Only one week after Anthem accepted to pay $115 million to victims of its massive February 2015 data breach that impacted the 78.8 million people, the company confronts another data breach discovered by a contractor, this time affecting over 18,500 of Anthem Medicare members.
LaunchPoint Ventures, which gives insurance coordination services to Anthem, learned in the month of April that a worker likely was engaged in identity theft activities. The contractor then employed a forensic firm to assess suspicious incidents.
In the month of late May, LaunchPoint learned that the employee might have accessed data of other LaunchPoint customers, in addition to that of Anthem. The inquiry further determined that the worker emailed a file with information on Anthem members to his personal address in the month of July 2016; the inquiry couldn’t determine if the employee had a legitimate work-related reason for doing so.
LaunchPoint says the worker has since been terminated and is now being held by law enforcement on charges that are unrelated to the Anthem breach.
In June, LaunchPoint was capable to confirm that the Anthem data emailed by the worker contained protected health information of Anthem Medicare members. There is not yet evidence the data was misused. Compromised member information includes Medicare ID numbers including Social Security numbers, health plan ID numbers, Medicare contract numbers, dates of enrollment, and a restricted number of last names and dates of birth.
LaunchPoint is now reinforcing policies and protocols, and evaluating additional safeguards. The company is providing affected individuals 2 years of free credit monitoring and identity theft services with AllClear ID.
Anthem refused to comment on the incident, and executives didn’t say whether it will continue to use LaunchPoint’s services.
Showing posts with label Social Security. Show all posts
Showing posts with label Social Security. Show all posts
Tuesday, August 1, 2017
Monday, July 31, 2017
Attacks of Ransomware strucks South Dakota plastic surgery practice
Plastic Surgery of South Dakota is providing about 10,200 current and former patients a year of credit and identity protection services amid concerns that their information was accessed during a mid-February ransomware attack.
The agency removed the ransomware from its information systems and decrypted data, then brought in security experts to determine if any data was accessed by unauthorized users. While the majority of records were not accessed, the practice was unable to rule out whether a smaller subset of sufferer records had been breached.
To date, although, there is no proof of any actual or attempted misuse of data, the practice noted in a patient notification letter. Information that could have been compromised includes patients’ names, driver’s license numbers, Social Security numbers, state identification numbers, credit and debit card information, medical conditions and diagnosis information, lab results, addresses, dates of birth and health insurance data.
Plastic Surgery of South Dakota is further recommending a range of steps for affected individuals to take to protect themselves, including monitoring credit reports and explanations of benefits; getting free credit reports from the three major credit bureaus; placing fraud alerts on credit files and placing a security freeze on credit reports, which prohibits release of information from the reports absent consumer authorization.
The practice refused to give further details about the incident beyond a patient notification letter.
The agency removed the ransomware from its information systems and decrypted data, then brought in security experts to determine if any data was accessed by unauthorized users. While the majority of records were not accessed, the practice was unable to rule out whether a smaller subset of sufferer records had been breached.
To date, although, there is no proof of any actual or attempted misuse of data, the practice noted in a patient notification letter. Information that could have been compromised includes patients’ names, driver’s license numbers, Social Security numbers, state identification numbers, credit and debit card information, medical conditions and diagnosis information, lab results, addresses, dates of birth and health insurance data.
Plastic Surgery of South Dakota is further recommending a range of steps for affected individuals to take to protect themselves, including monitoring credit reports and explanations of benefits; getting free credit reports from the three major credit bureaus; placing fraud alerts on credit files and placing a security freeze on credit reports, which prohibits release of information from the reports absent consumer authorization.
The practice refused to give further details about the incident beyond a patient notification letter.
Tuesday, July 25, 2017
Tewksbury Hospital in Massachusetts terminates worker after long-term snooping
A worker at Tewksbury Hospital in Massachusetts was discovered to be occasionally snooping in sufferers’ electronic medical records without clinical justification.
The inappropriate access of medical records occurred from the year of 2003 until it was discovered this past spring. Now, the facility—one of four hospitals in the Massachusetts Department of Public Health serving complex chronically ill adult sufferers and psychiatric patients—has notified more than 1,100 affected people.
Tewksbury Hospital officials say they learned of the breach in April, when a former patient expressed concern that their medical record might have been inappropriately accessed. Compromised data involved names, addresses, and dates of birth, gender, diagnoses and medical treatments. Less than half of the records involved viewing of Social Security numbers, according to the hospital.
The state’s department of health has terminated the worker.
“To decrease the chance of future tragedies like this occurring, we are reviewing our policies regarding access to the electronic medical records system,” Tewksbury executives noted in a statement. “We’re also reassessing how we review our workforce members’ use of the electronic medical records system and will be reviewing the training we provide to all workforce members regarding the privacy and security of confidential information.”
Tewksbury Hospital is advising affected people to notify credit reporting agencies, order a credit report and review it for signs of fraud, and request a security freeze to prevent the opening of new accounts using the compromised information.
In its notification to sufferers, Tewksbury Hospital is not offering credit monitoring or identity theft protection services. Currently, there is no indication that information has been accessed or misused, in accordance with a spokesperson for the hospital.
The hospital refused to give additional details about the incident, and did not comment on why the inappropriate access had gone undetected for fourteen years.
The inappropriate access of medical records occurred from the year of 2003 until it was discovered this past spring. Now, the facility—one of four hospitals in the Massachusetts Department of Public Health serving complex chronically ill adult sufferers and psychiatric patients—has notified more than 1,100 affected people.
Tewksbury Hospital officials say they learned of the breach in April, when a former patient expressed concern that their medical record might have been inappropriately accessed. Compromised data involved names, addresses, and dates of birth, gender, diagnoses and medical treatments. Less than half of the records involved viewing of Social Security numbers, according to the hospital.
The state’s department of health has terminated the worker.
“To decrease the chance of future tragedies like this occurring, we are reviewing our policies regarding access to the electronic medical records system,” Tewksbury executives noted in a statement. “We’re also reassessing how we review our workforce members’ use of the electronic medical records system and will be reviewing the training we provide to all workforce members regarding the privacy and security of confidential information.”
