TX data breach incident

June 23rd, 2016 by admin

The Texas Health and Human Services Commission possibly suffered a data breach that affected 600 individuals. The incident was the result of missing documents. Iron Mountain, one of TX’s contractors and a document shredding company, reported that 15 boxes containing client information went missing from the Irving, Fort Worth, and Dallas facilities.

Iron Mountain was hired by the Texas Health and Human Services Commission to destroy the client documents. The missing boxes contained confidential information from individuals who may have applied for medical assistance between January 1, 2008 and August 31, 2009.

Neither TX nor Iron Mountain stated the reason the boxes were misplaced. Affected information included Social Security numbers, addresses, Social Security claim numbers, dates of birth, names, medical record numbers, Medicaid or individual numbers, case numbers, and bank account information.

As per the statement,

“HHSC is committed to ensuring that our clients’ confidential information is secure. The agency is conducting an investigation into Iron Mountain’s handling of this event and taking steps to secure confidential information and reduce the chances of this event happening again. After the investigation is complete, HHSC will review processes and procedures, making any changes needed to prevent this type of event in the future.”

The Texas Health and Human Services Commission contacted all affected individuals to inform them of the healthcare data security incident. They are being provided complimentary credit monitoring services for one year. Iron Mountain has taken steps to improve data security measures for confidential information.

“The agency is conducting an investigation into Iron Mountain’s handling of this event and taking steps to secure confidential information and reduce the chances of this event happening again,” explained the statement. “After the investigation is complete, HHSC [Health and Human Services Commission] will review processes and procedures, making any changes needed to prevent this type of event in the future.”

————————————————————————————————————————————————————–

Alertsec is the full disk encryption service that delivers a mobile data protection system for all information stored on laptops used throughout your organization.

Bizmatics and data breach

June 20th, 2016 by admin

According to the HIPAA notification letter on the ENT and Allergy Center’s website, yet another medical center suffered a potential healthcare data breach due to a hacking incident. Affected information included names, addresses, healthcare visit information, and the last four digits of Social Security numbers. The EHR files did not contain credit card numbers or any other financial information.

According to the Office of Civil Rights data breach tool, 16,200 individuals were affected by the healthcare data security incident. The facility stated that its EHR vendor’s data servers, which stored and managed patient files, were attacked by hackers. The EHR vendor, Bizmatics, discovered the intruder and terminated the access.

Bizmatics stated that EHR files may have been viewed or acquired as a result of the possible data breach. It also notified ENT and Allergy Center but failed to identify which patient files may have been exposed.

Bizmatics contacted law enforcement officials and hired a private cybersecurity firm to secure its systems. An investigation is being carried out by the agency. All affected individuals were notified and offered free credit, fraud, and identity-theft monitoring services for a year. A toll-free phone number has also been set up to answer questions about the healthcare data security incident. ENT and Allergy Center stated that it is in the process of implementing safeguards to protect information.

Several other healthcare facilities were affected by this hacking incident. One example is the incident at Pennsylvania-based Integrated Health Solutions PC, which affected 19,776 individuals. Southeast Eye Institute PA also suffered a data breach, which affected 87,314 individuals.

According to the ENT and Allergy Center’s website:

We intend to abide by the Final Omnibus Rule of the HIPAA regulations regarding your Protected Health Information, hereafter abbreviated as PHI.  The term PHI refers to your medical records, billing and payment records, your name, address, date of birth, social security number, payment history, the name of your health plan and account number, and other data that identifies you.

We are permitted by law to disclose PHI to you and to anyone who needs it to carry out treatment, payment, or healthcare operations.  We will be required to obtain your signature for authorization to release PHI for most uses unrelated to treatment, payment, and healthcare operations.  We will retain your authorization and provide you a copy if you wish to have it.  PHI will be provided within 30 days of the written request in hard copy form.  Information may be available for transfer onto USB media if the media is provided by the patient.  You may revoke your authorization in writing at any time.

————————————————————————————————————————————————————–

Alertsec has created a web based encryption service that radically simplifies deployment and management of PC encryption by using industry leading Check Point Full Disk Encryption software.

EHR vendor and data breach

June 18th, 2016 by admin

Healthcare organization Vincent Vein Center has notified patients of a potential healthcare data breach. The incident was the result of the hacking incident at Bizmatics, a vendor that manages EHR for Vincent. The facility’s Colorado-based phlebology office stated that some of its EHR files were accessed by an outside entity. The unauthorized access was related to the PrognoCIS system, a practice management and EHR system serviced by Bizmatics.

The number of affected individuals stands at 2,250 according to the OCR data breach tool. Affected information included names, addresses, health insurance information, health visit and treatment information, and other identifying data, such as Social Security numbers. The PrognoCIS system is used to store complete patient files.

Bizmatics mentioned that there has been no indication that Vincent Vein Center’s files were accessed or obtained by the outside party. Also, there are no available reports of information published online.

