Almost half a million breached health records in January; 60% from one hacking incident alone

Protenus has released its Breach Barometer for January health data breaches. While the number of insider and external incidents continue to run pretty much neck-to-neck, once again external breaches accounted for significantly more breached records than insider incidents. Protenus reports: Of note, hacking incidents affected significantly more patient records, due largely to one particular breach that affected 59% of the total number of breached patient records this past month. There were 37 incidents reported on in Protenus’s report, as identified below. For some incidents, we had no details other than what was reported on HHS’s public breach tool. Adams Memorial Hospital Alicia Ann Oswald Allscripts Central States Southeast and Southwest Areas Health and Welfare Fund Charles River Medical Associates Coplin Health Systems Corovan Corporation Corrine A. Dale Decatur County General Hospital DJO Global Employer Leasing Florida Agency for Health Care Administration Gilette Medical Imaging Hancock Health High Plains Surgical Associates MD Medical Spa and Wellness Center Montana State U. Billings Nevro Corporation Oklahoma State University Center for Health Sciences Onco360 and CareMed Specialty Pharmacy Palomar Health Pearlie Mae’s Compassion and Care LLC Pedes Orange County, Inc. Penn Medicine RGH Enterprises, Inc. (dba Edgepark Medical Supplies, Inc) Robert Smith DMD, PC Rocky Mountain Women’s Health Center, Inc. Singing River Health Steven Yang, D.D.S., Inc. The Pediatric Endocrinology and Diabetes Specialists UnitedHealthcare Community Plan of Pennsylvania University of Rochester Jones Memorial Hospital Vermont Health Connect WellStar Neurosurgery Western Washington Medical Group Westminster Ingleside King Farm Presbyterian Retirement Communities, Inc. Zachary E. Adkins, DDS

Women’s Health Group of Pennsylvania Notifies 300,000 Patients of Ransomware Attack

Mitch Blacher and David Chang report: A data breach at one of Pennsylvania’s largest health networks has sparked safety concerns and questions regarding why it took several months for patients to be notified. The Women’s Health Care Group of Pennsylvania, which is based in Oaks, Pennsylvania but has 45 offices serving women in Montgomery, Chester and Delaware Counties, sent a letter to patients this month informing them that hackers had stolen their information. That information included patient names, birth dates, social security numbers, pregnancy histories, blood type information and medical diagnoses. Read more on NBC. The following notice, posted on Women’s Health Group’s site on July 18, indicates that this was a ransomware attack: Notice of Security Breach Incident Posted: July 18, 2017 On May 16, 2017, we discovered that a server and workstation located at one of our practice locations had been infected by a virus designed to block access to system files. Upon discovering the virus, we immediately removed the infected server and workstation from our network and began an investigation with the assistance of an expert computer forensics team to determine how the virus made it onto our systems and the extent to which the virus may have affected any of our data. Local Federal Bureau of Investigation authorities were contacted and a report was filed. As part of our investigation, we learned that external hackers gained access to our systems, as far back as January 2017, through a security vulnerability. We also believe the virus was propagated through this vulnerability. Although this security vulnerability allowed access to limited patient information and the virus encrypted certain files, we have been unable to determine if any specific information was actually acquired or viewed in connection with this incident. In addition, the encrypted files were promptly restored from our back-up server and the incident had no effect on our ability to continue to provide patient care nor was any information lost. The types of files that could have been accessed may have included information about a patient’s name, address, date of birth, Social Security number, lab tests ordered and lab results, telephone number, gender, pregnancy status, medical record number, blood type, race, employer, insurance information, diagnosis, and physician’s name. No driver’s license, credit card or other financial information was stored in any files on the infected server. Individuals whose information may have been affected by this incident will receive a letter informing them of this incident, with instructions on steps they can take to receive free credit monitoring and identity theft protection services for a year. We recommend these individuals review all financial account information closely and report any fraudulent activity or suspected incident or identity theft. We have set up a call center with a toll-free help line for individuals who have questions about this incident. The phone number is (877) 534-7033. The call center is staffed weekdays Monday through Friday from 9:00 AM to 9:00 PM (EST) and Saturday and Sunday from 11:00 AM to 8:00 PM (EST) We sincerely regret any concerns or inconvenience this incident may cause our patients. Maintaining the integrity and confidentiality of our patients’ personal information is very important to us and we are conducting a comprehensive internal review of our information security practices and procedures to help prevent such events in the future. Update: When this incident appeared on HHS’s breach tool, it was reported as impacting 300,000 patients.

