93 veterans were sent letters offering credit protection services.

Memphis, TN (the MidSouth Healthcare Network) opened an investigation on January 8 after a principal investigator reported the mailing of 961 research study survey letters sent out with the wrong names. The mailing addresses were correct, but the wrong study subject’s name from another group in the same research study had been included. 961 veterans were sent HIPAA notification letters, but 240 were returned as undeliverable. After deleting duplicates, there were 687. But why did the VA conclude that credit monitoring would be required? The survey letter did NOT contain any SSNs, “only the survey questions about pain medication taken by the research subject.”

A mishandling incident involving the Seattle, Washington VA (the Northwest Network) illustrates how labor-intensive a breach response can be. In this case, the VA was first notified by Everett Transit Authority that they needed to speak to someone in Research about an item they had found. It took days before anyone called them back to determine that it was a flash drive that appeared to be associated with a principal research investigator at Puget Sound. But when the VA actually looked at the contents of the drive, several more days later, they discovered that it contained copied data from older studies and at least one or two folders with research subjects’ protected health information. Most of the data files were from 2004 – 2009, before the VA started giving out encrypted drives. The VA was able to identify the owner of the drive, who no longer worked for the VA and may have lost the drive while packing up to move to her new location. More than 500 files had to be reviewed to determine who might need to be sent letters. All told, 36 were sent credit protection service offers and an additional 373 individuals were sent HIPAA notification letters.

An incident reported by the St. Louis, Missouri VA (Heartland Network) is yet another reminder about disgruntled or terminated employees being able to walk out with PHI. The Privacy Officer received an email from a VA attorney alerting them that, in response to a discovery request the VA attorney had made in an employment case, the VA had received VistA printouts of scheduled consults that had veterans’ last name, first initial, and last 4 digits of SSN of “many Veterans,” some including those that received HIV counseling. The VA’s investigation revealed that the former employee had the records in his possession and had not been employed by the VA since January 2016 (one year previously). By the time they concluded the investigation, they had identified 724 individuals requiring 615 HIPAA notification letters, 48 credit protection service offers, and 61 next-of-kin notifications. Because there were more than 500 affected, a press release was also required. The media did pick up the report at the time and I had noted it on DataBreaches.net at the time, but where is the more detailed explanation of how the employee was able to exfiltrate or obtain so much data without it ever being detected through internal controls?

A mishandling incident in February resulted in 61 veterans at the Fayetteville, Arkansas VA (South Central Health Care Network) getting credit protection offers. The incident occurred because after an employee contacted environmental services to pick up sensitive confidential shred, they did not, and staff left for the day, leaving the bag in the copy room. The next day it was gone – presumably taken by the cleaning crew, who would have disposed of it with the regular trash.

In February, the West Palm Beach VA (the Sunshine Network) opened an investigation after an employee found a folder in a women’s bathroom. The folder contained many handwritten documents from veterans, including at least 6 full SSNs, with names, dates of birth, and 282 partial SSNs. There were also full names, admission dates, and diagnoses. At least 6 veterans had documents covered by 38 U.S. Code § 7332 (confidentiality of medical records). Further investigation revealed there were 17 diagnoses covered by 7332. The majority of documents were signed by a mental health provider. The bathroom was located in an inpatient mental health ward, but was accessible to patients and their visitors. After removing duplicates, there were 69 unique veterans affected; 62 were sent HIPAA notification letters, while 7 were sent credit protection service offers.

Denver (Rocky Mountain Network) investigated in March after an employee left lab tissue on a cart outside freight elevators for 24 hours because the employee could not get into the morgue. The elevators and the area around them are accessible by everyone (not just employees), and the lab specimens were anatomic pathology specimens labeled with veterans’ full name, full SSN, and date of birth. As a result, 68 veterans were sent credit protection service offers; one next-of-kin notification was sent, and administrative action was recommended with respect to the employee.

The VA is clearly not immune to insider snooping or employee wrongdoing problems, as some of the following incidents indicate:

Dayton, Ohio (VISN 10) opened an investigation in March after an employee’s name was found on three colleagues’ Sensitive Patient Access Reports (SPARs). The employee had no reason to access those medical records. When contacted about the access, the employee resigned, but the investigation continued, and by early April, they had determined that the employee had accessed 223 veteran and employee EMRs without cause, and had shared information on three (2 employees and 1 patient) with other VA employees. The difficulty in determining what accesses were legitimate is reflected in their report:

The VA calls this next one a “Mishandling” incident. I’d call it an insider-wrongdoing breach. The Murfreesboro, TN VACO Field Program Office opened an investigation in March because an employee teleworking due to RA had allegedly trained her boyfriend and given him access, and he was accessing veterans’ accounts daily to complete her workload for her. The VA incident summary does not indicate how the VA first became aware of what was going on, but as a result, 113 veterans were sent letters offering credit protection services. The employee turned in her government-owned laptop, the VPN account was disabled, and all account accesses were terminated. Additional disciplinary action was alluded to but not detailed.