As per Bizmatics, “cybersecurity firm is hired to investigate the incident. It found out that cybercriminals had installed malware on its systems to capture user credentials. Affected individuals are contacted about the possible data breach. Also, the facility has established a toll-free number to answer any questions which included identity theft protection resources for patients.”

As noted in Bizmatics’ letter, we have no reason to believe that our patient files were the target of the hackers’ attack on Bizmatics. VVC is examining Bizmatics’ practices and determining whether a continued relationship with Bizmatics is appropriate. VVC will make every attempt to prevent further breaches.

“We sincerely regret that this incident has occurred and thank you for your understanding.”

————————————————————————————————————————————————————–

Alertsec is used by organizations that have recognized the need to protect their information. Customers range from single-user sole traders and consultants to multinational companies with a large number of offices around the globe. Over 4 million users worldwide use Alertsec Check Point Full Disk Encryption.

EHR system hacked

June 15th, 2016 by admin

A Pennsylvania-based healthcare facility suffered a potential data breach when unauthorized users hacked into its EHR system. The system was managed by Bizmatics. The incident has potentially affected around 19,776 individuals, according to the Office of Civil Rights (OCR).

Bizmatics found that an outside entity accessed its systems, which resulted in some patient files being exposed. Affected information includes names, addresses, Social Security numbers, and healthcare visit information.

Bizmatics did not specify whether patient records from Integrated Health Solutions PC were accessed during the hacking incident. To be on the safe side, the healthcare facility has taken measures to strengthen its healthcare data security policies.

“Integrated Health Solutions values your privacy and deeply regrets that this incident occurred and is working closely with its advisors and Bizmatics to ensure the incident is properly addressed, including a review of our data security measures in order to help prevent a recurrence of such an attack,” reported the statement. “We have also contacted relevant state and federal authorities regarding this issue.”

Bizmatics had informed several other organizations of potential healthcare data breaches that left EHR files exposed to outside entities. It also suffered a data breach early this year.

One example is Florida-based Southeast Eye Institute, PA, which notified 87,314 individuals of a hacking incident affecting systems managed by Bizmatics. Another example involved 19,937 patients at the Pain Treatments Center of America (PTCOA) and Interventional Surgery Institute (ISI) in Arkansas, which were affected by the data breach.

“We have no reason to believe that our patient files were the target of the hackers’ attack on Bizmatics,” wrote PTCOA and ISI. “Due to the nature of the attack, Bizmatics cannot say for certain that PTCOA’s patient files were among the data that was accessed or acquired by the hacker.”

————————————————————————————————————————————————————–


UNM Hospital suffers potential data breach

June 13th, 2016 by admin

A potential healthcare data breach affected around 2,827 patients. Affected information included names, provider names, dates of service, and descriptions of medical services, such as X-ray or flu shot information, which was disclosed after it was mailed to another address.

According to reports, the facility mistakenly mailed 33 invoice documents to 18 addresses sometime between December 22, 2015 and April 2, 2016. The documents contained patient information for several individuals. The incident was caused by a technical error in the hospital’s billing systems.

The facility stated that there is no involvement of financial, health insurance, or detailed treatment information. The mailings also did not include dates of birth, Social Security numbers, or medical record numbers.

“UNM Hospital is committed to protecting the privacy and confidential health information of all of our patients, and we take this incident very seriously,” said Chief Privacy Officer of the University of New Mexico Health Sciences Center Sarah Morrow. “We have thoroughly investigated and identified the technical issues that led to the erroneous mailings, and we are monitoring the system to ensure this does not happen again.”

According to the UNM website –

The UNM Health Sciences Center’s most important value is a steadfast duty to improve the health of all New Mexicans. We will serve our patients and the public with integrity and accountability. We will strive as an institution and as individuals to recognize, cultivate and promote all forms of diversity; to fully understand the health needs of our communities; and to advance clinical, academic, and research excellence. We are committed to perform our duties with compassion and respect for our patients, learners, and colleagues; and always to conduct ourselves with the highest level of professionalism.

————————————————————————————————————————————————————-


ProMedica suffers data breach

June 10th, 2016 by admin

ProMedica, a healthcare organization in Ohio, potentially suffered a healthcare data breach. Several employees had inappropriately accessed the private medical records of patients who were not treated directly by them. The incident has affected around 3,500 patients.

Affected information included names, addresses, phone numbers, dates of birth, insurance information, diagnoses, medications, and other clinical information exposed through the EHR system.

The patient privacy violations occurred between May 1, 2014 and April 26, 2016. ProMedica stated that the staff members involved did not have valid business or clinical reasons for the access.

ProMedica conducted an internal audit. It stated that the employees did not plan to keep or use the patient data they accessed in an inappropriate manner. Some of the employees have been terminated for their involvement in this incident.

The facility also stated that it has conducted additional staff training on acceptable patient data access. It has also implemented a more proactive auditing program that uses software monitoring tools to track staff activity on the EHR system.

