Protenus has released its Breach Barometer for January health data breaches. While the numbers of insider and external incidents continue to run pretty much neck and neck, once again external breaches accounted for significantly more breached records than insider incidents. Protenus reports:

Of note, hacking incidents affected significantly more patient records, due largely to one particular breach that affected 59% of the total number of breached patient records this past month.

There were 37 incidents reported on in Protenus’s report, as identified below. For some incidents, we had no details other than what was reported on HHS’s public breach tool.

Adams Memorial Hospital
Alicia Ann Oswald
Allscripts
Central States Southeast and Southwest Areas Health and Welfare Fund
Charles River Medical Associates
Coplin Health Systems
Corovan Corporation
Corrine A. Dale
Decatur County General Hospital
DJO Global
Employer Leasing
Florida Agency for Health Care Administration
Gilette Medical Imaging
Hancock Health
High Plains Surgical Associates
MD Medical Spa and Wellness Center
Montana State U. Billings
Nevro Corporation
Oklahoma State University Center for Health Sciences
Onco360 and CareMed Specialty Pharmacy
Palomar Health
Pearlie Mae’s Compassion and Care LLC
Pedes Orange County, Inc.
Penn Medicine
RGH Enterprises, Inc. (dba Edgepark Medical Supplies, Inc)
Robert Smith DMD, PC
Rocky Mountain Women’s Health Center, Inc.
Singing River Health
Steven Yang, D.D.S., Inc.
The Pediatric Endocrinology and Diabetes Specialists
UnitedHealthcare Community Plan of Pennsylvania
University of Rochester Jones Memorial Hospital
Vermont Health Connect
WellStar Neurosurgery
Western Washington Medical Group
Westminster Ingleside King Farm Presbyterian Retirement Communities, Inc.
Zachary E. Adkins, DDS
Mitch Blacher and David Chang report:

A data breach at one of Pennsylvania’s largest health networks has sparked safety concerns and questions regarding why it took several months for patients to be notified. The Women’s Health Care Group of Pennsylvania, which is based in Oaks, Pennsylvania but has 45 offices serving women in Montgomery, Chester and Delaware Counties, sent a letter to patients this month informing them that hackers had stolen their information. That information included patient names, birth dates, social security numbers, pregnancy histories, blood type information and medical diagnoses.

Read more on NBC.

The following notice, posted on Women’s Health Group’s site on July 18, indicates that this was a ransomware attack:

Notice of Security Breach Incident
Posted: July 18, 2017

On May 16, 2017, we discovered that a server and workstation located at one of our practice locations had been infected by a virus designed to block access to system files. Upon discovering the virus, we immediately removed the infected server and workstation from our network and began an investigation with the assistance of an expert computer forensics team to determine how the virus made it onto our systems and the extent to which the virus may have affected any of our data. Local Federal Bureau of Investigation authorities were contacted and a report was filed.

As part of our investigation, we learned that external hackers gained access to our systems, as far back as January 2017, through a security vulnerability. We also believe the virus was propagated through this vulnerability. Although this security vulnerability allowed access to limited patient information and the virus encrypted certain files, we have been unable to determine if any specific information was actually acquired or viewed in connection with this incident. In addition, the encrypted files were promptly restored from our back-up server and the incident had no effect on our ability to continue to provide patient care nor was any information lost.

The types of files that could have been accessed may have included information about a patient’s name, address, date of birth, Social Security number, lab tests ordered and lab results, telephone number, gender, pregnancy status, medical record number, blood type, race, employer, insurance information, diagnosis, and physician’s name. No driver’s license, credit card or other financial information was stored in any files on the infected server.

Individuals whose information may have been affected by this incident will receive a letter informing them of this incident, with instructions on steps they can take to receive free credit monitoring and identity theft protection services for a year. We recommend these individuals review all financial account information closely and report any fraudulent activity or suspected incident or identity theft.

We have set up a call center with a toll-free help line for individuals who have questions about this incident. The phone number is (877) 534-7033. The call center is staffed weekdays Monday through Friday from 9:00 AM to 9:00 PM (EST) and Saturday and Sunday from 11:00 AM to 8:00 PM (EST).

We sincerely regret any concerns or inconvenience this incident may cause our patients. Maintaining the integrity and confidentiality of our patients’ personal information is very important to us and we are conducting a comprehensive internal review of our information security practices and procedures to help prevent such events in the future.

Update: When this incident appeared on HHS’s breach tool, it was reported as impacting 300,000 patients.
So what did we miss because the Veterans Administration stopped posting their monthly breach reports to Congress on their web site? DataBreaches.net filed a Freedom of Information request on June 7, and the VA has responded by providing all of the requested monthly reports for the period May, 2016 – June 7, 2017.

