Introduction
I’ve put together a brief list of reported HIPAA violations through 2017. Key points are listed below:
- Encrypt and password-protect any portable hard drives, laptops, cell phones, digital cameras, and any removable piece of medical equipment.
- Don’t upset the HIPAA Gods. You have 60 days from breach to when a customer receives a Breach Notification. Additionally, you must post Breach Notifications to your company’s website.
- If you cannot be sure of what data might have been pilfered, ALL patients must be considered to be at risk.
- Any breach consisting of more than 500 patients will be investigated by the HHS Office for Civil Rights (OCR). You had better have all your ducks in a row when they stop by.
- Make sure you provide, and document, Security Awareness and Phish Training for your employees.
- Conduct daily audits of medical record access within your EHR/EMR system.
- Contact your EHR/EMR vendor and make sure that your access clients are “forensically secure”. By forensically secure, we mean that no residual TEMP files containing patient data are left lying around on client workstations.
- Make sure that all processes, including your backup processes, abide by “Data-At-Rest” and “Data-In-Transit” encryption standards.
- Use the “3-2-1” method of Backup. Three total copies of data, two on different local systems, and one off-site.
- Secure your Email transport and your Email accounts. Do not send PHI data via unsecured Email unless you have a signed waiver in-hand.
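The daily access audit in the list above is the control that surfaced several of the insider cases further down (the Trios Health, Beacon Health, Virginia Mason and Atmore Community Hospital entries). As an added example, not code from the original post, here is a minimal version of that audit in Python run over a constructed access export. The CSV layout, the HOME_UNIT staffing table, the list of roles that should never open a chart, and the per-day distinct-patient threshold are all assumptions; replace them with the audit fields your EHR vendor actually exports.

```python
"""Daily EHR record-access audit (added example; not from the original post).

Assumes a hypothetical audit export with one CSV line per record open:
    timestamp,user,role,patient_id,unit
Three checks are applied, each mirroring an incident pattern in the post:
  * role_violation : a role that should never open a chart did so
  * cross_unit     : a clinician opened a chart outside their home unit
  * volume         : a user touched more distinct patients in a day than a
                     normal shift would (tune the limit per role/unit)
"""
import csv
from collections import defaultdict
from datetime import datetime
from io import StringIO

# Constructed sample export (not real data): one line per record open.
SAMPLE_LOG = """\
timestamp,user,role,patient_id,unit
2017-06-01T08:01:00,n.smith,nurse,P1001,ICU
2017-06-01T08:05:00,n.smith,nurse,P1002,ICU
2017-06-01T08:09:00,n.smith,nurse,P1003,ICU
2017-06-01T09:30:00,n.smith,nurse,P1004,ICU
2017-06-01T11:12:00,n.smith,nurse,P1005,ICU
2017-06-01T13:40:00,n.smith,nurse,P1006,ICU
2017-06-01T14:02:00,n.smith,nurse,P1007,ICU
2017-06-01T10:00:00,d.lee,physician,P3001,ONC
2017-06-01T10:20:00,d.lee,physician,P1003,ICU
2017-06-01T15:45:00,t.jones,transporter,P2001,MED
2017-06-02T08:00:00,n.smith,nurse,P1001,ICU
"""

# Assumed staffing data the audit joins against. A home unit of None means
# "no assigned unit / unknown", and the cross-unit check is skipped for it.
HOME_UNIT = {"n.smith": "ICU", "d.lee": "ONC", "t.jones": None}
NO_RECORD_ACCESS_ROLES = {"transporter", "volunteer"}  # assumption
DAILY_DISTINCT_PATIENT_LIMIT = 5                       # assumption


def parse_log(text):
    """Parse the CSV export into dicts with a real datetime in 'timestamp'."""
    rows = []
    for row in csv.DictReader(StringIO(text)):
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
        rows.append(row)
    return rows


def audit(rows, limit=DAILY_DISTINCT_PATIENT_LIMIT):
    """Return a list of (kind, user, detail) findings for one export."""
    findings = []
    per_user_day = defaultdict(set)  # (user, date) -> distinct patient ids
    for r in rows:
        user, unit = r["user"], r["unit"]
        if r["role"] in NO_RECORD_ACCESS_ROLES:
            findings.append(("role_violation", user, r["patient_id"]))
        elif HOME_UNIT.get(user) not in (None, unit):
            findings.append(("cross_unit", user, r["patient_id"]))
        per_user_day[(user, r["timestamp"].date())].add(r["patient_id"])
    for (user, day), patients in sorted(per_user_day.items()):
        if len(patients) > limit:
            findings.append(
                ("volume", user, f"{len(patients)} distinct patients on {day}")
            )
    return findings


if __name__ == "__main__":
    for kind, user, detail in audit(parse_log(SAMPLE_LOG)):
        print(f"{kind:15s} {user:10s} {detail}")
```

Run daily against the previous day's export and route every finding to a human reviewer; the point of the audit is a documented, repeatable review, not an automated verdict, and the thresholds should be set from a baseline of normal access volumes for each role rather than guessed.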
References
Breach Reports are public record and are maintained by the Department of Health and Human Services, Office for Civil Rights (OCR). The report can be found here: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
The HIPAA Journal website was also useful. It can be found here: http://www.hipaajournal.com/
Violations: Year-to-Date
As you read this, note that many of these breaches can happen to anyone, at any time. Look at each one of these and compare them with your existing policies and procedures. How does your business or practice compare?
6/26: Anthem, Inc.
Settlement reached in a breach of 78.8 million records in 2015. Anthem offered two years of complimentary credit monitoring services to affected plan members.
Anthem has agreed to settle the class-action lawsuit for $115 million.
6/22: Saint Thomas Rutherford Hospital, Murfreesboro, TN
Paper census reports of 2,859 patients were improperly discarded.
6/21: Texas Health and Human Services Commission, TX
Improper disposal of 1,800 paper copies of patient records. All individuals impacted by the breach have been offered credit monitoring services for a period of 12 months without charge. This is the second such breach within a year.
6/20: Torrance Memorial Medical Center, Claysburg, PA
Breach of two staff member Email accounts, via Phishing attacks, exposed the PHI of 46,632 patients. Those patients have been offered one year of free credit monitoring and identity theft restoration services.
6/19: CoPilot Provider Support Services Inc.
An administrative website run by the company was inappropriately accessed in October 2015. PHI of 221,178 individuals was stolen. CoPilot claims it is not a HIPAA-covered entity, but has been fined $130,000 by New York. The HHS Office for Civil Rights (OCR) is also investigating.
6/14: Sound Community Services, New London, CT
An Email account breach was discovered; the account contained the PHI of 1,278 individuals.
6/13: SouthWest Community Health Center, Bridgeport, CT
Burglary at a clinic. System access was protected, but patient record data was found to exist on other hard drives at the facility. All affected patients have been offered identity theft monitoring and restoration services without charge for a period of 12 months.
6/8: Austin Medical Center, TX
An unknown entity uploaded a report containing PHI of ~2000 patients to GitHub, where it was accessible via the Internet.
6/6: North Dakota Department of Human Services (NDDHS)
Improper disposal (dumping in trash) of medical records affecting 2,452 Medicaid recipients.
6/2: Rodeo Drive Clinic, CA
An employee of this Californian plastic surgery clinic is suspected of stealing the medical records of around 15,000 patients and also posting Before and After photographs on Snapchat.
6/2: Trios Health
A Trios Health employee accessed patient records without any legitimate work purpose from October 2013 to March 2017.
5/31: Molina Healthcare
Security researcher Brian Krebs found a flaw in the Molina Healthcare patient portal, potentially affecting 4.8 million individuals in 12 states and Puerto Rico. Under active investigation.
5/31: Children’s Mercy Hospital, Kansas City, MO
Lack of appropriate security protections on a doctor’s website, potentially exposing the protected health information of 5,511 patients.
5/30: Beacon Health System
An employee accessed the medical records of approximately 1,200 patients without authorization over a period of three years.
5/30: Arizona Department of Health Services (ADHS)
Missing postal mail containing sensitive health information of approximately 2,500 patients.
5/25: SSM Health
A stolen Electromyography device from DePaul Hospital St Louis in Bridgeton, MO contained the PHI of 836 patients.
5/24: St. Luke’s-Roosevelt Hospital Center Inc
Impermissible Disclosure of HIV Status to Employer Results in $387,000 HIPAA Penalty
5/18: Rutland Regional Medical Center, VT
Human error resulted in the inappropriate disclosure of Email addresses for 600 people by not using BCC headers.
5/17: Coney Island Hospital, NY
Unvetted volunteer accessed a limited amount of PHI for 3,500 patients. Notifications sent to patients, although there is no financial risk.
5/16: Dallas Senior Living Community, Walnut Place
A ransomware attack in January 2017 was reported to management in May, and notifications were sent out in late June. Walnut Place is offering affected individuals 12 months of credit monitoring services free of charge. A “Delay of Breach Notification” penalty (more than 60 days) is expected.
5/12: Bronx Lebanon Hospital Center, NY
Unsecured backup services provided by a Business Associate, iHealth Innovations of Louisville, KY, allowed researchers to view highly sensitive information including names, addresses, medical diagnoses and health histories, as well as HIV statuses, reports of domestic violence, sexual assaults and addiction histories. Still under investigation.
5/11: Memorial Hermann Health System, TX
A patient visited a MHHS clinic and presented a fraudulent identification card to hospital staff. The patient was identified and arrested by law enforcement. However, in a subsequent press release, the Hospital system named the individual. OCR issued a fine of $2.4M.
5/10: The Diamond Institute, NJ
EHR was hacked and documents released were found to contain a limited amount of protected health information relating to more than 14,000 patients. All patients affected by the security breach are being offered credit monitoring and identity theft restoration services for 12 months without charge.
5/9: Louisiana State University Health New Orleans, LA
An unencrypted portable hard drive was stolen, containing PHI of 2,200 patients. Affected patients are being offered one year of credit monitoring services.
5/3: Harrisburg Endoscopy and Surgery Center/Harrisburg Gastroenterology, PA
EHR hack. The unauthorized access/intrusion was detected and no records were believed to be compromised. 93,323 Harrisburg Gastroenterology patients and 9,092 patients of Harrisburg Endoscopy and Surgery Center were notified of the breach. No credit monitoring services were offered.
5/2: Greenway Health, Tampa, FL
Ransomware attack of their cloud-based Intergy EHR. Still under investigation.
5/1: Hill Country Memorial Hospital, TX
Breach of an ER staff member’s Email account, which was used to send fraudulent invoices. The breach report indicates that 8,449 patients might have been impacted by the incident. Patients impacted by the incident have been offered credit monitoring and identity theft protection services for 12 months without charge.
4/25: Lifespan
Theft of a MacBook laptop exposed limited PHI of 20,431 patients. The company is conducting employee awareness and education. Credit monitoring services were not offered.
4/24: CardioNet, PA
CardioNet settled a case for $2.5M in the 2011 theft of a laptop that contained PHI of 1,391 patients. The company was fined for various violations, including “Delayed Breach Notification”, inadequate safeguarding of ePHI equipment, failure to implement encryption or safeguards on portable devices, and failure to produce HIPAA-compliance information.
4/21: Cardiology Center of Acadiana, LA
Ransomware breach of a Remote Desktop server affected the PHI of 9,700 patients. Notifications of potential breach were sent out to the affected patients, but no credit monitoring services have been offered.
4/21: BioReference Laboratories, NJ
The third-largest clinical diagnostic lab in the US, BioReference, reported that an employee had improperly disposed of paper medical records in a dumpster in Davenport, Florida. The employee was terminated and new employee training and awareness policies were put in place.
4/18: Amedisys Home Health, Fayetteville, NC
Improper disposal of paper records in a dumpster. No disclosure of PHI, except for the individual finding the records. All patients impacted by the incident are now being notified of the potential privacy violation by mail.
4/17: Virginia Mason Memorial, WA
Improper access of the PHI of 419 patients by 21 employees. As a precaution, all affected patients have been offered credit monitoring services without charge. The company is now doing daily audits of medical record access.
4/13: Ashland Women’s Health, KY
“HakunaMatata/NMoreira” ransomware infection created a potential breach of 19,727 patients. FBI investigating. Breach notification letters sent to affected patients.
4/12: Erie County Medical Center, Buffalo, NY
Malicious Email attachment, believed to be ransomware (no detail reported) caused a shutdown of their EHR systems. The internal messaging system was restored, allowing internal communications, then the rest of the systems restored and put back online. The FBI is investigating the incident.
4/7: Skin Cancer Specialists, P.C., Atlanta, GA
Unauthorized individual was discovered to have gained access to the healthcare provider’s system on October 15, 2016. The intrusion was detected on February 2, 2017. The system contained the billing records of 3,365 patients. No credit monitoring services were offered but an advisory was sent out to all affected patients.
4/4: ABCD Pediatrics, San Antonio, TX
“Dharma” ransomware attack affected PHI of 55,000 patients. The company offered 12 months of credit monitoring and identity theft protection services to affected individuals via Equifax Personal Solutions.
3/31: Washington University School of Medicine
Phishing emails were used to obtain login credentials to staff members’ email accounts. This exposed the PHI of 80,270 patients. Washington University School of Medicine will be reeducating staff members of existing protocols regarding phishing emails. Logon authentication processes and business practices will also be strengthened.
3/29: Mecklenburg County, NC
Sent PHI of 1200 patients in response to a FOIA request. Patients notified of the privacy breach.
3/29: Estill County Chiropractic, KY
Ransomware attack on EHR systems. 5,335 patients were affected in the breach. The company is offering all affected patients 12 months of credit monitoring services free of charge through Equifax Personal Solutions.
3/28: Med Center Health, KY
Employee theft of billing information and limited PHI. Patients impacted by the breach have been offered 12 months of credit monitoring and identity theft protection services without charge.
3/23: Urology Austin, CA
Ransomware delivered by Email exposed PHI of 279,663 patients. Identity theft monitoring services were offered to patients.
3/21: UNC Health Care, NC
Accidental exposure of 1,200 patients’ PHI data to State health organizations. Breach notification sent to the patients. The recipient State health organizations are covered entities.
3/20: Local 693 Plumbers, Pipefitters & HVACR Technicians, VT
Unencrypted, portable backup drive stolen, affecting the PHI of 1,291 members. Breach notification sent to affected patients.
3/17: Metropolitan Urology Group, WI
Ransomware attack impacted the PHI of 17,634 patients. New Firewall and Email systems installed. Their IT vendor has implemented additional training for its employees in IT Security and Risk Analysis.
3/17: St. Charles Health System, OR
Over a 27-month period, a caregiver accessed 2,459 patient files without authorization. Disciplinary action was taken against the employee. There was no release of PHI to other parties, per employee testimony. All individuals affected by the breach were offered credit monitoring services for 12 months.
3/16: Zest Dental Solutions, CA
Hack and unauthorized access of credit card information from their e-Commerce server. Customers sent an advisory email and will be compensated for any fraudulent Credit Card transactions.
3/15: BJC HealthCare, MO
PHI for 644 participants of the Raising St. Louis program might be compromised due to the use of unencrypted Email systems; participants notified although no interception of Email data is evident.
3/14: Denton Heart Group
A portable, unencrypted backup drive was stolen, affecting 21,665 patients. Any affected individual can receive credit monitoring and identity theft protection services (Experian).
3/14: Tarleton Medical, CA
Server hacked and medical records potentially accessed. 3,929 patients have been offered identity theft protection and credit monitoring services for 12 months.
3/13: Virginia Commonwealth University Health System, VA
Unauthorized access of about 2600 patient records by various doctors and physician groups over a four-year period. About 2700 people impacted by the privacy breaches have been offered credit monitoring services for 12 months.
3/10: Saliba’s Extended Care Pharmacy, Phoenix, Arizona
Invoices were mailed to the wrong customers, limited PHI of 6,500 individuals was exposed. The offending employee was terminated and additional training provided to the staff.
3/6: Sharp Healthcare, San Diego, CA
A computer and portable backup drive were found to be stolen from a locked cabinet. The potential breach affects 750 people. They were notified of the theft.
3/6: Minneapolis Heart Institute at Abbott Northwestern Hospital, MN
A cleaning crew mistakenly trashed paper records containing PHI of clients from April 2016 to January 2017. Affected individuals notified and offered free credit monitoring services.
3/6: Universal Care, dba, Brand New Day, CA
At this Medicare plan provider, unauthorized access to the EHR occurred through one of its Business Associates. Brand New Day says “We changed our practices regarding access requiring monthly verification of each user.” It offered free credit and identity protection services for 12 months to the 14,000 individuals affected by the breach.
2/28: North Carolina Department of Health and Human Services, NC
12,731 patients were exposed as a result of an email error. The Emails were sent in an unsecure manner to Adult Care facilities. The Email process was changed so that no patient identifying information is in the Email (Only Account IDs).
2/27: Vanderbilt University Medical Center, TN
Patient Transporters inappropriately accessed the medical records of 3,000 patients. Patients are being provided with credit monitoring services. New EHR access policies were put in place, and Transporters no longer have EHR access.
2/27: Berkeley Medical Center, WV
A Berkeley Medical Center employee inappropriately accessed the medical records of 7,445 patients over a 10 month period. The employee was terminated and criminal prosecution is moving forward. WVU has offered all individuals impacted by the incident credit monitoring and identity theft protection for 12 months.
2/21: Horizon Blue Cross Blue Shield of New Jersey, NJ
A settlement was reached whereby Horizon Blue Cross Blue Shield of New Jersey will pay a $1.1 million fine for a HIPAA breach that occurred with the theft of two unsecured and unencrypted laptops in 2013. 690,000 plan members were affected.
2/20: Catalina Post-Acute and Rehabilitation, Tucson, AZ
A potential breach of 2,953 employees and residents occurred when paper medical records were found to have been left unattended. All affected individuals have now been contacted.
2/20: Brandywine Lock-N-Stock, Zanesville, OH
A break-in occurred in a storage unit where boxes of old medical records were being stored. Patients of Genesis HealthCare, Vision Source, and Capital Prosthetic & Orthotic Center were affected; estimated to be between 3,000 and 5,000 individuals. There is no evidence of the information therein being used inappropriately.
2/16: Fort Worth, TX
Seven providers were mistakenly sending faxes to a local media outlet, including sensitive PHI records. The destination was supposed to be a Fort Worth medical facility but the fax number was one digit off from the media outlet’s.
2/15: South Fulton Mental Health Center, GA
Paper medical records were improperly disposed of as trash. An employee allegedly did this intentionally, in retaliation for the Clinic out-sourcing Mental Health Services.
2/9: Multnomah County Health Department, OR
An employee set up an automatic mail forwarder to a personal GMail account for a period of three months. The PHI of 1700 patients was exposed. Policies and Procedures were reviewed.
2/9: Singh and Arora Oncology Hematology
Unauthorized access to their server by an unknown individual resulted in PHI exposure of 16,000 patients. It took one year for Breach Notifications to be sent out. Fines are expected from OCR.
2/8: Princeton Pain Management, PA/NJ/NY
A hacker gained unauthorized EHR access that affected the PHI of 4,668 patients. New security policies and systems were installed.
2/6: WellCare/Summit Reinsurance Services
WellCare Health Plans has announced that 24,809 members were affected by a breach at Summit Reinsurance Services. Summit had been attacked with ransomware on Aug 8, 2016, and notified WellCare on Dec 27, 2016.
2/6: Verity Health System, Redwood City, CA
A website exploit exposed the PHI of 10,164 patients. The website was taken down and made secure. All patients affected have been notified of the data breach by mail and have been offered 12 months of credit monitoring services without charge.
2/6: Family Medicine East, Chartered, Wichita, KS
A break-in resulted in the theft of an unencrypted, unsecured desktop computer and printer. 6,800 patients have PHI exposures. Security was enhanced to deter burglars. Files were stored on the computer because of an employee’s negligence. No financial information was contained on the computer.
2/2: Children’s Medical Center, Dallas, TX
Paid a $3.2 million fine for multiple HIPAA violations. In 2008 PricewaterhouseCoopers (PwC) was consulted and made several recommendations for securing PHI that the medical center did not implement. Continued violations mounted, including the loss of an unsecured Blackberry device affecting 3,800 patients. They also lost an unencrypted iPod containing the ePHI of 22 patients. Then later, they lost a laptop, exposing 2,462 individuals’ ePHI.
1/27: MultiCare Health System, Tacoma, WA
An employee’s Email account was compromised through a phishing attack, exposing the ePHI of 1200 patients. MultiCare conducted a review of security practices and procedures and ePHI safeguards.
1/26: Covenant HealthCare
An employee accessed the medical records of 6,200 patients inappropriately. The employee was terminated. Those patients whose Social Security numbers were viewed were offered free credit monitoring and protection services.
1/26: TriHealth of Cincinnati, OH
A software glitch caused bills to be sent to patients’ previous mailing addresses. No sensitive ePHI was disclosed. 1,126 patients were affected.
1/25: Roper St. Francis Mount Pleasant Hospital, SC
Lost a camera containing photos of newborns, with physician information. No sensitive ePHI was disclosed. The camera’s SD Card contained pictures of about 500 babies.
1/25: Complete Wellness, Baltimore, MD
An employee copied 600 highly sensitive medical records, using unauthorized access to the EHR system, to a flash drive which was subsequently lost. Encryption has been implemented on all portable devices, including laptops and additional training has been provided to employees.
1/24: Wonderful Health and Wellness, Los Angeles, CA
An unencrypted laptop was stolen, exposing the PHI of an undisclosed number of patients. The laptop can be wiped remotely, so the system software was set up to do that. They have implemented some additional safeguards.
1/19: MAPFRE Life Assurance Company of Puerto Rico
A $2.2 million settlement was reached surrounding the exposure of 2,209 patients. During the investigation, OCR also found “failure to conduct a comprehensive risk assessment”, “failure to implement data encryption or an equivalent measure to safeguard the ePHI stored on portable storage”, and “failure to implement reasonable and appropriate policies and procedures”.
1/18: Children’s Hospital Los Angeles, CA
Loss of an unsecured laptop resulted in the ePHI exposure of 3,600 patients. Remote Wipe had been installed, and has been invoked.
1/18: Sentara Healthcare, VA
Sentara Healthcare is notifying 5,454 patients of a breach of security and unauthorized system access by an unknown hacker. All patients impacted by the data breach have been offered 12 months of complimentary credit monitoring and identity theft protection services through Experian.
1/17: Highmark BlueCross BlueShield of Delaware, DE
Ransomware infection resulted in exposure of the ePHI for 19,000 patients. Patients affected by the breach have been offered a year of credit monitoring and identity restoration services to protect them against identity theft and fraud.
1/17: Brandywine Pediatrics, Wilmington, DE
Ransomware suspected, but not specifically stated. A virus rendered all ePHI inaccessible. The breach affected 26,873 patients. The company has made security improvements and updated policies and procedures.
1/12: Atmore Community Hospital, AL
An employee accessed the records of 1,000 patients without authorization. The employee was terminated and systematic auditing procedures (which detected the access) put in place.
1/10: Susan M. Hughes Center, NJ
This cosmetic surgery center experienced a ransomware attack in August 2016, not reported until December 2016. 11,400 patients have been impacted. OCR fines are expected for “Delay of Breach Notification”, well past the 60-day limit.
1/10: Presence Health, IL
Breach of surgery schedules at Presence Surgery Center at the Presence St. Joseph Medical Center in Joliet, Illinois. This affected the PHI of 836 patients. OCR investigates all breaches of more than 500 individuals. The breach occurred in October 2013 but was not reported until January 2014, more than the 60-day limit. Presence Health was fined $425,000 for “Delay of Breach Notification”. Presence Health had experienced a number of smaller PHI breaches in 2015 and 2016, yet for several of those breaches, Presence Health did not provide affected individuals with timely breach notifications.