Recent HIPAA Breaches Highlight Need for Providers to Remain Vigilant

https://www.natlawreview.com/article/recent-hipaa-breaches-highlight-need-providers-to-remain-vigilant


A recent disclosure by Community Health Systems, Inc. (CHS) of a data breach compromising information pertaining to 4.5 million of its patients highlights the need for providers to remain vigilant in securing patient information. The breach at CHS is just one of several recent breaches affecting large numbers of individuals. Health care providers may want to take this time to review and update their policies as necessary to address emerging threats and vulnerabilities to their systems.

Recent breaches of data held by health care providers

CHS is a health system whose affiliates own, operate or lease 206 hospitals in 29 states. As reported by CHS in a filing with the Securities and Exchange Commission (SEC), the breach resulted from a targeted, external cyber-attack of CHS’s computer network in April and June, 2014. CHS believes the attacks originated from China and involved "highly sophisticated malware and technology" that enabled the attacker to bypass CHS’s security measures. The breaches were the result of an advanced persistent threat, or "APT," in which an attacker uses multiple phases, typically over a long period of time, to conduct reconnaissance of a target; break into a network, often by using social engineering; map an organization’s assets and defenses; access, capture, and exfiltrate information; and potentially install malware. According to the SEC filing, the attackers were able to copy and transfer data, including patient names, addresses, birth dates, and Social Security numbers, to networks outside of CHS. The attackers did not acquire credit card numbers or any medical or clinical information. CHS indicated it will offer credit monitoring to affected individuals and that it has liability insurance to protect against losses of this nature.

The type of breach that occurred at CHS could happen to any health care provider. As the Federal Bureau of Investigation’s (FBI) Cyber Division noted in a Private Industry Notification earlier this year, the health care industry generally "is not technically prepared to combat against cyber criminals’ basic cyber intrusion tactics, techniques and procedures (TTPs), much less against more advanced persistent threats (APTs)."[1] Given the sophisticated nature of the attack on CHS, similar attacks may be occurring at other health systems. The breach at CHS is just one of a number of breaches in the last year involving information held by health care providers. Based on information on the Office for Civil Rights’ (OCR) website, other recent and notable breaches of data held by health care providers include:

  • A breach reported by St. Joseph Health System in Texas affecting 405,000 individuals. The breach may have included names, Social Security numbers, medical information, etc.

  • A breach reported by UW Medicine in Washington affecting over 76,000 individuals.

  • A breach reported by Centura Health in Colorado affecting over 12,000 individuals.

  • A breach reported by Nrad Medical Associates in New York affecting 97,000 individuals.

  • A breach reported by the Montana Department of Public Health and Human Services affecting over 1,060,000 individuals.

Incidents reported to OCR in the last 12 months include breaches involving information on desktop computers, network servers, and portable electronic devices, as well as in emails.

Cybersecurity threats facing health care providers

A review of OCR’s website reveals that a wide range of health care providers have had to report breaches involving more than 500 individuals, including health systems, medium-sized medical groups and sole practitioners. Health care providers are especially prone to data theft due to the high value cyber criminals place on medical information, which is often more valuable than credit card data. The street cost for a single patient’s medical record is reportedly $50 and has a longer useful lifespan than a credit card, while a stolen Social Security card is only worth $1.[2] According to the Identity Theft Resource Center, 43.4% (204 of 470) of all breaches identified by the Center as of August 12, 2014 fell within the “medical/healthcare” category.[3] Access to a patient’s protected health information (PHI) at a health care provider may reveal health insurance information, Social Security numbers, patient medical information and diagnoses, bank account information, etc.

Cybersecurity threats facing health care organizations include:


Austin, Texas-based Seton Family of Hospitals, a division of Seton Healthcare Family, has notified approximately 39,000 patients that their protected health information may have been accessed by hackers, according to a statement on their website.

https://www.beckershospitalreview.com/healthcare-information-technology/phishing-attack-compromises-39-000-patients-records-at-seton-family-of-hospitals.html

Hackers conducted an email phishing attack on Dec. 4, 2014, through which they obtained usernames and passwords for Seton employees' email accounts. Affected email accounts were immediately shut down when the system learned of the attack, according to the statement.

Compromised personal health information includes names, addresses, birth dates, medical record numbers, insurance information, "limited critical information" and some Social Security numbers. Hackers did not gain access to individual medical records or billing records, according to the statement.

Seton has notified affected patients and is offering free identity monitoring and protection services for individuals whose Social Security number was compromised. The health system is also determining ways to better enhance its security and will provide additional education to employees about email phishing, according to the statement.

Seton Healthcare Family is a member of Ascension, a faith-based health system based in St. Louis.