Tewksbury Hospital is advising affected people to notify credit reporting agencies, order a credit report and review it for signs of fraud, and request a security freeze to prevent the opening of new accounts using the compromised information.
In its notification to sufferers, Tewksbury Hospital is not offering credit monitoring or identity theft protection services. Currently, there is no indication that information has been accessed or misused, in accordance with a spokesperson for the hospital.
The hospital refused to give additional details about the incident, and did not comment on why the inappropriate access had gone undetected for fourteen years.
Sunday, July 2, 2017
Ransomware attacks Cleveland Medical, affects info of 22,000 sufferers
Cleveland Medical Associates is providing about 22,000 sufferers identity protection services after a ransomware attack against the practice.
The five-clinician practice is giving a year of protective services through Equifax to both current and former sufferers whose information may have been affected.
Cleveland Medical Associates refused to give more details about the tragedy and also did not provide any extra statements about the attack.
The breach was discovered the morning of April 17. In response, the practice executed a new medical records system and engaged forensic specialists to verify the extent to which information was affected. The practice believes the motive for the attack was extortion and that access to patient health information wasn’t an end result of the attack.
“Based upon our inquiry, there is no evidence that your protected health information was taken from our system or misused as result of the incident,” the practice told patients in a notification letter. “Because we were not able to determine with reasonable certainty whether or not there was an unauthorized access of your information, however, we’re offering you with notification of this incident.”
Protected health information that could have been compromised involves patient names, addresses, demographics, telephone numbers, email addresses, clinical information, insurance billings and Social Security numbers.
The Equifax protection package offers credit monitoring, as much as $25,000 in identity theft insurance and automatic fraud alerts of changes to a credit report.
The five-clinician practice is giving a year of protective services through Equifax to both current and former sufferers whose information may have been affected.
Cleveland Medical Associates refused to give more details about the tragedy and also did not provide any extra statements about the attack.
The breach was discovered the morning of April 17. In response, the practice executed a new medical records system and engaged forensic specialists to verify the extent to which information was affected. The practice believes the motive for the attack was extortion and that access to patient health information wasn’t an end result of the attack.
“Based upon our inquiry, there is no evidence that your protected health information was taken from our system or misused as result of the incident,” the practice told patients in a notification letter. “Because we were not able to determine with reasonable certainty whether or not there was an unauthorized access of your information, however, we’re offering you with notification of this incident.”
Protected health information that could have been compromised involves patient names, addresses, demographics, telephone numbers, email addresses, clinical information, insurance billings and Social Security numbers.
The Equifax protection package offers credit monitoring, as much as $25,000 in identity theft insurance and automatic fraud alerts of changes to a credit report.
Sunday, June 11, 2017
Medicaid Claim Resolution Worksheet documents with patient information found in dumpster
The North Dakota Department of Human Services has reported the breach of patient information contained on Medicaid claim resolution worksheet documents, impacting the data of almost 2,500 individuals.
The agency reported that one of its workers was supposed to have properly disposed of the forms in secure onsite receptacles that a contractor picks up for shredding. Rather, the Medicaid claim resolution worksheet documents were found on the day of May 10 in a dumpster in Bismarck by a citizen who notified the agency, which retrieved the materials.
Now, NDDHS is notifying 2,452 affected people, offering 1 year of credit and identity theft monitoring services from CSIdentity and has taken “suitable disciplinary action against the responsible workforce member,” according to the patient notification letter.
Protected information at risk was extensive but didn’t involve the most sensitive information about recipients, like addresses, financial information and Social Security numbers.
The compromised information involved recipient names, dates of birth, Medicaid provider numbers, first two characters of providers’ names, recipient Medicaid ID numbers, two-digit code of recipients’ counties, recipients’ internal NDDHS identification numbers, dates of service, amounts billed and allowed, amounts covered by insurance, diagnosis codes, HCPCS/CPT procedure codes and details on dental work.
In the sufferer letter, the agency said it has no evidence of PHI being inadequately used or revealed and believes the risk for disclosure is low.
The North Dakota Department of Human Services is emphasizing affected individuals to review credit reports, request a free fraud alert be placed on credit files and to contact the state Attorney General Office if they become a victim of identity theft.
As is common in breach notifications, the agency apologized for the tragedy and will retain workers and review policies and procedures to ignore another similar incident.
The agency reported that one of its workers was supposed to have properly disposed of the forms in secure onsite receptacles that a contractor picks up for shredding. Rather, the Medicaid claim resolution worksheet documents were found on the day of May 10 in a dumpster in Bismarck by a citizen who notified the agency, which retrieved the materials.
Now, NDDHS is notifying 2,452 affected people, offering 1 year of credit and identity theft monitoring services from CSIdentity and has taken “suitable disciplinary action against the responsible workforce member,” according to the patient notification letter.
Protected information at risk was extensive but didn’t involve the most sensitive information about recipients, like addresses, financial information and Social Security numbers.
The compromised information involved recipient names, dates of birth, Medicaid provider numbers, first two characters of providers’ names, recipient Medicaid ID numbers, two-digit code of recipients’ counties, recipients’ internal NDDHS identification numbers, dates of service, amounts billed and allowed, amounts covered by insurance, diagnosis codes, HCPCS/CPT procedure codes and details on dental work.
In the sufferer letter, the agency said it has no evidence of PHI being inadequately used or revealed and believes the risk for disclosure is low.
The North Dakota Department of Human Services is emphasizing affected individuals to review credit reports, request a free fraud alert be placed on credit files and to contact the state Attorney General Office if they become a victim of identity theft.
As is common in breach notifications, the agency apologized for the tragedy and will retain workers and review policies and procedures to ignore another similar incident.
Wednesday, May 31, 2017
Beacon Health System notifies data breach from worker snooping
A worker at Beacon Health System in South Bend, Ind., who for 3 years was accessing patient emergency department (ED) records without permission or a reason to analyze them, has been blamed for a breach of protected health information at the facility.
