Archive for the ‘Personal Health Information’ category

Data breaches due to unauthorized access

March 23rd, 2017

Virginia Commonwealth University (VCU) Health System recently announced data breach which affected over 2,700 patients. The incident occurred due to unauthorized access over a three-year period between January 3, 2014 and January 10, 2017.

Facility conducted investigation which found out that employees of community physician groups, and an employee of a contracted vendor had access to patient records without proper explanation. Concerned employees are terminated.

“As part of the health system’s partnership with community physicians, access is provided to their practices so they can view the medical records of their patients who are referred to the VCU Health System for care and treatment. Access also is provided to certain contracted vendors who provide medical equipment to patients for continuity of care at discharge from the hospital.”

Affected information included patient names, addresses, dates of birth, medical record numbers, health care providers, visit dates and Social Security numbers.

Facility is providing one year of free credit monitoring.

Second incident involves Tarleton Medical who announced data breach recently. Incident involves unauthorized access of a data server containing PHI from patient medical records.

Affected information included patient names, addresses, dates of birth, Social Security numbers, and healthcare claims information.

Facility did not mention number of individuals affected. As per the OCR reporting tool, incident affected 3,929 individuals.

“We have taken steps to enhance the security of TM patient information to prevent similar incidents from occurring in the future,” the healthcare organization explained in its notification letter.

Tarleton Medical contacted FBI. It is also offering patients free access to a credit monitoring service for one year.

As per the statement, it advised patients to follow below guidelines:

You can follow the recommendations on the following page to protect your personal information. You can also contact ID Experts with any questions Please note that the deadline to enroll is three months following the date of this letter. To receive the aforementioned services, you must be over the age of 18, have established credit in the U.S., have a Social Security number in your name, and have a U.S. residential address associated with your credit file. Your services start on the date that you enroll in the services and can be used at any time thereafter for 12 months following  enrollment.

___________________________________________________________________________________

Alertsec helps you comply with HIPAA, PCI and SOX requirements. The implemented encryption is powered by CheckPoint and has the highest security certifications: FIPS 140-2, Common Criteria EAL4 and BITS.

Summit Reinsurances Services announces data breach

March 20th, 2017

Summit Reinsurance Services, Inc., recently suffered data breach when it became aware of a ransomware attack on its server. Patient PHI was present was involved in the incident. Facility immediately conducted Investigation. It mentioned that an unauthorized user accessed the server during March 13, 2016.

Affected information included Social Security numbers, health insurance information, provider names, and claim-focused medical records containing diagnoses and clinical information.

Facility didn’t mention the number of affected patients. Also, there is no information or evidence of any misuse of information. It is providing information about ways of protecting against identity theft and fraud. One year of free credit monitoring and identity restoration is provided.

As per the statement:

  • Facility is asking patients to remain vigilant against incidents of identity theft and fraud. Review of account statements should be done. Also, credit reports and explanation of benefits forms should be monitored for suspicious activity.
  • Three major credit bureaus can be reached directly to request a free copy of credit report.
  • Fraud alerts can be placed on the files that will alert affected patients before granting credit. But it will delay ability to obtain credit while the agency verifies identity.
  • Security freeze on credit reports can be placed. Once this is activated, credit bureau can’t release consumer’s credit report without the consumer’s written authorization. This facility will affect customers request for new loans, credit mortgages, employment, housing, or other services.

“In order to request a security freeze, you will need to supply your full name, address, date of birth, Social Security number, current address, all addresses for up to five previous years, email address, a copy of your state identification card or driver’s license, and a copy of a utility bill, bank or insurance statement, or other statement proving residence.”

____________________________________________________________________________ 

Alertsec’s cloud-based information security service provides an easy and convenient way to protect information on your organization’s laptops and computers.

Emails sent to unintended recipient

March 13th, 2017

Orange County Global Medical Center recently suffered data breach which involved some of its patients. As per the reports, an employee emailed an Orange County Global statistical report to an wrong recipient.

“We take this matter, and the security and privacy of your information, very seriously,” explained the letter, a copy of which was posted on the California Office of Attorney General. “Since the incident occurred, and in addition to instructing the inadvertent recipient to delete the information, we have implemented additional protocols for sending information, reviewed our policies and procedures, and provided additional training to staff.”

Facility came to know about the incident the same day. It reached out to the recipient asking him to immediately and permanently delete the email and related information from his email account.

Affected information included patient treatment and diagnoses information, medical record numbers, dates of birth, treatment dates, and names.