Veterans Administration responds to Freedom of Information request; releases breach reports

So what did we miss because the Veterans Administration stopped posting their monthly breach reports to Congress on their web site? DataBreaches.net filed a Freedom of Information request on June 7, and the VA has responded by providing all of the requested monthly reports for the period May, 2016 – June 7, 2017.   As an overview: there appears to be no major shift in the number of breaches reported each month by the VA. The monthly reports generally contain descriptions of incidents in which numbers of veterans were either sent HIPAA notifications or offers of credit protection services. In addition, the VA provides a summary of how many mishandling incidents, mismailing incidents, and mismailed Consolidated Mail Outpatient Pharmacy (CMOP) incidents there were.  For comparison purposes, in June 2016, there were 186 mismailing incidents, 6 mismailed CMOP incidents, and 117 mishandling incidents. In May, 2017, there were 199 mismailing incidents, 7 mismailed CMOP incidents, and 111 mishandling incidents. To keep these in perspective, however, it is important to note that these are a tiny percentage of all of the incidents VA facilities handle on a monthly basis. But here are 22 breach incidents I found in the reports, below. Only one resulted in any press release or media coverage at the time – at least as far as DataBreaches.net can determine – which is why we need the VA to be transparent and make these reports publicly available. In chronological order, beginning with May, 2016: A contractor for the Ralph H. Johnson VAMC lost a USB drive used in the process of fit-testing respirators for employees.  Neither the outpatient clinic where it was last used nor the rental car company the contractor used could locate it. On June 23, the IT technician for the contractor confirmed that the USB drive was not encrypted because an encrypted drive could not be used in the PortaCount device. A total of 992 employee were sent notification letters because their names and partial SSNs were on the drive. The VA Sunshine Healthcare Network in Bay Pines, FL reported on June 21 that 386 requests for medical records could not be found. By the time they concluded their search, they determined that 235 living veterans needed to be sent letters offering credit protection, while next-of-kin notification letters were also sent to others.   On June 24, another case was opened in Bay Pines after they were notified by an anesthesiologist that a logbook containing approximately 50 patients’ names, full SSNs, and dates of birth had been missing for approximately two weeks. Investigation determined that the logbook contained information on 294 veterans, but they were unable to determine exactly what information had been included for each veteran as this was not an approved logbook. All 294 veterans were subsequently offered credit protection services. In another incident involving a a potential breach in Fargo, North Dakota, the ex-wife of a former telework employee discovered 62 pieces of returned mail while cleaning out a file cabinet. She returned the documents to the local VAMC, but the facility that was supposed to investigate reportedly did not contact her and there was no further contact with the employee in question, who had transferred to a different office. Sixty-two veterans were sent letters offering credit protection services . 102 veterans participating in a research study in San Francisco received letters notifying them of a breach under HIPAA after a researcher’s car was broken into on July 16, 2016 and a research participants’ log was among the stolen items. The log contained a recruitment flyer and the participants’ first and last names, appointment date and time, phone number, and last four digits of SSN.   On Sept 8, the Mid-Atlantic Healthcare Network in Beckley, WV learned that a binder with patient satisfaction discharge call back forms for the months of July and August was missing. The binder was an unapproved logbook that contained an estimated 70-80 patients’ information, including full name, full SSN, and date of birth. After further review and analysis, the VA determined that 150 veterans would be sent letters offering credit protection services.   The Midwest Health Care Network in Minneapolis reported an incident on September 8, 2016 after copies of prosthetic device information from various vendors went missing during office relocation. After investigation, the VA determined that 351 veterans would be sent letters offering credit protection services.   88 veterans in St. Louis, Missouri (the Heartland Network) were sent letters offering credit protection services after a medical student left patient lists in her lab coat, and left her coat in her car, which was then broken into.    Portland, Oregon  (Northwest Network) opened an investigation on December 1, 2016 after a veteran received an appointment letter that included a four-page list with information on 162 veterans – last name, first initial, last four digits of SSN, clinic appointment title and date of appointment. The 161 living veterans were sent HIPAA notification letters; one next-of-kin notification letter was sent.   Columbus, Ohio  (VISN 10) opened an incident on December 12, 2016 after an employee emailed PII externally that contained protected health information on 179 patients to three different applicants in error. There were 178 HIPAA notification letters sent and one next-of-kin notification.   A mishandling incident of note occurred in Muskogee, Oklahoma (the South Central Health Care Network). A veteran notified VA staff after spotting blood vials lying on the ground in front of a dumpster filled with blood and information for each patient (name and full SSN). The recovered vial rack contained 93 veteran specimens, 30 of which were recovered and 63 of which were unaccounted for.  93 veterans were sent letters offering credit protection services. Memphis, TN (the MidSouth Healthcare Network) opened an investigation on January 8  after a principal investigator reported the mailing of 961 research study survey letters sent out with the wrong names. The mailing addresses were correct, but the wrong study subject’s name from another group in the same research study had been included. 961 veterans were sent HIPAA notification letters, but […]

