Jun 202018

On June 14, medical claims processor Med Associates issued a press release notifying an unspecified number of patients of a hacking incident. The firm had become aware of unusual activity in their system on March 22.

Now Brian Nearing of the Times Union has an update that indicates that more than 270,000 New York residents had their data potentially stolen in that hack. He also reports:

Last week, the company mailed out letters to people whose records may have been compromised, warning them to watch for potential identity theft or financial fraud. Nearly all the letters went to people in the Capital Region and elsewhere in the state, while about 1,700 notices went to people in Massachusetts, Vermont and Florida.

Alvey said the “vast majority” of the potentially-compromised records did not include individual Social Security numbers.

Read more on Times Union. The incident was reported to HHS on June 14, so it should appear on the breach tool soon.

Jun 202018

Black River Medical Center in Missouri has sent notification letters to an unspecified number of patients potentially affected by a phishing incident discovered in April.  Here is their June 13 notice from their web site:

Black River Medical Center has become aware of a potential data security incident that may have resulted in the inadvertent exposure of some patients’ personal information.  Although at this time there is no evidence that patient information was actually accessed or viewed, or any indication that anyone’s information was actually misused, we have taken steps to notify any patients who may have been affected by this incident.  This includes sending letters to anyone whose information might have been exposed.

On April 23, 2018, we discovered that an employee’s email account was compromised as the result of a phishing attack.  Our IT department immediately commenced an investigation to determine whether sensitive information in the account was at risk.  The investigation determined that an unknown, unauthorized third party gained access to the employee’s email account and could have viewed or accessed the information contained therein, which included patients’ names, addresses and phone numbers, and in certain instances, limited treatment information. Fortunately, Social Security numbers or financial / billing information were not involved in this incident.

At this time, there is no evidence that the unauthorized party actually accessed or viewedany patient information in the email account, and Black River is not aware of any misuse of patient information. Notification letters mailed on June 13, 2018, include additional information about what occurred and a toll-free number that patients can call to learn more about the incident. The call center is available Monday through Friday from 7:00 AM and 7:00 PM Central, and can be reached at 1-800-939-4170.  For more information, you may also visit https://stage.myidcare.com/BlackRiverMedicalCenter.

The privacy and protection of patient information is a top priority for Black River Medical Center, which regrets any inconvenience or concern this incident may cause.

The incident is not on HHS’s public breach tool at the time of this blog post.  Whether that is a function of less than 500 patients being notified or just due to some delay in posting on HHS’s part is not yet clear.

Jun 192018

A U.S. Department of Health and Human Services Administrative Law Judge (ALJ) has ruled that The University of Texas MD Anderson Cancer Center (MD Anderson) violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules and granted summary judgment to the Office for Civil Rights (OCR) on all issues, requiring MD Anderson to pay $4,348,000 in civil money penalties to OCR. This is the second summary judgment victory in OCR’s history of HIPAA enforcement and the $4.3 million is the fourth largest amount ever awarded to OCR by an ALJ or secured in a settlement for HIPAA violations.

MD Anderson is both a degree-granting academic institution and a comprehensive cancer treatment and research center located at the Texas Medical Center in Houston. OCR investigated MD Anderson following three separate data breach reports in 2012 and 2013 involving the theft of an unencrypted laptop from the residence of an MD Anderson employee and the loss of two unencrypted universal serial bus (USB) thumb drives containing the unencrypted electronic protected health information (ePHI) of over 33,500 individuals. OCR’s investigation found that MD Anderson had written encryption policies going as far back as 2006 and that MD Anderson’s own risk analyses had found that the lack of device-level encryption posed a high risk to the security of ePHI. Despite the encryption policies and high risk findings, MD Anderson did not begin to adopt an enterprise-wide solution to implement encryption of ePHI until 2011 , and even then it failed to encrypt its inventory of electronic devices containing ePHI between March 24, 2011 and January 25, 2013. The ALJ agreed with OCR’s arguments and findings and upheld OCR’s penalties for each day of MD Anderson’s non-compliance with HIPAA and for each record of individuals breached.

“OCR is serious about protecting health information privacy and will pursue litigation, if necessary, to hold entities responsible for HIPAA violations,” said OCR Director Roger Severino. “We are pleased that the judge upheld our imposition of penalties because it underscores the risks entities take if they fail to implement effective safeguards, such as data encryption, when required to protect sensitive patient information.”

MD Anderson claimed that it was not obligated to encrypt its devices, and asserted that the ePHI at issue was for “research,” and thus was not subject to HIPAA’s nondisclosure requirements. MD Anderson further argued that HIPAA’s penalties were unreasonable. The ALJ rejected each of these arguments and stated that MD Anderson’s “dilatory conduct is shocking given the high risk to its patients resulting from the unauthorized disclosure of ePHI,” a risk that MD Anderson “not only recognized, but that it restated many times.”

The Notice of Proposed Determination and the ALJ’s opinion may be found on the OCR website at https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/mdanderson/index.html


Previous coverage of the incidents referenced in this case can be found on DataBreaches.net here

Jun 182018

Jennifer Hamilton-McCharles reports:

One of the province’s most well-known home care service providers has fallen victim of a cyber-attack.

The attack has breached CarePartners‘ computer system and as a result patient and employee information held in that system, including personal health and financial information, has been inappropriately accessed, according to Ontario’s Local Health Integration Network.

Read more on Nugget.

Jun 182018

Megan Barnes reports that more than 1,000 patients at the Long Beach Veterans Affairs Medical Center had their information stolen by a now-former employee who has been sentenced to prison.

Albert Torres was reportedly arrested on April 12 after  officers became suspicious when his license plates were not those for a noncommercial vehicle. A search of the vehicle uncovered patient data for 14 people, including names, dates of birth and full Social Security numbers. A subsequent search of his apartment uncovered even more patient data.

Torres was sentenced on June 4 to three years in  prison, and affected patients are being notified.