Orange County Global Medical Center mentioned that patient Social Security numbers, driver’s license numbers, health insurance information, or financial account information were not affected in the incident. It didn’t mentioned the number of patients affected by the incident. It is providing free access to identity monitoring and restoration services for one year to affected patients.

As per the statement:

“If you believe there was fraudulent use of your information as a result of this incident and would like to discuss how you may be able to resolve those issues, please reach out to an Experian agent. If, after discussing your situation with an agent, it is determined that identity restoration support is needed then an Experian Identity Restoration agent is available to work with you to investigate and resolve each incident of fraud that occurred from the date of the incident.”

Facility has asked affected patients to contact Experian Identity Works for any fraud issues. One can also enroll for –

  • Internet Surveillance
  • Identity Restoration
  • Experian IdentityWorks ExtendCARET
  • $1 Million Identity Theft Insurance

___________________________________________________________________________________

Alertsecs cloud-based information security service provides an easy and convenient way to protect information on your organization’s laptops and co

Health Facility suffers data breach due to improper shredding of paper documents

March 9th, 2017

Minnesota-based Allina Health recently suffered data breach due to paper documents, which were emptied into the trash insecurely. As per the reports, proper shredding of the documents was not done.

Documents belong to physician’s private office and was supposed to be shredded at the Minneapolis Heart Institute at Abbott Northwestern Hospital. After the incident, facility launched an investigation. Affected information included patient information including names, medical record numbers, addresses, and insurance information.

As per the OCR data breach reporting tool, incident affected 776 patients.  Facility mentioned that some patients use their Social Security numbers as identification numbers on insurance documents.  Hence there is possibility of Social Security numbers being exposed.

“Allina Health has undertaken a system wide awareness campaign to inform the workforce of the simplified “shred all paper” disposal process and reinforced its safeguards policy to re-emphasize the importance of proper disposal.”

Allina Health also added that there is no information or evidence of any misuse of the data. It is notifying affected patients. Also, one year of free credit monitoring and identity protection services are provided.

“Allina Health has simplified its systemwide process to require all paper and documents be placed into secured or locked shredding bins, whether or not the paper contains patient information,” the statement explained. “All paper is shredded and then recycled. The enhanced process also removes all desk-side recycling bins to prevent paper from being placed into recycling without being shredded first.”

Allina Health mentioned that it takes the confidentiality of patients’ information very seriously. Also, it will take steps to ensure that a similar incident does not occur in the future. Patients who believe they may have been impacted or patients who have other questions should call toll-free number.

___________________________________________________________________________________

Alertsec helps you comply with HIPAA, PCI and SOX requirements.

Unauthorized employee access at Vanderbilt University

March 6th, 2017

Vanderbilt University Medical Center (VUMC) recently suffered data breach when it came to know about the unauthorized employee access to patient medical records. As per the reports, concerned employee were working as patient transporters. Patients’ electronic medical records was accessed without necessary permissions.

As per the statement, “The breach prompted the medical center to change the way the patient transport staff gets information so that it no longer gives them access to electronic medical records. Staff in that department were also retrained about appropriate access to information. VUMC is in the process of migrating from its current electronic health record system to a new software system designed by Epic Systems.”

Facilty conducted an audit of electronic medical records (EHR) which was accessed by the employee.  As per the reports, two employees were involved in the breach who viewed adult and pediatric patient information, including patients’ names, dates of birth, and medical record numbers for internal use. One of them got access to patient Social Security numbers in a few instances.

VUMC mentioned that there is no information whether data was downloaded, transferred, or misused in any way. Affected patients received notification letter Facility has offered fraud or identity theft services. As per the report from The Tennessean, incident affected 3,247 medical records.

“We are committed to providing our patients the highest quality care and protecting the confidentiality of their personal information. To our knowledge, the information the employees viewed was not printed, forwarded or downloaded.  So far, we have no reason to believe that our patients’ personal information has been used or disclosed in other ways,” said VUMC Chief Communications Officer John Howser. “While we are not aware of any risk of financial harm to these patients, we are contacting each of them by letter to recommend that they vigilantly review account statements and their credit status.”

_____________________________________________________________________________________________________

Alertsec helps you comply with HIPAA, PCI and SOX requirements. The implemented encryption is powered by CheckPoint and has the highest security certifications: FIPS 140-2, Common Criteria EAL4 and BITS.

Data breach due to hacking

March 2nd, 2017

Emory Healthcare’s Orthopaedics & Spine Center and Brain Health Center (EHC) at Emory Clinic recently suffered data breach, which impacted almost 80,000 patients. Facility came to know about the incident on Jan 3, 2017. It involved third party database called Waits & Delays. As per the statement, the affected database was used for patients’ appointment information.