What kind of month was April for health data breaches?

Protenus has published its Breach Barometer for April, with data and some analyses provided by this site. The analyses were based on the following incidents: Amedisys Home Health Area Agency of Aging 1-B: On March 31, 2017 the Area Agency on Aging 1-B (AAA 1-B) became aware of an unintentional potential disclosure of the personal health information (PHI) of 1741 program participants. Two separate unencrypted emails containing the participant’s name, case number, claim payment amount, units of service, service codes and vendor code of AAA 1-B participants were sent by the AAA 1-B to the Michigan Department of Health and Human Services (MDHHS) Aging & Adult Services Agency on March 23 and March 30. Ashland Women’s Health Atlantic Digestive Specialists Behavioral Health Center BioReference Laboratories, Inc. Cardiology Center of Acadiana Carson Valley Medical Center:  Following the receipt of a fake email, a CVMC employee released a single spreadsheet that included patient first and last names, patient account number, service discharge date, and identification of the location of treatment as CVMC. Central New York Psychiatric Center Cleveland Metropolitan School District CVS Erie County Medical Center Eyecare Services Partners Management, LLC GlaxoSmithKline Patient Assistance Program Greenway Health Harrisburg Endoscopy and Surgery Center, Inc. Harrisburg Gastroenterology Hill Country Memorial Hospital Humana Inc [case # HU17001CC] Iowa Veterans Home LifeSpan Memorial Healthcare Memorial Hospital Clinic South Memorial Hospital Clinic West Michigan Facial Aesthetic Surgeons d/b/a University Physician Group MVP Health Care, Inc. Pentucket Medical Spine Specialist St. Lucie County University of Oklahoma, OU Physicians University of South Florida Valley Women’s Health, S.C. Virginia Mason Memorial Western Health Screening Significantly, perhaps, one of the worst incidents in terms of potential harm to individual patients was one that only appeared on HHS’s breach tool because this site discovered it and notified the entity that its patients’ psychotherapy records appeared to be up for sale on the dark web. Of note, the hacker never attempted to extort the clinic to see if the clinic would pay to get the data back – the data were just put up for sale with an asking price of  a minimum of $10,000.00 (about $2-$3 per patient). Another candidate for worst breach of the month was the Erie County Medical Center ransomware attack, which is still not totally resolved. Thankfully, the center had backups and other means of accessing patient records and information or the impact on care could have been a nightmare. While DataBreaches.net considered these perhaps the worst breaches of the month (admittedly a somewhat subjective determination), perhaps my biggest concern in reviewing the April data was wondering how many incident reports we are not seeing on HHS’s breach tool. Are we missing so many incidents from both HIPAA-covered and non-HIPAA-covered entities that what we do know about is not really representative of what’s going on with threats to health data security?  Is HHS’s public breach tool giving us any kind of accurate insights into risks and breaches involving health data, or is it just significantly underestimating and misrepresenting the real risks?  I’ll have more to say on this in another post.