Another case of employee wrongdoing was reported by Philadelphia (VISN 04) in April 2017. The spouse of an employee printed a copy of a veteran’s information and provided it to family court for her child support hearing. The veteran was sent a HIPAA notice due to PHI being disclosed, and disciplinary action was taken towards the staff member. It is not clear from the summary whether the employee actively assisted his spouse in acquiring the veteran’s information or was just negligent in protecting it.

In April, Palo Alto VA (the Sierra Pacific Network) reported that a binder with “return clinic appointment orders” containing information on approximately 50 veterans had been removed from a locked cabinet between April 7 and April 10. The list was recreated and was determined to include full names, full SSN, and personal phone numbers and clinic names for 77 veterans, who were sent credit protection service offers; one notification letter was sent to next-of-kin.

Portland, Oregon (Northwest Network) investigated after an estate attorney called to report that a deceased employee’s house was being cleaned and boxes of VA medical records had been found in her garage. After review and analysis, 42 veterans were sent letters offering credit protection services, and 23 were sent HIPAA notification letters. The summary does not explain why the now-deceased employee would have VA medical records in her home, when her employment with the VA had terminated (if it had terminated prior to her death), and why the removal of the records had never been detected, if it had not been.

As noted earlier, DataBreaches.net only obtained these reports because the site filed a Freedom of Information request. The VA did not produce any documents in response to my request for documentation as to why they suddenly stopped making these reports publicly available. And they produced no documentation in response to my request as to how they complied with federal law about providing notice for a change in procedure. Their only response was to assert – without citing any statute – that these reports are not mandated to be provided monthly. DataBreaches.net respectfully disagrees with the VA’s claim and interpretation, and is considering appealing that portion of the response.

Note that ProPublica also requested the monthly reports from the VA, but in a different format, and they may post them in a more easily analyzable format in the future if and when they receive them. For now I am uploading the pdf files of the reports as I received them from the VA so that they are publicly available: the May – Dec 2016 reports and the Jan – May 2017 reports.


May 22, 2017

Protenus has published its Breach Barometer for April, with data and some analyses provided by this site. The analyses were based on the following incidents:

Significantly, perhaps, one of the worst incidents in terms of potential harm to individual patients was one that only appeared on HHS’s breach tool because this site discovered it and notified the entity that its patients’ psychotherapy records appeared to be up for sale on the dark web.

Records from Behavioral Health Center were up for sale on the dark web.

Of note, the hacker never attempted to extort the clinic to see if the clinic would pay to get the data back – the data were just put up for sale with an asking price of a minimum of $10,000.00 (about $2-$3 per patient).

Another candidate for worst breach of the month was the Erie County Medical Center ransomware attack, which is still not totally resolved. Thankfully, the center had backups and other means of accessing patient records and information or the impact on care could have been a nightmare.

While DataBreaches.net considered these perhaps the worst breaches of the month (admittedly a somewhat subjective determination), perhaps my biggest concern in reviewing the April data was wondering how many incident reports we are not seeing on HHS’s breach tool. Are we missing so many incidents from both HIPAA-covered and non-HIPAA-covered entities that what we do know about is not really representative of what’s going on with threats to health data security? Is HHS’s public breach tool giving us any kind of accurate insights into risks and breaches involving health data, or is it just significantly underestimating and misrepresenting the real risks? I’ll have more to say on this in another post.

Apr 18, 2014

Parallon Business Solutions in Tennessee provides billing services for physician practices.

On February 5, 2014, they were informed by Metropolitan Police in Nashville and the Secret Service that a former employee was under investigation for stealing patient information. The data theft occurred between August 27, 2012 and April 23, 2013 and included patients’ names, addresses, Social Security numbers, and health insurance information.

Parallon notified affected patients on March 21, and offered them free credit monitoring services with TransUnion.

Forty residents of New Hampshire were affected by the breach. Those 40 patients were from 13 physician practices in the state: PRH Hospitalists and the following practices that are all part of Appledore Medical Group: Beacon Internal Medicine, Coastal NH Neurosurgeons, David J. Itkin, MD, Mark Henschke DO, Portsmouth Family Practice, Portsmouth Internal Medicine Associates, Thoracic and Vascular Associates, Woodbury Family Practice, Portsmouth Primary Care Associates, Parkland Physician Services Parkland Primary Care, Clipper Cardiovascular Associates, and Women’s Health Associates.

The total number of patients affected nationwide was not reported in their notification to New Hampshire.

Note that this breach report is related to a breach recently reported by LewisGale Regional Health System. In that case, Parallon provided billing services for Salem Hospitalists.

Media coverage of the LewisGale breach suggested that 400 patients may have been affected nationwide, and that in some cases, patient information was misused for new account fraud, leasing apartments, or utilities accounts.