ProMedica’s president at both hospitals, Julie Yaroch, also said that the investigation had taken so long because the healthcare organization lacked the “necessary software.”

“This is a very serious event,” added Yaroch.

According to the statement:

ProMedica Bixby and Herrick Hospitals are members of Toledo, Ohio-based ProMedica, a mission-based, not-for-profit healthcare organization serving northwest Ohio and southeast Michigan. The 13-hospital system has more than 17,000 employees, 2,300 physicians with privileges, and more than 800 healthcare providers employed by ProMedica Physicians. Additionally it offers a health plan, Paramount, which serves 320,000 members including more than 225,000 members in the statewide Medicaid plan. Driven by its Mission to improve your health and well-being, ProMedica offers a full range of diagnostic, medical and surgical specialties in areas such as emergency medicine and trauma, behavioral health, heart and vascular, oncology, orthopaedics, neurology, and women’s and children’s services. The health system has been nationally recognized for its advocacy programs and efforts to raise awareness about hunger as a health issue.

 ———————————————————————————————————————————————————-


Stolen logbook and data breach

June 8th, 2016 by admin

A physician’s logbook was stolen from a personal vehicle, which caused a possible healthcare data breach. According to reports, approximately 1,000 individuals were affected by the incident. The logbook consists of entries from Carondelet St. Mary’s and St. Joseph’s emergency rooms between October 14, 2015 and March 25, 2015. Affected information included names, dates of birth, ages, genders, hospital names, dates of hospital visits, hospital medical record numbers, hospital identification numbers, and descriptions of medical issues.

The incident did not violate the HIPAA rules, as the physician took the logbook out of the hospital and left it in her personal vehicle. But it is not a recommended practice.

Trish Markus, a North Carolina-based health-care attorney who focuses on data privacy and security, said, “On the bright side, the compromised patient data did not involve Social Security numbers or payment information, making it less likely the patients involved will suffer adverse effects financially. But with details such as the patient’s name, date of birth and medical record number, the thief could attempt to pose as a patient by assuming his or her ‘medical identity.’”

Arizona-based Emergency Medicine Associates published a statement about the possible healthcare data breach. The company provides ER staffing coverage for the affected emergency departments, and Carondelet Health Network deferred all questions to the staffing company. The incident did not involve Carondelet staff.

“The loss of (the logbook), other than the fact that it contains patient information, is probably less problematic for the emergency group from a business standpoint,” she said. “But from a reputational standpoint, obviously it’s never good when you have something like this happen.”

“EMA [Emergency Medicine Associates] takes safeguarding the privacy of its patients’ personal information very seriously,” said Privacy Officer for Emergency Medicine Associates Lori Levine, DO, FACEP, in a news release. “In response to this theft, EMA has reviewed and revised its policies regarding logbooks and provided additional training to its physicians so that incidents like this can be prevented from occurring in the future.”

Additional HIPAA training was conducted and all affected individuals of the potential healthcare data breach were notified.

————————————————————————————————————————————————————-


Mis-mailing and data breach

June 6th, 2016 by admin

Coordinated Health Mutual, Inc. recently suffered a data breach that affected around 591 individuals, according to the Office of Civil Rights data breach portal. The company confirmed the healthcare data security breach. The incident occurred after a vendor experienced an internal, electronic sorting issue. Around 650 incorrect or incomplete 1095-B forms were inadvertently printed and mailed.

A 1095-B form is a healthcare insurance form used to verify an individual’s health insurance coverage for a specific amount of time. The individual needs to enter information such as the dependents on the policy and how long the policy was active.

According to the statement, ‘These incorrect or incomplete forms either do not display a policyholder’s dependents at all, or they have incorrect dependents listed. No medical information was included and this information is not publicly available; specifically, one policyholder may have the information on the dependents of another policyholder.’

Coordinated Mutual Health, Inc. conducted an investigation and found that fewer than 800 dependents were listed on the incorrect policyholder’s form.

“Following an initial assessment and report by our vendor, we alerted all members and appointed brokers of the issue on April 5 and asked that they contact our Compliance Department if they received an incorrect 1095-B form. We are also encouraging members to destroy or return any incorrect forms they may have received.”

Coordinated Mutual Health, Inc. stated that it is offering identity protection services to any impacted dependent. Policyholders will also receive their corrected 1095-B forms with instructions on how to enroll in the services.

As per the company website:

HIPAA, which stands for Health Insurance Portability and Accountability Act, is a set of Federal Regulations originally passed in 1996. One component that HIPAA focuses on is Privacy.

So what is HIPAA Privacy all about? HIPAA Privacy is about protecting the confidential nature of an individual’s health information. It is as simple as that.

The Privacy Regulation protects health information relating to past, present or future physical or mental health of an individual. Any health information that can be directly linked or associated with an individual is referred to as “protected health information” or PHI for short. Protected health information can be in written, electronic or oral form. For more information please visit United States Department of Health & Human Services Website.