Affected information included patient names, dates of birth, contact information, internal medication record numbers, dates of service, and physician names. The above information was removed from the server by an unauthorized individual. The person demanded payment from EHC to restore the data.

As per the reports, individuals who scheduled an appointment at the Orthopaedics & Spine Center within Emory Clinic between March 25, 2015 and January 3, 2017, and any patients with an appointment at Emory Clinic Brain Health Center between December 6, 2016 and January 3, 2016 are potentially affected.

As per the OCR data breach reporting tool, incident affected 79,930 individuals.  Facility mentioned that no Social Security numbers, financial information, diagnoses, or any other information from patient EHRs were accessed during the incident.

Another instance of unauthorized access by an independent security research center was also noticed. It resulted due to efforts of finding gaps in application security to alert companies of areas needing improvement by security company.

Facility launched an internal investigation after the incident. It also notified law enforcement. Potentially affected individuals are also notified. EHC is performing analysis on its current security measures. Internal and external systems which contained patient information will be changed as per the reports.

EHC mentioned that it has no information or indication of accessed data misuse.

“Please refer to the notice you will receive in the mail regarding steps that you can take to protect yourself. In general, we recommend, as a precautionary measure, that you remain vigilant to protect against potential fraud and/or identity theft by, among other things, reviewing your account statements and monitoring credit reports closely. If you detect any suspicious activity on an account, you should promptly notify the financial institution or company with which the account is maintained. You should also promptly report any fraudulent activity or any suspected incidents of identity theft to proper law enforcement authorities, including the police and your state’s attorney general.”

___________________________________________________________________________________

Alertsec’s cloud-based information security service provides an easy and convenient way to protect information on your organization’s laptops and computers.

Data breach at rehabilitation facility

February 27th, 2017

Catalina Post-Acute and Rehabilitation recently announced data breach when paper files were left in an unattended area. The patient data and certain employee information were left temporarily vulnerable to possible unauthorized public access. Current or past residents and employees are encouraged to take steps to protect themselves.

Facility has mission statement provided on the website as, “Working together to create a sense of community, our dedicated and compassionate staff will strive to exceed your expectations and make a difference in the lives of those we serve by providing exceptional care and service, and remembering you are the reason we are here.”

The healthcare organization mentioned that it came to know about these files on December 5, 2016. Affected information included demographic information. Diagnoses and Social Security numbers in some cases. As per the OCR reporting tool, the incident affected 2,953 individuals.

Facility mentioned that it launched an investigation into the incident. Also, protocols in place relating to PHI storage and employee information are reviewed. It also mentioned that as per the internal investigation it appears that no patient or employee information was misused.

“Catalina Post-Acute and Rehabilitation is committed to the proper handling and protection of resident and employee information, and regularly assesses its systems and processes to ensure that this information is maintained and managed in accordance with State and Federal Law,” the online statement explained.

Facility also mentioned that consumers may request free copy of their credit report once 12 months from Equifax, Experian and Trans Union. These agencies have central website to provide free credit report.  It has also provided contact number to answer questions and queries of affected individuals.

___________________________________________________________________________________

Alertsec is powered by Check Point Endpoint Security products, which are positioned in the leaders quadrant in Gartner’s Magic Quadrant for Mobile Data Protection.

Healthcare companies to increase security spending

February 26th, 2017

As per the recent survey of more than 1,100 senior security executives worldwide, here are the results-

  • Seventy six percent of global healthcare organizations plan to increase security budget
  • Eight one percent of U.S. healthcare organizations mentioned that they will increase the security budget

As per the survey conducted by Thales Data Threat, sixty percent healthcare are deploying to cloud, big data, and IoT or container environments without proper security measures.  Ninety percent believes that they can face data breach.

“For healthcare data to remain safe from cyber exploitation, encryption strategies need to move beyond laptops and desktops to reflect a world of Internet-connected heart-rate monitors, implantable defibrillators and insulin pumps,” Thales e-Security vice president of strategy Peter Galvin said in a statement. “Adhering to the security status quo will create vulnerabilities that lead to breaches, and further erode customer trust.”

As per the Redspin’s Breach Report there is increase in data breach incidents in 2016.

“Healthcare providers have become the primary targets of malicious hackers, and their attacks are becoming increasingly sophisticated and disruptive to operations,” Dan Berger, vice president at CynergisTek, said in a statement (Redspin is now part of the CynergisTek portfolio).