Parallon Business Solutions insider breach affected patients in New Hampshire

Parallon Business Solutions in Tennessee provides billing services for physician practices. On February 5, 2014, they were informed by Metropolitan Police in Nashville and the Secret Service that a former employee was under investigation for stealing patient information. The data theft occurred between August 27, 2012 and April 23, 2013 and included patients’ names, addresses, Social Security numbers, and health insurance information. Parallon notified affected patients on March 21, and offered them free credit monitoring services with TransUnion. Forty residents of New Hampshire were affected by the breach. Those 40 patients were from 13 physician practices in the state: PRH Hospitalists and the following practices that are all part of Appledore Medical Group: Beacon Internal Medicine, Coastal NH Neurosurgeons, David J. Itkin, MD,  Mark Henschke DO,  Portsmouth Family Practice, Portsmouth Internal Medicine Associates, Thoracic and Vascular Associates,  Woodbury Family Practice,  Portsmouth Primary Care Associates,  Parkland Physician Services Parkland Primary Care, Clipper Cardiovascular Associates, and Women’s Health Associates. The total number of patients affected nationwide was not reported in their notification to New Hampshire. Note that this breach report is related to a breach recently reported by LewisGale Regional Health System.   In that case, Parallon provided billing services for Salem Hospitalists. Media coverage of the LewisGale breach suggested that 400 patients may have been affected nationwide, and that in some cases, patient information was misused for new account fraud, leasing apartments, or utilities accounts.