An audit by Beacon Health found the unwarranted access of patient information, which occurred from the time period of March 2014 to March 2017.
“While the worker might have had authorizations to view records in certain circumstances, the employee viewed patient records without a permissible reason,” the 3-hospital delivery system pointed out in a press release to local media.
“The worker refused taking or misusing any information, and we’ve no evidence that any data was used to commit fraud or otherwise misused,” the statement continued, demonstrating that the employee is no longer employed at Beacon Health System.
Compromised information involves patient names, Social Security numbers, ages, diagnoses, room numbers, acuity of sickness, chief complaints and some financial and insurance coverage information.
Beacon Heath System is reviewing training materials and putting in place new processes to decrease the likelihood of a similar tragedy occurring again. Affected individuals are being offered 1 year of identity monitoring and identity restoration services from Experian, and they are being asserted to monitor account statements and credit reports.
This is the 2nd major breach of protected health information for Beacon Health System, which operates 3 hospitals, home care services and a medical group practice. A hacking tragedy in May 2015 affected 306,789 people.
Beacon Health refused to give more information on the most recent tragedy, but sent the following statement about the incident:
“Beacon Health System’s Information Security and Privacy Team monitor worker access to records 24/7 and investigate potential issues for appropriateness on a daily basis. After an anomaly outside of Beacon’s routine monitoring was traced, upon further review, there was proof that records other than those that were required to complete this individual’s job duties were viewed. A third party forensic review validated that no data was electronically downloaded or transferred. Out of an abundance of caution, Beacon took the most conservative route to report the tragedy and notify those involved.”
An audit by Beacon Health found the unwarranted access of patient information, which occurred from the time period of March 2014 to March 2017.
“While the worker might have had authorizations to view records in certain circumstances, the employee viewed patient records without a permissible reason,” the 3-hospital delivery system pointed out in a press release to local media.
“The worker refused taking or misusing any information, and we’ve no evidence that any data was used to commit fraud or otherwise misused,” the statement continued, demonstrating that the employee is no longer employed at Beacon Health System.
Compromised information involves patient names, Social Security numbers, ages, diagnoses, room numbers, acuity of sickness, chief complaints and some financial and insurance coverage information.
Beacon Heath System is reviewing training materials and putting in place new processes to decrease the likelihood of a similar tragedy occurring again. Affected individuals are being offered 1 year of identity monitoring and identity restoration services from Experian, and they are being asserted to monitor account statements and credit reports.
This is the 2nd major breach of protected health information for Beacon Health System, which operates 3 hospitals, home care services and a medical group practice. A hacking tragedy in May 2015 affected 306,789 people.
Beacon Health refused to give more information on the most recent tragedy, but sent the following statement about the incident:
“Beacon Health System’s Information Security and Privacy Team monitor worker access to records 24/7 and investigate potential issues for appropriateness on a daily basis. After an anomaly outside of Beacon’s routine monitoring was traced, upon further review, there was proof that records other than those that were required to complete this individual’s job duties were viewed. A third party forensic review validated that no data was electronically downloaded or transferred. Out of an abundance of caution, Beacon took the most conservative route to report the tragedy and notify those involved.”
Thursday, April 27, 2017
Western Health Screening breach impacts the 15,326 sufferers
Western Health Screening, which gives onsite blood screening services at health fairs across the region of Colorado Western Slope, is providing 15,326 affected people protective services following a data breach.
Much of the at-risk patient information isn’t largely sensitive—data on the drive included names, addresses and phone numbers, but few Social Security numbers also might have been compromised, claimed the healthcare agency.
The breach happened when a car owned by Western Health Screening was stolen; a flash drive with the protected health information was in the car. The drive was password protected but not encrypted; it hasn’t been recovered.
Data on the flash drive can be accessed merely by using a unique password, and to date, there is no proof of data misuse, in accordance to Western Health Screening.
Still, the agency is offering 3 tiers of protective services from Kroll to affected people. The services being administered by Kroll involve credit monitoring, identity theft restoration and fraud consultation, a service that other healthcare agencies have rarely provided after a breach tragedy.
Western Health Screening didn’t respond to a request for data on the decision-making process they followed in making protective services to affected people.
Robert Belfort, a HIPAA attorney at the law firm Manatt, Phelps & Phillips, points out that if Social Security numbers were potentially compromised, the offer of multiple protections doesn’t seem like overkill. “If SSNs weren’t involved, the offer would appear to be very generous, however in my experience, there is a broad variation in how healthcare agencies treat these matters,” he adds.
Much of the at-risk patient information isn’t largely sensitive—data on the drive included names, addresses and phone numbers, but few Social Security numbers also might have been compromised, claimed the healthcare agency.
The breach happened when a car owned by Western Health Screening was stolen; a flash drive with the protected health information was in the car. The drive was password protected but not encrypted; it hasn’t been recovered.
Data on the flash drive can be accessed merely by using a unique password, and to date, there is no proof of data misuse, in accordance to Western Health Screening.
Still, the agency is offering 3 tiers of protective services from Kroll to affected people. The services being administered by Kroll involve credit monitoring, identity theft restoration and fraud consultation, a service that other healthcare agencies have rarely provided after a breach tragedy.
Western Health Screening didn’t respond to a request for data on the decision-making process they followed in making protective services to affected people.
Robert Belfort, a HIPAA attorney at the law firm Manatt, Phelps & Phillips, points out that if Social Security numbers were potentially compromised, the offer of multiple protections doesn’t seem like overkill. “If SSNs weren’t involved, the offer would appear to be very generous, however in my experience, there is a broad variation in how healthcare agencies treat these matters,” he adds.
Thursday, April 6, 2017
Ransomware strikes pediatric group, impacting 55,000 sufferers’ data
A four-site pediatric group serving the San Antonio metropolitan place victoriously fought off a ransomware attack, but it yet is giving 55,447 sufferers identity and credit protection services from Equifax Personal Solutions.
Before the ransomware attack, ABCD Pediatric group already had software applications that supplied network filtering and security monitoring, intrusion detection, and firewall, antivirus and password protection.