“The dramatic increase in hacking attacks in 2016, coupled with the large number of patient records copmromised in those incidents, points to a pressing need for providers to take a much more proactive and comprehensive approach to protecting their information assets in 2017 and beyond,” Berger added.

Accenture conducted survey which concluded that 26 percent of U.S. consumers faced data breach. Fifty percent faced medical identity theft.

“Health systems need to recognize that many patients will suffer personal financial loss from cyber attacks of their medical information,” Reza Chapman, managing director of cyber security in Accenture’s health practice, said in a statement. “Not only do health organizations need to stay vigilant in safeguarding personal information, they need to build a foundation of digital trust with patients to help weather the storm of a breach.

Fifty percent found the breach by themselves by looking at their credit card statement. Twenty five percent changed their healthcare providers after the breach. Twenty one percent changed insurance plan. And nineteen percent took help of legal counsel.

___________________________________________________________________________________

Alertsec helps you comply with HIPAA, PCI and SOX requirements. The implemented encryption is powered by CheckPoint and has the highest security certifications: FIPS 140-2, Common Criteria EAL4 and BITS.

Emails forwarded to personal email account

February 24th, 2017

An employee of A Multnomah County Health Department automatically forwarded all emails from county email account to a personal Google email account. The recipient email account is not maintained by the Oregon county. PHI was present on some of the emails. The incident has  created a PHI breach.

On November 22, 2016 facility came to know about the incident during an audit. Facility mentioned that it found no evidence  of the emails getting misused. It also concluded that personal account had been deleted after the investigation. It is no longer available to the employees.

PHI was present in the email attachments because it was attributed to a member of the Health Department. Potentially affected information included individuals’ names, medical record numbers, prescription numbers, diagnoses, and dates of service. As per the OCR data breach reporting tool, incident affected 1,700 individuals.

Facility also mentioned that there is no presence of any patient’s Social Security number, home address, or phone number.

Multnomah County and the County Health Department are also monitoring any activity involving patient information.  It is also taking measures to increase protections of personal information in response to this incident.

“We have policies and procedures for handling personal information which were reviewed with the staff member involved in this incident,” the department explained. “We are also reviewing controls, business practices and policies to increase protections of personal information in response to this incident.”

About Multnomah County:

Around 766,135 residents in the country

Total area of 465 square miles

It includes cities like Fairview, Gresham, Maywood Park, Portland, Troutdale, Wood Village

County Employees number count is 5,600 people

Facility provides Services for seniors and disabled people, animal services, assessment and taxation, bridges, community justice, courts, elections, health, jails, libraries, marriage licenses and passports, school and community partnerships.

_____________________________________________________________________________________________________

Alertsec’s cloud-based information security service provides an easy and convenient way to protect information on your organization’s laptops and computers.

Unauthorized EHR access at medical centre

February 22nd, 2017

Dignity Health St. Joseph’s Hospital and Medical Center recently announced data breach, which has potentially affected 600 patient medical record. During routine review of employee access to the hospital’s electronic health records, St. Joseph’s came to know about the incident.

“Dignity Health and St. Joseph’s Hospital and Medical Center are committed to furthering the healing ministry of Jesus, and to providing high-quality, affordable healthcare to the communities we serve.”

As per the reports, sections of patient medical records were viewed without authorization by a part time hospital employee. Facility has sent advisory letters to impacted patients.

St. Joseph’s mentioned that the records did not contain Social Security numbers, billing, and credit card information. It also added that there is “no reason to believe these patients need to take any action to protect themselves against identity theft.”

“Dignity Health St. Joseph’s Hospital and Medical Center is deeply committed to protecting its patients,” the statement explained. “Any person who accesses medical records without a job-related reason is in violation of St. Joseph’s policy and appropriate action has been taken in response to this event.”

The individuals who were patients at St. Joseph’s between Oct. 1, and Nov. 22, 2016 are notified. Potentially affected information included patient medical records, demographic information (e.g. names and dates of birth), and clinical data, such as doctor’s orders and diagnostic information.

“St. Joseph’s regrets any inconvenience caused by this incident. Letters have been mailed to patients whose medical records may have been viewed and the hospital has established a call center to answer any questions they may have. “

An electronic health record (EHR) is a digital patient’s record. EHRs are advantageous as they are  are real-time as well as patient-centric. It also contains broader view of patient’s record and care.

___________________________________________________________________________________

Alertsec Endpoint Encrypt is the full disk encryption service that delivers a mobile data protection system for all information stored on laptops used throughout your organization.