Unsecured backup devices continue to be a hot mess

After a few years of headlines blaring mega-numbers of records exposed by misconfigured RSYNC backups, we might hope that we would be seeing fewer errors by now. But it seems that RSYNC errors continue at a high rate, exposing massive amounts of data. This month, part of what I did was look at RSYNC errors by hosting companies, as these mistakes would affect a number of clients, and in turn, the clients’ data. Here’s just a small sample of what I found, keeping in mind that I was not sorting or looking for leaks with large numbers — small leaks are as significant to small businesses as large leaks are to large companies. And for small to medium businesses, picking the right IT host can be the difference between secure data and data at frequent risk. USCNet (IT services firm in New Jersey) On November 21, this researcher discovered an RSYNC device that was open on port 843. By looking at the list of clients and additional information, the device appeared to belong to USCNet.com, that USCNet,com, an IT services firm in New Jersey with an established history and reputation. Email notification was first sent on November 29 and then again on December 2 when they did not respond to the first notification. Notifications were also sent to USCNet’s clients on December 2 via email or through website contact forms. Despite asking for acknowledgement of notifications, neither the vendor nor the clients acknowledged any notification, although the data were locked down after the December 2 notifications. Here’s a brief summary of what was in the exposed backup: Applied Research + Consulting had 82.48GB of data consisting of internal documents, resumes, invoices, billing and other documents related to their research and clients, who include: Novartis, Consolidated Edison, Centocor, Abbott Laboratories, Animas, Accelerating Transitions, Accenture, Amalfe Brothers, Amgen, Avaya, Brookhaven, COBI, Columbia University Medical Center, Comcast, Cutter Farms, CIBA, Colgate, ComEd, Cordis, Danbury Health Systems, DentalEZ, Dept of Watershed, Devon, Elizabeth Presbytery, Empowerment Group Seminar, Ethicon, FDA, Fenestra, Ferring Pharmaceuticals, Janssen Ortho Realignment, Janssen Biotech Inc, Janssen Pharm, Johnson and Johnson, Janssen Pharmaceuticals Inc, KeySpan, LifeScan, Lo, wenstein Sandler, Lowe’s, MEF, Boro Traffic & Transportation, Chamber of Commerce, FPC First Presbyterian Church, NY Presbyterian, OCD, OMJPI-Marketing, OPQ, OraPharma, Ortho Biotech, Ortho-McNeil Pharmaceuticals, OrthoNeutrogena, Maternal and Child Health of Northern NJ, Pfizer, Prudential, Rothman Institute, Boehringer Ingelheim, AstraZeneca, AZ Medical Services, CHUBB, Corning, Deloitte & Touche, ETHICON, Financial Women’s Association, Humana, J&J Consortium, McGraw-Hill, Equiva, Extra Materials WLJ, Goldman Sachs, J&J Corp, J&J Consumer, J&J Cordis, J&J Healthcare System, J&J Finance Women’s Leadership, J&J PRD, JP Morgan Chase, Morgan Stanley, Rutgers, Tibotec, The Next Level, Thomas Miller, Trinitas, Velez, VNAHG, Tyco Healthcare, Verizon, Vistage, Veteran’s Admin, Vistakon, and Wyeth. The Law Office Of Angela C. Femino, LLC had 47.37GB of data in 2074 folders, although there appeared to be a number of duplicates. Clients names often appeared as part of Folder names, and files included Aetna EOBs, Beneficiary Lists, clients, collections, expenses, estate documents, property sales, bestcase.com information and documents, wills, deeds, agreements, personal documents, medicare documents and other documents you might expect to see in a law firm. Affinity Health Plan had 397.29GB of data that included Affinity Care of NJ Payroll, claims, billing, timesheets, finances, and patient data that goes back to 2012 or perhaps even earlier. Catholic Family and Community Services (Diocese of Paterson) had 184.44G bytes of data, including what appeared to be a complete company backup of all files including client information. Jersey Joe’s Barbeque and Grill had  33.09GB of data. Mount Holly Surgical Supplies had 152.76GB of data, including QuickBook files, personal files of an employee, and Medicare information. Mannan Nahiam Karim & Associates had 519.10GB of data including ProSystemTax files, files from ublonline.com, files from ProConnect ProSeries Professional Edition, and Quickbooks Spectrum Psychological Operations (Spectrum Healthcare) had 284.34GB of client information from scanned documents, forms, desktop backups, images, patient and provider information. What will the entities who are likely covered by HIPAA do?  DataBreaches.net reached out to them for follow-up but got no replies, even after pointing out to Affinity Health Plan that its exposed data included files that embedded patient names in the filenames. Meanwhile, in Canada….. JustCallDave.ca (Electronics repair firm in New Brunswick) At the same time I was notifying USCnet in New Jersey, I was also reaching out to an electronics repair firm in New Brunswick, Canada. JustCallDave.ca responded promptly to my email notification, but somewhat aggressively, asking why I was “hacking around, trying to find ‘security breaches’.” The machine is on a DMZ for a reason. Don’t go alarming people when there isn’t a problem, when it is none of your business. I replied that the RSYNC and HTTP as well as RDP and MySQL were all indexed on shodan.io, and the IP address had also been indexed by Google showing an open directory. Dave subsequently apologized for his initial response, and said that they found that “bad backup software” was to blame for the exposure error. I am not sure what that actually means in this context where port 843 had been left open. Nor do I know why Dave seemed to think he could have just fixed the problem without notifying any clients, unless he had been able to immediately determine that there had been absolutely no access to the data from any unauthorized IP addresses for the entire period that the backup device was open. That seemed unlikely, In this case, there were 10 modules, with three belonging to 1 of his clients, and the others all representing individual other clients: East Hants Animal Hospital had patient files, pdf files with patient names, invoices, end of day reports, emails, x-ray files, and other files. There was approximately  800GB of data. Maritime Animal Hospital had x-rays, photos, backups, and Windows desktop backups, totaling approximately 56 GB of data. Cobequid Animal Hospital had x-rays, photos, backups, Windows desktop backups with a total size of 483GB. Hometown Veterinary Hospital had x-rays, photos, backups, Windows desktop backups, […]