The practice became aware of the attack on the day of February 6, when a worker discovered a virus that started encrypting servers. The encryption was slowed primarily by existing antivirus software, the firm explained to sufferers in a notification letter, and the practice’s IT vendor shifted all servers and computers offline.
A practice administrator didn’t respond to a request for extra information. Ransomware strikes pediatric group which has impacted 55,000 sufferers’ data.
Potentially compromised data involved names, addresses, phone numbers, dates of birth, demographic information, Social Security numbers, insurance billing information, procedure codes, medical records and lab reports, its letter to sufferers noted.
The vendor identified the virus strain as “Dharma Ransomware,” a variant of an older virus called “CriSiS.” These strains generally don’t remove data from servers, but that couldn’t be ruled out, executives of the practice say. “Also, during the analysis of ABCD’s servers and computers, suspicious user accounts were discovered, recommending that hackers might have accessed portions of ABCD’s network,” the practice told sufferers.
After the virus and corrupt information were removed, the practice was capable to restore all affected data through secure backup files stored away from servers and computers. No ransom demands or other communications were got.
While the practice’s IT vendor discovered no evidence of data being acquired or removed, it couldn’t rule out the possibility, sufferers were told. “Significantly, ABCD can’t confirm with a high degree of likelihood that confidential information remained secure throughout this incident.”
Subsequently, the practice pointed out that no confidential or protected health information was lost and no ransom demands were made, but indications that programs or persons might have been on the server compelled notifying patients, the FBI and the HHS Office for Civil Rights.
In regard to the Equifax protective services, the practice suggested patients place a fraud alert on their credit files with credit reporting firms.
Before the ransomware attack, ABCD Pediatric group already had software applications that supplied network filtering and security monitoring, intrusion detection, and firewall, antivirus and password protection.
The practice became aware of the attack on the day of February 6, when a worker discovered a virus that started encrypting servers. The encryption was slowed primarily by existing antivirus software, the firm explained to sufferers in a notification letter, and the practice’s IT vendor shifted all servers and computers offline.
A practice administrator didn’t respond to a request for extra information. Ransomware strikes pediatric group which has impacted 55,000 sufferers’ data.
Potentially compromised data involved names, addresses, phone numbers, dates of birth, demographic information, Social Security numbers, insurance billing information, procedure codes, medical records and lab reports, its letter to sufferers noted.
The vendor identified the virus strain as “Dharma Ransomware,” a variant of an older virus called “CriSiS.” These strains generally don’t remove data from servers, but that couldn’t be ruled out, executives of the practice say. “Also, during the analysis of ABCD’s servers and computers, suspicious user accounts were discovered, recommending that hackers might have accessed portions of ABCD’s network,” the practice told sufferers.
After the virus and corrupt information were removed, the practice was capable to restore all affected data through secure backup files stored away from servers and computers. No ransom demands or other communications were got.
While the practice’s IT vendor discovered no evidence of data being acquired or removed, it couldn’t rule out the possibility, sufferers were told. “Significantly, ABCD can’t confirm with a high degree of likelihood that confidential information remained secure throughout this incident.”
Subsequently, the practice pointed out that no confidential or protected health information was lost and no ransom demands were made, but indications that programs or persons might have been on the server compelled notifying patients, the FBI and the HHS Office for Civil Rights.
In regard to the Equifax protective services, the practice suggested patients place a fraud alert on their credit files with credit reporting firms.
Tuesday, March 28, 2017
Instant action by Urology Austin Prevents ransomware attack
The hackers implemented a ransomware attack on Urology Austin, a specialty provider that operates thirteen sites serving Round Rock and Austin. While the attack was prevented and Urology Austin regained access to its systems, it couldn’t be evaluated whether patient data was accessed by the hackers. As an outcome, the agency is offering a year of credit and identity protection services to 279,663 sufferers.
The attack occurred on the day of January 22. In an informational notice issued to the media, the practice claimed that it was aware of the attack within minutes, shut down the network and started data and operational restoration.
The practice told the regional NBC television affiliate that no ransom was paid to regain information. Compromised data involved patients’ names, addresses, dates of birth, Social Security numbers and medical information.
Notification letters have been sent to sufferers, giving them detailed information on steps to take to secure personal information.
“We take the security of our sufferers’ information very crucially and we’ve taken measures to stop a similar event from occurring in the future, involving strengthening our security measures and making sure that our networks and systems are now secure,” in accordance to a statement from the practice. “The privacy and protection of patient data is a top priority, and we strongly regret any inconvenience or concern this tragedy may cause.”
A spokesperson for Urology Austin didn’t respond to queries for further information.
The attack occurred on the day of January 22. In an informational notice issued to the media, the practice claimed that it was aware of the attack within minutes, shut down the network and started data and operational restoration.
The practice told the regional NBC television affiliate that no ransom was paid to regain information. Compromised data involved patients’ names, addresses, dates of birth, Social Security numbers and medical information.
Notification letters have been sent to sufferers, giving them detailed information on steps to take to secure personal information.
“We take the security of our sufferers’ information very crucially and we’ve taken measures to stop a similar event from occurring in the future, involving strengthening our security measures and making sure that our networks and systems are now secure,” in accordance to a statement from the practice. “The privacy and protection of patient data is a top priority, and we strongly regret any inconvenience or concern this tragedy may cause.”
A spokesperson for Urology Austin didn’t respond to queries for further information.
Monday, March 27, 2017
Inside theft violations Billing Information at Med Center Health
Six-hospital Med Center Health, facilitating the Bowling Green region of Kentucky, started notifying 160,000 sufferers on the day of March 24 after a worker stole huge amounts of billing information to help in an unapproved project to establish a new tool for an outside business interest.
The worker, who is no longer with the agency, on 2 occasions acquired information on the pretense it was required to carry out duties at Med Center Health, in accordance to a notification letter sent to affected individuals and the community.
“To date, our inquiry demonstrates that in the year of August 2014 and February 2015 the people in question obtained patient data on an encrypted CD and encrypted USB drive, without any work-related reason to do so,” the letter claims.