As an overview: there appears to be no major shift in the number of breaches reported each month by the VA. The monthly reports generally contain descriptions of incidents in which numbers of veterans were either sent HIPAA notifications or offers of credit protection services. In addition, the VA provides a summary of how many mishandling incidents, mismailing incidents, and mismailed Consolidated Mail Outpatient Pharmacy (CMOP) incidents there were. For comparison purposes, in June 2016, there were 186 mismailing incidents, 6 mismailed CMOP incidents, and 117 mishandling incidents. In May, 2017, there were 199 mismailing incidents, 7 mismailed CMOP incidents, and 111 mishandling incidents. To keep these in perspective, however, it is important to note that these are a tiny percentage of all of the incidents VA facilities handle on a monthly basis.

But here are 22 breach incidents I found in the reports, below. Only one resulted in any press release or media coverage at the time – at least as far as DataBreaches.net can determine – which is why we need the VA to be transparent and make these reports publicly available.

In chronological order, beginning with May, 2016:

A contractor for the Ralph H. Johnson VAMC lost a USB drive used in the process of fit-testing respirators for employees. Neither the outpatient clinic where it was last used nor the rental car company the contractor used could locate it. On June 23, the IT technician for the contractor confirmed that the USB drive was not encrypted because an encrypted drive could not be used in the PortaCount device. A total of 992 employees were sent notification letters because their names and partial SSNs were on the drive.

The VA Sunshine Healthcare Network in Bay Pines, FL reported on June 21 that 386 requests for medical records could not be found. By the time they concluded their search, they determined that 235 living veterans needed to be sent letters offering credit protection, while next-of-kin notification letters were also sent to others.

On June 24, another case was opened in Bay Pines after they were notified by an anesthesiologist that a logbook containing approximately 50 patients’ names, full SSNs, and dates of birth had been missing for approximately two weeks. Investigation determined that the logbook contained information on 294 veterans, but they were unable to determine exactly what information had been included for each veteran as this was not an approved logbook. All 294 veterans were subsequently offered credit protection services.

In another incident involving a potential breach in Fargo, North Dakota, the ex-wife of a former telework employee discovered 62 pieces of returned mail while cleaning out a file cabinet. She returned the documents to the local VAMC, but the facility that was supposed to investigate reportedly did not contact her and there was no further contact with the employee in question, who had transferred to a different office. Sixty-two veterans were sent letters offering credit protection services.

102 veterans participating in a research study in San Francisco received letters notifying them of a breach under HIPAA after a researcher’s car was broken into on July 16, 2016 and a research participants’ log was among the stolen items. The log contained a recruitment flyer and the participants’ first and last names, appointment date and time, phone number, and last four digits of SSN.

On Sept 8, the Mid-Atlantic Healthcare Network in Beckley, WV learned that a binder with patient satisfaction discharge call back forms for the months of July and August was missing. The binder was an unapproved logbook that contained an estimated 70-80 patients’ information, including full name, full SSN, and date of birth. After further review and analysis, the VA determined that 150 veterans would be sent letters offering credit protection services.

The Midwest Health Care Network in Minneapolis reported an incident on September 8, 2016 after copies of prosthetic device information from various vendors went missing during office relocation. After investigation, the VA determined that 351 veterans would be sent letters offering credit protection services.

88 veterans in St. Louis, Missouri (the Heartland Network) were sent letters offering credit protection services after a medical student left patient lists in her lab coat, and left her coat in her car, which was then broken into.

Portland, Oregon (Northwest Network) opened an investigation on December 1, 2016 after a veteran received an appointment letter that included a four-page list with information on 162 veterans – last name, first initial, last four digits of SSN, clinic appointment title and date of appointment. The 161 living veterans were sent HIPAA notification letters; one next-of-kin notification letter was sent.

Columbus, Ohio (VISN 10) opened an incident on December 12, 2016 after an employee emailed PII externally that contained protected health information on 179 patients to three different applicants in error. There were 178 HIPAA notification letters sent and one next-of-kin notification.

A mishandling incident of note occurred in Muskogee, Oklahoma (the South Central Health Care Network). A veteran notified VA staff after spotting blood vials lying on the ground in front of a dumpster filled with blood and information for each patient (name and full SSN). The recovered vial rack contained 93 veteran specimens, 30 of which were recovered and 63 of which were unaccounted for. 93 veterans were sent letters offering credit protection services.