Data Breaches Increase 40 Percent in 2016, Finds New Report from Identity Theft Resource Center and CyberScout

https://www.idtheftcenter.org/2016databreaches.html

Update: Subsequent to the release of the following information, two duplicate breaches were removed, bringing the year-end total for 2016 to 1,091. The duplicates arose from inconsistent naming conventions used in the data breach reporting process by different sources, i.e. media, breach notification letters and/or HHS.gov.

SCOTTSDALE, Ariz. and SAN DIEGO - Jan. 19, 2017 - The number of U.S. data breaches tracked in 2016 hit an all-time record high of 1,093, according to a new report released today by the Identity Theft Resource Center (ITRC) and CyberScout (formerly IDT911). This represents a substantial hike of 40 percent over the near record high of 780 reported in 2015. This raises the question: are there actually more breaches or is it because more states are making this information publicly available?

“With support from CyberScout, the ITRC has been able to heighten its efforts in tracking breaches nationwide by seeking out information on breach incidents through direct contact with numerous states’ attorney general offices as well as by submitting Freedom of Information Act requests,” said Eva Velasquez, President and CEO, ITRC. “For the past 10 years, the ITRC has been aware of the under-reporting of data breach incidents on the national level and the need for more state or federal agencies to make breach notifications more publicly available. This year we have seen a number of states take this step by making data breach notifications public on their websites. The ITRC Data Breach Report 2016 now includes information from more than a dozen state agencies,” Velasquez added. 

Since 2005, the ITRC has been identifying data breaches in five industry sectors (see Fig. 1 below). In 2016, the business sector again topped the list in the number of data breach incidents, with 494 reported, representing 45.2 percent of the overall number of breaches. This was followed by the healthcare/medical industry (377 incidents), representing 34.5 percent of the overall total. The education sector (98) followed at 9.0 percent, the government/military (72) at 6.6 percent and the banking/credit/financial sector (52) at 4.8 percent.

Leading Types of Data Breaches 

In 2007, the ITRC began adding categories to identify data breach incidents by the “type of occurrence” (see Fig. 2 below). For the eighth consecutive year, hacking/skimming/phishing attacks were the leading cause of data breach incidents, accounting for 55.5 percent of the overall number of breaches, which is an increase of 17.7 percent over 2015 figures. Of these, many were a result of CEO spear phishing efforts (also known as business email compromise schemes) in which highly sensitive data, typically information required for state and federal tax filings, was exposed. As early as February, the IRS had already seen a 400 percent surge in this type of activity prompting both consumer and industry alerts addressing this issue. 

Breaches involving accidental email/internet exposure of information were the second most common type of breach incident at 9.2 percent of the overall number of breaches, followed by employee error[1] at 8.7 percent. With the exception of hacking, all other categories reflected decreases from 2015 figures.

“For businesses of all sizes, data breaches hit close to home, thanks to a significant rise in CEO spear phishing and ransomware attacks. With the click of a mouse by a naïve employee, companies lose control over their customer, employee and business data. In an age of an unprecedented threat, business leaders need to mitigate risk by developing C-suite strategies and plans for data breach prevention, protection and resolution,” said Matt Cullina, CEO of CyberScout and Vice Chair of ITRC’s Board of Directors.

Since 2010, the ITRC has been tracking breaches involving Social Security numbers (SSNs) and credit card/debit card numbers (see Fig. 3 below). Exposure of SSNs was evidenced in 52.0 percent of the overall number of breaches in 2016, representing an increase of 8.2 percent over 2015 figures. Exposure of records involving credit/debit cards, at 13.1 percent, reflects a decrease of 7.4 percent from 2015. With that said, it is important to remember that most data breach notifications or media reports do not include the type of information exposed. The spike in SSN exposures is in clear alignment with the surge of CEO spear phishing attacks, which target this type of information.

Adam Levin, Chairman and Founder of CyberScout, said, “The database compromises of 2016 confirmed yet again that breaches are the third certainty in life and we are all living in a constant state of cyber insecurity. Hackers and identity thieves continue to evolve. They are very sophisticated, extremely creative and dogged in their pursuit of what is ours. More than half of the breaches reported by the ITRC included the skeleton key to our lives: the Social Security number. This trend, which has accelerated since 2015— when just four breaches exposed over 120 million Social Security numbers to state-sponsored hackers and cyber criminals— represents the point of no return for millions of Americans. While credit and debit card numbers can be changed, SSNs cannot. Therefore, monitoring and damage control become even more important than ever before. Consumers must become better informed as to the risks inherent in this dangerous digital world, be more alert to the signs of individual compromise and know what to do to contain and reverse the damage or take advantage of identity theft protection services offered by their insurers, employers or financial services firms.”

Regarding the reporting of the known number of records exposed, half (50.7 percent) of the overall number of breach notifications did not include this information. However, due to the mandatory reporting requirement for healthcare industry breaches affecting 500 or more individuals, 84 percent of the healthcare breaches publicly stated the number of records exposed. It should also be noted that several large scale breaches in 2016— which only involved usernames, passwords, or emails— while included on the list, did not specify the vast number of records exposed because this type of information does not typically trigger most data breach notification laws.