Compromised data involved names, addresses, Social Security numbers, health insurance information, diagnoses and procedure codes and charges for medical services provided. Clinical records, medical history and treatment data weren’t accessed.
The breach impacts patients treated at 6 specific facilities between the time period of 2011 and 2014. Med Center is giving affected individuals 1 year of credit monitoring and identity protection services. An agency spokesperson wasn’t immediately available for comment.
The worker, who is no longer with the agency, on 2 occasions acquired information on the pretense it was required to carry out duties at Med Center Health, in accordance to a notification letter sent to affected individuals and the community.
“To date, our inquiry demonstrates that in the year of August 2014 and February 2015 the people in question obtained patient data on an encrypted CD and encrypted USB drive, without any work-related reason to do so,” the letter claims.
Compromised data involved names, addresses, Social Security numbers, health insurance information, diagnoses and procedure codes and charges for medical services provided. Clinical records, medical history and treatment data weren’t accessed.
The breach impacts patients treated at 6 specific facilities between the time period of 2011 and 2014. Med Center is giving affected individuals 1 year of credit monitoring and identity protection services. An agency spokesperson wasn’t immediately available for comment.
Wednesday, March 8, 2017
Sharp HealthCare notifies about the data breach to 757 patients
Sharp HealthCare has informed the 757 sufferers abut the data breach following the suspected theft of a computer and external memory device holding their protected health information.
“The devices, which were kept in a locked cabinet in an access-controlled patient place at the Sharp Memorial Outpatient Pavilion were found missing on the day of Monday morning, February 6,” in accordance to a statement from the organization.
The devices processed and stored patient wellness screening data on outpatient blood pressure or cardiac health studies. Compromised data involved names, dates of birth, ages, current medications, family history and a summary of performed studies.
Sharp HealthCare isn’t offering credit or identity theft protection services, saying the compromised information didn’t involve more sensitive information, like financial information and Social Security numbers, a spokesperson confirmed. This is a common practice as charges for protective services can become prohibitive.
The agency is conducting an analysis of security practices.
“The devices, which were kept in a locked cabinet in an access-controlled patient place at the Sharp Memorial Outpatient Pavilion were found missing on the day of Monday morning, February 6,” in accordance to a statement from the organization.
The devices processed and stored patient wellness screening data on outpatient blood pressure or cardiac health studies. Compromised data involved names, dates of birth, ages, current medications, family history and a summary of performed studies.
Sharp HealthCare isn’t offering credit or identity theft protection services, saying the compromised information didn’t involve more sensitive information, like financial information and Social Security numbers, a spokesperson confirmed. This is a common practice as charges for protective services can become prohibitive.
The agency is conducting an analysis of security practices.
Monday, March 6, 2017
Employee accessed the patient information records for 5 years at Chadron Community hospital
Chadron Community Hospital, a critical access facility in the region of Nebraska, recently found that a worker was accessing the patient information records outside of job duties for more than 5 years.
An investigation learned that compromised patient information records included addresses, names, dates of birth, clinical data from the electronic health record (EHR) system (diagnoses, orders, provider notes and test results) and insurance information. “We don’t believe the ex-employee accessed any Social Security numbers,” the hospital noted in announcement of the breach.
Chadron Community now is notifying 702 sufferers and suggesting them to monitor financial accounts and request a free credit report from Equifax, Experience or TransUnion. Extra information is being given to sufferers on what to do if there is reason to believe data was misused.
“To help stop something like this from happening in the future, we’re reviewing our privacy policies and practices, and reinforcing education with all staff regarding the significance of maintaining the confidentiality of our patients’ data and suitable care-related access to patient records,” in accordance to a statement from the hospital, which refused to comment further on the tragedy.
An investigation learned that compromised patient information records included addresses, names, dates of birth, clinical data from the electronic health record (EHR) system (diagnoses, orders, provider notes and test results) and insurance information. “We don’t believe the ex-employee accessed any Social Security numbers,” the hospital noted in announcement of the breach.
Chadron Community now is notifying 702 sufferers and suggesting them to monitor financial accounts and request a free credit report from Equifax, Experience or TransUnion. Extra information is being given to sufferers on what to do if there is reason to believe data was misused.
“To help stop something like this from happening in the future, we’re reviewing our privacy policies and practices, and reinforcing education with all staff regarding the significance of maintaining the confidentiality of our patients’ data and suitable care-related access to patient records,” in accordance to a statement from the hospital, which refused to comment further on the tragedy.
Wednesday, March 1, 2017
Patient transport department causes Vanderbilt security breach
In the month of late December, executives at the institute of Vanderbilt University Medical Center discovered that 2 employees in the patient transport department were inappropriately accessing the electronic medical records (EHRs) of patients, obtaining more data than they required doing their jobs, in accordance to the hospital.
An audit learned that the activity had been going on for twenty months with 3,247 patients affected. For a smaller but unrevealed number of patients, their Social Security numbers were viewed by those two employees in the patient transport department.
The university doesn’t consider information was printed, forwarded or downloaded, and so far there is no indication that personal patient information was utilized in any way, a spokesman says.
Patients are being notified and provided information on how to review account statements and their credit status. Sufferers whose Social Security numbers were accessed are being automatically enrolled for one year of credit monitoring and identity protection services from Experian. Also, other sufferers that request protective services will get it.
“We take the responsibility to secure the privacy of our patients very seriously and are doing all that we can do to deal this problem,” Howser claims. “We’ve implemented alternative procedures for patient transport staff to obtain the information they require for their jobs in a way that no longer involves access to patients’ electronic medical records.”
Disciplinary action was taken with the 2 workers, and other transport employees have been retrained on suitable access to patient information, in accordance to the hospital.
An audit learned that the activity had been going on for twenty months with 3,247 patients affected. For a smaller but unrevealed number of patients, their Social Security numbers were viewed by those two employees in the patient transport department.
The university doesn’t consider information was printed, forwarded or downloaded, and so far there is no indication that personal patient information was utilized in any way, a spokesman says.