Ho ho how many? Breaches newly disclosed by HHS

Today’s update to HHS’s public breach tool sheds light on some previously reported breaches and over half a dozen new ones: The armed robbery of a Brigham and Women’s Hospital physician impacted 999 patients. Newly Revealed: North Big Horn Hospital in Wyoming reported that 1,607 patients were affected by a breach on October 2nd involving the loss of paper records. So far, I haven’t found any statement on their site or in news media. The Hearing Zone in Utah reported that 623 patients had PHI on a laptop that was stolen on October 8th. So far, I haven’t found any additional information on this breach. The Florida Department of Health reported that 2,477 patients were affected by a breach on August 16th involving email. So far, I haven’t found any additional information on this breach. ReachOut Home Care in Kentucky reported that 4,500 patients had PHI on a laptop that was stolen on October 9th. Their statement from their web site: ReachOut Home Care customers in Texas notified of security breach Unencrypted computer stolen from office facility contained patient names and Medicare identification numbers Richardson, TX – Dec. 9, 2014 – In October, at the offices of ReachOut Home Care in Richardson an unencrypted laptop computer was stolen. The computer contained the names, claims data and, in some cases, Medicare identification numbers of approximately 5,000 ReachOut Home Care customers who live in the Dallas/Fort Worth area. At this time, ReachOut Home Care has no reason to believe the information has been used inappropriately. ReachOut Home Care is in the process of notifying all of its customers whose information was on the computer and will provide individuals whose Medicare identification number was included free access to a credit-monitoring service that can help them protect against potential misuse of their information. We are strongly encouraging these ReachOut Home Care customers to enroll for the free service. While ReachOut Home Care has policies and procedures in place to maintain the security of its members’ information, we are taking additional steps as a result of this incident. These steps include a comprehensive review of our technical security procedures with ReachOut Home Care and an inventory and review of all ReachOut Home Care equipment that maintains protected health information to ensure that all equipment has been encrypted. ReachOut Home Care customers who have any questions about this may contact ReachOut Home Care by phone at 1-800-240-3294, from 9 a.m. to 5 p.m. Central Time, Monday through Friday. Any ReachOut Home Care customer who believes their information is being used by another party is urged to contact ReachOut Home Care so that we can work with the ReachOut Home Care customer and law enforcement officials to promptly investigate the matter. District Medical Group in Arizona reported that 616 patients had PHI involved in a breach that occurred on March 1, 2014. A statement on their web site explains: […] On October 24, 2014, we became aware that patient information was made potentially accessible on the Internet. We immediately began an investigation and learned that an employee used a thumb drive while working at home that contained patient billing information. While working from home, the employee connected the thumb drive to the home network, and a security vulnerability made the contents of the thumb drive accessible from the Internet. While connected, the documents and information on the drive could be located through a search engine, such as Google.  The thumb drive included patients’ names, dates of service, names of department where the patients were treated, refund amounts, and in some instances social security numbers. Credit card and banking information were not included on the thumb drive. After we found out about this incident, we promptly took steps to remove the information from the Internet, including working to ensure the documents are no longer available through a search engine. While we have no reason to believe that patient information has been used in any way, out of an abundance of caution, we began sending letters to affected patients on December 12, 2014, and have established a dedicated call center to answer any questions they may have.  If you believe you are affected but do not receive a letter by January 5, please call 1-888-266-9280, Monday through Friday from 7:00 AM to 7:00 PM Mountain Time. We deeply regret any inconvenience it may cause our patients.  To help prevent something like this from happening in the future, we have taken a number of actions, including providing education to the involved employee and re-educating all employees regarding the protection of sensitive information.  In addition DMG is reviewing and updating pertinent policies and procedures regarding data privacy and security. St. Mary Mercy Hospital in Michigan reported that 1,488 patients had PHI involved in a breach involving email that occurred on December 4. I could find no details on their site, however or any media reports. Walgreen Co. reported that 160,000 patients had PHI involved in an August 1st – November 6th breach involving paper records.  I was unable to find any coverage of this, but this could be big, as Walgreen has had problems before with paper records, and was even fined in the past. This is the fifth breach involving Walgreens to show up on HHS’s public breach tool since its inception in September 2009.