[1] This category also includes negligence, improper disposal and loss

About the ITRC Breach List

The ITRC Breach List is a compilation of data breaches confirmed by various media sources and/or notification lists from state governmental agencies. Breaches on this list typically have exposed information that could potentially lead to identity theft, including Social Security numbers, financial account information, driver’s license numbers and medical information. This data breach information, and available statistics, have become a valuable resource for media, businesses and consumers looking to become more informed on the need for best practices, privacy and security measures in all areas – both personal and professional.

About the ITRC

Founded in 1999, the Identity Theft Resource Center® (ITRC) is a nationally recognized non-profit organization which provides no-cost victim assistance and consumer education through its toll-free call center, website and highly visible social media efforts. It is the mission of the ITRC to: provide best-in-class victim assistance at no charge to consumers throughout the United States; educate consumers, corporations, government agencies, and other organizations on best practices for fraud and identity theft detection, reduction and mitigation; and, serve as a relevant national resource on consumer issues related to cybersecurity, data breaches, social media, fraud, scams, and other issues. Visit http://www.idtheftcenter.org. Victims may contact the ITRC at 888-400-5530.

About CyberScout

As the industry leader for over 13 years, CyberScout has been setting the gold standard for identity and data defense services – from proactive protection and education to successful resolution. Formerly IDT911, CyberScout combines boots-on-the-ground experience with high-touch personal service to help commercial clients and individuals minimize risk and maximize recovery. To learn more, visit www.cyberscout.com.


Texas HIPAA blunder affects 277K

http://www.healthcareitnews.com/news/texas-hipaa-breach-blunder-affects-277k

In the biggest HIPAA privacy breach of 2013 – and among the largest to date – Texas Health Harris Methodist Fort Worth is notifying some 277,000 patients that their protected health information has been compromised after several hospital microfilms, which were supposed to be destroyed, were found in various public locations.

Texas Health Fort Worth had contracted with Toronto-based Shred-it to destroy the confidential patient information, but the microfilms were not actually destroyed, as had been agreed upon in the contract, officials say. Instead, a local resident found a portion of the microfiche in a nearby park in May. Additionally, three other sheets of microfiche were found in two other public areas.

The records on the microfiche contained patient names, addresses, dates of birth, medical record numbers, clinical information, health insurance information and in some cases Social Security numbers.

According to a Texas Health website notice, Shred-it assured the hospital that the microfiche remaining in its possession was disposed of. When asked why the other microfiche sheets were not properly destroyed, Shred-it did not respond to Healthcare IT News for comment by publication time.

"One thing to note is that microfiche is no longer commonly used, and you have to have a specialized reader to see the information," wrote Wendell Watson, spokesperson for Texas Health Resources in an emailed statement. "You cannot just hold it up to the light and read it, for example. That is one reason we think it is unlikely that any information was accessed."

Watson says the microfiche was limited to Texas Health Fort Worth patients who were seen between 1980 and 1990. Patient notification letters were mailed out starting July 11.

"We deeply regret the inconvenience to you," reads a company notice. "To help prevent something like this from happening in the future, Texas Health Fort Worth and the entire Texas Health System has changed document destruction vendors."

This is the third big HIPAA breach for a Texas Health Resources hospital, according to data from the Department of Health and Human Services.

Medical Colleagues of Texas, LLP Notifies Individuals of Possible Data Disclosure

http://www.mctkaty.com/pdf/mct-notice.pdf

On March 8, 2016, Medical Colleagues of Texas, LLP noticed unusual activity on our computer network. In response to that discovery, we began an investigation and hired an independent computer forensic expert to review and analyze our computer network to confirm it was secure. As a result of that investigation, we discovered that hackers had gained access to our computer network. The investigation indicates that unauthorized individuals may have accessed patient medical records and employee personnel files stored on our network. The information that may have been accessed includes names, addresses, Social Security numbers, and health insurance information. Law enforcement has been informed about the incident, and we are cooperating with any ongoing investigation by law enforcement regarding this incident.

A letter has been mailed to potentially impacted individuals explaining the event and providing a toll-free phone number to assist those who have questions.

Medical Colleagues of Texas takes the privacy and security of protected information very seriously, and although we are not aware of the misuse of any information, we are offering credit monitoring services through Equifax at no cost for one year for potentially impacted individuals.

In addition, since this event was discovered, we have taken steps to prevent this type of event from happening again, including updating our computer network, strengthening our firewalls, and implementing two factor authorization measures for remote access. We are also providing additional training and strengthening our policies and procedures with regard to the protection of sensitive personal information.

We sincerely regret any inconvenience or concern this matter may cause and remain dedicated to protecting patients’ information. Individuals who may have been affected by this incident can call 844-812-9299, 8 am to 8 pm Central Time, Monday-Friday, with any questions or concerns.