Patients are being notified and provided information on how to review account statements and their credit status. Sufferers whose Social Security numbers were accessed are being automatically enrolled for one year of credit monitoring and identity protection services from Experian. Also, other sufferers that request protective services will get it.
“We take the responsibility to secure the privacy of our patients very seriously and are doing all that we can do to deal this problem,” Howser claims. “We’ve implemented alternative procedures for patient transport staff to obtain the information they require for their jobs in a way that no longer involves access to patients’ electronic medical records.”
Disciplinary action was taken with the 2 workers, and other transport employees have been retrained on suitable access to patient information, in accordance to the hospital.
Tuesday, February 28, 2017
Healthcare Scam: Identity theft scam targets Berkeley Medical Center
WVU Medicine University Healthcare in the region of West Virginia has confirmed 113 sufferers to date as victims of identity theft scam and is giving 1 year of identity monitoring services to a total of 7,445 patients after a worker at Berkeley Medical Center was discovered to be removing patient information from the premises.
While inquiring other examples of identity theft scam, the FBI and local law enforcement linked the hospital to the scam and notified officials of a potential breach on the day of January 17, 2017, in accordance to a WVU spokesperson.
An internal inquiry then confirmed a link between the worker and people who had their identity stolen. The employee had access to patient data and was writing down information through pad and pencil and taking the data home.
The worker was suspended on January 19, terminated on the day of January 27 and now is being prosecuted. Along with written patient data, other protected health information found in the employee’s possession involved drivers’ licenses, ID cards, insurance cards and Social Security cards. Additional tracking later found the worker also viewed physician orders that consisted of diagnoses and other information.
The hospital sustains to work with law enforcement to notify affected individuals and has contracted with Kroll for the identity theft monitoring services.
While inquiring other examples of identity theft scam, the FBI and local law enforcement linked the hospital to the scam and notified officials of a potential breach on the day of January 17, 2017, in accordance to a WVU spokesperson.
An internal inquiry then confirmed a link between the worker and people who had their identity stolen. The employee had access to patient data and was writing down information through pad and pencil and taking the data home.
The worker was suspended on January 19, terminated on the day of January 27 and now is being prosecuted. Along with written patient data, other protected health information found in the employee’s possession involved drivers’ licenses, ID cards, insurance cards and Social Security cards. Additional tracking later found the worker also viewed physician orders that consisted of diagnoses and other information.
The hospital sustains to work with law enforcement to notify affected individuals and has contracted with Kroll for the identity theft monitoring services.
Thursday, February 9, 2017
Two providers take decidedly different approaches with sufferers after breaches
2 more healthcare agencies have reported cyber attacks that resulted in unauthorized access to patient information, but the two providers took decidedly different approaches in offering protective services to affected people after breaches.
Princeton Pain Management in Plainsboro, N.J., discovered on the day of Nov. 28, 2016, that a third party gained unauthorized access to its computer system, and the data at risk included some 4,668 patients.
Compromised health information involved names, telephone numbers, addresses, dates of birth, Social Security or Medicare numbers, driver license or government identification numbers, insurance information, and diagnostic and treatment information.
Despite the sensitivity of much of the data included in the breach, the agency’s announcement didn’t involve an offer of credit or identity protection services after breaches.
Princeton Pain Management, which used its declaration to provide sufferers with information on how to secure themselves, didn’t respond to a request for extra information on the tragedy or its response.
Six-hospital Verity Health System in California is notifying more than 9,000 people after protected health information was accessed by an unauthorized person. On the day of Jan. 6, 2017, the agency tracked the hack of its Verity Medical Foundation-San Jose Medical Group web site that is no longer being used. Access was discovered to have originated between the time period of October 2015 and January 2017.
Compromised patient information involved the dates of birth, names, medical record numbers, home addresses, email addresses, phone numbers and the last four digits of credit card numbers. Social Security numbers and complete credit card information wasn’t being compromised, the organization says.
Verity Health System is providing 1 year of credit monitoring services. The organization didn’t respond to a request for extra information on the breach or remediation attempts.
Princeton Pain Management in Plainsboro, N.J., discovered on the day of Nov. 28, 2016, that a third party gained unauthorized access to its computer system, and the data at risk included some 4,668 patients.
Compromised health information involved names, telephone numbers, addresses, dates of birth, Social Security or Medicare numbers, driver license or government identification numbers, insurance information, and diagnostic and treatment information.
Despite the sensitivity of much of the data included in the breach, the agency’s announcement didn’t involve an offer of credit or identity protection services after breaches.
Princeton Pain Management, which used its declaration to provide sufferers with information on how to secure themselves, didn’t respond to a request for extra information on the tragedy or its response.
Six-hospital Verity Health System in California is notifying more than 9,000 people after protected health information was accessed by an unauthorized person. On the day of Jan. 6, 2017, the agency tracked the hack of its Verity Medical Foundation-San Jose Medical Group web site that is no longer being used. Access was discovered to have originated between the time period of October 2015 and January 2017.
Compromised patient information involved the dates of birth, names, medical record numbers, home addresses, email addresses, phone numbers and the last four digits of credit card numbers. Social Security numbers and complete credit card information wasn’t being compromised, the organization says.
Verity Health System is providing 1 year of credit monitoring services. The organization didn’t respond to a request for extra information on the breach or remediation attempts.
Monday, February 6, 2017
Pennsylvania Superior Court finds UPMC not responsible for data breach
The Pennsylvania Superior Court has ruled that the institute of University of Pittsburgh Medical Center has no duty under state law to secure employee information and dismissed a class action lawsuit against the delivery system.
The ruling, which is in reaction to a February 2014 tragedy that instantly affected all of UPMC’s 62,000 present and former employees, has ramifications not just for healthcare agencies, but for all businesses in the state, observers claims.
Data compromised in the breach involve names, dates of birth, Social Security numbers, tax information, addresses, and salary and bank information. In the year of April, 2014, UPMC confirmed compromised data for as many as 27,000 workers with at least 788 employees becoming victims of tax fraud, and a month later confirmed all workers were compromised, in accordance to the Pennsylvania Superior Court filings.