Memphis, TN (the MidSouth Healthcare Network) opened an investigation on January 8 after a principal investigator reported the mailing of 961 research study survey letters sent out with the wrong names. The mailing addresses were correct, but the wrong study subject’s name from another group in the same research study had been included. 961 veterans were sent HIPAA notification letters, but […]
Protenus has published its Breach Barometer for April, with data and some analyses provided by this site. The analyses were based on the following incidents:

Amedisys Home Health
Area Agency of Aging 1-B: On March 31, 2017 the Area Agency on Aging 1-B (AAA 1-B) became aware of an unintentional potential disclosure of the personal health information (PHI) of 1741 program participants. Two separate unencrypted emails containing the participant’s name, case number, claim payment amount, units of service, service codes and vendor code of AAA 1-B participants were sent by the AAA 1-B to the Michigan Department of Health and Human Services (MDHHS) Aging & Adult Services Agency on March 23 and March 30.
Ashland Women’s Health
Atlantic Digestive Specialists
Behavioral Health Center
BioReference Laboratories, Inc.
Cardiology Center of Acadiana
Carson Valley Medical Center: Following the receipt of a fake email, a CVMC employee released a single spreadsheet that included patient first and last names, patient account number, service discharge date, and identification of the location of treatment as CVMC.
Central New York Psychiatric Center
Cleveland Metropolitan School District
CVS
Erie County Medical Center
Eyecare Services Partners Management, LLC
GlaxoSmithKline Patient Assistance Program
Greenway Health
Harrisburg Endoscopy and Surgery Center, Inc.
Harrisburg Gastroenterology
Hill Country Memorial Hospital
Humana Inc [case # HU17001CC]
Iowa Veterans Home
LifeSpan
Memorial Healthcare
Memorial Hospital Clinic South
Memorial Hospital Clinic West
Michigan Facial Aesthetic Surgeons d/b/a University Physician Group
MVP Health Care, Inc.
Pentucket Medical
Spine Specialist
St. Lucie County
University of Oklahoma, OU Physicians
University of South Florida
Valley Women’s Health, S.C.
Virginia Mason Memorial
Western Health Screening

Significantly, perhaps, one of the worst incidents in terms of potential harm to individual patients was one that only appeared on HHS’s breach tool because this site discovered it and notified the entity that its patients’ psychotherapy records appeared to be up for sale on the dark web. Of note, the hacker never attempted to extort the clinic to see if the clinic would pay to get the data back – the data were just put up for sale with an asking price of a minimum of $10,000.00 (about $2-$3 per patient).

Another candidate for worst breach of the month was the Erie County Medical Center ransomware attack, which is still not totally resolved. Thankfully, the center had backups and other means of accessing patient records and information or the impact on care could have been a nightmare.

While DataBreaches.net considered these perhaps the worst breaches of the month (admittedly a somewhat subjective determination), perhaps my biggest concern in reviewing the April data was wondering how many incident reports we are not seeing on HHS’s breach tool. Are we missing so many incidents from both HIPAA-covered and non-HIPAA-covered entities that what we do know about is not really representative of what’s going on with threats to health data security? Is HHS’s public breach tool giving us any kind of accurate insights into risks and breaches involving health data, or is it just significantly underestimating and misrepresenting the real risks? I’ll have more to say on this in another post.
Parallon Business Solutions in Tennessee provides billing services for physician practices. On February 5, 2014, they were informed by Metropolitan Police in Nashville and the Secret Service that a former employee was under investigation for stealing patient information. The data theft occurred between August 27, 2012 and April 23, 2013 and included patients’ names, addresses, Social Security numbers, and health insurance information. Parallon notified affected patients on March 21, and offered them free credit monitoring services with TransUnion. Forty residents of New Hampshire were affected by the breach. Those 40 patients were from 13 physician practices in the state: PRH Hospitalists and the following practices that are all part of Appledore Medical Group: Beacon Internal Medicine, Coastal NH Neurosurgeons, David J. Itkin, MD, Mark Henschke DO, Portsmouth Family Practice, Portsmouth Internal Medicine Associates, Thoracic and Vascular Associates, Woodbury Family Practice, Portsmouth Primary Care Associates, Parkland Physician Services Parkland Primary Care, Clipper Cardiovascular Associates, and Women’s Health Associates. The total number of patients affected nationwide was not reported in their notification to New Hampshire. Note that this breach report is related to a breach recently reported by LewisGale Regional Health System. In that case, Parallon provided billing services for Salem Hospitalists. Media coverage of the LewisGale breach suggested that 400 patients may have been affected nationwide, and that in some cases, patient information was misused for new account fraud, leasing apartments, or utilities accounts.