Attorneys for the employees argued in the Pennsylvania Superior Court that UPMC had a legal duty to secure employee information and that the organization didn’t properly encrypt data, develop firewalls and implement appropriate user authentication protocols.
A trial court ruled that UPMC didn’t owe a duty of reasonable care in gathering and storing employee information. The Superior Court agreed, pointing put the pervasiveness of electronic storage of information with an obvious social utility to promote efficiency. Moreover, the Pennsylvania Superior Court in its opinion said the mere duty that Pennsylvania’s legislature has enforced on companies in the state is notification of a data breach, and it is not for the courts to change the direction of the legislature because public policy is a matter for the legislature.
“While a data breach (and its ensuring harm) is basically foreseeable, we don’t consider that this possibility outweighs the social utility of electronically storing employee information,” the Pennsylvania Superior Court pointed out in its decision. “In the modern era, more and more data is stored electronically and the days of keeping documents in file cabinets are long gone. Without doubt, workers and consumers alike derive substantial benefits from efficiencies resulting from the transfer and storage of electronic data.”
The Superior Court doubled down on its assertions, saying a judicially created duty of care is not required to incentivize companies to secure their confidential information. “We find it unimportant to need employers to incur potentially significant charges to increase security measures when there is no true way to stop data breaches altogether. Employers strive to run their businesses efficiently, and they have an incentive to secure employee information and stop these types of occurrences.”
Appellants, the court ruled, didn’t provide their information to UPMC for the consideration of its safe keeping but for employment purposes. The full ruling is available here.
The ruling, which is in reaction to a February 2014 tragedy that instantly affected all of UPMC’s 62,000 present and former employees, has ramifications not just for healthcare agencies, but for all businesses in the state, observers claims.
Data compromised in the breach involve names, dates of birth, Social Security numbers, tax information, addresses, and salary and bank information. In the year of April, 2014, UPMC confirmed compromised data for as many as 27,000 workers with at least 788 employees becoming victims of tax fraud, and a month later confirmed all workers were compromised, in accordance to the Pennsylvania Superior Court filings.
Attorneys for the employees argued in the Pennsylvania Superior Court that UPMC had a legal duty to secure employee information and that the organization didn’t properly encrypt data, develop firewalls and implement appropriate user authentication protocols.
A trial court ruled that UPMC didn’t owe a duty of reasonable care in gathering and storing employee information. The Superior Court agreed, pointing put the pervasiveness of electronic storage of information with an obvious social utility to promote efficiency. Moreover, the Pennsylvania Superior Court in its opinion said the mere duty that Pennsylvania’s legislature has enforced on companies in the state is notification of a data breach, and it is not for the courts to change the direction of the legislature because public policy is a matter for the legislature.
“While a data breach (and its ensuring harm) is basically foreseeable, we don’t consider that this possibility outweighs the social utility of electronically storing employee information,” the Pennsylvania Superior Court pointed out in its decision. “In the modern era, more and more data is stored electronically and the days of keeping documents in file cabinets are long gone. Without doubt, workers and consumers alike derive substantial benefits from efficiencies resulting from the transfer and storage of electronic data.”
The Superior Court doubled down on its assertions, saying a judicially created duty of care is not required to incentivize companies to secure their confidential information. “We find it unimportant to need employers to incur potentially significant charges to increase security measures when there is no true way to stop data breaches altogether. Employers strive to run their businesses efficiently, and they have an incentive to secure employee information and stop these types of occurrences.”
Appellants, the court ruled, didn’t provide their information to UPMC for the consideration of its safe keeping but for employment purposes. The full ruling is available here.
Saturday, January 28, 2017
MultiCare Health System: One hacked email account leads to PHI threat for 1,200 individuals
Five-hospital MultiCare Health System, serving the Tacoma, Wash., metropolitan area, is informing and notifying about 1,200 individuals after the email account of one worker was hacked.
The agency learned of the attack in the month of late November. As cyberattacks in the healthcare industry have increased, providers mostly learn that they have been hit when a law enforcement agency investigating one breach discovers other agencies have also been affected.
Protected health information that might have been compromised involves names, dates of birth, addresses, gender, dates of service, account balances, and diagnoses and treatment information.
Financial data and Social Security numbers weren’t accessed, and a media notice from MultiCare didn’t mention either the system would give protective services for affected consumers. The agency said it has no proof that any information has been accessed or misused, but cautioned sufferers to analyze their explanation of benefit statements for irregularities.
MultiCare now is re-educating workers on security precautions involving how to identify “phishing” emails that seem to be legitimate but launch malware when clicked on. The company didn’t respond to a request for additional information.
The agency learned of the attack in the month of late November. As cyberattacks in the healthcare industry have increased, providers mostly learn that they have been hit when a law enforcement agency investigating one breach discovers other agencies have also been affected.
Protected health information that might have been compromised involves names, dates of birth, addresses, gender, dates of service, account balances, and diagnoses and treatment information.
Financial data and Social Security numbers weren’t accessed, and a media notice from MultiCare didn’t mention either the system would give protective services for affected consumers. The agency said it has no proof that any information has been accessed or misused, but cautioned sufferers to analyze their explanation of benefit statements for irregularities.
MultiCare now is re-educating workers on security precautions involving how to identify “phishing” emails that seem to be legitimate but launch malware when clicked on. The company didn’t respond to a request for additional information.
Thursday, January 19, 2017
Cyberattack: Virginia-based Sentara Healthcare informs patients after vendor is hacked
A third-party vendor serving Virginia-based Sentara Healthcare faced a cyberattack, resulting in the twelve-hospital delivery system sending breach notification letters to almost 5,454 affected sufferers.
Law enforcement notified Virginia-based Sentara Healthcare of the breach on the day of Nov. 17, 2016, and a Sentara investigation highlighted the vendor, which it declined to recognize in its announcement, as the target. Healthcare agencies mostly learn of cyberattacks as police in the course of investigating a tragedy find other facilities that also were affected. Police, Sentara and the vendor sustain to investigate the tragedy, in accordance to the notification letter.
The vendor doesn’t give direct care to patients, in accordance to a Sentara spokesperson; it gives information reporting and data benchmarking services. With the investigation ongoing, the agency won’t provide extra information about the vendor or its current relationship with the vendor.
The compromised sufferer information “relates to vascular and/or thoracic processes that took place between the time period of 2012 and 2015 at a Sentara hospital in Virginia, and was inappropriately accessed,” the agency has informed patients.
Data at risk involves sufferer names, dates of birth, Social Security numbers, medical record numbers, procedures, demographic data and medications.
Affected people are being offered one year of credit monitoring and recognize theft protection in the ProtectMyID Alert service of Experian. The vendor, in accordance to Sentara, is enhancing its security posture.
Law enforcement notified Virginia-based Sentara Healthcare of the breach on the day of Nov. 17, 2016, and a Sentara investigation highlighted the vendor, which it declined to recognize in its announcement, as the target. Healthcare agencies mostly learn of cyberattacks as police in the course of investigating a tragedy find other facilities that also were affected. Police, Sentara and the vendor sustain to investigate the tragedy, in accordance to the notification letter.
The vendor doesn’t give direct care to patients, in accordance to a Sentara spokesperson; it gives information reporting and data benchmarking services. With the investigation ongoing, the agency won’t provide extra information about the vendor or its current relationship with the vendor.
The compromised sufferer information “relates to vascular and/or thoracic processes that took place between the time period of 2012 and 2015 at a Sentara hospital in Virginia, and was inappropriately accessed,” the agency has informed patients.
Data at risk involves sufferer names, dates of birth, Social Security numbers, medical record numbers, procedures, demographic data and medications.
Affected people are being offered one year of credit monitoring and recognize theft protection in the ProtectMyID Alert service of Experian. The vendor, in accordance to Sentara, is enhancing its security posture.
Saturday, December 24, 2016
Massive LA County cyberattack impacts 756K people
Massive LA County or Los Angeles County in the recent days has started to notify over 756,000 people of a massive cyberattack that happened in the month of May 2016 across several county departments, involving healthcare, mental health and public health services.
Most of the affected people had contact with the Department of Healthcare Services, the Los Angeles Times reports.
The attacker sent phishing emails to almost 1,000 county workers, and 108 of them clicked on the message and provided usernames and passwords, in accordance to a notice from the county. As has become usual in the time period of cyber attacks, notification to impacted people was delayed far past the HIPAA requirement of sixty days from discovery of a breach at the appeal of law enforcement agencies. The agencies mostly are investigating several breaches launched by the similar attacker, find other HIPAA cover entities that were hit and then notify them.
Compromised information at the massive LA County involved names, dates of birth, Social Security numbers, driver’s license or state identification numbers, home addresses, phone numbers, payment card and bank account data, and medical data, like insurance identification number, diagnoses, treatment histories and medical record number. A known suspect is being sought with an arrest warrant released for a person with Nigerian citizenship, account to the county notice.
The county is providing identity monitoring services to affected people for 1 year; the services involve credit monitoring, identity consultation and identity restoration. Although, attackers usually now wait until after protective services end before using the stolen data.
This isn’t LA County’s 1st key breach of protected health information. The theft of a laptop at a regional office in the year of 2013 affected 18,162 people. The county also was the victim of a huge breach in the year of 2014, when business associate Sutherland Healthcare Solutions had 8 computers stolen, impacting more than 300,000 people. Following the latest breach, the massive LA County has enhanced its cybersecurity awareness training.
Most of the affected people had contact with the Department of Healthcare Services, the Los Angeles Times reports.
The attacker sent phishing emails to almost 1,000 county workers, and 108 of them clicked on the message and provided usernames and passwords, in accordance to a notice from the county. As has become usual in the time period of cyber attacks, notification to impacted people was delayed far past the HIPAA requirement of sixty days from discovery of a breach at the appeal of law enforcement agencies. The agencies mostly are investigating several breaches launched by the similar attacker, find other HIPAA cover entities that were hit and then notify them.
Compromised information at the massive LA County involved names, dates of birth, Social Security numbers, driver’s license or state identification numbers, home addresses, phone numbers, payment card and bank account data, and medical data, like insurance identification number, diagnoses, treatment histories and medical record number. A known suspect is being sought with an arrest warrant released for a person with Nigerian citizenship, account to the county notice.
The county is providing identity monitoring services to affected people for 1 year; the services involve credit monitoring, identity consultation and identity restoration. Although, attackers usually now wait until after protective services end before using the stolen data.
This isn’t LA County’s 1st key breach of protected health information. The theft of a laptop at a regional office in the year of 2013 affected 18,162 people. The county also was the victim of a huge breach in the year of 2014, when business associate Sutherland Healthcare Solutions had 8 computers stolen, impacting more than 300,000 people. Following the latest breach, the massive LA County has enhanced its cybersecurity awareness training.
Wednesday, December 14, 2016
Breach: Quest Diagnostics breach impacts 34,000 individuals’ info
Quest Diagnostics, a famous nationwide healthcare laboratory chain that also sells a suite of information management systems, has informed 34,000 people about Quest Diagnostics breach that few of their protected health information was compromised after an internet application on its network was suddenly hacked.
The impacted application was MyQuest, a patient portal enabling people to access health information and test results from Quest Diagnostics. The app also enables people to schedule an appointment, share health information, and it helps in offering tracking and reminders on medication.
Accessed data involved patient names, lab results, birth dates and few telephone numbers, in accordance to a statement from the company. Social Security numbers, credit card numbers, insurance data and financial data weren’t impacted. Evaluation of information systems sustains to be ongoing.
“There is no prove that information of people has been misused in any way,” the company claimed in a statement. The company is not providing credit and/or identity theft protection services, in accordance to a spokesperson, but sufferers with key concerns are encouraged to call Quest at 888-320-9970.
This tragedy, which will be posted on the HHS Office for Civil Rights web site of breaches impacting 500 or more people, is the 1st major breach for Quest as Quest Diagnostics breach.
Subscribe to:
Posts (Atom)
